CIO May 1 2009 Issue by Sreekanth Sastry

leadership

VOL/04 | iSSUe/12

Business

Technology

ravishankar suBramanian of ing life insurance cut the cost of expansion by going Open Source.

Breaking New GrouN GrouNd here’s how open source helped ing life insurance unlock india’s semi-urban markets at a discount. Page 22

MaY 1, 2009 | rs100.00 www.CIO. I N

UntanGlinG saas ensure that SaaS’ flexibility doesn’t leave you in a twist.

Global Vision How a standard deployment helped Specsavers expand.

Page 42

Page 32

From The Editor-in-Chief

The Reinvention Equation Why keeping quiet won’t cut it any longer.

“Sooner or later comes a crisis in our affairs, and how we meet it determines our future happiness and success. Since the beginning of time, every form of life has been called upon to meet such crisis.” — Robert Collier Writer Robert Collier was convinced that the power of the mind was enough to create success in any arena of life, regardless of circumstance. While Collier’s hypothesis can be debated, it’s clear that CIOs need to be looking at fairly drastic moves if they are — not only to see the downturn through — but also look at how they’re going to tackle what lies beyond. Really? Shouldn’t this be the time to just hunker down and sit the storm out? Is this really the time to bring more risk into the equation than already exists? Pertinent observations. Let’s just stay sane and keep quiet. Absolutely. However, a ‘keep quiet’ policy is more likely to do harm to you and your department than going out there and making some noise and pushing the envelope. Ask Prof. Sourav Mukerji of the Indian Institute of Management, Bangalore, and he’ll tell you that this is the right time for CIOs to move to the “demand side” of things. This The slowdown is a great he feels will also open the path for CIOs to opportunity for CIOs to play expand their roles beyond IT. a decisive role in defining IT departments have traditionally their organizations’ operated on the supply-side of the business agenda. equation. While these functions are critical business success, they have remained ‘suppliers’ to the strategic demands of business. This, the good professor feels, also confines them to bottom line evaluation. Prof. Mukherji feels that the slump provides a great opportunity for the IT function to provide strategic inputs to business and play a decisive role in defining the organizations’ business agenda. Since CXO’S are more receptive to ideas at this point and organizations are more open to experimentation (provided there is a potential of favorable bottom line impact), Prof. Mukherji states that it’s easier to drive change during a crisis. That’s what switching to the “demand side” is all about. Curiously, while addressing a group of CIOs in Florida recently, CIO’s Publisher Emeritus Gary Beach had a similar observation: CIOs will have to re-invent themselves as data strategists or they will forever be stuck with simply running a company’s data center. Are you up to the challenge? Write in and let me know.

Vijay Ramachandran Editor-in-Chief vijay_r@cio.in

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Content,Editorial,Colophone.indd 2

Vol/4 | ISSUE/12

4/28/2009 7:31:38 PM

content MAY 1 2009‑ | ‑Vol/4‑ | ‑issue/12

Ravishankar Subramanian, Director-IT and Corporate Services, ING Life Insurance, thought it was unacceptable that the IT bill for a new branch was a hefty 20 percent of the total cost. So he made a radical decision to take his company Open Source — and made it work.

Open Source

Cloud Computing

COvER StORY BREAkIng nEW gROunD | 22

WAtChIng OvER thE CLOuD | 50 If you aren’t sure whether your cloud service provider is giving you what you paid for, turn to monitoring tools, they could be your guardian angels.

I Photo by SrIV Sr IVat atS S a ShandI Shand I lya

In the insurance business, everyone’s headed into the hinterland. But the cost of every new branch can bite deeply. Here’s how going Open Source helped ING Life Insurance save over Rs 8 crore and funded its expansion plans. Feature by Sneha Jha PLuS:

CoVE Co VEr: r: dESI d ESI gn by bI b I n ES ESh h S r EE dharan

2 2

IS thE WAR On OPEn SOuRCE OvER? | 28 Is Microsoft a friend or foe of Open Source? Microsoft can’t seem to decide whether to make love or war. But if it’s war, Microsoft appears to lack the legal weaponry to defeat or even disturb its adversaries. Feature by Elizabeth Montalbano

Feature by Robert L. Scheier

SaaS untAngLIng SAAS | 42 SaaS can plug business needs as they crop up. But this unplanned, rent-asyou-need approach can create fresh integration challenges. Feature by Robert L. Mitchell & Mark hall

Enterprise Management DOn’t DO AS YOu’RE tOLD | 18 A following-orders approach to business is the worst way an organization can combat a slowdown. Can leaders learn to let go? Column by Michael hugos

more » 4

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/12

content

Essential Technology | 54 Compliance | Go on GRC?

By Jarina D’Auria Pundit | Enterprise Resource Pit

By Thomas Wailgum

From the Editor-in-Chief | 2 The Re-invention Equation

By Vijay Ramachandran

3 2

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

c o.in

Case File Global Vision | 32 In growth mode and wanting to touch base with customers across the globe, Specsavers, the world’s largest privately-owned opticians, needed to get to the market quickly. A standard deployment model gave the company the power to cover more ground faster.

2 0

Feature by Rhys Lewis

Peer-to-Peer Surviving a Merger or Acquisition | 320 When the economy goes south, merger and acquisition activity goes up, as companies seek to weather the storm. If you get caught between two companies, there’s a way out. Column by Rich Casselberry 6

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Content,Editorial,Colophone.indd 6

Vol/4 | ISSUE/12

4/28/2009 7:31:51 PM

GoverninG BoArd

AdverTiser index

ALOk kumAR PubLISheR louis d’Mello ASSOCIATe PubLISheR alok anand eDITOR IA L eDITOR-IN-ChIeF Vijay ramachandran

global head - Internal It, t tCS t, ANIL khOPkAR

CORReSPONDeNTS Snigdha Karjatkar, Sneha Jha,

ANJAN ChOuDhuRY Cto, bSE

ChIeF F COPY eDITOR Sunil Shah COPY eDITORS deepti balani, Shardha Subramanian PRODuCT CT mANAGeR ONLINe Sreekant Sastry D eS IGN & PRODuCTION CReATIve DIReCTOR Jayan K narayanan LeAD vISuALIzeR binesh Sreedharan LeAD DeSIGNeRS Vikas Kapoor, anil V K Vinoj K n, Suresh nair girish a V (Multimedia)

IBC

ADC

APC

Canon

gM (MIS) & CIo, bajaj auto

ASSISTANT eDITORS gunjan trivedi, t Kanika goswami

Oracle

AShISh ChAuhAN President & CIo, It applications, reliance Industries A uL AT L JAYAw AYAwANT wANT President Corporate It t & group CIo, aditya birla group

Microsoft

IFC

Samsung

SAS

DONALD PATRA P CIo, hSbC India

Wipro

10&11

DR. JAI meNON

SeNIOR DeSIGNeRS Jinan K Vijayan, Jithesh C C Unnikrishnan a V Sani Mani (Multimedia) DeSIGNeRS M M Shanith, anil t

director t technology & Customer Service, bharti airtel & group CIo, bharti Enterprises GOPAL OPAL ShukLA

P C anoop, Prasanth t r PhOTOGRAPhY Srivatsa Shandilya PRODuCTION mANAGeR t K Karunakaran DY. PRODuCTION mANAGeR t K Jayadeep mARk eTING A ND SA L eS vP SALeS Sudhir Kamath GeNeRAL mANAGeR nitin Walia SeNIOR mANANGeR Siddharth Singh, ASSISTANT mANAGeR Sukanya Saikia bANGALORe Kumarjeet bhattacharjee, arun Kumar, ranabir das, Manoj d. DeLhI aveek bhose, gagandeep Kaiser, Punit Mishra mumbAI Parul Singh, hafeez Shaikh, Suresh balaji, dipti Mahendra Modi JAPAN t tomoko Fujikawa uSA larry arthur; Jo ben-atar eveNTS vP rupesh Sreedharan SeNIOR mANAGeR Chetan acharya mANAGeRS ajay adhikari, Pooja Chhabra

VP - business Systems, hindustan Coca Cola mANISh ChOkSI Chief Corporate Strategy & CIo, asian Paints mANISh GuPTA director-It, t, Pepsi Foods t muRALIkRIShNA k. head - CCd, Infosys technologies t NAv A IN ChADhA Av CIo, Vodafone PRAv RA IR vOhRA RAv group Cto, ICICI bank RAJeSh uPPAL Chief general Manager It t & distribution, Maruti Udyog SANJAY ANJAY JAIN CIo, WnS global Services ShReekANT mOkAShI Chief-It, tt t, tata Steel SuNIL mehTA

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Sr. VP & area Systems director (Central asia), JWt T.k. SubRAmANIAN div. VP-IS, Ub group v k mAGAPu v. director, larsen & toubro t

Corrigendum In our april 15, 2009 issue, anjan Choudhury’s designation (Pg. 26) should have read CIo of bombay Stock Exchange. the error is regretted.

vv v. .v.R .v v.R bAbu group CIo, ItC

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/12

new

hot

unexpected

Recession Resistant IT percent of those surveyed, both technology areas promising lower costs and greater flexibility for IT departments. One-fifth of respondents indicated they would work on green IT in 2009, and 19 percent intend to invest in business intelligence. Social networking projects are on tap for 18 percent of CIOs polled and another 17 percent will look to buy Web 2.0 technologies. Sixteen percent of the IT leaders, who were allowed multiple responses, said they would invest in outsourcing in 2009. "Although times are lean, many companies are finding that they can't afford to postpone IT investments that lead to increased security, efficiencies or revenues," said Dave Willmer, executive director of Robert Half Technology. "Organizations also are trying to make sure they are prepared for growth when conditions improve and enhancing their IT infrastructure is part of that process." —By Denise Dubie

IllUSTRaTIon by UnnIkRIShnan aV

I T M a n a g e M e n T Seven out of 10 CIOs looking to weather the recession know they need to put already small budgets toward investments in technologies that will help them secure information, virtualize resources and make datacenters more efficient, a new survey shows. Even in the midst of a recession, IT leaders realize they can't neglect certain

technologies, according to Robert Half Technology, which recently polled 1,400 CIOs to learn in which areas they plan to invest their 2009 budget. Some 70 percent said would invest in IT initiatives in the next 12 months, with 43 percent indicating that information security projects would be a top priority. Twenty-eight percent plan investments in virtualization and 27 percent will be looking to make their datacenters more efficient with technology purchases. "In any economy, protecting the confidentiality, integrity and availability of information is a must-have for companies of all sizes. Technology executives in the financial services and transportation sectors cited security most often, with 59 percent and 58 percent of the responses, respectively," said Robert Half Technology. VoIP and software-as-a-service initiatives are expected this year for 26

Quick take

Ratnakar Nemani on Arresting Virtual Sprawls I T M a n a g e M e n T As server virtualization gains popularity, it has created a fresh challenge: virtual sprawls. To find out how IT leaders can ensure that the benefits of virtualization don’t bite them back, Gunjan Trivedi spoke to Ratnakar Nemani, CIO & SAP Practice Head, VST Industries. Here’s what he had to say.

How serious is the threat of virtual sprawl? Within virtualization, creating servers and linking resources to these can be done with a few mouse clicks. It is this very ease that can result in an unmanageable sprawl of resources. And as enterprises increasingly adopt virtualization, the threat of virtual sprawls will become more serious. What should CIOs watch out for? What makes the situation worse is a lack of expertise. With virtualization enterprises need a higher level of skills to manage infrastructure. High attrition rates among these experts open the door for those with lower experience to

Vol/4 | ISSUE/12

create sprawls. CIOs need to handle the available skill sets within their teams deftly otherwise they may face an uncontrollable virtual sprawl. What about security concerns? Before virtualization, the risk was scattered but post-virtualization risks are pretty much centralized. A virtual sprawl jeopardizes this situation as it is difficult to get a handle on threat-prone areas in a virtualized environment. Security solutions that specialize in fortifying virtualized environments and virtual asset tracking tools need to be leveraged to understand the spread of virtual resources and plug potential loopholes.

Ratnakar Nemani

How can a CIO minimize virtual sprawl? CIOs need to get involved in virtualization projects from the start and be ready to get their hands dirty. The technology teams should not have an ad-hoc approach to virtualization and should have a hands-on attitude. Blueprinting and stepby-step monitoring are also key ingredients to successful virtualization with tighter control over virtual assets. REAL CIO WORLD | M a Y 1 , 2 0 0 9

Is IaaS Just Hosted Servers? B u s i n e s s A l i g n m e n t Infrastructure as a service is getting growing attention, but some CIOs are asking whether it is just a fancier term for hosted servers? Gunjan Trivedi spoke to some of your peers to find out:

“IaaS is totally different from hosted services. It is an interesting concept if one needs

trendlines

to grow fast without investing a lot of capital. However, the ROI of IaaS can only be found in long-term contracts in the range of seven to 10 years.”

T.P. Anantheswaran Head-IT, Mumbai International Airport

“Conceptually, IaaS evolved from hosted servers but they are different from each other. Because IaaS is still at its infancy it is more of an add-on to hosted servers at the moment.” V. Subramaniam CIO, Otis Elevators, India & UAE

“The two differ a lot. Bangalore

International Airport offers IaaS as a service provider to our clients at the airport. The services, however limited they are at present, do go beyond the mere collocation of servers.” S. Francis Rajan Head-ICT, Bangalore International Airport

Lend Your

Voice

Write to editor@cio.in 12

Trendlines 1.indd 12

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Datacenter Construction Slows,

Not Stops I n f r a s t r u c t u r e Datacenter construction requires massive investments in time and cash. It's no wonder, then, that companies who have embarked on building a new datacenter have not halted their projects. In interviews with over a dozen companies, each with $100 million (about Rs 500 crore) in IT investments, Joseph Pucciarelli, program director of technology financing and executive strategies for IDC (a sister brand of CIO), found that not one planned on scaling back their projects. "You are talking projects that have been in the works for years," Pucciarelli says. "These are complex multi-cycle construction efforts." Yet, the future is a different matter, he says. Economic uncertainty has caused many companies to review plans to expand IT infrastructure. In the past six month, new orders for datacenter construction have essentially halted, Pucciarelli says. "Everyone is waiting to see in which direction this period of economic volatility is going to pan out." Datacenters typically require three years or more to finish and cost millions. Just planning a project can take from two to four years, the analyst says. One of the 14 companies he interviewed in February has embarked on a $200 million (about Rs 1,000 crore) enterprise resource planning (ERP) project, which the firm aims to continue. "They're doing it because they are going to get all the cost benefits of a new IT infrastructure," he says. Tata Communications is another company that plans to continue building datacenters. The communications and managed service provider processes around 7 billion voice minutes a year and has datacenters in the US, the UK, Singapore and India. It's planning to construct new facilities in South Africa and China, says Abid Qadiri, VP of datacenter services for the company. The economic downturn has caused many companies to focus on cutting the costs of managing their data, making outsourcing attractive, he adds. Outsourcing is not the only solution. As companies consolidate during the economic downturn, they will typically merge datacenter operations into their newest facilities, Pucciarelli says. Over the next few years, the analyst expects many facilities to be put up for sale. —By Robert Lemos

Vol/4 | ISSUE/12

4/28/2009 7:33:48 PM

Green IT Takes a Backseat s t r a t e g y Firms are diverting their attention away from green IT projects in order to save money during the recession, according to a Gartner report. But the study of 620 executives who handle green technology demonstrated that businesses were still interested in some green schemes, especially if they offered quick cost savings. Most businesses will continue to make green IT efforts, according to the survey, with 60 percent of European firms planning green initiatives. Around one third will dedicate over 15 percent of their IT capital budgets to green programs. Some 67 percent of European firms said the recession had not made any impact on their green initiatives. But in

the US, around a third of firms said green initiatives were less important to them than before the recession. Many businesses saw being more green as an opportunity to save costs. But businesses should not mix green and costcutting aims, Gartner said. CIOs "need to break down budget silos and consider the wider cost-benefits to the organization" if they want their companies to achieve real financial benefits from green IT, Gartner warned. Firms will focus on green initiatives that result in quick cost cutting, Gartner said, such as those that improve energy efficiency. This year would be a "gap year for green projects lacking a shortterm cost-cutting and efficiency focus",

Gartner said. Only in the longer term would environmental sustainability be an important business issue, as tougher regulations kick in. "The broad area of green IT covering areas such as carbon reporting and offsetting, videoconferencing and green procurement will continue to be a key pillar of IT strategy and architecture during the next 10 years," said Rakesh Kumar, research vice president at Gartner. "Being green is definitely still a top-10 issue for businesses," he added. "But for the moment, unless it delivers a quick return on investment, green IT is very much second to cost containment and managing budgets." â&#x20AC;&#x201D;By Leo King trendlines

Should Security Stats Scare You?

