Business | Technology | Leadership
Vol/04 | Issue/02
December 1, 2008 | Rs 100.00 | www.cio.in

Intelligent by Design: Allergan India transformed decision making by adding more color and facets to its data through multi-dimensional BI.
Allergan’s IT helmsman K.T. Rajan enabled management to view data from multiple sides.
View From the Top: Arun Kanchan on transparency and fighting fraud.
Ready, Get Set, Go! How Hyundai’s IT revved up its assembly line.
From The Editor-in-Chief
Outsourcing Out?
India Inc. doesn’t seem hot about outsourcing IT.

An interesting data point was thrown up in the recent The State of the CIO survey. About a third of respondents outsourced less than 10 percent of their operations.

Well, one view on outsourcing is that it’s the only way CIOs can combat attrition at junior levels. A CIO from the manufacturing vertical is clear: “Outsourcing is good, because one need not invest in certain skill sets. Low-end roles like facilities management are easy to outsource, as also high-end skills where training and retention may become an issue.”

Also in the gamut of ‘conventional wisdom’ is that it makes sense to outsource all non-value-add activities. For instance, Geoffrey Moore, the guru of the concept of ‘core and the context’, says organizations need to outsource the context and in-source or keep the core. The core is essentially all that gives strategic, competitive advantage in a direct manner.

Chairman and Chief Mentor of Infosys Technologies N.R. Narayana Murthy told me that another way to look at outsourcing is to consider the theories of Ronald H. Coase, a Nobel Laureate in Economics. Coase said that when the cost of a transaction in the marketplace becomes lower than the cost of the transaction in-house, then, like it or not, you have to outsource. Otherwise you won’t be able to compete. This, Narayana Murthy felt, is a good way to determine what should be outsourced.

Organizations seem hesitant to outsource strategic applications or trust outsourcers over internal staff.

Yet another perspective came my way from a member of our advisory board. He felt that organizations ought to outsource to acquire new capabilities, ramp up capacity and cut costs. All of these perspectives are logical and have well thought out rationales.

In the weeks since the State of the CIO survey, I’ve spoken to many IT leaders to make sense of this. What I’ve learned thus far distills to the following: it’s easy to outsource most things hardware; organizations are reluctant to outsource the management of strategic applications; and, CIOs trust their own teams more than the best that outsourcers provide. This doesn’t cover either CIOs or outsourcers with much glory.

I believe that outsourcing is a critical element that imparts agility and efficiency to an organization. Why then aren’t more CIOs in its favor? Particularly when the economic sentiment is nervous. Do you agree with your peers on this? Write in and let me know.
Vijay Ramachandran Editor-in-Chief vijay_r@cio.in
December 1, 2008 | REAL CIO WORLD
Content
December 1, 2008 | Vol/4 | Issue/02

Business Intelligence
COVER STORY | Intelligent By Design
What you see is what you believe. From their different vantage points, Allergan’s management was doomed to see different pictures of the company — unless a BI tool built like a cube could promise them different views of a single truth.
Feature by Kanika Goswami

K.T. Rajan, director operations, IS and projects, Allergan India, drove growth by empowering his CXO peers to agree on a common course of action.
Photo by Srivatsa Shandilya
Cover: design by Anil T

Executive Expectations
View From The Top
Arun Kanchan, CEO, BSES, says that IT is instrumental in providing more transparency to its customers and reducing power theft.
Interview by Rahul Neel Mani

Business Transformation
The Secrets of a Change Agent
An exclusive and unclassified report on how Web 2.0 and strong IT governance are enabling the CIA to work more effectively.
Feature by Thomas Wailgum

Plus:
Understanding Business Intelligence TCO
How can you manage your BI system’s total cost of ownership better? Avoid these common stumbling blocks that add big costs to any BI project.
Feature by Thomas Wailgum

Think Tank
Leading Business Change
Enterprise architecture and IT portfolio management provide tools for innovating and executing change. They are not about IT, but about people, collaboration and culture.
Column by Chris Potts
Content (cont.)

Departments

Trendlines
IT Management | Plan for Growth Now
Quick Take | Gopal Rangarajan on Cloud Computing
Voices | Virtualization’s Security Challenges
Research | Datacenter Pros Look for Single View
Risk Management | Cybersecurity Beyond IT
Opinion Poll | Perks of the Job
Survey | CEOs vs CIOs: IT Gets No Respect
IT Budget | 20 Ways to Cut IT Costs
Study | Infrastructure Security Under Cyberattack
Web 2.0 | Smartphones Get Smarter
Career | Customize the Pace of Your Career
Corporate Issue | Tech-savvy CEOs, Please

Essential Technology
SOA | Watching the In-Between Spaces
By Chris Clark
Pundit | Cloud Computing Looms Large
By Bernard Golden

From the Editor-in-Chief
The Outsourcing Option
By Vijay Ramachandran

Case File
Ready, Set, Go!
Every hour that Hyundai India’s assembly line idled waiting for parts cost the company Rs 2 crore — and left its growth plans in a cloud of smoke. Listening to its shop floor workers solved the problem.
Feature by Kanika Goswami

Expert View
Your Own Worst Enemy
Even when companies say they want a CIO with detailed technical knowledge, fulfilling their expectations can prevent you from being effective.
Column by Laurie Orlov

Now Online
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in
ADVISORY BOARD
Abnash Singh Publisher Louis D’Mello Associate Publisher Alok Anand
Editorial Editor-IN-CHIEF Vijay Ramachandran
Resident Editor Rahul Neel Mani assistant editors Gunjan Trivedi,
Kanika Goswami
Correspondents Snigdha Karjatkar, Sneha Jha,
Chief COPY EDITOR Sunil Shah Copy Editors Deepti Balani,
Shardha Subramanian
VP-HR & Process Architect, Britannia Alok Kumar Global Head-Internal IT, Tata Consultancy Services Anwer Bagdadi Senior VP & CTO, CFC International India Services Arun Gupta
Creative Director Jayan K Narayanan
VP & CIO, Mahindra & Mahindra
SENIOR Designers Jinan K Vijayan, Jithesh C C
Unnikrishnan A V Sani Mani (Multimedia) Designers M M Shanith, Anil T, Siju P
P C Anoop, Prasanth T R Photography Srivatsa Shandilya Production Manager T K Karunakaran Dy. Production Manager T K Jayadeep Marketing and Sales VP Sales (Events) Sudhir Kamath General Manager Nitin Walia Senior Manager Siddharth Singh, Rohan Chandhok Assistant Manager Sukanya Saikia Marketing Priyanka, Patrao, Disha Gaur Bangalore Kumarjeet Bhattacharjee, Arun Kumar, Ranabir Das Delhi Saurabh Jain, Rajesh Kandari Gagandeep Kaiser Mumbai Parul Singh, Hafeez Shaikh, Kaizad Patel Japan Tomoko Fujikawa
USA Larry Arthur; Jo Ben-Atar
Events VP Rupesh Sreedharan Managers Ajay Adhikari, Chetan Acharya Pooja Chhabra
Ashish K. Chauhan President & CIO — IT Applications, Reliance Industries
Vinoj K N, Suresh Nair Girish A V (Multimedia)
Customer Care Associate & CTO, Shoppers Stop Arvind Tawde
Lead Designers Vikas Kapoor, Anil V K
Alaganandan Balaraman
Design & Production Lead Visualizer Binesh Sreedharan
President, IT Operations & Center of Excellence, UCB Pharma
C.N. Ram Rural Shores Chinar S. Deshpande CEO, Creative IT India Dr. Jai Menon Group CIO Bharti Enterprise & Director (Customer Service & IT), Bharti Airtel
Manish Choksi Chief-Corporate Strategy & CIO, Asian Paints M.D. Agrawal
Chief Manager (IT), BPCL
Rajeev Shirodkar
CIO, Future Generali India Life Insurance Rajesh Uppal
Chief GM IT & Distribution, Maruti Udyog Prof. R.T. Krishnan Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore S. Gopalakrishnan CEO & Managing Director, Infosys Technologies Prof. S. Sadagopan Director, IIIT-Bangalore S.R. Balasubramnian Exec. VP (IT & Corp. Development), Godfrey Phillips Satish Das CSO & Director ERM, Cognizant Technology Solutions Sivarama Krishnan
All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.
Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.
Executive Director, PricewaterhouseCoopers Dr. Sridhar Mitta MD & CTO, e4e S.S. Mathur GM–IT, Centre for Railway Information Systems Sunil Mehta Sr. VP & Area Systems Director (Central Asia), JWT V.V.R. Babu
Group CIO, ITC
Trendlines: new * hot * unexpected
Plan for Growth Now
IT Management

Don't wait for signs of a return to growth to begin planning for business growth, advise Gartner analysts. An economic downturn can be a perfect time to undertake projects that warrant priority because of their impact on future growth, says Senior VP and Global Head of Research Peter Sondergaard.

Speaking at the release of preliminary results of its annual Gartner Executive Programs CIO survey at the analyst firm's Symposium, Sondergaard highlighted eight areas that IT executives should focus on to help their organizations weather economic turmoil. The list included cost optimization, virtualization, IT modernization, low-carbon IT, workforce management, business intelligence, service-oriented architecture, business process management and multi-sourcing.

According to the survey, out of 444 respondents around the world, 48 percent are projecting an IT budget increase in 2009. However, 52 percent of CIOs are reporting a flat IT budget or a decrease in the next year. On a weighted basis and considering all 444 IT organizations, 2009 IT budgets are set to increase 3.36 percent.

"While these are preliminary results, they support what we have observed during 2008 — that enterprises see IT as a way to drive cost out of the business in the face of an increasingly challenging economic climate," said Sondergaard.

Gartner said that as business growth is not declining at the same rate across geographies, CIOs can exploit asymmetries between regions and industries to find new opportunities. "This is a great opportunity for businesses in the Asia Pacific. During 2009, some countries and regions are still expected to grow at fairly robust rates," said Sondergaard. "Divert resources to those regions of your global business where your regional offices, customers and suppliers are growing so fast that they are probably asking 'recession... what recession?'"

According to Gartner, economic uncertainty dictates that prudent IT organizations prepare three alternative budgets: best-case, worst-case and most likely scenarios.
—By Zafar Anjum

Illustration by MM Shanith
Quick Take
Gopal Rangarajan on Cloud Computing
Technology

Cloud computing is being viewed as the next logical step in the consolidation of business tools. The technology has emerged as a viable option for organizations. Gopal Rangarajan, VP-IT, Reliance Life Sciences, spoke to Snigdha Karjatkar and here’s what he had to say:

What promise does cloud computing hold?
Cloud computing is a pretty exciting concept. Today, TCO is a decisive factor. Loading and running applications, creating environments and such other processes not only have a tangible cost but also a cost of realization. Although this cost of realization is not generally quantified, it is very significant in today’s scenario. Cloud computing presents a reasonable solution for such pain points.

What are the benefits of cloud computing?
Apart from putting a tab on the cost of realization, it would address certain other issues that give technology heads sleepless nights. Reliability and compliance related issues will be well taken care of because of the regulated environment that governs most services.

What are the pitfalls associated with the technology?
Just like every other technology, cloud computing comes with its set of issues. The adoption of this concept would probably restrict the luxury of customized applications. It might confine demand for some business specific applications.

How do you think cloud computing will evolve in the future?
The concept, like we all know, is still emerging and evolving. It holds a lot of promise for me and my peers. But in the next three to five years, we will really get to know its ability to sustain itself over time. But, surely, I believe, it is indeed one of the options that we may all look at.
Does Virtualization Throw Up Security Challenges?
Security

Virtualization continues to witness dramatic growth in deployment as an increasing number of enterprises derive the benefits of this cost saving tool. However, some believe that a virtualized setup presents potential security risks. Sneha Jha spoke to some of your peers and here’s what they had to say:

“Virtualization alleviates some security challenges if implemented and managed properly. It enables better manageability and control.”
T. Jaganathan, Director Technology, Ajuba Solutions

“The consolidation of physical servers can make a virtualized setup vulnerable since all data and processes are placed in a centralized location creating a single point of failure.”
Tridib Bordoloi, Head-IT, Indian Express Newspapers

“Virtualization provides more security features than physical infrastructure. The threat to information security presents itself when people with access to critical information send it out. A virtualized environment controls this effectively.”
Ranjith Pisharoty, Sr. VP, Sutherland Global Services, APAC

Lend your voice: write to editor@cio.in
Datacenter Pros Look for Single View
Research

IT professionals don't have the right tools in place to manage their datacenters effectively and many fail to monitor all their equipment, according to research from the Aperture Research Institute (ARI). The research found that under a third of all datacenter professionals monitored more than 90 percent of their equipment while, rather alarmingly, 12 percent of those surveyed had no sort of monitoring system at all.

Tom Waun, Aperture's president, said that managers who were failing to look at all the equipment were leaving themselves open to vulnerability. "The problem is that any item of equipment could fail; it could be a UPS or an aircon unit as well as a server." Waun said that organizations should be aiming to manage their datacenters from a central point with a single view. There's plenty of room for growth, however: the ARI research found that only 35 percent of datacenter professionals were using a single-view product to monitor their own setups.

There are plenty of challenges facing datacenter managers, said Waun. "There's a lot of information that used to be held by lots of different people, but now the IT guy has to take an overall view. It's not just a question of monitoring, he has to plan capacity and ensure that the company not only has enough power but that power is used in the most efficient way."

Waun said that the monitoring tool could be used not just for troubleshooting but also for capacity planning. For example, some servers operate at their highest efficiency when they're running at 94 to 98 percent; the trick is to organize them so they're operating at this level of efficiency.

The ARI survey, which is funded by datacenter specialist Aperture, found that just over half of all datacenter professionals who were using monitoring software were using vendors' own systems which, Waun said, fail to give a complete view.
Waun would not be drawn on how much a single-view product would cost an organization or what sort of return on investment a customer could expect. "Every datacenter is different and there's no such thing as a typical installation — it's impossible to give any guess on price."
—By Maxwell Cooter
Cybersecurity Needs to Move Beyond IT
Risk Management

Businesses need to expand in-house departments that focus on cybersecurity beyond IT, and the CFO should be dedicated to assessing and reducing cyber-risk, suggests a new report. Although the IT department should remain a major player in cybersecurity efforts, the CFO and the legal, risk management, human resources, public relations and other departments need to be involved in decisions about risk before cybersecurity breaches happen, the report said.

The report, The Financial Impact of Cyber Risk, was released through a series of workshops in which more than 30 organizations participated. "The lesson that this workshop learned quickly was that cybersecurity, which has been traditionally viewed by some companies as an IT issue, is not just an IT issue," said Ty Sagalow, president of product development for general insurance at American International Group and the workshop leader. "Just like it is not just a legal issue to be solved by the general counsel. Just like it is not just a reputation issue or a communications issue to be solved by the head of public relations."

The report recommends that business CFOs become heavily involved in focusing on cyber-risk if they aren't already. CFOs are in a position to see the big picture and budget for increased IT spending, if needed, or cybersecurity insurance or more resources in other departments, Sagalow said. In addition, CFOs need to understand the potential financial risks to breaches or leaks, he said.

Many IT departments already recognize that they're only part of the solution to cybersecurity issues, said Edward Stull, a software architect at Direct Computer Resources. Most IT departments are underfunded, added Larry Clinton, ISA's president. Increased attention from the CFO could result in additional funding and an additional focus on IT needs, he said.

It may be obvious why the report recommends that the legal and public relations departments be involved in cyber-risk decisions. But even human resources has a role to play, as an estimated 70 percent of breaches come from inside the organization, Stull said.

Here are five questions CFOs should ask department heads, according to the report:
One: Has the company analyzed our cyber-liabilities?
Two: What's the potential for us to be named in class-action lawsuits after a breach?
Three: Are there valid reasons we're collecting personal information?
Four: What is our biggest cybervulnerability?
Five: Do we have a documented and proactive crisis communications plan?

The annual economic impact of cyberattacks in the US is about US$226 billion (about Rs 1,017,000 crore), according to a 2004 estimate from the Congressional Research Service.

It's time for businesses to look at cybersecurity in a new way, with multiple departments involved in the issue, said members of the report task force. "If companies view cybersecurity as solely an IT issue, then we're not going to be as secure as we can be," Sagalow said. ISA and ANSI believe the report reflects a new way of looking at cybersecurity and cyber-risk, he added.

"Cybersecurity isn't an IT issue," Clinton added. "It's an enterprise-wide risk management issue that affects every aspect of the organization."
—By Computerworld Staff
What You Want?
What do you ask for during job negotiations? Here are the most common requirements cited by respondents to a recent CIO survey.

[Infographic: percentage of respondents citing each requirement. Categories: relocation expenses; vacation/time off (paid or unpaid); bonuses; stock options; healthcare; perks; salary; severance package; education & training; flexi time. Infographics by P C Anoop. Source: CIO Research]
CEOs vs CIOs: IT Gets No Respect
Survey

IT leaders looking for a pat on the back for delivering much-needed technology to the business could be waiting a long time. A Forrester Research survey shows that while a majority of business executives depend on technology to do their jobs, they don't credit IT for providing those high-tech resources.

The business and IT relationship has long been challenged, but the survey of 600 business executives from North American US$1 billion-plus (about Rs 4,500 crore) companies shows that there is still much work to be done before these two factions can truly partner. While 82 percent of those surveyed said they rely on technology to do their jobs, 71 percent credited IT for being effective at supporting technology critical to the business. About three-quarters of respondents see technology as important in improving enterprise competitiveness, but about 60 percent reported IT as being effective at that goal.

"While technology is very important to firms, IT is not expected to meet, nor does it succeed at meeting, the technology needs of the business," the report reads.

Part of the problem could be that business leaders don't identify IT as the providers of technology they may very well support. For instance, 64 percent of respondents identified traditional enterprise software providers such as SAP and Oracle as the primary source of technology. Fifty-eight percent identified business applications developed by IT staff and 43 percent pointed to third-party or contracted application developers as their primary source of technology solutions. Forrester pointed out that despite the source of the application, internal IT is most likely involved with the provided technology.

"It is likely, though not specifically noted, that all of the top-ranked sources of solutions involved IT in some capacity or other," the report reads.

But IT falls short in other areas as well, according to the business respondents. One example is improving user workforce productivity. According to Forrester, "78 percent view this as a somewhat or critically important business driver, but only 45 percent viewed IT as supporting that need very well or excellently."
—By Denise Dubie
20 Ways to Cut IT Costs
IT Budget

To help IT executives navigate through the cost-cutting maze, Gartner analysts presented a list of 20 ways that IT leaders can slash expenses.

1. The most obvious place to start is people costs. Gartner estimates that 37 percent of the average IT budget is dedicated to personnel, so this represents a major opportunity to save money. Gartner recommends a blend of hiring freezes, reducing or eliminating special bonuses, cutting back on outside contractors.
2. Flatten the organization. Instead of having one person manage six or seven employees, trim some of that middle management and have your IT executives manage more like 20 people.
3. Move to shared services. In other words, consolidate things like help desk into one group that services the entire company.
4. Even if you have to borrow somebody from another part of the company, bring a finance person into your leadership team so that person can analyze your budget and find ways to help you trim costs.
5. Don't ignore unmanaged costs like printers or datacenter power.
6. Go back and check your invoices to make sure your vendors are charging you what your contract specifies. An example would be, if your wireless vendor agreed to give you free shipping when it sends new cell phones to remote workers. A few months later, shipping charges might start appearing on your cell phone bill, and if you don't check, you'll never know.
7. Eliminate unused software and modules.
8. Get tougher with vendors when it comes to negotiating contracts. Don't be afraid to switch vendors, or at least take the first step of determining what it would cost to switch.
9. Buy a telecom expense-management service. It pays for itself and more.
10. Deploy a corporate-wide plan for buying cell phones. Then, buy a cell phone plan that optimizes expenses.
11. If there are places where you don't need five nines of availability, settle for three nines. It will save you money when you negotiate with your vendor.
12. Buy a videoconferencing unit rather than constantly renting.
13. Where possible, use the Internet as a replacement for expensive WAN transport services.
14. Defer moving to Vista. If your PC hardware is holding up, consider sticking with it another year.
15. Use commodity products wherever possible, and skip best-of-breed in cases where 'best-of-need' will suffice.
16. Consolidate and virtualize servers.
17. Reduce storage costs via data deduplication.
18. Use better processes to make better use of existing tools.
19. Deploy IP telephony and VoIP as a way of cutting costs for moves, adds and changes.
20. Harvest unused software licenses and reuse them when a new employee makes a request.
—By Neal Weinberg
Infrastructure Security Under Cyber-attack
Study

Computer systems that run the world's critical infrastructure are not as secure as they should be and insiders are mad. That's according to a new survey that asked management, network engineers and administrators in nine infrastructure industries about the state of cyber security in the US, Canada, and Europe.

Insiders felt that all of these industries, save financial services, were unprepared for cyber-attacks. These unready industries included: water, utilities, oil and gas, telecommunications, transportation, emergency services, chemical and the shipping industry. And that's bad news because more than half of them said that their companies had already been hit with some sort of cyber incident, data leak, or insider attack. Another 14 percent said they were expecting something like this to happen in the next year.

"None of them thought that they were very prepared for either insider threats or data leakage," said Elan Winkler, director of critical infrastructure solutions with Secure Computing.

About 90 percent of the survey's 199 respondents were directly employed in an infrastructure industry, while the other 10 percent listed some other occupation such as academic or consultant.

The survey found that many insiders are dissatisfied with the lack of preparedness within their own industries. About three quarters of respondents said they were annoyed, angry or frustrated with the state of critical infrastructure security, Winkler said. "These are the people who actually know what's going on and they're unhappy," she said. "That, to me was a real surprise."

Some industries are farther along than others, Winkler said. Financial, energy and telecommunications are the most prepared, she said, while the water, shipping, and transportation industries were rated least ready. However, the energy sector was considered the most in need of improved security because it is the biggest, most vulnerable and easiest to breach, respondents said.

Cost was ranked as the biggest impediment to security, Winkler said.

Industries that have already seen how a major disaster can affect their bottom line are more likely to have a serious risk analysis model that takes things like cybersecurity into account, said Eric Byres, CTO of Byres Security, a critical infrastructure security consultancy. The companies that are prepared for the next cyber attack are the ones that have buy-in from the bosses, Byres said. "It really gets driven from the upper management," he said.
—By Robert McMillan
Smartphones Get Smarter
Web 2.0

With the cost of travel rising, Web conferences using tools such as Microsoft's Live Meeting and WebEx have become a popular substitute for in-person presentations. But such services depend on desktop clients that aren't always handy for business travelers. A startup called PhoneTopp hopes to address that shortcoming with its pioneering eponymous software and service for bringing Web conferencing to smart phones.

PhoneTopp will support Adobe Connect, Live Meeting, and WebEx Web conferences on BlackBerry devices, iPhones, and Windows Mobile handsets, the company says. Whenever a business sets up a Web conference, PhoneTopp will automatically be notified and provided with the phone numbers of invited mobile participants (who will continue to receive invitations as usual). When the conference time rolls around, the mobile participant will receive a phone call (identified as being from the Web conferencing service). After accepting the call, the participant will launch the application, which will automatically enter the conference.

PhoneTopp is optimized for PowerPoint presentations. Its interface features several controls, which appear as buttons along the right and left edges of the presentation content. The buttons on the left allow the participant to navigate through the slides (something desktop participants don't usually get to do). The buttons on the right afford access to additional screen elements such as a chat window (the button will light up when a new chat message is received), a list of participants, and notes. Using a headset, mobile participants will be able to talk while viewing the presentation.

PhoneTopp will be a subscription service with fees expected to run about US$8 (about Rs 320) a month per meeting participant (on top of the usual meeting-service charges). It will be interesting to find out how well the service works over real-world networks.
—By Yardena Arar

Illustration by Unnikrishnan AV
thE paCE of yoUr CarEEr
TrendlInes
c a r e e r If, in the course of a day, people customize the things around them — how they take their morning coffee, how they assemble their outfit — then they should surely be able to apply that approach to their career. that's what Deloitte Canada talent lead tracey t wallace is asserting. that concept, she said, is the foundation of a career tool called mass career customization (MCC) developed by the t toronto-based professional services firm that just might help counter the skills shortage witnessed in recent years. "we make the argument," said wallace, "that if they can customize everything in their life... customize their coffees, their running shoes etcetera, why wouldn't they customize their career?" historically, said wallace, a female employee in midcareer choosing to focus on raising a family and entertain a reduced work schedule would have no recourse but to leave the organization altogether. but today, continued wallace, as organizations become more accommodating of flexible work arrangements, tools like MCC can allow that employee to dial down the pace of her career. that could mean decelerating her career by working fewer hours, restricted travel, and/or moving from a leader role to an individual contributor. "Mass career customization addresses that chasm between the employer and employee needs," said wallace, adding that while organizations have been successful around implementing flexible work arrangements like flex time and reduced hours, it hasn't been widely adopted. but MCC isn't just about dialing down a career. It's also the option to dial up a career against those same dimensions. a recent Mba graduate who's unmarried with no kids, or a person whose kids are grown up and moved out, said wallace, may opt to take on greater accountability, more of a leadership role, and travel more. 
Wallace said that while MCC is a process on paper, it's essentially a dialogue between employee, manager and HR and is "meant to foster good communication between all parties." The tool works particularly well for the IT industry, said Wallace, because unlike retail or banking that requires people on location to serve customers, IT is a segment of knowledge workers where "you've got a little bit more flexibility in terms of where work is done and how work is done." However, MCC still must complement, and be supported by an HR framework, said Wallace, because areas like compensation, vacation policy, performance management will be impacted as well. —By Kathleen Lau
Tech-savvy CEOs, Please
Corporate Issue
Brand damage. Bankruptcy. Unemployment. These are just some of the consequences companies could suffer with simple loss of corporate information. "CEOs should understand that data loss, once it becomes public, puts their brand and shareholder equity at risk," said Pat Clawson, CEO and chairman of Lumension Security. "CEOs must take responsibility for understanding the impact on what data loss has for their business. They need to raise it to a board room issue," Clawson said. "In many respects, it is IT education for CEOs because CEOs usually don't like to say what they don't know," Clawson revealed. "They find it hard to ask questions within their organizations because it might yield that they don't know something." Clawson said it is important for CEOs to have "a strong CIO" that they can count on and who would educate them about IT. Yet CEOs, he said, must force themselves to learn. Clawson revealed traditional security is no longer relevant as most IT security products today were built for problems 10 years ago. "Information is an enormous risk today. It is a much more fluid world," he said, citing that data can be stolen or lost with the simple use of some of today's mainstream technologies such as Bluetooth, Blackberries and social networking sites like Facebook, the usual stuff that CEOs use. "These technologies could trigger attacks of polymorphic viruses," Clawson said, referring to an IT virus that changes code whenever it passes to another machine. Experts describe it as a difficult virus to detect if one is only using anti-virus scanners. "This is why CEOs should be aware of IT security because they could be that CEO whose data gets stolen," Clawson said. "Not only will they lose their job as CEO but also destroy their company's brand along the way."
—By Tom S. Noda
Imaging by MM Shanith
Customize
Laurie Orlov
Expert View
Your Own Worst Enemy
Even when companies say they want a CIO with detailed technical knowledge, fulfilling their expectations can prevent you from being effective.
Don't you love the idiocy of some CIO job descriptions? They're the ones that demand skills in configuring servers, designing the website, creating a long-term strategy, 20 years of experience plus a deep track record in a sub-branch of financial services. Or that specify knowledge of an arcane, perhaps obsolete technology. In my perusal of ads on CareerBuilder.com recently, I even saw one for a bank that required the ability to lift at least 15 pounds. Does experience with a specific technology category or product matter? Not so much. Let's think about both the technology needs of most CIO jobs and what are (or should be) the drivers behind an enterprise intent on recruiting those requirements. Most of the time, companies that require a CIO candidate to possess specific technical skills are shooting themselves in the foot. Here's why, even if you meet the criteria and get the job, you shouldn't define your role based only on those qualifications.
A Screening Mechanism
Illustration by MM Shanith
CIOs make good money. At their pay levels, the job will certainly involve managing (or hiring and then managing) a staff. Unless we're talking about a startup company, the person who is hired will inherit existing technologies along with a posse of eager tech and services vendors. Most CIO openings specify a minimum of 10-plus years of experience — and more in the larger firms. And with that experience, most enterprises expect to see a long and successful track record of implementing application projects. Firms are also increasingly intent on using technology to change processes, get new products up and running quickly, compete more effectively for customers and provide better service. They want CIOs they can understand (no techno-speak,
please) and who understand business. So even if a CIO enters with a laundry list of technical experience that matches what the company asked for in the job description, chances are she's going to spend virtually no time in the new job using those skills. In reality, technology requirements in CIO job descriptions are there to discourage candidates from other industries that use different products or from other departments of the same enterprise who are familiar with existing processes but not with the specific products that support them. Detailed technology requirements give the HR recruiter a checklist for eliminating candidates, not a way to find innovative thinkers who can bring a fresh perspective on compelling business changes.
Instead, CIO job postings should be less specific. Biotech companies shouldn't mandate biotech company experience. Hospitals shouldn't look only at candidates who have implemented a specific healthcare package. In some geographical locations, that could narrow the field to fewer than five people, four of whom have jobs they like and won't leave. Companies should identify thorny enterprise pain areas (weak change management, cumbersome sales processes, lack of standard customer service processes) or other problems and should look at individuals with a track record for solving such problems. Most firms will benefit from talking with candidates from industries other than their own and with professional backgrounds other than IT. Asking such candidates how they would tackle the organization's thorniest problems could reveal refreshing insights and new possibilities, even if the candidate isn't selected.
Enterprise execs generally look at candidates with backgrounds other than IT or outside their industries only when they are extremely frustrated by current IT performance. But that doesn't have to be the only time to seek a variety of experiences. Even recruiters for large companies make this mistake. They're often looking to poach a name-brand CIO from another company of the same size and industry. They look for someone who has done a transformational project exactly matching the proposed project of the search client's — a broad-based SAP implementation, a global CRM system. What they should want is someone from another industry who has demonstrated process or innovation mastery, regardless of which package he implemented and perhaps regardless of whether he was a CIO or a business project champion.
When Technical Knowledge Is Necessary
Sometimes a firm needs a CIO with deep technical knowledge. Several factors come into play here, including:
Company size and growth potential. The smaller the firm and the greater the likelihood it will remain small, the greater its need for a hands-on CIO. A small shop needs someone who understands how networks are configured, who can debug PC problems and sync up cell phones and e-mail servers with one hand while advising the CEO on new app purchases and device trends with the other. Startup companies especially need a startup IT leader who can do as well as lead. An ex-consultant with years of hands-on experience can be ideal as a CIO.
Staff size and ability to hire. If there are fewer than 15 people in IT, the CIO is really a manager. No matter how you subdivide the organization, you can't make a technology decision without becoming heavily involved in reviewing the choices and clearly understanding the differences between vendors and products. This CIO must have strong familiarity with all of IT's technical span of control, even as he has to bond with other business execs and grasp business strategy. As the organization grows, the CIO can develop a team of leaders and individual contributors who have the experience in a specific category or topic and can stand in the CIO's stead when negotiating with vendors and service providers. These CIOs are best cultivated from the ranks of the current apps or infrastructure managers regardless of industry.
When to Leave Tech Details Behind
Some CIOs with tech backgrounds just love fiddling and are constantly tempted to gravitate to their tech roots. They become CIO hobbyists: playing with new tools and websites, helping the CEO with laptop or cell phone problems, meddling in and second-guessing the assignments of their staff. These CIOs hide behind these distractions as a way to avoid investing time and energy into learning about their peers, the businesses they run and their top challenges. If you're one of these CIOs, you risk leaving business execs with a strong impression that you're a sandbox CIO with lots of toys and time to spend on tasks that should be delegated. Overly techie CIOs who ignore their business relationships will eventually be fired by frustrated execs, who may be doomed to repeat history, getting the same kind of CIO the next time based on a techie job description and screened candidates whose skills exactly match it.
Send feedback on this column to editor@cio.in
Chris Potts
Think Tank
Tools for Leading Business Change
Enterprise architecture and IT portfolio management provide strategic tools for innovating and executing change. They are not about IT, but about people, collaboration and culture.
Illustration by MM Shanith
In less than five years, the CIO role is destined to become either an executive leader of business change or absorbed into another role. This prediction comes from research by a leading CIO headhunter, Cathy Holley. Holley undertook the research in 2002, asking CIOs to envision their role in 10 years. We now see their conclusion being borne out. About the same time that Holley was carrying out her research, my own company was exploring the maturity of organizations' strategic IT management. Of the CIOs in our survey, 69 percent said that the focus of their company's IT strategy was on operations and service management. For CIOs to turn around these historic expectations takes time and persistent tactics. Now, the need for corporate leadership in change has never been greater. Over the next three years, two-thirds of CEOs worldwide plan extensive business-model innovation, and three quarters are actively entering new markets, according to the 2008 IBM Global CEO Survey. However, IBM concluded, CEOs are not confident of their ability to manage it. The economic climate must only add to those doubts. Investments that collectively change the business model — in IT and everything else — must be as efficient and value-creating as possible. Those CEOs ought to be doubly concerned because technology developments such as Web 2.0 — and the enterprise version of it — are changing business. Web 2.0 is altering the relationship between employee and employer, putting all of us at the center of our own networks of collaborators and knowledge-sharers. And it's more of a social and cultural movement than a tech one. Web 2.0 has also changed the nature of change itself. It represents a trend toward throwaway investments in change at employee and team levels, if not corporately. The venture
capitalists' perspective is that the churn in Web 2.0 apps and beyond will be much faster than we've seen before. This, too, will influence the way investments are made.
Where Web 2.0 Meets IT Strategy
Although technology has sparked business changes, these changes are about people and culture. With the CIO as corporate strategist for technology, the executive team should be looking to her for guidance. For example, the CIO needs to show how the company's business model and change process can harness new trends to enhance corporate strategy, not undermine it. And she must remind all that the changes Web 2.0 has triggered are being driven more by people. The increasing personalization of IT via Web 2.0 offers people more freedom in the way they use technology and more accountability for their actions. To choose a way of working that delivers most value, each of us can exploit our unique skills, knowledge, contacts and personal enterprise. As a result, it is becoming harder for people who are at a distance from the corporate front lines — including the people in IT — to be responsible for designing and executing front-line processes. Accountability for what someone does with technology has to sit with that person and an immediate manager. This can represent a difficult cultural shift. At the corporate level, these factors challenge how execs shape and manage enterprise architecture. Even CEOs who are not planning new business models may find one thrust upon them. This model is one in which personal enterprise and collaboration flourish, using throwaway solutions where appropriate.
Tools of Change
For today's CIOs to make the most telling contribution to this change, personal enterprise and collaboration, the 2012 vision of their role as leaders of change needs to come true as quickly as possible. Here's why. In recent years, CIOs have been assembling the two key capabilities a company needs for redesigning its business model and investing in change. First, they have been maturing the practice of enterprise architecture, albeit with an IT-centric theme. Second, given the scrutiny that boards have applied to IT costs and value, CIOs have been developing investment portfolio management. However, the challenge now facing CEOs and CIOs is that these vital business capabilities are often led from within IT — and with a mainly IT-oriented focus. So the next big step in the CIO's strategy, in collaboration with the CEO, is to maneuver them out of IT. This is not as easy as it may sound. For example, if enterprise architecture has been led traditionally by IT people, and if it's been about technology-related things, then everyone else must now discover its true business potential and their own roles in its success. For some this can be a real surprise. They will find that true enterprise architecture is founded on collaboration among the company's executives and the people that work for them. It harnesses their collective enterprise and ideas for innovation into a business model that delivers the corporate strategy. The tactics for investment portfolio management have a different challenge: the company's culture for investing in change. For example, many companies scrutinize changes that involve IT investment more carefully than those that don't. But non-IT changes also involve investment in terms of money, time, and energy, and may be either executing or undermining the CEO's corporate strategy. Experience shows that starting to apply a single and consistent portfolio-management approach to all investments in change can easily trigger an unhelpful response from the corporate culture.
How can these two tools help a CIO and the CEO? They may need to get the company and culture ready, starting with the executive team, to create a pull for the next moves before making them. Here are some options: Foster an understanding among executives that developments like Web 2.0 bring new implications and opportunities. Characterize those implications and opportunities as a social and cultural movement; an evolution in the relationship between employee and employer, and a shift toward throwaway investments in change. Discuss the impact of these developments on the distribution of accountabilities in the business model, knowing that this may be culturally uncomfortable; Explore what an enterprise architecture looks like that encourages personal enterprise, collaboration and accountability; and protects everyone from harmful mistakes. Help executives see how investment portfolio management for the entire business — not just those investments involving IT — will deliver the value in the business model as efficiently as possible, especially in a difficult economic climate.
There is a pressing need for integrated leadership of business and technology change. The CIO's cultural challenge is to explain that these tools are primarily about people and collaboration, not technology.
Chris Potts is corporate IT strategist and CIO futurist with Dominic Barrow. He is the author of FruITion: Creating the Ultimate Corporate Strategy for Information Technology. Send feedback on this column to editor@cio.in
Michelle McKenna
Peer-to-peer
Customer Data’s Treasure Trove of Ideas
The CIO of theme park Universal Orlando challenges market assumptions to drive business in a shrinking economy.
Illustration by Unnikrishnan AV
Perhaps I'm a tech-based version of a split personality. I'm the CIO of Universal Orlando Resort, but I'm also a mother of two and the planner of our family's vacations. In fact, I think of myself first as a theme park customer, second as a senior leader at Universal and finally as the company's CIO. Recently we were brainstorming new events that would bring more Florida residents to our theme parks during off-peak tourist periods. Our in-house marketing group was pitching proposals, and I offered the idea of a Guitar Hero competition. Everyone loved it. But that idea didn't come from being a CIO — it came from being a mother of two kids obsessed with the Guitar Hero video game (in which players perform as rock stars). Thinking like our customers and focusing on our company's markets are among the most important ways we can fulfill our responsibility to contribute to informed decision making. In today's contracting economy, it's more critical than ever for CIOs to study market trends and find ways to maximize business opportunities. Universal Orlando is one of many brands in the travel and entertainment industries competing for discretionary dollars spent by consumers on leisure time and vacations. Our universe is broad — whether we're focusing on our home state of Florida, elsewhere within the United States or internationally. Because our product falls into that discretionary expenditure category, we're often vulnerable to shifts in consumer confidence and virtually any other trend that influences the economy. Of course, the competition boils down to a market of one — the individual consumer. People often assume that because of
our high volume of guests, the experience we provide for them also had to be geared for the masses. But digital technology now enables guests to customize their experience, whether it's a Web-based interaction or an in-park attraction. For example, our new Hollywood Rip, Ride, Rockit roller coaster, launching in 2009, will allow guests to customize their ride experience by choosing the music that plays around them while on the roller coaster. When the ride ends, guests will be able to edit video footage of that experience into a music video to keep, share with friends or post online. As CIO, I drive the knowledge, abilities and technologies to enable our customer-based market focus.
The CIO's Role as Marketer
Our systems have always had valuable market-defining customer data, but we didn't always know how best to leverage it. Fortunately, I've been able to work closely with executive peers to implement business intelligence that triggers a more analytical, customer-centric approach to marketing and sales.
Knowledge of our market helps me drill down into our data to understand what is really happening in our business. For example, trends indicated that our annual pass holders — residents of Florida, primarily — spend less on food, merchandise and other items than our day-pass guests. I wondered why that was, and thought that perhaps we were losing details by averaging out the spending data. It turned out that some pass holders do spend on par with day guests, particularly when they attend our special events, Mardi Gras and Halloween Horror Nights. This analysis showed that we needed to segment those annual pass holders more deeply in order to better understand them and market to them. So we are building a new data warehouse and business intelligence tools that will calculate spending by hour and by pass type. The initiative started in IT, and we can find many similar opportunities if we look at market details and ask questions.
Market Shifts in a Down Economy
In an economy where the overall market for vacation spending is shrinking, boosting the conversion rate of consumers considering a Universal vacation has become a business priority, which also means it's my priority. Our conversion
rate — the number of people considering an online ticket purchase who execute the transaction — had plenty of room for improvement. We found that a lot of the conversion failure stemmed from clunky purchasing systems stuck together as e-commerce tools. By integrating these systems and their data, and by improving business process flow, I'm able to improve conversions and put IT in the revenue-producing seat — a seat I like to be in. To increase conversion and improve the international customer experience, we put ourselves in the customer's position and asked: what is the business process for someone traveling from abroad to buy a vacation here at Universal? Traveling to the United States has become a bigger hassle, so focusing on systems and processes executed at local airports can help reduce guest inconvenience upon arrival. We now have multiple initiatives planned to streamline the international guest's experience from initial ticket purchase on the Web to entry into our theme parks.
How to Be a Market Maven
Any CIO can take a few steps to get market savvy. We get weekly data about what happened in the park and what the spending trends are per guest. CIOs should get copied on any reports like that, study them and look for patterns. Don't be afraid to ask questions about it; give yourself permission to be a smart (and inquisitive) businessperson. When I first joined the company and asked about market issues, people looked at me and thought, "Why did she ask that? It doesn't have anything to do with technology." Over time, they realized that I needed to understand our data in order to do my job. It's easy for me to access our customers because our theme park is next to my office. I put time on my calendar every week to go into the park. You can't do that in every business, but you can do something similar. Tell your CEO that to serve your customers, you need to understand what drives their decision making, and ask if there is a major customer willing to spend time with you. I know it's hard to make time for that kind of thing. I don't always stick to it, but I try to reserve every Wednesday as a no-meeting day — that is, no meetings with my IT staff that day. They understand that it's my time to walk around and talk to my peer group, to do some research, to read my RSS feeds from travel industry websites or read information that helps me be a better CIO. If you find that 100 percent of your typical day is taken up with internal meetings and operational issues, then something must change. If you really want to be a senior business leader who's keenly focused on your target market, you have to make the time.
Michelle McKenna is senior vice president and CIO at Universal Orlando Resort in Orlando. Send feedback on this column to editor@cio.in
Laurie M. Orlov
Applied Insight
Look in Front When Cutting Back
Forget those old slash-and-burn tactics. Instead, CIOs should identify what resources the IT organization needs to help the business reach its goals.
The economic slump has generated pain all around. If it hasn't kicked in for your organization, at some point it will. As we swing into the second half of the year, CIOs are scanning for opportunities to prune expenses. For those who anticipate being asked to cut their IT budgets between now and the end of the year, it's a good time to reflect on our past behavior. The last time the economy soured, CIOs responded as if the sky were falling. In the ensuing panic, many CIOs cut too much of the wrong things. This time, you need to plan ahead to preserve your organization's ability to grow again when needed.
Then: The Destruction of IT Competency
Illustration by Sasi Bhaskar
Think back to the dotcom boom. Remember the Y2K spending hangovers, bloated organizations and datacenters everywhere crowded with redundant equipment? IT shops amassed unused software and stacks of yet-to-be-read service and maintenance contracts. Pioneering infrastructure outsourcing deals designed to ‘save money’ were launched with a baseline cost analysis. Travel was unconstrained, and everyone's stock was up. When the bubble burst, IT organizations were sitting ducks. Spending was justifiably slashed — but without contingencies and little strategic thought about what would happen once growth began again. Vendors went out of business, venture capitalists stopped funding new ideas and IT R&D teams were disbanded — putting a damper on innovation. Meanwhile, service levels often plunged and enterprise know-how was pushed out the door without warning, as ‘Just-Do-It’ outsourcing accelerated.
Finally, as a nasty side effect, IT lost its charm as a career for young people just as the average age in many organizations began to climb. In one large defense industry IT organization I am familiar with, the average age of IT employees is older than 50. In a large manufacturing company, only the senior IT staffers are employees; instead, IT careers with the company must be launched and developed inside supplier organizations.
Now: Preserve the Future of IT
In this next wave of cutbacks, we can do better — now that we are armed with experience and hindsight. We know that the cuts we made last time — like eliminating investment in R&D — weakened IT's ability to respond when business picked up and CIOs were expected to contribute to innovation. Let's assume your organization is doing all the right stuff — consolidating servers, datacenters, vendor licenses and maintenance agreements; deferring new purchases and outsourcing commodity services under contracts that really do save money. Let's also assume that you've offered early-retirement incentives for employees who are eligible, that you've terminated any contractor roles you can live without and that you've deferred filling vacant staff openings. You know that you're doing all the right tactical things. So what shouldn't you cut and where else should you look?
1. Protect hard-to-fill roles. Architects, database administrators, relationship managers, security specialists and business analysts: it took you a long time to find them — and even longer for them to understand your tech environment, business constituents and enterprise strategies. How much time has it taken them to identify those investments your company sorely needs but no business leader or steering committee has thought to request? These folks know what's needed next year and beyond, though their value isn't always obvious to the CFO. Without that architect, future M&A synergies may take forever to crystallize. Without a really senior person acting as a demand manager, helping business units prioritize projects, those business units may get from IT just what they asked for — but not what they need. If the IT budget is a top target for cuts, maybe, as a last resort, you can shift business analysts and demand managers (though probably not the architects) to more flexible business budgets.
2. Bring on the interns. Interns are inexpensive. And one way or the other, young people represent the future of your business, your IT organization and the IT industry. Even if they don't join your company full-time, interns who work for you will end up referring new employees, customers, vendors and service providers. To tap into the supply of interns, cultivate a relationship with business and technical faculty at your local college. You may find talent you can't do without. Meanwhile, take advantage of this year's crop of graduates. As the economy softens, they're finding it tough to line up jobs. Persuade your boss to let you hire a few of the brightest before they give up and enroll in business school. It's better for them to gain a few years of work experience from your organization as context for an MBA — and better for you to be able to cultivate a future with them so they return to you after they get that graduate degree.
3. Solicit ideas from your staff and peers. Your staff knows what's really going on in the nether reaches of the firm: which organizations struggle under laborious processes or which business units are hugging their tiny datacenters to their chests. Collect the ideas using an online tool, such as a wiki or discussion forum, so you can save, share and respond to their ideas. Tap ideas from your business constituents, too. They know in their hearts what they truly need now and what can be put off until the next quarter or next year. Ask their advice on how you can help them sustain the company while saving money. You and your staff can suggest ways to save space, energy, time, maintenance, devices and even paper. While you're with them, take the opportunity also to answer their questions about IT spending that they may not understand.
Why You'll Succeed
You're probably wondering whether this approach can work if IT is such a compelling cost-reduction target. I think it can because this time around, CIOs are better communicators. They've had to be to recover from the last round of cutbacks. CIOs today know how to make a business case, and how to explain IT's impact on profit and revenue. Today's IT executive is also experienced at explaining the value of strategic IT positions as well as the need for low-cost, high-potential new hires. He or she is well-positioned and skilled enough to listen to staff and business peers. CIOs who lived through the last poorly managed slashing and burning of IT are wiser about shaping the future that their organization needs.
Laurie M. Orlov does research and consulting on business and technology strategy. She is a former vice president and principal analyst at Forrester Research. Send feedback on this column to editor@cio.in
Vol/4 | ISSUE/02
Cover Story | Business Intelligence
Intelligent
Solution
What you see is what you believe. From their different vantage points, Allergan’s management was doomed to see different pictures of the company — unless a BI tool built like a cube could promise them different views of a single truth.
By Kanika Goswami
Reader ROI:
How BI can bring executives on the same page
The importance of BI in bringing color to data
Getting around BI challenges
It was a stalemate. Allergan’s top executives faced each other off, refusing to acknowledge the other’s sales figures. As each defended his end of the table, unwilling to accept a version of the truth that the different numbers wove, the tension in the room rose. The standoff wasn’t the first. Finance had a set of sales figures, the logistics department had their own and sales insisted that both were wrong. The conversation between executives went something like this, says K.T. Rajan, director operations IS and projects, Allergan India: “If you use my figures, let’s talk, otherwise there’s nothing to discuss.” Over a hundred man-years' worth of business savvy sitting in a room and the company twiddled its thumbs, unable to find a unanimous way ahead. That’s the thing with stalemates: nobody wins.
Photos by Srivatsa Shandilya; imaging by Anil T
“Earlier, a little bit of guesswork and a little bit of gut feeling would have seen a decision through. Today, all decisions are data driven.” — K.T. Rajan, Director Operations, IS and Projects, Allergan India
“You know what was interesting?” asks Rajan with a smile, “they were all right.” His lightheartedness belies the seriousness of the situation. In the gridlock of numbers, it was hard for the company to move, but like a fissure under pressure, a decision would be made — based on one executive's figures. While that released the pressure, it always offended some of the top management. “It built resentment,” says Rajan, “and it was coming to a boiling point.”
United We Stand, Divided We Fall
The 12-year-old Allergan India is a pharmaceutical company that specializes in ophthalmic products. A joint venture between Allergan and Nicholas Piramal, the Rs 100-crore company offers medication for conjunctivitis, dry eyes and glaucoma and has about 17 percent of the Rs 430-crore Indian ophthalmic pharmaceutical market. Like other pharmaceutical businesses, Allergan knows the importance of an extensive downstream strategy. It prides itself on having the largest reach in the Indian ophthalmic industry with its network of 10,000 ophthalmologists. The company’s primary points of sale are 18 clearing and forwarding agents (CFAs). From there products go to the distributor, and the chain goes down a couple of tiers, to the wholesaler, retailer and chemist outlets. Between 900 and 1,200 distributors and about 1.2 lakh small distributors and stockists constitute secondary sales. This vast network creates plenty of scope for data inaccuracies. “Because we are a national set up, there are enough chances of data deviating from the real figures. This is not a reflection on anyone. Everyone is doing their job fine, but each one is looking at sales from their own perspective,” Rajan says. That formed one of the reasons why figures from different departments did not match, creating intelligence that was more confusing than enlightening. “Typically, the pharma industry has so many units and so many representatives with diverse activities that accurate data
collection is a problem. In my career with Johnson & Johnson, Bayer and Novartis, I have always been disappointed with the kind of data that was available,” says R. Raghu Kumar, MD, Allergan India. The problem was that, as in FMCG organizations, the sale of pharma products takes place at different stages. For instance, when a CFA requests a certain product, that purchase requisition is used by the finance team to get a heads up on what’s being sold. When a box of Restasis is being moved from Allergan to a CFA, a goods receipt is produced, which inventory-focused production staff use to gauge what’s being sold. And when a purchase invoice is finally created when a CFA pays for the goods — possibly a few months later — the sales team uses that data to track sales. Layered over this mismatch in figures were the contrasting perspectives each department head brought. “As the production head, I think from an inventory point of view; how inventory builds up and how to reduce it. Rajesh, the director
of finance, looks at invoicing; what sales was against budget, what it was against the forecast. When each person takes his own view, it makes things difficult,” says Rajan. Without accurate sales data, it was getting hard to decide how much to produce, what promotions marketing should start on, or even for finance to finalize a budget or an expansion plan. The heat was on key areas including inventory, distribution, production planning and dispatch planning. Allergan’s current system also made it hard to keep track of the lifecycle of an order: from when an order was made, through production and delivery and finally to payment. The cycle could take up to months from end-to-end. As the company grew, it became increasingly crucial to monitor parameters like DSO (Day Sales Outstanding), which is used to gauge the performance of every division, and DOH (Days On Hand), which is a measure of inventory. “We have a huge transactions processing application called Empower. It addressed
our basic transaction processing including supply, billing and material management. It looked at various storage locations, getting all the invoicing right, getting all the pricing masters right — humungous tasks by themselves. We got our basic reports in place but we realized that we needed a system to throw up certain reports. We needed people to mine the data from Empower,” says Rajesh D’Mello, director finance, Allergan India. It was then that they realized there was a fair amount of inefficiency in the system. “It was taking some time to get data, understand it, and explain to people what exactly we were looking for. Given our headcount, we were a bit apprehensive to ask them to do more analysis. We realized that we were not getting efficiencies from our system. We wanted analysis, more dimensions from sales data, like sales according to time, zone, by area sales officer and by manager. That’s when we decided to introduce a business warehouse so that we could look at data from various dimensions, and generate as many reports
“It is refreshing to see that even as a small organization we were able to get data fast enough for us to take decisions. That’s a big change.” — R. Raghu Kumar MD, Allergan India
as we wanted,” says D’Mello, tracing the need for RUBIC (Re-usable Business Intelligent Components). The association with Rubik's cube is no accident. The cube represented the two things Allergan wanted from its IT team: a single version or block of truth and multiple sides to look at it.
Beating BI Blues
Allergan wasn’t alone in its bid to gather more intelligence from its systems. Business intelligence is an important priority for Indian CIOs. In the 2008 State of the CIO Survey, BI emerged as the topmost priority for CIOs in 2009. Given the economic slowdown, more companies, it seems, want to find new blue oceans to introduce their products. The argument is hard to get around — especially in a downturn. The big three analyst firms, Forrester, Gartner and IDC, agree that BI is one of five technologies that IT must continue to invest in even during a recession. BI can “help companies identify and retain their most-profitable customers,” says Andrew Bartels, principal analyst at Forrester. And it also ensures other benefits. Gartner fellow and VP Jackie Fenn says that companies always need analytics. In the supply chain, for instance, analytics that trigger alerts, like delayed payments, can deliver real value to companies. Both these benefits apply to Allergan. Which is why, like most companies, Allergan chose to implement BI: to give the business more actionable information. But Allergan also needed BI to create a platform that its executives could collectively work off. The year 2006 saw a decision to implement a BI solution that could throw up solutions to this problem. In 14 months, with Mindtree (who had helped build Empower) as their technology partner, Rajan set up RUBIC. The tool had an SQL 2005 server at the backend and an extraction, transformation and loading (ETL) tool in the middle. The ETL extracts and cleans data, then converts it into a standard format. It then puts the data into a local ERP that feeds the data warehouse. The warehouse is fed from various transactional level systems. A number of analytics, static and dynamic
query capabilities were built on this. Reports are available through a presentation layer (on Windows SharePoint), and allow a comprehensive representation of various key business performance indicators. Data cleansing was an extremely important part of getting the application in place. Inconsistencies in names, geographies and figures that existed in static tables had to be standardized. In many cases, these were not errors, just different depictions of data. “A distributor may be listed in different names for different categories of products,” says Rajan. The system went live in early 2007, and senior and second-tier management across sales, finance and logistics were given access to the system, with strict security applications guarding access. The biggest advantage to RUBIC, says Rajan, is that data can be sliced multidimensionally. “The three key dimensions you can look at are product category, geography and time,” he explains. “The cube browser is meant for multi-dimensional analysis. For example, primary sales can be broken up by region, by month or by product. It’s user-driven and can be used for deeper analysis. By viewing data in different ways, we are able to better understand our strengths and drawbacks.” In addition, reconciliation problems disappeared, as if by magic. The magic, however, did not come easy. The foremost challenge was getting CXOs out of their comfort zone, says Rajan, who knows a thing or two about being out of comfort zones. As one of the top three candidates of The Times of India's 'Lead India' campaign that sought community leaders to take on politics, he was put through a grueling process of personal interviews, public debates, and group discussions. “It’s about maturity and people stepping out of their comfort zone,” says Rajan, talking about the change he needed to bring about to tip RUBIC’s chances of success. The reluctance of his peers was understandable.
Hypothetically, if the production planning team went by the figures finance wanted, they would have to listen to a version of the truth that could bloat inventory and get production in trouble. “We were trying to
point out that while all of them were correct, in the common interest of the company, we should be talking about the same figure,” Rajan says. His strategy used a mix of the threat of future problems and personal rapport. “It’s a big advantage that I am not seen as an IT person. My role consists of operations, which includes supply chain management. Being a CIO is about 25 percent of my function,” says Rajan. Users instinctively guessed that they could lose some face because of RUBIC.
“Since the solution exposed the inefficiencies of individual departments or business units, it required a lot of maturity and courage to explicitly acknowledge the situation. We had to come to a common understanding and adopt a shared vision. Collective bonding had to be developed and we leveraged each other’s strengths. Over time people became open to giving and taking feedback in the interest of running a high quality business operation,” he says. The fact that Rajan spearheaded Empower, Allergan’s first transaction management
Four Tips for Better BI
Avalanches of data and the need for better decisions mean it's time to take BI to the next level. Aberdeen offers ways to reach that next level easier.
David Hatch, research director at Aberdeen Group, offers four tips to get more user-friendly BI tools.
1. Explore new tools. New ways of delivering BI can help extend it throughout the enterprise. Consider software as a service BI or on-demand BI. Look into the availability of BI as an embedded capability within ERP and CRM. Since users are already familiar with these apps, BI adoption might be easier.
2. Find ways to integrate Web 2.0 information into BI. Web 2.0 data sources and other unstructured data can be used to boost BI efforts. Amassing large sets of historical data reveals trends and performance metrics: these are the foundation of most BI efforts. But enhancing that historical data with relevant data from blogs and competitors' websites is important for delivering actionable data.
3. Give users BI tools that they can be trained to use autonomously. Employees are more likely to use and embrace BI tools that they can use independently. To do this, establish a group composed of both business users and IT representatives to collaborate on prioritizing user needs and choosing or developing BI tools. Hatch also advises being attuned to inflated vendor claims and involving vendors in proof-of-concept and pilot projects.
4. Consider operational BI. New BI offerings that automate data collection, assembly and delivery processes are one of the most promising areas of BI. To check if they're right for you, look for data generated by business processes that lend themselves to automated analysis and actions taken on the basis of that analysis. For example, some financial service organizations use applications that automatically analyze fluctuations in currency rates, and automatically initiate trades. In manufacturing organizations, data analysis is done automatically on the progress of chemical interactions — temperature, viscosity and color of a mixture, for example — and changes to the mixture are automatically made before it reaches the production line.
—By Diann Daniel
system, also helped build confidence. “People who have seen [what it could do] kind of tasted blood,” Rajan says. Rajan's combination of people and business skills worked. “It is refreshing to see that even as a smaller organization we were able to get data fast enough for us to take decisions. That’s a big change. We may be small but our database is pretty robust,” says Raghu.
In Full Technicolor
Rajan’s solution paid off in a big way. While the rest of the pharmaceutical industry grew between 5 and 6 percent in the last fiscal, Allergan India registered 20 percent growth. Rajan modestly acknowledged that some of that lead is thanks to RUBIC. It also improved the company’s day sales outstanding (DSO) and its inventory levels. Post-RUBIC, DSO levels dropped by 10 percent and Allergan achieved what few of its pharma peers have managed: it maintains an inventory of less than 20 days. The industry average, says Rajan, is about 45 days. He also points to a billing graph to demonstrate one of RUBIC’s victories. “In most pharma companies, billing cycles have a hockey stick shape. A significant portion of the month’s billing takes place during the last week — as much as 80 percent in some cases. In our case, a big chunk of the billing happens in week one,” he says. Multi-dimensional reports also ensure the health of Allergan’s stocks. “We can move stock to optimize inventory. In our industry, the health of stock is very important. We have to offer the right product, with right shelf life, at the right time,” he adds. And when a product’s time is running out, RUBIC steps in, helping the company in a way that is specific to its industry. “In pharma,” says Rajan, “when a product is six months from expiry, a trader returns the goods. Instead of junking these, we distribute them as samples. We monitor products that are 270 days from expiry, 180 days and 90 days. If it’s near 90 days, we ensure that it is used immediately by giving it to camps or hospitals where there is fast turnover.” However, instead of the regular 18 CFAs Allergan normally works with, the final accounting for these near-expiry medicines
has to be done directly with hospitals, camps and other outlets — making the inquiry-to-cash process more complicated. RUBIC gave Allergan an accounting system that worked as a good tracking device. Figures aside, the biggest advantage RUBIC offers Allergan is the power of informed decision-making. “Earlier, a little bit of guesstimate and a little bit of gut feeling would have seen a decision through. Today, all decisions are data driven,” Rajan says. In addition, the dynamic nature of RUBIC’s analyses ensures that employees are more informed and consequently are more productive. “The head of finance is able to ask much better questions of the functional heads. At their level, they are already aware of the figures, even before there are questions from the top. And that sense of control adds to their productivity. When I want information, my questions are more pointed, and employees know what I want — they are no longer shooting in the dark. RUBIC adds to employee productivity,” Rajan says. During 2008, he adds, productivity among Allergan’s sales people increased by 16 percent. As head of production, Rajan is also proud of his increased control over inventory. “We are able to monitor inventory up to the secondary and tertiary level. Now, we know in which cycle a downturn will affect us and can turn a situation to our advantage. That, in turn, adds value to our production planning and working capital.” Allergan’s products have also witnessed a 28 percent growth in promoted brands, says Rajan. Secondary sales grew by 23 percent and the introduction of new products added 10 percent to the company’s kitty. MD Kumar reiterates, “RUBIC has really helped. You can see what is happening and you can dig deeper when you think something is not looking right. We’ve come very far in terms of being able to capture data and perform analysis that adds value to our decisions.”
3D is Only the Start
RUBIC is here to stay. As Rajan points out, with Empower his people learnt firsthand what automation could do to process efficiency. With RUBIC, they saw what real-time multi-dimensional data could
“We got our basic reports but we wanted analyses, more dimensions from sales data, like sales according to time, zone, by area sales officer and by manager.” — Rajesh D’Mello, Director Finance, Allergan India
do to decisions. The way forward can only be further process optimization and the addition of more functions. Over time, there is an option of extending the availability of data to ranks below the CXO level. “It's the next step in making data available to the next level of managers,” says D’Mello. “Of course, this would depend on the technology available at that point. We need to make more informed decisions within a secure environment,” he says. He is also looking forward to adding functions to the system. “We would like
to include more data, perhaps add retail audit data, maybe even prescription data. We can make intelligence richer with those dimensions,” he says. But he also wants to temper some of that enthusiasm and guard against overusing the application. “It is important that it should not be clogged. Loading so much on it will only lead to trouble, one wouldn’t know where to look, and then accuracy and efficiency of the reports may suffer.” That’s the sort of ownership that every CIO dreams of. But when you have a solution that makes CXOs more productive, and puts you ahead of the competition, it’s hard not to love. And as the dark downturn clouds loom, Allergan is going to keep twisting and turning their RUBIC searching for new solutions.
With inputs from Tom Sullivan
Kanika Goswami is assistant editor. Send feedback on this feature to kanika_g@cio.in
Cover Story | Business Intelligence
Understanding Business Intelligence TCO
How can you manage your BI system's total cost of ownership better? Avoid these common stumbling blocks that add big costs to any BI project. By Thomas Wailgum
Reader ROI:
BI's data management challenges
What to look out for before you start
Companies of any size and from any industry today have one thing atop their business agendas: business intelligence. A majority of Indian CIOs who responded to the State of the CIO Survey said that business intelligence was their top priority for 2009. Two pieces of research from Aberdeen Group further illustrate business's growing and insatiable need for actionable reporting and analytical data. A 2008 survey of 4,300 companies found that the number-one technology that could have the greatest impact on businesses during the next two to five years was BI and analytics. That's not surprising because Aberdeen's 2007 research showed that the number-one technology spending item for companies was ‘reporting and analytics’. IT departments, in particular, are feeling the heat to give line-of-business executives and their demanding end users exactly what they want and need — even if it's clear that IT doesn't have the necessary application development and integration abilities. And in the rush to achieve BI bliss, many critical questions surrounding the ultimate costs — including: what's our total cost of ownership going to be with this BI system? — are left unanswered by many companies at the outset. This approach of walking in the dark seems risky, but perhaps it's for a good reason. "That's a difficult thing to determine," says David Hatch, a business intelligence research director at
Aberdeen Group. "There is no standard for a business intelligence scenario." Hatch's research shows that those companies that have recently rolled out a business intelligence system notice financial pressures coming from several areas. The first, and most important, Hatch says, is the pressure to improve data integration from multiple applications (noted by 42 percent of the respondents). From interviews with those who took part in the survey, Hatch notes that "this single factor alone can dictate the success or failure of a business intelligence initiative." "What I'm finding is that companies don't really understand the extent of the data management challenges to business intelligence until they get into it," Hatch says. And if internal IT does not have the skill sets or resources to solve these data challenges, that can become pricey for many companies — but few can see this before they start out. "You have to invest internally or look outside for help," Hatch says, "and both are expensive options."
No User Interest, No Deal
IT departments also report feeling business intelligence implementation pressures related to the need to: deliver business intelligence to more end users (29 percent); improve ease-of-use of business intelligence for non-technical users (27 percent); and speed the development of customized business intelligence capabilities (19 percent), according to Aberdeen's survey. Unresolved and combined, those three problems can lead to substantial decreases in user adoption — a pervasive problem with business intelligence applications, and one that makes determining TCO a "cloudy exercise," Hatch notes. But at the same time there’s little value in a business intelligence implementation if users ignore the tool.
Even if user adoption is high and business intelligence projects swell in scope, any lingering issues like those revealed in the Aberdeen survey will become only more intensified, Hatch warns. "Most companies start small with this," Hatch says. "And it either grows, or it doesn't. But once it gets to the enterprise-size level, some of these issues can get ugly."
David O'Connell, a senior analyst at Nucleus Research who covers business intelligence, says that while overall cost is important, he sees a different type of problem right now. "I think [companies] are spending too much time on TCO and not enough on identifying and estimating attainable benefits," O'Connell says. "If you strive to minimize costs, you'll minimize functionality, adoption, benefits and ultimately ROI." While O'Connell concedes that not all business intelligence vendors' pricing models are "always flexible," he does note that some vendors, such as Cognos (now owned by IBM), have pricing structures that offer a "price point that can accommodate just about any project size." In addition, the recent growth in on-demand and SaaS business intelligence options, which offer quicker implementation times and lower costs to get started, is another route for companies to go. "Flexibility like this is important," he says. "Without it, potentially high-ROI projects that should be pursued die on the white board during the cost analysis." That's the real hidden cost of BI implementations, O'Connell says: "Non adoption."
Secrets of the Business Intelligence Masters
In the course of analyzing the Aberdeen survey data, Hatch identified the top three strategies in which ‘best in class’ companies managed the TCO of business intelligence. (Aberdeen's best-in-class performers scored the highest compared with other surveyed companies in these three categories: time-to-completion of BI projects; on-budget completion of BI projects; and cost-per-user of BI applications.) These companies understood what the end-user requirements were for the business intelligence applications. They were able to identify data sources for business intelligence applications. And they defined business rules and calculations required for reports and analytic views.
Not surprisingly, understanding what the end users want is a critical factor, Hatch notes. "This highlights the importance of planning business intelligence implementations based on user requirements as a primary cost-management factor," he writes in the survey report. "If the end-user requirements are not well-understood up front, a lot of time and effort ends up being wasted."
O'Connell suggests that companies pursue business intelligence projects that they know will result in direct benefits. "By this, I mean tactical benefits such as improved productivity, tightening of the value chain or sales improvements," he says. "Use these benefits to pay for the larger more indirect benefits such as improved visibility and better ability to detect and respond to changes in the business environment." That seems like a good place to start.
Send feedback on the feature to editor@cio.in
23% of Indian CIOs say that business intelligence is their most important priority for 2009. Source: State of the CIO Survey 2008
VIEW
from the TOP
Arun Kanchan, CEO, BSES, says that IT has been instrumental in providing more transparency to its customers and reducing power theft.
Lighting The Way
By Rahul Neel Mani
It was in July 2002 that, reeling under allegations of corruption and power thefts, the Delhi Vidyut Board — a government agency that supplied electricity to the state of Delhi — was privatized. The entire business of power distribution fell into the hands of BSES Power. Taking care of a problem child is never easy. With ongoing complaints of power thefts and inaccurate billing, the company knew that the road ahead was going to be difficult. It had to make its processes more efficient and restore its customers’ faith. It needed to automate its systems and facilitate accuracy. It was a situation where only IT could help. Arun Kanchan, CEO of BSES, believed that IT had the power to deliver. After taking over in April 2008, Kanchan has been able to transform the organization by reengineering legacy processes, resulting in more transparency for consumers and higher revenue realization for the company.
View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.
Arun Kanchan expects I.T. to:
Align itself closer to organizational goals
Shed its ‘cost center’ mentality and bring in profits
Photos by DR LOHIA
CIO: Most of your workforce came from the government sector (Delhi Vidyut Board). How did you manage the integration?
Arun Kanchan: We were blessed to inherit the Delhi Vidyut Board manpower, who were experienced and skilled. Their experience helped us understand operational glitches, track operational network and identify power theft-prone areas. However, there always will remain a set of individuals who will resist change. Hence, we organized regular training programs around IT, new and improved processes, customer interaction, interpersonal skills, responsiveness and accountability and involved them in our core business functions. They were given important roles to play and were made responsible for management decisions. Instead of keeping them aside, we took a path of change management, engagement and involvement. This has helped us a lot and brought cohesiveness and instilled team spirit which helped achieve our objectives. By taking advantage of this rich knowledge base, the company has benefited a lot.
What are the challenges of managing power distribution in one of the most power-hungry regions of the world and how do you cope with them?
The Indian power sector has shown impressive growth in size and capacity. The installed generation capacity has grown from 1,362 MW in 1947 to 144,564 MW as on 31st May 2008. Despite such growth, peak electricity supply fell short by 16.6 percent and there was an overall supply shortage of 9.9 percent during 2007-2008. India is one of the most promising markets for electrical energy with an estimated demand growth rate of 7-8 percent annually. It has the potential to go much higher in the days to come. To sustain its economic growth, the present installed capacity in India needs to be enhanced. Modern transmission and distribution systems have to be improved to assure adequate, quality and competitively priced power supply. And this calls for substantial investments. A more worrying feature is the commercial viability of the distribution sector stemming from inefficiencies and theft or misuse of power. For the year 2007-08, the total commercial loss for the state owned power sector excluding subsidy, stood at around Rs 25,701 crore. We needed to build a world-class power distribution system. The immediate challenge was to design infrastructure that will last, and provide for sustained economic growth. We took a multipronged approach to upgrade the system and improve service quality and the reliability index. And this was built on an IT infrastructure and hence IT became a key enabler for achieving our objectives. Currently, we have the largest IT infrastructure in North India coupled with streamlined business processes to provide seamless customer-oriented services from various touch points.
How did BSES address the power theft issue?

Power theft has become a great challenge for all power utilities. To reduce the AT&C losses (aggregate technical and commercial loss), containing power theft is a top priority. We have taken a drive to replace naked low-tension wires with insulated aerial bunched conductor (ABC) that will make it difficult to tap overhead wires, which has been the easiest way of stealing electricity. Simultaneously, theft-prone areas have been identified and our enforcement team makes regular raids to book offenders, while the business team makes an effort to bring new customers into the net by issuing new connections in that area. One of the major enablers in detecting theft was the implementation of SCADA (supervisory control and data acquisition) and its integration with GIS. Further, the software developed for enforcement, registers and keeps track of raids as well as enforcement history. We have also floated a scheme among employees to reward them if they register a genuine power theft case. The installed electronic meters also have tamper-proof seals and are programed to record any abnormality related to power theft.

“Our mission is customer satisfaction through technology-driven services that empower people to be creative and productive.” — Arun Kanchan
What are the triggers for business innovation in your sector?

The power distribution business runs on trust and transparency, as there is customer interaction at every service point. Customers have high expectations from this struggling sector. We have to take care of all business stakeholders’ interest. Hence, all our business innovations revolve around user expectations. Uninterrupted and quality power supply to customers, adhering to the expectations of regulators as well as the Government, meeting business profitability objectives and bringing responsiveness as well as accountability in customer services are some of the other triggers for
business innovation. We have achieved a lot in terms of quality of power, improved customer services, loss reduction, better infrastructure and financial capabilities. The sale of stabilizers as well as inverters in Delhi has gone down significantly, which is a remarkable trend. The Delhi model has become a good case study in the power sector.
What are your views about energy conservation?

We are now witnessing a serious problem that threatens to undo our economic progress. Global warming and the threat of climate change are real and require immediate attention. The tropical regions such as the Indian subcontinent will be the worst hit. We are fast losing our fuel sources — coal and gas — required for power generation. India has saved 3.731 billion units of electricity last year by using electricity saving gadgets. The Central Government’s Bureau of Energy Efficiency (BEE) took many electricity saving initiatives. A city like Delhi can use this amount of power for a full month.
What role does IT play at BSES Power?

Business today demands the agility to respond to business requirements, growth, competitive threats, regulatory requirements and more. The primary goal of IT-business alignment has usually been to assure that the investments in IT generate business values and mitigate risks. The implementation of a set of sound business practices is key to delivering IT services that meet organizational needs. Deregulation and privatization of the power industry has thrown a big challenge of improving efficiency of operations, enhancing customer care and improving overall service delivery. The most important determinant of success, perhaps, in such an endeavor is the proper use of IT.
A well-designed and integrated IT system is the way in which utilities can move from their current operational levels to the expected level. A proper IT system implementation would aid in improving efficiency by eliminating unnecessary manual involvement in transaction processing or complaints redressal. IT can aid quick resolution of issues by providing the appropriate information to the correct person in the shortest possible time. Efficiency being the main criterion, automation is being given the highest priority. At BSES Power, our mission is customer satisfaction through technology-driven services that empower people to be creative as well as productive. This has been possible by leveraging IT in the entire spectrum of business operations. Technologies like SCADA, automated meter reading (AMR), GIS, ERP, outage management system (OMS), distribution management system (DMS), customer application system (CAS) and the integration of all these are some of the initiatives already implemented at BSES Delhi.
How does IT help with the process of billing?

Billing has always been a critical factor for high losses and customer grievance. Key reasons are human intervention, corruption and weakly-defined processes. Hence, metering to billing was given utmost importance. IT plays the most important and crucial role because the stress is on process improvements, that means less human intervention and more automation. Earlier, meter reading was entirely manual. Audits of meter reading data were missing which resulted in a large number of erroneous bills. The billing cycle was long and bills with cluttered information were distributed to customers as hard copies. There was a complete meter to bill cycle revamp. To automate the entire process the meters were first changed from electromechanical to electronic. Today,
meter reading is being done through CMRI (computer meter reading interface) or hand held devices for low value customer (1 KW to 39 KW) and through AMR for high consumption value customers (40 KW and above). This reduced human errors and corruption drastically. Further, the downloaded meter readings had to pass through stringent pre- and post-audit process to weed out abnormal or exception bills before it reached the customers. A process which used to take 20-24 days was trimmed to 10 days and we expect to bring it down to six days very shortly.

Bills are sent to customers in multiple ways: a hard copy through courier, via e-mail, via SMS and also on the Net with a user's registered account. The bills are colorful and user-friendly. The IT process and software including pre- and post-audit has helped us reduce errors in bills, validate data, and track delivered bills.

Customers have multiple ways of making their payments because all the payment gateways are automated and integrated, thus, the consumers can pay through cash collection centers, payment kiosks, BSES Websites, easy bill outlets and mobile cash collection vans.

What is your advice to CIOs, who are attempting to align technology with business? How can IT leaders become more strategic?

With the success of our IT-enabled business, we have a real case study to share with the business as well as with the IT community at large. CIOs should get involved with key business processes. Instead of a reactive approach, they should be proactive in providing solutions for end-to-end business processes. The thinking process should be more towards understanding organizational business goals instead of limiting themselves to their departmental goals. Today, IT has an ever-growing importance in organizations, and IT projects often span the entire company. CIOs need to have a high level view of the company. They should learn to look beyond IT, and try to think about profit as well as loss, rather than cost containment. The cost-centre mentality can be very limiting. CIOs need to listen to their teams, business stakeholders, understand non-verbal emotional signals and establish a network of relationships. In our organization a CIO is as eligible to be CEO as any other business or operational head.

What are your long-term goals for BSES?

Our constant endeavor had been to set up a world-class power distribution utility which has triggered a set of many long-term goals. Reducing AT&C losses, empowering consumers to select from multiple metering options (post-paid or pre-paid meters), reducing theft, bringing all consumers in our billing net are some of them. Technology is our main business driver and implementing automated metering up to the distribution transformer (DT) level, tagging all the consumers to the distribution transformers and in turn mapping the same to GIS, has made all the employees computer-savvy. At present, we are inching towards an environment of ‘smart’ as well as an ‘intelligent’ infrastructure.

SNAPSHOT: BSES
Number of employees: 12,127
Revenue: Rs 5,626 crore
Number of locations: 413
CIO: K. B. Singh
IT Team: 177

Rahul Neel Mani is resident editor. Send feedback on this interview to rahul_mani@idgindia.com
Case File
Ready, Set, Go!
Every hour that Hyundai India’s assembly line idled waiting for parts cost the company Rs 2 crore — and left its growth plans in a cloud of smoke. Listening to its shop floor workers solved the problem.
By Kanika Goswami
Reader ROI:
The importance of real-time inventory for increasing productivity
Why real-time inventory can improve relationships with suppliers
How it can improve profitability
Imaging by Unnikrishnan AV
The folks at Hyundai Motors India (HMIL) must just love M. Suresh. In a year when profit margins in the auto sector are being battered, the automaker’s GM of IT found a way to save his company a trunk-full of money — and ensure that the company can increase its output. But, perhaps more importantly, he created a solution that made life easier for the men running the assembly lines.

It began in 2006, when production planning for the carmaker’s transmission line became a bottleneck. The transmission machine lines are where gear parts are made and are crucial because they supply the basic parts for the more important car assembly lines. Plants 1 and 2 — in charge of transmission and engine parts — at Hyundai’s 12-year-old factory at Irrungattukatoi near Chennai, had been having problems and they were getting worse. The factory produces 34 variants of passenger cars in six auto segments and in 2007, 3.27 lakh cars rolled off its assembly lines. Management had signed off on the construction of a second unit with the hope that by the end of 2008, the total output of the factory would jump to 5.3 lakh units. Plants 1 and 2 were crucial components of that estimate. If its 10 lines and 15 lines didn’t perform up to expectation, it would hold everything else up.

In the way of optimal performance was one of Hyundai’s older systems that tracked inventory. As it was, it took about 50 people at 25 workstations to support the system. Without them, the engine and transmission lines couldn’t be fed with the right parts and the line would grind to a halt — directly impacting the car assemblies. No engines, no cars. “When we go back and investigate, (car assembly) line stoppage is usually due to the non-availability of parts,” says M. Suresh, GM-IT, HMIL. And these parts the company made itself.
It wasn’t like Hyundai couldn’t produce the parts. The problem was no one could tell when an engine line was running out of even smaller sub-parts — like gears — because of a lack of real-time inventory. And the vendors who supplied these parts couldn’t plan either, which was hard on them because with Hyundai’s single source policy their business depended entirely on the car company. When the line stopped and tempers flared, vendors got caught in the crossfire. It was hard not to be angry when a line ground to a halt. At an average of 52 cars per hour, every 60-minute halt in production cost Hyundai about Rs 2 crore. That figure spurred the IT team to create a system that could track inventory better and, consequently, enable better production plans and increase transparency with Hyundai’s vendors.
What’s that Wobble?

The Irrungattukatoi plant is also the production hub for Hyundai India’s exports, with over 1.2 lakh units sent to overseas markets — increasing the pressure to maintain production efficiency. And with the i10 meeting market expectations, Hyundai
wanted to expand its dealer network within India, but it had to be certain that its factories could keep up with demand. It was the small stuff that threw a spanner in the works. The engine lines use parts that are bought from exclusive ancillary units. Vendors need to stay in touch with the Irrungattukatoi plant to know what exactly it needed, and that could only be done if there were production schedules in place. Such a plan could help everyone focus on the same goal. “We needed to avoid production shortages because of halts in the system. For that, an engine and transmission availability plan was essential,” says Suresh. If these schedules could be made available to everyone, planning at the vendors’ end would be smoother, which would ensure that the assembly lines were continuously fed. But planning was “purely Excel-based,” Suresh says. “There were manual reports from every line for every part, and the inventories of sub-parts. It took a minimum of three hours to consolidate these worksheets and then plan for the sub-part supplies needed for the next production cycle.” P.V. Satish, DGM-IT (manufacturing applications), adds, “our earlier legacy systems were meant for production accounting. But,
during the day, we needed the inventory of sub-parts on a real-time basis. The current stock status was required if accurate reports were to be generated, and that was possible only after the end of a production day. As a result, the entire production could only be accounted for the next day, which was not particularly helpful.” Anand Kumar, senior executive, 3/4/5 speed gear, power train (transmission shop), echoes this thought. “Stock had to be maintained at a minimum, but at the same time, we faced shortages of essential parts. We had to plan every day basing ourselves on available stock and production capacity. Only after a daily update of actual quantities could we know where the shortages were. That’s why we requested for a solution.” Suresh agrees. “The shop floor identified this problem — and the solution too.” They concluded that to maintain optimal inventory and reduce downtime, they needed an application that could plan the production of engine and transmission parts according to the needs of the assembly lines.
Photo by Srivatsa Shandilya

Back to the Garage

Suresh’s team started working on generating online reports of production and breakdowns, detailing the use and plan for parts. They created an application that could capture production data line-wise, shift-wise, discover shortfalls, changes in plan, specification adjustments and where and when a lack of raw material took place. The IT team then studied the exact needs of users, and using available resources, developed a detailed data model to create a database. A team of 10 Java professionals was hired to develop an application and implement it. It was tested by users until they were comfortable and were satisfied that it met their line-information needs. The application uses AS/400 green screens to capture production data online, and hosts it on the Web. Input devices on the network like PCs and barcode printers were installed on the side of the lines. “The stock at our end and the vendor’s end provides the base for production planning,” Suresh says. “So, we also developed a Web-based system for inquiry of stock and other crucial data. The system also provides a graphical representation of machinery breakdown data for analysis.” But the project wasn’t all in a day’s work. If it had to be successful, Suresh
would have to overcome resistance by the line team itself. Although they had requested for the solution, they thought that someone else would input the data. When the system was developed, getting the data from various users and consolidating it into reports was difficult. It was only after several rounds of discussions with the user team, that they arrived at a good solution.

“There was some resistance from our workforce to enter data every two hours. Due to this resistance the line supervisors had to do the data entry for about a month. Soon, it was being done by the line people,” says Satish.

The change of responsibility caused ripples that didn’t escape Suresh’s notice. “There were some issues with the end users, since earlier the production management team did the data entry. But with the introduction of the application, the line people had to report online,” recalls Suresh.

Fortunately, says Satish, there was almost no training required for the data entry. Production and inventory plans were based on the data given by the line people. “Essentially it was data entry of the input, output, line issues and material damages,” says Satish.

However, there was a simple technology issue that was linked with a production need. Many parts needed to undergo heat treatment before they could be used in the engine line. Hyundai’s partners need to access information on heat treatment stages to plan their own processes, so a parallel set of applications had to be developed to enable them to see the same data online. While this was not really a problem, says Satish, it was something that could have been envisaged earlier.

SNAPSHOT: Hyundai India
Employees: 7,200
IT Staff: 80
IT Budget: Rs 40 crore
Number of Locations: 7
GM-IT: M. Suresh
On a Roll
The solution started showing results almost immediately. “Without these applications, it was difficult to get any figures and the production line faced some very difficult times,” says Kumar who works the transmission line. The system has made the job much easier for Kumar and his co-workers. “The implementation is helping, and will help even more with time,” he maintains.
“Now that production figures are entered in real-time, we can improve decision-making and increase user productivity.” — M. Suresh, GM-IT, Hyundai Motors India
Smooth Assembly Line

By gathering data at the line level, Hyundai discovered it could monitor inventory and ensure that its assembly lines were constantly fed.

This line produces engine and transmission parts. Inefficiencies here hold up the main car assembly line.
By installing input devices beside the line, Hyundai can now better monitor and control production.
A line worker placing parts on the line updates stock level every two hours.
That is the sort of user satisfaction that drives IT progress at Hyundai. “At HMIL,” Suresh says, “we don’t justify investments in terms of ROI. In the business, we see IT as a support function and a business enabler, so by doing this we are able to improve productivity and reduce inventory. Usually, we do not try to justify ROI or quantify benefits. Our benefits are only in terms of improvement in business processes.” Suresh’s modesty veils the fact that halts in the assembly line cost the company dearly, and that he can demonstrate the revenues that the production planning software saved Hyundai. Apart from calculating the number of cars that could not be produced because of a lack of planning, Satish points out that “the application is basically meant to reduce line complication and optimize sub-part transmission production. And, now that the actual production figures are entered in real time, they can be used for stock accounting purposes as well. The direct advantages
This is repeated along 25 workstations on the line.
include the availability of higher-value information to improve decision-making and increase user productivity. It should also improve production efficiency, quality and profitability of the shop floor. That data will enable users to understand and monitor current performance while planning for the future. Since it delivers the information over Web, all levels of management can view the data at any time.” There is another benefit to the production planning software. Suresh also set it up to improve information for Hyundai’s suppliers. “Vendors’ supplies can now be aligned with the production line, making it easier to balance inventory at both ends,” he says. On the vendors’ front, he adds, “They needed some information to plan their production. This application was meant to cater to that requirement as well, in the sense that the vendors would also have some visibility of our stock, and vice versa.” It helps if line workers know what vendors
Real-time inventory ensures that line workers are not blamed if a line stops due to a lack of inventory.
Constant data empowers production planners to change plans on the fly and produce engine types whose stocks are available.
have in the line and vendors know what we have of their stock. “In order to meet both these requirements, we had to initiate this system, to plan better for production of subparts,” he points out. “In fact, now, as an extension, we are also looking for capacity planning and machine capacity based on this,” adds Suresh. The biggest benefit that the production planning application has brought to the factory floor is the sense of confidence among the line operator staff. They can now help plan the next line process without fear of the line facing a shutdown. Suresh and his IT team have ensured that Hyundai’s plant does not suffer even an hour of stoppage of production line due to non-availability of parts or bad planning. And that goes a long way on planning profitability.
Kanika Goswami is assistant editor. Send feedback on this feature to kanika_g@cio.in
Infographics by PC Anoop
Real-time stock levels help Hyundai’s vendors know when they have to replenish stocks.
The Secrets of a Change Agent

An exclusive and unclassified report on how Web 2.0 and strong IT governance are enabling the CIA to collaborate more effectively with the US intelligence community.
By Thomas Wailgum
Business Transformation
Illustration by Binesh Sreedharan
You don't just walk into the Central Intelligence Agency (CIA) to interview its CIO, as you might with some other CIO, at some other company, in some other nondescript office park. Security for visitors is frequent and tight. Your name? Your contact here? Your Social Security number? Your cell phone, please? After clearing the check points you are whisked upstairs and there is Al Tarasiuk, flanked by two public-affairs people and his chief of staff in a seventh-floor corner office with a sprawling view of the Virginia Woods. Dressed in a conservative shirt and tie — he looks like the CIO of any large multinational. On his bookshelf sit The Big Switch, The New CIO Leader, Enterprise Architecture As Strategy, among other titles. And much like his private sector peers Tarasiuk has enterprise-wide responsibilities for infrastructure, applications, hardware and networks. Nearly three years into his term as CIO, one of Tarasiuk's most critical duties has been, in fact, to infuse more corporate-like thinking into the CIA's IT operations and staff. "My boss," Tarasiuk says of CIA Director Gen. Michael Hayden, "asked me to establish 'corporate everything' for IT — to the extent possible." But then, just as easily as Tarasiuk discusses agile development and SOA and IT governance — typical CIO stuff — he solemnly switches to the harsh realities of his particular line of business. When asked about information-sharing failures surrounding 9/11, he chafes a little. "I won't comment on how we got to 9/11," he says, "but I can comment on how we've improved since that."
He's well aware of what's contained in documents such as the 9/11 Commission Report, The Intelligence Reform and Terrorism Prevention Act of 2004 and the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction: namely, that all point to a dire need for the 16 government intelligence agencies to cease long-standing turf wars and tear down internal and external information silos — all in an effort to share critical intelligence more openly and avoid costly and deadly mistakes of the past. The 9/11 report found that during the spring and summer of 2001, US intelligence agencies received a stream of warnings that al-Qaeda had planned "something very, very, very big." The CIA director at the time, George Tenet, told the 9/11 Commission, "The system was blinking red." Since 9/11, the CIA's mission has been to support President Bush's prosecution of the ‘global war on terror,’ and it has escalated the agency's need for first-rate intelligence, enterprise-wide data sharing and agile IT systems on the back end. In Tarasiuk's office, two black-and-white framed images of the 9/11 aftermath — the charred remains of the World Trade Center and the disfigured Pentagon — stand out among other photos on a bookshelf. When asked if they help him not forget the CIA's current mission, he says that he can never forget. "Everyone in this building believes we are at war," he says, "and that's the pace we operate at every day."
Reader ROI:
Breaking down barriers to knowledge sharing
Best practices for enterprise wikis

The Mission Enabler

Since taking over the CIO reins in fall 2005, Tarasiuk's own mission has focused on the corporatization of CIA IT — which is no small feat. Severe security requirements, national security concerns and a culture where spying and deception are just part of the business add a whole other layer of complexity to attaining true business-IT alignment. For many years, IT was not seen as a strategic enabler to CIA's success, say CIA employees. Spies in the field didn't think they needed IT, and the analysts trying to make sense of the spies' intelligence had to get by with antiquated data-management systems. Technology was "a threat, not a benefit," noted one CIA researcher in 2002. And 'cylinders of excellence' — meaning data silos — were ever-present. Tarasiuk has, so far, opened up the 61-year-old insular spy agency to the concept of more efficient and effective information sharing by using Web 2.0 technologies, such as the CIA's Wikipedia-like Intellipedia that's used across the US intelligence community. Another sign of change is a grassroots, Web-based collaboration among Russian intelligence experts at several US agencies, which enables analysts to securely share their insights, analysis and information on breaking news on Russia. Tarasiuk has instituted a new IT governance team that has — for the first time — the highest level of management support at the agency. His team has also moved completely to agile project management methodologies, virtualized 1,000 servers that are projected to save $18 million (about Rs 72 crore) in 2008, and empowered frontline CIA employees to ask for, decide on and employ new IT tools. In 2007, Tarasiuk's team was finally able to replace the CIA's main information-handling system, which was severely outdated and lacked the basic functionalities found in 1990s-era e-mail systems, with a more modern and user-friendly system called Trident.
Creating a governance board to make big, strategic IT decisions is one of CIO Al Tarasiuk's key accomplishments.
In the process, Tarasiuk has tried to revitalize IT's image within CIA to match what's necessary today, "to be seen as an enabler of mission and not just a technology shop that's delivering a desktop," he says. His message of IT-driven change and business-not-as-usual has permeated CIA. "Al said that the new priority is setting deadlines and meeting goals," says Ken Westbrook, chief of business information strategy in the intelligence directorate (the CIA employees who analyze intelligence and write reports). Westbrook's new liaison role, working on managing the IT portfolio for the analysts, is one piece of the CIA's overhaul of the business-IT relationship. "Now we've got to deliver on time and on budget. I give Al a lot of credit for making that happen."
Eliminating Technology Iron Walls

Tarasiuk has driven change inside the CIA's IT operations and won notice for his efforts. But that is not to say everything now is perfect — or close to finished. After all, demand for all this change — more information sharing between and inside agencies that frees previously firewalled intelligence from fragmented silos and thousands of databases — was forced on the CIA and other agencies by the creation of the Office of the Director of National Intelligence (DNI) in 2004, to oversee all 16 government intelligence organizations. The current director, J.M. ‘Mike’ McConnell, is taking great pains to replace the 'need to know' culture with 'responsibility to provide' among the organizations. (The shift is significant because it replaces knowledge hoarding with knowledge sharing.) "What's happening at the CIA is really representative of what's happening government-wide, where you have a number of agencies with antiquated systems, and the challenges in front of them and the opportunities we have are requiring a lot more flexibility, speed and agility," says Lena Trudeau, a program director at the National Academy of Public Administration (NAPA), an independent government advisory group. Trudeau studies how collaborative technologies can help solve the US government's complex problems, which "require [the government] to act in a different way than a lot of these legacy systems and processes allow." Technology is a vital piece of the CIA's overall change, and Tarasiuk knows it. "IT is the lifeblood of this organization," he says. "I'm trying to eliminate the technology iron walls that have existed in the past" inside the agency, he says. However, long-standing interagency rivalries (the FBI and CIA, for instance, have an intense mutual dislike and distrust) won't vanish overnight. Then there are the ongoing controversies, such as allegations that CIA officers tortured detainees and were involved in such
activities at secret prisons, or ‘black sites,’ in foreign countries. When asked how he keeps IT workers' focus on the mission at hand and not on CIA controversies, Tarasiuk says resolutely: "Because of the history and things that have happened in the past, it's always going to be a lightning rod when there's a discussion about this agency. One of my roles that I take very seriously is to isolate our folks from the stuff that gets put out that's not true. I basically tell them not to worry about it and focus on mission." And then there are the cultural differences — even inside the CIA — that are difficult to quell. "The big push to share is a much harder problem than anyone wants to admit," says Ken Orr, founder and principal researcher at The Ken Orr Institute, a business technology research company. Orr is a former member of the National Research Council (NRC) committee, which has advised the FBI on technology projects in the past. "An enormous amount is semantics and language — in order to connect the dots, you've got to be talking about the same dots." Tarasiuk says that he's been able to pull off as much this far because of the credibility he's earned over his 20-plus years at the CIA, leaning on the contacts he's made along the way, and, most important, the backing of Director Hayden. Like all CIOs worth their salt, however, he hasn't been afraid to make the tough decisions, like on new data-sharing policies. "If we can't come to consensus, I'm going to make the call," he says, "and in some cases it goes against what some want to do." The CIA's in-progress extreme makeover, however, goes to show that if the IT department at 'The Company' (as the CIA is known) can learn how to be agile and collaborative and open to new ideas — and still maintain national security — so can the IT department at your company. Tarasiuk knows full well where he's come from and what challenges still lie ahead. "We're in a transformation," he says. 
"It's huge, but it's only the beginning of what's happening."

Send feedback on this feature to editor@cio.in
What the CIA Learned About Enterprise Wikis
Officials offer three best practices.

The CIA’s Intellipedia, built on wiki technology, is a central repository where the US intelligence community collaborates on key topics and challenges. Two officials who have championed the technology are Sean Dennehy, the CIA’s Intellipedia Evangelist, and Don Burke, whose title is Intellipedia Doyen. The two shared some of their best practices.

1. Set access policies. Establish access controls about who views and who edits information on a wiki. With Intellipedia, for instance, there are three different versions: one is viewable by most agency employees, another is secret and a third is top secret. Within each version, some employees have editing or writing access while others only are allowed to view, based on their security clearance. The beauty of the wiki model, Dennehy says, is that all edits can be easily tracked and made available in version history. “We are often asked in the intelligence community, ‘what did you know and when did you know it?’” Dennehy says. “We are not dealing with facts; we are dealing with puzzles and mysteries. If we get something up, we can debate it and talk about what to do. We can have a page that says analysts believe X and some believe Y, and we make that transparent so people can look at what documentation supports what viewpoints.”

2. Start small. Burke says implementing social software is more of a cultural challenge than a technical one. Many US intelligence agencies held their own data and didn’t share it with one another, so changing that paradigm can be difficult, he says. So, it’s important to start small. At the CIA, the first wiki page they created was a list of acronyms. Since the intelligence community is riddled with them, it became a page that people saw the value of and were willing to update. “It’s very simple, and it gets people who are uncomfortable with the tools to quickly make an edit and publish it,” Dennehy says.

3. Move information out of traditional enterprise tools. In order to change the tools people use to consume and disseminate enterprise content, first show that you aren’t making more work for them. If you find an employee who typically publishes information by e-mailing 50 co-workers, encourage him to use a wiki or an internal blog instead. “Move processes out of channels and onto platforms,” Burke says. “If we can take those and replace it with platform-based tools, we can capture them on the network.”

—By C.G. Lynch
Essential Technology
From Inception to Implementation — I.T. That Matters

SOA: Watching the In-Between Spaces
By Chris Clark
Illustration by Unnikrishnan AV

By exploding an enterprise’s monolithic applications into smaller services that can be used in different contexts, service oriented architecture opens up new security holes.
SOA | Many organizations are embracing service oriented architecture (SOA) as a way to increase application flexibility, make integration more manageable, lower development costs, and better align technology systems to business processes. The appeal of SOA is that it divides an organization's IT infrastructure into services, each of which implements a business process consumable by users and services. For example, a service may expose the functionality to add a new employee to the employer's payroll and benefits system. To make services usable in multiple contexts — for both lowered cost and increased process consistency — each service provides a contract describing how it may be used and what functionality it contains.

But the SOA approach turns on its head the traditional security approach used by many enterprises today. The mix-and-match nature of SOA services, and the use of messaging as the orchestration mechanism for SOA's composite applications, eliminates the ability to build clear boundaries around — and security barriers for — enterprise applications. The very thing that gives SOA its flexibility also increases its security risk.
Service Contracts Expose Your Treasures

Consider how a typical service executes on a typical SOA infrastructure: users and services communicate by passing messages between each other across the ESB (enterprise service bus). The ESB acts as a message conduit for the organization and understands the available services, their semantics, and how to get an application message from one point to another. Each service on the ESB must be addressable using the ESB's standard message-passing protocol (usually SOAP). To make services easier to consume, each service must also have a way of describing itself and how the service is to be used. This description is called a service contract and is most commonly described via WSDL (Web Services Description Language).

Few development methodologies have embraced the principle of interoperable contracts as tightly as SOA. To ease collection and the discovery of new contracts, in many SOA architectures each service possesses a method for clients to query and retrieve the contract. This method for retrieving contracts is often standardized, if not by the application framework vendor, then by SOA practitioners themselves. Standardized contracts and contract retrieval methods make SOA systems more discoverable. And therein lies one of the new security risks of SOA.

Such freely available contracts are very helpful for developers as they build new services and reuse existing services across the enterprise. Unfortunately, what works for the developer is equally helpful for attackers looking to understand the enterprise and its services. Attackers can collect these contracts and use them to easily create an internal treasure map of an organization. To identify high-value targets, the attacker uses the map and reviews the contracts for services that have weak authentication or are responsible for high-value services such as security management.

SOA practitioners might try to make it harder for attackers to build such a map by disabling anonymous exposure of service contracts in favor of authenticated or offline distribution. Although this is a solid security decision, it does not work for all services and all organizations. That's because, by restricting the distribution of contracts, it becomes more difficult for legitimate users to discover services and becomes less likely that development tools can seamlessly import contracts.
25%: The percentage of companies, according to a Gartner survey, which plan to adopt SOA in 2008. Source: Gartner

The Message Layer Security

Ironically, the use of message layer security is another related SOA vulnerability. Message layer security enables developers to pick and choose the portions of the message to be signed and/or encrypted. To support addressing and routing on the ESB, the destination information of a message is often excluded from the encrypted portion of the message. The selective encryption/signing approach differs from other point-to-point or transport layer security protocols, such as SSL, that protect the entire connection.

With message layer security, an attacker passively monitoring the network can gain deep information about the application layer messages being sent between senders and receivers. Selectively applied security increases complexity and the probability of developers or administrators failing to apply critical security protections to portions of a given message.

Service information disclosure may not be a high risk in some environments, but it is not to be taken lightly. The more informed the attacker, the more targeted the attack will be. Before SOA, there was a certain amount of obscurity gained by having disparate systems using a wide range of protocols. Attackers had difficulty finding and understanding all the systems in an environment. SOA has removed this barrier and greatly improved the attacker's ability to perform thorough reconnaissance.
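An added example (not from the article) of auditing which parts of a WS-Security message are actually covered, the gap that selective signing and encryption leaves open. The message, the `hr` namespace and the field names `TaxId` and `Salary` are constructed for illustration; the audit checks coverage only, not signature validity.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "hr": "urn:example:hr",  # constructed application namespace
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed message: only the body is signed, the routing headers are not,
# and one payroll field is encrypted while TaxId travels in the clear.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsa="%(wsa)s"
    xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"
    xmlns:xenc="%(xenc)s" xmlns:hr="%(hr)s">
  <soap:Header>
    <wsa:To>https://esb.corp.example/payroll</wsa:To>
    <wsa:Action>urn:example:hr:AddEmployee</wsa:Action>
    <wsse:Security>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#body"/>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <hr:AddEmployee>
      <hr:Name>Constructed Employee</hr:Name>
      <hr:TaxId>000-00-0000</hr:TaxId>
      <xenc:EncryptedData><xenc:CipherData>
        <xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue>
      </xenc:CipherData></xenc:EncryptedData>
    </hr:AddEmployee>
  </soap:Body>
</soap:Envelope>""" % NS

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_coverage(xml_text, sensitive=("TaxId", "Salary")):
    """Report which parts of a SOAP message the WS-Security header leaves exposed.

    Coverage check only: it lists what the signature references and what is
    still readable; it does not verify the signature cryptographically.
    """
    # Sample input is constructed; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    refs = root.iterfind(".//ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}

    unsigned_headers = [
        local(block.tag)
        for block in (header if header is not None else [])
        if local(block.tag) != "Security" and block.get(WSU_ID) not in signed_ids
    ]
    # A sensitive element that is still visible by name was not encrypted.
    cleartext = [local(el.tag) for el in (body.iter() if body is not None else [])
                 if local(el.tag) in sensitive]
    return {
        "unsigned_headers": unsigned_headers,
        "body_signed": body is not None and body.get(WSU_ID) in signed_ids,
        "cleartext_sensitive": cleartext,
    }
```

On the sample, the routing headers come back unsigned and `TaxId` comes back as readable, even though the message carries both a signature and an encrypted element.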
Messaging Intermediaries

SOA makes systems more dynamic by moving away from monolithic software to self-contained, reconfigurable components that can be assembled and orchestrated as needed. To manage this orchestration of components, SOA encourages the use of message routers and service registries that operate on messages as they travel across the ESB. For message routers to be able to operate on a message, portions of the message must be unencrypted, or the message router must have access to a key to decrypt the message. This approach means you cannot use transport layer security between a service provider and a service consumer. And it means that an attacker could exploit these message management and orchestration intermediaries to compromise the behavior of the end points.

At first glance, you might think that carrying routing information in the clear is not that different from the clear IP and TCP headers on packets protected using a protocol such as SSL. But they are different: SSL provides intermediaries with very little information about the contents of the messages flowing through them and does not expect intermediaries to do much more than forward messages with the guarantee that the entire message is signed and encrypted. But SOA intermediaries are typically more invasive and often modify the message itself without invalidating signatures. This manipulation window provides a tool for attackers to use when trying to change the SOA environment.

It's true that WS-Security can provide SSL-like guarantees over message security, but the flexibility and complexity of the WS-Security standard increases the risk that sensitive information within the message will not get appropriate encryption or integrity protections.

Likewise, service registries are a risky intermediary that the SOA approach depends on to function. They are similar to a DNS for services. When a service consumer wants to find the appropriate service provider, the consumer will query the service registry to find the current address of the provider. In many deployments, the service registry can be dynamically updated by administrators or by the providers themselves. This provides the SOA benefit of easy reconfiguration as the addresses for services change due to movement of services. But that configuration control is what makes service registries an attractive target for attackers. For example, attackers could manipulate the registry to return addresses pointing to services hosted by the attacker. If the attacker targets the correct service, such as the security service, the attacker may be able to craft custom responses to clients trying to use the security service. In one case, an attacker was able to hijack the security service and issue blanket approvals for all access requests.

To deploy a secure and dynamic SOA, developers and architects must consider which portions of the system to make dynamic and which portions to keep static. The configuration elements of the SOA that enable reconfiguration must be reviewed for security issues that would let the attacker orchestrate the environment.
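One way to review registry changes along the static/dynamic split described above, as an added example that is not from the article. The service names, the approved domain, the `admin:`/`provider:` actor labels and the update events are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy for this sketch: these services should stay static, and
# providers are only expected to live under one approved domain.
CRITICAL = {"security-service", "logging-service"}
APPROVED_SUFFIX = ".corp.example"

# Constructed baseline and registry update events, oldest first.
BASELINE = {
    "payroll": "https://payroll-1.corp.example/svc",
    "security-service": "https://sts.corp.example/authz",
}
EVENTS = [
    {"service": "payroll", "address": "https://payroll-2.corp.example/svc",
     "by": "provider:payroll"},
    {"service": "security-service", "address": "https://sts.corp.example/authz",
     "by": "admin:alice"},
    {"service": "benefits", "address": "http://198.51.100.7:8080/svc",
     "by": "provider:benefits"},
    {"service": "security-service", "address": "https://sts-new.corp.example/authz",
     "by": "provider:unknown"},
]

def review_updates(events, baseline):
    """Return (service, reason) findings for registry updates that need review."""
    current = dict(baseline)
    findings = []
    for ev in events:
        svc, addr = ev["service"], ev["address"]
        host = urlsplit(addr).hostname or ""
        # Dynamic services may move, but only to hosts in the approved domain.
        if not host.endswith(APPROVED_SUFFIX):
            findings.append((svc, "host outside approved domain"))
        if svc in CRITICAL:
            # Critical services are meant to be static: any self-service
            # update or address change is flagged for a human to confirm.
            if not ev["by"].startswith("admin:"):
                findings.append((svc, "critical service updated by non-admin"))
            if svc in current and current[svc] != addr:
                findings.append((svc, "critical service address changed"))
        current[svc] = addr
    return findings
```

The routine payroll move passes silently, while the re-pointed security service raises two findings even though its new host sits inside the approved domain.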
ESB Communication Opens New Entry Points

At the center of any significant SOA deployment is an ESB that handles message routing and provides required basic services. Often, organizations have several ESBs, connected via a bridge. Whether you have one ESB or several, the very use of an ESB eliminates the traditional ‘soft’ firewalls, making the ESB an attack target — especially because it hosts critical services, such as logging and authentication.

‘Soft’ firewalls are artificial restrictions on communication that occur when all connected parties are not speaking the same protocol. So, even if an attacker gains access to one system, the lack of protocol compatibility limits the reach of an attack. For example, an attacker who has compromised the Web server may not be able to reach the mainframe because the mainframe uses Token Ring, but the Web server sits on a TCP/IP network with no bridge between the two. ESBs are designed to remove communication barriers, which means an attacker can likely reach the mainframe from the Web server in a SOA deployment. The same connectivity that enables the SOA approach ends up assisting the attacker.

The high connectivity of an ESB increases the importance of having a solid application security process for internal, external, and ESB services. Before connecting traditionally weakly protected systems such as mainframes to the ESB, review their security properties to make sure the systems are capable of operating in a hostile environment. Consider the new communications environment implemented in your SOA from the perspective of an attacker and model the distance an attack could spread from a compromised server. Then design a mitigation plan to control and stop the spread.

Engineering flexible systems such as SOA is a real security challenge — but it's not an impossible one if you take the right steps from the beginning.
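The spread modeling suggested above, as an added example that is not from the article: a small reachability model comparing the protocol-separated network with an ESB that connects everything, and with an ESB whose routing is restricted. Host names, network labels and the `allow` routing policy are assumptions constructed for illustration.

```python
from collections import deque

# Constructed inventory: host -> networks/protocols it natively speaks.
NETWORKS = {
    "web-server": {"tcpip-dmz"},
    "app-server": {"tcpip-dmz", "tcpip-internal"},
    "hr-database": {"tcpip-internal"},
    "mainframe": {"token-ring"},
}

def native_links(networks):
    """Edges between hosts that share a network (the 'soft firewall' situation)."""
    return {a: {b for b in networks if b != a and networks[a] & networks[b]}
            for a in networks}

def with_esb(links, attached, allow=None):
    """Add ESB paths between attached hosts (all of which must appear in links).

    With allow=None every attached host can message every other one; otherwise
    only the (consumer, provider) pairs in `allow` are routed.
    """
    out = {host: set(peers) for host, peers in links.items()}
    for a in attached:
        for b in attached:
            if a != b and (allow is None or (a, b) in allow):
                out[a].add(b)
    return out

def spread(links, start):
    """Breadth-first search: hops needed from `start` to each reachable host."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        host = queue.popleft()
        for peer in links[host]:
            if peer not in hops:
                hops[peer] = hops[host] + 1
                queue.append(peer)
    return hops

if __name__ == "__main__":
    legacy = native_links(NETWORKS)
    everyone = set(NETWORKS)
    print("no ESB:        ", spread(legacy, "web-server"))
    print("open ESB:      ", spread(with_esb(legacy, everyone), "web-server"))
    policy = {("app-server", "hr-database")}
    print("restricted ESB:", spread(with_esb(legacy, everyone, policy), "web-server"))
```

Hosts missing from the result are unreachable from the compromised server, which makes the effect of each routing restriction directly comparable.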
SOA-based System Compels Security Overhaul at Hotel Chain
Building a central reservation system based on service-oriented architecture technology has
meant an overhaul in underlying IT security at hotel group Starwood Hotels & Resorts International. Patrick Foley, director of global technology compliance at Starwood describes how the move to XML-enabled SOA for a new central reservation system impacted underlying corporate security in unexpected ways. SOA, in defining systems as flexible services, has meant that existing perimeter security is no longer as effective, encryption is more difficult, and logging needs are intensified. Foley is referring to Starwood's first SOA project, launched a few years back, that suffered a few setbacks. The chief problem early on was failing to understand how necessary it was to bring in a security architect to advise developers on how to build SOA according to security standards, such as those promulgated by OASIS and the W3C. "You will need a security architect," says Foley, noting that Starwood ended up turning to a data architect to be the security architect for the SOA-based central reservation system. Some of the security impact that Starwood has seen in the evolution of the new reservation system, now undergoing beta testing, is that SOA engenders far more logging and auditing, which must be done for regulatory compliance. As a consequence, Starwood acquired a security information management system to handle logging needs. "With Web services, your logs are everywhere the services are," Foley noted, adding this logging adds to corporate network traffic. Another challenge associated with SOA's Web services is determining how to encrypt and otherwise secure data traffic when it's not as centralized. "The initial reaction was, 'Let's just encrypt everything,'" Foley said. But it quickly became apparent that encrypting all traffic put a huge load on the corporate infrastructure and also brought in issues of key management. Adjustments had to be made to selectively encrypt more sensitive data. 
Another hurdle was finding new approaches to security because with Web services, "the perimeter controls are less effective than with only an internally managed system," Foley said. He added that although a lot of the key data will still be stored behind a firewall, some will not. Hardening servers, and making sure hosting providers adhere to security guidelines as well, becomes more important than ever. Intrusion-detection/prevention systems take on greater importance with SOA, Foley says, "because you may have to leave your firewall more open." One adjustment has been to segment off the network more internally to create more trusted areas that are harder to access. All of these security questions that arise with Web services should be tackled before gung-ho software developers go about building critical SOA-based systems, Foley cautions.
—By Ellen Messmer
Send feedback on this feature to editor@cio.in
Pundit
Cloud Computing Looms Large
The technology could soon be the de facto way of working. Are you ready for the rain?
By Bernard Golden

Infrastructure | Gartner says cloud computing is the next big thing. And the ability to move from talent-constrained, capital intensive datacenter management to inexpensive, pay-as-you-go cloud infrastructure is too logical to be denied. There will be plenty of FUD spread about its shortcomings, but there was plenty of FUD about today's current champions when they first got started. So what should you be thinking about if you want to get going with cloud computing? Here are key factors for you to recognize:

Get used to virtualization: The foundation of cloud computing is virtualization. Cloud computing is different to the superficially similar external hosting, aka ASP — a trend that crashed and burned precisely because of its differences from cloud computing. External hosting merely moves the machine from your datacenter to someone else's. You are still subject to that machine's issues: hardware breakdowns, resource limitations, and inflexible hosting. In contrast, cloud computing starts by turning the machine into a virtual image, which resides on a physical server in the cloud's hosting environment. That virtual image can be moved, breaking the hardware dependency associated with external hosting. Now, your system is insulated from hardware breakdowns. And if your system begins to outstrip the resources assigned to it, more can easily be added to ensure your system doesn't suffer. This means that you'll need to get comfortable with virtualization. While cloud providers like Amazon will attempt to provide management abstractions shielding you from the virtual systems, if you drill down, you'll soon see virtualization. Building up virtualization skills is a prerequisite for moving to cloud computing.

Get used to Linux: In order for cloud providers to deliver inexpensive computing, they've all leveraged Linux as their virtualization platform. While one or more of the providers will undoubtedly explore using Windows Server as the virtualization platform, it will prove difficult for them to get the numbers to pencil out — not to mention the challenges of license management in the cloud, since Microsoft licenses are designed for a more static environment. Just as the cloud providers will attempt to shield users from virtualization, they'll attempt to do the same regarding the underlying OS, with the same results. When it comes to guest virtual machines (aka VMs), the cloud providers will support them, but you'll face the burden of license management and the reality that bringing up a Microsoft VM will require intervention to manage license input — a disadvantage to the immediate availability of virtual machines.

Get used to a new type of application delivery: Given that you'll be running VMs on top of a hypervisor and a virtual machine is a complete image containing OS, middleware, and application, application providers will soon deliver their product — not on a CD, not in an installable image but — in a complete VM, pre-configured, with all the other required software also installed and configured. You'll simply plop the VM down onto a hypervisor and it will be ready to run. You may have to do some final configuration to tune the VM, but the time-consuming manual work of installation and basic configuration will be done. As I say in my book Virtualization for Dummies, once this new mode of application delivery takes hold, we'll look back on the old way of installing applications the way we look at movies and see someone making a long distance call by telephoning an operator to make the connection. Not only will you like this, as it frees you from a lot of tedious, error-prone hands-on work, the vendor will like it better too, as a significant percentage of their support calls occur during the initial installation and configuration phase.

To Be Concluded

Send feedback on this column to editor@cio.in