CIO April 15 2010 Issue



From The Editor-in-Chief

One Hundred Not Out

Just last week, the head of an IT consulting organization asked me how I defined and qualified the success of CIO Magazine. Was it by the amount of revenue it generated or by the profit it made or by the number of events it organized, he queried. None of those, I replied, declaring with more than a little pride that the real victory lay in our influencing you to trust us enough to tell your stories of triumph and failure without mangling up the facts.

In 2005, we were chartered to provide a platform for peer group experience sharing, debate, mutual support and assistance for IT leaders in India. Our mission at CIO India was — and is — to understand the very issues that confront CIOs (and those of people with similar functions, if not designations), and to help them connect with other real people who grapple with similar issues. One of our first acts was to assemble an Advisory Board comprising current and former CIOs and academics to serve as our primary sounding board. Feedback from the board, as well as its subsequent avatar, the Governing Board, determine topics and articles for the magazine; issues that need to be debated at face-to-face events; and, even the way we design and refine the information architecture of www.cio.in.

Real people; real problems; real solutions. Those three short phrases characterize this publication and the various means by which we connect and interact with you. On the eve of our achieving a major milestone in this journey — our hundredth issue — we still believe that the most important ingredient that goes into making CIO Magazine unique is the experience that you and your peers have gained through formulating and executing IT strategies. Of course, we and you take for granted that we package the information we draw on to help turn data points into the insight that you and your peers can draw on.

So, let me take this opportunity to renew our pledge to you: We will never preach to you or offer a theoretical solution to a hypothetical problem. We will always qualify our content with the touchstone of a practitioner’s experience. A century is special. And, not just one made by Sachin Tendulkar. Thanks a ton for making ours extra special by sharing your stories, your advice and your guidance. Here’s looking forward to the next 100 issues. Salud.

Vijay Ramachandran Editor-in-Chief vijay_r@cio.in


April 15, 2010 | REAL CIO WORLD


Vol/5 | ISSUE/06



Contents | April 15, 2010 | Vol/5 | Issue/06

Business Leadership

Cover Story: 100 Things to Know | 30
In celebration of our 100th issue, we looked high and low and at all the aspects of your life to present you a list of the hundred ways, strategies, approaches, and ideas that make you who you are — and how you can better fit your shoes. Here they are.
Feature by Team CIO
Cover: design by Jithesh CC and MM Shanith

Deep Dive: Toward Innovation

CIO Leadership Summit Season 2 | 112
Industry leaders tell you how to tweak your systems and build innovation so that it’s part of your process — not the exception.

Business Continuity

The End of Your World | 82
Power grid hacks, massive DNS rerouting, solar flares — end-times for IT may be more likely than you think.
Feature by Dan Tynan

Data Loss Prevention | 90
Data loss prevention has gone from a niche technology to something everyone’s offering. In the process, its definition has got a little murky. We clear that up.

Outsourcing

Bridge to a Better Tomorrow | 24
We must cast off the temptation to splash out as the economy picks up. Outsourcing is one very good way to do that.
Column by Aubrey Christmas


Contents (cont.)

Departments

Trendlines | 11
Government IT | Smart Catch with a Smartphone
Quick Take | Guruprasad Murty on Mobile Apps
Voices | Your Agenda for the New Financial Year
IT Budget | More Money for Security
Enterprise Apps | We’re Not Happy with ERP
Opinion Poll | Who They Gonna Call?
Security | Virtual Servers, Real Threat
Technology | Wi-fi at the Speed of Light
Alternative Views | Are Chargebacks a Viable Strategy?

Thrive | 122
Communication | Talking Right
Column by Maryfran Johnson

Mentor | 124
Business Strategy | The Extended Enterprise
Column by Rajesh Uppal, Maruti Suzuki

From the Editor-in-Chief | 2
One Hundred Not Out
By Vijay Ramachandran

Executive Expectations

View From The Top | 78
Ajai Chowdhry, Founder, HCL and Chairman and CEO, HCL Infosystems, on increasing computer literacy in India and dealing with the competition in the Indian PC market.
Interview by Varsha Chidambaram

Technology Insight

Fixing it Up for the Future | 26
The cloud is going to change the way you deal with your applications. How to get ready.
Column by Bernard Golden

NOW ONLINE
“A CIO’s position is closest-aligned to the CEO of a company. The CEO’s vision is translated by the CIO,” says Ajai Chowdhry, Founder, HCL and Chairman and CEO, HCL Infosystems.
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in


Governing Board

Anil Khopkar, GM (MIS) & CIO, Bajaj Auto
Anjan Choudhury, CTO, BSE
Ashish Chauhan, Deputy CEO, BSE
Atul Jayawant, President Corporate IT & Group CIO, Aditya Birla Group
Donald Patra, CIO, HSBC India
Dr. Jai Menon, Director Technology & Customer Service, Bharti Airtel & Group CIO, Bharti Enterprises
Gopal Shukla, VP - Business Systems, Hindustan Coca Cola
Manish Choksi, Chief Corporate Strategy & CIO, Asian Paints
Manish Gupta, Director-IT, Pepsi Foods
Murali Krishna K., Head - CCD, Infosys Technologies
Navin Chadha, CIO, Vodafone
Rajesh Uppal, Chief General Manager IT & Distribution, Maruti Udyog
Sanjay Jain, CIO, WNS Global Services
Alok Kumar, Global Head - Internal IT, TCS
Pravir Vohra, Group CTO, ICICI Bank
Shreekant Mokashi, Chief-IT, Tata Steel
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
T.K. Subramanian, Div. VP-IS, UB Group
V. K Magapu, Director, Larsen & Toubro
V.V.R Babu, Group CIO, ITC

Publisher: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Executive Editor (Computerworld): Gunjan Trivedi
Associate Editor (Online): Kanika Goswami
Features Editor: Sunil Shah
Copy Editor: Shardha Subramanian
Correspondents: Anup Varier, Priyanka, Sneha Jha, Varsha Chidambaram
Product Manager Online: Sreekant Sastry

Custom Publishing
Associate Editor: Arakali A Harichandan
Copy Editor: Kavita Madhusudan
Correspondent: Deepti Balani

Design & Production
Lead Designers: Jithesh C.C, Vikas Kapoor, Vinoj KN
Senior Designers: Jinan K V, Sani Mani
Designer: M M Shanith
Photography: Srivatsa Shandilya
Production Manager: T K Karunakaran
Dy. Production Manager: Jayadeep T K

Events & Audience Development
VP: Rupesh Sreedharan
Senior Manager: Chetan Acharya
Managers: Ajay Adhikari, Pooja Chhabra
Manager Projects: Sachin Arora

Marketing & Sales (National)
President Sales and Marketing: Sudhir Kamath
VP Sales: Sudhir Argula
General Manager Sales: Parul Singh
Sr. Manager Client Marketing: Rohan Chandhok
Asst. Manager Marketing: Sukanya Saikia
Asst. GM Brand: Siddharth Singh
Asst. Manager Brand: Disha Gaur
Associate Marketing: Dinesh P
Ad Sales Co-ordinators: Hema Saravanan, C.M. Nadira Hyder

Regional Sales
Bangalore: Ajay S. Chakravarthy, Kumarjeet Bhattacharjee, Manoj D
Delhi: Aveek Bhose, Mohit Dhingra, Prachi Gupta, Punit Mishra
Mumbai: Dipti Mahendra Modi, Hafeez Shaikh, Pooja Nayak

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello. Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

Advertiser Index

Advertiser | Page No.
3i-Infotech | 73
Accenture Services | 115
ADC India Communications | 113
Adobe Systems India | 27
American Power Conversion India | 62 & 63
Bharti Airtel | 57 & 58
Blue Coat Systems Singapore | 89
Check Point Software Technologies India | 81
D-Link India | 65 & 66
Emerson Network Power (I) | 15
Fujitsu India | 60 & 61
Genesys Telecommunications Laboratories | 76 & 77
HID India | 13
HP Enterprises | 55
HP IPG | 3
HP Server | 22 & 23
HP Storage | 49 & 50
HP Technology Services | 20 & 21
IBM India | IFC & 1
Inspira Enterprise India | 7
Intel Technologies India | 17 & 18
Kaseya | 95
Lexmark International (India) | 85
McAfee India Sales | 109
Oracle | IBC
Portwise | 91
Ramco Systems | 87
Rittal India | 102 & 103
SAS Institute (India) | 75
Sigma-Byte Computers | 117
Smartlink Network Systems | 9 & 10
Socomec UPS India | 5
Steria (India) | 69
Symantec | 41 & 42
Tandberg India | 111
Tulip Telecom | BC
Wipro Infotec | 29 & False Cover

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Corrigendum

Our March 15, 2010 cover story inadvertently said that Financial Technologies runs Sharekhan. It does not. Srinivasan Iyengar’s designation is not Director-IT and Change Management but Director-IT and Operations, and Religare is not headquartered in the Netherlands. Anindya Subhro Biswas is head of Finance for the Oxford Bookstore, not the Apeejay Surrendra Group. The errors are regretted.


Trendlines: new * hot * unexpected

Government IT

Smart Catch with a Smartphone

Remember when a traffic fine was reason enough not to break the law? No longer. At about Rs 200 a fine, it’s easy to jump a light, pay up, and ride away. Now, Bangalore’s traffic police is fighting back. It’s enforcing a rule that allows the police to confiscate the license of a repeat offender (normally after a third offence, say sub-inspectors unofficially). And they can do that thanks to a unique IT deployment, which links police smartphones to a central database of vehicles, drivers and offenders that dates back to 2001. So, police can check immediately whether someone’s broken the law for the first time or not. “The purpose of the project was to keep a track of repeat and habitual offenders,” says Pravin Sood, IGP and Additional Commissioner of Police (Traffic). “So that we can ask for stricter punishments.”

As part of the project, the police have also been given Bluetooth handheld printers that can be paired with their smartphones. So, when an offender is caught, his offence is uploaded immediately and the driver is given a printed challan or ticket on the spot. This does away with inefficiencies related to paper challans and — although the police won’t openly admit it — it also lowers some of the potential for corruption — as long as an offender insists on a challan. The smartphone project, which started in 2007 and is now fully deployed across the city’s 650 traffic officers, is one part of a larger solution that integrates video surveillance and a website, which will go a long way in helping the city’s traffic police. In the last few years, traffic in the city has risen dramatically and is growing between 7 percent and 10 percent every year.

— Priyanka

Quick Take

Mobility

Guruprasad Murty on Mobile Apps

Enterprises are increasingly equipping their managements with a growing number of mobile devices to access corporate data and applications. Varsha Chidambaram spoke to Guruprasad Murty, VP-Infrastructure Services & IS, Microland, on the role that mobility plays in his company’s overall business strategy.

Illustration by MM Shanith

How do you leverage smartphones and other mobile tools in your enterprise?
We support heterogeneous devices ranging from Blackberries to iPhones. We have used a blend of tools to ensure security policies are enforced and the user’s mobility needs are supported. We have also made investments in UC to enhance productivity.

What do you think are some of the challenges that enterprise mobility raises?
With device populism, enterprises now have a scenario where devices may or may not be corporate assets. So ensuring confidentiality and integrity of information is vital. Other than security, managing the apps and expectations of users is a key challenge for CIOs.

What are some of the trends you see emerging in this space?
By 2012, 70 percent of the global workforces will be enterprise mobile users. Also, we are moving away from a Blackberry-only policy to welcoming popular devices. And, across the globe, device OEMs and telcos have taken upon themselves to open more app stores.

What is the future of mobile apps?
E-mail was the first enterprise app to be mobilized. Organizations have made significant investments in enterprise apps like SAP, Oracle, etcetera. Focus is now to mobilize the critical processes like purchase order approvals and HR-related processes.


Strategy

What Tops Your Agenda for the New Financial Year?

The financial year ushers in new plans and aspirations for the IT industry. With the upturn bringing back more buying power, CIOs are gearing up to invest. Priyanka asked your peers where they are parking their money and here’s what they had to say:

“We are looking forward to investing in the 3G space because we believe it will significantly alter the way people watch television.”
Venkat Iyer, Head-IT, Star TV

“As always, the prime focus for us will be business-IT alignment. IT is not a back-bencher and for all the new initiatives this year IT will act as a major enabler.”
Sudesh Agarwal, VP-IT, Lifestyle International

“We want to build a BI framework for the enterprise to help us take more informed decisions. We realized that we already had data from the many systems that were previously implemented. We want to correlate the data to get better analytics.”
Sudhir Reddy, CIO, Mindtree

Lend Your Voice: Write to editor@cio.in

IT Budget

More Money For Security

When an organization’s spine — its IT department — is attacked, the business gets paralyzed. That’s why CIOs are struggling constantly to ward off threats and ensure that business runs non-stop. And to put effective checks in place, IT leaders are looking to up their security spending. In an IDC survey conducted in Australia, India, Korea, China, and Singapore, 63 percent indicated that they will spend more money than they did last year on security to address threats and improve compliance. IDC expects greater regulatory intervention from government authorities to drive corporate governance with the introduction of the IT Governance Standard ISO 38500. This is set to increase security software spending among businesses.

A study conducted by Gartner projects that security software and services spending will outpace other IT spending areas this year. Security software budgets are expected to grow by about 4 percent in 2010, outpacing all other areas of infrastructure software. And security services budgets are projected to grow by almost 3 percent, leaving other service areas behind.

The slowdown gave rise to cyber attacks and forced enterprises to look at security with new eyes. The Symantec Enterprise Security Survey 2010 revealed that Rs 60 lakh is the average annual cost incurred by Indian enterprises on account of cyber attacks. A huge majority (81 percent) also incurred direct financial costs in terms of brand reputation and lost revenues. Sixty-six percent say they have been on the receiving end of cyber attacks in the past 12 months — of which 34 percent say attacks were malicious and external; 23 percent experienced internal malicious attacks; and 31 percent were due to unintentional internal actions. Add to this an increasing sophistication of attacks, small budgets to cover necessary security purchases, lack of IT security experts, etcetera, and you get a list of challenges that hamper security management.

"New IT initiatives like SaaS, IaaS and virtualization complicate matters and add to the security woes of enterprises, making management significantly difficult. So, traditional defensive methods also need to change and proactive approaches like reputation-based services, heuristics and basic behavioral knowledge should be implemented," said Vishal Dhupar, MD, Symantec India. The bright side is that organizations today are acknowledging that implementing compliance requirements provides an opportunity to revisit their current risk management position and identify opportunities for business efficiency and growth.

— By Anup Varier


Enterprise Apps

We're Not Happy with ERP

More than half of companies that implement ERP systems end up garnering no more than 30 percent of the business benefits they expected, according to a study released by systems integrator Panorama Consulting Group. Some 72 percent of the 1,600 organizations surveyed said they were "fairly satisfied" with their ERP package. But this can be misleading, according to the study: "Some executives are just happy to complete projects, protect the company from risk and give little thought to whether or not the company is better off with the new software or whether or not they're getting as much out of the system as possible."

Panorama's report breaks down ERP offerings into three tiers, with large vendors like SAP, Oracle and Microsoft occupying Tier I; companies such as Lawson, Infor and Sage in Tier II; and smaller players including Compiere, NetSuite and Syspro in Tier III.

More than 35 percent of respondents overall said their projects took longer than expected; just 21.5 percent reported shorter-than-anticipated project times. Forty-three percent said the projects were completed on schedule. Thirty percent of Tier I projects had time overruns, compared to 18 percent for Tier II and 5 percent for Tier III. About 50 percent of projects overall ended up going over budget, with 40 percent meeting expected costs. Only 8.6 percent came in at a lower price tag than planned. Fifty-three percent of Tier I implementations had excess costs, compared to 33 percent for Tier II and 59 percent for Tier III.

Overall, the study's findings are likely familiar music to followers of the ERP space, which has long been filled with stories of lawsuits filed by disgruntled customers, wild cost overruns and failed projects. ERP customers can avoid surprises by taking time to pin down the implementation's true total cost of ownership, much of which has nothing to do with software licenses. Three-quarters of a project's budget tends to go toward implementation, hardware upgrades, customization and other needs, according to Panorama. Customers should also develop a comprehensive implementation plan, as well as "identify pockets of resistance within the company and determine the organizational change management needed to make the project successful," Panorama said.

Altimeter Group analyst Ray Wang largely echoed that advice. "People do not invest enough in change management," he said. The length of ERP projects can exacerbate dissatisfaction, he added. "They put in the system, but people's requirements may have changed so much since they did the vendor selection." These factors illustrate why SaaS (software as a service) is making inroads into traditional ERP, thanks to quicker implementations and easier upgrades, according to Wang. "It doesn't mean you go SaaS all the way, but there are things that are much better with SaaS," such as human resources applications, which require frequent updates to reflect legislative and regulatory changes, he said.

—By Chris Kanaracus

Opinion Poll

Who They Gonna Call?

Technology has improved customer service, but the majority of consumers still aren’t satisfied. What they want:

[Chart: consumer preferences listed as easier/more convenient service; more knowledgeable representatives; faster service; more options for obtaining service; special services for loyal customers. Figures shown in the chart: 74%, 67%, 66%, 64%, 39%. Source: Accenture 2009 Global Consumer Satisfaction Report]


Technology

Wi-Fi at the Speed of Light

Light coming from lamps in your home could be used to encode a wireless broadband signal, according to German researchers. Researchers at the Fraunhofer Institute for Telecommunications at the Heinrich-Hertz Institute in Berlin experimented with using visible light from commercial light emitting diodes (LEDs) to carry data wirelessly at speeds of up to 230Mb/second. Research into wireless data communications using LEDs has been going on for years, but the 230Mb/second speed is considered a record when using a commercial LED, according to the Optical Society of America, an organization for optics professionals. One of the German researchers on the project, Jelena Vucic, said there would be an advantage in using light to carry data over Wi-Fi or another system because the lights are already in a room. A signal from an LED is generated by slightly flickering all the lights in unison at a rate millions of times faster than the human eye can detect, the OSA statement said. Commercial LEDs have a limited bandwidth of a few megahertz, but Vucic's team was able to increase the amount ten-fold by filtering out all but the blue part of the LED spectrum. The team built a visible wireless system in their lab to download data at 100Mb/second, and then upgraded the system to get 230Mb/second. Vucic said the team should be able to double the data rate again with some modulation adjustments.

Sending data over fiber optic cable at enormous speeds has been going on for decades. However, taking data transmission to an open environment such as a living room over light from a lamp would be an enormous step, and a challenging one, said Jack Gold, an analyst at J. Gold Associates. Gold said the German research seems to show data transmission via light only in one direction and only in one room. By comparison, Wi-Fi and other radio transmissions are bi-directional and can pass through walls. One practical concern in using visible wireless would be getting the data signal to the light itself, Gold said.

—By Chris Kanaracus

Security

Virtual Servers, Real Threat

Sixty percent of virtual servers are less secure than the physical servers they replace, Gartner said in a new piece of research. This state of affairs will remain true until 2012, but security should improve substantially after that point, Gartner said, predicting that by 2015, only 30 percent of virtualized servers will be less secure than the physical machines they replace. Virtualization itself is not inherently insecure, but "many virtualization deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages," Gartner said. And the problem will get more acute: by the end of 2012 more than half of eligible workloads will be virtualized, Gartner said. "As more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address," Gartner said.

Gartner identified six security risks. First is that 40 percent of virtualization projects are undertaken without information security professionals in the planning stages. "Typically, the operations teams will argue that nothing has really changed — they already have skills and processes to secure workloads, operating systems and the hardware underneath," Gartner said. "While true, this argument ignores the new layer of software in the form of a hypervisor and virtual machine monitor (VMM) that is introduced when workloads are virtualized." Gartner notes that a threat to the virtualization layer can harm all hosted workloads. The hypervisor, as a new platform, contains new vulnerabilities including ones that have not yet been discovered.

Additional risks include the following: Network-based security devices are blind to communications between virtual machines within a single host; workloads of different trust levels are consolidated onto single hosts without sufficient separation; virtualization technologies do not provide adequate control of administrative access to the hypervisor and virtual machine layer; and when physical servers are combined into a single machine, there is risk that system administrators and users could gain access to data they’re not allowed to see.

—By Jon Brodkin


Alternative Views
By Anup Varier

Are Chargebacks a Viable Business Strategy? Ayes vs Nays

Photos by Srivatsa Shandilya

Nay: Suresh Iyer, CSO, Aditya Birla Minacs

“Why should a predominantly technology-driven person get into a business role and charge internal customers?”

Unless there is a go-to-market strategy associated with technology or IT is catering to separate sister concerns, chargebacks are not an effective model. The attempt to shift IT from a cost center to a profit center using chargebacks will also shift the responsibility from the CFO to the business heads of the various units. This actually becomes an additional responsibility for an IT department. Why should a predominantly technology-driven person get into a business role and charge its internal customers? The arguments in favor of this are not compelling enough. And I personally feel that in companies where chargebacks have succeeded, it’s because of the person leading the charge rather than the concept of chargebacks. If it is from a purely internal consumption point of view I think it has more to do with the personality of the CIO, who is already CEO material and who can play a leadership role. Only if the IT department extends beyond itself and serves other entities along with its internal customers, would chargebacks help in a faster integration of the systems and processes. Considering technology as one composite cost and allocating that across various lines of business is not a workable model. Even in the case of a new project, accounting for everything that goes into the project and attaching the cost to it will act as an impediment to the project. If the project has to fund itself then it is a weak model.

Aye: Shekar Sivasubramanian, President and CIO, Ocwen Business Solutions

“Through charge-backs you are only providing greater validation and control to the businesses for the consumption of IT resources.”

If businesses are charged based on the utilization of services or products from a technology perspective, then it offers a change from a fixed-cost model to a variable-cost model. Wherever financial control or capital costs are involved, chargebacks provide accountability and help translate those costs into meaningful terms with respect to the business needs of the organization. For every new piece of technology that is bought — hardware or software — the cost can be broken down in terms of the business units that will use it. But a smarter way is to charge based on the number of transactions per user per month. That’ll give the businesses the flexibility to decide on the number of users that will have access. In a transactional model investments are also justified because when businesses consume more, I have to invest more. We can always convert the fundamentals of a technology consumed into tangible terms and that is the basis of chargebacks. Also, to tackle outsourcing vendors you have to be competitive in your pricing — although an internal IT team always has the advantage of a deeper understanding of the business and its functioning. And if the charges attached to these on-demand services are in line with market standards then they are completely justified. Chargebacks are not a way to distribute the fat or IT costs that aren’t properly aligned to the business. Through charge-backs you are only providing greater validation and control to the businesses for the consumption of IT resources.


Aubrey Christmas

Outsourcing

A Bridge to a More Sustainable Tomorrow We must cast off the temptation to splash out as the economy picks up. Outsourcing is one very good way to do that.

A

Illust ration by mm s hanith

t the 2009 CIO Summit I was asked the question, "what strategies did you employ to manage the recession"? I candidly replied: "outsourcing.” Just as quickly I was asked what strategies I would employ post-recession. Again, I responded rather blankfaced: "outsourcing". While all the economic indicators point to a steady improvement in economic conditions, it's worthwhile for IT teams to reflect on the lessons learned and keep applying them as we look ahead to the new paradigm we are left to operate in after the economic recession. This reminds me of one of my first trips to America. I arrived in the country with about US$250 (about Rs 11,000) to my name and the promise of big things to come in my new found employment. While I knew my new job would soon lend itself to financial prosperity of sorts, in the meantime I had very little to survive on and had to learn to live within my means. That meant having to budget very tightly — eat and live in a measured way — until I was in a better position. That life lesson has stayed with me throughout my professional career, and it's a philosophy I've carried into my working life as well, and it became pertinent during this current economic recession. Without the experience of that life lesson at an early age, it might not have been as easy to navigate the recession. Because it taught me that if you manage what you have during the hard times, you can be successful when the good times arrive. But most importantly: whatever the economic conditions, live within your means.

24

A p r i l 1 5 , 2 0 1 0 | REAL CIO WORLD

Coloumn_Live_Within.indd 16

Vol/5 | ISSUE/06

4/13/2010 3:38:18 PM


Aubrey Christmas

Outsourcing

The Lesson

This brings me back to outsourcing. The research firm Forrester estimates worldwide IT-related outsourcing is now about a $120 billion (about Rs 540,000 crore) per year business and that it will continue to grow. While I suspect the growth in outsourcing is not strictly IT-related — in other words, services such as contact centers and mechanical maintenance and engineering have also been thrown into the outsourcing mix — what we can see is that outsourcing offers opportunities for businesses to explore cost savings. As IT leaders, as well as IT strategists, we need to come to terms with the advantages outsourcing offers, rather than frown upon it as some kind of scourge. Here at the Employers and Manufacturers Association (Northern), we have successfully managed to integrate aspects of outsourcing by moving all our main infrastructure hardware along with critical application systems to virtualized datacenters. The benefits are operational cost savings in terms of connectivity costs, greater redundancy, stability and reduced downtime. Outsourcing gives me a number of options on how best to run my department. I retain a core staff with the skill set to manage the day-to-day operation, along with the flexibility to engage further assistance either on a contracted or casual basis. I liken it to a pendulum that swings high during the life of a major project and swings back once the project is over. The benefit is that the business is not left trying to find work or make up work for employees to do at the conclusion of a project. On the other hand, the contracted help can plan their next move in advance. Outsourcing is a cautious move tinged with excitement, as we strive not only to make the advantage line, but also to come to terms with what it means to live within our means.

It's the Future

According to outsourcing advisory firm TPI, information technology and business services save on average 15 percent a year, substantially lower than over-inflated estimates as high as 60 percent. However, TPI also suggests outsourcing will continue to grow as corporates take an axe to operational costs. In its Outlook for the Global Outsourcing Industry for 2009 report TPI stated: “Coming out of the recessionary markets in late 2009, we will find a strong global outsourcing industry with four to six large, dominant providers that will provide resiliency to the ecosystem that services the needs of major corporations. Ultimately, that ecosystem will service the needs of middle-market buyers as well.” So what the figures are saying is, like it or not, outsourcing has staked out some legitimacy in the local marketplace and has produced quantifiable bottom-line results that have gained resonance within our industry. That brings me back to my original point about why I have adopted outsourcing in my IT strategy: it's about living within our means, and outsourcing offers the opportunity to do that. We haven't signed a blank check and handed over all the organization's key functions, but we've selectively sourced the expertise we require to operate an efficient service to our business, while at the same time providing comfort to our key stakeholders — our colleagues — that we have the capability onsite to manage the core functions of the business.


The Failures Aren't the Rule

The spectacular failure of outsourcing arrangements was highlighted in October 2009 when an IT outage crashed Air New Zealand airport check-in systems, as well as online bookings and call centre systems, affecting more than 10,000 passengers and throwing airports into chaos. The airline was quick to turn its guns on supplier IBM, saying it had fallen “well short of expectations” in this instance. While the Air New Zealand incident should sound warning bells to those who have invested significantly in outsourcing arrangements — and there is an endless web of literature that forewarns about cozying up to outsourcing as a panacea — outsourcing certainly provides some alternatives and solutions. While my organization has adopted outsourcing options, first of all we ensured the areas we needed help with were properly functional before handing them over to a third party. It seemed more prudent than handing over something that was broken. As IT leaders we must continue to lead. We've endured the hard times, matured significantly as a result and, in some cases, shown restraint. We've continued to demonstrate efficiency, and now we must cast off the temptation to splash out as the economy picks up and instead live within our means.

Aubrey Christmas is the CIO of Employers' and Manufacturers' Association (Northern). Send feedback on this column to editor@cio.in



Bernard Golden

Technology Insight

Fixing Up for the Future of App Architectures

The cloud is going to change the way you deal with your applications. How to get ready.

It's interesting to note how cloud computing affects IT application architectures, specifically the flip side of the coin of data growth: application load. Succinctly put, the assumptions we have traditionally used to design app architectures are increasingly outmoded due to the changing nature of apps. Application architectures are going to change — just as much as IT operations — over the next five years due to the nature of cloud computing apps. IDC projections indicate that the average company will experience a seven-fold increase in unstructured data (think click stream capture and video storage, etcetera), accompanied by a doubling of structured data (think database row-and-column info). I actually think that IDC's projections are understated on the structured data side, because of the constrained assumptions it (very reasonably) brought to its analysis. The remarkable decrease in the cost of IT brought about by cloud computing will — no surprise to economics majors everywhere — lead to much larger amounts of computing being done, which, in its turn, will lead to larger app architectures and topologies.

The Business Use of IT is Changing

In the past, IT was used to automate repeatable business processes — taking something that already exists and computerizing it. The archetype for this kind of transformation is ERP. That “paving the cow paths” approach to computing is changing. Today, businesses are delivering new services infused and made possible by IT — in other words, creating new offerings that could not exist without IT capabilities. A dramatic example of this is the way music services have developed, like the way Pandora delivers customized song streams to its customers. It tracks the preferences and feedback of every one of its listeners to ensure each receives a personalized offering. Pandora's service could not exist without the support of massive amounts of computing power, which forms the core of the business. And, guess what, it's all driven by new apps.

The Nature of Applications is Changing

Till now, most computing has been driven by human action — someone making a purchase, requesting a Web page, and so on. In the future, a growing percentage of computing will be driven by non-human activities from devices like sensors. Take electric meters. Instead of your meter being read by a human walking through your neighborhood, the meter itself will connect to the electric company datacenter and upload billing data. However, one of the other ballyhooed characteristics of these smart meters is their ability to give real-time readouts of load to users. This data about electric usage will be invaluable to electric companies to help understand how usage changes with immediate pricing feedback. This will result in far more data than just a monthly reading being sent to their datacenters. And that data will be transmitted in irregular patterns, leading to highly variable loads, thus affecting the nature of app architectures.

Given how the number, type, and nature of apps are changing, what does this imply for the future of apps and the future architecture of apps? The implications are fourfold:

Application load variability will increase: The driver for the vast changes in resource load variability is app load variability. For hotels, the traditional busy times are early morning (checkout) and late afternoon/early evening (check-in). In the future, personalized attention will mean high app load at other times; it will vary throughout the day — all 24 hours of it — rather than being focused during business hours. Apps will need to be much more able to scale dynamically.

Application interfaces will change: Instead of being human- (and thereby screen-) focused, data will pour into apps from other apps, sensors, file uploads and things we haven't even thought of yet. So service interfaces and upload interfaces will join terminal interfaces. Apps will need to be able to gracefully — and dynamically — add new data streams as inputs.

Application characteristics will change: The increasing importance of geo-location in apps will necessitate the ability to shift context and data sets rapidly. If I'm driving in a taxi, the ‘nearby’ services change quickly as the car moves. Being able to shunt data in and out of working sets quickly (and being able to blend contexts as apps support multiple people sharing a nearby context) will become vital. This requires high performance.

Application topologies will become more complex: As scale and variability increase, architecture designs must change. Complex apps often incorporate asynchronous processing for compute-intensive tasks; message queues are often used as part of this approach. Therefore, app architectures need to change to incorporate new software components and app design.

What are some practical steps you can take to ensure your cloud-targeted app can support these new requirements? Here are some suggestions:

Review software components that you plan to use in the app. Many software components were designed to be used in a static environment. A common design pattern for these components is the use of a ‘conf’ file which is edited by hand to configure the component context. Once the conf file is complete, the component is started (or restarted), reads the configuration information into memory, and goes into operation. In a cloud world, in which context changes constantly as new connections and integration points join and drop, this model is unsustainable. Look for components that have online interfaces to update context and dynamically add or delete connections.

Plan for load balancing throughout the app. Many apps support load balancing at the Web server layer, but assume constant numbers (and IP addresses) of app components at other layers. With very large load variability, other layers need to be scalable and need to support load balancing to ensure consistent throughput. Don't design an app with the expectation that only two app components will reside at certain layers. Plan for dynamism and load balancing at all layers.

Plan for application scalability. Maybe this is hammering the point home too many times, but double or triple your capacity planning and app architecture assumptions — maybe even factor in a 10X growth possibility. When you plan for much larger scales, you pay attention to bottlenecks and plan how to relieve them dynamically.

Plan for dynamic application upgrades. Forty years ago, auto manufacturers took two weeks to change over factories to prepare for new model manufacturing. Toyota figured out how to do it in two hours. That meant they had to design for dynamic factory upgrades. Cloud computing, with its 24-hour use cycles, means no downtime for app upgrades. Architecting apps so that the topologies can be changed while users continue to access individual servers requires Toyota-like planning. Likewise, upgrading database schemas (and data sets) to support new app versions necessitates Toyota-like approaches.

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. Send feedback to editor@cio.in



By Team CIO with inputs from IDG News Service



To know about what? Just about every aspect of your life as a CIO. We put your lives under a microscope and studied the hardest and the most interesting parts of it. Now we present our list of the 100 things that make you, you — and how, if we may, you could possibly be better.

Just in case you haven't already noticed, the world around us has changed. There are new rules, new goals, new opportunities. In the next few months, you're going to be driven to keep pace with the needs of the upturn. These tricks will come in handy. You're going to have to refresh your identity and remind yourself what you really bring to the table. Again these tricks will come in handy. New challenges will come your way and once again these tricks are going to come in handy. Let the next few pages be a reminder of what it takes to be you and how to tap into your potential.

Inside
IT Strategy Pg 34
Business Strategy Pg 38
Negotiation Pg 40
Staff Management Pg 46
Technology Pg 48
Resource Management Pg 54
Security Pg 59
Change Management Pg 67
CIO Role Pg 70
Personal Skills Pg 72


Cover Story | IT Strategy [7 Tips]

Strategies to Leverage the Upturn

Follow these four and you won’t regret the effort you put into reworking your roadmap during the slump — and it’ll leave your CXO peers smiling.

Reduce IT Complexity

As a strategic play, cloud computing promises to redefine the way IT is consumed and is among the best long-term ways to simplify enterprise IT. Conceptually, it is capable of removing intrinsic complexities from an IT ecosystem and bringing users closer to the real application of technologies with its service model. With management overheads and physical limitations on infrastructure growth out of the picture, businesses can focus more on bettering their time-to-market and increasing their productivity while considerably reducing their costs. Though it is largely uncharted territory, corporations are increasingly willing to identify and explore the possibilities within cloud computing. Rajeev Seoni, CIO, Ernst & Young, has redirected his efforts to sail in the direction of server consolidation and adoption of cloud computing at his enterprise. “Cloud computing is definitely an area that's drawing our attention, and how! From the perspective of reduced costs and infrastructure management overheads, it makes a lot of sense to us,” he says.

Save, Save, Save

Slowdown or no slowdown, saving money never goes out of fashion. And there's no better option than virtualization to get those 30 percent savings. Virtualization makes sound business sense to a lot of businesses as they look forward to posting robust growth. Not only does it save costs but it also enhances the management of IT infrastructure. Srinivasan Iyengar, director IT & change management, Aegon Religare, is looking at virtualizing his servers. Initially, his enterprise automated business processes but because it now expects to double its business growth, server virtualization is one of its priorities. “I have to provide increased scalability of my server at minimum costs. And for that, virtualization is the best thing to do. Initially, we didn't want to indulge in it because virtualization is not very beneficial when you are a startup. Now that we have started growing, we want to move in this direction,” he says. Vijay Sethi, VP-IS, Hero Honda, invested heavily in virtualizing his servers last year. And this year he wants to do more. “I will think of virtualizing more because we will save on energy and space. Also, we wouldn't have to buy more servers. Virtualization remains a high priority,” he says.

Keep Customers Happy

The slowdown demonstrated the survival of the fittest. And those that made their customers happy made it through more easily. An in-depth understanding of the customer's needs has emerged as a key business imperative in the downturn. That's why Virender Pal, CTO, SpiceJet, is evolving a strategy that makes him more customer-centric. “We want to focus our attention on serving and understanding our customers better. So, BI is the next big thing for us. We want to understand our customers more closely and connect with them in a more definitive way. We want to know their preferences including flight timings, fares, choice of meals, etcetera,” he says. Using BI as a tool to respond to customer needs is also a strategy that appeals to Nilesh Sangoi, CTO, Meru Cabs, the fastest-growing player in the space. “After implementing transactional systems, we are now looking at tapping the potential of BI to be more responsive to the market,” says Sangoi. “We are a three-year-old company now and our business processes are maturing rapidly. And that's why I think it's the ripe time to deploy BI.” Sanjay Malhotra, CIO, Amway India, also firmly believes that a robust customer-facing strategy is critical for his company. As an FMCG giant leveraging the direct selling channel, his company needs a strong system to generate and track potential customer leads. “Our independent business owners send us a lot of customer leads. These leads come through various channels. We need an effective mechanism for tracking them and ensuring their speedy closure. One way of doing this is to put our lead management system on CRM. Currently, we are evaluating CRM to deliver on our strategy of customer-centricity,” he says.

Outsource

As the global economy is starting to pull out of the recession, companies are increasingly exploring strategies that will allow them to fuel growth and simultaneously curb costs. On their end, IT decision-makers are leaving no stone unturned to find ways to cope with mounting cost and growth pressures. That's why outsourcing is once again garnering the attention of IT leaders, because of its inherent ability to spread out costs and retain business agility. Besides generating significant cost savings, outsourcing promises to deliver greater operational efficiency, better quality, and access to a larger talent pool. Little wonder then that CIOs are warming up to the idea of outsourcing strategic IT functions and applications. According to the State of the CIO, 34 percent of Indian CIOs say that the importance of outsourcing as a strategy has increased post the slowdown. According to Singapore-based IT market research and analyst firm Springboard Research, 65 percent of IT executives in Indian corporations anticipate an increase in their investment in IT outsourcing in the next two years.

3 Advantages of Being an Early Adopter

Grabbing an upcoming technology in its infancy is a strategy that can give you impressive returns. Don't shy away.

It's Easy On the Purse

In 2007, when ICICI Bank, ICICI Prudential and ICICI Securities jointly deployed virtualization, the technology was yet to gain mainstream acceptance. Joydeep Dutta, CTO, ICICI Securities, swears by the benefits of making the early move. “We were the first company in our sector to make the move. And today, our datacenter expenses incurred on power, cooling and servers have come down significantly,” he says. Umesh Mehta, VP-IT, Asia MotorWorks, also feels that adopting technologies early provides organizations with strategic value and reduced costs. And he talks from experience. “We adopted business intelligence early on. We are growing at a healthy growth rate of 10 percent. And BI supports our growth. It has helped us reduce costs by 20 percent and has boosted our productivity by 35 percent. So we have seen a distinct advantage of early adoption,” he says.

63% of early adopter companies grew faster than their competitors, says A.T. Kearney.

It Keeps You Ahead of the Pack

For most process-driven organizations there is a strong business case to explore emerging technologies. “Early adoption can be your key competitive differentiator. In 2004, we came up with a web portal for intermediaries and our agency force for our customer-facing applications. This gave us an edge over other players in the industry,” says BG Pal, CIO, Tata AIG Insurance.

It Eases Your Learning Curve

Sabyasachi C. Thakur, CIO, AIOCD, feels that early adoption gives him the ease of deploying the technology in small chunks. “When the technology matures you are at a better stage of your learning curve to adopt it for your business critical applications. It's better to start early so that you are better geared for your future. Adopt early with the non-core applications so your learning curve also rises with the maturity of the technology,” he says.



Cover Story | Business Strategy [10 Tips]

How to Get Your Business to Embrace You

The buck stops here. Business-IT alignment is your responsibility, not the business'. Follow these three steps to bridge the gap between you and the business.

If your eyes are glazing over at the thought of another business-IT alignment story, it's time to pay attention. The fact is, getting business and IT to align is more than just a nice-to-have. It can make the real difference between the success and failure of an IT project — and sometimes of a company, as in this example from Sarv Devaraj and Rajiv Kohli's book The IT Payoff (edited for brevity). Close Call was in the business of telemarketing and catalog sales. The CEO wanted to implement a data warehouse that would fully integrate various call centers. However, he believed that getting the data warehouse up and running in 3-4 months was just a matter of “getting the right people for the job”. The information system (IS) department was already stretched and therefore outside help was sought. The expectations, with regard to resources and time required, were very unrealistic. The project team spent three times its slated budget and half of Close Call's IS staff quit after the project. The company's stock price lost more than two-thirds of its value during the period. The reason for the failure, as stated by a consultant for Close Call, was that they attempted too many technology projects at the same time, a case of biting off more than they could chew. The lesson, in this case, is to set realistic expectations of IT implementations. If you want to avoid that fate, start with this:

Explain Benefits Clearly

Unrealistic expectations often result when the business hasn't understood the scales used to measure value. Here's how that worked for one CIO. “When we implemented an ERP solution the vendor had promised things like inventory and cycle-time reduction and productivity improvements in vague terms, such that the CEO expected manpower to be reduced by 10 percent,” recalls H. Krishnan, assistant VP-IT, Indian Rayon (A Unit of Aditya Birla Nuvo). “We had to temper those expectations because although manpower count may not be affected directly, the same manpower can easily scale up production, and consequent transactions, by 25-30 percent without additional costs.”


Make Business Sponsors a Key Driver To ensure that IT projects are run as business projects at Idea Cellular, AVP-IT, Deepak Kulkarni, formed a core team of four people for each project comprising a CXO-level business sponsor, an expert from the business, a vendor project manager and an IT SPOC (single point of contact) who acts as a mediator between the business and technology folks. He tells you why, “The role of this team is to first set the direction to the project, and ensure that milestones are tracked. The business sponsor acts as the primary driver of the project.” But he’s quick to add, “Before the CIO can make such demands from the business, he has to establish his team’s credentials.”


Keep Business Informed

Running a business is like a dance: it's nice when it's synchronized. At healthcare outsourcing services provider Ajuba, T. Jaganathan, director-technology, and his team have a monthly tech-ops meeting. Every second Monday, managers from IT and the business sit together and thrash out issues of concern. Action items arising out of these meetings are closely tracked. IT then circulates a monthly executive report to every business leader with details of proposed new IT initiatives apart from a performance report in terms of issues faced and support metrics, among others. “Business must give sufficient notice to IT for any requirements. IT has a lot of external dependencies which the business needs to appreciate,” Jaganathan says.

3 Strategic Decisions You Should Be a Part Of

If you are truly one among your CXO peers, you need to be in the room when these conversations are being tabled.

Mergers and Acquisitions

According to a new Forrester Research report, A CIO's Guide to Merger and Acquisition Planning, even in 2010, many CIOs are still relegated to mop-up duties when an M&A deal takes place — instead of being part of the strategic decision making. This is despite IT's pivotal role in providing many of the synergies companies expect out of an M&A. Fortunately, more CIOs are beginning to view M&As as opportunities to lead both the IT and business teams through the integration process and establishing themselves as a credible and trusted business partner, articulating business strategy well beyond the role of IT cost-center manager.

Financial Decisions

Nothing speaks more to the CXO archetype than trading numbers, but it's a skill few CIOs have mastered. “CEOs often tell me that their CIOs simply can't understand what the business direction is. Their CIOs are so technical that they end up relying more on their CFOs,” says Kumar Parkala, exec. director and head of IT Advisory, global head of Sourcing, KPMG. The inclusion of the CIO in important financial decisions such as investment planning or drawing up enterprise budgets is a crucial indicator of his or her role in the company's overall strategic planning. And being in on the money conversations can benefit CIOs, too: it gives them more say over IT budgets.

4 Business Skills You Need to Develop

If you have to get close to the business, the management needs to notice you. Master these skills to make more business sense.

Business Communication

The ability of a CIO to articulate the value proposition of a technology to the business is critical. This is easier said than done since IT concepts are fundamentally complex. It is equally important for a CIO to be able to translate business needs into executable technological terms to his IT team.

Sales and Marketing

Today, more than ever, marketing is about engaging customers through multiple channels, including the use of social media and Web 2.0 tools to sense and respond to customer and market needs. That takes a CIO's responsibility beyond running a CRM system; CIOs should introduce multiple ways their salespeople can connect with customers. They should also look for ways to increase the effectiveness of their sales teams. “CIOs should leverage new-age technology such as business intelligence tools and dashboards to drive new businesses and capture market share,” says Saurabh Verma, senior manager, Software & Services Research, IDC India.


Evaluate Risk

It is the CIO's innovative, creative and entrepreneurial spirit that sets him apart from IT managers. Essentially, good CIOs are bold and take risks; they should initiate projects offering creative new solutions to traditional business problems.

Understanding Numbers

Understanding finance can help CIOs make more effective requests for things their department needs and suggest ways in which the company could improve its performance. CIOs should make decisions based on their companies' corporate financials. When they have the knowledge and skills to ask questions they can take more informed decisions for the business.

General Management

CIOs should disassociate themselves from the common misplaced perception of being the ‘tech guy’. Heading a non-IT function will help establish their credibility as managers and win the confidence of their CEOs as key business strategists.



Cover Story | Negotiation [12 Tips]

4 Ways to Squeeze Your Vendor

We gather four CIOs and let them tell you their negotiating secrets. Master these tricks and you’ll get a better deal the next time.

Build Uncertainty

What makes vendors really uncomfortable is the unknown: not knowing where they stand and if there are alternative solutions that are undercutting them. An effective negotiating method is to build uncertainty. Tell them you're considering alternative solutions or partners. This will give you leverage. Avoid giving out too much information; hint at competition or alternatives but don't threaten. Be as vague as possible and let them imagine the worst. — Martin Ewing, (former CIO) & Founder, Pactoris

Know More Than Your Vendor

Before getting into a negotiation, you should have a strategy in mind. You must know exactly what you want to achieve. If you don't have a price-point strategy, your vendor will definitely get the upper hand. To get there, you have to know more than your vendor. And for that, you need to do your homework: find out the price of a typical desktop, network or server. See what price his competition is providing. This will help you bargain hard. And you should always negotiate hard. Till the last minute, don't let the vendor know that you are in his favor. — T.P. Anantheswaran, Senior VP-IT, Arshiya International

Rephrase That!

Three phrases you should never utter in a negotiation.

“You can't make changes...” Instead of taking a dictatorial stand with the other party, you should offer to talk it out. When there is a disagreement in the contract, there's always a way to negotiate without getting unpleasant.

“This won't do...” Starting on a negative note is not a good idea. If you expect more from your opponent, say “I think you'll have to do better than that.” Don't be arrogant or aggressive. The fact is few people will walk away from a deal once it's commenced.

“Let's Settle for...” Never be the first one to quote a price. Let the other party name a figure, so that you get better leverage.

Whet His Appetite

Hint at potential growth within your group companies if the price is right and the product is excellent. For him, that would mean more business and you'll get a good price. You must try to get as much as you can from your vendor. After your deal is done, ask him to tell you about his new products. Persuade him to let you be the early bird that gets the beta. Offer to help some of your vendors do testing on new versions of their products. This can help you get a say in the development of the tool, plus an early heads-up to, say, a new functionality. — Jeremy Schnorbus, Director IT, NERA Economic Consulting

Separate the Hype from the Truth

Knowledge about the different features of a product is fine, but it's more important to find out what your vendor is not telling you. Knowing the limitations of the product will give you a lot more bargaining power. You should be able to differentiate between good-to-have and must-have. For example, if your vendor says his product is virtualization-ready, ask yourself if you are. Pay only for what you are using. Seek discounts on commercial offerings. It will also help you set realistic expectations for the business. — Gopal Rangaraj, VP-IT, Reliance Life Sciences



Cover Story | Negotiation

Five Tricks to Win Over Your CFO Negotiating with your CFO is like conquering Everest. Sujit Sircar, CFO, iGATE, tells you what you need to know to get the upper hand.

Show Me the Money

The CIO is like a child who likes to play with new technology. For him, whatever is new is better and hence we should have it. His idea is to ensure that the organization gets all the benefits of the latest technology available in the market. But a CFO believes in numbers. Whatever you invest in has to give a higher return. So if you want to change your ERP, you have to tell me what the organization will get in return. Will it improve productivity or bring in profits? CFOs don’t believe in feel-good factors. I can invest the same money in something that propagates sales, or in the market. I will invest in whatever gives me the highest return. You have to give me a reason why I should invest in your proposal instead.

Keep it Flexible

There’s something called a variable cost: when sales goes up, cost goes up, when it comes down, costs also come down. But a CIO works with a fixed cost. However, he has to ensure whatever cost he is incurring is matched up to the revenue. If revenue goes up, my server will be used more leading to higher costs. But if my revenue comes down, server will be used less but maintenance will be higher. If the cost is variable then there is a higher probability of the project being approved. CIOs have to give CFOs that flexibility.

Be Honest Suppose a CIO has just upgraded to a new ERP and he realizes that the implementation is not giving the benefits that it was supposed to. But because he is emotional about the project he wants to go on investing. It’s like good money chasing bad money. But to get your budget approved, you have to determine that at this particular point of time the system might fail and that you will stop loss: which means you will discontinue the project. You have to tell your CFO that you’ve reached stop loss position.

Types of Negotiators
There are three sorts of negotiators according to Tom Hayman, founder of Negotiation Expertise. Find out which type is sitting across from you.

Negotiator Type: Competitive (expect to: win)
Traits: Controlling, driving, dominant
Tactics: Broken record, intimidation, take it or leave it
Motivation: Taking as much as possible
Focus: Own needs
Goal: To win and control
Trust: Not interested
Use of Power: Abuse
Primary emotion: Anger

Negotiator Type: Compliant (expect to: lose)
Traits: Detail oriented, analytical, conscientious
Tactics: Concession giving, problem transfer
Motivation: To be liked
Focus: Other party’s needs
Goal: Avoid conflict and comply
Trust: Eager to trust other party
Use of Power: Gives it away
Primary emotion: Fear

Negotiator Type: Collaborative (expect to: benefit mutually)
Traits: Flamboyant, dynamic, people person, listener
Tactics: What if/suppose, concessions, ask why?
Motivation: Satisfy both parties, fairness
Focus: Needs of both parties
Goal: To influence and persuade
Trust: Willing to build
Use of Power: Share
Primary emotion: Optimism

Mix In-house Expertise with Outsourcing I would want to ensure that I have the right mix of people and resources. A CIO can get specialized people, whose core competency is deploying that particular technology. That would be a lot cheaper. An ideal scenario would be a 50-50 ratio, but it would be great if it’s 80-20 ratio for outsourced and in-house talent. For me that means specialized services at lower costs. He can’t say I’ll do everything on my own. There’s no way that that’s going to fly.

Come with a Back-up Plan If you are telling me X product is the best, I want to know your criteria for evaluation. You can’t come to me with a single plan. Any IT implementation impacts the organization. So, if the systems go down you’ve got to have a BCP. CIOs should be able to tell CFOs how they plan to mitigate the loss if something goes wrong. They have to explain why we aren’t going for a cheaper product.



Cover Story Staff Management [ 14 Tips ]

3 (Cheap) Tips to Win Over Staffers

These ideas are not only light on your budget, they will also get you results quickly. Vasanthi Srinivasan, Associate Professor, Organizational Behavior & Human Resources Management, IIMB, tells you why they work.

Thank Them

Mary Kay Ash, Founder of Mary Kay Cosmetics, once famously said, “There are two things people want more than sex and money: Praise and recognition.” That’s exactly why CIOs need to thank their staffers. Fairly obvious but it bears repetition. The use of praise to retain employees is one of the most important tools in a leader’s arsenal. Sure, staffers are just doing their jobs, but a little praise can get them to go that extra mile, which earns them more praise, and then you have a virtuous cycle. “People want to make a difference,” says Suzanne Bates in her book Motivate Like a CEO, “When they believe that what they are doing matters, it motivates them and stimulates their passion and energy.” However, some managers feel praising staffers too often can spoil them. HR experts say that is bunk. Positive reinforcement won’t give employees horns. But there are a few caveats to the praise strategy: don’t praise someone when they don’t deserve it. And be specific. Saying “nice job” can diminish the value of praise compared to “we tested out that idea of yours and I’m glad we asked your opinion!” What Srinivasan thinks of this idea: Appreciating work that’s done well is a good idea. We are very good at root cause analysis when it comes to failures, but how many times do we do a root cause analysis of our successes? It will allow us to replicate success easily.

Introduce More Accountability

Most experts in people management will tell you that there’s nothing like tapping into self-motivation to find that holy grail of HR: employee passion. To get there, CIOs must first build an environment of accountability. Staffers love leaders who communicate their expectations and hold people to their commitments. They also love a good challenge. Believe it or not, giving people more work actually wins them over. And once they have tasted the exhilaration of being accountable and bringing home the results, they are hooked. “By creating a culture of accountability,” says Bates “you get results, and people feel greater satisfaction, which, in turn, re-energizes and motivates the organization.” What Srinivasan thinks of this idea: Accountability comes only with responsibility. And assigning people responsibility requires delegation and the heart of delegation is trust. Some of us trust more, some of us trust less, we all need to work on this.

Support Your Staff CIOs work with knowledge workers, not laborers. Because what your staffers bring cannot be quantified easily, it is important to ensure they’re putting in their best. One of the best ways to do that is to listen and support their ideas. This doesn’t only extend to the sympathetic cluck when they’re having a bad day. It means listening to their ideas for real. Yet how many times have you turned down an employee idea saying “that’s not the way things are done here.” Even if you were right, who doesn’t agree that rules shouldn’t come in the way of progress, and possibly, innovation? What Srinivasan thinks of this idea: I have often found that we assign work to people and review but rarely ask them in between whether they need support. All of us — at every level — need support for anything we are doing for the first time. Even people who do repeated tasks need support, maybe more psychological than physical or financial. I’d add another to this list: Be fair and be seen to be fair. As a manager, please remember you are being watched by others. Therefore, it is not enough to be fair, it is important to be seen to be fair.

PLUS

5 Signs Your Retention Efforts Aren’t Working
You’ll know an employee is probably leaving if she…
Avoids greeting or making eye contact with you.
Stops participating in meetings.
Slackens off and performance drops.
Is increasingly absent.
Demonstrates a sudden change in behavior indicating either suppressed anger or withdrawal.
Source: The 7 Hidden Reasons Employees Leave



Cover Story | Staff Management

Interviewing Pointers: 4 Personality Types to Watch Out For
He has a gold-plated resume, is extremely hard-working according to his references, and is articulate. But if he’s one of these types, you’d best think again before hiring him.

1. The High-Beta Hire

The beta hire is someone who has a lot of potential and could totally knock things out of the park — or burn out and fail miserably. From experience I can advise CIOs that they need to spend a lot of time with high-beta hires who are management candidates no matter how busy CIOs are. Although in the past, I have been burnt by a high beta-hire, to this day, I still do take them on for manager jobs, but I spend 30 to 90 days in fairly intensive therapy sessions with any new manager in my organization. — Kelli Crane, SVP and CIO, Thomson Reuters

2. Mr Bad Attitude

When I’m interviewing, I am looking for the right attitude because I don’t know how to teach that. I learned the attitude versus technical difference the hard way. I hired the absolute best technically qualified individual for a job back in 1988. It was a complete disaster. The individual didn’t have any ability to fit in. He was a one-man band who expected all of us to align to his way of thinking. It was a very painful experience; we wasted time and money and eventually had to let the individual go. For me it was the defining moment that shaped my views on hiring. — Jeff Marshall, CIO, Kohl

3. Cultural Misfit

At a previous employer, we were thinking of moving more apps off the traditional mainframe into more of an open systems environment. I thought it would be a good chance to bring in someone with a different personality who would push the edges and stir things up a bit. What I failed to do was spend enough time up front describing different scenarios the person would face with our company. Later I learned that his solution to every problem was to fire people and start from scratch. Obviously that was not what I had in mind, nor was it going to work in our company. — Jeff Carlson, CIO, AIG American General

4. Your Clone

I think hiring managers tend to hire themselves over and over again so CIOs have to be aware of that. You also have to realize what culture you have as a company as well as what culture you have within your organization. I have two other rules I follow when I’m hiring: Hire people who do what you don’t like to do, and hire people who have passion for what they do. When I look at the good hires or the great hires, they are people that I hired who were smarter than me to start with or people who have surpassed my ability in a specific area. — Alan Etterman, Chief Administrative Officer, JDS Uniphase

Retention Strategies: Why Staffers Quit

Why CIOs Think Their Staffers Leave...
Expecting high attrition, we asked about 100 CIOs what they thought were the top five reasons staffers quit. Here’s what they said:
Salary / compensation
Monotony of work
Dissatisfaction with the management
Office politics
Dissatisfaction with company’s performance
Source: CIO Staffing Survey 2009

...And Why They Really Leave
Based on multiple studies done at different points in the last 30 years, here is what employees say they actually want from their jobs — and what’s most likely to make them resist new offers:
Appreciation
Being ‘in’ on things
Sympathy and help with personal challenges
Job security
Compensation
Source: Ken Kovach (1980); Valerie Wilson, Achievers International (1988); Bob Nelson, Blanchard Training & Development (1991); Sheryl & Don Grimme, GHR Training Solutions (1997-2001).



Cover Story Technology [ 7 Tips ]

4 Technologies With Hidden Devils

Technology is a double-edged sword: it can fix some things, but it can also create more problems. Here are four examples.

SOA After being a buzzword a few years ago, it looks like SOA is making a comeback with the increased need for agility. “SOA is very useful if agility is a big issue for an organization,” says Asheesh Raina, principal analyst at Gartner. “Sure, all enterprises today need to be agile, but there are those who need it more, like the ones which have many customer interface points.” But enterprises drawn to its logical approach must take a step back and ask themselves whether they really need it given the huge changes and the costs it will entail. “SOA helps in using and re-using certain components independently, and if this is not a requirement of an organization, then implementing SOA is going to be an over-kill,” says Raina. There are companies which invest in setting up SOA and develop internal skill sets to support it, but see decreased outputs because their organization type is not suited for a SOA implementation. For them, SOA definitely complicates things, says Raina.

ERP It’s been said before and it will be said again, ERPs are hard to put in place, are expensive and take too much time. But where it really gets its notorious reputation among CIOs is customization. Most organizations need to customize their ERPs to suit their business requirements. But every time their ERP needs an update, the IT team has to roll back the solution to its original state, update it, and customize it all over again. “There are very few things one can do to avoid this,” says Raina. “However, this is an issue most organizations can foresee. BPM (business process management) can be really helpful here, because it acts as a middleware which will allow two things: it enables interoperability between different applications, and it allows business processes to be changed frequently.”

Virtualization More organizations are turning to server virtualization to help control server utilization and server cost. But the ease and manageability that the technology brings could actually work against it. Because it becomes so much easier to deploy a new server, IT departments, under pressure from the business, are doing so in the dozens. This unleashes an IT management and license problem which gets worse with every new VM. “Virtualization is a rather addictive technology and IT organizations are spinning out virtual machines faster than they can manage them. The technology warrants a management investment from the start,” says Stephen Elliot, a research director with IDC, in an interview with Network World (a sister publication to CIO).

SaaS The economic downturn has made SaaS a popular word among even the non-tech, because it’s being sold as a delivery mechanism that brings down IT’s costs — for the short term, anyway. “SaaS could also very well fit into the bill,” says Raina, talking about technologies that could introduce challenges. “Take, for instance, the case of seasonal technologies,” he says. “An organization might need them for a few months in a year, say during the end of a financial year, but they are not required for most of the remaining period.” But they still need to pay for it. And experts who have studied SaaS’ total cost of ownership over time find its sheen fades. If SaaS is implemented just because it is the in-thing, says Raina, “it will be very complex for an enterprise to handle and they will end up making a mockery of themselves.”



Cover Story | Technology

Countering Consumer IT in 3 Steps

As IT gears up to employees bringing their own technology to the workplace, it goes through three stages. Knowing at which stage you are will help you take the next step.

Ten years ago, most people used more advanced technology when they went to work than they did at home. Today, that has been turned on its head. Many employees have newer technology at home than at work, and they expect IT support for many of their favorite devices. Today, new consumer electronics such as e-readers, Netbooks and tablet PCs are beginning to infiltrate the corporate environment. How should IT deal with that? Organizations are pursuing these three approaches.

Play ostrich. The head-in-the-sand approach tolerates but does not encourage unauthorized technology, either through having no explicit policy or by ignoring violations. By sidestepping the fray, IT relinquishes any control over which technologies can be introduced and has no ability to coordinate support for new devices or versions. Laissez-faire organizations face a big security risk, as was demonstrated when the first, security-challenged iPhone was introduced. With no limits to consumer technology enforced, IT had a hard time addressing that situation. The ostrich option can also lead employees to believe that IT does not enforce any standards, which can open the door for all sorts of other policy violations. And even if corporate policy states that IT will not support specific consumer technologies, employees often push IT for assistance on the grounds that they are using them for corporate purposes. Burying your head in the sand can seem like a good way to avoid any big effect on expenses and infrastructure. Soon enough, though, you’ll find that you’re racking up enormous support costs and significant infrastructure complexity.

Ban it. Some organizations, including the Pentagon, some financial services firms and extremely low-margin businesses, have opted for locking down their infrastructure and prohibiting employees from introducing their own technology. They have decided that they can’t afford the security risks that accompany more wide-open policies or that they just can’t afford the cost of all that additional support. Unless security and cost concerns are truly compelling, employees are not likely to understand IT’s reluctance to support commonplace consumer electronics. Policies prohibiting employee technology are viewed as unsympathetic to employee needs, and explanations citing security, interoperability and reliability concerns are often interpreted as excuses for laziness. In the worst case, IT can come to be perceived as the ‘technology police’ and a roadblock to productivity. Once that happens, IT risks losing peer support for its initiatives.

Condone it. Some IT organizations publish a list of approved technologies and agree to provide limited support for listed items. This is an excellent approach for organizations whose constituents purchase their own technology such as students, franchisees, consultants, or closely integrated suppliers. Typically, permitted applications and hardware devices adhere to open communications standards. Consumer hardware such as iPads and smartphones is more difficult. Each device must be evaluated to determine standards adherence, support requirements and infrastructure impact before defining appropriate support levels. This approach enhances IT’s reputation for being flexible and responsive and allows for the coordinated introduction of new devices or applications. But it has its costs. Employees may take advantage of IT’s flexibility and expect support for unapproved technology. In addition, IT needs a process to monitor the market and evaluate requests quickly. Finally, infrastructure costs can be enormous. IT must support a wide variety of (often redundant) devices and software. This demands an extremely secure, highly flexible and very expensive infrastructure.

None of these options is perfect. But IT cannot afford to turn away from this increasingly important issue. And, avoiding a decision implicitly creates an ostrich strategy, which is clearly the most problematic. It’s better to agree on a corporate policy, publicize it and start budgeting for the projected impact. Do nothing and you risk having your corporation appear in tomorrow’s headlines as the latest entity to have its security breached, its data compromised and its CIO replaced.

65% of respondents say user-centric apps are effective at controlling costs. Seventy-six percent say it has helped them improve process efficiency at their organizations.
Source: NPower Network


Cover Story Resource Management [ 10 Tips ]

4 Best Practices in Infrastructure Management

Swamped by the exponential growth of data and new technologies, it’s getting difficult for CIOs to manage their infrastructure. Sivarama Krishnan, executive director, PwC India, tells you how to go about it.

Adopt an Integrated Approach Today, more and more CIOs are beginning to ask: What are my resources? How effectively am I managing them? How can I reduce my response time? How can I enhance the quality of servicing? The answer lies in adopting an integrated and comprehensive approach while managing IT resources throughout their lifecycle. If you look at it from an investment perspective, business demands are growing and the only way CIOs can cope up is by enhancing the use of existing resources. That’s where infrastructure resource management (IRM) steps in to provide agility and flexibility to respond to the business and market conditions.

Join Hands with Other Firms One of the best ways to manage your infrastructure is to partner with other technology firms. Bring in their knowledge to keep your teams abreast of what is current. Most large companies have already moved to shared services and some are moving from distributed resource management to centralized resource management. CIOs should create a large shared service pool and leverage them to house skills in tune with current market needs. Shared services also help bring new resources on board and provide value to the business. Exploiting and exploring the skill sets that vendors are providing to the organizations is a good way of increasing your IT team’s know-how.

Keep It Dynamic Another way CIOs can cope up with increasing business needs is to keep their IRM dynamic. Until a few years back, the creation of a dynamic infrastructure was hindered by a lack of advancement in technology. But today with virtualization and cloud computing, you can keep yourself very dynamic, cost-lean as well as resource-lean. However, when it comes to cost, there has never been a trade-off between business and IT. But post-slowdown, this is changing. In large companies, CIOs are asking themselves: Since my budgets are getting curbed, can I have an alternate management of resources? Also, CIOs have to focus on cost of servicing and ROI. But more often than not, they tend to ignore ROI. I firmly believe that cost of servicing and chargebacks to business are the two areas they need to focus on while deploying a dynamic IRM. Also, chargeback to business brings in accountability while using the resources.


Consolidate Your Resources Consolidation paves the way for increased manageability and flexibility. Not only does it lower costs but also reduces the complexities of infrastructure management significantly. It provides you with the power to appreciate shared services and distribute them. Also, it is impossible to manage resources manually. You need to have an integrated technology tool to aggregate and monitor the usage of resources to ensure that it is effectively utilized. It is also critical to bring in specialized agencies to manage your resources rather than doing it all by yourself.



Cover Story | Resource Management

How to Extract More from Your Staff

Yes, extract. Don’t be ashamed of saying it. It’s part of your job as CIO. Here are three ways to use your staff more optimally.

Consolidate V. Balakrishnan, CIO, Polaris Software, has capitalized on his company’s global integrated networks to attempt to consolidate the huge number of people the IT services company has. “Since we have global networks, we make sure that only one or two people deliver functionality across the world. This ensures that we don’t need to keep and maintain people at every location. We use VoIP, virtualization and audio conferencing to limit the use of manpower. If you have 20-30 functions you don’t need separate teams, one team is sufficient,” he says. These strategies have helped him — and his large team — slash opex and improve quality of services.

84% of employees feel that there is nothing wrong with surfing the Net at work, says an Assocham survey.

IT-enable Work Sharing Often, there are daily tasks that are assigned in an ad hoc manner. We all have them: it could be the one system that needs patching or a new in-house application that needs a tiny tweaking and can’t wait. And these throw a spanner in your planning, making it a challenge to ensure that some resources are not overloaded while others are idle. That’s why Sankarson Banerjee, CIO, India Infoline, has deployed a multiple project management tool on Open Source. “We’ve combined technology and daily meetings (derived from agile practices). Our tool helps us allocate work and track if it was completed or not. It also helps us identify people with too much or too little workload,” he says.

Get Them to Multi-task For Sriram Naganathan, CTO, Reliance General Insurance, all job roles are rolled into one. “At the lower level, our IT staff acts as a business analyst and a developer. While, at the senior level we have given them business roles. My senior project managers are aligned with claims processing and BI. So, apart from IT they contribute to business functions as well,” he says. This strategy not only saves manpower but also exposes IT staff to business functions.

3 Reasons to Have a Budget for Experiments
Anwer Bagdadi, executive director, Paraphore BIV, a remote infrastructure management company, allots 5 percent of his budget to innovation. Why you should try it too.

1. It Leads to Innovation

I strongly believe that every CIO must consciously allocate a part of the budget for experiments otherwise you can’t innovate. And some of these experiments could yield great returns for your company. It broadens your horizon because you are not restricted to the budget that has been allocated to fulfill a business need. With money for innovation in your hands, you can experiment as well as live up to the business’ expectations at the same time. And learn in the process.

2. It De-risks Technology

If I were to go to the management and tell them that we will implement a data warehousing system or a BI solution they would get daunted by the risk involved. So, I took out about two percent of my budget to do a POC. We started to educate and convey a variety of scenarios to different departments who’d be the end users. The management could see that there was a small cost involved and a clear cut deliverable. We were able to demonstrate that we could achieve the perceived goals.

3. It Keeps Your Team Current

CIOs are constantly inundated with multiple vendors coming in with new technology changes. They are informed about the possible benefits which these technologies can deliver. Normally, these things are not part of your budget. An organization which has a fairly well entrenched budgeting process does not accept technology for the sake of technology. It would like to see business benefits. An experimental budget lets you do a pilot so that you can articulate like your vendor.


Cover Story Security [ 9 Tips + 3 Bonus ]

Growing Security Threats As the world of business evolves, so do the risks. Here are five trends that need to be on your radar because they will, if they have not already, give rise to new security issues.

The Rise of the Mobile According to a recent Ponemon Institute report, 59 percent of enterprises rated the data employees access over mobile devices as important to very important. Yet only 26 percent said they encrypted data on mobile devices most of the time and 51 percent said they never do. If IT leaders had problems with the loss of laptops, they’d better be prepared for a larger monster with smaller smart phones. “It is then very important that the device one is using is updated with the latest security apps and ensure that proper authorizing technologies are deployed so that only the right person can access information,” says Nareshchandra Singh, a principal research consultant at Gartner. Experts also advise prohibiting the storage of data on client devices and using highly-evolved encryption methods.

Expanding Social Networks When the term social engineering was coined, the world was a simpler place. Today, the risks of social engineering have increased manifold. According to a Sophos Security Threat Report, 70 percent of enterprises say their employees have been sent malware via social networking sites, a sharp rise from 36 percent last year. “All these Internet applications which have a social touch are very popular sources of security threats. And with a new generation workforce you cannot limit someone’s Internet access,” says Singh. Fraudsters are also adding new ways to reach and strike victims. Take Smishing for example. Now scammers have graduated from using social networks to mobile phones (using SMS) to elicit personal information.

Consolidation Consolidation was the number one priority of CIOs in 2009, says the National Association of State Chief Information Officers. Yet, that strategy comes with its downside: by gathering all their eggs, it becomes crucial to guard the basket. “As more IT resources are centralized, all the systems that were placed remotely are now in-house. It is thus important to have multiple layers of security,” says Singh.

Globalization As more companies imbibe the world-is-flat mantra, the risks to the supply chain increase dramatically. What used to be local threats like natural disasters, deliberate attempts of vandalism, or even malware, now set off alarms at a company’s headquarters. This requires crisis management plans to be expanded, higher monitoring of evolving situations and better IT security. And since the resources available to an enterprise are often limited, CIOs should envision an adequate supply-chain resilience strategy. “This is an absolutely valid security threat. Many people in the supply chain are not internal company employees yet have access to a company’s internal resources,” says Singh. “Hence, safeguarding the supply chain is very important.”

Empower the Employee It’s a well-known fact that insiders are the most dangerous threat to an organization. According to CIO’s Indian State of Information Security 2009, 87 percent of all security breaches can be traced back to employees, former employees and contractors. As more companies empower staffers, company secrets are more vulnerable. “Employees, obviously, have lower levels of security barriers to pass to get to company information,” says Singh, “and they can cause a lot of damage.” Red flags to watch out for: employees who suddenly start working late, or those trying to access information not directly required for their work.
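The two red flags named above, unusual late-hours activity and access to information outside a person’s role, are the kind of signal that can be checked mechanically against access logs rather than noticed by chance. The script below is an added example, not code from the article or from Gartner: the log format, the user-to-role mapping, the business-hours window and the alert threshold are all assumptions made for illustration, and the log lines are constructed.

```python
"""Surface the two insider-threat red flags from the text over access-log
lines: (1) repeated activity outside business hours and (2) access to
resources outside the user's role.  Added example; every name, format and
threshold below is an assumption, not something the article specifies."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  Assumed format: "<ISO timestamp> <user> <resource>".
SAMPLE_LOG = """\
2010-04-05T09:12:00 alice hr/payroll
2010-04-05T10:40:00 alice hr/benefits
2010-04-05T14:05:00 bob eng/build
2010-04-05T15:30:00 bob eng/repo
2010-04-06T22:47:00 bob hr/payroll
2010-04-06T23:10:00 bob finance/forecast
2010-04-06T23:15:00 bob finance/forecast
2010-04-07T11:00:00 carol finance/forecast
"""

# Assumed mapping from user to the resource prefixes their role legitimately
# needs.  In a real deployment this comes from the identity / HR system.
ROLE_SCOPES = {
    "alice": {"hr/"},
    "bob": {"eng/"},
    "carol": {"finance/"},
}

# Assumed normal working window (local time): 08:00 up to, but not including, 19:00.
BUSINESS_HOURS = (8, 19)


def parse_log(text):
    """Turn the raw log text into (timestamp, user, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, resource))
    return events


def off_hours(ts):
    """True when the event falls outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def in_scope(user, resource):
    """True when the resource is within the user's role; unknown users are out of scope."""
    return any(resource.startswith(prefix) for prefix in ROLE_SCOPES.get(user, set()))


def find_red_flags(text, off_hours_threshold=2):
    """Return {user: [reason, ...]} for users matching either red flag.

    A user is flagged for off-hours activity once the count reaches
    off_hours_threshold (assumed value), and for role violations on the
    first out-of-scope access.  The result is a lead for review, not proof
    of wrongdoing.
    """
    flags = defaultdict(list)
    off_hours_count = defaultdict(int)
    out_of_scope = defaultdict(set)

    for ts, user, resource in parse_log(text):
        if off_hours(ts):
            off_hours_count[user] += 1
        if not in_scope(user, resource):
            out_of_scope[user].add(resource)

    for user, count in off_hours_count.items():
        if count >= off_hours_threshold:
            flags[user].append(f"{count} accesses outside business hours")
    for user, resources in out_of_scope.items():
        flags[user].append("accessed resources outside role: " + ", ".join(sorted(resources)))
    return dict(flags)


if __name__ == "__main__":
    for user, reasons in find_red_flags(SAMPLE_LOG).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log only bob is flagged, for three late-night accesses and for reaching HR and finance resources outside an engineering role. In practice the business-hours window should be baselined per user or team rather than fixed globally, and the role scopes should be generated from the identity system so the check reflects actual entitlements; either flag on its own is a reason to look, not a conclusion.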



Cover Story | Security

4 R’s to Build a Business Case for Security Security is like life insurance: everyone wants it, but no one wants to pay for it. Khalid Kark, Principal Analyst, Forrester Research, tells you how to get your management to be less myopic.

Reputation The impact of security breaches on well-established brands has resulted in huge financial losses. Not only are external threats from the hacking community becoming more sophisticated and targeted, the amount of damage done by internal threats has also been steadily increasing. CIOs must underscore the importance of security for the company’s reputation. One pharmaceutical company started getting complaints of adverse patient reactions from a geography where it had minuscule sales. The security team, working in conjunction with the fraud department, uncovered that a business partner account had accessed manufacturing details and packing specs for the product a few months earlier. Moreover, this partner had been suspiciously monitoring the business and marketing plans from a centralized server. Further investigation showed that counterfeit drugs were being manufactured and sold in that geography under the same brand name. By stopping the activity, the security team protected the brand from further damage.

Regulation As regulations stack up, requirements seem to increase exponentially. CIOs are not only tasked with managing IT compliance with multiple regulations, but with doing it so efficiently that a single audit or assessment can be reused many times. CIOs should focus on the following areas when articulating the value of regulation: complying with multiple regulations by developing a common security and audit framework, and avoiding fines and penalties for non-compliance.

Revenue Although information security does not always contribute directly to the revenue of a company, it is often instrumental in protecting corporate intellectual property. But savvy CIOs go one step further and bolster their value articulation by pointing out that security both protects IP from being stolen or disclosed and wins new business when better security is marketed. In some industries, such as financial services, information security is part of the corporate marketing. Bank of America, for example, has successfully marketed itself as a bank that values its clients’ privacy and security. As a result, the bank has come up with innovative ways to increase revenue through consumer security, such as offering two-factor authentication tokens for a small fee.

81% of Indian organizations have incurred brand or financial losses in 2009 due to cyber attacks. Source: Symantec study

PLUS 3 Facts that Plague Security

Vendors don’t need to be ahead of the threat, just the buyer No other issue plagues the security industry more than this one. Vendors work with a single-minded agenda: to make money, not to provide permanent security solutions to customers.

There is more to risk than weak software A majority of security concerns hover around weak software. But bad configurations and poorly-trained staff can be equally threatening to an enterprise.

There is no perimeter It is easier to put a security net in place if an organization is able to clearly define its perimeter; today that boundary could be the endpoint, or the user.

Resilience Resilience is a top concern due to pandemic scares and natural disasters. Many companies realize only during such disasters that they had no plans and processes to deal with them effectively. Security can help by ensuring continuity of critical business processes during these times and by coordinating and responding to threats and incidents efficiently. A service provider in the Gulf region lost all its business when both its datacenters, 30 miles away from each other, were destroyed in hurricane Katrina. The company did not recover from this loss and had to file for bankruptcy. The lesson for anyone siting a secondary facility is that 30 miles is well inside the footprint of a single regional disaster; the distance between sites has to be chosen against the threats in the risk register (hurricane, flood, grid failure), not for convenient replication latency. On the other hand, a financial services company was not only able to switch over to its back-up facility without any major hitch, but was also able to account for 99 percent of its staff within three hours of a large hurricane hitting. The business continuity efforts were spearheaded by the security team and coordinated with the disaster recovery team from IT. Although the company did suffer a loss, it was able to recover completely in less than 48 hours.

Vol/5 | ISSUE/06


Cover Story Change Management [ 12 Tips + 3 Bonus ]

Get Your Troops to Fall In Line

You know the drill: Change is the only constant. Now, Janet Gasper Chowdhury, Managing Consultant (People & Change practice), PwC, tells you how to outflank change.

Tactic 1: Build Credibility Evidence suggests that people are antagonized by the way most organizations bring about change. At best, people comply reluctantly and, at worst, actively resist management initiatives. Either outcome amounts to wasted time and resources, because a management that is misaligned with human nature requires expensive controls to police its employees’ behavior. The problem is that decisions are made by management behind closed doors without input from the very staff who are expected to change their behavior. It is important to involve people to understand their concerns and apprehensions. Leadership needs to be in tune with what is happening at the grassroots and CIOs need to know the truth at those levels.

Major Change Challenges The big hurdles in managing change, according to a survey of IT executives and senior managers (share of respondents citing each):
Changing mindsets: 58%
Corporate culture: 49%
Complexity is underestimated: 35%
Lack of higher management commitment: 35%
Lack of change know-how: 20%
Lack of transparency: 18%
Source: The IBM Global Making Change Work Study

Tactic 2: Communicate with the Troops Employees resist change when it is foisted on them without their consent. Conversely, they are open to change when they understand and accept the reasons for it. At far-sighted companies, IT leaders, with the sponsorship of executive management, have a clear vision of what they want to achieve. They nurture alliances with business unit leaders, set an example by being early adopters, and communicate continually using a variety of on- and off-line vehicles. Specifically to your department: the fear of job loss is one of the many concerns that employees have. But that need not be the outcome; a CIO can re-train and re-deploy staff. It is poor communication that makes employees assume there will be job losses because their manual tasks will now be done by a system.

Tactic 3: Stick to English Success in IT requires common understanding. Members of the executive management team are able to communicate effectively about finance, for example, because they all speak the same language and agree on a common set of financial metrics. These corporate leaders do the same with most elements of operations, customer service, and marketing. IT is no different. Much of the responsibility for demystifying IT lies with the CIO. Far-sighted CIOs speak the language of business. Instead of confusing non-IT staffers with abstruse technological references, experienced CIOs successfully bridge the business-IT communication gap. The ability to translate the promise of IT into business reality is what allows effective CIOs to transform IT from a legacy-burdened infrastructure into a strategic enabler of corporate performance.

Tactic 4: Train More Today, companies acknowledge that their most important assets are their people. Few, however, actually follow through on this belief. Change projects still typically devote the bulk of their budgets to technology and processes rather than staff issues. They invest minimally in educating people about new systems and processes, which leads to the failure of IT initiatives. More often than not, change management is confused with training. It is not. Change includes understanding people readiness, identifying groups of impacted people, branding a change initiative, involving people in decisions, driving initiatives to help build awareness and change mindsets, measuring the impact of change, and more.

Tactic 5: Don’t Block Incoming Traffic Leading companies solicit feedback from employees affected by a new IT program or initiative. They survey employees and communicate directly with them. They also offer support to anyone having follow-up questions after an implementation. To maintain momentum, these companies also acknowledge progress with the new programs and initiatives, scheduling meetings during which employees can discuss positive interactions as a result of the changes that took place. CIOs have to offer employees a forum to voice their opinions about IT initiatives.

More often than not, change management is confused with training. It is not. It’s a lot more and then some. — Janet Gasper Chowdhury, Managing Consultant (People & Change practice), PwC

7 Moves to Make in Your First 100 Days You’ve changed jobs and the first hundred days are crucial to building the right reputation among your peers. This is what you need to focus on to create the right impression.

1 Get a heads-up on information like who is on the management committee, where the board meets, how the audit committee works, and what the overall investment strategy of the organization is. This will help you network better and also give you a clear understanding of their concerns and the best way of approaching them.

2 Establish contacts with people from all rungs of the organizational ladder and try to learn as much as possible about the good and bad of your new organization. These inputs, along with a study of existing processes and procedures, will help you formulate a clearer go-forward strategy for the organization.

3 Attend meetings you wouldn’t normally attend, work closely with the hands-on folks and equip yourself with internal jargon and acronyms so as not to feel left out of the discussions.

4 Go beyond the walls of the IT department and into the field: to other departmental meetings, on sales calls, to customer sites. You can boost your credibility by demonstrating your commitment to learn how the organization works, whom IT serves internally and externally, and how users feel about their experience with IT.

5 Differentiate between urgent and important decisions and define an early victory; its size and magnitude matter far less than being seen as proactive.

6 ‘Don’t fix it if it isn’t broken’ may not always be the best approach. Creating efficiencies or cost-effective solutions for things that aren’t broken can contribute as much as, or even more than, fixing broken processes.

7 Get an independent third party to identify your weaknesses, especially if you must eliminate inefficient processes or identify which legacy systems are money-losers. Bringing in outside experts to deliver the unvarnished truth enables you to establish a baseline and develop long-term planning.

PLUS Notes to Self: On Change Resistance is a natural reaction to change, and the energy inherent in it can be channeled to support, rather than cripple, technology adoption. If something is perceived as running against organizational culture, then chances are high that it will simply fall through. ‘Anytime’ is not always a good time to bring about change. And there is no ‘one time’ that works best. In short: timing is crucial.


Cover Story CIO Role [ 10 Tips + 3 Bonus ]

Five Keys to the Boardroom

According to a CIO-IIMB study only 7 percent of CIOs have been assigned board duties. We spoke to K. Ramsamy, chairman, Roots Group — who promoted his CIO to the board — to find out how you can buck that trend.

Engage with Customers CIOs and their IT teams need to create ways to establish meaningful, business-driven, and quantifiable engagements with their customers, both internal and external. Unlike other department heads, CIOs have an excellent enterprise-wide perspective with access to functional silos. K. Ramsamy, chairman, Roots Group, feels that in order to be a successful director on the board a CIO “needs to possess an exceptional ability to handle people at all levels while strictly adhering to the company’s culture in every move he makes.” So if CIOs identify business model-based opportunities for customer intimacy, their perspective will complement those of the CEO and CFO, and that will play a crucial role in opening the doors to the boardroom.

Stay Ahead of the Curve Stay ahead with the trend in your own company and your industry instead of being bogged down with internal issues. Keeping abreast with industry movements and having a clear understanding of the company’s operations is important if a CIO is to deliver business value. “He should have the ability to understand where his company is and where he — and his board — wants to take it. He must create a strategic approach to take the company to that place,” says Ramasamy.

Focus on the Big Picture While they recognize the importance of details, most board members want to focus on the big picture and don’t want to see data that isn’t presented in a simple fashion. They want dashboards and report cards, not pages of text. So a CIO’s ability to focus on the larger picture and not get caught up in the intricacies (which is easy, given how much of the CIO role is operational) is key. In his book, The Practical CIO: A Common Sense Guide for Successful IT Leadership, Jose Carlos Eiras says, “CIOs should stop focusing on the specific needs of IT and losing sight of the big picture. Moreover, emerging requirements such as ISO 38500 (international standard created to guide the corporate governance of IT) necessitate that the board is responsible for tracking how IT is being used for governance. At the board level, who can explain it better than the CIO.”

CIOs should have the ability to understand where their companies are — where their boards want to take them. — K. Ramsamy, Chairman, Roots Group

Establish Yourself as an Industry Expert Get in the sights of your board by being recognized as an established industry expert through published pieces and speaking opportunities at forums. According to Ramasamy, “A director must have the knowledge about the company’s overall operation and the vision and the caliber to lead the company to face the future challenges.” Joining industry groups and CIO forums, attending meetings, and taking an active part in their activities are great ways for CIOs to find their footing on a larger canvas. They are also a perfect place to showcase IT leadership, since these are attended not just by CIOs but by CEOs and board members of other organizations.

Join the Board — of Another Company Get a seat on the board of a small technology firm, or of a nonprofit. These organizations are more than willing to welcome the contributions of a CIO at the board level, and everyone benefits. And if your own company is not already a household name, your board activity will broaden your brand across a new network of executives and this will help increase visibility for your company. Sitting on a board can also help expand your circle of potential advisers, as you will get to connect with other professionals like academics, researchers, and even venture capitalists. This access could help you address some issues in your own company by learning from experiences in their industry.

Why I Switched to a New Job What you too should probably be looking for, because there is more to a new job than more money.

Dhiren Savla, from Kuoni India to CRISIL: “Today, I am in a challenging role where IT is a differentiator and an agent for the diversification of the business rather than being just an enabler.”

Suresh Kumar, from KPMG to Grant Thornton: “For my new position I was offered partnership at the firm. Today, I am heading the IT advisory practice, which is a revenue generating and client facing unit.”

J. Ramesh, from MIRC Electronics (Onida) to Crompton Greaves: “I am delighted to work on integrating systems and offering solutions that support a fast growth in M&As, which CG has been a part of in the recent past.”

Shirish Gariba, from Elbee Express to Cnergyis: “In my new role I can now concentrate more on meeting customers, understanding what they need from the business and running IT with a real P&L mentality other than selling internally.”

Kamal Sharma, from Satyam to Mindlance: “I got an opportunity to work at a business level where I would be strategizing for the IT infrastructure practice from a service as well as a product point of view and deciding on the company’s technology focus.”

PLUS Say again? Interview bloopers you want to avoid. Focusing only on your tech achievements when asked to describe yourself. Instead: take major aspects of your job, like leadership, strategy, execution, and risk aversion, and build a brief story from your experiences around each issue. Preaching instead of sharing your experience when asked to recount the challenges you’ve tackled. Instead: stick with the first person and provide detail to support your response. Pulling out PowerPoint presentations of the great IT strategies you’ve implemented. Instead: be ready with presentations but don’t thrust them down your interviewers’ throats.


Cover Story Personal Skills [ 9 Tips + 3 Bonus ]

9 Personal Skills You Should Hone IT expertise can do only so much. You need to polish your personality to move up the ladder. Start with these.

Communicate Clearly Experience shows that nothing beats open and clear communication. Take Mother Dairy’s example. When the company was migrating to SAP, there was reluctance from some business users to migrate completely. They wanted to continue with some customized legacy modules, recalls Annie Mathew, CIO, Mother Dairy. “We put a lot of effort into convincing everybody about the risks that would crop up if we took the easy way out. For instance, achieving just-in-time transactions for fruits and vegetables would be challenging considering their high perishability and the limited window available for transaction entry. We worked with the business to simplify and streamline transactions so that the entries were reflected in the system in real time. But it needed multiple sessions with users to discuss their pain points and arrive at workable solutions. It is very important to keep the communication channels open.”

Listen Better Listening is probably one of the most under-rated skills among CXOs. Worse, it’s sometimes not even recognized as one, especially among family-run businesses. But Sebastian Joseph, executive VP and head-technology, Mudra Group, takes listening seriously. He uses what’s called the ‘LADDER’ approach: Look at the person speaking to you, Ask questions, Do not interrupt, Do not change the subject, Empathize, Respond. Listening has helped Joseph save money for the advertising group. The company’s printing team observed that if they could decrease the amount of paper used in telephone directory printing, they would be able to save money. The IT team tweaked the pagination system and increased the number of entries per column, which introduced huge savings in paper cost. “When we all looked at the numbers we saw an opportunity,” says Joseph. But that conversation only took place because the IT team listened to what seemed like just another idea.

PLUS Networking No-no’s Three event networking bloopers to avoid. Don’t MONOPOLIZE. Spend time with everyone. And instead of saying, “Excuse me, I need to talk to other people,” use, “I’m enjoying talking with you, but I am sure there are many other people who want to speak with you.” Don’t SELL. Always start with a casual subject. No promotional literature. Remember, networking isn’t advertising. Don’t FORGET. Always follow up. Studies show that you need to reconnect with the potential employer or buyer within three days.

Know When to Say No Right-sizing expectations is moving up the list of must-have skills for CIOs. Sure, technology is breaking new ground every day, but there is a limit to what it can do and how quickly it can be done. And that’s something CIOs need to be able to tell their CXO peers. Learning to say no to the business’s unending expectations can be difficult, but as business leaders CIOs need to learn to put their foot down. “Saying no is always hard to do but a great way to get most of your high priority things done,” says CIO columnist and former CIO of Xerox Patricia Wallington. Marketing IT internally is good; over-selling it, not so much. It’s the CIO’s responsibility to ensure that the business has realistic expectations of IT.

Build Contacts CIOs rely heavily on their peers for skills enhancement as well as professional growth, and networking is a great way for a CIO to find career opportunities. But how can CIOs expand their circle of peers? Events are one way. Another is keeping in touch with former bosses and colleagues; reaching out to new ones can be facilitated by social networking sites like ryze.com, Spoke.com, or ecademy.com, which encourage real-time interaction and help build real contacts.

Evaluate Risk A greater number of IT leaders are moving closer to the CEO’s cabin. But according to CIO Research, only 23 percent of Indian CIOs currently handle P&L responsibilities. This is a clear indication that CIOs need to hone their risk-taking abilities, and their risk-evaluating skills, if they want to be trusted by the management. Taking risks and innovating should be an integral part of any CXO’s personality. But the first step is to be able to evaluate risk, and not just from the gut. The truth is that few are born with the ability to evaluate risk, and IT leaders need to learn the skill.

Hone Financial Acumen With IT no longer a mysterious back-office, CIOs need to not only pay for themselves, but also rake in profits. When talking money, IT leaders need to be fluent in financial jargon. More often than not, business and business people are measured by what they achieve financially — and growth is measured on a YoY or QoQ basis and profitability is gauged by EBIT margins or PAT. “Obviously that’s a lot of jargon, so if a CIO doesn’t understand how those measures are calculated, what factors move these measures in the right direction, and what he can do to improve these metrics, he will be at sea,” says Prateek Agarwal, CFO, Hexaware Technologies.

Organizing your day well in advance helps. It’s good to have a plan but it’s great to have a plan B.

— Ishita Sen, VP & Center-head, Reliance Tech Services

Control Your Emotions Professor of Organizational Behavior and an expert in emotional intelligence, Richard Boyatzis once said: “At its most basic, emotional intelligence is, literally, the intelligent use of emotions.” If only it were as simple as that. But that’s exactly what Ratnakar Nemani, CIO, VST, did, and he won the respect of his team members. When Nemani turned his in-house SAP team into a revenue-generating center, he was confronted with a slew of new challenges he had not had to face as CIO. Among those were irate customers. D. Naren Babu, an SAP consultant who reports to Nemani, remembers one high-pressure, client-facing situation (which is all he is willing to divulge) in which Nemani’s ability to show restraint came shining through. “He patiently handled all the accusations thrown at him. I was amazed at how cool and calm he was and how he came out a winner,” he says.

Manage Your Time When they said you can’t negotiate with death and mothers, they forgot to add the number of hours in a day. But smart time management can increase your efficiency significantly. Start by making to-do lists, prioritizing work, focusing on one thing at a time, and setting deadlines for yourself. Or you could take a leaf out of Ishita Sen’s book. “I believe that you can manage to do a lot of work in a limited time if you organize your day well, sometimes even weeks and months in advance,” says the VP and center-head of Reliance Tech Services. Another piece of advice that works for her? “There should not only be provision for a Plan A, but also a Plan B, so I don’t get flustered at the last minute.”

Mentor Now, as it has always been, nurturing and mentoring the best IT talent needs to be near the top of CIO skills. Ensuring a constant dialogue with your team makes sure that high-performing people know they are valued. Identifying the best talent should be a constant endeavor, and singling them out to train them for a leadership role is a good retention strategy. But mentoring the best talent has to be a gradual process, a structured activity. The mentoring should start by introducing the person to management roles, inviting them to strategy meetings and allowing them to take independent decisions.

Aim High, But Not Too High (graphic) Aim to be: adjustable; a decisive leader; a visionary; impressively presentable; politically savvy without being political. But not: compromising too much; a dictator; a day dreamer; a dandy.


View from the Top: IT in Every Home

By Varsha Chidambaram

Born out of HCL, among the pioneers of the computer revolution in India, HCL Infosystems began its journey producing micro-computing calculators back in 1976. Since then, from introducing India’s first home PC to developing what’s arguably considered the country’s most impressive mobile distribution strategy in 1996, the company has achieved many a milestone. But it has been a bumpy ride, including when it was forced to change business models to survive in a pre-liberalized environment. Ajai Chowdhry, founder, HCL and chairman and CEO, HCL Infosystems, shares lessons he and the company have learnt from the Stone Age of India’s computing history, and insights on tackling the challenges of low PC penetration in India. And, more currently, how the company, with its deep presence in India, is taking on competition from cheaper PC alternatives.

How competitive is the domestic PC and laptop market? And how are you dealing with it? Ajai Chowdhry View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

78

a p r i l 1 5 , 2 0 1 0 | REAL CIO WORLD

View from the Top.indd 50

Although the PC and laptop market has always been a competitive market, in the last five years, there haven’t been any real new entrants, except for one or two Chinese or Taiwanese companies who don’t really have a brand. On the other hand, because there has been a significant

slowdown elsewhere in the last two years, India has caught everyone’s attention. And that means that there is plenty more competition in India. We started the IT revolution in India therefore our brand association is very high. Furthermore, we have focused business teams that address each part of the market be it government, the public sector, the private sector, the small and medium industry or the consumer. We have great positioning in the government and PSU market — we

Ph oto by Srivatsa Sh an dilya

Ajai Chowdhry, Founder, HCL and Chairman and CEO, HCL Infosystems, on increasing computer literacy in India and dealing with the competition in the Indian PC market.

Vol/5 | ISSUE/06

4/13/2010 3:46:42 PM


Ajai Chowdhry expects IT to: Translate the CEO’s vision Create profit Innovate

View from the Top.indd 51

4/13/2010 3:46:44 PM


View from the Top

are located in every taluka of the country. It is that extensive service and sales capability — in every district — that really gives us our competitive advantage.

How do you compete with cheaper, assembled PCs? The grey market has always existed. Our strategy is to educate consumers on how to buy and what to buy. A lot of the products available in the grey market are assembled in somebody’s garage, taking some new parts and mixing them with some old parts. That’s how their products end up being cheaper.

Why is India still the most under-penetrated PC market among markets its size? Worldwide, the government has always the largest customer for technology. The government has to be more aggressive in their strategy to increase PC penetration if nothing else but because there is a direct connection between PC penetration and GDP growth. If the country wants to record a 10 percent GDP growth, then PC penetration has to go up. My dream is to provide access for all. If you make broadband readily available, PC sales will go up. Broadband access should be made available to every city, town, and village in the country. Indian telecoms have paid a lot of attention to voice but they haven’t paid enough attention to data. In the consumer market, financing for PCs is not available and that’s also a big impediment.

export market. Till then we were limited to the domestic market.

What's your view on risk?

"A CIO’s position is closest-aligned to the CEO of a company. The CEO’s vision is translated by the CIO. " — Ajai Chowdhry is a lack of deep partnerships with the front-end users in most cases. Customers of e-governance projects need to be more involved.

What's the secret behind cracking government deals? We have been doing business with various state governments for over 30 years. We have taken a proactive role and constantly update the government on the latest technologies. That's why we are regarded as trusted advisors. Another reason the government has so much confidence in us is because we are located in every district. Our reach for providing services as well as hardware support is the highest in the country.

You work a lot of the government. Why are so few e-gov projects successful?

What’s the biggest challenge you’ve faced?

First, the e-governance projects that we’ve been a part of have been remarkable successes. The issue with e-governance is that although the plans are fantastic in nature, they are never executed in a time-bound fashion. There should be an expiry date to funds allotted to every e-governance project. Another problem

The biggest challenge for us came in 1991, prior to the economic liberalization when the country had very little foreign exchange. To make computers we had to import components but we didn’t have LCs (letter of credit) which we could open. That’s when we decided that we have to make a foray into the

80

a p r i l 1 5 , 2 0 1 0 | REAL CIO WORLD

View from the Top.indd 52

There is no future without risk. And not just the risk taken by top management but even others within the organization. Our best innovations happened when people took risks. Back in 1991, a young employee came up with the idea of creating a market for consumer PCs, following which we launched Beanstalk which has been one of our most profitable product lines. We encourage our employees to take risks — the more mistakes you make today the better you become tomorrow.

Can you define the CIO’s role within an organization? A CIO’s position is closest-aligned to the CEO of a company. The CEO’s vision is translated by the CIO. A CIO’s job is not to benchmark or copy; it is to innovate. CIOs need to take up an entrepreneurial role and create profit through technology. CIOs should no longer involve themselves with the IT part of the business although they should be responsible for making an organization IT savvy. CIOs should involve themselves in new areas where they can make a difference. And that will come only if the CIO works with the business and marketing.

What’s in HCL's future? HCL has always thrived on innovation. From the beginning we were a product company. We have been constantly developing a range of software products that are integrated within our hardware. Similarly, when we entered the systems integration space, we decided that we would not only provide services but also develop specialized products. Our strategy has always been to give the customer a complete experience — be it in hardware, software or services. And we hope to continue doing so.

Varsha Chidambaram is a correspondent. Send feedback on this interview to varsha_chidambaram@idgindia.com

Vol/5 | ISSUE/06



The End of Your World

By Dan Tynan

Power grid hacks, massive DNS rerouting, solar flares — end-times for IT may be more likely than you think.

Reader ROI:
What happens if IT goes down
How to avoid tech disasters
The risks of depending on IT

Technology drives just about everything we do, and not just at our jobs. From banks to hospitals to the systems that keep the juice flowing to our homes, we are almost entirely dependent on tech. More and more of these systems are interconnected, and many of them are vulnerable. We see it almost every day. But what if instead of simply a denial-of-service attack against select Websites, the entire Internet suddenly stopped working — or for that matter, Google could not be reached? What if instead of a mere data breach, our financial institutions were attacked by a weapon that could instantly neutralize all electronic transactions? Or if hackers wormed their way into the systems that control the power grid? Heck, what if God decided she’d had enough of us and decided to send a solar storm our way?


Business Continuity

If you think these things can’t happen, think again. Some already have occurred on a smaller scale. But we thought it might be fun to turn up the volume and see what might happen — how likely a ‘tech doomsday’ scenario might be, how long it would take us to recover, and how we might prevent it from coming to be. What could possibly go wrong? Try these scenarios for starters.

Tech doomsday scenario No. 1: Google is gone

News flash: Visitors to Google.com were stunned when it returned a “404 Not Found” error for tens of millions of Web searchers. All Google services — Gmail, Google Docs, AdSense — were inaccessible for periods ranging from hours to days, depending on users’ locations.

Google has so insinuated itself into our lives it seems almost unthinkable that we might have to live without it. Experts consulted for this story agreed that to take down a company as mighty and well fortified would require someone on the inside — not necessarily a malicious Google employee, just a stupid one (if such beings exist) with the right admin privileges. It’s not entirely infeasible. Last December, attackers tricked Google employees into visiting a malicious website, which then exploited a vulnerability in Internet Explorer to install an encrypted backdoor into the Google network. From there they accessed the Gmail accounts of Chinese dissidents. In our doomsday scenario, a Google employee merely installs a rogue application on the network that allows external attackers — say, an unfriendly nation state with a grudge — to slip behind the company’s firewall. “The main vector for getting inside most organizations today is rogue applications residing on the network,” says Nir Zuk, founder and CTO of Palo Alto Networks, a network security company. For example: an IT manager installs GoToMyPC on a machine in the datacenter so that he can fix problems in the middle of the night from his home. But it has a weak password and gets hacked. Or he installs a P2P app to download songs, unwittingly allowing outsiders to download confidential files from the company LAN — including password sets and network configuration maps. Or he sets up WebEx to do a presentation, then foolishly tells the program to share his desktop across the Web. Once inside, attackers could root around the network until they locate the command and control centers for Google’s many datacenters. And then they can turn out the lights, leave behind a logic bomb that corrupts Google’s databases, or simply have their way. “I’m not familiar with the structure of Google’s network, but they must have a command and control app that lets them shut down their datacenters,” says Zuk. “Everyone does.”

What could happen: Yahoo and Bing become swamped with search traffic, and might collapse under the weight. Organizations that rely on Gmail and Google Docs for their day-to-day operations will find themselves unable to get much done (though, given how many outages Gmail had over the last year, they might be used to it). YouTube fans may discover there are approximately 7,834 other free video sites out there. Web entrepreneurs who rely on Google ads will find themselves bereft of income for an unknown period of time. Other consequences, according to Google Blogoscoped author Philipp Lenssen: “People may not be able to post an update about their life, leading others to believe they’ve disappeared (because Blogspot is down); conspiracy theorists will be able to sell more books on ‘why Google went down (and what the NSA had to do with it)’; and people who want to search for ‘why Google is down’ realize that, well, Google is down so they can’t search for that.”

How long would it take to recover: From hours to days, depending on what measures Google already has in place. A Google spokesperson contacted for this story says, “We are always planning for different threat scenarios, but we aren’t going to discuss specific defense measures.”

Likelihood: Zuk says it’s more likely than most big companies are willing to admit. “In a big company like Google or Yahoo, which have tens of thousands of employees, there will always be unaware employees who do something stupid like sharing their desktop via WebEx,” he says. “It only takes one to do it, and from there the route to the datacenter is a quick one.”

How to avoid this fate: To avoid getting nailed by rogue apps, companies need greater visibility into their networks to expose any apps that are running and what ports they are using, and to map all of their other dependencies as well, says Steve Cotton, CEO of FireScope, a developer of IT service management solutions. To avoid being compromised by insiders, companies should get real-time notifications of the activities of privileged users, block specific unauthorized activities, and split the responsibility for monitoring among multiple users, says Slavik Markovich, CTO at database security firm Sentrigo. “This last point is critical, as the very privileges needed to properly manage the systems and databases make it very easy for malicious users to defeat whatever controls may be in place, or to cover their tracks,” he says. “There is a dramatic difference in the likelihood of a breach when it can be accomplished by a single rogue insider, as compared to one that requires co-conspirators across multiple functions.”

Tech doomsday scenario No. 2: The Net goes down

News flash: The Internet melted down today as millions of Web surfers found themselves redirected to the wrong sites, thanks to problems with the domain name server system.

Can the Internet be taken offline? Many experts scoff at the idea, citing too many diverse communications channels, too many redundancies, and an architecture designed to route around failures. “I think it would be very difficult to take down the whole Internet, unless you had a worldwide EMP event that takes everything else down as well,” says Dr. Ken Calvert, chair of the University of Kentucky’s Department of Computer Science. “At all levels you have diversity of technology carrying the bits, whether it’s satellite, fiber, or wireless. There’s a lot of redundancy there.” Yet even if the Net can’t be entirely shut off, short of an act of God, attackers can create havoc by attacking it at one of its weakest points: the domain name system. By hijacking traffic meant for different domains, attackers can drive unsuspecting surfers to malicious sites, effectively take down any site by flooding it with traffic, or simply send everyone looking for Google.com or Yahoo.com into the ether — making the Net largely useless for a great many people.

“Everybody trusts the DNS, but it’s not really trustworthy,” says Rod Rasmussen, president and CTO for anti-phishing services firm Internet Identity. “The system itself isn’t well protected. And all you need are a name and a password to take out a DNS server or a particular domain.” Attackers don’t even need to attack DNS servers or poison their caches; they can achieve the same effects by taking over large domain registrars. A successful infiltration of Network Solutions, for example, could put attackers in charge of more than half the domains for all US financial institutions, says Rasmussen. From there, attackers could redirect surfers to bogus sites and later use their credentials to log in and drain their accounts. Or they could simply target large domains with huge amounts of traffic, or create havoc by messing with the Net’s time servers.

What could happen: The Internet appears to be down, even though it’s not. Millions of Web surfers can’t reach the sites they need, or worse, they’re misdirected to malicious sites that steal their credentials or their identities. Attackers reset the servers that keep time on the Net, bringing billions of financial transactions that rely on accurate timestamps to a screeching halt and bringing businesses to a standstill.

How long would it take to recover: It could take anywhere from a couple of days to months, in most cases, says Rasmussen. “Because this is the DNS, it’s not hard to undo anything,” he says. “The problem is how long the bad guys tell the DNS system to maintain the records; 48 hours is pretty typical.”

The other option: After you discover your domain’s been hijacked, get on the speed dial with major ISPs and tell them to update their records. Even then, you’ll still miss smaller ISPs or large enterprises that maintain their own DNS tables. “It usually takes a pretty big disaster to get people to respond,” says Rasmussen. “That’s the problem with a distributed system; when it goes bad it stays bad for a while.”

Likelihood: More likely than you think. This has already happened several times on a smaller scale. In December 2008, Ukrainian-based attackers used a phishing attack to gain log-on credentials for Checkfree, an online bill payment system used by more than 70 percent of US banks. In April 2009, an SQL injection exploit at registrar Domainz.net allowed Turkish attackers to take over the New Zealand sites for Microsoft, Sony, Coca-Cola, HSBC, and Xerox, among others. The same hackers also took over all of Puerto Rico’s domains. This past January the domain for Baidu, the largest Chinese search site, was taken over by a group calling itself the Iranian Cyber Army. In that case, Baidu filed suit against its US registrar, Register.com, claiming it was slow to respond to the site’s plea for help.

How to avoid this fate: “Eternal vigilance?” asks Rasmussen. “You want to monitor the hell out of what you and other people are doing with your domains and theirs, so you can turn off the system and anything that connects to it if you or someone you trust has a problem.” Some registrars are hardening their defenses against hijacking and making it tougher to change DNS records, but mostly it’s up to domain owners themselves to police their own records and, more importantly, respond quickly when they’ve been compromised.
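Rasmussen’s advice (watch your own domain records and react quickly) and his point about the 48-hour TTL can be turned into a routine check. The following is an added example, not code from the article or from Internet Identity: it compares what resolvers currently return for a zone against a baseline the registrant vouches for, and flags delegation changes, unexpected addresses and inflated TTLs. The baseline, the domain names, the addresses and the resolver snapshots are all constructed; a real deployment would fill the snapshots from periodic queries against public and authoritative resolvers.

```python
"""Baseline-drift check for a domain's DNS delegation and address records.

Added example, not code from the CIO article or from Internet Identity.
The baseline, names, addresses and snapshots below are constructed; in
practice the snapshots come from scheduled queries of several resolvers.
"""
from dataclasses import dataclass, field

# What the registrant vouches for.  Constructed sample values.
BASELINE = {
    "ns": {"ns1.example-bank.test.", "ns2.example-bank.test."},
    "a": {"www.example-bank.test.": {"192.0.2.10", "192.0.2.11"}},
    # This zone never publishes TTLs above one hour, so a longer TTL seen
    # in the wild means somebody else wrote the record.
    "max_ttl": 3600,
}


@dataclass
class Snapshot:
    """One resolver's view of the zone at one point in time."""
    resolver: str
    ns: set
    a: dict                                   # name -> set of IPv4 strings
    ttl: dict = field(default_factory=dict)   # name -> TTL seen, in seconds


def check_snapshot(snap: Snapshot, baseline: dict = BASELINE) -> list:
    """Return alert strings; an empty list means the view matches baseline."""
    alerts = []
    # 1. Delegation drift: a compromised registrar account shows up here first.
    if snap.ns != baseline["ns"]:
        added = sorted(snap.ns - baseline["ns"])
        removed = sorted(baseline["ns"] - snap.ns)
        alerts.append(f"{snap.resolver}: NS set changed, added={added} removed={removed}")
    # 2. Address drift: visitors would be sent to hosts we do not run.
    for name, expected in baseline["a"].items():
        seen = snap.a.get(name, set())
        if not seen:
            alerts.append(f"{snap.resolver}: {name} returned no address")
            continue
        unexpected = sorted(seen - expected)
        if unexpected:
            alerts.append(f"{snap.resolver}: {name} resolves to unexpected {unexpected}")
    # 3. TTL inflation: a long TTL keeps a bad record alive after the fix.
    for name, ttl in snap.ttl.items():
        if ttl > baseline["max_ttl"]:
            alerts.append(f"{snap.resolver}: {name} TTL {ttl}s exceeds baseline {baseline['max_ttl']}s")
    return alerts


def triage(snapshots: list, baseline: dict = BASELINE) -> tuple:
    """Classify how widely a change is visible.  'partial' (some vantage
    points only) suggests a poisoned cache or a lagging ISP; 'global' (all
    of them) suggests the registrar or the authoritative servers."""
    report = {s.resolver: check_snapshot(s, baseline) for s in snapshots}
    affected = [r for r, alerts in report.items() if alerts]
    if not affected:
        scope = "none"
    elif len(affected) == len(snapshots):
        scope = "global"
    else:
        scope = "partial"
    return scope, report


# Constructed snapshots: one matching view, one showing a hijacked zone.
CLEAN = Snapshot(
    resolver="public-resolver-1",
    ns={"ns1.example-bank.test.", "ns2.example-bank.test."},
    a={"www.example-bank.test.": {"192.0.2.10"}},
    ttl={"www.example-bank.test.": 300},
)
HIJACKED = Snapshot(
    resolver="public-resolver-2",
    ns={"ns1.unknown-provider.test."},
    a={"www.example-bank.test.": {"198.51.100.7"}},
    ttl={"www.example-bank.test.": 172800},   # 48 hours, the figure Rasmussen cites
)

if __name__ == "__main__":
    scope, report = triage([CLEAN, HIJACKED])
    print("scope:", scope)
    for resolver, alerts in report.items():
        for line in alerts or ["ok"]:
            print(" ", resolver, "->", line)
```

The scope classification matters for the response: a change every resolver sees calls for the registrar and the authoritative operator, while a change only one resolver sees is a case for that resolver’s operator, and the TTL alert tells you how long the bad record will linger even after either of them fixes it.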

Tech doomsday scenario No. 3: God strikes back

News flash: This report is being brought to you via word of mouth, because nothing else is working. An enormous solar flare has struck earth, causing a worldwide failure of the electrical power grid and communications systems.

Think of it as the mother of all power surges. The sun spits out an enormous cloud of superheated plasma several times larger than the earth, which slams into our atmosphere. Supercharged particles travel through the earth’s crust, frying all the power transformers they touch — instant worldwide blackout. Sound like a cheesy Hollywood plot? This precise thing happened on a smaller scale in Quebec in 1989, when a solar storm caused 6 million people to lose power. “The chances of the Internet totally crashing are slim to none, but if anything could cause the Net to go down it would be a solar flare,” says security consultant Robert Siciliano. “A plasma ball hitting the earth’s magnetic fields that it can’t deal with. The step-up and step-down transformers that manage our power grid would fry. It would literally be the perfect storm of cataclysmic power surges that knock out the power grid and the Internet at the same time.”

What could happen: Everything that would happen in the previous four scenarios, and then some. Forget clean water. Forget health care. Wipe out the last 20 years of recorded history, because most of it was stored digitally. “We’d feel it first in the economy and our financial institutions, where everything is digital. Markets will collapse,” says Siciliano. “Where’s everything backed up — in a filing cabinet? The economy would collapse, the banks would lock their doors and keep whatever money they had in the vault, because the rest has evaporated into thin air. Once the money’s gone, we would have to reset the clock. We would have to reset ourselves.”

How long would it take to recover: Unknown. According to a January 2009 report by the National Academy of Sciences, the effects of a severe geomagnetic storm would be felt for years, most acutely in societies that are the most dependent on technology. The US could take from four to 10 years to bounce back, according to the NAS — if it bounces back at all. “It will take a tremendous amount of manpower to clean up the mess,” adds Siciliano. “Something that catastrophic, the gas pumps won’t be operating, so a guy who’s supposed to take a part to repair a facility can’t get there because he has no gas. It could literally throw us back to 1840.”

How likely is this to occur: Lord only knows. But consider this, says Irv Schlanger, an assistant professor in Drexel University’s Computing and Security Technology program. “We are all familiar with the 11-year solar flare cycle,” says Schlanger. “What most people are not aware of is the 110-year solar flare cycle. The 110-year cycle is massive when compared to the 11-year cycle. The effects of the 110-year cycle would be very similar to that of a nuclear EMP. We are currently due for the 110-year solar flare.”

How to avoid this fate: Silent prayer to the deity of your choice. “Man-made terrorist activity is bad, but as we’ve seen lately, Mother Nature is a b****,” says Siciliano. “She doesn’t give a damn about you or me.”

Send feedback on this feature to editor@cio.in



Everything you wanted to know and more

Scrutinizing DLP: Data loss prevention has gone from a niche technology to something everyone’s offering. In the process its definition has got a little murky. We clear that up.


What’s Inside

Deep Dive Features
Your Guide to Unscrambling DLP, page 92
What Goes Into the Mix, page 98
Half Price Sale, page 100

Column
Opening Pandora’s Box, page 96

Test Center
DLP vs DLP, page 104



Deep Dive | Data Loss Prevention

Your Guide to Unscrambling DLP

By Bill Brenner

For those who believe they’ll never get a handle on data loss prevention (DLP), here are some survival stories from security practitioners who found the light.

DLP is all the rage in this era of data security breaches and clever malware attacks. Naturally, every security vendor wants a piece of the action. But in the vendor stampede for market share, something disturbing is happening: Companies are buying technology that, once installed, doesn’t offer all the ingredients of true DLP, says Rich Mogull, former Gartner analyst and founder of security consultancy Securosis. “The term DLP has essentially become meaningless because of a variety of vendors who wanted to say they were offering it,” says Mogull, a respected voice in the industry.

The true definition of DLP has always been somewhat muddy. Mogull describes the acronym as a buzzword created for marketing purposes. But it used to be easier to tell when a company was truly offering it. Mogull’s definition of DLP goes something like this: “products that as a minimum identify, monitor and protect data in motion, at rest and in use through deep content analysis.” The tool identifies the content, monitors its usage and builds defenses around it. There are a ton of vendors who perform some of these functions. But unless they tackle everything in the above definition, Mogull says it’s not truly DLP. “Encryption and endpoint control vendors call what they do DLP,” he says. “A firewall does some of what the concept entails. All of these tools are helpful in different areas of security, but they are not DLP.”

Of course, when a vendor doesn’t offer a technology that tackles a specific problem, a solution is to buy up a vendor who has what they need and bake it into the product line. Symantec muscled its way into the DLP space by acquiring Vontu, a company Mogull sees as an early leader of true DLP technology. Meanwhile, RSA snatched up Tablus and McAfee bought Reconnex. Then there was the Websense acquisition of PortAuthority Technologies and CA’s buy of Orchestria.

Then there are the vendors who offer important pieces of the DLP puzzle but don’t do everything necessary to call themselves DLP providers. “Many are helpful in their own way, including the portable device control vendors, the USB blockers, and so on,” he says. “But they don’t analyze content so they are not technically DLP.” There are still a few independent DLP vendors out there, Mogull says, including Vericept and Code Green Networks.

Of course, like any technology, the perception of what is truly DLP depends on who you ask. Imran Minhas, information security officer at the National Bank of Kuwait, says DLP means prevention of confidential, restricted or internal-use data being leaked. User access to public/personal e-mail such as Hotmail and Yahoo is a major concern in this area. “I haven’t seen every single product out there but so far Symantec seems to be the best for DLP, mainly because of the ease of use,” says Minhas.

Wayne Proctor, CISO at First Data USA, says a major trend he has observed is for the vendors to extend from monitoring content only in outgoing traffic to monitoring other sources of data (primarily data at rest and data on endpoints). “I don’t view this as twisting the meaning of DLP but just leveraging their content evaluation engines to offer additional services,” he says. Proctor adds that some DLP vendors offer services that are not leakage related, such as identifying potential disgruntled employees and persons who are downloading software that is not approved for usage on a company network. “These types of additional services are certainly beyond the core focus of DLP but these are also value-added services that are fine to offer as long as the performance of the core DLP offerings are not negatively impacted,” he says.

DLP’s Implementation Challenges

Challenges in defining confidential content ...................... 64
Time-consuming implementation process ............................ 40
System capabilities lower than expected .......................... 32
Higher solution cost than expected ............................... 30
Higher internal costs for solution management than expected ...... 25
High inaccuracy rate ............................................. 19
Other ............................................................. 4
None .............................................................. 2

Source: GTB Technologies

Going Down the DLP Road

It’s no easy task implementing a DLP program when there’s so much disagreement in the security community over what DLP entails. But those who’ve been through it have good news: It can be done. Several IT security practitioners say they achieved a reasonable DLP program once they stopped listening to vendors trying to sell so-called ‘DLP out of the box’ products and focused instead on mixing myriad security technologies with training programs to help users defend themselves. Though the people policies are pretty consistent across business sectors, there’s no one-size-fits-all approach to the technology side of things. There are common tools, mind you, but they are not assembled the same way in every enterprise.

Finding What’s Right

Chuck McGann, manager of corporate IS services for the US Postal Service, has heard many a vendor pitch and found that even though they were pitching DLP, nothing they offered fit his individual needs. “I’ve had too many conversations with vendors telling me how their products work, and they just don’t meet my enterprise needs in terms of how they function in the pattern-matching and false-positive-reduction areas,” he says. For his part, McGann determined the technological part of his DLP program needed to address the following areas:
- Keyword pattern matching
- Auto quarantine for files that violate policy
- The ability to specify and use certain combinations of data for matching
- Exact data matching
- Detection of specific data at rest and in transit
- Robust reporting capability

No Dependence on Users

While he agrees user awareness training is important, Career Education CISO Michael Gabriel decided his enterprise can only do so much to save users from themselves. Therefore, he went in search of technology that would address his particular needs. “Explaining everyone’s role to them is much less of an issue if you can let technology minimize their role,” Gabriel says. “Any time you rely on the end user to do something, you’re likely to fail.” His journey into DLP started with the search for e-mail encryption as a way to accomplish what he described above. He notes that he was the first Vontu customer in Chicago, implementing the vendor’s Prevent product in 2005 as an integration with an IronPort MTA and the PGP Universal encryption gateway to provide his company with automated e-mail encryption. By finding something that detects confidential information using exact data matching — automatically encrypting it if being sent to an authorized recipient — he was able to meet a major piece of his DLP goals. “Since then, we have also implemented the Vontu Monitor, Discovery, and Endpoint solutions, and I’m currently working with their product managers on what I consider to be the next big application of DLP technology: using it not only to detect and remediate stray confidential data, but to provide information that will identify which broken business process resulted in that data being there in the first place,” Gabriel says. “This would move DLP from being a reactive technology to a proactive technology.”

Vendors Getting the Hint?

Though a frustration with security vendors wrongly pitching products as DLP is common among CIOs, there are signs the vendor community is starting to change. More are beginning to offer products as the solution to part of an enterprise’s DLP needs rather than trying to sell their wares as DLP in a box, says Nick Selby, former research director for enterprise security at The 451 Group and CEO/co-founder of Cambridge Infosec Associates. “There is a growing realization among vendors that they can go farther by addressing what exactly they can help with,” Selby says. “It is less about ‘we-can-do-everything’ marketing and more about how ‘we can help you with specific pieces of DLP.’” Ted Heiman, the western regional sales manager for ForeScout Technologies, acknowledges that vendors have done a less-than-admirable job at helping companies address DLP. But, he adds, the difficulty understanding the true definition of DLP goes beyond the vendor community. “There is no true, single point DLP product on the market. I believe this is where the big misconception is. DLP is a solution not a product,” he says. His opinion is that the best solution to combating data loss is educating employees. “How many enterprises do you know that have really educated their employees about data security and the steps each employee can take to prevent critical data from getting into the wrong hands?” he asks. “Let’s face it. The biggest threat to enterprise customers and their critical data is their network administrators. These guys have more power and access than most users and they also know how to exploit it. If you want to address DLP I think you need to start there.”

Don’t Let Vendors Set Your Strategy

Businesses should plan a thorough data loss prevention strategy before talking to suppliers, Gartner advises. That’s because vendors are likely to sway discussions to specific aspects of DLP, when a full strategy is required for the technology to be effective, the analyst house says. “You’ve got to define your strategy first, then talk to the suppliers,” says Paul Proctor, VP at Gartner. “At the moment businesses aren’t labeling data properly, they don’t know where it is, they aren’t handling it properly, and their policies are poorly defined and enforced.” Organizations needed to first define their data types, followed by building a list of possible actions for that data, then defining policy, and finally negotiating with suppliers. For defining data types, Proctor says, firms should categorize information according to its nature and where it resides. For example, intellectual property could be split into drawings (then divided as CAD, PDF, and GIF), documents (split as structured, unstructured, labeled and unlabeled), and personal data (split by types such as credit cards or ID numbers, or by its application such as order processing or online sales). For building a list of possible actions that could happen to the data, businesses should “boil the possible uses down to 10 to 15 situations”, Proctor says. These could include data crossing the enterprise boundary; data stored in unauthorized places; the copying, printing, moving, saving, cutting and pasting of data; and business processes that could put the data at risk. Common areas of worry for businesses included sales people stealing client information, and the offshoring of work involving critical intellectual property, he says. Last, for defining policy, firms needed to set different levels of reaction according to how concerned they would be about the incident. The lowest stage could be alerting the business and recording the situation for future analysis. The next higher stage would be intercepting the data to automatically encrypt it, move it from the risk area, or demand user justification for a particular operation. Above that, the particular operation could be automatically halted. “A lot of people have deployed a sort of DLP for simple requirements, like protecting credit card data,” he concluded. “But that isn’t enough — they need to protect all data including their valuable intellectual property.” — Leo King
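The detection features McGann lists (keyword pattern matching, exact data matching, combinations of data, false-positive reduction) and the escalating reaction levels Paul Proctor describes in Leo King’s Gartner piece (alert and record; intercept to encrypt, move or demand justification; halt) fit together as one inspection pipeline. The code below is an added example, not code from the article or from any vendor it names: it runs three detectors over an outbound message and maps what they find onto a policy tier. The fingerprint key, the fingerprinted employee IDs, the keyword list, the tier thresholds and the sample messages are all constructed for the example.

```python
"""Content inspection and tiered response for outbound messages.

Added example, not code from the CIO article or from any vendor named in it.
Everything below (key, fingerprinted IDs, keywords, thresholds, sample
messages) is constructed for the example.
"""
import hashlib
import hmac
import re

# --- exact data matching --------------------------------------------------
# The inspector never holds the raw sensitive values, only keyed hashes of
# them ("fingerprints") computed when the protected data set was registered.
FINGERPRINT_KEY = b"constructed-demo-key-change-me"


def fingerprint(value: str) -> str:
    """Keyed hash of a normalised value; the same function builds the store
    and checks candidates, so a hit means that exact value is present."""
    normalised = value.strip().lower().encode()
    return hmac.new(FINGERPRINT_KEY, normalised, hashlib.sha256).hexdigest()


# Constructed: pretend these employee IDs came from an HR salary export.
EXACT_MATCH_STORE = {fingerprint(v) for v in ("EMP-10422", "EMP-10958")}

# --- keyword / pattern matching -------------------------------------------
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")    # payment-card-shaped numbers
TOKEN_RE = re.compile(r"\b[A-Z]{3}-\d{5}\b")         # shape of the IDs above
KEYWORDS = ("confidential", "termination list", "salary")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most order numbers and phone numbers that
    happen to be 13-16 digits long (the false-positive reduction step)."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:                  # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(text: str) -> dict:
    """Run all detectors over one message and return what each found."""
    findings = {"cards": [], "keywords": [], "tokens": [], "exact": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                  # keep only checksum-valid numbers
            findings["cards"].append("*" * (len(digits) - 4) + digits[-4:])
    lowered = text.lower()
    findings["keywords"] = [k for k in KEYWORDS if k in lowered]
    findings["tokens"] = TOKEN_RE.findall(text)
    findings["exact"] = [t for t in findings["tokens"]
                         if fingerprint(t) in EXACT_MATCH_STORE]
    return findings


def decide(findings: dict) -> str:
    """Map findings onto escalating reaction levels.
    block     - exact match on a registered record, or several card numbers
    intercept - one card number, or a keyword combined with an ID-shaped token
                (hold the message for encryption or user justification)
    alert     - a keyword alone: record it and notify the business
    allow     - nothing of interest"""
    if findings["exact"] or len(findings["cards"]) >= 2:
        return "block"
    if findings["cards"] or (findings["keywords"] and findings["tokens"]):
        return "intercept"
    if findings["keywords"]:
        return "alert"
    return "allow"


def scan(text: str) -> tuple:
    """Convenience wrapper: (action, findings) for one message."""
    findings = inspect(text)
    return decide(findings), findings


# Constructed sample messages.
SAMPLES = {
    "refund": "Please process card 4111 1111 1111 1111 for the refund",
    "order": "Order reference 1234567890123456 has shipped",
    "export": "Attached: salary export rows for EMP-10422",
    "draft": "Attached: salary band draft, see ID EMP-99999",
    "memo": "Reminder: this memo is confidential",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        action, found = scan(text)
        print(f"{name:7s} -> {action:9s} {found}")
```

The order reference in the second sample has the right length for a card number but fails the Luhn check, so it is allowed rather than intercepted; that is the false-positive reduction McGann asks for. The third sample is blocked because the ID it carries fingerprints to a record in the protected set, whereas the fourth carries an ID of the same shape that is not registered, so the keyword-plus-token combination only earns an intercept.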

Send feedback on this feature to editor@cio.in



by Jeff bardin

Opening Pandora’s Box StRateGy | Data Loss Prevention (DLP) tools are great solutions. They detect what’s flowing out of your virtual boundaries examining sex, drugs, rock & roll, intellectual property (IP), personally identifiable information (PII) and anything you wish across any and all Internet protocols. They can crawl your local area network searching unstructured data sources (Word, Excel, PowerPoint, Acrobat, text

need to understand is how deep the business wants you to go. If you go too deep, meaning if you detect too many sensitive things too soon or at all, you may find yourself in an uncomfortable position since you have not prepared the chain of command and the business for what you will find. It’s a cultural issue of significant importance. Personal experience tells me that you will not be seen as the savior you fashion

a. Try before you buy. Have your vendors run the solution for a week prior to your purchase. b. Compare results. c. Examine false positives. d. Brace them for what they may find. (I have found pornography, the buying and selling of AK47s, unsavory videos, credit cards flowing with impunity outside of the company along side of intellectual property, salary information,

If you detect too many sensitive things too soon with your DlP project, you may find yourself in an uncomfortable if you haven’t prepared the business. files) for credit card information, social security numbers, pornography, salary information and termination lists. DLP can be the greatest thing since sliced bread if and only if you have a plan in place long before you deploy any of the solutions out there. Most security engineers and even many chief information security officers (CISOs) get that glazed over look in their eyes when they hear about all the wonderful things that a DLP solution can do. Plug it in and all those enterprise security the problems just vanish into thin air. What you are not told during a DLP sales pitch is the Pandora’s Box you not only are about to open but completely unhinge. What you really 96

a p r i l 1 5 , 2 0 1 0 | real CIo WorlD

Deep Dive_April2010.indd 53

yourself to be, but potentially an enemy of the state. In fact, the sad truth is that the bodies you discover may eventually lead to your own undoing. But that doesn’t mean you should give up on DLP entirely. Here are some tips on ensuring the proper depth and the structure you need to have in place prior to and during a DLP solution rollout: Determine the Specific Risk Appetite of Your Company Let them know that you are going to enable all filters for a week across all protocols and that you will share this information only with senior members of legal, compliance, privacy, HR, internal audit and IT.

malware, adulterous activity, plots within plots, plans to subvert something or someone, social security numbers and corporate business plans, businesses being run off corporate servers; you get the idea.) Establish Policies Ahead of Time Ensure you have air cover. You need to do this to expand your coverage. a. These policies must be created with legal, compliance, privacy, HR and the CIO. b. What are the corporate policies in place today supporting DLP? Is there an expectation of privacy for your users (employees, vendors, contractors) when using your assets? Or is HR prepared

Vol/5 | ISSUE/05


by Jeff Bardin

Deep Dive | Data Loss Prevention to sanction your users when data is discovered leaking? Get Your Awareness Plan Updated Prepare to re-execute based upon your new and existing policies. a. Ensure you have procedures in place to execute the policies. b. Determine what and how you will investigate based upon business requirements (risk appetite). c. What is the communication plan to your user community on the deployment and use of these tools and their understanding of corporate policy and associated sanctions? Ensure Your Policies are Up-to-date a. Determine how you will consolidate the 20 copies you find of the same file containing intellectual property. b. Determine where you will store the copies. c. Determine who owns the information d. Determine access rules and rights. e. Determine any regulatory requirements over the discovered information including potential eDiscovery / legal hold issues. f. What data governance requirements and structure should you have in place to ensure success?

Seek Answers for a Successful DLP Rollout

Before implementing a DLP solution, get ready to field these questions.

People Questions
a. Are you trying to get me fired? This question should only occur if you have not included all the appropriate parties in the process.
b. How could you allow this to happen? Doesn’t our existing infrastructure prevent this type of activity? Why don’t our employees adhere to our policies?
c. How long has this been going on? Why are we just finding out about this now?
d. Who has access to this information?
e. Who have you told about this?
f. Why did you deploy this, and did I sign off on it?
g. What is our liability?
h. What are our competitors doing?

Technology Questions
a. Which content filters are enabled first, and across which protocols?
b. What tools do you have that are not fully deployed with all features and functionality?
c. Will data merely be discovered leaking, or will it be prevented from leaking, and who will make these decisions?
d. If I have encryption in place, will my DLP solution be able to interrogate encrypted data to validate it as fitting corporate policy for transmission? If I have this capability, will it cover all encryption solutions?
e. What solutions do I have in place today to allow the secure sending of information to appropriate recipients?
f. What new solutions will I need once DLP is in place and data is prevented from flowing?
g. What end-point solutions will I need in addition to DLP to prevent the flow of sensitive data beyond the boundaries of my organization?

—J.B.

Make Sure All Participating Organizations Know Their Roles
Each organization will most likely need to define its own role, but HR will need to determine what level of sanctions it may wish to employ.
a. Legal will need to determine what they want to investigate and what they do not (they will also need to determine whether they are going to disclose a discovered breach).
b. Compliance, privacy, IT and security will need to determine the impact to their controls (or lack thereof), creating a punch list of counter-measures and finding out why the ones they have deployed are not working, and what the impact is to your regulatory, statutory and standards-based compliance programs.
c. Internal audit will need to be informed, since they may be asked how they have missed this over the years, and they will then refocus their efforts.
d. Ensure you have solid investigation protocols and procedures, including chain of custody and rules of evidence.

Be prepared to present a well-defined governance model for this whole process, or enhance the one you already have. Ensure you know how you will pursue whom you will pursue without violating any internal codes, statutes or regulations. Be prepared to potentially throttle back on the depth of your discoveries. Sometimes the real truth is not desired. Sometimes a ‘defined’ level of due diligence is required. Establish a protocol for how you will handle the information that is found: where it will be stored, whether it will be destroyed, and who has the authority to do so.

The successful implementation of DLP solutions is not as simple as implementing a tool. I recommend a phased approach and plan that moves you to the proper level of DLP. Experience tells us that to successfully deploy a DLP solution, you must have the business, HR and legal fully aligned with the program and agreed on the need for it based upon the defined risk.

Jeff Bardin is VP and CSO at ITSolutions. Send feedback on this column to editor@cio.in

REAL CIO WORLD | a p r i l 1 5 , 2 0 1 0



Deep Dive | Data Loss Prevention

What Goes Into a DLP
By Bill Brenner

Before embarking on a data loss prevention program, enterprises must first determine what the essential ingredients are. Here are five critical items for that perfect solution.

Companies are clamoring for data loss prevention (DLP) tools to keep their data safe from online predators. But there is much confusion over what the true ingredients are. Most security vendors will tell you they have just the thing for your DLP needs. But some industry experts say enterprises often buy products that, once installed, don’t perform all the functions necessary to keep sensitive information safe. We talked to several IT security professionals in an effort to zero in on the true elements of an effective DLP program, from the technology to people policies, and how best to fit the pieces together. We focus specifically on five technological approaches that, when used together, offer a solid data defense.

Data Discovery, Classification and Fingerprinting
Richard Stiennon, chief research analyst at IT-Harvest, says a complete DLP solution must be able to identify your IP and make it possible to detect when it is ‘leaking’. William Pfeifer, CISSP and IT security consultant at the Enforcement Support Agency in San Diego, agrees, calling data classification a prerequisite for everything that follows. “You cannot protect everything,” he says. “Therefore methodology, technology, policy and training is involved in this stage to isolate the asset (or assets) that one is protecting and then making that asset the focus of the protection.” Nick Selby, former research director for enterprise security at The 451 Group and CEO/co-founder of Cambridge Infosec Associates, says the key is to develop a data classification system that has a fighting chance of working. To that end, lumping data into too few or too many buckets is a recipe for failure. “The magic number tends to be three or four buckets — public, internal use only, classified, and so on,” he says.

Encryption
This is a tricky one, as some security pros will tell you encryption does not equal DLP. And that’s true to a point. As former Gartner analyst and Securosis founder Rich Mogull puts it, encryption is often sold as a DLP product, but it doesn’t do the entire job by itself. Most IT leaders don’t disagree with that statement. But they do believe encryption is a necessary part of DLP. “The only thing [encryption doesn’t cover] is taking screen shots and printing them out or smuggling them out on a thumb drive. Not sure I have a solution to that one. It also leaves out steganography, but then is anyone really worried about that?” Pfeifer asks. Specifically, he cites encryption as a DLP staple for protecting data at rest, in use and in motion. Stiennon says that while all encryption vendors are not DLP vendors, applying encryption is a critical component to DLP. “It could be as simple as enforcing a policy,” he says. “When you see spreadsheets as attachments, encrypt them.”

What CIOs Look Out for When Buying DLP (Source: GTB Technologies)

                                       Critical   Very important   Somewhat important
A reliable product                       52%          46%                2%
Proven ability to deliver on promises    42%          52%                4%
Price                                    34%          50%               13%
Vendor reputation                        15%          63%               20%
Use of leading technology                24%          50%               21%
Third-party recommendation               13%          51%               29%

Gateway Detection and Blocking
This one would seem obvious, since an IT shop can’t prevent data loss without deploying tools that can detect and block malicious activity. Sean Steele, senior security consultant at InfoLock Technologies, says the key is to have something in place that provides real-time (or close to real-time) monitoring and blocking capabilities for data that’s headed outbound at the network perimeter; data at rest (“sensitive or interesting/frightening data sitting on my network file shares, SAN, tier 1/2 storage, etcetera,” he says); and data being used by human beings at the network’s endpoints and servers.

CIOs Rate the Importance of DLP to Meet These Targets (Source: GTB Technologies)
Protect IP: critical
Protect my company’s reputation: very important
Avoid litigation: very important
Meet regulatory compliance: very important
Protect trade secrets: very important to somewhat important

E-mail Integration Since e-mail is an easy target for data thieves, whether they are sending e-mails with links to computer-hijacking malware or sending out e-mails from the inside with proprietary company data, partnerships between security vendors and e-mail gateway providers are an essential piece of the DLP puzzle. Fortunately, Stiennon says, “Most DLP vendors formed partnerships with e-mail gateways early on.”

Device Management
Given the mobility of workers and their computing devices these days — including laptops, smart phones and USB sticks — security tools that help the IT shop control what can and can’t be done with mobile devices are a key ingredient of DLP. Stiennon is particularly concerned about USB devices that could be used to steal data. “Being able to control the use of USB devices is a key requirement of a DLP solution,” he says.

Send feedback on this feature to editor@cio.in


Half Price Sale
By Ellen Messmer

With more players in the market and increasing competition, DLP vendors are slashing prices on their once expensive products.

Data-loss prevention products can potentially save organizations a bundle by preventing the escape of sensitive information. But the six-figure starting price for a typical enterprise deployment of host- and gateway-based DLP is tough for many to swallow. The good news is that prices are expected to fall as more vendors enter the fray and more choices for how to roll out DLP emerge. “If you’re dealing with a couple thousand seats for DLP, expect $250,000 (about Rs 1.1 crore) to half a million (Rs 2.25 crore),” says Forrester Research analyst Andrew Jacquith. “But we will see price erosion because of competition.” (Of course, vendors are fond of pointing out that even today’s prices aren’t too high when you consider the cost of responding to a data breach. A Ponemon Institute study has tagged this at more than $6 million (about Rs 27 crore) on average, plus the loss of good reputation and possible lawsuits.)

The market to prevent data leaks got going in the early 2000s and has gained momentum of late, though even successful vendors still tend to boast of customer numbers in the hundreds rather than thousands. The market is dominated by traditional anti-malware vendors that bought out DLP start-ups, though independents such as Verdasys remain in the mix as well. Newcomers will include the likes of anti-malware vendor Sophos, which is expected to introduce a DLP offering of its own making. Jacquith says when enterprises determine an immediate need for DLP, the usual course has been to first turn to a security vendor they already rely on for other things. “If it’s a big McAfee shop or a Symantec shop, they’ll look there first,” he says. In Forrester’s analysis, the market leaders are Websense, McAfee, Symantec, CA, EMC security division RSA and Verdasys. In addition to DLP becoming available from more vendors, it will wind up getting embedded in existing software and hardware, including switches, servers and even laptops. It may all lead to the “content-aware enterprise,” a phrase coined by Gartner analyst Eric Ouellet, who says, “It’s about sprinkling DLP everywhere.”

Buying Into DLP
For those investing in DLP today, the need is straightforward. “We need to protect patient information or other business information,” says Larry Whiteside, CISO at New York City-based Visiting Nurses, which has 13,000 employees, with 3,500 nurses providing home assistance and facilitating hospital transition care for some 30,000 patients in the greater New York area. Visiting Nurses, which had already been making use of the Websense Security Gateway, recently added the vendor’s DLP gateway functionality. Using the DLP discovery tool, Visiting Nurses has determined where sensitive data is located on its 30 file servers for the purpose of detecting and blocking breaches, including inadvertent ones. Plans are to add DLP data-blocking capability to mobile computers used by nurses. Any alerts would be collected into the firm’s Symantec security-event management system, Whiteside says. “If a user attempts to send a file, we would want it stopped at the gateway, with an alert generated and sent to the [management system],” he says. Support from business managers for DLP has been solid, especially as IT is also under constant pressure to grant more open access, Whiteside says. “From the data stewardship standpoint, it’s on my staff to make sure people are doing what they’re supposed to do,” he notes, adding that he does expect it to take up to half a year to deploy DLP widely. And DLP does nothing if not give an organization a clear picture of how content gets distributed internally and to the outside. “The visibility you get is incredibly useful,” Jacquith notes. “Some people even talk about using it for chargeback.”

Cost of DLP Per User
Average price of buying a DLP solution (per user): $45 (Rs 2,100)
Average implementation cost (per user): $43 (Rs 2,020)
Average monthly cost of maintaining a DLP solution (per user): $10 (Rs 470)
The survey charts break cost of buying and cost of implementing per user into these bands: less than $25 (Rs 1,175); $25-$49 (Rs 1,175-Rs 2,300); $50-$100 (Rs 2,350-Rs 4,700); more than $100 (Rs 4,700); don’t know. Monthly cost of maintaining per user is banded as: less than $5 (Rs 235); $5-$9 (Rs 235-Rs 420); $10-$20 (Rs 470-Rs 940); more than $20 (Rs 940); don’t know.
Source: GTB Technologies. Exchange rate $1 = Rs 47 (the applicable rate in August 2009, when the survey was conducted).

What Misses DLP’s Eye
While the accuracy of DLP products is regarded as good, the tools aren’t impervious to being tricked. James Wingate, director of the Steganography Analysis & Research Center in Fairmont, West Virginia, says it’s possible to hide a file inside another using steganography tools, and “DLP tools will not detect it.” Dave Meizlik, director of product marketing at Websense, acknowledges data hidden through steganographic tricks may slip through a DLP system. Encryption also is problematic, in that a scrambled document would have to be decrypted to have its content inspected. In some cases, that can be set up under an authorized encryption method. Documents that have been encrypted with unauthorized methods could be flagged as suspicious. Gijo Mathew, vice president of security management at CA, says encryption can be regarded as a weak point in DLP today. “If it can’t read it, it can’t analyze it to block it.” In fact, the role of encryption looms large in DLP, with the more sophisticated systems designed to block e-mail that should be encrypted and hand it off to other security products the organization might use. CA DLP, for instance, works with products from Voltage, PGP and BitArmor so data tagged as sensitive can be automatically handed off for encryption before transmission. Visiting Nurses is considering such interaction between its Websense Security Gateway and Cisco IronPort appliance.
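The three encryption situations described above (an approved method the gateway can route, an unrecognised method that should be treated as suspicious because the content cannot be read, and clear text that the policy says must be encrypted, as in Stiennon’s “when you see spreadsheets as attachments, encrypt them”) as a small outbound-mail policy hook in Python. This is an added example, not code from Websense, CA or Cisco IronPort; the sanctioned-method set, the spreadsheet rule, the SSN-only content scanner, the sample message and the function names are all assumptions made for the illustration.

```python
"""Outbound-mail DLP policy hook: for every attachment, recognise encryption
the gateway cannot see through, send clean spreadsheets to the sanctioned
encryption step, and block anything carrying sensitive content in the clear.
Added example; not code from Websense, CA or Cisco IronPort."""
import math
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SANCTIONED = {"pgp-armor"}                 # assumption: PGP is the approved method
SPREADSHEETS = (".xls", ".xlsx", ".csv")   # assumption: "encrypt spreadsheets" policy


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encryption_kind(name: str, data: bytes):
    """Label recognisable encryption, or None if the bytes look inspectable."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp-armor"
    # ZIP local file header: general-purpose flag at offset 6, bit 0 = encrypted.
    if data[:4] == b"PK\x03\x04" and len(data) >= 8 and data[6] & 0x01:
        return "zip-encrypted"
    if name.lower().endswith((".gpg", ".pgp", ".asc")):
        return "pgp-binary"
    # Compressed formats (PNG, JPEG, plain ZIP) also score high: treat this as
    # a triage signal for "we cannot read it", not as proof of encryption.
    if len(data) >= 256 and entropy(data) > 7.5:
        return "high-entropy"
    return None


def simple_scanner(text: str) -> list[str]:
    """Stand-in for the gateway's content rules: SSN pattern only."""
    return ["ssn"] if SSN_RE.search(text) else []


def decide(raw: bytes, scanner=simple_scanner) -> list[tuple[str, str, str]]:
    """(attachment name, action, reason) for each attachment, in message order."""
    msg = message_from_bytes(raw, policy=default)
    actions = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and scanner(body.get_content()):
        actions.append(("<body>", "block", "sensitive text in message body"))
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        kind = encryption_kind(name, data)
        if kind in SANCTIONED:
            actions.append((name, "allow", kind))          # routed by the approved tool
        elif kind:
            actions.append((name, "quarantine", kind))     # cannot inspect: suspicious
        elif (hits := scanner(data.decode("utf-8", "replace"))):
            actions.append((name, "block", ",".join(hits)))
        elif name.lower().endswith(SPREADSHEETS):
            actions.append((name, "encrypt", "spreadsheet policy"))  # hand-off step
        else:
            actions.append((name, "allow", "clean"))
    return actions


def build_sample() -> bytes:
    """Constructed outbound message with one attachment per policy branch."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "nurse@example.test", "partner@example.test", "Files"
    msg.set_content("Attached as discussed.")
    msg.add_attachment("patient,ssn\nA. Lovelace,123-45-6789\n", subtype="csv", filename="roster.csv")
    msg.add_attachment(b"PK\x03\x04\x14\x00\x01\x00" + bytes(64),
                       maintype="application", subtype="zip", filename="notes.zip")
    msg.add_attachment(b"-----BEGIN PGP MESSAGE-----\n\nplaceholder\n-----END PGP MESSAGE-----\n",
                       maintype="application", subtype="octet-stream", filename="report.pdf.asc")
    msg.add_attachment("site,visits\nA,3\n", subtype="csv", filename="stats.csv")
    return bytes(msg)


if __name__ == "__main__":
    for name, action, reason in decide(build_sample()):
        print(f"{action:10} {name:16} {reason}")
```

The ordering of the checks is the policy: encrypted-by-approved-tool passes, encrypted-by-anything-else is held for a human (the gateway has no way to tell a sanctioned-looking blob from exfiltration), clear text is scanned, and only clean spreadsheets are sent on to the encryption hand-off. The entropy heuristic is deliberately last and deliberately weak; it exists so that a renamed ciphertext file does not slip into the "clean" branch, and it will also stop on ordinary compressed files.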

Where to Put Your DLP Whether to install DLP at the gateway or host level — or buy a multipurpose security gateway with DLP or a stand-alone device — is a topic for debate among IT and security leaders.

Discover, Monitor, and Protect
You must watch and monitor and track a thousand security issues every single day. But remember, the data breach you prevent may be your own. Here are four points to address.

First, explain to your workers why DLP matters and the penalties for mistakes. If workers don’t know which files need protection, they can’t protect them. Clip and save a couple of news articles that outline the data breach laws, penalties and costs of customer notification. Emphasize how each employee may have to call customers and apologize for sending their credit card information to the hackers by accident.

Second, move all critical files off individual computers. Enterprise DLP system software runs on every desktop and laptop, and monitors local and networked file activity. Until you can afford that, remove temptation by vigorously tracking all critical files on local computers and moving those files to networked storage of some kind.

Third, upgrade your local shared storage access controls. Management knows how to do this, because they don’t put payroll information in the public file area. Treat all your critical files as if they were payroll files, and you’ll be better off. The better the system, the more granular and secure the access rights controls. Even the cheapest shared storage box allows you to password-protect volumes at a minimum, making it easy to put, say, all accounting and payroll files on a separate volume that requires a username and password different from the public file storage areas.

Fourth, talk to your e-mail host about filtering outbound attachments. If you run your own e-mail server, dig into the manuals to figure out how to block all e-mail attachments. Third-party spam and virus protection services usually have these services, so ask them. However, never underestimate the creativity of idiots, and especially idiot users. Talk to your security consultant and see what you can put in place.
—By James E. Gaskin


Installing a DLP gateway is “a no-brainer,” Forrester’s Jacquith says, noting it’s the least expensive and easiest way to get started. But some vendors say there’s been too much emphasis on the gateway when you take into account the mobility of employees. Trend Micro’s global product marketing manager, Mark Bloom, voiced some dismay that his company (which acquired Provilla’s LeakProof) is considered a niche player in DLP by Gartner because “we’re focused on the endpoint.” Trend Micro expects to offer DLP for the gateway in the near future. While LeakProof is a stand-alone DLP agent, the DLP functionality will be moving into Trend Micro’s OfficeScan products in the early 2010 timeframe. “We’re seeing a big push to have a content-aware endpoint,” Bloom says. “We should have a single agent.”

In fact, there’s a broad march underway by IT vendors to integrate DLP functionality into existing security host and gateway products. These include:

McAfee’s host DLP software can be used alone or as an add-on to its flagship anti-malware security software that’s part of its Total Protection for Data Endpoint suite. McAfee is looking at integrating the DLP engine into its Web gateway, e-mail gateway, firewall and intrusion-protection gear.

Microsoft and VMware anticipate integrating RSA DLP technology into future products, though this is still in the early stages. RSA is the security division of EMC, which is the majority owner of VMware.

Symantec, which integrated DLP into its Brightmail e-mail security gateway, has also begun integration with its Altiris management software. Altiris 7 can be used to deploy and troubleshoot endpoint DLP Prevent and Discover agents so that there’s communication between the DLP endpoint and the Symantec Endpoint Protection agent, its flagship security software. Integrating DLP into Symantec storage systems can be expected in the future. Symantec DLP Discover, for instance, has already been integrated into Backup Exec System Recovery, and Symantec intends to introduce some open APIs for DLP.

HP, which acquired outsourcing giant EDS last year, has a strategic partnership with Symantec on DLP. EDS supports Symantec DLP in outsourcing arrangements with enterprise customers and even manages the DLP system for Symantec itself, which selected EDS as its outsourcing partner. A focus now is integrating some of the Symantec DLP capability into HP ProCurve switches and deploying DLP in HP datacenters, he notes. Whitener points out that sometimes organizations don’t want the company’s CSO or IT support in the middle of handling data-loss issues, since this is seen as a possible conflict of interest.

The changing world of DLP is something that Phil Moltzen, senior security architect at the US Department of Energy, is keeping an eye on. He says there’s a growing awareness that attention must be paid to monitoring content that’s leaving the network, as well as all the work that’s done to stop attacks related to phishing, hackers and malware from coming in. The cost of DLP does present a barrier to large-scale adoption today, but, he adds, “DLP is really just starting to take off.”

$6 million (about Rs 27 crore) is the average cost of responding to a data breach, which is a lot more than the cost of a DLP solution. Source: Ponemon Institute

Send feedback on this feature to editor@cio.in


VS
By Nate Evans and Benjamin Blakely

There are DLP solutions and then there are DLP solutions. Each offers something good, sometimes at the expense of something not so good. To help you figure out which is best suited for your organization, we pit four products against each other and test them against four parameters, including ease of configuration, performance, fingerprinting and reporting. Here are the results.


Finding the right perimeter-based data loss prevention tool means striking a balance between speed, accuracy at detecting and blocking sensitive data from exiting the network, and adequate coverage across a broad range of rule-sets and protocols. DLP products come in three categories: perimeter-based, client-based, and those that take a combined approach. In this test, we evaluated perimeter-based appliances from Fidelis Security Systems, Palisade Systems, Code Green Networks and GTB Technologies. The DLPs were set up inline (except for Code Green’s Content Inspector, which doesn’t support in-line mode) between a simulated WAN and LAN and were configured with a set of 10 rules. We then ran about 1,100 files through each device, waiting about a minute between each file, to determine how accurately the device detected and blocked a total of 276 ‘bad’ files and to what degree network performance was affected by the inline DLP. Code Green’s Content Inspector scored highest when it came to detection. Code Green also scored high on ease of configuration. But Code Green was limited in the range of protocols it could block. Our Clear Choice winner is Fidelis’ XPS because of its easy-to-use interface, flexible rule-set, amazing reporting, and better-than-average detection and blocking ability. Palisade’s Packetsure and GTB’s Inspector were somewhat unrefined by comparison, requiring more work to understand the rule structure and adding unneeded complexity to the overall process. But they were still very competitive when it came to detecting harmful files.

Installation
Generally DLP vendors deploy engineers to the customer site to set up and configure the device, but we decided to do it ourselves to get a hands-on understanding of how the product works from installation through reporting. For Packetsure and Content Inspector, the basic installation was fairly straightforward and the products were set up with little to no trouble. For the other two products, basic installation was a little more difficult, requiring numerous contacts via e-mail and phone. But all were eventually set up without the need for a technician to show up on-site. After each product was set up and could pass data between the simulated LAN and WAN, we configured the device to our filtering specifications. This included a sample set of 10 rules chosen to test some of the basic features and blocking potential. The DLPs were set up to look for Social Security and credit card numbers, certain pieces of source code, and five words in a row from a short story, which would be used to prevent any part of a specific report from leaving the network. We also set up rules to check for maximum file sizes or .mp3 files. And we fingerprinted a data set containing a list of customer names, addresses and Social Security numbers and set up a rule blocking any combination of the three.

Test Center: Key Findings
All of the products did an effective job at detecting harmful files that were sent over the specific protocols that the product supports. But not all products support a wide range of protocols.
Some of the products that did well at detecting harmful files were less adept at blocking.
None of the products were able to analyze or block encrypted traffic.
There’s a network performance hit that needs to be taken into account when running these products in-line.
— Nate Evans and Benjamin Blakely
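The rule set above (Social Security and credit card numbers by pattern, a five-word run lifted from a protected document, and a fingerprinted customer list that fires on any combination of name, address and SSN) as a toy content inspector in Python. It also puts the classification prerequisite from the earlier article into code: the protected report and the customer list are the “buckets” the rules refer to, and the gateway holds only hashes of them, never the plaintext. This is an added example, not code from any of the tested products; the sample report, the customer records, the test strings and the function names are constructed for the illustration.

```python
"""Toy DLP content inspector: pattern rules (SSN, Luhn-checked card numbers),
5-word shingle fingerprints of a protected document, and exact-data
fingerprints of customer records that fire only when two or more fields of
the same record appear together.  Added example; not code from any product."""
import hashlib
import re

# Candidate-number patterns.  The SSN pattern rejects area 000/666/9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
TOKEN_RE = re.compile(r"[a-z0-9-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most random digit runs that look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def tokens(text: str) -> list[str]:
    return TOKEN_RE.findall(text.lower())


def digest(words) -> str:
    return hashlib.sha256(" ".join(words).encode()).hexdigest()


def shingles(text: str, n: int = 5) -> set[str]:
    """Hash of every run of n consecutive words.  The protected document is
    stored on the gateway only as this set of hashes."""
    w = tokens(text)
    return {digest(w[i:i + n]) for i in range(len(w) - n + 1)}


class RecordIndex:
    """Exact-data fingerprints of structured records (name, address, SSN...)."""

    def __init__(self, records):
        self.index = {}          # field hash -> (record id, field name)
        self.max_n = 1
        for rid, rec in enumerate(records):
            for name, value in rec.items():
                w = tokens(value)
                self.index[digest(w)] = (rid, name)
                self.max_n = max(self.max_n, len(w))

    def matches(self, text: str, min_fields: int = 2) -> dict:
        """Record ids with at least min_fields distinct fields present in text.
        A lone address or a lone name is not enough; that keeps the rule from
        firing on every invoice that mentions a street."""
        w = tokens(text)
        seen = {}
        for n in range(1, self.max_n + 1):
            for i in range(len(w) - n + 1):
                hit = self.index.get(digest(w[i:i + n]))
                if hit:
                    seen.setdefault(hit[0], set()).add(hit[1])
        return {rid: f for rid, f in seen.items() if len(f) >= min_fields}


def inspect_text(text: str, index: RecordIndex, protected: set[str]) -> list[str]:
    """Names of the rules that fire; an empty list means the file may pass."""
    rules = []
    if SSN_RE.search(text):
        rules.append("ssn")
    if find_cards(text):
        rules.append("credit-card")
    if shingles(text) & protected:
        rules.append("protected-document")
    if index.matches(text):
        rules.append("customer-record")
    return rules


# Constructed sample data: not real people, records or reports.
PROTECTED_REPORT = ("The quarterly forecast assumes a twelve percent decline in "
                    "hardware margins, offset by services growth across the EMEA region.")
CUSTOMERS = [
    {"name": "Ada Lovelace", "address": "12 Analytical Engine Road", "ssn": "123-45-6789"},
    {"name": "Grace Hopper", "address": "7 Compiler Lane", "ssn": "987-65-4321"},
]
PROTECTED = shingles(PROTECTED_REPORT)
INDEX = RecordIndex(CUSTOMERS)

if __name__ == "__main__":
    for sample in ("FYI: a twelve percent decline in hardware margins is expected.",
                   "Please update Ada Lovelace, 123-45-6789, new card 4111 1111 1111 1111.",
                   "Lunch at 12 Analytical Engine Road tomorrow?"):
        print(inspect_text(sample, INDEX, PROTECTED) or "clean", "<-", sample)
```

Two design points matter in practice. Fingerprints are hashes of normalised text, so the gateway can recognise the report or the customer list without itself becoming a copy of the data it is meant to protect; and the record rule counts distinct fields per record, which is what “any combination of the three” means once you try to write it down: one field alone is a false positive waiting to happen, two fields of the same person is a leak.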

Configuration ease: Code Green is Tops Code Green’s Content Inspector was the easiest product to configure and write rules for. The rule language is simple and the graphical interface is very usable. Code Green breaks rule creation down into two categories: data and policy. One defines data to be blocked using a variety of tools, and then configures a policy to check for it. This was very straightforward and easy to change, with no need to restart the device or reload the settings. In the configuration simplicity arena, Code Green goes above and beyond all the other products.

Fidelis’ XPS sensor has a ‘Command Post’ server to handle management and configuration, a mail sensor server (provided via built-in Postfix SMTP proxy), and a Web sensor (implemented via a third-party BlueCoat Web proxy appliance). Rule creation is straightforward and simple using a Web GUI. XPS is the only product that allows you to submit sample files in order to test each rule before you make it live. If you ever have a question about a specific rule or a page you are on, Fidelis has built in wonderful help links on each page that explain each check box or button. This is a life-saver and allowed us to create the majority of the rules without any technical support contacts.

Palisade’s Packetsure provided a simple wizard to help with setup and was the only product to have such a helpful starting point. However, if one wants to add or change a rule outside of the wizard, the sailing is not quite so smooth. Part of the problem may be that Packetsure is really two products trying to work together as one: there is a content analysis engine and a protocol analysis engine. The Palisade protocol analyzer only inspects the packet payload (instead of re-assembling the data stream as the content analysis does). This two-pronged approach helps isolate each rule, but it makes managing the product difficult. Also, in our testing the rules did not always work as expected. For example, one ‘content analysis checkbox’ means packet analysis and another content analysis checkbox actually re-assembles the data stream before it analyzes it (similar to all the other products). Packetsure has a ‘connect to home’ functionality which the user can enable right out of the box. This feature can be very useful when calling tech support or even with the initial setup, as it allows Palisade to assist using a secure VPN.

GTB’s Inspector has the most difficult configuration process of the four products. In order to write a rule, one must edit a text configuration file, add some regular expressions and format each line very specifically. For example, in order to write a rule to check for the words ‘Top Secret’ in a file, a regular expression had to be written in a large text box on the Web management interface. There is no wizard and no graphical interface. The other limiting factor with GTB’s Inspector is the fact that its rule-set functionality is very limited. In our test it could only implement about half of the desired rules. Even a simple rule such as looking for specific filenames or maximum file size was not supported.

Performance: Fidelis is Fastest; Code Green Wins the Detection Test
We tested how accurately each product blocked a total of 276 harmful files that we sent, or roughly 30 files for each of the nine protocols (including HTTP, SMTP, POP, IMAP, FTP and Telnet) in our test bed. We also measured how fast the product could pass data through the device, starting with a baseline of 581Mbps, which is the capacity of our network without any device present. The best performance from a detection perspective was Code Green’s Content Inspector, which detected 90 percent of the data we threw at it. And the 10 percent Content Inspector missed was because of the lack of support for encrypted traffic streams (SSH sessions), which no product supports. However, it can only block files on four of the tested protocols: HTTP, Secure-HTTP, FTP and SMTP. The first three are done using a third-party BlueCoat proxy device and the SMTP is done using a built-in mail relay. This lack of blocking ability across a wide variety of protocols was the major drawback in Code Green’s Content Inspector. But if your company is only worried about those four protocols, this product would be recommended.

Fidelis’ XPS had an 84 percent success rate in detecting and blocking across all protocols and streams of data. The marketing line for this company states that they can block data on all 65,535 ports, and we would have to agree. This product blocked virtually everything it could detect, only failing on one file type: an archived Web site. The product handled obfuscated data very well, catching four of five files. POP and IMAP provided a little bit of trouble, but after a few custom patches from the engineers, it worked as expected. The choice faced by all these products is a tradeoff between performance and blocking effectiveness. When data moves through a DLP device, the product can either cache it, determine that it’s good and then let it out, or try to do analysis on the fly and suffer some data leakage. Fidelis chose performance and won our speed test, passing traffic at 90 percent of

What’s this DLP Product Good For? Find out the strengths of each product across four parameters — and what it traded off to excel in that area. Fidelis XP XPs: overall winner Fidelis xPS was the most developed DP product among those that we tested in overall features, general flexibility and its ability to block. It has a ‘command Post’ server to handle management and configuration, a mail sensor server (provided via built-in Postfix SMTP proxy), and a Web sensor (implemented via a third-party Blue Bluecoat Web proxy appliance). Installation isn’t simple, but it didn’t take more than a few hours to get xPS set up and running. The built-in help links are very useful when writing rules and the xPS includes the ability to test rules that you write. The xPS does a great job of remaining flexible across all protocols yet still maintaining the ability to block on these protocols. The management interface allows you to easily create rules and see reports. 106

a p r i l 1 5 , 2 0 1 0 | real CIo WorlD

Deep Dive_April2010.indd 63

This product was the fastest we tested, blocking 80 percent of harmful files, while only taking a 10 percent performance hit. If you are looking for a product to block a variety of protocols and applications, in addition to the standard hTTP and SMTP, look no further.

Palisade’s Packetsure: t two Products in one Palisade’s Packetsure product seems to contain two products in one: a protocol analyzer and a content analyzer. Packetsure had a high detection rate, but the slowest speed, performing at 50 percent of maximum bandwidth. This product has some interesting features such as the ability to help set up the product via a VPn and a useful graph showing data passing in and out of the network. Installation was simple and straightforward, accomplished in less then an hour. The initial setup was assisted greatly by the use of a wizard. however, altering rules after using the wizard is bothersome and reporting is more difficult and clunky than it could be. Vol/5 | ISSUE/06



network capacity. However, occasionally pieces of sensitive data leaked from the network. All the other products chose to prioritize blocking over speed. Palisade’s Packetsure is targeted at the basic protocols of HTTP, SMTP and FTP, and showed a high blocking rate on those specific protocols. But Packetsure, possibly because it seems to contain two products in one, was the slowest product, performing at only 55 percent of the allowable bandwidth. Furthermore, blocking a specific protocol and scanning based on content analysis each work as expected, but when you combine the two, problems emerge, creating unexpected results. For example, when you try to limit content analysis to a certain protocol, you have to choose between using a weaker content analysis system (which won’t re-assemble the stream) or not limiting your blocking based on protocols. The latter is the best way to handle this problem, but doing so reduces the flexibility and blocking capability of the product. GTB’s Inspector was the most consistent product. What it detected and blocked on one protocol it detected and blocked on every protocol with no extra work. The problem with this product was that it could only check based on certain rules, and those rules were limited. About half of our detection tests failed on this product because the rule types are not supported. However, even with its lack of rule support, it still caught 62 percent of the illegal files. Across supported protocols, Inspector was the only product to score 100 percent, catching every single file we could send through the machine at 80 percent of the allowed bandwidth.

Fidelis’ XPS
Price*: Rs 132,800
Pros: Fast in-line device, useful management interfaces.
Cons: Some protocols are not fully implemented; blocking occurs after data is detected, so there is some leakage.
Score: 3.9

Packetsure
Price*: Rs 30,000
Pros: Helpful wizard, excellent real-time reporting graph.
Cons: Slowest in-line device; reporting is tedious and not very flexible.
Score: 3.1

Content Inspector
Price*: Rs 31,000
Pros: Highest detection rate, flexible and easy interface for writing rules.
Cons: Does not support any blocking except SMTP (e-mail) unless an external proxy is used.
Score: 3.4

GTB Inspector
Price*: Rs 20,000
Pros: Consistent product able to block all protocols.
Cons: Limited in rule generation and protocol scanning; complex configuration.
Score: 3

Score based on a weighted average of four parameters: ease of use, features, performance, installation.
* Prices are approximate only.

Code Green’s Content Inspector: Tops in Detection

Content Inspector was the best product tested when it comes to detecting data leakage. However, because it can only block a few protocols, the detection is not well used. Installation was very simple, and configuration was easy to understand without reading any manuals. This is the only product that allowed every rule to be implemented. This product was able to detect 90 percent of the data we threw at it, which is almost double some of the other competitors. The 10 percent it missed was because of lack of support for encrypted traffic streams (SSH sessions), which no product supports. However, it can only block files on four of the tested protocols: HTTP, HTTPS, FTP and SMTP, three of which are done using a third-party Bluecoat proxy device and the last using a built-in mail relay. When blocking using one of these methods, this product was flawless, blocking every file it could detect. However, this lack of blocking ability across a wide variety of protocols was the largest drawback in Code Green’s Content Inspector.

GTB Inspector: Consistently Solid

GTB’s Inspector was a very consistent product but is limited in rule generation. Installation was a headache, taking nearly eight hours to set up. However, after the product was set up and configured it was extremely consistent. What it detected and blocked on one protocol it detected and blocked on every protocol it supported. The problem was that it was only able to check based on certain rules, and those rules were limited. About half of our detection tests failed on this product because the rule types are not supported. However, even with its lack of rule support, it still caught 62 percent of the illegal files. Across supported protocols, this was the only product to score 100 percent, catching every single file we could send through the machine at the 80 percent network bandwidth it allowed. Another redeeming quality is that GTB’s Inspector has a very powerful and robust fingerprinting ability, allowing all sorts of customization.

Fingerprinting: GTB Inspector Gets High Marks

Fingerprinting is a concept that is implemented fairly well in these DLP products. Fingerprinting will hash a file and look for parts of that file leaving the network.

— Nate Evans and Benjamin Blakely



Deep Dive | Data Loss Prevention

Fingerprinting is used to prevent sensitive data from leaving a network and at the same time to reduce false positives. For example, most organizations want to prevent Social Security numbers from leaving local networks. But a lot of things can look like a Social Security number (e.g., a mistyped phone number or an online order number). Fingerprinting takes any sensitive information you may have on your network and looks for a number of pieces that specifically correspond with it, so that it matches only the piece of information that you don’t want erroneously leaving your network. One could fingerprint a list of names, addresses and Social Security numbers and, instead of triggering on any nine-digit number, the DLP will only trigger when a Social Security number is sent out with the associated full name. Or, instead of looking for a specific word or phrase, it can look for a few sentences from a report. All of the tested products support this feature, but GTB Inspector is the most powerful and flexible — customers can fingerprint data from a variety of flat files, databases or spreadsheets. That power and flexibility, however, comes at the cost of simplicity. GTB has its own program which one must use to fingerprint data, as opposed to other products that allow an administrator to upload and fingerprint a file from the main management interface. While Palisade’s Packetsure can scan and hash the usual range of files that most of the others support, when it comes to database fingerprinting — linking two fields in a relational database — it requires the files to be exported into a flat file for analysis. Fidelis’ XPS included the ability to test your fingerprints once you created them. Code Green’s Content Inspector could fingerprint data of all sorts and allowed you to set up scenarios on when this data would trigger an alert. For example, if you fingerprinted names, addresses and Social Security numbers, you could say: alert me when you see two Social Security numbers and one has a matching name. No other product had as much granularity and yet remained simple to use.

Test Parameters

A small network containing a router and a server was set up with some of the services one would commonly expect to see running on an enterprise network, including FTP, HTTP, Secure-HTTP, Mail (POP, IMAP and Exchange) and SSH. Each vendor was required to ship its product and all required components to the lab. No vendor was permitted to do an on-site installation. Support for the DLPs was obtained on an ‘as-needed’ basis, and vendors provided standard documentation. Towards the end, another test was run with the vendor on-site. The DLPs were set up in-line between a simulated WAN and LAN and were configured with a set of 10 rules. To connect these products in-line, we used a Network Critical V-Line (Bypass) Tap. This device allows the DLP to be placed “virtually” in-line: if the DLP should fail, traffic continues to flow. If you plan to hook your product up in-line, this is a recommended method. Some of the products also required a separate proxy product to assist with the blocking. We did not take into account the configuration of the proxy when testing the products, but it is reflected in the cost. We also tested the speed at which we could pass data through the device. We started with a baseline of 581MBps, which is what we could get out of the network without any device present. Then we activated a rule, which we knew worked, and sent a flood of e-mails of a variety of sizes from 1KB to 1GB through the device. We measured how quickly these e-mails made it out. Using a machine sitting out on the simulated WAN, we attempted to access a variety of files via each protocol and a variety of ports on LAN services and pull data out of the protected network. We tested each product by running about 1,000 files through it, waiting about a minute between each file. Some of these files contained blacklisted data (about a quarter of them) and some contained harmless data. We recorded which files made it out, which files were blocked, and which files were flagged (but not blocked).

— Nate Evans and Benjamin Blakely
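The two fingerprinting ideas described above (hashing shingles of a sensitive report, and matching a Social Security number only when it travels with its associated name) together with the lab’s pass/block/flag bookkeeping, as an added Python illustration that is not any vendor’s code; the sensitive report, the records and the outgoing messages are constructed sample data, and the shingle size and match threshold are assumed values.

```python
"""Toy DLP fingerprinting: document shingles plus correlated (name, SSN) records.

Added illustration, not any vendor's implementation. All data is constructed.
"""
import hashlib
import re

SHINGLE_WORDS = 6           # words per shingle (assumed value)
DOC_MATCH_THRESHOLD = 0.3   # fraction of outgoing shingles that must match (assumed)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # anything shaped like an SSN
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")   # crude "First Last" candidate


def _h(value):
    """Short SHA-256 digest; only digests are stored, never the sensitive text."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def normalize(text):
    """Lower-case word tokens, so reformatting a report does not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def document_fingerprint(text, k=SHINGLE_WORDS):
    """Hash every overlapping run of k words of a sensitive document."""
    words = normalize(text)
    return {_h(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}


def document_match_ratio(outgoing, doc_fp, k=SHINGLE_WORDS):
    """Fraction of the outgoing message's shingles that belong to the document."""
    shingles = document_fingerprint(outgoing, k)
    if not shingles:
        return 0.0
    return len(shingles & doc_fp) / len(shingles)


def record_fingerprint(records):
    """Hash (full name, SSN) pairs, so a nine-digit number alone never matches."""
    return {_h(" ".join(normalize(name)) + "|" + ssn) for name, ssn in records}


def correlated_hits(outgoing, record_fp):
    """Return (name, SSN) pairs in the message that match a fingerprinted record."""
    names = NAME_RE.findall(outgoing)
    hits = []
    for ssn in SSN_RE.findall(outgoing):
        for name in names:
            if _h(" ".join(normalize(name)) + "|" + ssn) in record_fp:
                hits.append((name, ssn))
    return hits


def verdict(outgoing, doc_fp, record_fp):
    """'block' on a fingerprint match, 'flag' on a lone SSN-shaped number, else 'pass'."""
    if correlated_hits(outgoing, record_fp):
        return "block"
    if document_match_ratio(outgoing, doc_fp) >= DOC_MATCH_THRESHOLD:
        return "block"
    if SSN_RE.search(outgoing):
        return "flag"   # could be an order number: log it, but let it through
    return "pass"


def tally(messages, doc_fp, record_fp):
    """Count verdicts the way the lab recorded results: passed, blocked, flagged."""
    counts = {"pass": 0, "block": 0, "flag": 0}
    for msg in messages:
        counts[verdict(msg, doc_fp, record_fp)] += 1
    return counts


# Constructed sensitive data from which the fingerprints are built.
SENSITIVE_REPORT = (
    "The quarterly audit found that the Mumbai plant exceeded its budget by "
    "twelve percent because supplier contracts were renegotiated late in the "
    "year. Management recommends consolidating vendors before the next period."
)
SENSITIVE_RECORDS = [("Priya Sharma", "123-45-6789"), ("Rahul Mehta", "987-65-4321")]

DOC_FP = document_fingerprint(SENSITIVE_REPORT)
RECORD_FP = record_fingerprint(SENSITIVE_RECORDS)

# Constructed outgoing messages, one per case the review discusses.
SAMPLE_MESSAGES = [
    "FYI: the Mumbai plant exceeded its budget by twelve percent because "
    "supplier contracts were renegotiated late in the year.",     # report excerpt -> block
    "Please update Priya Sharma, SSN 123-45-6789, in payroll.",   # name + its SSN -> block
    "Your order number is 123-45-6789, thanks for shopping.",     # lone number -> flag only
    "Rahul Mehta has SSN 123-45-6789 on file.",                   # wrong pairing -> flag only
    "Lunch at noon tomorrow?",                                    # harmless -> pass
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(verdict(msg, DOC_FP, RECORD_FP), "|", msg)
    print(tally(SAMPLE_MESSAGES, DOC_FP, RECORD_FP))
```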

Reporting: Code Green, Fidelis Are Tops

One of the most useful parts of a DLP product is its reporting feature. For an administrator, knowing what a product is seeing and blocking is extremely useful. Code Green’s Content Inspector and Fidelis’ XPS have the best reporting systems. Both do a great job of allowing flexibility, ease of use, exporting capabilities and beautiful (and meaningful) graphs to help make this data easy to digest. Plus, Code Green’s product allows for simple integration into many alert software applications (such as Crystal Reports) or even custom applications, as it uses a simple Postgres database. Palisade’s Packetsure tries to implement the functionality needed in report generation, but doesn’t quite get there. The interface seems very clunky and there is an annoying wait of 3 to 5 seconds whenever you want to generate a report. However, Packetsure has a very useful protocol graphing tool that allows you to see, in real time, what kind of traffic is moving across your perimeter (even allowing an administrator to drill down to specific applications). It would be nice if this was tied to the blocking feature in some way, but it’s not. GTB’s Inspector lagged behind the competition in terms of reporting. It provided acceptable, straightforward reports and even included the ability to generate graphs to help interpret the data. It doesn’t miss the mark on reporting; it just wasn’t nearly as impressive as the other three products. CIO

Send feedback on this feature to editor@cio.in



Toward Innovation

Snapshots from the second season of CIO's Leadership Summit.

‘Let's get innovative.’ How many times have you heard that said in a meeting with your peers? With people whose resumes are packed with knowledge and whose faces are lined with experience. You would think they'd know better. The problem is, as nice as the phrase is to say, it's a label that people use to close a subject in a difficult conversation. But how many of our enterprises can really pull off honest-to-God innovation? And how many can do it on a regular basis? To meet today's increased need to think beyond the obvious and give customers something to wow about, CIO put together a set of people who live and breathe innovation. Here they are. Learn from the pros. Time to get innovative.

Survival Tactics: Anil Dua, Hero Honda (Page 114)
Systematic Innovation: Prof. Rishikesha T. Krishnan, IIM-B and Vinay Dabholkar, Catalign Innovation Consulting (Page 116)
Marketing the Value of IT: Vijay Ramachandran, IDG Media (Page 117)
Workload Balance: Workload Management (Page 118)
Long Distance: Unified Communication (Page 119)
Security Vs Access: Risk Management (Page 120)
Road to Agility: Infrastructure (Page 121)



Leadership Summit I CXO Vision

Survival Tactics

Anil Dua, Sr VP, Marketing and Sales, Hero Honda, shares success mantras that helped his company zoom profit during the slowdown.

A lot of people ask me that at a time when every industry was feeling the crunch as America declared a ‘global recession’, how did Hero Honda manage to continue to post good figures and beat the industry’s top line growth? Call me philosophical, but I believe optimism and a positive attitude are the key pillars of Hero Honda’s phenomenal success story.

Believe in the Fundamentals: In the slowdown, we re-learnt the basics. In India, we are fortunate that the fundamentals of all our industries are very strong. According to the IRS (Indian Revenue Service) report of 2009, less than 17 percent of households in the country have two wheelers. And this is true for most of the popular consumer items like TV, refrigerators, and telephones etcetera. There is a huge untapped market there waiting to be explored. After all, the Indian economy has been growing rapidly and there is — and was — a lot of disposable income in the hands of our consumers. We didn’t let the doomsayers shatter our faith in the market’s potential.

Not All Spends Equal Investments: Therefore, we pursued an aggressive marketing strategy introducing new products and investing in existing campaigns. At a time when most people were cutting down on infrastructure costs, we doubled our investments on ground. Three years back, we had 2,000 service-backed dealer touch points; we expanded them to 4,000. Why did we do that? Because we believe that people had not stopped buying; they had just postponed their plans for better times. By increasing our presence, we built a strong sense of optimism and created aspiration value for our customers. We remodeled all our showrooms across the country so that they bore a festive look. We knew that our objective would be achieved if a person traveling in a bus gets attracted enough to step inside our showroom that has opened newly in his locality.

Challenge the Norm: When every brand is jumping to associate their name with cricket, being the real money spinner in India, we took the road less traveled and put our money in hockey. It may not have made immediate business sense, but the kind of ownership and pride it created in our customers was incredible. And we wanted to associate our brand with those sentiments. Not many watched the semi-final of the hockey World Cup after India was knocked out, but almost everybody saw the advertisement. A bike is not just a product; it is the extension of your personality. In a slowdown, enterprises tend to concentrate on the few top brands that bring in the maximum cash. But then you run the risk of ignoring the individual. Traditionally, bike advertisements have been very similar, but we have broken the barrier. Our advertisements speak to the target group, whether it is the adventure bike category or the utility rider. For example, we have several outlets in the country which are ‘manned’ by an all-women staff called “just for hers”. It might contribute less than 15 percent or so to total sales, but it adds up to a lot in the long run.

“When most were cutting down on infrastructure costs, we doubled our investments. Why? Because we believed that people had not stopped buying; they had just postponed their plans for better times.”



Prof. Rishikesha T. Krishnan and Vinay Dabholkar explaining the intricacies of innovation.

Systematic Innovation

Rishikesha T. Krishnan, Prof. Corporate Strategy & Policy, IIMB, and Vinay Dabholkar, President, Catalign Innovation Consulting, tell you how to introduce systematic innovation into your enterprise.

The Building Blocks of Systematic Innovation

Rather than being a standalone entity, innovation should be a process which includes:
Identifying problems that need to be solved or pain areas which need some improvement.
Coming up with ideas, which need not necessarily be unique from all the ideas in the past.
Taking concrete steps to implement those ideas and bring them into action.
Measuring the benefits derived from the implementation of the idea.

Creating an Environment for Innovation

In order to have an environment that is favorable to innovation, the following needs to be taken care of:
Recognize the constraints within which an organization exists. Not all ideas can be applicable across all organizations.
Make an active effort to reward and motivate people to come up with new ideas, even if some of their ideas have flopped in the past.
Study ideas that are offered seriously to check if they are visibly aligned to the targets, goals, and aspirations of the organization as a whole — and not only in tangible terms but also in the qualitative aspects.
Create an idea management system that pools together innovative thoughts so that they can be preserved. A seemingly irrelevant suggestion today may have significant value in the future.

Going About Systematic Innovation

Step One: One way of going about this is by first establishing ‘use’ cases. This can be achieved through keen observation of similar problems being tackled in different segments of the industry and coming up with ideas that can be transferred to your specific scenario.
Step Two: Develop a portfolio and focus only on the task at hand. Any unrelated ideas should be discarded for the time being and all energies should be focused on developing a practicable design for the idea.
Step Three: Draw up practical experiments on these designs. This will give rise to a working model, and once a demo gains acceptance a commercial model can be developed to monetize the idea.

Another, more modern way of setting out on innovation is gauging the scope of a possible solution by looking at a problem, or a possible problem, your enterprise might have. This is different from the first way of approaching innovation because it doesn’t look for almost-constructed, existing solutions in a certain industry. The benefit of this approach is that the idea will almost certainly hold commercial interest. And it can be worked upon to bring out a product with targeted or mass appeal.



Marketing the Value of I.T.

The pros and cons of creating an annual report from the IT department.

IDG's editor-in-chief talks about the different benefits of an annual IT report and fields questions on how it can be done.

There is no doubt in anybody’s mind that businesses need to be told about the value that IT brings. How best to go about this, however, is open to debate. One way of going about it is similar to how the IT leaders at Intel and CA articulate the value of their departments. They bring out an annual report for IT from the chief information office. These reports include various details, chief among which is accounting for the budgets allocated and investments made. It’s an idea that finds resonance with S. Srinivasan, Sr. GM-Business Strategy and Systems, TVS Sundaram Fasteners, but he adds that a mere expense sheet is not enough. “A comparative performance analysis, both internal and external, may be of greater interest rather than merely an in-house performance review,” he says. “A key data point could be the percentage of IT spend compared to the competition. If it is low, then one definitely stands to gain favor with the other senior executives.” The value addition that can be brought about by a report is strongly supported by Gopal Rangaraj, VP-IT at Reliance Life Sciences. “A report should focus more on the value addition that IT brings to the organization rather than just giving a list of expenditures and details on where money is spent,” he says. This should be backed by feedback from senior management and end users to establish credibility, he says. Also, a clear understanding of the benchmarks and industry trends is a must, along with a clear view of the competition’s progress. Not everyone agrees that such a report would be received well, even if IT leaders could get the numbers needed for it. Ravishankar Subramaniam, director-IT, ING Life, for example, unequivocally states that it is difficult. “Numbers are viewed skeptically and hence one needs to have robust systems in the back-end which will stand up to scrutiny. Computing the tangible benefits derived out of IT is also not so easy. Explaining these can be even more difficult,” he says. Keshav Samant, VP & head-IT, Financial Technologies, seconds that point of view. “The CMO and CFO know their numbers much better than a CIO. So it is better to present the value that IT provides in a simple and easily understandable language rather than trying to impress them with calculations. Simple stories that convey the model are the need of the hour.” Some even feel that such an attempt falls outside the general purview of IT. “CIOs generally lack the marketing and presentation skills, hence it is advisable to outsource these to professionals who are good at it. Moreover, a third-party view of IT’s affairs will be considered impartial and more likely to get greater acceptance. Honestly, when I get into my office and am handed my to-do list, report generation and selling IT to the senior management takes a back seat,” says V. Balakrishnan, CIO, Polaris Software Lab. That said, the general consensus among CIOs is that an annual report is a good idea and, if generated with quality, it could serve to showcase transparency and enable easier access to funds. CIOs would, however, need to budget for a comprehensive — but not expansive — report at the very start.



Leadership Summit I CIO Discussions

Workload Balance

Photos by Srivatsa Shandilya

More intelligent avatars of workload management solutions are being created. But will the concept catch on with CIOs?

Intelligent Workload Management, which promises enterprises increased flexibility of their virtual applications with its ability to share the workload of a failing server, is receiving mixed responses from IT leaders. There are takers from the likes of Suresh Kumar, CIO and Partner, Grant Thornton. “The biggest attraction in IWM is that it seems like DR in a box,” he says.

That's a point of view K.R. Bhatt, GM-IT, NABARD, shares. “IT management generally works like a fire service. Pre-emptive measures to tackle a problem that might arise in the future are not given much importance. If there is a fire, we rush to the scene and douse it. But a DR running automatically instead of running it manually may be a good idea.” But others see less merit in the idea. “My primary requirement is to ensure that my applications run with zero downtime and an application like IWM only introduces more complexity. We have very little expertise in this domain and are just taking the first step towards virtualization, which seems to be the prerequisite for IWM,” says Ravishankar Subramanian, director IT, ING Life Insurance. There are other apprehensions surrounding the technology. “Heterogeneity of IT infrastructure is a disturbing factor and if IWM does not run on a particular hardware then none of our business critical systems can be managed using this,” says Manoj Srivastava, VP-Group IT, Reliance ADA Group. Despite their position, CIOs have been interested — if the price is right. “I have major concerns and anxiety with respect to losing control to an automated process and we are not ready to do it unless we are completely sure of what it is and what is being done through it,” says Srinivasan, Sr. GM-Business Strategy and Systems, TVS Sundaram Fasteners. But he adds, “The real catch is: what’s in it for me in terms of money. The economics of the model and the investment in it should make business sense to the organization in terms of returns.”




Long Distance


Last year saw a resurgence of UC in enterprises, primarily because of the clampdown on travel. But only a cultural shift can connect UC with enterprises, say CIOs.

The arguments in favor of traditional wired communication have waned through the years, simply because advancements in technology have forced organizations to move beyond the conventional. What makes its case weaker is the fact that employees, especially senior management, spent a bulk of their time getting to places, not to mention the money spent on tickets and phone bills. But today, technologies like unified communication (UC) have helped erase the distance, making communication cheaper, faster and more efficient. “Unified communication, with automatic re-routing, has brought in agility in the enterprise space. But it still warrants a huge cultural shift from the user's end,” says V. Balakrishnan, CIO, Polaris Software. Despite its benefits, adoption of UC hasn’t really taken off. And Vizak Badhniwalla, head-technology, Everstone Investment Advisors, feels that one of the main reasons is the fact that “Management still prefers to travel,” he says.


The problem is mindsets haven’t kept pace with the evolving technologies. Sudhir Reddy, CIO, MindTree, points out that apart from a mindset change users aren’t educated about the nuances that accompany UC. MindTree has been conducting their global annual team leaders’ meets completely on web conference. “The success of any web conference depends on many small factors: the camera's positioning, availability of sufficient lighting, behavioral etiquette, etcetera. In the beginning, people would keep their screens switched off; sometimes two people would talk at the same time,” he says. The other big factor hindering adoption of UC is data security. Regulatory compliance for high risk industries like BFSI does not allow data to be transmitted over the Internet. UC is oft marketed as a cost saver, but Tarun Pandey, VP-IT, Aditya Birla Financial Services, doesn’t agree. He says traditional networks do not have the bandwidth to support high data intensive applications like UC. This is where organizations need to make a calculated decision. UC is a good idea when the cost saving potential and resultant increase in productivity and efficiency for the organization is higher than the infrastructure investment it requires. After all, the success of any collaboration tool depends on how enterprises mature and adapt it to leverage the best possible benefit from it.




Security Vs Access

Bullish businesses want to decentralize decision making — putting data security on the back burner. It’s up to CIOs to maintain a balance.

The old challenge of balancing security with access to information is rearing its ugly head again with the renewed push to leverage the upturn. As employees are given more decision-making power — and access to data including client lists and sales information — the need to ensure they don’t misuse that access grows. In some organizations that balance tends towards security taking a hard stance. But V. Balakrishnan, CIO, Polaris Software Lab, warns that, “Hard implementations will only lead to hard repercussions. What we need is a way to compartmentalize information and provide separate access to different user groups; something like an automated flagging mechanism based on the study of behavioral patterns, especially when there is a very thin line that separates personal and official data.” This approach makes even more sense for IT leaders in certain verticals, like Sriram Naganathan, CTO & COO of Reliance General Insurance. “It is very important for us to share data,” he says. “While implementing DLP measures and rights management, the cultural factor of the organization kicks in. While we agree that security is integral to IT infrastructure, we also believe that draconian measures will only be counter-productive.” Despite this, few CIOs will agree to anything but a zero-tolerance policy towards non-compliance with policies. Some are


even willing to make public examples of offenders. “Rather than having a negative effect, this helps improve the brand value of the organization among its partners and clients as they see the honesty and transparency,” says Tarun Pandey, VP-IT, Aditya Birla Financial Services. The technology answer to the problem is an effective information security system which has a range of policies, security products, technologies, and procedures. That said, people at different levels react differently to restrictions, and generally one size doesn’t fit all, as Manoj Srivastava, VP-Group IT, Reliance ADA Group, points out. “It is generally accepted that not all people in an organization need access to everything. Information should be available on a need to know basis. Yet, it largely depends on who formulates the information policy: whether it’s the owners or whether the decision is governed by a common policy.”




Road to Agility

We live in a fast world. And if organizations don’t create fleet-footed infrastructure and cater to changing user needs, they won’t fit in.

CIOs have long been battling the strain of dealing with an inflexible IT architecture. But technologies like virtualization and thin provisioning have made their enterprises more agile and their jobs a lot easier. However, the rapid growth we are witnessing today and changing user habits demand that IT infrastructure embrace agility even more. And in an agile world, Dhiren Savla, director-technology, CRISIL, pointed out that even ‘long-term’ means “not more than 18 months.” And that’s because business demands efficiency, delivered with speed. That’s when T.G. Dhandapani, CIO, TVS Motors, introduced the concept of ‘shelf engineering’, which struck a chord with many CIOs. He defined agility as the ability to reduce the time from conceptualization to final execution. But how you get to agility depends on which route you want to take. For example, for Gopal Rangaraj, VP-IT, Reliance Life Sciences, the standardization of processes across his IT infrastructure helped in bringing much needed flexibility. “Post-standardization, we realized that we were sitting on tons of storage. We were able to free it up and allocate it to different business units. Now we urge users to demand storage,” he said. Another path to follow is to merge different apps to build a tighter infrastructure. “We have tried building our disaster recovery application on to a completely different system. This has allowed us to aggregate the systems and build more value in the same infrastructure,” said Ishita Sen, VP, center-head, Reliance Tech Services. But apart from the infrastructure, agility also means catering to changing user needs. In the age of Web 2.0, user behavior is also rapidly changing and CIOs have to deal with the tricky issue of tackling access while retaining control. “Most of our users have more sophisticated notebooks than what we can provide. Some of them prefer smartphones over computers. Today, when the concept of ‘work from home’ is becoming popular, tackling end points and ensuring they are updated and compliant with company policies is proving to be a big problem,” said Sebastian Joseph, executive VP and head-IT, Mudra Group.



thrive: your life & career path

communication

Talking Right

By Maryfran Johnson

Speakers crave useful critiques of their talks, yet most people shy away from offering helpful feedback. But good speakers are always looking to fine-tune their craft.

A few minutes into the speech, you notice it. Maybe it's a phrase the speaker keeps repeating, or a podium death-grip making the microphone wobble. Maybe it's a swiveling chair that never stops moving, or the constant twirling of a lock of hair. These 'speaker tics' are unfortunately the best-kept secrets in public speaking — a secret only the hapless presenter is unaware of. Everybody in the audience probably noticed the distracting tic. But honest feedback is the most endangered species on the speaker frontier. "Even if you did a terrible job, the host or the moderator won't tell you it was bad. It's rare for them to feel it's their role to give that insight," says Scott Berkun, author of Confessions of a Public Speaker, a behind-the-scenes look at his own successful speaking career. "It's especially difficult for executives to get good feedback. Nobody wants to tell them, 'Hey, Joe, you didn't do this or that so well.'" One way to fill the feedback vacuum, Berkun suggests, is to make your own 'Things Not To Do' list of speaker tics while you're watching someone else's presentation. "Maybe it's someone reading their slides, or never making eye contact," he says. "Use the things you find annoying to make your own checklist."

I moderate about a dozen CIO events every year, which puts me happily in proximity with dozens of good-to-great speakers — most of them CIOs, but many industry experts, consultants and authors, as well. I've found that the best speakers really probe for feedback afterward, so I've eased my way into offering very direct, specific suggestions. For example, one CIO friend who is outstanding on stage was unwittingly using the phrase "At the end of the day..." multiple times during his talk. Once I pointed it out, he asked me to keep a count during his speech. Afterward he proudly noted only using it twice. Nope, I had to tell him, he actually said it six times. Our speaker tics are sometimes more ingrained than we realize, but still, this was progress.

Professional speech coaches will often use a video recording of their clients to demonstrate whatever needs improvement. That same technique is highly recommended for a do-it-yourself critique, but the experience can be unnerving if you're not sure how to fix what you see going wrong. CIO Ramon Baez of Kimberly Clark (KMB) had that experience last year when he watched a recording of one of his talks. "I had this tendency to hum on stage when it was quiet, and I had way too much nervous energy going on," he recalls. "It was like watching that Purina Cat Chow commercial, with my legs doing this Tango back and forth." With his company's support, this already accomplished speaker sought additional training with ExecComm, a New York-based executive coaching firm, where he learned to use ‘the Arc of Silence’ to eliminate nervous humming. "See it, save it, say it" is the mantra for this technique of glancing at your next talking point, taking a second to absorb it and then saying it to the audience. "It's much higher impact, doing it this way," Baez says. "I learned to be purposeful about my pauses." This kind of fine-tuning is what good-to-great speakers are always willing — actually eager — to do.

Keep that in mind the next time you have a chance to offer some helpful, honest feedback. I guarantee you, it will be welcomed.

Send feedback on this column to editor@cio.in

Three-Minute Coach

Help! I’m having a hard time playing referee between my team and business users, whose constantly changing needs are driving my team up the wall.

Ashok Panikkar is the founder and executive director of Meta-Culture, India’s first specialized conflict and relationship management consulting business.

ALWAYS: Remember that there are at least two sides to a story, if not more. Be curious about where the pain points are for your department and try to understand what is “driving them up the wall”. Have a constructive conversation with your business users about their own challenges and concerns. Identify the gaps in expectations and interests between your team and the business user. Help both parties move from blaming each other to negotiating agreements to deal with these converging interests and needs.

SOMETIMES: When either your team or the business user is stuck within their own story, ask them what they would do if the shoe were on the other foot. Help them see how the other’s experience and perspective can be as frustrating and legitimate. You may have to advocate strongly with your own team about being sensitive to the business user’s needs. If the business user is unbending, you may have to show them what the costs to the project might be of being inflexible and not meeting some of your team’s genuine interests.

NEVER: See only your own team’s point of view. Likewise, never bend over backwards to meet only the customer’s demands, particularly if they seriously compromise your team’s needs. Successful projects are a result of cooperation between customers and delivery teams. Do not hesitate to bring difficult issues to the table and don’t shy away from difficult conversations. Just make sure you have heard all sides and dug out enough relevant information before you move into problem solving. Never leave someone feeling that their story has not been heard.

Send queries you might have to vijay_r@cio.in



Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.