Vol/4 | ISSUE/12

Trendlines 1.indd 13

One vendor, Cloudmark, which makes e-mail security products, discounts the importance of security statistics that pop up in media reports. "An organization should be focused far more on their own internal metrics for determining their security posture, rather than on outside statistics," says Adam O'Donnell, director of emerging technologies at Cloudmark. However, Unisys, a systems integrator, begs to differ. Over the last two years, Unisys has undertaken a semi-annual survey of about 14,000 individuals from 13 countries, asking them eight questions about their perception of personal, financial and national safety online. For businesses concerned about what consumers are thinking, the results are one factor to consider, Unisys contends, pointing to the value of statistics. "It's fascinating to see how different the results are by country and demographics," says Tim Kelleher, vice president and general manager of managed security services at Unisys. "The world isn't homogenous. In France, no one is very worried about this stuff at all. But in Brazil and some of the Asian countries, people are feeling very insecure online. The US is sort of in the middle." In general, Kelleher thinks statistical trends are more significant than the numbers bandied about at the moment. â&#x20AC;&#x201D;By Ellen Messmer

REAL CIO WORLD | M a Y 1 , 2 0 0 9

Illustration by pc ano op

Did you know that the number of crimeware-spreading Web sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, according to the APWG (formerly Anti-Phishing Working Group) coalition? Or that data breach costs rose to US$6.6 million (about Rs 33 crore) per breach last year, up from $6.3 million (about Rs 31 crore) in 2007, according to the Ponemon Institute. Or that 3 percent to 5 percent of enterprise desktops and servers, mainly Windows, are apt to be infected with botnet code, according to security firm Damballa, based on an analysis of its customers' network traffic? News reports are filled with such disturbing statistics culled from any variety of sources, but do IT leaders find themselves worrying about it all? "We all pay a little bit of attention," says Jeff Keahey, CIO at Wardlaw Claims, a property and auto claims insurance adjuster. "But we try to evaluate their bias." In general, someone is trying very hard to "get you to lean toward a certain product" and "a lot of statistics come with an advertisement in tow," he notes. Though he does take it all with a grain of salt, Keahey says he may look at security statistics as a general guideline about trends, and they may have some influence in deciding directions to take in countering threats. S e c u r it y

4/28/2009 7:33:49 PM

Cutting Information Security in Hard Times B u d g e t Although some analysts actually expect security spending to rise this year — at least as a percentage of total IT spending — some CIOs are giving serious thought to the once-unthinkable idea of trimming security budgets they seek to cut costs during this global recession. "Almost certainly people are experiencing cuts," says Pete Lindstrom, an analyst with the research firm Spire Security. "If you think of security as a cost center within a cost center [IT], ... then security is a great place to start," he adds. "There are companies that are discounting their security in order to drive bottom line," says Charlie Meister, executive director of the University of Southern California's Institute for Critical Information Infrastructure Protection. "I've seen a pretty significant cutback over the past six months," says Rich Cummings, CTO at HBGary, a security company that has clients in the financial services industry. Cutting security is risky since a security breach can be disastrous. The Ponemon Institute pegs the average cost of a data breach at $6.7 million (about Rs 33 crore). But you may have no choice if the money is not there. Experts say companies that have done the hard work of really

trendlines

Companies can improve their security posture without spending money by promoting an information security awareness program. understanding their risk posture can trim spending without increasing risk. And companies that have taken security seriously can be equally smart about how they reduce their security costs, says USC's Meister. Sadly, he notes, there are only a few companies in this position: "I don't think companies have done a great job of managing their risk profile. It doesn't occur [to them] until someone loses a laptop." So how do you cut security safely? One method is to get your security intelligence from free projects, such as the Shadowserver project, rather than paying for the information, Cummings says. The use of Open Source software can also be a great place to cut security costs — especially for small and medium-size businesses, says Spire's Lindstrom. They let businesses get equivalent security

SaaS Adoption Rates Surge A p p l i c a ti o n s SaaS

is sizzling. Adoption rates for SaaS solutions nearly doubled during the last 12 months according to a survey by Cutter Consortium. Survey respondents cited the need to eliminate additional infrastructure and staff costs in the current downturn as their primary objective for turning to SaaS. SaaS adoption over 12 months Currently using

32% 28%

Currently considering 9%

Not considering 2008

Trendlines 1.indd 14

63%

36%

32% 2007

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Source: Cutter Consortium

tools for less money. "If the product is commoditized enough and your people are skilled enough, it's not unreasonable at this stage of the game to consider Open Source applications," he says. For example, the ClamAV anti-virus software and Snort intrusion detection system are two widely used Open Source anti-virus products, as is the Open Source Security Information Management security event management software. Companies that don't have the money to pay for full disk encryption might want to look at TrueCrypt, another Open Source project. Because it lacks centralized management capabilities, TrueCrypt is "not going to be appropriate for every environment," says Morey Straus, an information security officer with the New Hampshire Higher Education Assistance Foundation, but it does work for some. But for companies that want to improve their security posture without spending money, taking the time to promote an information security awareness program can pay off big time, according to Straus. "That's just one of the easiest, most effective things you can do and it costs very little." Straus says he did this in two phases at his organization, a student loan provider. He started with a mass presentation outlining good security practices. He then followed up with departmental meetings, which he described more as a two-way discussion. "I get employees to share some of the risks and possible pitfalls," he said. "Those meetings are very beneficial." Analysts say that cutting down on manual processes is a smart way companies can cut costs and refocus staff resources. Luckily, many IT shops are not being forced to make the hard decisions just yet about where to cut security spending. Forrester Research says that security will get a slightly larger percentage of IT budget dollars this year — on average, 12.6 percent of total IT spending, compared to 11.7 percent in 2008. But because IT budgets are expected to drop 3.1 percent in 2009, that's a big jump in relative terms. —By Robert McMillan

Vol/4 | ISSUE/12

4/28/2009 7:33:49 PM

Not Ready For Mobility What You Don’t Know About ERP Think you know everything about ERP? here are five things to consider: erp

ERP Alternatives Are Everywhere ERP has been forever linked with complexity, high cost and arduous 18-month rollouts. Today, however, there are alternatives: on-demand and SaaS ERP vendors offer robust product sets and open-source apps can be bought via amazon.com's EC2 Web services platform.

Next-Gen ERP Products in 2010 oracle's long-awaited Fusion applications Suite will reportedly emerge in 2010. SaP's business Suite 7 should be ready for primetime use early next year. Each vendor hopes that its new offering will grab marketshare and customers from the other.

Maintenance Fees Are Not Falling Recession or not, oracle affirms it has no intention of messing with its maintenance fee — that highly lucrative annual revenue stream paid by customers for software license and product support that delivers 90 percent margins. In 2009, SaP actually increased its maintenance fees to keep pace with its rival.

Failure Is Still a Common Outcome Modern history overflows with ERP disasters. Waste Management is a case in point: it is currently embroiled in a nasty $100 million lawsuit with SaP over a failed implementation. also, Select Comfort decided to halt a $20 million (about Rs 100 crore) ERP project. —by Thomas Wailgum

Vol/4 | ISSUE/12

TrendlInes

SaaS ERP is For All SaaS is not just for small business. Case in point: Chiquita brands is rolling out a SaaS ERP app to its global operations (70 countries, six continents) to manage its 23,000 workers. GE recently implemented a SaaS supply chain app to manage US$55 billion (about Rs 275,000 crore) worth of corporate spending among 500,000 suppliers in 100 countries.

M o B I l I T y Companies expect to support a growing range of smartphones and mobile employees — but their mobile infrastructure lacks the procedures and products to secure and manage mobility, and to minimize downtime, according to Osterman Research's survey of 125 IT decision-makers. Based on the survey, Osterman predicts the percentage of employees with company-supplied mobile devices will rise from 23 percent in 2008, to 30 percent in 2009, and to 46 percent by the end of 2011. Research in Motion's BlackBerry and Microsoft's Windows Mobile are by far the dominant mobile platforms, and will continue to be so (56 percent of respondents use BlackBerry, 19 percent Windows Mobile, 10 percent Palm Treo and 5 percent iPhone.) The survey also found that 82 percent of companies supported BlackBerry devices in 2008, and 66 percent supported Windows Mobile. But Apple iPhone use is growing dramatically: 20 percent said they supported iPhones in 2008, and 44 percent said they will support them in 2009. The data indicates an increasingly heterogeneous mobile enterprise, with the attendant complexity of securing and managing it, says the report. It's likely that enterprises will turn to a range of software tools for doing so, or turn to emerging hosted services for these tasks. Mobile holders tend to have specific, high-value jobs. Over 75 percent said their technical senior managers use mobile messaging devices; 78 percent said non-technical senior managers carry them. About two out of three respondents named non-sales traveling employees, mid-level technical managers and mobile sales staff as device users in their companies.

Time IT Spends Managing Mobile Environments 35.5% Troubleshooting user issues 8.2% Troubleshooting Exchange/BES interactions 7.3% Troubleshooting BlackBerry Enterprise Server 3.6% Troubleshooting network issues 0.6% Others issues *The hours listed are for the median hours per week per 1,000 BlackBerry users.

Given this user profile, downtime could prove costly with 8 percent saying the impact would be critical, and 27 percent said it would be serious. Another 47 percent said there would be "some impact" from downtime. “We found that the typical organization experiences a mean of 29 minutes of downtime per month in their BlackBerry environment," the authors wrote. Outages for BlackBerry holders hits home. Just over half of the respondents said users were one to 10 percent less productive as a result of an outage; 17 percent said users were 11 to 25 percent less productive. About one in five said their users were 26 to 50 percent less productive. Despite this, the report found that many companies are not well-equipped to minimize mobility disruptions. Only 39 percent said they were very confident or confident that all elements of their mobile messaging platform are fully protected against downtime. The report was sponsored by Zenprise, a company that sells an application to automate the management and troubleshooting of mobile devices. —By John Cox REAL CIO WORLD | M a Y 1 , 2 0 0 9

Virtualization's Dark Side

trendlines

V i r t u a l i z a ti o n Users are paying little attention to some of the downsides of virtualization in their haste to reap the benefits that the technology can bring. That's according to Burton Group analyst Jack Santos who has co-written a briefing paper, The Dark Side of Virtualization for Burton clients detailing some of the problems facing virtualization users in the future. Santos stressed that virtualization had many advantages for organizations — and that there were considerably more advantages than disadvantages — but said that there were still some issues that needed to be resolved, particularly regarding management and security. He said that IT has "conveniently" ignored the risks, because they outweighed the benefits. However, he warned, this was a situation that could change. "As deployment expands [especially in a cloud-oriented world] the repercussions may get more significant," he said. The management of virtual environments, he said, would remain a thorny problem particularly given the disparate number of providers and the fact that even the virtualization software companies themselves had less than complete offerings in this space, pointing that few virtualization tools integrate with general datacenter management software such as Tivoli. He

said that he expected the situation to stay fragmented for some time to come. "Mideast peace, at this stage, will be easier than getting vendors to play," he said. The other problem area for virtualization was security, he said. To date, he says, there have been no public breaches of a virtualization hypervisor — although, he noted, the Xen hypervisor had been exploited by Invisible Things Lab at Black Hat 2008. "There is no question that hypervisor technology brings with it an expanded vulnerability to threats," he says. Although he pointed out that there was a paradox in this. According to Burton's Laws of virtualization security, users increased security risk by adding complexity but reduced it by adding another means of separation. One area that is improving however is licensing. Although Santos mentions some of the problems in his report, he said that vendors were working together to solve some of the sticking points, although he warned that it was up to users to push vendors harder. "Licensing has made tremendous strides, especially in the past year with most of the vendors are very open to dialogue. Customers need to continue to put on pressure when terms don't meet their needs. —By Maxwell Cooter

Insider Threat Debunked? S e c u r it y In retrospect, 2008 was a banner year for security breaches, according to new research from Verizon. And while many security vendors have been beating the drum on the threat of malicious insiders, the report indicates organizations should be more wary of outside attacks. The 2009 Verizon Business Data Breach Investigations Report finds that hackers continue to intensify and sharpen their efforts to steal sensitive data. In fact, more electronic records were breached in 2008 than the previous four years combined. The study's authors said the upswing is fueled by a targeting of the financial services industry and a strong involvement of organized crime. Corporations fell victim to some of the largest cyber-crimes ever during 2008, noted the report.

Trendlines 1.indd 16

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

or intermediate controls. The findings debunk the notion A staggering 81 percent of that insiders account for the victims were not Payment Card biggest threat to security in of security threats in Industry (PCI) compliant. most organizations and instead most organizations Another finding that finds that 74 percent resulted came from external sources. In comparison, may surprise some is that from external sources. Only 20 only 20 percent were 99.9 percent of records were percent were caused by insiders. caused by insiders. compromised through servers The study, the second and applications, not from annual conducted by Verizon, user sources often associated with data is based on data analyzed from Verizon leaks, such as desktop PCs and mobile Business' actual caseload comprising 285 phones. Highly sophisticated attacks million compromised records from 90 accounted for only 17 percent of breaches confirmed breaches. The financial sector and 83 percent of attacks were considered accounted for 93 percent of breaches, and to be what Verizon termed as "not a staggering 90 percent of these involved highly difficult" to pull off. However, the groups identified by law enforcement as study authors also note that while the engaged in organized crime. percentage of sophisticated attacks was The research authors also noted that small, they accounted for 95 percent of the most breaches were avoidable. Nearly total records breached. nine out of 10 — or 87 percent — were —By Joan Goodchild considered avoidable through simple

74%

Vol/4 | ISSUE/12

4/28/2009 7:33:49 PM

Cloud Security Gray Skies

Vol/4 | ISSUE/12

Trendlines 1.indd 17

The Shortest Distance In Tokyo I n n o v a ti o n Travelers on Tokyo's subway system are getting some high-tech help finding their destinations with the start of trials of an interactive map system. The maps run on 47-inch LCD panels that have been installed at Ginza station in the heart of the city. Three subway lines intersect at the station, which serves around 275,000 people each day heading to and from one of Tokyo's busiest shopping and entertainment districts. As well as big department stores the area is home to numerous boutiques, cafés, bars and small shops that can be hard to find, especially with 32 exits from the station to choose from. In short: It's a great place to try a high-tech map system. Travelers can walk up to one of two screens being used in the trial and be presented with an area map. Alongside it are buttons to highlight popular destinations such as nearby banks, ATMs, convenience stores and post offices. Touching one of the buttons reveals the location of these places with an icon, and touching the icon draws the shortest route to that destination. For other destinations travelers can enter an address. The system covers only the local area, so half the address is already decided and users just enter the two or three numbers that specify the particular area and building in the Ginza area where they're heading and the route comes up. Owners of cell phones that support the Felica RFID technology can also get the destination coordinates transferred to their cell phones by pressing a button on the map to activate a Felica sensor and holding their cell phone close to it. Once above ground they can use a cell-phone mapping service to work out their route to the destination. The maps feature Japanese most prominently, although most of the functions and labels are also displayed in English. The screens are being tested until the end of June. From observation, the system is easy to use, but unlike the existing maps, the new system can only be used by one person at one time. The existing maps are large enough — sometimes occupying most of a wall — that several people can peer at them and figure out their route at the same time. —By Martyn Williams

REAL CIO WORLD | M a Y 1 , 2 0 0 9

trendlines

C l o u d C o m p u ti n g Businesses are concerned about the management and privacy of data they entrust to cloud computing service providers, but not many are doing anything about it, according to a Deloitte survey. It's unclear whether that's because they lack the means to make sure cloud providers are actually protecting data or whether businesses don't have the processes established to conduct evaluations, according to the survey report Enterprise@Risk: Privacy & Data Protection Survey. Of those surveyed, 82.6 percent say they haven't implemented formal programs to assess how well providers comply with the privacy and data management provisions that they agree to in service contracts, and this is a problem, Deloitte says. "You cannot put out in a third-party cloud data storage, e-mail and financial applications and say I am obliged to meet data laws, regulations and contractual agreements and not have some mechanism of assurance in place," says Rena Mears, partner and leader with Deloitte's security and privacy services. But the bottom line is that the corporation is ultimately liable for a breach, not the service provider, Mears says. So businesses using cloud computing services should perform ongoing risk assessment of the data that is trusted to the cloud, Mears says. Data should be classified for its sensitivity and regarded as a business asset from which the business is trying to derive the maximum return. Yet, at the moment, concern about enforcing regulatory and contractual requirements is not the top concern businesses have about the cloud. Of those who responded, 30 percent worried most about IP, with ability to enforce regulatory and contractual requirements ranking No.2 with 20.7 percent. Unauthorized use of data ranked third with 15.1 percent. The number of businesses facing these questions today is significant and growing. According to Deloitte, nearly 45 percent of respondents have already bought cloud computing services and 22 percent say they are considering them. Customers of these services use them for data storage (27.7 percent), e-mail (12.8 percent) financial applications (17 percent) and database applications (16.1 percent). Mears says she expects that the industry will come up with acceptable approaches for managing data in the cloud so it is treated in accordance with business and governmental regulations. The International Organization for Standardization, National Institute of Standards and Technology and others are working on frameworks for enforcing privacy and protection of data in the cloud. —By Tim Greene

4/28/2009 7:33:50 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Michael Hugos

Enterprise Management

Don’t Do as You're Told A follow-your-orders approach to business is possibly the worst way an organization can combat a slowdown. Can leaders learn to let go?

Illustration by AN IL T

hat do companies get when people follow orders to the letter whether those orders make any sense or not? Situations change so fast that orders and decisions from last week may not be appropriate today but because people are afraid of getting fired and everybody is trying to avoid blame, they do as they are told even if it actually causes harm. That’s called malicious obedience. Malicious obedience is characteristic of the traditional business model. In that model, a handful of senior executives at the top of the organization do the thinking and everybody else does as they’re told — or else. That model worked well enough when things didn’t change so fast and there was more time for senior management to figure out what was going on and decide what to do about it. But in times like these there are too many decisions to make and they need to be made quickly. No small group of executives — no matter how smart, how tough, or how many computer systems they have — can keep up. Companies need to be agile if they are going to successfully navigate unpredictable economic and market turbulence. They need everybody thinking and acting in ways that benefit the company. Some people might say that getting everybody involved sounds like a recipe for chaos. Some people might say in times like these the best way is for everyone to follow the orders of a few leaders — and hope those leaders know what’s best. Yet there’s evidence that this traditional notion is out of date. Let’s look at a couple of companies doing well in markets that traditional wisdom says can’t do well in this economy. One is a manufacturer of networking equipment and the other is a retailer of consumer electronics. Both companies have been 18

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Coloumn - 01-Don’t Do as Your Told.indd 18

Vol/4 | ISSUE/12

4/28/2009 12:53:42 PM

Michael Hugos

Enterprise Management

steadily evolving a new type of business organization model for the last five or six years. The manufacturer is Cisco Systems. The retailer is Best Buy. Both of these companies are becoming responsive and agile.

Blazing a New Path A statement on the Cisco website under the tab ‘Business Agility’ says: “We know you need to be responsive in order to best serve the business, but often organizations like yours are increasingly challenged by outdated infrastructure and processes. To respond more quickly to changing business needs, companies need to evolve their IT operations, their datacenter infrastructure, and even their organizational model.” That reference to the organization model is the most important point. Cisco has made big changes in their organization model. They have decentralized decision-making that used to be done by 10 executives at the top and pushed it out to some 500 business unit managers who are close to the scene of the action and who now figure out how to get things done, leaving no room for malicious obedience. Business agility starts with an overhaul of the organization model and then different IT infrastructure to support the new business model. But decision making needs to be decentralized in a big way. Best Buy is doing something similar with a program they call ‘Results Only Work Environment’ or ROWE. The program asks business unit managers to tell their people what performance targets they need to achieve, but leave people free to figure out for themselves how to do it. A consulting company, CultureRX, has spun off from Best Buy to train other companies in how to implement ROWE in their organizations. CultureRX’s website says: “A ResultsOnly Work Environment is one where your talent will show up energized, disciplined, fluid, flexible, and focused — always ready to deliver the results necessary to drive your business. ROWE is a bold, cultural transformation that permeates the attitudes and operating style of an entire workplace, leveling the playing field and giving people complete autonomy — as long as the work gets done.” The United States Marine Corps also believes in decentralized decision making and a results-oriented approach. For those who like to draw analogies between success in war and success in business here’s something to think about. The Marine Corps has taken this approach and internalized it in their doctrine and their organization model. This doctrine is presented in a short handbook titled Warfighting. Every Marine from generals to new recruits are expected to understand and apply its precepts. Here is a quote from a section titled ‘Philosophy of Command’: “It is essential that our philosophy of command support

the way we fight. First and foremost, in order to generate the tempo of operations we desire and to best cope with the uncertainty, disorder, and fluidity of combat, command must be decentralized. Subordinate commanders must make decisions on their own initiative, based on their understanding of their senior’s intent, rather than passing information up the chain of command and waiting for the decision to be passed down.”

Get Some Gung-Ho Under the tyranny of the traditional business model people are afraid that if they try something new and it succeeds the credit will go to their boss — and if they fail they get fired. So the logical person quickly learns to just follow orders. There is no way for a business to become agile or responsive under these circumstances. If a company wants to be agile — and certainly not all companies see the need to be agile — then the best way to break the cycle of malicious obedience is for senior management to focus on defining what the company should do, but strictly refrain from saying how it should be done. This separation cuts out a lot of opportunities for malicious obedience. It leaves

We need systems that support a certain enthusiastic and dedicated spirit among us that enables responsiveness and agility; the Marines call it ‘Gung-ho’.

Vol/4 | ISSUE/12

Coloumn - 01-Don’t Do as Your Told.indd 19

people with no place to hide and at the same time it gives them permission and freedom to think for themselves. Most people love this and it shows up in the quality and productivity of their work. As IT professionals and enterprise architects (assuming our companies do decide to revamp their organization structure and decision making model to support agility and responsiveness) we ought to be thinking about what kind of IT infrastructure and what kind of application systems are needed to best support this new way of operating. Here’s a hint: traditional ERP type systems are not flexible enough. As you ponder this question, here’s another insight from the Marines. It’s from a section in Warfighting titled ‘Equipping’ and goes like this: “Equipment that permits over control of units in battle is in conflict with the Marine Corp’s philosophy of command and is not justifiable.” We need systems that don’t stifle us or control us but that support a certain enthusiastic and dedicated spirit among us that enables responsiveness and agility; the Marines call it ‘Gung-ho’. Gung-ho is a transliterated version of the Chinese words Kung and Ho, which mean ‘work’ and ‘together’. CIO Send feedback on this column to editor@cio.in

REAL CIO WORLD | M a Y 1 , 2 0 0 9

4/28/2009 12:53:43 PM

Rich Casselberry

Peer-to-Peer

Surviving a Merger or Acquisition When the economy goes south, merger and acquisition activity goes up, as companies seek weather the storm. If you get caught between two companies, thereâ&#x20AC;&#x2122;s a way out.

Il lustratio n by MM Shanit h

he company I work for recently announced a joint venture with a much larger company, although in reality it's probably an acquisition. My firm does a few hundred million dollars in annual revenue with 900 employees; the other firm is almost twenty times our size. They outsource their entire IT organization; ours is almost entirely in house. We looked at outsourcing our IT to the same company that manages their IT a few years ago and decided to continue to run it ourselves. We felt we would get better service and could do it for about 20 percent less than what it would cost to outsource. I manage the IT infrastructure and have about 30 employees who work for me. They are all very dedicated, and I wouldn't change any of them. We regularly pull off the impossible, and our executive team thinks highly of us. So when the joint venture was first announced, one of my newer employees asked me, "What does this mean? What should we do?" I've been through a few acquisitions during my twenty year career in IT, so I shared my perspective with my employees. As more companies contemplate M&A activity as a way to weather the economic storm, employees need to prepare themselves for change. Here are my secrets for survival.

Plan for the Worst The worst thing that can happen is that you get fired and don't get any severance. You're more likely to get some kind of severance package in the event you lose your job. Knowing your future finances may be uncertain, look at your bills and income. If you can pay all of your bills with savings and 20

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Coloumn - 02.- Surviving a Merger or Acquisition.indd 20

Vol/4 | ISSUE/12

4/28/2009 12:54:44 PM

Rich Casselberry

Peer-to-Peer

you are sure you can start a new job in a month, you probably don't have to worry about your finances too much.If you can't pay your bills you need to figure out what bills you can get rid of, like a membership at a local club and which ones you need to survive like the mortgage and groceries. You don't have to immediately sell off all of your worldly possessions, but you should make a list of what you could sell if you needed to free up some extra cash. If you're looking for work, consider trying something new. I've thought about going into sales, but I haven't been daring enough to quit my IT job to try it. Of course, if I were already out of work, I might have more incentive. I've also thought about starting an IT services company. I've known many people who've ended up doing something completely different after losing their job and who were grateful that they got laid off.

Plan for the Best The best case scenario if you want to keep your job is that you get promoted to lead a new group (or the same group that suddenly is much bigger). Give some thought to how you would manage it. How would you structure your new team? What would the budget look like? Which systems or applications would you keep or get rid of? Investigate as much as you can what each company has for technology.

PrepareYour Elevator Pitch In my case, I know I can save the new joint company 20 percent in annual IT operating costs. That's my pitch: "You let me run this; I'll save you twenty percent." In this case that's pretty close to $25 million (about Rs 125 crore) a year.

LetYour Executive Team KnowYouâ&#x20AC;&#x2122;re Ready I'm assuming that your goal is to keep your job. If that's not the case, let the executive team or your management know that you don't have a problem leaving the company. You don't want a manager fighting for your job if you are hoping to get a severance package. On the other hand, if you are looking for more responsibility, now is the time to mention it. Give your manager your elevator pitch and present him or her with your plans for how you would structure the new organization and save the combined company money.

Update Technical Documentation Even with the best plan and a solid pitch, you may not even have the chance to discuss it with the new executive team. They may have already made their personnel decisions. While you are

If you are looking for more responsibility, now is the time to mention it. Present your manager with your plans to structure the new organization and save the combined company money. Question everything including: are we organized properly? Should we merge with other departments? Can I do work outside of my current job function? Have answers to all of these questions. It's a safe bet that someone else is questioning everything, so you need to be prepared with the answers. Document how you can save money, improve services or otherwise provide value. In my case, I have the proposal from when we were considering outsourcing that shows we are 20 percent cheaper than the IT services company to which we would have outsourced. In addition, I calculated how much running the IT infrastructure would cost for offices of various sizes, how many offices I think the company with which we entered into the joint venture has, and what the IT organization would look like. I also calculated based on the proposal I have from the outsourcer what I think the other company is paying for services. Make sure you highlight your assumptions about how you will get your cost savings and what the new organization might look like. You will have time to tweak the plan as the structure of the joint venture or merger unfolds, but if you are way off and don't explain how you got there, you may do more damage than good. If you assume you can in-source everything, but the contract is ironclad for three more years, you aren't going to be able to save 20 percent.

Vol/4 | ISSUE/12

Coloumn - 02.- Surviving a Merger or Acquisition.indd 21

waiting to see what the outcome of the merger, acquisition or joint venture is, update server and password lists, processes and procedures, and disaster recovery plans. People remember what you were like when they worked with you, even if it is only during a transition. So by putting all this thought into a plan for how the new organization would work â&#x20AC;&#x201D; even if it doesn't get implemented, you look prepared and professional and that increases your chances of being kept on staff.

Wait This is always the hardest part. Try to avoid gossiping and speculation. Focus on the work at hand. Of course, it doesn't hurt to do some networking while you are waiting for the outcome of the merger or acquisition, but avoid jumping at the first job that comes your way. Many times people get promoted during acquisitions and some get retention bonuses for taking on the risk of staying with the company. CIO Rich Casselberry has held a number of IT management positions with enterprises, consulting organizations, and in the public sector during his 20-year career in IT. He is the lead author of Running a Perfect Intranet. He has also written 30 Skills Every IT

Person Needs. Send feedback on this column to editor@cio.in

REAL CIO WORLD | M a Y 1 , 2 0 0 9

4/28/2009 12:54:44 PM

Cover Story | Open Source

Ravishankar Subramanian, Director-IT and Corporate Services at ING Life Insurance was astonished by the high cost of IT in setting up small branches and decided to go Open Source.

In the insurance business, everyone's headed into the hinterland. But the cost of every new branch can bite deeply. Here's how going Open Source helped ING Life save over Rs 8 crore and funded its expansion plans. By Sneha Jha

Reader ROI:

Why convincing management about Open Source is important today How to support an Open Source desktop implementation How Open Source can directly impact business

Vol/4 | ISSUE/12

much last place you would expect to find life insurance. But, as it turns out, the ramshackle roadside pit stop in Bhubaneswar, Orissa, is an excellent location for ING Life to sell insurance: in recent years the dhaba has got so popular that a chowk had been named after it. As innovative as the idea was, it didn’t make life easy for the ING Life agents stationed there. The oppressive heat of a state that’s more associated today with droughts than its celebrated Jagannath Temple, made their entrepreneurial spirit the stuff of National Geographic. “They only had two desktops. The place operated without air conditioners, coolers or even a UPS,” recalls Ravishankar Subramanian, director-IT and corporate services, ING Life, after he visited them on a tour of the company’s branches in tier-III and tier-IV cities.

REAL CIO WORLD | M a Y 1 , 2 0 0 9

P hotoS by Sr IVatSa ShandIlya ImagI n g by anIl t

The Rupali Restaurant is pretty

Cover Story | Open Source Subramanian was in for another surprise. Until his trip, he had assumed that rentals and staff expenses comprised the lion’s share of the cost of setting up a new branch. “I thought IT formed only a small percentage of the total expense. I was wrong,” confesses Subramanian. At 20 percent of a new branch’s cost, IT was the second largest chunk and limited the insurer’s ability to provide facilities and still keep costs low. Fresh from his visit, Subramanian remembers his feelings of guilt. “It was a moment of epiphany. I felt the need to embed a culture of cost optimization throughout my department. I needed to do my bit,” he says. It would take him two years, but Subramanian would make good on his promise by turning to Open Source to slash the toll IT exerted on the company’s branches by half.

IntO the hInterland Competition in India’s life insurance business is fierce. As insurance companies fight just to stay in the game, their aggressive tactics have spawned an industry characterized by overcapacity, oversupply and product commoditi commoditization. It’s hard to say who’s winning: according to India’s Insurance Regulatory Development Authority only two of the country’s 20-odd insurance players have broken even. ING Life isn’t one of the two. Which is why, like most of its competition, the company has been consistently trying to expand its net network. And rural India, with its lower insur insurance penetration, is where everyone’s headed. According to a 2007 IIMS Dataworks survey only 27 percent of paid workers in rural areas had insurance, compared to the 47 percent pen penetration in more urban regions. “The income demographics in (rural India) are chang changing the interest of insurance companies. The growth potential is higher there and pie is just too big to be ignored,” says Subramanian. “Also, competition in the rural hinterlands is low compared to the metros where all players exercise their muscle. We feel that a high growth potential exists in rural and semi urban areas,” adds Ashwin B., COO, ING Life Insurance.

Today, eight years after it opened its doors, the Bangalorebased ING Life has a network of 265 offices spread out over 234 cities and towns. But that’s still a far cry from ICICI Prudential Life Insurance’s 2,100 branches (which also began operation about eight years ago). The problem with the rural push is that it’s expensive. Unlike other industries that can afford to send their foot soldiers into the hinterland armed only with handhelds, life insurance in India is a people-intensive business. A sales person needs to have at least three or four meetings with a prospective buyer before a sale is closed. Experience has also shown the importance of inspiring trust in potential customers, which means that insurance players must have a physical presence in towns and villages. But the high cost of servicing these non-metro clients is not compensated because, almost counter-intuitively, insurance comes at a relatively low price. “Insurance in India is a very low-ticket item. Our average premium for a life insurance policy is anywhere between Rs 15,000-Rs 16,000 a year which means that even when we do sell, the profit margins are wafer thin,” says Subramanian. That makes expansion a risky business. That has forced one of ING Life’s competitors, Bajaj Allianz, to halt its expansion plans because it could not sustain the business model. All of which makes optimizing cost an imperative, not an option for ING Life. “If we are able to package the whole thing on a shoestring budget, then we will be able to target more sales and service centers countrywide. We do not require a gold-plated IT structure or a replica of our head office. We require office structures that are financially viable. That, I think, is the crying need,” says Subramanian.

OpenIng a WIndOW Of OppOrtunIty If Subramanian wanted to contribute to the rural push, he knew he would have to lower the cost of setting up branches by attacking IT infrastructure. Some IT optimization had already been done for him. Because ING Life’s field force only spent a small fraction of their working day at the office, the company had ensured that branches pooled resources, which meant that every computer serviced every four or five sales managers. But hardware was a modest cost-reduction target and delivered short-term tactical gains. In order to achieve longerterm benefits, Subramanian wanted to target software costs.

“We have been actively pursing initiatives which will help us manage our costs more effectively and this project embodies that strategy.” — Ashwin B. COO, ING Life Insurance 24

Cover Story.indd 24

M a Y 1 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/12

Cover Story | Open Source As luck would have it, at the beginning of 2006, the 49-yearold Subramanian attended an innovation workshop at IIT Mumbai where Linux was discussed as a cost-effective alternative to proprietary software. Even as the idea germinated in his mind, he knew that migrating all the company’s Windows XP desktops, its WS 2003 servers and ING Life's core applications (sales illustrator, branch MIS tool, and its transaction processing Life 400) to Open Source would be a large-scale change initiative. He was also acutely aware that nobody in the ING Group had ever attempted something as radical and that if he wanted to do this he would need to make an air-tight case to the senior management of the group in Hong Kong. Subramanian was certain the management would first want to know if less extreme options had been covered. So he approached Microsoft for a more cost-effective solution. According to Subramanian, Microsoft lowered its cost by 20 percent by reducing the number of components it offered. That’s when he decided to present a SUSE Linux Enterprise Desktop (SLED) plan to the senior brass in Hong Kong. His case was built on three pillars: growth, cost and savings. He explained to them the low-ticket, high-volume strategy the Indian market was pursuing and then showed them pictures he had taken of some of ING Life’s more remote branches. “They were astounded that we were generating business from small shops by the roadside. That’s when I introduced the cost-effectiveness of an Open Source environment,” recollects Subramanian. But what really acted as a counterbalance to management’s doubts that Open Source could disrupt business was this: the strategy would cut the IT cost of a new branch by 25 percent and bring the total cost of setting up a new branch by 5 percent. It would also allow each desktop to pay for itself in seven years. Going Open Source dramatically reduced the Rs 85,000 ING Life was paying Microsoft for every PC running Windows XP over a six year period. The potential savings piqued their interest and they decided to send a risk assessment team to study the proposal. “This gave with me the confidence that I could indeed pull this off,” says Subramanian. “Savings like this are extremely important in bending the curve from increasing losses to breaking even,” says Marco Fredricks, financial controller, ING Life. “With such savings we have the choice to absorb the amount directly to our bottom line or redeploy the cash in sales growth activities.”

With management’s buy in, he returned to India and started on a pilot in April 2008. ING Life’s Jayanagar branch in Bangalore was chosen as the site for a two month pilot. Subramanian quickly had all of the branch’s computers moved to SUSE Linux. His team quickly learnt that some of their older equipment’s RAM and hard disks needed to be upgraded to adjust to SLED. Also, some printers had to be re-configured because it wasn't possible to get the right printer drivers for SUSE Linux. Then there was the most used application: e-mail. “People are used to downloading and archiving e-mail in a certain way on Microsoft. It’s a little different on SUSE. They had to get used to that quickly otherwise their mail boxes filled up and they wouldn’t be able to access their e-mail,” says Subramanian. But what astonished Subramanian was that there weren’t too many unknowns they confronted. “The results of the pilot were encouraging because we didn’t find any surprises,” remembers Subramanian. With the success of the pilot, Subramanian felt conficonfi dent of embarking on a final roll out. And he did it quickly. Between June and December of 2008, ING Life moved 1,200 of its 2,000 desktops to Open Source. “Right now SUSE Linux and Open Office are being used by 5,000 employees. That’s the magnitude of this change,” says Subramanian. It was change he wanted to meet head on.

gettIng ettIng On WIth the prOgram User adoption has traditionally been a stumbling block for Open Source. According to North Bridge Venture Partners’ 2009 Future of Open Source Survey, “unfamiliarity with Open Source software” was one of the five barriers enterprises cited to Open Source adoption. “When I first heard of the migration, I was very apprehensive. I thought the cultural shift would be very hard,” says Venkat Reddy Peddolla, deputy manager, customer service, Secunderabad, ING Life. “My biggest

“With savings like this we have the choice of absorbing the amount to our bottom line or redeploy the cash in sales growth activities.” — Marco Fredricks

Financial Controller, ING Life Vol/4 | ISSUE/12

4/28/2009 7:36:11 PM

ING Life will save Rs

8.6 crore over sixyears by migrating 2,000 desktops to Open Source. It now spends only about Rs 6,000 for a SUSE Linux license, compared to Rs

85,000 with Windows XP. Despite Rs 8 lakh

toward implementation and training, going Open Source will save it

Rs 43,000 on every machine over six years.

fear was adapting to a whole new range of changes. My level of technical expertise isn’t very high. Making adjustments to Linux was a big deal.” To ensure he didn’t become another failure statistic, Subramanian put together a multi-pronged strategy to ensure that the project, now in the air, stayed there. One of the first things he did was to ensure that users, enterprisewide, knew that management backed the Open Source push. And he found the strongest communication channels within the organization to spread the word: he sought management’s help to communicate the vision of the change. To help them Subramanian provided the management with “success sound bytes” from users who had made the transition and were glad to share their feedback. “The MD, Kshitij Jain, went to all the locations and talked about the benefits of this project. Similarly, Rahul Agarwal, who heads sales, and Shamit Gupta, the head of marketing, — both of whom travel to the field often — talked about the importance of getting this right. That brought about a change in perception. The senior management saw me through the project,” says Subramanian. For his part, Subramanian used computer based training (CBT) that would get users acquainted with the new interfaces and acquire the necessary skills and expertise to handle SLED. “I even visited small sites. We offered them a carrot: we’d be able supply them with more hardware for the same cost this way. They had a few issues but, by and large, they were willing to give it a try,” he says. “I knew the cost involved with working on MS Office and we all understood the

need to reduce that cost. I understood that it was only a matter training. The change was not as hard as I had anticipated,” says Peddolla. In the meanwhile, Subramanian had begun work on his trump card. Well before the roll out, he had the foresight to start training a core team of IT staff on Open Source. The 20-man project team comprised people who would form the fulcrum of the change and were trained for five months on Linux and UNIX. Now that the company had taken the plunge, he had a ready pool of resources who were trained on Linux and who could be his troubleshooters. He also hired an Open Source helpdesk team from an outsourcer. Although this was an extra overhead, Subramanian knew how crucial it was to provide IT support to end users in remote branches. The hired helpdesk handled first issues and escalated more complex problems to the in-house experts. “We have a remote support team, but we needed an additional, focused team to support people when they had problems. Pre-implementation, we had 30 people working on the helpdesk in two shifts. Post-implementation, we added 20 more people. Once we complete the migration, we will phase them out and go back to the original 30,” says Subramanian. The helpdesk proved to be great idea. Tickets to the helpdesk came in at 40 a day and solving these problems were important because they could have caused dissatisfaction that could have festered over time. “The most common problem was that people were not very clear how to do housekeeping on Linux,” says Vignesh Kumar N.P., senior manager, IT infrastructure, ING Life. Other user problems revolved around compatibility. “When we sent (remote offices) something from the head office which was on Window to the field which was on Linux, there were compatibility issues,” recalls Kumar. Another migration challenge was e-mail. Some employees who had

“The most common problem was that people were not very clear how to do housekeeping on Linux.” — Vignesh Kumar N.P., Senior Manager, IT Infrastructure, ING Life 26

Cover Story.indd 26

M a Y 1 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/12

Cover Story | Open Source been with the company for a long time kept their e-mails in an offline. “To migrate this and make it work on a new e-mail front-end from Linux posed a technical challenge because of the sheer volume of the files,” says Subramanian. For some of these issues, Subramanian went back to Novell to see how closely they could match Microsoft in terms of features. In the case of automatic archival of old e-mails, Novell gave them a solution which was close to the Microsoft way out, although not exactly the same. “We are working with them and they are progressively giving us upgrades closer to the Microsoft system,” says Subramanian. Importantly, as IT solved these and other issues, they were quickly collated into FAQs, which were uploaded on an internal site. This, says Subramanian came handy as new locations migrated to SUSE Linux.

Oh! fOr Open In retrospect, the amount of time that went into the planning of the Open Source project really paid off. “If we had not done that, I don’t think we would have been able to succeed. Managing and controlling a project and change across India isn’t easy. We needed good support infrastructure and the amount of planning that we did was important,” says Subramanian. Today, the helpdesk gets only 15 tickets a day — from over 5,000 employees. The project’s success isn’t limited to happy employees. Even after the adding the costs of travel for the implementation and onsite support (about Rs 4 lakh) and training (about Rs 4 lakh), Subramanian has still saved the company a truck load of money. At only about Rs 2,000 per SUSE license a year, he’s saving ING Life Rs 43,000 on every machine over six years. Back-of-the-envelope calculations of those savings spread across 2,000 machines add up to Rs 8.6 crore over six years. Today, the cost of setting up a small branch comprising three machines and one laptop cost has been brought down to about Rs 8 lakh. “We have been actively pursing initiatives which will help us manage our costs more effectively and this project embodies our strategy,” says COO Ashwin. Subramanian also has plans to wean the company off their current e-mail platform and the company’s propriety database, which should free up another Rs 3,000 per machine, per year.

At the moment though, Subramanian has only moved 1,600 machines, taking his total down to a neat Rs 6.8 crore. But he’s eager to change that quickly. The project was halted during the insurance industry’s peak season between January to March. The three-month gap gave Subramanian’s team a chance to proactively spot issues and resolved them. But come June, Subramanian plans to move the last 400 desktops to Linux. ING Life will need all the speed Subramanian and his team can muster if it wants to stay competitive. Although there is a huge market waiting — according to consultancy firm Celent revenues from India's rural insurance market will grow as much as four times to reach US$ 2.9 billion (about Rs 14,500 crore) by 2015 — ING Life’s rivals was already plucking the low-hanging fruit. In 2007-08, for example, ICICI Prudential Life exceeded its rural targets by 400 percent. ING Life isn’t taking the attack lying down. “We have a high level of penetration in the rural and semi-urban areas of Andhra Pradesh and Karnataka. Over 50 percent of our branches are in the four states of South India,” says Ashwin. ING Life, which grew by about a 100 branches last year (up from 40 the year before) knows that it has plenty of catching up to do. Hopefully, the monies that Subramanian’s saved will go some distance in opening up India’s heartland for them. CIO Sneha Jha is correspondent. Send feedback on this feature to sneha_ jha@idgindia.com

“If we can package the whole thing on a shoestring budget, we'll be able to target more sales and service centers countrywide. That, I think, is the crying need.” — Ravishankar Subramanian

Director-IT & Corporate Services, ING Life Vol/4 | ISSUE/12

Cover Story.indd 27

4/28/2009 7:36:49 PM

Cover Story | Open Source

Is Microsoft's War on open pen Source Over Is Microsoft a friend or foe of Open Source? Going by the company's actions, Microsoft can't seem to decide whether to make love or war. But if it's war, Microsoft appears to lack the legal weaponry to defeat or even disturb its adversaries. By ElizaBEth MOntalBanO

n one hand, Microsoft has extended an olive branch to the Open Source community, donating code to projects and backing big-name Open Source organizations like the Apache Software Foundation as part of an effort to do more than ever to acknowledge that it must work alongside Open Source, not fight it. On the other, it has continued to seek payments for patents it holds that are found in Open Source technologies and in general uphold its proprietary intellectual property licensing strategy â&#x20AC;&#x201D; the opposite of the philosophy behind Open Source. Microsoft 28

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Reader ROI:

How Microsoftâ&#x20AC;&#x2122;s mixed signals could hurt it Why Open Source is here to stay What Microsoft wants from the Open Source community

Vol/4 | ISSUE/12

Cover Story | Open Source has long held patent-infringement and possible litigation over the heads of Open Source vendors, at one time claiming that Linux infringed on more than 230 of its patents. Whatever plans Microsoft may have in reserve, Open Source companies, developers, and proponents say it doesn't really matter. With Open Source a powerful business model and force in its own right, they are more secure than ever that the software giant poses no real threat to their movement. It will take more than Microsoft to stop the momentum that Open Source — in particular Linux, which powers some of the largest networks in the world, including Google's — has in the market, they say. "Is its future threatened? No. Open Source isn't going anywhere," says Stephen O'Grady, an analyst with RedMonk. Even if Microsoft were to assert all of the patents the company claims to hold in Linux and other Open Source projects — which it would have a hard time doing — it still could not stop developers from using Open Source tools and software nor stop companies from adopting Open Source business models, he adds. "[Open source] is a style and an approach and a model that is here to stay," O'Grady says.

How Microsoft Is Accepting Change Most recently, Microsoft settled a patent-infringement case it filed against GPS device maker TomTom over patents that involved TomTom's implementation of Linux, a case that stirred up old feelings among Open Source companies that Microsoft plans to reignite a patent fight against them. Microsoft insisted the TomTom suit was a patent issue and not any specific grievance against Linux or Open Source software.

If Microsoft continues tO flip-flOp On OpEn SOurcE, it cOuld StyMiE itS aBility tO kEEp dEvElOpErS in thEir cOrnEr, as well as hurt the company's ability to keep up with a rapidly innovating market. 30

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Most of the Linux community accepted that assessment, but leaders such as Jim Zemlin, executive director of the Linux Foundation, says that any patent litigation against a technology that involves Open Source will keep the community wary. "It's just another example in the mind of an Open Source developer that this is not a positive company to be jointly working on development projects with," he adds. To be fair, Microsoft's stance on Open Source has changed remarkably over the last year or so, and at least a part of the company isn't trying to make Open Source go the way of the dinosaur, says RedMonk's O'Grady. This change is due mainly to Sam Ramji's Platform Strategy Group, formed a little over a year ago. Part of the duty of the group, which Ramji leads, is to reverse the message of Microsoft's previous and infamous ‘Get the Facts’ campaign, which aggressively tried to show customers the value proposition of deploying a Windows environment instead of Linux. The group also is trying to prove that Microsoft is reversing its us-versus-them attitude about Open Source and convince customers that the two technologies are not mutually exclusive and in fact can even be complementary at times. "Both Microsoft software and Open Source software exist within a larger industry context with numerous development approaches, licensing models, mixed IT environments, and the realities of a new economy," Ramji says. "We need to continue to ground ourselves in that context and acknowledge that Open Source software development is here to stay — including at Microsoft and among many people who develop with and use Microsoft technologies every day." Ramji and his cohorts do indeed seem sincere about their efforts to support Open Source. In a first for the company, Microsoft actually has Open Source code in a product it acquired as part of its purchase of Powerset last July. The HBase component of Powerset's product has Open Source code that Microsoft is actively redistributing back into the Apache Software Foundation's Hadoop project. In addition to the Powerset code, Microsoft also for the first time in 2008 began contributing other code to Open Source projects. In July, Microsoft began providing code to a PHP project called ADOdb. PHP is an Open Source, freely available scripting language that developers widely use for Web development. Microsoft also has become a sponsor of Apache, which required the company to provide funding for the foundation.

Mixed Messages But cases like the TomTom suit and puzzling publicrelations efforts — like the release last year of a case study showing how purchasing Microsoft products instead of

Vol/4 | ISSUE/12

Cover Story | Open Source Microsoft’s Conflict Open Source products gives customers a better return Even if Microsoft's intentions toward Open Source — on their investment — continue to show the company's particularly those of Ramji's organization — are good, conflicted attitude. several factors will limit the company's ability to act on Such mixed messages may hurt Microsoft. "Microsoft those intentions. For example, Ramji's hands are tied as has enough smart people at the company to know that to what he can do to promote Open Source and free up the longer they delay taking advantage of Open Source, Microsoft's licensing restrictions because not all of the the more they jeopardize their position," says Andrew company is totally on board with his efforts. Updegrove, a partner and intellectual property attorney And because Microsoft's revenue relies on proprietary with Gesmer Updegrove and an outspoken advocate of software, supporting Open Source — although necessary Open Source. in some respects — is fundamentally He says Microsoft has an "unnatural a paradox for the company, says Eric advantage" in the marketplace because of Raymond, an Internet developer and the depth and the breadth of its customer Open Source advocate who co-founded base. "But they're going to lose that the Open Source Initiative. advantage because they are going to be Raymond says Microsoft will have too far behind everyone else in design, a hard time reversing some of its developers, and strategic thinking," he proprietary strategies now, because says. "They need to reverse polarity as have implemented much of its revenue is based on products soon as possible." Open Source software, like Windows and Office that are a de The popularity of Microsoft's software or plan to pilot it this facto standard in the market and can has always been driven by software year. A majority are be controlled only because they are developers, and Microsoft still has a driven by the need to closed source. Raymond says this sort loyal developer following. However, cut cost. of business model limits anyone, even many developers prefer to work with Source: Forrester Research Ramji and his organization, who is Open Source technologies for a slew trying to change Microsoft's attitude of reasons — among them they don't toward Open Source. "He can be open have to wait for updates from a vendor only where it doesn't affect Microsoft's control of the to make bug fixes, and the fact that many Open Source customer base, and he can't be open anywhere that it tools are freely available as part of community projects. might," Raymond notes. If Microsoft continues to flip-flop on Open Source, it For its part, Microsoft seems to think it can continue to could stymie its ability to keep developers in its corner, as balance its interest in protecting its intellectual property well as hurt the company's ability to keep up with a rapidly — which the company sees as the key to innovation both innovating market. "There is a constant demand for for closed source and Open Source companies — with its better ways to do things, better ways to compete, and the newfound interest in co-existing peacefully with Open innovation that meets this demand typically never comes Source competitors. from a large organization," says Joe Lindsay, vice president "Microsoft respects and appreciates the great of engineering for interactive media firm Brand Affinity contribution that Open Source developers make in our Technologies and a longtime user of both proprietary and industry. ... However, partnership with all software Open Source software. "Innovation happens in smaller companies, including those commercializing Open Source organizations, and those organizations use the tools technologies, must be built on mutual respect for IP that give them the most options, power, or freedom to [intellectual property] rights," Ramji says. "All industry innovate. These ideas used to be commercialized by large players must play by the same rules. Companies who companies, but that is no longer necessary for virtual distribute Open Source software also litigate to protect products like software." their IP, when they believe it is necessary to do so." Lindsay says that Microsoft's strength has always been Even if Microsoft can no longer dislodge Open Source, making innovation accessible to the average user rather it can still conduct skirmishes when its interests are than being a great innovator itself. But continuing to keep threatened. But the Open Source community is now a tight hold on licensing its code could weaken even that strong enough to fight back. CIO strength, he says. "Microsoft does not sell software that lets folks freely innovate; it sells software that lets folks innovate after paying Microsoft for Microsoft software and requires users of the innovation to pay Microsoft as well," he says. "It is a great annuity for Microsoft, but a cumbersome liability for the innovator and his users." Send feedback on this feature to editor@cio.in

46% Of businesses

Vol/4 | ISSUE/12

REAL CIO WORLD | M A Y 1 , 2 0 0 9

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

In growth mode and wanting to touch base with customers across the globe, Specsavers, the worldâ&#x20AC;&#x2122;s largest privatelyowned opticians, needed to get to the market quickly. a standard deployment model gave the company the power to cover more ground faster. By Rhys Lewis

Case File

‘Should have gone to Specsavers’, runs the slogan,

Illustrat io n by MM Shanit h

and with branches opening on more high streets in more countries than ever, customers are realizing that they can indeed buy their new frames or lenses from the world’s largest privately owned opticians.

Specsavers is in a period of growth powered by an IT strategy aimed at producing a common customer service through global partner agreements like the services deal signed with Fujitsu Siemens Computers Infrastructure Services (FSC) in October. The deal with FSC, established eight years ago to cover the UK, Ireland and the Netherlands, was extended in October to support Specsavers’ further global expansion. The agreement effectively creates a standard deployment model for Specsavers stores the world over, and covers procurement, commissioning, installation, management and ongoing support for both hardware and software. By producing this standard deployment model for Specsavers’ IT, the FSC deal lets Specsavers open a new store in less than 11 weeks, anywhere in the world. “We’ve just rolled out 100 stores in 100 working days in Australia,” says Specsavers’ CIO Michel Khan. “We couldn’t have done that unless we had a really highly-geared process. It’s Specsavers-in-a-box, a complete set of applications covering merchandising, finance and distribution. It’s a global framework for expansion.” With new stores opening in Australia, New Zealand, Finland, Denmark, Norway, Sweden and Spain in 2008 alone, the FSC package is giving the firm a head-start on rivals. Because of varying legal, financial and healthcare requirements in the different territories, the boxed models are

Vol/4 | ISSUE/12

Case Study.indd 33

network operator Vanco (now Reliance, slightly different, but as these differences (not to be mixed with the Indian Reliance are incorporated into the systems before Group), signed in February for a five-year distribution, it doesn’t delay expansion. term. “I have an IT team in the UK with The Reliance deal reassures the IT team retail system skills. They build software, that wherever they decide to open stores, implement it and are a SWAT team that there is a reliable telecom infrastructure goes straight into new countries and in place to connect the store up to the identifies what we need to do to migrate local supply chain and to the head office. to that country,” says Khan. “The “They are ready and waiting for us,” Finnish application, for instance, may says Khan, who stresses the importance be very different from the Australian of economies of scale achieved through application, but it does have the core having global partners. “We’ve set up a Specsavers business process to service framework for global growth.” the customer.” Even before these deals were sealed, The system means that every one of Specsavers’ growth far exceeded its Specsavers’ 1,250 stores offers the same projections. In 2005, the company’s vision level of service and range of frames and was to have 1,000 outlets and achieve £1 lenses as the next. It covers every aspect billion (about Rs 8,000 crore) turnover of the buying process from the eye test by 2010. As it was, the 1,000th store was and choosing frames to checking the opened in Roosendaal in the Netherlands availability of lenses and, down the line, in November 2007, and the £1 billion mark issuing a reminder that your next eye test was passed in February 2008. is due. For all the consistency of platforms the “We spent a lot of time analyzing FSC and Reliance deals can offer, the true the business process before building flexibility and significant cost savings have Specsavers-in-a-Box,” says Khan. “The been achieved by Khan’s adherence to open real selling point isn’t the hardware, it’s the standards and Open Source software. The business process. We’ve got that right, and CIO says that using open standards offers that’s what we’re delivering everywhere. greater autonomy over upgrade cycles for Customers will get a consistent service both software and hardware level, and a consistent business Reader ROI: and keeps licensing costs process, whichever Specsavers How a standard down no matter how large the they go into.” deployment model installation, two factors that Global homogeny is also can speed up make it easier and cheaper for preserved by a £4.5 million expansion (about Rs 3,600 crore) WAN Why Open Source is a Specsavers to expand globally at the rate it has. management deal with good option REAL CIO WORLD | M a Y 1 , 2 0 0 9

4/28/2009 12:51:35 PM

Case File Open Minded “When I joined Specsavers 13 years ago, we had strategic decisions to make. An open standards base gave us flexibility and some portability,” says Khan. “First of all, it gives us a lower cost of deployment. When I’m buying one piece of software, I remember that I’m buying 1,000, so those Open Source components have actually taken out a lot of the cost of multiple deployments across the board. “The other thing is that we can define and control our own upgrade path. We’re not driven by things that have deadlines against them. We can stretch our assets better and we don’t have to change our hardware as often. “Integration and development tools are Open Source toolsets too, which has allowed us to bring down our development costs as well.” With rapid expansion of both high-street stores and infrastructure on the cards, support for Open Source moved up a gear in June 2007, when Specsavers migrated its in-store applications from Windows 2000 to Red Hat Linux. The company had already asked Open Source services group Sirius to create a centralized access control model for their UK workstations and network services. Sirius proposed using the OpenLDAP directory, which was implemented with Samba networking software and the Gosa graphical management interface. The final piece of the jigsaw was the Scalix enterprise e-mail system, an Open Source competitor to Microsoft Exchange Server, which replaced the incumbent SunOne e-mail system. Khan admits that open source systems may not suit every enterprise, but encourages fellow IT directors to at least consider the options. “I don’t know if it suits everyone, but I would encourage people to look at it closely,” he says. “There’s a fear factor from the connotation that Open Source is a free-forall and you don’t know what you’re getting, but if you examine it closely you are in a relatively tightly-controlled environment that’s not very different to a typical licensefee environment. It’s managed, it’s supported and it’s release-controlled. The real difference is the cost base. 34

Case Study.indd 34

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

“Most people would find some desk team with business aspects of Open Source that analysis skills and its own would be relevant, and I’d say datacenter, which is linked that a lot of applications will back to the central systems ultimately have Open Source on Guernsey. The common SNAPSHOT components as that gives software and hardware Specsavers firms a level of flexibility and components of SpecsaversEstablished: 1984 development capability that in-a-box mean that upgrades they cannot sustain in-house. can be pushed out of the UK Headquarters: Guernsey Otherwise, you end up with hub and made live worldwide thousands of developers and in one go. Branches: 1,000 worldwide a legacy environment that’s The central datacenter difficult to migrate.” itself has a combination of Staff: 17,000 worldwide Following the in-store Red Fujitsu and Sun servers. Hat roll-out, Khan admits he There are no Fujitsu finds it irresistible to compare other retail engineers on site, but the company is systems with his own. tied to a conventional SLA. A monitoring “I go into stores and I peer at their arrangement means Fujitsu can watch terminals. I did it in passport control the the servers and alert Khan’s team to any other-day and had a telling off,” he chuckles. problems. Specsavers’ own staff can make minor hardware repairs, but anything more serious and Fujitsu engineers have Beyond Borders to cross the Channel. Khan is certainly familiar with passport “If we have a major issue, Fujitsu have checks, with Specsavers’ central operations to fly in. So they have a challenge to meet being based on Guernsey, where the their SLA, which is the same SLA as company was founded by husband-andthey’d have with a UK-based firm. But we wife optometrists Doug and Mary Perkins do have a close relationship with them, 24 years ago. Specsavers is the island’s largest private which is quite important.” employer, employing 650 people out of a As well as the IT function, Khan also population of 60,000, and despite some heads up Specsavers Aviation, a twolimitations of island life, there are no plane private airline that bypasses the plans to move IT operations or the global restrictions of scheduled airlines and datacenter wholly to the UK. provides direct flights to destinations that “There are challenges. Guernsey is would otherwise take a few hops to reach. an island, so it has a finite work pool. “The office in Southampton is 20 Telecommunications links are finite too, minutes from the airport. I can be in that although with the Vanco network we’re office at 7.30am, and I can leave at 5.30 able to get much more bandwidth. and be back home at 7.30, so I get a full “Getting on and off the island can be day. People coming from Southampton difficult, the fog comes in, flights are can be in Guernsey at 9am and leave at cancelled and you can be locked in for an about 5. extra day or two. The ferries can’t run in bad “We can fly to Holland under our own weather either. There’s no pattern to it.” steam and I can get to Dublin and back in Khan’s central IT team is split between a day. It gives us better use of people, time two bases. Thirty members of staff on and resources.” Guernsey run the datacenter and provide But customers concerned that the IT support for the headquarters. Across the green of Specsavers’ logo isn’t reflected channel in Southampton, 120 people make in its environmental policies needn’t be up the global support team, providing concerned. Long-time adoption of IP business analysis and retail expertise to telephony means Khan can meet colleagues develop the software for each country. in Australia, developers in California In addition, each territory has a small IT and outsourced staff in India regularly unit of 10-20 people comprising a service via videoconferencing.

Vol/4 | ISSUE/12

4/28/2009 12:51:36 PM

Case File

A Spectacular View

With Specsavers-in-a-box model, the company has reached out to the world fast.

Thanks to the model, now all of Specsavers’ 1,250 stores across the world offer the same level of service.

“Twelve years ago, when everyone else was looking in a different direction, we went for IP technology as our WAN,” he recalls. “It was quite immature then, but it has stood us in good stead. It’s got better and everyone’s got IP today. One of the first things we do when we go to a country is to link the IP up, get the network in place and put a videoconferencing in so that whoever goes out there can meet with us easily.” Khan is in his thirteenth year at Specsavers, joining in January 1996 when the company had only 180 stores and very little in terms of a coherent IT strategy. Stores would buy their own point-of-sale systems and there was no central customer database. One of his first projects was to answer a straightforward question: ‘how many customers do we have?’. A survey established that Specsavers had six million customers, and their profiles and buying habits were stored in a database that’s still going strong today, 12 years and 14 million customers later, and now feeds into a retail marketing system that sends out 250,000 letters a week. “We’re still using the same database we

Vol/4 | ISSUE/12

Case Study.indd 35

started 12 years ago. It’s sustained its life and it has scaled,” says Khan.

Eyeing Incentives His achievements have not gone unnoticed in the industry. Khan was awarded the Albert Heijn Lifetime Achievement Award at the Global Retail Systems Awards in 2005, and the IT Director of the Year at the 2005 Telegraph Business Awards. Specsavers’ IT team recently won the Retail Systems Award for IT team of the year, mainly thanks to Specsavers-in-a-box and the Australian roll-out. But whether an award is personal or for the whole IT team, Khan agrees that it reflects well on Specsavers. “It’s peer group recognition for the Specsavers IT team. It’s not a one-man band, hence the team of the year award. But it does help within the industry for other people that look on Specsavers IT and see that there is something leading edge, highly skilled and sophisticated here, so I think it does help our recruitment.” Over the next 12 months, further expansion is the aim. A follow-up to

With Open Source, the company now has greater autonomy over upgrade cycles, keeping licensing costs down.

Specsavers-in-a-box is in the pipeline in the shape of a common manufacturing process. This can be implemented in every Specsavers territory to speed up the process — and reduce the cost — of manufacturing lenses and delivering the finished spectacles to the customer. With an eye on the future, Khan says, “We’re currently working on a manufacturing-process-in-a-box. That will allow us to open manufacturing plants easier elsewhere in the world as well. So we’ve designed the manufacturing process we need using a robotic environment to produce the lenses and deliver the product to the customer. That will be delivered sometime next year.” With the company selling 18 million pairs of glasses a year, and a revised target of 2,000 stores on the horizon, the plants, like Khan, are bound to be busy. CIO

Infographics BY MM Shanith

Specsavers can open a new store in less than 11 weeks anywhere in the world.

The model covers every aspect of the buying process — eye test, choosing frames, checking the availability of lenses.

Send feedback on this feature to editor@cio.in

REAL CIO WORLD | M a Y 1 , 2 0 0 9

4/28/2009 12:51:38 PM

EVENT REPORT

Presenting Partner

Bounce Back

with More Force A downturn is the best time for businesses and IT leaders to prepare for growth. Virtualization, cloud computing, green IT and staying positive are some ways to keep ahead.

“this is not business as usual. the ones who adapt to change are the ones who will survive." Neelam DhawaN MD, HP India

“every thing that drove inflation rates up earlier in the year, also drove it down significantly later." Dr. Subir GokarN Chief Economist, Standard & Poor’s, Asia Pacific

The law of evoluTion has always supported the survival of the fittest. With the recession shaping up as a fight for life, many organizations are choosing to evolve their way out of it. They are now cashing in on opportunities that the current state of the economy has to offer. HP’s two-day event The New Economics of IT in Goa was aimed at imparting and sharing ideas to leverage the downturn and emerge stronger. Neelam Dhawan, MD, HP India, gave an overview of the event’s agenda and said that few have adapted to the current environment. “This is not business 'as usual’. Those who adapt to change are the ones who will survive,” she said. Dhawan pointed out how her organization was geared to help organizations leverage the slump. Dhawan observed that IT is expected to help the business take advantage of opportunities that are arising out of this new economic era, by reacting quickly to deliver new services that drive growth. She

EVENT REPORT

explained how HP works constantly towards developing solutions for clients to fight the downturn better and keep future needs in view. Dr. Subir Gokarn, chief economist, Standard & Poor’s Asia Pacific, expressed his views on The Indian Economy in 2009: Resilience or Regression. He began by explaining how the economy got into the situation it is in today. With the auto industry feeling the pinch, declining exports and a bleeding manufacturing sector, there has been a significant slump in growth, he said. Gokarn said that barely six months ago inflation was hovered at 13-14 percent and that while worsening global conditions have hampered the economy, they have also brought inflation down. Other positives are the rural economy and the public sector. With 16-17 percent contribution to the GDP, the agriculture sector, says Gokarn, has been immune to the slowdown. While talking about Computing: Everything as a Service, Chris Whitney, director service automation & integration lab, HP, said, “Cloud is a repository of services. The browser has transformed the way we do things.” The cloud has opened the door for evolutionary transformation, he said, making consumers' lives more productive and comfortable. Google, Salesforce.com, Apple, and Amazon have moved to the cloud, clearly indicating that the cloud is growing. And the time is ripe to take advantage of the cloud. “The slowdown is the right time to embrace the cloud because it brings a host of benefits. It is elastically scalable, easy to use, reliable, secure, cost effective, and more importantly there is no need for negotiation and contracts.” Industry expert, Prof. Sourav Mukherji, associate professor, organization & strategy, IIM, Bangalore, spoke about the Evolving Role of CIO through Business Cycles, and maintained that economic downturns provide an opportunity for IT to provide strategic inputs to their businesses. For this to happen, CIOs and their teams need to play a more decisive role in defining the organizations’ business agenda. He added that it’s easier to drive change during a crisis, and it pays to centralize, get more value from existing resources, and move up the information value chain. “Review processes, review business models, experiment and innovate, in order to create a positive impact on bottom and top lines — this is the best time to start playing on the demand side,” he said. During a depression, he said, CIOs need to network more than before. Following closely, Anthony McMohan, VP-software, HP APAC, spoke on Driving Business Values and IT Efficiency for Better Business Outcomes. He said that after the last recession ended, the industry saw a 40 percent increase in new leaders. “What are you planning to do as a CIO?” he asked. "Do you have a plan to take to your CXO to drive the changes that can be made during this time? Strategizing is extremely important here. How do you plan to accelerate growth and how do you plan on mitigating risk while lowering costs." Applications that HP offer can help take the entire value chain to a higher level, he explained. Time-to-market, project management and IT staff improvements can be all be speeded up using these applications, he concluded.

“the cloud is a repository of services. the browser has transformed the way we do things." chriS whitNey Director, Service Automation & Integration Lab, HP

“During a slump, cios need to become drivers and not remain supporters of growth." Prof. Sourav mukherji Associate Professor, Organization & Strategy, IIM, Bangalore

“after the last recession ended, the industry showed a 40 percent increase in leaders." aNthoNy mcmohaN VP, Software, HP APAC

“cios will need to stay ahead of the curve because no one can tell where business is heading." alaGaNaNDaN balaramaN VP-HR & Process Architect, Britannia Industries

EVENT REPORT

“the slowdown is an opportunity and an obligation that we need to take advantage of." DaviD briSkmaN VP & CIO, Ranbaxy

“we all need to face this reality: we can’t do what business doesn’t require." aruN GuPta Customer Care Associate & Group CTO, Shoppers Stop

“assessment of energy consumption is very necessary in order to make informed decisions." jeaN-clauDe va v NDerStraeteN Environmental Director, HP APAC

“we strive for a rapid response to a business needs and a tight linkage of business with it." DurGaDutt NeDuNGaDi Director, Technology & Alliances, HP India

“Visualization and repeating affirmation are important stepping stones to reach our goals." Dr. aarti khoSla Founder, Prerna School of Inspiration in New Delhi

Next on was a panel of IT leaders who discussed virtualization's impact on enterprise IT. They brought up issues that CIOs faced or could face and Aman Dokania, VP & GM, software technology solution group, HP APAC, contributed with some ideas of how HP’s applications could help resolve these issues. Sunil Mehta, Sr. VP & area systems director - Central Asia, JWT, suggested that virtualization takes patience, experience and time to deploy. The next generation benefits of virtualization were also discussed. Sunil Rawlani, CIO, HDFC Standard Life Insurance, pointed out that the need for space, energy, and efficiency will push organizations to adopt virtualization. Pravir Vohra, group CTO, ICICI Bank, shared his experience of virtualizing a large number of servers, where he says the main objective was increasing efficiency and the utilization of resources. Everyone agreed that infrastructure efficiency was the primary reason for most organizations to virtualize. Talking about Navigating the Slump, Alaganandan Balaraman, VP-HR & process architect, Britannia Industries, took a new direction on the slump. He observed that because the art of predicting is no longer useful, an organization’s responsibility to do what it can, in the now, is more urgent. He called for changes in three areas: structure, process and culture. He also stressed on the importance of focusing on costs, substantiating his views with experiences from Britannia. He cautioned CIOs to pay more attention to the rapidly changing business environment and suggested that technology needs to be uncertaintybased. Processes that are supported by IT need to be more flexible; employees need to be given the choice to create prototypes; and it is important to be loosely-coupled, he said. And this work must happen at a fundamental level. “Dealing with uncertainty has to happen at the architecture level,” he said. In closing he suggested that CIOs, like their businesses, must move away from a paradigm in which they set a goal and then start creating the capabilities to get there. Don’t Waste a Good Crisis was the idea of David Briskman, VP & CIO, Ranbaxy towards the downfall of economy. He talked about the different push areas that CIOs should focus on during a slowdown to leverage it. But first he stressed that the CIO-CXO dialogue needs to move from ‘you-can-only-spend-this-much’ to one in which a business leader sees a need and demands for it. He then looked at cost from three angles: fixed, variable and discretionary, and studied ways to reduce them. Some of his ideas included checking whether you need services you have signed up for and sweating assets. He suggested, “If you can’t align a project to your strategy, don’t do it and outsource when you can, but don’t outsource leadership and design.” In parting he said, “When you see an opportunity, take it. Don’t get boxed in. The slowdown is an opportunity and an obligation that we need to take advantage of for our businesses.” Arun Gupta, customer care associate & group CTO, Shoppers Stop, echoed some of Briskman’s thoughts on changing the way CIOs interact with the business and the CFO in particular. In this context, talking about Sleeping with the Enemy, Gupta gave examples

EVENT REPORT

of some CIOs who tried to push projects in a company that didn’t require them. “I think we all need to face the reality; we can’t do what business doesn’t want,” he said. That said, he also gave some pointers on how to get a project passed. The savings route he said did not work for him, but pointing to what the competition was doing certainly did. He also said that he never created an IT budget. “I let the business create the budget based on the services they want,” he said. Speaking about business and IT alignment, he said, “Railway tracks are always perfectly aligned and never meet. I think there is a need for them to meet.” Environment change being a high-level trend, Jean-Claude Vanderstraeten, environmental director, HP APAC, talked about how better business outcomes could equal better environmental results. His discourse revolved around how environmental considerations could be embedded in to IT operational plans and objectives so that better business results could be achieved. He said that as energy consumption in IT operations continued to grow, there was an opportunity to bridge facilities and IT beyond the datacenter and across the entire IT domain to manage energy as a business lever that could enable productivity, growth and alignment to environmental objectives. “The assessment of energy consumption is very necessary in order to take informed decisions towards reducing it,” he said. He also demonstrated some solutions that could help companies achieve a carbon-neutral balance. Changing Datacenter Economics was the theme on which Durgadutt Nedungadi, director of technology & alliances, HP India, spoke. He observed that currently all savings, whether in cost or energy reduction, boiled down to managing datacenters. Discussing datacenter architecture, he explained how adaptive infrastructure could deliver next-generation datacenters that could meet certain vital business expectations. “An ideal datacenter must respond to a business order with a service and it must function totally lightsout (should be automated)," he said. Putting forth his organization’s vision for next-generation datacenters, he said, “What we strive for is a rapid response to a business order with service, a tight linkage between business and an IT process and a completely dynamic automated infrastructure that is tightly managed.” It’s the law of attraction and also the mantra to beat the slowdown: You can have what you want; it’s all about the mind. On the last day of the event, Dr. Aarti Khosla, founder, Prerna School of Inspiration in New Delhi, in an Inspiring Mind Workshop explained why it is important at a time like this to train the mind to be affirmative. In a slowdown, "we should focus on turning our dreams into reality. One should show confidence and faith and persevere till success is reached. Visualization and repeating affirmation are important stepping stones in reaching our goals,” she said. She emphasized the need to ward off doubts from the mind because it lessens its power, making it weak. The primitive mind, Khosla said, has two major instincts – the fight and flight response. To tackle the slowdown, what do you choose?

“Virtualization as a technology is maturing. it is opening up a lot of benefits beyond consolidation." amaN DokaNia VP and GM, Software Technology Solution Group, HP, APAC

“Virtualization improves efficiency but you have to be diligent over what you want to do around it." SuNil rawlaNi CIO, HDFC Standard Life Insurance

“the main objective for virtualization at our bank was increasing efficiency and the utilization of resources." Pravir vohra Group CTO, ICICI Bank

“there’s no silver bullet to the virtualization approach; it takes time and patience to deploy." SuNil mehta Sr. VP & Area Systems Director - Central Asia, JWT

untanglIng

SaaS can plug business needs as they crop up. But this unplanned, rent-as-you-need approach can create new integration challenges. How to ensure SaaS’ flexibility doesn’t leave you in a twist. By RoBeRt L. MitcheLL and MaRk eveRett haLL

Reader ROI:

Why SaaS' needit-now culture can create siloes How to avoid SaaS integration pitfalls The need for a strategist

When Hines Interests launched its real estate investment trust business, Hines Real Estate Securities, as a complement to its real estate development business, it built its IT infrastructure around a bevy of SaaS products. But the need to exchange data between various hosted applications — transaction processing, CRM, literature-fulfillment, and expense and vendor payment systems — created a tangled web of integrations linking SaaS to SaaS and SaaS to on-premises applications.

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Il lUStrat Ion by an Il t

It was almost too much of a good thIng.

Vol/4 | ISSUE/12

SaaS

It's the SaaS twist: Add too many applications, and you might to find yourself back in the bad old days, when the various applications in the corporate infrastructure wouldn't talk to one another. "When you're heavily reliant on SaaS, you're putting yourself in the position of siloed data once again," says Benny Lasiter, business systems architect at Hines Real Estate Securities.

Reeling It In More enterprises are increasing their reliance on SaaS. You only need to scratch the surface to see that SaaS is becoming a strategic tool for users large and small with an array of IT needs. Take Medco Health Solutions in New Jersey. The US$45.5 billion (about Rs 227,500 crore) prescription benefit management company has more than 20,000 employees, and compliance is a strategic part of its business. Jayme Antonoplos, director of compliance management, says employees must heed and monitor a broad range of regulations, including internal ethics mandates, prescription drug laws and the Health Insurance Portability and Accountability Act. Until 2006, the company oversaw its compliance efforts with a patchwork of internally written applications. Since then, Medco has begun shifting to on-demand services. One of SaaS's key advantages â&#x20AC;&#x201D; speed â&#x20AC;&#x201D; has already proved its worth during some recent acquisitions. "Compliance activities have to start quickly," usually within 30 to 60 days of absorbing a new company, says Antonoplos. SaaS advocates often point to the speed at which on-demand applications can be deployed. Keitaro Shigemasa, CIO at Link Theory Holdings, which

Top 5 SaaS Drawbacks 1. Integration with existing data 2. Potential security risks 3. offline connectivity 4. Vendor lock-in 5. network bandwidth Source: Computerworld survey, March 2009

Vol/4 | ISSUE/12

Whose Burden? How are you tying in SaaS apps with your company's legacy data? Our IT department is writing the hooks 29% Our SaaS vendor is helping with the integration 29% We're not integrating with legacy data 16% The business units that use SaaS deal with integration 13% We're working with a SaaS integration specialist 4% We're using a specialized SaaS integration tool 2% Other 7% Source: Computerworld survey, March 2009

produces the Theory brand of women's apparel, says time was a key factor in its decision to adopt Sky IT Group LLC's SkyPad business intelligence dashboard for point-of-sale analytics. And like Medco, New Yorkbased Link Theory is a large company with multiple stakeholders in the system. "We could have done it ourselves," Shigemasa says. "But we lacked the staff and the data warehouse tools. Plus, it would have taken three months or so to get it done." It only took four weeks to deploy SkyPad, he says. And Shigemasa praises the service because it requires little effort from his staff to train or support users. And Saas is beginning to shed its only-for-CRM image. Kenny Gravitt spent 33 years working at IBM and Lexmark International recovering used hardware assets and reusing the parts in refurbished goods or selling them. After a brief but boring stint in retirement, Gravitt started Global Environmental Services LLC, a 20-employee electronics recycling company last summer. REAL CIO WORLD | M A Y 1 , 2 0 0 9

SaaS Having been nurtured on IBM's sophisticated ERP systems, Gravitt understood how vital it was to track the growing inventory of gear and the tens of thousands of discrete parts in his 70,000-square-foot warehouse. But his initial Excel- and Access-based inventory system fell well short of meeting his needs. That's when Gravitt discovered SmartTurn, an online inventory management service from SmartTurn. He credits SmartTurn with giving his customers sophisticated insight into his supply chain operations without a pricey IT investment. The SaaS tool, he says, "has won us two contracts" with major computer vendors, who pay the company to recycle hardware in Kentucky but can track progress in real time over the Web with SmartTurn. "It's our advantage over the competition," Gravitt says.

Tangled Up All this popularity could hurt SaaS. In many organizations, SaaS offerings sneak in through the departments within individual business units, often without the knowledge of IT. Rogue projects have become "the profile of SaaS" in the enterprise, says Ron Papas, senior vice president and general manager of Informatica Corp.'s on-demand group. Later, as those applications multiply and grow, problems arise. "You do it once, twice, and five times later, you have these disparate solutions coming into the IT infrastructure. There's no strategy, no consistency, and there's a problem," says Benoit Lheureux, an analyst at Gartner. "Most companies don't even know that they should have a SaaS integration strategy, let alone align that with their internal B2B integration strategy. That is a huge problem." But you need not go it alone. As IT executives are working through their SaaS tangles, they're developing

Who's in Charge? IT department 71% End-user departments 16% Joint management 9% Other 2% Don't know 2%

Source: Computerworld survey, March 2009

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

Top 5 SaaS Applications 1. Customer relationship management 2. Human resources management 3. Collaboration 4. t travel expense management 5. Sales incentive management Source: Computerworld survey, March 2009

fresh integration strategies and getting help from new tools and integration specialists. Things can go wrong even after SaaS applications are integrated with the rest of your infrastructure. Pervasive Software lists three of the most common challenges. New features that raise the bar. The SaaS vendor adds new features that you would like to use. Example: the vendor offers more granular reporting, but the process flows you've built need to change to take advantage of that. â&#x20AC;&#x2DC;Improvementsâ&#x20AC;&#x2122; to the SaaS vendor's API. SaaS vendors may revise application programming interfaces several times a year, and that can cause problems with customized integration work. Example: outbound messaging is a mechanism that notifies another application that a change to the data has occurred and that an update may be needed on the other end. "For various reasons, SaaS vendors have had to change how that signal appears to the outside world," says David Inbar, director of marketing at Pervasive Software. That forces changes that may appear to be small details but still require altering your integration process or mapping. Salesforce.com strives to ensure that updates don't break the way its API processes transactions. "Where that may fall down is if we change the behavior of the API calls. If it behaves differently, the customer's integration code may not know what to do," says Ariel Kelman, senior director of product marketing at Salesforce.com. To avoid such problems, the company keeps old API versions online. Self-inflicted wounds. You make changes to your business processes that break the system. Example: you build a system for purchase orders and then decide to split the workflow for small and large customers, changing the process and information flows through one or more SaaS or in-house applications.

The Need for a Strategist "It is essential to have a central architect with an overall picture of the data, someone who understands the business side of things and the technical implementation of that," says Lasiter. Otherwise, unexpected problems are bound to arise.

Vol/4 | ISSUE/12

SaaS For example, most SaaS integration projects touch backCloud Seeding end business applications, such as financial systems. As While Hines used on-premises middleware, it's becoming these links multiply, they swamp the central system. "All increasingly popular among other companies to use of a sudden, the performance of the finance application is integration-as-a-service (IAS) offerings from vendors crawling because you have all of these things connecting such as Boomi and Informatica. These provide a common to it," says Rick Nucci, CTO at Boomi, an integration tool integration hub for all SaaS-to-SaaS and SaaS-to-onvendor. "It's like the old EAI days. You end up with this premises integrations. spaghetti code effect." "The main reason to go with hosted integration tools The flexibility of SaaS and the ability to change vendors is rapid development," says Papas. While on-premises quickly also present challenges, such as how to reconcile new software tends to be upgraded every 12 to 18 months, SaaS applications with SaaS vendors may older data. For example, revise their software Lasiter switched SaaS three times or more vendors recently. "Now, each year. IAS vendors here we are doing endcan help ensure that 1. Develop an overall integration strategy that of-the-year processing, customizations for includes SaaS. and we have data from customers continue two vendors. All of that to work. 2. t take time to fully understand business process has to fit together for Zamil Industrial ITG, requirements before starting integration work. year-end reporting," a construction products 3. Hire an information architect with a deep he says. In the SaaS manufacturer in Saudi world, he says, things Arabia, had no problems understanding of the business process requirements as constantly change. It's up integrating its servicewell as the technology issues. to IT to manage all of the oriented architecture moving pieces. middleware with a Those headaches can service management be avoided by having an integration strategy that includes application from Service-now.com. "We implemented SaaS. But that runs counter to the ad hoc, need-it-now our SOA-based Oracle Fusion middleware before we culture into which many SaaS implementations are sold. went for Service-now.com," says Ahmed Abdrabalnabi, Ad hoc isn't always a bad thing, says David Inbar, service planning manager at Zamil. Integrating it with director of marketing at Pervasive Software. "It may employee information residing in Active Directory and an violate a lot of textbooks, but that's how a lot of business on-premises human resources application was "as easy gets done â&#x20AC;&#x201D; and gets done fast." But at big companies as drinking a glass of water." The process took just a few where dozens, or hundreds, of SaaS implementations can days, he says, but that's because integration requirements pop up, ad hoc projects can create a mess. were evaluated upfront to make sure Service-now.com For Lasiter, a structured integration framework evolved was the right fit. over time. Hines turned to SaaS because the real estate Although that time frame worked for Zamil's securities business had to be up and running quickly. implementation, it would be overly optimistic for most It needed a flexible system that allowed quick changes, integration projects. About 80 percent of integrations because business processes were still evolving. use basic technologies such as file transfers, and projects Lasiter also wanted all of the data in a common with SaaS applications tend to roll out faster than the repository for reporting purposes, so he decided to create 12-to-18-month window that's typical for traditional an on-premises database that would serve as the core on-premises applications, says Annrai O'Toole, vice repository and traffic cop for data exchanges. He used a president of integration at Workday, a provider of hosted tool from Pervasive to create the integration links. "We applications. Nonetheless, a typical integration project built an insulating layer of integrations that allow us to involving Workday systems, including the migration and maintain a central hub of data for reporting purposes," he cleaning of data, specification of business processes, and says. And the design allows Hines to switch SaaS vendors systems configuration, still takes around 70 days. CIO fairly easily. "We didn't try to do it all at once," he says. Instead, Hines added the integrations one by one over two and a half years. About 20 percent of the effort was coding. The rest involved defining business processes, analyzing data and figuring out the reporting requirements. Send feedback on this feature to editor@cio.in

Tips for Successful Integration

Vol/4 | ISSUE/12

REAL CIO WORLD | M A Y 1 , 2 0 0 9

EVENT REPORT

Presenting Partner

beyond the

Green fad IT leaders realize it’s time to identify the essence of green IT and act smartly to reap its benefits. “it’s very difficult to demonstrate the efficiency of the equipment in realtime environment." r. Muralidharan CIO, Syntel

“While revamping our it infrastructure we decided to shop smart and shop green." naresh Vatkar Divisional Head-IT/MIS, Goldshield Services

“We are trying to reduce the use of paper by introducing e-contracts in the organization." Chaitanya Wagh Group CTO, JM Financial

Recent months have seen a wave of corporate announcements about green technology and environmentally-friendly IT. While it’s clearly a monumental task and a great opportunity, organizations are still uncertain about going green. With global warming becoming a serious concern and the economic climate heating up, CIOs are under tremendous pressure to cut opex and account for the energy costs their systems incur. Is it time for CIOs to add 'energy czar' to their list of job roles? In order to understand how their peers are tackling the situation, IT leaders participated in a CIO Roundtable titled Green or Green Wash Whose Responsibility Is It? CIOs across different verticals shared their views on how their organizations are gearing up to use green IT smartly — extracting maximum value while bringing down operating expenses. GreeninG initiatives Talking about the greening efforts through which his organization saved energy and costs, R. Muralidharan, CIO, Syntel, said, “We are imparting a lot of education on saving power in our organization. Our business requires us to use a lot of paper; automating print, converting some print formats to online along with exchanging electronic data helps us reduce the printing requirements.” Naresh Vatkar, divisional head-IT/MIS, Goldshield Services said, “We have revamped our entire IT infrastructure, and we choose to shop smart and shop green. Greening in our organization happens on ad-hoc basis, like switching to more efficient resources available, using LCDs, Wi-Fi, and saving costs by cutting down the number of printers.”

EVENT REPORT Discussing about the initiatives his organization has taken, Chaitanya Wagh, group CTO, JM Financial said, “We are trying to reduce the use of paper and for that we have e-contracts in place. Right now, we are developing a work flow around it and it will be automated soon.” When asked about outsourcing the datacenter, V. Subramaniam, “There’s a need to keep CIO, Otis Elevator Company, said track of all greening that a planned approach could lead efforts before it becomes a to savings, “By moving to a vendor mandate.” center we saved on capex and we are saving a lot on operational daVid bluManis DATACEnTER ADVISOR, ASIA PACIFIC & expenses as well. He further JAPAn, APC added, “Process optimization leads to green, and right now we are automating all the processes in IT." Vikas Arya, CTO, Sistema Shyam Teleservices, said, “For insourcing or outsourcing a datacenter, energy is not the only deciding factor; cost of ownership and corporate strategy should also be taken into account.” To this S.S. Mathur, GM-IT Infrastructure, Centre for Railway Information Systems (CRIS) added that energy saving is all about efficiency, “Initial cost doesn’t really go up when you are moving to efficient systems, you just have to be a bit careful while designing. Simple things can help save energy.”

Green Wash With shelves adorning energy saving, eco-friendly products; and buzzwords like conservation, green initiatives, lean architecture doing the rounds, everyone is diving into the green. Should CIOs take the plunge and invest in green solutions or are there any parameters to help them shop in this rush to go green? U.C. Dubey, EVP-IT, IFFCO- TOKIO General Insurance, said, “When you procure any equipment in this scenario, you have to look at it from various angles, including performance, power consumption, manageability and reliability.” Ajay Kumar Meher, VP-IT, Set India/ Sony Entertainment Television India, agreed with Dubey and said that everyone claims to be green these days, but the consumers do not have any benchmarks or parameters to verify this. Voicing his concerns, Tamal Chakravorty, CIO, Ericsson India, said, “I don't want to see the product demos, I just need to see what difference

“Process optimization leads to green and we are automating all the processes in it." V. subraManiaM CIO, Otis Elevator Company

“for insourcing or outsourcing a datacenter, energy is not the only deciding factor." Vikas arya CTO, Sistema Shyam Teleservices

“initial cost doesn’t really go up when moving to efficient systems." s.s. Mathur GM-IT Infrastructure, Centre for Railway Information Systems (CRIS)

“While procuring equipment in this scenario, look at it from different angles, like realibility and efficiency." u.C. dubey EVP-IT, IFFCO-TOKIO General Insurance

“We want the vendors to explain the challenges involved in the solutions’ implementation." Pankaj sindhu Director-IT, Fulford (India)

“oeMs need to be sensitive and should consider efficiency before introducing any equipment." ajay khanna CIO, Eicher Motors

“We have a global mandate to go green and have set a target to cut down our carbon footprint." sunil Mehta Sr. VP & Area Systems Director-Central Asia, JWT

EVENT REPORT

“it is responsible for running the opex and it shouldn’t be hidden, as it is substantial amount." ruPinder goel CIO-Enterprise Services, Bharti Airtel

“in the airline industry, energy management is an organization-wide requirement." t.P. ananthesWaran CIO, Mumbai International Airport

“Whatever initiatives you take, make sure it is followed across the organization." C.r. narayanan Sr. VP-IT, DSC

“We, as it, are helping the operations to bring in as much efficiency as we possibly can." k.P. saPkota Regional Manager-IT, Intercontinental Hotels Group

“Greening is not all about involving it but the contribution of other departments as well." Virender Pal CTO, Spicejet

“anything that can promise short-term roi will capture the attention in a downturn." arun guPta Customer Care Associate & CTO-Solutions and Technology Team, Shopper's Stop

this would make to what I already possess and how much will it help me save." Muralidharan of Syntel said, “It’s very difficult to demonstrate the efficiency of the equipment in real-time environment although these are demonstrated in the vendor labs, but this hardly helps. One needs to look at it from a solutions standpoint.” In response to this, Pankaj Sindhu, Director - IT, Fulford (India), said, “As CIOs we have reached a maturity level where we don’t need the vendors to explain how much we can save by using these green products, but we want them to explain the challenges involved in its implementation.” Adding to this, Ajay Khanna, CIO, Eicher Motors, said, “A lot of sensitivity has to come from OEMs where they need to consider the efficiency before introducing any equipment.”

the it-facilities Mix When asked how the IT department in his organization is contributing to the green cause, Sunil Mehta, sr. VP & area systems director - Central Asia, JWT, said, “We have a global mandate to go green. We have set a target to cut down our carbon footprint. In this effort, IT heads are involved in managing facilities as well. If we can achieve what we have set to, we will do a favor to ourselves and the society.” Sharing his views on the same, Rupinder Goel, CIO-Enterprise Services, Bharti Airtel, said, “IT is responsible for running the opex and it shouldn’t be hidden, it’s a substantial amount and if you don’t watch the cost or don’t have enough visibility on this front, I don’t think it will bring any consciousness for you to do anything about it.” T.P. Anantheswaran, CIO, Mumbai International Airport, said, “In our industry, energy management is an organization-wide requirement rather than a pure IT-based requirement.” C.R. Narayanan, sr. VP - IT, DSC, said, “Whatever initiatives you take, make sure it is followed across the organization. I realize that most of the power consumption happens on the client side and there are multiple ways to reduce that consumption.” K.P. Sapkota, Regional Manager-IT, Intercontinental Hotels Group, added, “In our organization, IT is involved in finance, forecast and procurement functions. We, as IT, are helping the operations to bring in as much efficiency as possible." Virender Pal, CTO, Spicejet, said, “Airline industry does a lot of damage to the environment, so we can do small things to contribute to the environment. For us, greening is not all about involving IT but the contribution of other departments to conserve things is also necessary.” When asked if the present slump has accelerated the adoption of green solutions, Arun Gupta, customer care associate & CTOsolutions & technology team, Shopper's Stop, said, “Rip and replace will not happen now as it involves a lot of expenditure. I don’t think looking at green as a social responsibility will gain enough traction today as people are looking at conserving money right now. Anything that can promise short-term ROI will capture the attention.” Putting forth his views on this, Ajay Dhir, CIO, Jindal Stainless, said, “There’s a drive to conserve cost, and a need to be more ecosensitive. IT is aware of costs, not just IT costs but also power costs, and the slowdown has brought in a lot more awareness."

EVENT REPORT

“there’s a drive to conserve cost, and a need to be more eco sensitive." ajay dhir CIO, Jindal Organisation

“We are enforcing green in our organization from social responsibility stand-point." dhiren saV a la aV CIO, Kuoni Travel Group (India)

eco-friendly or econoMic-friendly? When asked how his organization went green, Dhiren Savla, CIO, Kuoni Travel Group (India), said, “We are enforcing green from a social responsibility standpoint. By reducing paperwork in our company we reduced paper usage and we also encourage our clients to send and accept documents in electronic format.” Whereas, S.K. Sehgal, GM - IT, SBI, said that greening is not just a social initiative, it is also makes economic sense. Atul Kumar, AGM - IT, Syndicate Bank, held the same view, “Green IT is not only about power saving, it is beyond that. For instance, thin-clients not only save energy but also guard against multiple threats and offer better manageability.” Sharing his views on this, Ashish Rane, DGM-IT, Apollo DKV, said that if he could contribute to the environment in some way by keeping customers happy and offering better services, his organization would like to go forward with green technology. According to S.C. Mittal, executive director-systems, IFFCO, production in processing industry involves high energy consumption. So automatically the cost reduction discussion arrives at reducing the consumption of energy. "But the organization is also contributing to the social cause of greening by trading carbon credits and properly disposing IT assets by donating it to rural schools," he said. David Blumanis, datacenter advisor, Asia Pacific and Japan, APC, tried to sensitize the greening issue by emphasizing on the need of tracking all the greening efforts made by CIOs in India. “The government will soon make it mandatory with the striding carbon emissions. Whatever you do now, will not be useful unless you substantiate it when the scheme is in place," he said.

Read more on 'Implementing Energy Efficient Data Centers' at www.apc.com/promo (download code: 12076q)

“Greening is not only a social initiative, it also makes economic sense for many organizations." s.k. sehgal GM-IT, SBI

“Green it is not only about power saving, it also helps beyond that." atul kuMar AGM-IT, Syndicate Bank

“We would like to contribute to the environment besides keeping customers happy." ashish rane DGM-IT, Apollo DKV

“in processing industry cost reduction is focused on cutting down energy costs." s.C. Mittal Executive Director-Systems, Indian Farmers Fertiliser Cooperative (IFFCO)

“i do not need demonstration of products but want to know what difference they make." t Mal ta al Chakra ChakraVorty CIO, Ericsson India

“everyone claims to be green but consumers do not have benchmarks to verify this." ajay kuMar Meher, VP-IT, Set India/Sony Entertainment Television India

Cloud Computing

Watching

Reader ROI:

How to monitor your provider’s performance Managing the cloud’s security issues

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

rian Corrigan used to run datacenters for major casinos, so he knows not to gamble with missioncritical apps. Now, he works in the other gaming industry — the one with joysticks and lots of shooting — building communities for online gamers and collecting information about game usage for their publishers. As CTO at Agora Games, he needs to quickly ramp up and then cut his computing capabilities as new games come on the market, become all the rage, and eventually fade into so-so status. So, it's little surprise that he's joined the growing ranks of companies buying computing, storage, and networking power as they need it from the cloud. What is more surprising is that Corrigan and a number of other IT managers say that the use of virtualization and Open Source monitoring tools lets them do just as good a job, if not better, monitoring

Vol/4 | ISSUE/12

IllUStratIon by Unn IkrIShn an aV

If you aren’t sure whether your cloud service provider is giving you what you paid for, turn to monitoring tools, they could be your guardian angels. By RoBeRt L. ScheieR

Cloud Computing

g Over and managing virtual machines in the cloud as equipment in-house or in a collocation facility. That's especially true for those strapped for the time, money, or skills to analyze every last picosecond of application performance.

TrusT BuT Verify

include Amazon.com with its Elastic Compute Cloud (EC2) compute services and Simple Storage Service (S3). Additionally, different vendors sell backup, security, and other IT functions as a service from the cloud. Finally, there are Web-based development platforms such as Salesforce. com's Force.com and Microsoft's Azure. As you would expect, SaaS vendors such as Salesforce. com say the trust SaaS customers put in their vendors is well placed. "Most companies don't know as much about their own systems' behavior as they can find out, from any Web browser, about the systems in the Salesforce. com cloud," says Ariel Kelman, senior director of platform product marketing for Salesforce.com. But others — such as those who hope to sell systems management software to cloud customers — aren't so sure. Along with concerns about security, one of the first questions enterprise customers ask is: "How do I know I'm getting what I'm paying for?" says Stephen Elliot, vice president of strategy for the datacenter automation business unit at CA. After independent monitoring of their cloud services, many customers have "gone back and renegotiated contracts" after receiving lower than promised levels of service, says Ramin Sayar, senior director of products for business service management at Hewlett-Packard. Many customers take comfort in the fact that highly publicized outages, such as those suffered by Google's e-mail service and by Amazon.com's EC2 and S3 offerings, are poison to a provider's image. Many are comfortable with the dashboards published by Salesforce.com and Amazon.com, which provide varying levels of detail about the health of their services. (Later this year, Amazon.com plans to provide more real-time updates on metrics such as customers' CPU and network utilization.) Finally, most cloud providers provide SLAs spelling out the performance they will deliver and penalties if they fail.

Not all compute clouds are created equal, and whether cloud computing gives you enough visibility and control for datacenter adoption depends very much on what type of cloud computing you're buying. Perhaps the most familiar cloud model is software as a service (SaaS), which lets customers use application software over the Web. Examples include, most notably, Salesforce.com in the CRM space and Google Apps for e-mail and calendaring. Here, the customer typically buys from the cloud specifically to get away from systems management chores and often trusts the vendor's performance dashboards and the absence of screaming from users to tell them the application is running. A second cloud model, which usually requires and offers customers far more hands-on access, is infrastructure as a service, or utility computing. Here, the customer buys the ability to create, manage, and delete virtual servers, storage, and Source: Gartner network resources in the cloud. Vendors

$150 Billion

Revenue to be made from cloud computing by 2013 as it grows faster than expected.

Vol/4 | ISSUE/12

looking oVer your ProVider’s shoulder But you don't have to trust the vendors' reports to assess whether they deliver the service promised. CIOs can use anything from simple network-sniffing tools to Open Source monitoring software and enterprise-class management systems to see what they're getting from the Web. REAL CIO WORLD | M A Y 1 , 2 0 0 9

Cloud Computing While not all integrate seamlessly with mainstream systems management tools running customers' internal operations, they are often good enough to get the job done. IT can expect to use OS management tools, vendors' performance dashboards, and — in some cases — root access to servers. What you can't expect to get are universal interfaces between cloud and legacy management tools and — in some cases — neither administrative access to servers nor the ability to install management or security agents. Customers purchasing infrastructure as a service, and who have the greatest management needs, should ideally use "the same agents, the same tools, the same configuration, and management tools" as in their own

Are cloud Security fears oVerBlown? It may sound like heresy, but it's possible to worry too much about security in cloud computing environments, said speakers at IDC's Cloud Computing Forum. Security is the number-one concern cited by It departments when they think about cloud deployments, followed by performance, availability, and the ability to integrate cloud services with in-house It, according to IDC's research. keeping data secure is critical, of course, but companies need to be realistic about the level of security they achieve inside their own business, and how that might compare to a cloud provider such as amazon Web Services or Salesforce.com, some speakers said. "I think a lot of security objections to the cloud are emotional in nature, it's reflexive," said Joseph tobolski, director for cloud computing at accenture. "Some people create a list of requirements for security in the cloud that they don't even have for their own datacenter." Doug Menefee, CIo at Schumacher Group, which provides emergency room management services to hospitals, agreed. the company is in the midst of a project to migrate most of its apps to hosted, cloud-based services. "My It department came to me with a list of 100 security requirements and I thought, ‘Wait a sec, we don't even have most of that in our own datacenter’," he said. Schumacher Group takes security seriously, Menefee said, but as a mid-sized company with only three It staff working full time on security, he trusts large cloud providers to do it better. "We get the same level of security with Salesforce.com as any large company using that service," he said. "I'm using the economies of scale." — James niccolai

M A Y 1 , 2 0 0 9 | REAL CIO WORLD

datacenters to simplify and standardize administration, says Joseph Tobolski, a partner at Accenture Technology Labs. While there isn't universal integration between such tools and the cloud service providers' APIs, he expects such integration "pretty soon" because of the need for "some sort of control of the cloud." Consider how these IT pros check up on and manage their cloud services. OmniPresence, which sells videoconferencing and teleconferencing equipment and services, uses the Zenoss family of management software to monitor the equipment and services it provides to customers. Omnipresence's director of technical services, Chris Sanford, says he can monitor services in the cloud as easily as those located in-house, using Zenoss to create data collectors that "sit out in the cloud" and send information about system performance and reliability to a monitoring dashboard. For Agora Games, one critical requirement in choosing a cloud provider was having root-level access to the 60 to 70 virtual servers it runs at cloud provider Terremark Worldwide. "We're really heavy users of Ubuntu Linux," says CTO Brian Corrigan. "It's hard to take a Unix guy and tell him he can't have low-level access to the system. We really tweak the Unix system to get a lot of performance" to keep Agora's gaming customers happy. Using Terremark's cloud computing environment, Corrigan says, he can just as easily manipulate his virtual servers as if they were in-house or at a collocation facility. He can build a test environment for a new game, easily clone it for production, and then remove it when the popularity of the game fades. He also says the virtualization makes it easier to enforce change management procedures and keep developers from posting code directly to the production environment by creating virtual network segments dedicated to testing. In addition, he says, he gets the use of higher-quality equipment than at many collocation facilities. In addition to the console Terremark provides, Agora can use its own monitoring applications "to keep them honest," says Corrigan. "We did it a lot in the beginning, but there has never been any sort of problem, so we just sort of trust them," he says. Pathwork Diagnostics uses Amazon.com's EC2 infrastructure to meet big spikes in demand for computing power whenever it acquires specimens of various types of tumors and must race competitors to create tests to detect those tumors. Pathwork only needs to monitor the virtual ‘compute units’ it is using, as well as the amount of memory allocated to each, says Zoran Popovic, a senior software engineer. To do that, Popovic uses Unix Open Source tools for both jobs. His only gripe: One tool forces him to monitor each virtual machine separately, rather than all at once. Dreambuilder Investments has built its key business applications on Salesforce.com's Force.com platform,

Vol/4 | ISSUE/12

Cloud Computing and it relies on cloud services from other vendors for its backup, accounting software, and even PBX. The company has built a few simple tools to monitor the quality of its Web connections, but it usually relies on the CRM giant to keep its applications running and provide updates on their health. Even if all a customer does is monitor the heartbeat of a cloud service, that can be enough, OmniPresence's Sanford says. Just a notification that Salesforce.com has gone down, even with no additional detail, "allows you to troubleshoot that problem, and maybe even get it resolved before anyone knows it's broken. It may not be Salesforce, but [instead] may be your own internal Internet router." At the very least, it keeps the IT guy from being blindsided publicly by the cloud.

seCuriTy's gray skies

asia's Cloud Computing CIOs According to new IDC research, cloud computing is being used, or considered, by more than half of asia Pacific's senior It executives and cost-cutting is the key driver. Some 11 percent of those surveyed are already using cloud-based solutions and a further 41 percent are either evaluating or piloting cloud computing solutions. the survey concluded that worldwide It spending on cloud services will grow almost threefold by 2012. IDC predicts that spending on cloud computing will accelerate throughout the forecast period, capturing 25 percent of It spending growth in 2012, and nearly a third of growth the following year. "Future uptake of cloud computing looks strong," said Chris Morris, director for IDC's asia Pacific services research and lead analyst for cloud computing research in asia Pacific. "over the next three years, as the use of cloud services expand from the domain of early adopters to that of the early majority, it becomes critical for It vendors to develop strong cloud offerings, and play a leadership role in aligning their new cloud products and services with their organization, their traditional offerings, partner ecosystem, and customer and market requirements. the IDC survey involved 696 It executives and CIos across asia Pacific excluding Japan to gather their views, understanding, current usage and planned usage of cloud computing. â&#x20AC;&#x201D;ross o. Storey

Data security is one of the biggest worries keeping enterprise apps out of the cloud. But it isn't a showstopper for small to medium-size firms, even those that rely completely on the cloud. For example, Agora could encrypt the data on each server but doesn't, because of the likely drag on performance. The fact he has root-level control of each server means "we can prevent anyone else from getting access to the data," says Corrigan. And unlike at a collocation facility, whose administrators would need access to his servers in case they cause trouble for other customers, Agora's own administrators are the only ones with the authority to touch his virtual servers. As for network security, says Corrigan, "We went from having a stack of physical servers with publicly accessible IP addresses to a slew of virtual machines with private IP addresses behind a software firewall. We can manage all of the firewall rules in one place, installing less restrictive generic rules on the actual VMs." At Pathwork, Popovic encrypts data to and from Amazon.com using the SSL protocol, decrypting it for analysis while in the EC2 cloud. "There is always a risk when you release your data out of your private network," he says, "but we think the risk is manageable." Enforcing proper access control to applications and services is just as critical for apps in the cloud as in-house and should be part of any customer's security policies regardless of where they host their IT infrastructure. Amazon.com uses firewalls to ensure "everybody's computing instances are completely walled off from everybody else's information," says Adam Selipsky,

Vol/4 | ISSUE/12

vice president of product management and developer relations for Amazon Web Services. Each instance is preconfigured for maximum security with all unnecessary ports turned off, he says. Rather than dissect Salesforce.com's security policies, Dreambuilder CTO Jonathan Snyder trusts that "the many very large customers who rely on Salesforce the same way I do" keep the pressure on Salesforce.com to protect their data â&#x20AC;&#x201D; and, by extension, his data. "I'm going along for the ride," he jokes. Of course, moving to the cloud is not a panacea. IT and business managers first need to do the hard work of thinking through what applications or services make sense to move to the cloud, rather than just follow the siren song of low price. Then they need to evaluate what levels of monitoring and management make sense for their skill set, the criticality of the application, and most of all, their business needs. But for the right applications under the right business conditions, managing and monitoring IT in the cloud is not only doable but easier than in a brick-and-mortar, in-house datacenter datacenter. CIO

Send feedback on this feature to editor@cio.in

REAL CIO WORLD | M A Y 1 , 2 0 0 9

Essential

technology Buy a governance, risk management and compliance (GRC) tool or leverage existing apps? There is no easy answer. But, a company's size and the scope of its operations can help guide the decision.

Essentisl Tec.indd 54

M AY 1 , 2 0 0 9 | REAL CIO WORLD

From Inception to Implementation â&#x20AC;&#x201D; I.T. That Matters

Go on GRC? By Jarina D'Auria

| As economic tough times continue, there's one thing companies can count on: more regulations. For the CIO and the IT department, that will mean more time spent grappling with and monitoring a seemingly endless (and growing) mountain of data related to compliance. How pervasive is the challenge? Last May, the Information Systems Audit and Control Association (ISACA) surveyed more than 3,000 of its members and found that regulatory compliance ranked among the top-five business issues facing IT managers and executives. In its report, ISACA notes that "regulatory compliance still operates in a 'project mode' and has not yet been embedded in business processes." CIOs who seek to conquer compliance issues have found various routes â&#x20AC;&#x201D; and tools â&#x20AC;&#x201D; to help them achieve that aim. Some have purchased governance, risk management and compliance (GRC) tools to automate the process of staying on top of rules and regulations. Others have combined products such as office suites or accounting software with strong governance and business process frameworks. Both methods can succeed in identifying compliance requirements and making sure your company is effectively

Compliance

Vol/4 | ISSUE/12

4/28/2009 12:55:27 PM

essential technology

following the rules. So which way should you go? There is no black-and-white answer to the question. However, a company's size and the scope of its operations can help guide the decision, says Forrester senior analyst Marc Othersen.

MakeWork Easier A GRC tool can be an effective way to achieve compliance if your business is subject to many regulations and if the organization is spread out globally, says Othersen. Other countries have different regulations and industry standards, so a company with global operations has more rules to follow, he says. A tool can make it easier and more cost-effective for a company to comply with regulations wherever it does business. Holly Marr, operations management organization leader at Acxiom, a global provider of information management solutions, started using CA's GRC Manager about six months ago to keep on top of approximately 900 compliance controls that the $1.4 billion (about Rs 7,000 crore) company must abide by. "Our company has been learning how to manage the process [of compliance] in the most efficient way, and the tool is a way to go," she says. Before the tool, internal auditors manually tested the controls for each regulation, which then had to be documented and sometimes remediated. However, all this information was housed in Excel spreadsheets and other documents that needed to be shipped to internal auditors, regulators, upper management and regional offices to sign off on. Marr and her team chose CA's tool because it automatically helps them map industry-standard controls, such as the IT governance framework Cobit. It also consolidates the company's compliance data in one place. The amount of manual work required to do both these things was labor-intensive for IT, says Marr. GRC tools often automate timeconsuming manual processes, taking testing time from weeks to days, says Forrester's Othersen. Without such tools,

Vol/4 | ISSUE/12

Essentisl Tec.indd 55

a company might have to test manually for every regulation, which takes time, money and effort, especially if a company has thousands of servers or global IT operational processes. By implementing GRC Manager, Acxiom expects to shave two days off the process of creating its monthly and quarterly compliance reports. Acxiom also created a central repository for all its compliance data, which helps promote transparency and may cut costs. Marr says the tool allows IT to focus more closely on important business risk factors and how to better facilitate project management and workflow. GRC tools also significantly streamline the compliance process because they eliminate redundancies, says Othersen. For example, a company might have SarbanesOxley and Gramm-Leach-Bliley Act teams testing for access controls. GRC tools can identify whether teams are doing the same tests. "Some companies have 300 teams, so they could potentially be doing the same tests and getting the same results 300 different times," says Othersen.

An Emphasis on Process Compliance is a major corporate objective at Purdue Pharma, a player in the highlyregulated pharmaceutical arena. The $2.5 billion (about Rs 12,500 crore) company, which operates only in the US, views it as both a business process and governance challenge. So Purdue Pharma VP and CIO Larry Pickett opted to use the company's suite of office applications (Microsoft Word, Excel and SharePoint) and its business processes to help manage the information to support regulatory requirements. Pickett believes a company can effectively manage its own compliance needs with the proper executive commitment and structure in place. For that reason, he doesn't see the need for a GRC tool since compliance is embedded in the company's business processes. The first step, he says, is identifying and prioritizing business risks facing the organization. For instance, a major risk,

22% Of Indian CIOs are

also responsible â&#x20AC;&#x201D; in a leadership capacity â&#x20AC;&#x201D; for risk management over and above their IT responsibilities. Source: CIO Research

such as Information Systems Quality Assurance compliance, is assigned to appropriate business owners who then oversee their own specific solutions and reports in collaboration with IT. That data is collected into the Microsoft Office products; it is then shared and reviewed at various committee meetings held by the business owners. "If there is a structure in place, it's pretty straightforward to see if you are compliant," Pickett says. "I'm not saying that collecting and reporting data in a tool is useless, but I just don't see the need for it in terms of risk management," he adds. "The audit committees here aren't looking at a tool. They are looking at the risks, the challenges and what we are doing." The main focus of your GRC regimen should be on identifying and managing the risks around one's business, not in implementing technology for the sake of technology, says Pickett. Face it: The need for compliance isn't going away. And while the choice to purchase a tool to document and automate the process is yours, the choice to follow the regulations is not. CIO

Send feedback on this feature to editor@cio.in

REAL CIO WORLD | M a Y 1 , 2 0 0 9

4/28/2009 12:55:27 PM

Pundit

essential technology

Enterprise Resource Pit

ERP is to blame for some of the disdain CFOs and CEOs have for IT. By Thomas Wailgum ERP | We're always trying to figure out why IT is demeaned by the cost center label used by CEOs, CFOs, and other leaders. The way I see it, the number-one reason for such disdain is ERP, and what I'll refer to as the 3 C's: cost, complexity and customization. A new CFO Research Services survey of 157 senior finance executives, which specifically looked at initial and ongoing ERP system ownership costs, illustrates this point beautifully. For starters, companies are probably awed by the initial acquisition and implementation costs of ERP. The CFO study focused primarily on companies with $100 million to $1 billion (Rs 500 crore to Rs 5,000 crore) in annual revenues, and half of the respondents said they spent over $1 million

Customization is a fact of life with ERP. In fact, eight out of 10 respondents said their companies "have customized their ERP systems either moderately or extensively to adapt to their company's unique business needs," says the CFO study. These companies weren't customizing their ERP just for fun, they were trying to stay in business. "Companies grow and change," notes the study. "They open new facilities or consolidate operations, add partners or outsource functions, and centralize or decentralize the back office. Reporting needs increase as regulatory bodies heighten oversight and as companies expand across borders. In short, businesses change, and as they do, so do management's information needs."

follow shrink-wrapped solutions, " said one manufacturing CFO. Another took an even more extreme position: "Our policy is that we will not make custom modifications to the software; we will modify the business process if necessary or create an offline procedure." While I understand the logic behind these CFO strategies, I foresee an unintended consequence right around the corner: Rankand-file employees who have to use the ERP system everyday will not only dislike that you're changing their technology interface, but now you're going to allow the technology to dictate how they should perform their jobs, with the new business processes? Yikes. Of course, CFOs and CEOs shouldn't be excluded from any culpability in creating

ERP systems have become a noose around companies' necks which tighten with each customization and whose costs continue to spiral.And some CFOs have had enough. (about Rs 5 crore) for the license, service and first year's maintenance of their current ERP. Nine out of ten respondents said they spent a minimum of $250,000 (about Rs 125 lakh). These estimates didn't include internal costs for rolling out the system, such as for project management, user training and IT support. Even if the CFO and CEO can stomach that kind of initial capital outlay, there's much more to contend with including thorny and expensive customization issues, upgrade decisions and annual maintenance fees. 56

ET-Pundit.indd 56

MAY 1 , 2 0 0 9 | REAL CIO WORLD

So just how much does this cost? A typical company in the survey will spend an average of $1.2 million each year (about Rs 6 crore) to maintain, modify and update its ERP. ERP systems have become a noose around companies' necks which tighten with each customization and whose costs continue to spiral. And some CFOs, says the survey, have had enough of customizations. Instead, they are following a new (and potentially dangerous) policy: Keep everything vanilla. "Change your processes to best practices and

these financial black holes â&#x20AC;&#x201D; they are the ones who approved the ERP projects in the first place. But, perhaps, they have been making these decisions without knowing all the facts about the long-term costs associated with ERP systems, which make the upfront sticker price is almost meaningless. Which brings us right back to why CFOs and CEOs hate IT. CIO Send feedback on this column to editor@cio.in

Vol/4 | ISSUE/12

4/28/2009 12:55:57 PM