From The Editor-in-Chief
Desperately Seeking Tacticians
India Inc. seems content looking for project managers.

“Hands on experience in Oracle implementation and maintenance desired...” “...at least one full cycle project implementation experience...” “Project execution, IT Infrastructure and tech support and implementation experience required...” “Candidate should be able to generate data timely...”

Interesting, aren’t they? These are but a few of the gems I came across while browsing CIO job postings over the past week. Curiously, all pertained to large enterprises operating in India. If I were to restrict myself to the three-fourths of postings that contain job descriptions similar to the ones above, then I have to conclude that the IT function is far from being strategic—it is tactical and operationally-oriented. At least, this is what organizations seem to be looking for in a person who will get a better end-to-end horizontal view of the business, than any line-of-business head or even a CFO. So, where is the CIO role heading if corporates seem to be seeking project managers rather than strategists or innovators? Does India Inc. consider IT to be more a support function than a strategic enabler? If not, why this obsession with hands-on project experience or domain expertise? I know of a financial sector CIO whose attempt to change career direction came to an abrupt halt because he lacked any steel industry experience. He did switch jobs but had to remain content to do so within the same vertical. And, is a CIO’s role about implementing ERP or cloud computing or Web 2.0 or is it about helping a FMCG organization increase rural penetration or helping it gain a better understanding of customer expectations? I would state the latter. To be fair, this perception of IT and its leaders being obsessed with technology rather than business is due, in part, to the way that some IT leaders have carried themselves — positioning IT as a black art that can only be mastered by specialists. Why then shouldn’t business look at CIOs as incapable of deciphering the needs of business? It’s up to you to change this view.

First, by engendering a climate where business sees IT as a trusted partner, and then by engaging with your business peers as a business person, not as a techie. I believe that unless you are willing to push this agenda all talk of business-IT alignment will remain futile. After all, the business of IT is also business, isn’t it?

Vijay Ramachandran
Editor-in-Chief
vijay_r@cio.in
REAL CIO WORLD | July 15, 2010 | Vol/5 | Issue/09
Contents | July 15 2010 | Vol/5 | Issue/09

Cover Story: Deep Shadows of the Law | 22
What do you do when cyber crime comes banging on your doors? Are you too scared to turn to the law? Is that because it has too many grey areas? How long can you afford to operate from a position of fear? Feature by Sneha Jha
Cover: Design by Vikas Kapoor
Inside:
Case Files: When they fell victim to cyber crime, these three organizations weren’t sure how to nail the culprits. Their stories tell you what you can — and should — do. | 26
Interviews: Pavan Duggal, one of India’s leading experts in cyber laws, on why we need a better IT Act. | 32
Himanshu Roy, Jt. Commissioner of Police (Crime), on why the IT Act has what it takes to bring cyber criminals to book. | 36
Landing in the Budget Zone | 46
How the manufacturers of Parachute, among the world’s largest coconut oil brands, ensured that their monthly expenses fell in perfectly with their yearly budget allocations. Feature by Anup Varier

IT Value: Branding IT | 42
Creating a slogan or even a logo might be the best way to promote your team internally. Feature by Mary Brandel

Deep Dive: Mobility | 61
Not very long ago, it used to play second fiddle to its wired cousin. But today the mobile phone is a world in itself. If you aren’t riding the mobile wave yet, you could be left behind.
Contents (cont.)

Departments
Trendlines | 7
Enterprise Apps | Taming the ERP Beast
Quick Take | Satish Joshi on Enterprise Architecture
Voices | Is Google Docs Enterprise-ready?
Governance | The New Value of IT
IT Strategy | Your Cloud Shopping List
Opinion Poll | Can You Keep Your Company’s Secrets?
Security | ID Management Priority No.1
Staff Management | When Gen-Y Means Business
Internet | Social Media: At Your Own Risk
Mobile Apps | Mobile Tech of the Future
Alternative Views | Desktop Virtualization

Thrive | 88
Social Media | The New Age Mutant
Column by Mike Elgan

Mentor | 92
IT Strategy | What Makes a Business CIO?
Column by Pravir Vohra, ICICI Bank

From the Editor-in-Chief | 1
Desperately Seeking Tacticians
By Vijay Ramachandran
Now Online
“We believe that IT will be key enabler in India’s rise as a manufacturing hub,” says Dr. V. Sumantran, executive vice chairman, Hinduja Automotive.
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Executive Expectations: View From The Top | 38
Dr. V. Sumantran, Executive Vice Chairman, Hinduja Automotive, on driving innovation at Ashok Leyland and IT’s crucial role in making India a manufacturing hub. Interview by Anup Varier

Strategic CIO: Security Foundation | 20
Lawyers and security consultants have something in common: To be effective they can’t be brought into a project as the last building blocks are being put in place. Column by Scott Wright
Governing Board
Alok Kumar, Global Head - Internal IT, TCS
Anil Khopkar, GM (MIS) & CIO, Bajaj Auto
Anjan Choudhury, CTO, BSE
Ashish Chauhan, Deputy CEO, BSE
Atul Jayawant, President Corporate IT & Group CIO, Aditya Birla Group
Donald Patra, CIO, HSBC India
Dr. Jai Menon, Director Technology & Customer Service, Bharti Airtel & Group CIO, Bharti Enterprises
Gopal Shukla, VP - Business Systems, Hindustan Coca Cola
Manish Choksi, Chief Corporate Strategy & CIO, Asian Paints
Manish Gupta, Director-IT, Pepsi Foods
Murali Krishna K., Head - CCD, Infosys Technologies
Navin Chadha, CIO, Vodafone
Pravir Vohra, Group CTO, ICICI Bank
Rajesh Uppal, Chief General Manager IT & Distribution, Maruti Udyog
Sanjay Jain, CIO, WNS Global Services
Shreekant Mokashi, Chief-IT, Tata Steel
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
T.K. Subramanian, Div. VP-IS, UB Group
V. K Magapu, Director, Larsen & Toubro
V.V.R Babu, Group CIO, ITC

Publisher: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Executive Editor: Gunjan Trivedi
Associate Editor (Online): Kanika Goswami
Features Editor: Sunil Shah
Assistant Editor: Kailas Shastry
Senior Copy Editor: Shardha Subramanian
Senior Correspondent: Sneha Jha
Correspondents: Anup Varier, Varsha Chidambaram
Trainee Journalists: Debarati Roy, Supriyaa Uthaiah
Product Manager Online: Sreekant Sastry

Custom Publishing
Associate Editor: Arakali A Harichandan
Senior Correspondent: Gopal Kishore
Correspondent: Deepti Balani

Design & Production
Lead Designers: Jinan K V, Jithesh C.C, Vikas Kapoor
Senior Designer: Sani Mani
Designers: Amrita C Roy, M.M Shanith
Trainee Designer: Visaka Vardhan
Photography: Srivatsa Shandilya
Production Manager: T K Karunakaran

Events & Audience Development
VP: Rupesh Sreedharan
Senior Program Managers: Chetan Acharya, Pooja Chhabra
Program Managers: Ajay Adhikari, Sachin Arora
Management Trainee: Ramya Menon

Marketing & Sales (National)
President Sales and Marketing: Sudhir Kamath
VP Sales: Sudhir Argula
General Manager Sales: Parul Singh
Asst. GM Brand: Siddharth Singh
Asst. Manager Brand: Disha Gaur
Associate Marketing: Dinesh P
Sr. Manager Client Marketing: Rohan Chandhok
Ad Sales Co-ordinators: Hema Saravanan, C.M. Nadira Hyder

Regional Sales
Bangalore: Kumarjeet Bhattacharjee, Varun Dev, Pooja Nayak
Delhi: Aveek Bhose, Prachi Gupta, Punit Mishra
Mumbai: Ajay S. Chakravarthy, Dipti Mahendra Modi, Hafeez Shaikh

IDG Offices
Bangalore: Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027. Ph: 3053 0300 Fax: 3058 6065
Delhi: 410, Hemkunt Towers, 98, Nehru Place, New Delhi 110 019. Ph: 011-4167 4230 Fax: 4167 4233
Mumbai: 201, Madhava, Bandra Kurla Complex, Bandra (E), Mumbai 400 051. Ph: 3068 5000 Fax: 2659 2708

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello. Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Advertiser Index (Advertiser | Page No.)
ADC India Communications | 17
American Power Conversion | IFC
Canon India | IBC
Check Point Software Technologies | 9
D-Link India | 24 & 25
EMC Data Storage Systems | Flap on Cover
Emerson Networks Power Ltd | 37
HCL Infinet | 15
HP Enterprise Services | 65
HP IPG | 5
NetApp India Pvt Ltd. | 49
Oracle | 3
SAS Institute | 13
Tata Consultancy Services | 53 to 60
Tulip Telecom | BC
Verizon Communications | Reverse Cover Gatefold
Western Digital | 11
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.
Trendlines: new * hot * unexpected
Enterprise Apps: Taming the ERP Beast
CIOs have been talking about enterprise app integration for decades but according to a new Forrester Research report it seems they haven't had much success. Here's what's in the way.
Limited Interoperability Outside the Suite. Most of the time, ERP apps can integrate with other packaged apps from the same vendor. "But reaching out beyond the suite is often problematic," states the report.
Middleware Choices Made by ERP Providers Promote Lock-in. "ERP vendors have long been committed to middleware solutions to help them manage their own broadening footprint and the galaxy of partners with which they engage," says the report.
A Bewildering Range of Integration Strategies. Choice is a good thing except when it comes to ERP integration. "The range of integration tools and approaches for harmonizing data processes and information services is more complex than ever, with multiple solution categories providing overlapping features," the report states.
Data Synchronization in Supplier and Partner Networks. Companies that run massive, extended value chains "must provide ubiquitous access to app services for their own and their partners' employees. However, providing access to a service like sales pipeline status may require rules to determine how to reconcile customer data for salespeople using cloud apps such as Salesforce.com with customer data used by credit controllers in the on-premise ERP." No easy task.
Business Users Want Greater App Flexibility. The consumerization of IT has proven that users are no longer content to "get by" with rigid, nonintuitive apps, so vendors have been "updating their application platforms and architecture to enable much greater flexibility," says the report.
— Thomas Wailgum
Quick Take: Satish Joshi on Enterprise Architecture
Infrastructure
To remain nimble-footed, corporations need to ensure tighter alignment of IT with business objectives. And enterprise architecture (EA) is one way of getting there. Sneha Jha spoke to Satish Joshi, EVP and global head–technology and innovation, Patni Computer Systems, for his comments on the idea:

How has Patni benefited from having a formal enterprise architecture solution in place?
IT investments are now streamlined and aligned with key business drivers; as a result, cost variables are in tune with business fluctuations. We’ve seen a higher degree of automation in the execution of business processes.

What were the challenges?
Other than the usual IT challenges in implementing and customizing the infrastructure, there were change management issues. Business processes were re-designed and re-aligned. This affected roles and responsibilities in some cases and it required people to be trained so that they could work with both new technology and differently designed business processes.

How does EA help in reducing departmental fragmentation?
EA looks at processes end-to-end and not in a fragmented fashion — unlike requirement analysis which focuses on understanding the needs of one group or department of an enterprise at a time. EA transcends the boundaries of internal organizational divisions.

When does it make sense for an organization to invest in an EA solution?
Enterprise architecture is the master blueprint of an enterprise’s IT landscape. It captures the present and the intended future state of how IT can be a business enabler. Therefore, it always makes sense to formally define enterprise architecture — regardless of what state of IT maturity an enterprise is in.

Illustration by MM Shanith
IT Management: Is Google Docs an Enterprise-ready Collaboration Tool?
Google has added several new settings to its Google Docs online document creation and editing software, and amid growing competition from Microsoft’s online Office, Anup Varier asked CIOs if it is ready to be an enterprise collaboration tool. Here is what they had to say:

“Microsoft Office remains the most powerful office productivity suite. Google Docs no longer allows offline access and it's still not as powerful as Microsoft Office.”
G. Muthukrishnan, DGM-IT, Madras Cements

“Google Docs supports considerable collaboration tools as well as improved editing and formatting options. The chat feature adds more value to it. It can be a great option for any enterprise that can work offline.”
Vishwajeet Singh, National Manager-IT, FCM Travel Solutions India

"I don't find any problems in casual document sharing for presentations, whitepapers, file sharing, and discussions using Google Docs. But moving confidential documents into the public domain is not allowed as per our current security policy."
Capt. Sivakumar, Associate Director-IT, Metlife India Insurance

Lend Your Voice: Write to editor@cio.in
Governance: The New Value of IT
CIOs have long struggled to measure and demonstrate the business value of IT investments. But there's a relatively new approach to making IT investment and operating decisions — and then proving their value to shareholders: the IT Capability Maturity Framework. The IT-CMF approach fills in the gaps of some better-known IT management framework schemes such as ITIL and Six Sigma, according to IT leaders who have used the new assessment tool. IT-CMF ranks organizations on the maturity of the approach they use to handle 36 IT processes, giving them scores of 1 to 5 in each area, with 5 being the best. The processes are broadly divided into four areas: managing IT like a business by focusing on customers; managing the IT budget to deliver better value; managing IT capabilities and developing core competencies; and managing IT for business value by linking IT investments to overall business benefits.

Vincenzo Marchese, group enterprise architect at oil giant BP PLC, says that he has used portions of the IT-CMF assessment for two years within an IT group that has 3,000 workers. IT-CMF is "a key measure to track how we do over time, but it is one measure," Marchese says. On one facet of IT management called enterprise architecture management, BP was assessed a Level 2 IT-CMF rating in 2008 and rose to a Level 3 in 2009 after making some changes, he says. In another example, when morale in BP's IT unit was fairly low after a restructuring, the IT-CMF assessment helped identify changes — such as adopting new training programs and well-defined career paths — that helped bring BP up to a Level 4 in that area, Marchese says.

Andrew Agerbak, a principal at Boston Consulting Group, says he reviewed 120 high-level IT-CMF assessments performed on various IT groups, of which more than 20 were detailed assessments, and found the IT maturity level relatively low even though some companies that were studied had invested billions of dollars in IT. One trend Agerbak noticed is that IT shops show "tremendous maturity around getting technology processes approved" by the larger organization but are "weak" when it comes to their ability to track and describe the benefits of a system once it's deployed.
— Matt Hamblen
IT Strategy: Your Cloud Shopping List
Facing strong concerns about control and security, the cloud-computing trend has drifted somewhat away from the notion that all computing resources can be had from outside, and toward a vision of a datacenter magically transformed for easy connections to internal and external IT resources. Sales of cloud-related technology are growing at 26 percent per year — six times the rate of IT spending overall, though they made up only about 5 percent of total IT revenue this year, according to IDC's Cloud Services Overview report. Hybrid or internal clouds will be the rule, however; even in 2013, only about 10 percent of that spending will go specifically to public clouds, IDC predicts. As you prepare spending plans that line up with a move to the cloud, consider these four items as key for your list.

Application Integration
Surprise: Software integration isn't the first thing most companies think about when building a cloud, but it's the most important one, according to Bernard Golden, CEO at cloud consulting firm HyperStratus. Integration means more than just batch-processing chunks of data being traded between applications once or twice per day the way that was done on mainframes, according to Tom Fisher, VP, cloud computing at SuccessFactors.com, a business-application SaaS provider. Being able to provision and manage user identities from a single location across a range of applications is critical, especially for companies that have never been in the software-providing business before and don't view their IT as a primary product, he says.

Security
The second critical factor in building a useful cloud is the ability to federate — securely connect without completely merging — two networks, Golden says. That requires layers of security, including multi-factor authentication, identity brokers, access management and, in some cases, an external service provider who can provide that high a level of administrative control, according to Nico Popp, VP of product development at Verisign.

Virtual I/O
Having to squeeze data for a dozen VMs through a couple of NICs will keep you from scaling your VM cluster to cloud proportions, according to Bill Welty, manager, IT Enterprise Architecture and Unix Operations at a large digital mapping firm. "When you're in the development stage, having eight or 10 GB Ethernet cables per box is an incredible labeling issue; beyond that, forget it," Welty says. "Moving to virtual I/O is a concept shift — you can't touch most of the connections anymore — but you're moving stuff across a high-bandwidth backplane and you can reconfigure the SAN connections or the LANs without having to change cables." Concentrating bandwidth in one device saves space, power and cabling, Welty says, keeps network performance high and ultimately saves money on network gear.

Storage
We mentioned it before, but storage continues to be the weak point — the hole into which one pours money — of both the virtualization and cloud-building world. "Storage is going to continue to be one of the big costs of virtualization," Golden says. "Even if you turn 90 percent of your servers into images, you still have to store them somewhere."
— By Kevin Fogarty
Opinion Poll: Can You Keep Your Company's Secrets?
IT pros believe that when access to business data is poorly controlled, it’s competitive information that is most at risk.

Data most vulnerable to theft (share of respondents):
Corporate intellectual property: 57%
General business information: 56%
Data from business customers: 46%
Employee information: 26%
Financial data: 14%
Personal data from consumers: 14%
Source: Ponemon Institute/Aveksa
Security: ID Management Priority No. 1
Identity management projects are getting the top attention in enterprises in terms of security spending priorities, according to Gartner. While identity management ranks first in the top five priorities for security, the balance in the list includes data-loss prevention, anti-virus, firewalls and intrusion prevention. Identity management appears to be taking the lead as a top priority as businesses look to deploy some of the more advanced federated identity technologies both within the enterprise for single sign-on and as a way to potentially extend identity-based access control into cloud-computing environments. Gartner research director Vic Wheatman acknowledges he finds it "odd" that anti-virus, long established in the enterprise, would continue to be ranked in the top five list so highly in terms of IT security projects. But in terms of firewalls as a priority, he notes that there's a movement to install next-generation firewalls. In 2009, intrusion detection and prevention was ranked as highest priority, followed by vulnerability assessment, identity management, anti-virus and security events repairing. But in 2009, "some projects were put on the shelf because of the economy," he notes, leading to a scale back in large capital-intensive projects. The Gartner 2010 analysis of what organizations are spending on IT security as part of the overall IT budget is down 1 percent over the year before to 5 percent, but Wheatman says that's hardly considered dramatic and falls within the 3 percent to 6 percent range that Gartner believes is appropriate. IT security outsourcing typically ends up listed in personnel budgets, and there appears to be a slight uptick in that arena as well, Wheatman adds.

Gartner also points out that in terms of what global CIOs at the end of last year said in a separate survey about the top technologies they were focusing on, virtualization took the top spot, followed by cloud computing, and Web 2.0. IT professionals at 308 companies participated in the survey. Gartner conducts the survey annually to assess trends, and this year it appears that projects that may have been put on the backburner because of the slowdown are now being put into action.
— By Ellen Messmer

Illustration by Vishak Vardhan
Staff Management: When Gen-Y Means Business
Let's get this straight: Gen-Y wants to work with you, not for you. Yes, its members have short attention spans, their attention to detail is poor, and they expect instant access to any level of the organization. But they also have abundant energy, they are IT savvy, and they want to work for organizations that are ethical. One final thing: they are ambitious. If you're the type of manager who can't deal with such mercurial types then there are rough days ahead.

Something else you may not know about Gen-Y: they want real careers. This is one finding of recent research by recruiting experts Hays. In a survey of 668 jobseekers, about half of Gen-Y respondents said they are now less inclined to take career risks. "One big change in perspective for Gen-Y has been the replacement of salary with career progression as the most important consideration when looking for a job," says Grahame Doyle, director of Hays. "Another change in their perspective came from the importance of an organization’s stability. Fifty percent of Gen-Y said that when looking for their next role, a company's stability is far more important. This is likely because for the first time, Gen-Y has seen first-hand how comforting employment with a stable company can be in times of broader economic turbulence."

IBM CIO Steve Godbee, a baby boomer, says Gen-Ys always come with certain motives. "They want a job that not only meets their professional expectations, but that also has added value — things to test them. When I went into my first job, people stayed with the same company for a long time. Today, people want more flexibility."

Angelo Grasso, a Gen-Xer, is not so sure about Gen-Y's rationale. "Back in 2007, it was the law of the jungle," he says. "There were lots of demands from Gen-Y. They had zero loyalty because it was a seller's market. That changed through the GFC (global financial crisis), but now it's a seller's market again," he says. "We need to be aware of Gen-Y, but don't be mesmerized by their wants. It's important to have some of them in your team because they have new ideas, energy and drive. You should nurture them," says Grasso.
— By Darren Horrigan
Internet: Social Media: At Your Own Risk
As businesses increasingly try to figure out how to use social networking tools in the enterprise, an IT governance group has released a ranking of the top five risks social media poses to companies. The study, which lists the biggest risks businesses need to prepare for when they are using social media, was released by ISACA. John Pironti, an ISACA Certification Committee member, noted that many business executives have considered some of the risks, but few have considered all of them. The top risks, which are laid out in an ISACA research paper, are viruses and malware, brand hijacking and lack of control over corporate content. Rounding out the top five are unrealistic expectations of customer service at Internet-speed and non-compliance with record-management regulations.

Pironti said ISACA isn't warning companies not to use Web 2.0 tools or to not fully embrace social networking. However, they need to go into it with their eyes wide open to the benefits as well as the risks. And he added that most of the risks stem from users not understanding how their own behavior could possibly impact the company. Pironti noted that it comes down to a need for organizations to educate users about how posting something could breach company security, hurt the company's image or even open the company up to being hit by malware. "With social media, there are so many platforms and environments to learn," said Pironti. "What are the implications of what could happen? People don't think of the damage that could occur to an organization." And since workers, either on their own or with a corporate blessing, will use social networking sites such as Facebook and Twitter, Pironti said they need to understand the line between social and business. They also need to have set corporate guidelines about what information can be shared. Pironti said company execs also need to be aware themselves that workers are using social media sites and tools so they need to have a hand in it to better protect themselves. Executives can't be aware of what is being said about a company unless someone is paying attention.
— By Sharon Gaudin
Mobile Apps: Mobile Tech of the Future
Gartner is highlighting 10 mobile and wireless networking technologies that will play a big role in B2E and B2C interactions over the next couple of years. "These were selected because they will evolve in ways that affect corporate strategies; significant numbers of customers or employees will adopt or expect them in 2011," said Nick Jones, VP and distinguished analyst at Gartner.
Bluetooth (3 and 4): Both Bluetooth updates are coming by next year, with Version 3 exploiting 802.11 for a speed boost and enabling transfer of multimedia transmissions, and Version 4 featuring a low-energy mode that will allow devices to work with external peripherals and sensors, such as laptop autolocks.
Mobile Web: Look for much more widespread use of smartphone Web browsers as better screens on smartphones make surfing the Web more inviting from these devices.
Mobile Widgets: These will rely on technologies such as JavaScript and HTML to provide handset users with real time updates on everything from the weather to blog posts.
Platform-independent mobile app development tools: These will be needed to enable apps to run across the increasingly dizzying array of mobile devices.
Mobile App Stores: Look for even more app stores beyond the most famous, Apple's. Gartner expects organizations to create their own app stores in some cases to distribute apps to customers and employees.
Enhanced location awareness: Gartner says GPS will be on more than three quarters of mobile handsets by the end of next year, and this should spur an explosion in apps to exploit location-awareness. Privacy issues will require constant attention though.
Touchscreens: Recent research shows that most smartphones now have touchscreens, so application developers will need to take this into account as they build programs.
Machine-to-machine communications: Advances here will enable new smart grid, security and retail applications and devices.
Device-independent security: Look for cloud-based security to help CIOs better safeguard corporate data and devices.
— Computerworld Philippines

Illustration by MM Shanith
alternative views B Y Va r s h a C h i d a m b a r a m
Desktop Virtualization Ayes vs Nays
“Even if your desktops are protected with the latest antivirus, they are still one-and-
half times more prone to attacks than virtual desktops.” V. Srinivas CIO, Nagarjuna Fertilizers and Chemicals
trendlines
Desktop virtualization facilitates
P hotos by S rivatsa Shandilya
IT infrastructure management a great deal since it reduces the complexity of managing individual desktops by centralizing them. More importantly, a virtualized environment makes it easier to manage software assets. Let’s agree that while IT policies dictate certain rules, there will always be a few individuals who deviate from them. In a desktop virtualized environment, the CIO centrally controls what applications and software are being used, thereby ensuring better compliance. Also, desktop virtualization offers greater flexibility to the IT department because it can now allocate computing needs according to a user’s requirement — instead of providing a standard amount of computing across. In addition, an enterprise has the advantage of better backups with a virtual environment. With individual backups you cannot take concurrent backups without investing in expensive software solutions. With desktop virtualization, a single backup at the server will ensure that all your organization’s data is safe. Finally, another aspect of desktop virtualization that is attractive is its security. Even if your desktops are protected with the latest anti-virus software, they are still one-andhalf times more prone to attacks than virtual desktops. However, enterprises and their CIOs need to carefully plan their desktop virtualization projects. It makes sense on machines which are about four- or five-years-old because they require replacement anyway. Opting for thin clients at the point of refresh will ease the maintenance and complexity challenges you face with your desktop environment. In fact, an organization can extend the life of its existing machines by converting them into thin clients.
July 15, 2010 | REAL CIO WORLD
“Desktop virtualization will cut costs by about 25 percent by lowering operating and IT support costs. But licensing and upgrades will eventually drive up costs.”
Dinesh Kumar, Executive Director (IT), NTPC
The debate around desktop virtualization reminds me of when organizations provided users with terminals which gave them secure access to apps and data. The device didn’t need to be updated each time there was a change in operating system, application development tool, application framework, database tool or system hardware. However, the approach faced major issues including the high-graphic requirements of the devices.

As a concept, desktop virtualization sounds promising since it will reduce the effort involved in updating software, maintaining systems and so on. But there is a downside: users feel neglected and that’s not healthy for an organization. With desktop virtualization, users feel that they have lost flexibility and that someone else is controlling their workstations. These days, users are very dependent on their desktops or laptops and tend to store a lot of data like personalized reports, for instance.

The allocation of computing power is another issue. High graphical performance requires reliable, relatively high-speed networks, which means an organization has a high dependency on the network. Moreover, ROI calculations for desktop virtualization are a problem area for IT organizations who’ve already invested a huge amount in procuring, configuring, and securing their current infrastructure. And when an organization moves to thin clients, disposing of existing hardware boxes becomes another headache.

Server virtualization revolutionized the datacenter and reduced costs. However, the same may not be the case with desktop virtualization. Costs will come down by around 20-25 percent but that would be primarily due to lower operating and IT support costs. But the cost of licensing and future upgrades will eventually drive up costs.
Vol/5 | ISSUE/09
Adam Bookman
Project Management
Lower Your PMO's Center of Gravity
The success of your PMO defines the success of your projects, which defines the success of your organization. What you can do to keep it from tipping over.
Project management is booming. The Project Management Institute boasts a million members. Project management ranks among the most important skills CIOs want in their departments. At the center of all of this project management activity lies the PMO, the project management office. An obscure concept 20 years ago, PMOs are nearly ubiquitous today in a business environment focused on efficiency, standards, metrics, and repeatability.

But all is not well in the PMO world. Resistance to PMOs runs high among line of business project teams. Projects still fail at a worrisome rate. Turnover among project managers remains high, creating inefficiency, and without project team cooperation, the PMO cannot perform its duties. Thus, the mission of the PMO — to deploy a common set of project management processes and governance across the enterprise so that projects succeed on time and on budget — has become jeopardized. The PMO can be saved, however, provided its leadership recognizes and avoids the following three common pitfalls that dog PMOs and their relationships with business lines and IT.
Illustration by MM Shanith

PMO Pitfall 1: The One-way Street
Reciprocity is a staple of all human interactions. Offering value for value expected lubricates everything from commerce to marriage to the playground. How reciprocal is your PMO? They probably ask for a lot: a lot of forms, rules, meetings and deadlines. They expect timely reports and accurate information, all to be delivered by the project team. But do they report back to the project team with new information that drives better decisions? Do they offer personalized coaching to project team leaders running their projects more effectively? Do they work with the team leaders to make the PMO role understood? Are your PMO heads expected to exhibit skills like leadership, communications, and the ability to influence people? I have had project managers say to me, "I give the PMO all my information all the time, but I never see it again. I get what the PMO needs, but how does it help me be better at my business?"

Bottom line: Give to get. Return value to your sources. Remember, you have two sets of customers — executive management and the project teams.
PMO Pitfall 2: One Size Does Not Fit All

Massive projects are complex and risky, and they must be managed accordingly. When your company is spending multiple crores over five years in a competitive race to boldly enter a new business with new technology, you want a PMO that can get its arms around the whole monster. You want detail-focused sticklers who value process as much as outcomes and who recognize the relationship between the two. No shortcuts, no apologies. But how many of your projects are of that magnitude — maybe ten percent? Most new projects are modest in scope. Most are routine maintenance or repair — low-risk projects performed by the same team that got it right last year. Even with small projects, costs and deadlines still need to be met and reported in standard fashion for the enterprise. But does your PMO, on encountering a routine, low-risk, low-cost project, sensibly limit what it asks of the project team, omitting certain requirements that are standard on massive projects? Or do the same rules, protocols and forms apply across all projects, no matter what the size?

The maturity of the project group should also play a part in the PMO's expectations. If a PMO staffed with long-time practitioners inherits a project led by employees who are new to the PMO environment, there are bound to be adjustments for both parties. They will unfold more smoothly if the PMO scales up its expectations over time, while the team builds its knowledge of the project and the PMO. Instead of asking, what is the full complement of information that will allow us to manage this project as we do others, ask, what is the most basic information we need for a successful launch of this project?

Bottom line: Moderate PMO requirements according to the project's risk and the team's maturity.

PMO Pitfall 3: How Am I Doing?

PMOs are good at answering management's central PMO question: How are our projects doing? They tend not to be so experienced at answering another question, probably because management doesn't ask it often enough: How is the PMO doing — from the standpoint of its customers? If PMOs tend not to be concerned about resistance or even a low-level rebellion by the project teams, it may be because rules trump relationships. If the PMO rules are satisfied, the PMO is doing fine.

At one conflict-ridden PMO we were brought in to help, we asked the head to score his performance as he believed his business and IT customers would score it. He acknowledged running about average with the line of business project team, but he was confident that all of the team members in IT would rate the PMO as excellent. "IT gets us — they value what we do," he told us. We did a survey of the group VPs in IT. To a person, they said the opposite. "We'd be better off without the PMO," was the refrain. They complied with the PMO's demands, but that's all. With the business teams, the results were even worse.

PMOs can't be the only place where poor working relationships miraculously have no negative effect on productivity and costs. Whether it's a formal blind survey, or informal but authentic questioning, PMOs need to know how their customers rate them and strive for better relationships. And management needs to know, too. Otherwise, what the PMO gains in project efficiency can be squandered on organizational dysfunction.

Bottom line: Cultivate relationships along with rules. Both will benefit. Know how the PMO is valued by its customers.

The complexities of big, difficult projects lend themselves to pitfalls like these, and they can be exacerbated by the constitutional differences of the people who tend to inhabit the business line versus the PMO. Just recognizing the pitfalls, and the damage they create among well-intended people, is halfway to avoiding them.
Adam Bookman is a managing partner in Collabera LLC's consulting division. Send feedback on this column to editor@cio.in
Scott Wright
Strategic CIO
Security Foundation
Lawyers and security consultants have something in common: to be effective they can’t be brought into a project as the last building blocks are being put in place.
Illustration by MM Shanith

The other day, the subject of lawyers came up while I was stuck in traffic, listening to a business podcast in my car. The podcaster was discussing how lawyers only provide a certain, limited value for their business clients, considering how high their fees can be. While he spoke, it struck me that many people depend on lawyers too much for protection from risks. Perhaps this is one reason why lawyers get a bad reputation: they are misused. I started thinking about how this is also a problem with security consultants, and their reputations. When you make a quick tally, the number of similarities between lawyers and security consultants is almost scary:

1. Lawyers are pretty expensive if you pay them by the hour. So are security consultants, and their clients don't let them forget it.

2. If risk is a common issue in your business, it can be very worthwhile to hire lawyers as permanent employees. The same goes for security consultants. In fact, many are not really cut out to be in business for themselves at all.

3. Lawyers will usually tell you what the safest thing to do is, assuming you don't want to be exposed to any risk. Security consultants have a habit of thinking the same way. Just when you think you've covered all the issues, there's John at the back of the room with his finger waving at the sky saying, "Just one more scenario that you may not have considered..." (as all the eyes start to roll back in everyone's heads).

4. Lawyers are good at coming up with wording that will protect you in almost every conceivable way. Bulletproof is the word that comes to mind. Security consultants, left unattended, have been known to propose a Fort Knox solution when management was thinking more of a corner store ATM budget.
5. If you pay them enough for travel and meals, most lawyers will come and visit you in your place of business. I haven't met many security consultants who wouldn't take on an engagement in any location for the right fee, or any fee, for that matter.

6. Lawyers and security consultants don't usually accept much, or any, responsibility for the failure of a business initiative that they provided advice on. They always have a disclaimer that says, essentially, "It is YOUR responsibility to accept the risks that go with your decisions." Now, in case you're thinking you can solve that problem by making them a business partner, here's an interesting thing to consider: don't be surprised if your lawyer is smart enough to put an escape hatch in the JV agreement. Something like this: "Despite the fact that I'm on your team, you should really get independent legal advice." Security consultants aren't that smart, however, and may be convinced to take on some of the risk in the venture. (They also don't get invited to be partners very often.)

7. Both lawyers and security consultants have a pretty shallow view over a broad range of businesses: an inch deep and a mile wide. Often, they are called in at the last minute to solve a problem. But they have not been involved in the entire business process that led to that problem. They try not to make you feel too stupid when they say, "It's too bad you didn't call me in before you decided to do this. But, don't feel bad. It's a common mistake."

Despite this rather cynical look at lawyers vs. security consultants, I'm not negative on them at all. After all, I am one (or was until my colleagues read this column). But in reality, any expert advisors on risk can bring along the same pitfalls. It is good to have an objective viewpoint on the situation to give you a shot of reality. But it really is ultimately your responsibility to decide on whether your approach presents acceptable risk for your business.
Input from anyone at a point late in the process of rolling out a business initiative has to be discounted a bit, simply because they were not intimately involved in the process. It's a bit of a paradox because if you don't look for objective outside viewpoints every once in a while you risk getting trapped in something psychologists call ‘groupthink’. This occurs when everybody in the room agrees or supports an idea for various reasons, so it becomes a foregone conclusion that the idea is, in fact, a good one, when it may not be. The paradox is summarized in a short but sweet quote by the late author John Gardner: "Pity the leader caught between an unloving critic and an uncritical lover."

As an example, imagine that everybody on the team of executives, managers, developers and sales people believes the market for an ‘Ethics-in-a-Box’ software is set to take off, in light of spiraling business morality trends (hypothetically speaking). But if the team had a market research analyst in the room, they might realize some more subtle undercurrent in the market is about to undermine their key assumptions. Or maybe the entire team just discounts the worst case scenario out of ignorance.
Groupthink has probably been a factor in most new product failures throughout history. Everybody seems to think it is a good idea, but some important fact or risk has not been considered. The key is in understanding which risks from a wide range are important, and what you can do to mitigate them. While it would be nice to be able to afford a lawyer and a security consultant in every aspect of a business initiative, it would obviously be expensive. But having experts review your situation on a regular basis — throughout the business cycle — is still feasible, as long as they are able to learn quickly and temper their critical urges to emphasize every possible risk.

The project won't get far with a bunch of naysayers. You need people with a can-do attitude. But they have to be able to put risks in perspective and be willing to listen. It's far more helpful for lawyers and security consultants to offer ‘critical success factors’ than to simply shoot down ideas as being risky. So what you would really like them to say is, "I've seen that approach fail before because, traditionally, any product trying to sell ethics does poorly. But if this is something you really want to do, you could try getting an endorsement from Lee Iacocca or the Pope… and perhaps have a contingency plan in place in case the product doesn't sell, like giving it away to non-profits and taking a tax deduction for the list price." (Is that ethical? Not sure.)

With this in mind, the next time you hear a lawyer or security consultant say "you will get sued if you do that" or "that's too risky", think about how intimately involved they were in your business decisions to that point, and think about how often they get called in to fix something after bad decisions have already been made.
Business people who have a can-do attitude and a healthy respect for risks are encouraged to share their views and experiences, and to focus on identifying the ‘critical success factors’ for navigating the risks in any situation. In the end, no matter who you hire as an expert, the business owner still shoulders the risks. So you should do everything that's economically feasible to understand them, and your options.

Scott Wright is a security consultant, writer, speaker, and podcaster based in Ottawa, Canada. He is founder of The Streetwise Security Zone website and podcast, as well as The HoneyStick Project, and writes a blog called Scott Wright's Security Views. Send feedback on this column to editor@cio.in
Cover Story | Legal
What do you do when cyber crime comes banging on your doors? Are you too scared to turn to the law? Is that because it has too many grey areas? For how long can you operate from a position of fear?
By Sneha Jha
In the Deep Shadows of the
Time to take stock. Let’s consider this: According to Symantec, cyber crime has surpassed drug trafficking as a way to make money. And with virtual traffic increasing by the minute, so are cyber criminals. If that doesn’t worry you, this will: India is home to the fourth-highest number of Internet users. A recent study by the Internet and Mobile Association of India (IMAI) points out that Internet usage in the country jumped to 20 percent in 2009. And with it, India surged to the fifth spot in malicious activity in 2009 from 11th spot in 2008.

“As the third-largest cyber country in Asia after China and Japan, India may become a soft target for cyber crime,” says N.S. Nappinai, advocate at Independent Law Practice and co-founder of Technology Law Forum. “We need a robust legal mechanism to curb the menace of cyber crime. The legal framework should provide relevant safety nets to users, empower law enforcement agencies and deter criminals,” she adds.

And that legal framework is the Information Technology (Amendment) Act, 2008 (ITA). The Act, for its part, has cast a wide net to cover more offences, including cyber terrorism, data theft, Wi-Fi hacking, identity theft, and even spam. It also gives unfettered power to the government to monitor all e-traffic. “To add more teeth, the interception, blocking and monitoring powers have been more elaborately covered. However, it could have been better if certain activities like ‘hacking’ and ‘spam’ were dealt with more severely,” says Satish Warrier, CISO, corporate audit & assurance, Godrej Industries.

Also, the inclusion of the concept of data protection, believes Sameer J. Ratolikar, CISO, Bank of India, is significant. Prior to the amendments there was no sensitization towards the concept of data protection. But is that enough? Not really. Both Warrier and Ratolikar feel that the Act still doesn’t come down heavily enough on cyber criminals. “Since offences with three years’ imprisonment are bailable, it may not discourage cyber crime to the desired extent. In an era where employees misuse confidential information, this could be a dampener for corporates since they cannot put their errant employees behind bars,” says Warrier. Neither is Ratolikar happy with the fact that the Act seems to lean towards the customer when it comes to online frauds. “The law favors customers. Where online banking fraud is concerned, there is no clarity on whether the onus lies with the bank or with the customer,” he says.

If there’s too much power with the customer, there’s more with the government. The Act has provided enhanced e-surveillance power to the state without adequate safeguards to citizens. “A lack of independent oversight makes these intercepting powers liable to misuse. Perhaps the most alarming aspect of the Act is its failure to put in place a safeguard mechanism that would stop the state from misusing it. The Act vests huge powers without corresponding responsibility,” says Nappinai.

Another thing that could encourage cyber crime is the abysmally low rate of reporting of crimes. This is largely because corporates fear negative publicity, which could damage their reputations irreparably. “They need to be more open-minded in reporting incidents of cyber crime and not just patching the vulnerabilities with quick fix solutions,” says Nappinai. Is a lack of knowledge of the law another factor discouraging corporates from reporting cyber crimes? Nappinai thinks so. Yes, the law is ambiguous and there is a need to clear the mist. And that’s what we’re attempting to do with this cover story. We recount three incidents of cyber crime that were perpetrated at three enterprises operating in different industry verticals — and what happened — or would have happened — when the law took its course. A crime that goes unreported is a crime that never happened. It’s time we stopped operating from a position of fear.

In this story:
Case of the Stolen IP
Case of the Missing Money
Case of the Faulty Phones
Interview: Pavan Duggal, Advocate, Supreme Court of India
Interview: Himanshu Roy, Jt. Commissioner of Police (Crime)

Reader ROI:
The surprising reach of the law
Penalties and liabilities
Legal ramifications of the new amendments
CASE 1: Case of the Stolen IP

Hardware blueprints that could make or break a company. A young and ambitious man with few scruples. A country whose legislation was just coming to terms with cyber crime. Nishant Khetrapal thought he could get away with theft, until the law caught up with him. But did it?

It was a warm summer morning and the eight o’clock sun shone so bright it hurt the eyes. Typical of a mid-week Mumbai day, the scene at Avenue Road was one of organized chaos. Pedestrians darted across the busy street as cars, taxis, auto-rickshaws and motorbikes jostled for space. Roadside tea stalls were doing brisk business as office-goers stopped for a quick cup of tea and vada pavs. Behind them, standing apart from the bustling background, stood a swanky, multistoried granite and glass building. It was the corporate headquarters of ABC (name changed), a western India-based hardware and equipment manufacturing company. As the people sipped at their cups of tea and pored over the day’s newspaper, few noticed a metallic grey Honda Civic that halted in front of ABC’s office. As the car pulled up in front of the entrance, Nishant Khetrapal (name changed), a senior executive of ABC, stepped out before it completely came to a standstill. He was at work early that morning and he was in a hurry. He nodded curtly at his driver and walked rapidly towards a bank of elevators. If there had been a camera watching the street it would have revealed a tall thin face charged with a strong sense of purpose and urgency.
VIEW: “Why was there no data leakage solution installed on Khetrapal’s PC? Digital rights management technology coupled with data leakage software could have prevented this. And from a physical security angle, when Khetrapal entered the office to destroy evidence, his movements could have been captured using a CCTV. This would have helped ABC strengthen their case.” -- Sameer J. Ratolikar, CISO, Bank of India
As he strode onto the landing of the fifth floor, he noticed that none of his colleagues were in and he heaved a sigh of relief. Khetrapal then walked towards the espresso machine situated at the centre of the floor. He waited impatiently as the machine hissed, gulped down two cups of almost scalding coffee and went straight into his cabin. Then he pulled out his laptop and got to work. By nine o’clock his colleagues began trickling in. One of them, Jatin Arora (name changed), saw Khetrapal hunched over his laptop and knocked on his door. “How come you’re here so early?” he asked cheerfully. “I’m on a mission,” replied Khetrapal tersely as he logged off his machine. Seeing the perplexed look on Arora’s face, Khetrapal laughed and said, “Just joking. You take me way too seriously. Don’t you remember we have an important meeting on product design today? I was just fine-tuning my presentation.” Arora wished him luck and shut the door.

Khetrapal was an important man at ABC. During the eight years he had spent with the company, he had risen swiftly and currently headed the department that developed new products. That gave him access to business critical and confidential information, so as a matter of routine he had been asked to sign an NDA clause which prohibited him from joining ABC’s competition. Over the last year, Khetrapal had worked hard to develop innovative equipment for the company. Today was a big day for him: he was taking his designs to the MD of the company. It was the culmination of six months of work and he knew it would impress the company’s top management. Smiling to himself, he looked at his watch, gathered his things and headed to the conference room.

Two hours later, Khetrapal emerged. He had made an impactful presentation and had every listener sitting up attentively. The MD was especially impressed. The job done, Khetrapal called it an early day. He waved good bye to some colleagues as he exited the door — as an ABC employee for the last time. He was going to meet his future employers, who had already received plans for the prototypes that morning via e-mail.
The Crippled Arm of the Law

It was almost a week before Khetrapal’s colleagues started worrying about his absence. The organization’s efforts to connect with him ended in vain. More days passed and still there was no trace of Khetrapal. By the third Monday after Khetrapal had disappeared, the lines of worry showed visibly on the face of ABC’s MD, Mukesh Singh. He was banking heavily on the prototypes Khetrapal had created and with him missing the future of his company was in jeopardy. Outside his tinted windows, the pre-monsoon weather, with its dense rain clouds and sudden gusts of wind, didn’t help Singh’s heavy mood.

Then at 11 o’clock the phone in Singh’s plush office rang. The caller confirmed Singh’s worst fears: his competition had obtained the prototypes ABC was working on and was planning to launch products based on them. For the MD of ABC, it was his worst nightmare come true. He knew that it was only a matter of time now before his rivals captured ABC’s marketshare. A key business advantage had slipped from ABC’s hands like sand. He was dumbfounded.

Singh quickly got into action. He picked up the phone and asked friends in the industry to unearth Khetrapal’s whereabouts. He got his answer soon enough. Khetrapal had joined the competition and in order to win favor with his new employers he had flouted the terms of the NDA he had signed with ABC. Singh started examining ABC’s electronic records and discovered that Khetrapal had sent a few company-confidential e-mails from his official e-mail ID to a personal e-mail ID and also to the competition. Armed with that information, Singh lodged an FIR against Khetrapal with Mumbai’s cyber crime cell. A criminal case was registered under the IT Act and Khetrapal was soon arrested. But the amendments to the IT Act allowed Khetrapal to be released on bail. Within days of his arrest he was out.

In the meanwhile, police personnel — grossly ignorant of the need to preserve electronic evidence — had not taken Khetrapal’s laptop into police custody. The machine that had vital evidence lay in the company’s basement. When Khetrapal was released on bail he had just one objective in mind: he had to destroy all traces of his crime. He bribed one of the security guards to give him access to the office after business hours and got an office boy to tell him where the laptop was. It took him a few minutes to replace the laptop’s hard drive and walk away.

By the time the police came scouting for the laptop, they found that it contained nothing but games. Not only had Khetrapal tricked his company, he had also deceived law enforcement agencies. The case was dismissed due to a lack of evidence and Khetrapal got off scot-free.

(This case study is based on a true story. The names of the characters and the organization have been changed because the case is sub judice.)

LEGAL EAGLE
Commentary from one of India’s top cyber lawyers: Pavan Duggal.

This is a classic case of unauthorized sharing of protected electronic documents and breach of confidentiality by an employee. If an employee who has access to business-sensitive, confidential data shares that information in an unauthorized manner, he can cause irretrievable damage to a company. In today’s highly-competitive market, a corporation’s confidential information and intellectual property have a significant business value. Hence, diminishing the value of information assets residing in a computer system is a punishable offence. When your confidential corporate information — in an electronic form — is misused or transmitted in an unauthorized way by an employee, that amounts to an illegal activity and breach of trust. Such an act committed with malicious intent is specifically covered under the IT Act. It’s an offence under Section 66 of the Information Technology Act 2000 and is punishable by three years’ imprisonment and a fine of Rs 5 lakh. This is a bailable offence but if such an act is committed by an employee then it could also be clubbed with Section 406 and Section 408 of the Indian Penal Code because the act is tantamount to criminal breach of trust by an employee.

In addition, when an employee indulges in such an act, he should be prepared to be sued for damages by way of compensation of up to Rs 5 crore under the amended IT Act 2000, should his identity come to light. These proceedings do not even have to go before a court of law, but can be heard by adjudicating officers. If an employee misuses sensitive data in an electronic form and shares it in an unauthorized manner, he needs to be prepared for a twin exposure to the law. The first is a civil exposure where the company could seek damages by way of compensation of up to Rs 5 crore. The second exposure is criminal exposure where a case of cyber crime can be registered by the company under the IT Act. And punishment could range from three to 10 years of imprisonment.

That said, post the amendments, corporates have been put in a disadvantageous position because such crimes have been made bailable offences. Culprits are entitled to bail as a matter of right. And when the accused is out on bail, he could delete any electronic evidence that incriminates him. I think corporates need to be more vigilant because the law has now leaned on the side of the offender. They need to safeguard their information assets more proactively.
CASE 2: Case of the Missing Money
Gulfam Mustafa was afflicted by affluenza: a viral disease among the young that forces them to spend more than they can earn. He was sure of one thing: he wasn’t going to work for the rest of his life. So he hatched a plan that would rock the nation and bring the operations of many BPOs under the scanner of the law.

It was five o’clock on a fine Wednesday morning. The nip in the air hinted that winter had set in prematurely. The well-lit corporate buildings located at the Global Business Park stood tall in the mellow winter sun. But there was nothing mellow inside the five-storied offices of ValueServices BPO (name changed). The 2,500-strong BPO outfit, which handled customers for about 65 clients, including PBI Bank (name changed), was bursting with activity. Even at the crack of dawn, BPO executives were frantically responding to customer queries, focusing their bleary eyes on computer screens and downing endless cups of coffee to keep sleep-laden eyes from shutting.

Gulfam Mustafa (name changed) was one such customer relationship executive responding to incessant queries. The 22-year-old had joined the BPO firm three months ago and catered to the US-based customers of PBI Bank. A college dropout by choice, Mustafa was a victim of ‘affluenza’: the desire for material objects that forces you to spend more than you can earn. He had joined ValueServices because his family refused to shell out for his extravagant lifestyle. Although Mustafa belonged to a new breed of frustrated and disoriented workers, he had excellent people skills. And this won him favor with customers and team-mates alike. Salim Khan (name changed) was his closest friend in the team. They often hung out at the office cafeteria, trading jibes and planning the future. Today was no different. After an eight-hour shift Mustafa couldn’t stave off the gnawing pangs of hunger and walked over to Khan’s cubicle. “Wanna get a quick bite? I am starving,” Mustafa asked.

“Sure, let’s go to the cafeteria,” replied Khan. “Not today. I want to try that new roadside Chinese food stall. I need some Chinese,” said Mustafa. Khan was a little surprised. The two had never frequented a roadside eatery in the last three months. And it made little sense to walk all the way to a roadside stall when their office cafeteria had much better — not to mention cleaner — food. But Khan wasn’t in a mood to debate the point. At any other time of the day, the Chinese stall would have been a beehive of activity. But at seven in the morning, it wore a deserted look. Mustafa and Khan were the only customers and they quickly placed their order. As they wolfed down their food, Mustafa told his friend, “I have a master plan to get rich fast.” “You mean that old uncle of yours? Don’t count on it. He’s a tough nut,” replied Khan. Mustafa asked him to shut up and said, “I see no point in slogging it out all my life. I want to make some money really quick and fulfill my dreams. I want to own a car, a nice house and travel a little.” Khan, who had noticed a change in the pitch of Mustafa’s voice, asked, “What’s your plan?” “I have been serving customers diligently for the past three months and now I ought to get rewarded for it,” said Mustafa, feeling the need to justify the idea he was about to broach. “What reward are you talking about? Why should the customer give you a reward? Are you out of your mind?” asked Khan. Irritated, Mustafa said, “Do I have to spell everything out to you? We will use our customers to get rich super fast. It’s simple. We deal with their financial accounts every day. It shouldn’t be too hard to sweet talk some gullible customers into giving us their financial details.”

Suddenly aware of their surroundings, the duo lowered their voices. They swapped ideas of how they could dupe customers into giving them their bank details and how they would transfer money into bogus accounts that they would open for themselves. Part of the plan was to involve

VIEW: “The BPO should have made employees aware of the legal consequences under the IT Act and carried out a risk assessment and classification of their information and secured more sensitive data. It should have also educated clients not to divulge sensitive data. Rotating employees is also a good idea.” -- Nadeem Qureshi, CISO, Tata Motors
Cover_Story_JULY_OPTION2.indd 26
VIEW
Vol/5 | ISSUE/09
7/14/2010 6:25:11 PM
Cover Story | Legal
LEGAL EAGLE Commentary from one of India’s top cyber lawyers: Pavan Duggal. other team-mates and share from an account-holder The crime was obviously committed using unauthorized the money. who was denied a money access to the ‘electronic account space’ of customers. It With, their plan in place, withdrawal. Three other is therefore firmly within the domain of cyber crimes. they returned to work the account holders quickly Under Indian IT Act 2000, the offence is recognized next day. As the day went by, followed suit. All of them both under Section 66 and Section 43 (penalty for Mustafa used his persuasive denied having withdrawn damage to a computer or computer system). Accordingly, the amounts the bank’s skills to gain the confidence the persons involved are liable for imprisonment and of his customers, including records showed. as well as a liability to pay damage to the victims to the the personal identification Alarmed by these reports, maximum extent of Rs 1 crore per victim for which the numbers (PINs) of four the New York Branch of PBI adjudication process can be invoked. (Adjudication is a US-based accountholders of Bank sensed something fishy process by which an arbiter or judge reviews evidence PBI Bank on the pretext of and traced the transactions and argumentation set forth by opposing parties to come helping them. Because call to India and alerted their to a decision which determines rights and obligations center employees are frisked Indian counterpart. The between the parties involved.) when they step in and out BPO outfit was informed The case (on which this case study was based on) was of the office, he could not jot about the cyber crime registered under Section 66 of the IT Act. In addition to down the account numbers that had been perpetrated this, various other sections like Section 406, 408, 409 and made a mental note of the by its employees. The (all these three deal with criminal breach of trust), 420 PIN numbers. 
Once outside officers of PBI Bank and (cheating), 379 (stealing), 120B (criminal conspiracy) of the building, he went straight the MD of ValueService the Indian Penal Code can be invoked in such a case. to a cyber café from where he filed a complaint with Further when the culprits went ahead and did salami accessed their accounts. the local cyber crime cell. transaction they had forged electronic records. Electronic Then with the help of The police swung into forgery is an offence under Sections 463 (forgery), 464 some of his team-mates, action immediately. (making a false document), 469 (forgery for purpose of they prepared false cyber The police contacted the harming reputation), 470 (forged document or electronic identities and used forged banks where the money record), 471 (using as genuine a forged document or documents to open benami had been transferred to electronic record) of the Indian Penal Code. Under accounts (accounts in other and notified them about section 79 the BPo and the corporate were at fault on the people’s names) in various the act of fraud. The bank grounds of lack of due diligence. (Section 79: “Nothing is banks in and around the authorities instantly froze an offence which is done by any person who is justified by city. The conspiracy finally the perpetrators accounts law, or who reason of a mistake of fact and not by reason took shape when Mustafa and agreed to let the police of a mistake of law in good faith, believes himself to be started carrying out salami know when any of the justified by law, in doing it.” Basically, it protects the BPo transactions (siphoning off account-holders turned up from the law because it acted on good faith. ) small amounts) by illegally to withdraw money. transferring money out of In the meanwhile, Mustafa those customer accounts into had retuned from his holiday the bogus accounts of the gang’s members. Soon, Mustafa and decided to go to the bank to withdraw some cash. He was in the mood to buy a car. 
When he reached the bank, the and his team-mates siphoned off Rs 1.35 crore from the bank manager informed the police who rushed to the spot accounts of PBI Bank’s New York-based customers. and detained Mustafa on grounds of suspicion. Since it was his idea, Mustafa took a lion’s share of the After a six-hour interrogation, Mustafa confessed his money, quit ValueServices and went to Hawaiian islands for crime and revealed the names of all the 15 accomplices a month-long vacation. His accomplices decided to continue who helped him commit fraud. The police personnel with their job for a couple of months because they knew that conducted a full scale enquiry into the matter and the sudden departure of so many employees would raise brought the accused to book. suspicions.
The Price of Greed In the meanwhile, trouble started brewing at the New York office of PBI bank when it received a complaint
Vol/5 | ISSUE/09 ISSUE/08
Cover_Story_JULY_OPTION2.indd 27
(This case study is based on a true story. The names of the characters and the organization have been changed to protect the reputation of the company.) REAL REAL CIO CIO WORLD WORLD || JJ UU NLYE 11 55 ,, 22 00 11 00
22 97
7/14/2010 6:26:38 PM
CASE 3
Case of the Faulty Phones

It was just another working day for head of IT infrastructure and facilities, Rachit Dolia, until his facility manager barged into his room with fear written all over his face. Could it be possible that they had been hacked? Had someone got into their infrastructure? Could they trust the police to help? Time was running out...

The facility administration manager was a worried man. A deeply worried man. On his desk was a composite telephone bill of the multiple lines his organization had used in the last month. It had just arrived and his surprise at the thickness of the envelope was overshadowed by the shock he received 20 seconds later.

Vikas Deshmukh (name changed) frowned at the envelope. The telecom provider's utter disregard for the environment was annoying. Sending him a paper bill with 42 supplements! Imagine that! As he opened the envelope, his trained eyes automatically searched for the total. When his eyes locked on the number his face crumpled. A sharp inhalation of breath was followed immediately by an expression of utter shock. His jaws refused to clamp as his lips quivered and his eyebrows struggled to meet his receding hairline.

It was hard to shock Deshmukh. In the last five years, as an employee of one of India's leading software services companies — and being based in the country's financial capital — he had seen every trick in the book. From experience he could guess his company's telephone bill to the nearest ten. But this bill, for the month of August, threw his estimate out of the window. He was looking at a bill that pointed to additional calls, originating from headquarters, amounting to no less than Rs 12 lakh! As Deshmukh's mind reeled at the figure, something told him that external fraud was afoot. That's when it hit him. He recalled an obscure e-mail he had received from the company's telecom provider hinting at some unusual activity on the company's centralized EPABX system, which handled both external PSTN calls and the internal VOIP network. He mentally kicked himself. If he had not lost that important tip-off under the grind of the daily routine, he could probably have prevented this from happening. But he was not going to make the same mistake again.

The distraught administration manager wasted no time and rushed to the office of the CIO, who headed both the company's IT infrastructure and facilities. Rachit Dolia (name changed) was conducting an update meeting with his team. The company was in the midst of a large enterprise-wide implementation and some project management best practices had been ignored in a rush to meet an intermediate deadline. Those actions were coming back to haunt them. "I understand the need for damage control but…" Dolia cut off one of his direct reports with a raised hand at the sight of the perturbed Deshmukh. "It's important. You really want to see this," said Deshmukh, looking hard at Dolia. The sudden tension was apparent to everyone and, without having to be told, they nodded at Dolia and filed out of the room.

As soon as they left, Deshmukh handed over the telephone bill, and watched Dolia's head push back in disbelief. Dolia quickly recovered. He flipped through the multi-page bill looking for a pattern, and he found it soon enough. Most of the originating calls were time-stamped after office hours on weekdays and almost throughout the day and night during the weekends. His darkest fears were confirmed: his organization was under a damaging telecom hack attack. And things could worsen if he didn't move fast. He closed his eyes, leaned back into his chair, and took a deep breath. It was going to be a long day and he needed to stay calm. He made a mental checklist and set his jaw determinedly. No one was going to take on his infrastructure. He picked up the phone, barked off orders to his team, and then dashed off a confidential e-mail to key senior managers apprising them of the situation.

Hitting Back

Despite the churn in his mind, Dolia knew his challenge was two-fold. First, he had to counter the attack and curtail further damage. Second, he had to keep all of this under wraps because the company's reputation was at stake. If an inkling of the hack reached their offshore customers, it would create a devastating dent in both their bottom and top lines. As he took control of the situation, he set out two very clear instructions: PULL THE PLUG. NOT A SINGLE WORD.

Following his instructions, all the company's telecom connections were severed and the EPABX system brought offline. The organization was now completely isolated. Key personnel were told about the telecom attack and sensitized to the risk of its news spreading. Because employees would be asked by customers why they were not contactable, they were also informed and cautioned. Letting customers assume that there was a communications breakdown in India was less damaging than allowing them to know their EPABX system had been hacked.

In the meanwhile, the CIO and his team went to work on the bills. They pored over call lists. By the time the communication blackout entered its third day, the IT team — in collaboration with the telecom provider — had figured out that a very large number of calls, originating from an Eastern European country, were entering the EPABX system. And for every incoming call there was an outgoing call of the exact same duration going to Zimbabwe. Their investigation also revealed that the telephone numbers of the incoming and outgoing calls were masked as 'Do Not Exist' numbers. It became clear that the calls were being routed through the hacked EPABX system and piggybacked on unmarked international calls over the network. For all practical purposes, the calls were originating from the organization. Forensics was run to further analyze all the other possible security breach angles to the incident.

The EPABX system along with the communications ecosystem was strengthened, and the organization's telephony procedures and practices were re-examined. Thanks to the concentrated efforts of Dolia and his team, they were able to track down the last-known location of the perpetrators. But Dolia was unsure of the legal recourse his organization could take given that the incident involved international jurisdictions. After some thought, they decided not to risk the company's reputation and closed the case.

VIEW
I don't agree with the reaction of the company. It shut down its EPABX service for three days. That, in my opinion, is an extreme reaction; the situation did not warrant such a measure. Also, as standard practice, I would have monitored calls on a daily basis to identify patterns. That way I would have been alerted if I saw a pattern like late night calls, high billing or an increased number of outgoing calls. -- Vishal Salvi, Senior VP & CISO, HDFC Bank
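The pattern Dolia's team pulled out of the bill (calls time-stamped after office hours and on weekends, every inbound call mirrored by an outbound call of the exact same duration, numbers masked as 'Do Not Exist') is the kind of check the daily call monitoring recommended in the VIEW above would run. The script below is an added example, not code from the case study or from any organization named in it; the CDR column layout, the 09:00-18:00 office window, the 15-second pairing window and the sample records are all constructed assumptions.

```python
# Daily toll-fraud check over EPABX call detail records (CDRs). Added example:
# CDR layout, office hours, pairing window and sample records are constructed.
from datetime import datetime, timedelta

# Constructed sample CDRs: direction,start,duration_seconds,caller,callee.
# The first four lines mimic the call-through pattern from the case: an inbound
# call is mirrored seconds later by an outbound call of equal duration, and the
# far-end number is masked as "DO NOT EXIST". 2010-08-14 is a Saturday.
SAMPLE_CDRS = """\
in,2010-08-14 02:13:05,612,DO NOT EXIST,+91-22-5550100
out,2010-08-14 02:13:08,612,+91-22-5550100,DO NOT EXIST
in,2010-08-14 02:40:11,300,DO NOT EXIST,+91-22-5550100
out,2010-08-14 02:40:13,300,+91-22-5550100,DO NOT EXIST
out,2010-08-16 10:05:00,120,+91-22-5550123,+1-212-5550199
out,2010-08-16 14:30:00,45,+91-22-5550124,+91-80-5550111
out,2010-08-17 22:15:00,900,+91-22-5550100,+263-4-5550177
"""

OFFICE_HOURS = (9, 18)                # assumed 09:00-18:00, Monday to Friday
PAIR_WINDOW = timedelta(seconds=15)   # assumed max gap between paired call starts
MASKED_LABELS = {"DO NOT EXIST", ""}  # what the bill shows instead of a real number

def parse_cdrs(text):
    """Parse CSV-style CDR lines into dicts, numbering them for later matching."""
    records = []
    for seq, line in enumerate(text.strip().splitlines()):
        direction, start, duration, caller, callee = line.split(",")
        records.append({
            "seq": seq, "direction": direction, "caller": caller, "callee": callee,
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "duration": int(duration),
        })
    return records

def is_after_hours(ts, office_hours=OFFICE_HOURS):
    """True on weekends or outside the office-hours window."""
    if ts.weekday() >= 5:
        return True
    return not (office_hours[0] <= ts.hour < office_hours[1])

def is_masked(number):
    return number.strip().upper() in MASKED_LABELS

def find_call_through_pairs(records, window=PAIR_WINDOW):
    """Pair each inbound call with one outbound call of identical duration that
    starts within `window` after it; such pairs show the PBX relaying calls."""
    outbound = [r for r in records if r["direction"] == "out"]
    used, pairs = set(), []
    for inbound in (r for r in records if r["direction"] == "in"):
        for out in outbound:
            if out["seq"] in used or out["duration"] != inbound["duration"]:
                continue
            if timedelta(0) <= out["start"] - inbound["start"] <= window:
                pairs.append((inbound, out))
                used.add(out["seq"])
                break
    return pairs

def flag_outbound(records):
    """Return (record, reasons) for every outbound call that trips a check."""
    relayed = {out["seq"] for _, out in find_call_through_pairs(records)}
    flagged = []
    for r in records:
        if r["direction"] != "out":
            continue
        reasons = []
        if is_after_hours(r["start"]):
            reasons.append("after-hours")
        if is_masked(r["caller"]) or is_masked(r["callee"]):
            reasons.append("masked-number")
        if r["seq"] in relayed:
            reasons.append("call-through")
        if reasons:
            flagged.append((r, reasons))
    return flagged

def summarize(records):
    """Headline numbers for the daily report."""
    out = [r for r in records if r["direction"] == "out"]
    after = [r for r in out if is_after_hours(r["start"])]
    return {
        "outbound": len(out),
        "after_hours_outbound": len(after),
        "after_hours_minutes": sum(r["duration"] for r in after) // 60,
        "call_through_pairs": len(find_call_through_pairs(records)),
    }

if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    print(summarize(recs))
    for rec, why in flag_outbound(recs):
        print(rec["start"], rec["callee"], f'{rec["duration"]}s', ", ".join(why))
```

Run against a real PBX export, the after-hours count and the paired-call count are the two numbers worth trending day over day; a jump in either is the early warning that the tip-off e-mail in the case should have triggered.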
And once again a cyber attack case went unreported. Once again, the perpetrators got away, only to successfully bring down another corporate communications network and illegally piggyback on it. And for many CIOs that's the only recourse they have: be proactive and make sure you're never the victim. Even with a seemingly harmless EPABX system. It's a lesson Dolia would never forget.

LEGAL EAGLE
Commentary from one of India's top cyber lawyers: Pavan Duggal.
If this had gone to court, it would have been dealt with under Section 66 of the IT Act. At the time of the incident, the IT Act of 2000 was in force; it was a non-bailable cognizable offence, punishable by three years' imprisonment and a Rs 5 lakh fine. This is so because the EPABX system had been hacked. In the eyes of the law, the EPABX system itself is like a computer because it performs the same functions as a computer: it deals with data in electronic form and it processes data. So the law will treat the hacking of an EPABX system exactly as the hacking of a computer. That being so, apart from criminal liabilities for the culprit, the company concerned could also seek damages by way of compensation of up to Rs 1 crore under the old IT Act, and under the current law it could seek compensation of up to Rs 5 crore.

The law puts an obligation on an intermediary or a network service provider. In this case the service provider was negligent in discharging its duties. The telephone service provider is both an intermediary and a network service provider. Under Section 79, the intermediary is liable: they should have done due diligence.

In this case, the biggest challenge would be that the accused was located outside the territorial boundaries of India. It would have been very difficult to get a prosecution. Because the accused was outside India, it would not be feasible to get the accused to Indian courts for prosecution. This would have been one of the reasons why the company saved itself the bother of reporting this case. Had this case been reported, the police in India would have had to interact with agencies in the Eastern European country and also Zimbabwe, and through Interpol they would have used the 24x7 Network Point of Contact and would have tried to get information. The best way would be to extradite the person concerned. Had India signed the Convention on Cybercrime of the Council of Europe, then this case, originating from an Eastern European country, would come under the cyber crime treaty and a lot of information could have been exchanged. Where confidentiality is concerned, the company could have avoided revealing its real identity by reporting the case online. But the bigger challenge would be to keep the identity of the company a secret on government records.

(This case study is based on a true story. The names of the characters and the organization have been changed to protect the reputation of the company.)
Cover Story | Legal
It’s a Toothless Wonder” Pavan Duggal, Advocate, Supreme Court of India; President, Cyberlaws.Net and one of the country’s leading expert on cyber law builds a case for a better IT Act. By Sneha Jha
: For every 500 cyber crime incidents, only 50 are reported and only one is registered with the police, says a recent survey. What’s behind these low numbers? : The number of cases of cyber crime convictions in the whole country can be counted on your fingers. In the last 15 years, we have only three cyber crime convictions in a country of a billion-plus people. The fourth one is on its way. It’s shameful. A variety of factors are responsible for this dismal scenario. First, the concept that cyber crime is a serious offence is largely nonexistent among law enforcement agencies in India. If you go to the police to complain about a hacked e-mail account or the misuse of your Orkut account, they are likely to dismiss you with ridicule. Also, police personnel’s promotions are determined by the number of cases they crack — not the number they register. This makes the police hesitant to register cases, especially those with an extra-territorial element which they are not reasonably sure they can crack. This hesitance acts as a strong deterrent to people who want to complain. Another reason is that under the IT Act 2000, only a limited number of cyber crimes were covered. These included hacking, damage to computer source code, publishing obscene electronic information, breach of protected systems and also offences pertaining to publishing false digital signature certificates for fraudulent purposes. Under the IT Act 2000, investigative powers were only given to a deputy superintendent of police or above. But experience shows that DSPs and 32
J U LY 1 5 , 2 0 1 0 | REAL CIO WORLD
Cover_Story_JULY_OPTION2.indd 30
above are too busy and did not have the time or inclination to register cyber crimes. Another reason was that lot of cyber crimes were not covered under the IT Act of 2000. That’s because cyber crimes which could be reasonably foreseen did not find any place in the law. How can that be changed? By and large we need more convictions to restore people’s confidence. Separate cyber crime courts need to be set up. Merely setting up a handful of cyber crime cells will not do. We also need to have a citizencentric approach. One of the biggest reasons people do not want to register is the fear of harassment from the police and bad publicity. Confidentiality needs to be strongly emphasized in cyber crime investigations. People need to be encouraged to report cyber crimes online, which allows them to mask their identity. To combat the inadequacy of investigating infrastructure, we need to make concerted efforts to create more awareness among the judiciary and law enforcement agencies about cyber crimes, their detection, registration, investigation and prosecution. Getting the right lead and interpreting it correctly are both very important in solving cyber crimes. And for this training is key. Law enforcement personnel should have the required orientation to understand the criminal mindset and know the basics of gathering evidence and they also need to ensure the anonymity of victims. That is a tall order. You need resources and budgets. Then we also need to have cyber crime courts. They will enable more uniformity; right now sporadic cases are coming in different parts of the country. For more uniformity, we also need sensitization and for this training needs
Vol/5 | ISSUE/09
7/14/2010 6:27:17 PM
Cover Story | Legal
to happen at the judiciary level. The focus needs to be on educating the police and district judiciary. IT institutions like Centre for Development of Advanced Computing (CDAC) can play a role in this area. Which cyber crimes are most common? There are four broad categories of cyber crimes in India. The first is the cyber crime against property, which could be a computer or a database.
Vol/5 | ISSUE/09
Cover_Story_JULY_OPTION2.indd 31
The second is the cyber crime against people, this includes cyber defamation, cyber harassment, cyber nuisance and cyber stalking. The third is cyber crime against nations and includes cyber wars or cyber terrorism. The fourth is cyber crimes against social media sites. These are a distinct category by themselves where the environment of social media is being used as a medium to launch criminal activities and attacks. REAL CIO WORLD | J U LY 1 5 , 2 0 1 0
33
7/14/2010 6:27:25 PM
Cover Story | Legal From 2000 to about 2005, we only witnessed cyber crimes against people. This was a result of generation Y coming on the Internet and abusing the limits of anonymity it provided. Since 2005, I’ve seen a sharp increase in cyber crimes pertaining to property. Right now, cyber crime against property is really big. And social media cyber crimes are beginning to catch up. I see social media cyber crimes far outstripping other kinds of cyber crimes in a country like India where people mindlessly engage in social media. It’s a phenomenon that is likely to catch on in the next four to five years. Are the police armed to deal with cyber crimes? The new amendments allow any police officer of the rank of a police inspector and above to register or investigate a cyber crime. So the police force will need to equip — and sensitize — itself to handle cyber crimes. The system is only as strong as its weakest link. The nation has some brilliant police officers but if you look at the larger police force, I think they are grossly ill-equipped to deal with cyber crimes. The maturity curve is very low and as a result there is no uniformity of approach within law enforcement agencies on questions like detecting, investigating, and prosecuting perpetrators. Police personnel are clueless on how to detect and pick up electronic evidence and how to preserve it so that it can be used in court. Take for example when people misuse pre-Web-based e-mail accounts for defamation. If the service provider is Indian, he can be tackled. But if he is not then the police are clueless about whom to contact. And when they have to pick up electronic evidence they do not take precautions. For example, when they seize evidence they shut down a computer being oblivious to the fact that when you shut down a computer there are changes that happen on to the hard disk. Appropriate safeguards are not taken when seizing hard discs. 
They are not kept in aseptic environments, instead they are often kept in dusty police malkhanas (a storehouse in the police station). Invariably you will find some police inspectors still pouring hot wax around hard disks and magnetic drives (to help seal evidence) thereby irretrievably impacting electronic evidence. In a majority of cases relevant computers are not picked up and worse sometimes police officers take these computers home or use it in their offices thereby raising questions of the authenticity of electronic information. I think we need a large amount of resources, effort and time to ensure that the maturity level comes to acceptable international levels. What about jurisdiction? The Internet has made geography history. Cyber crimes can be done from anywhere on the network. In cases with an international angle, the judiciary can look at Section 75 of the Indian IT Act, which applies to offences committed out of India irrespective of a person’s nationality so long as the offence involves a computer system or computer network that is physically located in India. For example, if a cyber defamation e-mail can been accessed from a computer within India, then Indian courts can assume jurisdiction. If a defamatory blog posting can be accessed within India then Indian courts can assume jurisdiction. In this matter, the USA has had a distinct advantage because the Internet was born there and a majority of the servers are still located in USA. But there’s been a lot of work done internationally that India 34
J U LY 1 5 , 2 0 1 0 | REAL CIO WORLD
Cover_Story_JULY_OPTION2.indd 32
can piggyback on. India could, for instance, be a part of The Convention of Cybercrime of the Council of Europe, which has been signed by over 45 nations. India is a part of the G8 24X7 Point of Contact Network (a network of G8 countries to facilitate international cooperation for cyber crimes) but I think that relationship needs to be better harnessed. The mechanics and the structure exists. However, it requires more proactive adoption and a wider interpretation of Section 75 to assume jurisdiction in a variety of cyber crime cases. Have the 2008 amendments to the IT Act plugged any loopholes that existed earlier? The amended IT Act is a classic case of one step forward and three steps back. The law has attempted to plug a few problems but defective legislative drafting has opened far more glaring loopholes. If you compare the IT Act 2000 with the 2008 legislation you will find that the 2000 Act was far better. Take for example, how the new amendment has made cyber crimes a bailable offence: It has effectively opened the door for tampering with electronic evidence. I’ve personally seen cases
in which the accused was released on bail and deleted electronic records. And ultimately, it means a criminal can pay his way to freedom. The first loophole exists under Section 84A which talks about the modes and methods for encryption. Encryption is such a complicated phenomenon that it needs to be dealt with a distinct piece of legislation. A second loophole exists in Section 79 pertaining to the liability of intermediaries. The ambit of the section was very limited and only pertained to service providers. This has now been widened to include intermediaries, which is a very wide definition. It’s a feel-good legislation which has brought in far more categories of stakeholders within the ambit of the legislation. Under Section 69 and 69A, huge powers have been given to the government to monitor, intercept, and block traffic; but the appropriate safeguards for the same do not exist. The law does not deal effectively with issues relating to data protection and privacy. Further the issue of privacy, under Section 66E, only talks about the privacy of physical parts of the body. It’s a primitive way of looking
Vol/5 | ISSUE/09
7/14/2010 6:27:35 PM
Cover Story | Legal at privacy; the concept of data privacy has not been looked into at all. Section 66 (E) is grossly inefficient. The powers of controller certifying authorities (the authority that certifies the technologies and practices of all the certifying authorities licensed to issue digital signature certificates) have not been clipped under Section 28. The section on electronic signature has not been notified yet. The problem has been compounded because much power has been vested in the hands of the computer emergency response team of India without any adequate checks and balances. I would say that the 2008 legislation is a perfect example of defective legislative drafting. The efficacy and teeth of the IT Act have been taken away. A wrongful message is being given to the world that India does not take a serious view of cyber crimes. We need to ensure that tribunals under the IT Act are far more proactive. There are a number of complicated legal issues that have still not been covered under either the IT Act or various IT Rules. India has to face the challenges of cyberspace and its regulation in a bold, prompt, and decisive manner if it wants to become an IT superpower.
to be dealt with. The current treatment of cyber security is shabby and superficial. We have attempted to broadly deal with the concept of cyber security in Section 70B but cyber security needs far more comprehensive treatment. A lot of emerging social media cyber crimes have not been covered at all. Issues relating to the misuse of identity also need a more comprehensive treatment under the law. How does the law help enterprises? Earlier if your data was misused, corporates could seek damages by way of compensation up to Rs 1 crore. Now the compensation has been raised to Rs 5 crore. If you are a criminal then you are likely to feel the pinch because the law has made cyber crimes bailable. Criminal exposure is liable to life imprisonment or conviction for three years. Section 43A of the law says that if a company holds or possesses sensitive data and loses it due to negligence then the body responsible for the negligence is liable to pay the company by way of compensation.
Police personnel’s promotions are determined by the number of cases they crack — not the number they register. This makes them hesitant to register cases, especially those with an extra-territorial element which they are not reasonably sure they can solve.
But technology keeps changing. How can the law keep pace? This can be done by more innovative and futuristic legislative drafting. If we have provisions which are broad, generic, and include emerging trends within its ambit, the law can catch up with technology. Do the amendments give any teeth to the law? I don’t see any amendments that can give sharp teeth to the law. On the contrary, the amendments have broadened the umbrella by increasing the legal exposure under Section 79 of the Act. Rather than giving bite to the act, the legislation’s incisors have been knocked off by the new amendments. It’s a toothless wonder. What quick fixes can be done to improve the law? First and foremost, we need to make clear legal distinction between major and minor cyber crimes. We need to make almost all cyber crimes non-bailable. Provisions pertaining to data protection and privacy need
Vol/5 | ISSUE/09
Cover_Story_JULY_OPTION2.indd 33
How important is it for CIOs to work closely with their legal departments?
CIOs need to work in complete harmony with the legal department because they are going to be in the line of fire if there is a breach of cyber security within the company’s network. And, if a company is an intermediary and is not diligent about third-party data, then under Section 2 of the IT Act, it is open to civil and criminal liability. CIOs need to appreciate that they will have to do documented due diligence, comply with the requirements of the law, and work closely with legal departments. I think we need far more sensitization within the CIO community. There is a need for ensuring compliance to the law because otherwise a company’s exposure will be tremendous.

Sneha Jha is senior correspondent. Send feedback on this interview to sneha_jha@idgindia.com
“The IT Act is Comprehensive”
Himanshu Roy, Jt. Commissioner of Police (Crime), who heads Mumbai’s Cyber Crime Investigation Cell, says there is little that is grey about the IT Act.

Aren’t there very few cyber crimes that are reported?
I see a general awareness being created among citizens about cyber crimes and hence an increase in victims reporting crimes. As far as prosecution is concerned, there are no separate or designated courts for trials of cyber crime cases. The local Metropolitan courts hear such cases in addition to the regular ones.

Is our police force ready to take on cyber crimes?
I can assure you that the police officers and staff at the Cyber Crime Investigation Cell and the Cyber Police Station of the Crime Branch at Mumbai are all technically sound and well-trained to tackle offences in cyberspace. Continuous and thorough training is being imparted to all the police officers and staff across the city. We actively seek help from various institutes and associations, such as C-DAC, NASSCOM, and the Asian School of Cyber Laws.

What are the emerging trends in cyber crimes?
We are seeing a clear trend in three areas:
a. Hacking and tampering with source codes
b. Perpetrating obscenity through electronic and digital media
c. Credit card-related fraud and cheating

Are our cyber laws equipped to deal with the growing number of cyber crimes in India?
The latest amendment to the IT Act covers almost all the challenges that occur in cyberspace. Moreover, there are certain additions to the Act that give it more teeth. Some of these special sections are:
1. Child pornography, covered in Section 67B
2. Cyber terrorism, covered in Section 67F
3. Violation of privacy, covered in Section 66E
4. Identity theft, covered in Section 66C
5. Powers to investigate offences under the IT Act are being given to police inspectors under Section 78 of the IT Act. It allows a very large number of officers to carry out investigations.

But doesn’t the IT Act clash with the Criminal Procedure Code?
I’ll have to disagree with that. The Criminal Procedure Code gives the procedure of law enforcement in different Acts. There is no clash of rules between the Criminal Procedure Code and the IT Act. Depending on a crime, the IT Act may sometimes be read along with the Indian Penal Code, the Copyright Act, and other Acts. This never adversely affects the investigation of a case or produces any kind of volatility in the case or its investigation.

What equipment does the police use to investigate cyber crimes?
We leverage a number of tools. At the Crime Branch, we use advanced applications such as Encase and Whinex for mirror imaging and data recovery, a host of password recovery software and Stegno tools to recover data hidden inside pictures, and Disk Investigator software to retrieve deleted data from a plethora of storage media. Armed with state-of-the-art tools and adequate training, we are adept at investigating credit card fraud, cheating, threatening, hacking, and child pornography cases. Recently, we successfully traced and nabbed a Lt. Col. in the Indian Army in a case of child pornography, after receiving complaints from the Interpol and the CBI Wing, New Delhi.

Sneha Jha is senior correspondent. Send feedback on this interview to sneha_jha@idgindia.
View from the Top
Dr. V. Sumantran, Executive Vice Chairman, Hinduja Automotive, on driving innovation at Ashok Leyland and IT’s crucial role in making India a manufacturing hub.

Driving Innovation
By Anup Varier

A meeting with the accomplished Dr. V. Sumantran can be confusing. Until you realize that his soft-spoken nature hides the vocal academic in him. With a doctorate degree in Aerospace Engineering and a Master’s degree in Management of Technology, his work with the Science Advisory Council of the Prime Minister of India and the Scientific Advisory Committee to the Cabinet illustrates his caliber. Private about his personal life, Dr. Sumantran likes to let his work speak for itself. And it has. As a member of the board at Ashok Leyland, he has worked behind-the-scenes to ensure the four-fold growth in profits the company has raked in during the last quarter of 2009. He is also actively involved in Ashok Leyland’s efforts in its joint ventures with Nissan and John Deere. Passionate about innovation, Dr. Sumantran was instrumental in the launch of the Indigo Marina and the CRDi Safari during his previous stint at Tata Motors. Today, as the executive vice chairman of Hinduja Automotive (UK) and chairman of Defiance, he lends over 25 years of experience to drive the delivery of high-end innovative technology solutions. In this interview, Dr. V. Sumantran talks about innovation and the role of IT in making India an important player in the global auto industry.
View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

What is the place of innovation in a company as large as Ashok Leyland?
There is innovation throughout the company. We are continuously innovating with product development within the core company and also in terms of frugal and cost-effective measures through our joint ventures. In the field of advanced electronics in mobility and transportation we have entered a JV with Continental. To cater to green technology needs we have set up a 100 percent entity called AlbonAir in Germany, which is oriented towards clean exhaust. As India moves to a hub-and-spoke transportation system, we looked at the light vehicles segment and moved into a joint venture with Nissan. We are also simultaneously looking at the huge spend in infrastructure in a JV with John Deere. There are a fair amount of new projects and ideas that are being harnessed in each of these domains. We looked at our investment landscape and as a transportation-oriented group we had our core investments in trucks and buses through Ashok Leyland. We expanded into the defense mobility area a few years ago. That gave us an opportunity to build some stability and diversification. Also, to drive innovation within the knowledge economy of the future, we singled out the investment in Defiance. We believe that the combination of creating IT and engineering solutions, and leveraging technology for business excellence has become a platform.
Is innovation a top-down or bottom-up process?
In India, if you give a challenge to engineers, it is remarkable how they come up with innovative solutions. The orientation towards innovation from the top has more to do with direction setting, defining horizons, and defining stretch. That then creates an environment where innovation is unleashed within the company. Whenever we have set an aggressive challenge to a team of young engineers, the boys and girls have come up with phenomenal outputs; I have seldom been disappointed. More often than not, the top management of a company becomes a hurdle to innovation and the best way they can foster it is by setting the direction and developing internal culture.
What else is driving Ashok Leyland’s growth?
First of all, I must say that it is very heartening to see India come out of these last 18 months or so in the manner that it has. It is strong and robust across various industry sectors. There is confidence among customers as well as the industrial sector. Freight movement has started to pick up and mobility has increased. Also, the government’s stimulus for urban mobility and development through its investments in buses has also had a big impact. All said and done we are finding a broad-based forward movement of the economy. It must also be said that the company has really tightened a lot of its internal processes. Every time anybody goes through a downturn, the important questions are: How much did you learn and how much did you improve? The company has also benefited from a lot of changes that have been made over the past 18 months.

Dr. V. Sumantran expects IT to:
Facilitate customer understanding
Help make India a manufacturing hub
Create more efficient systems
Can you give us an example of such a change?
Companies like Ashok Leyland have spent a lot of money in tuning up their IT systems. If you just take the area of customer intelligence and the whole domain of understanding customer needs, I think they have been hugely benefited by the changes that they have made and this definitely includes harnessing the power of IT.
So how did Ashok Leyland have a supply-shortage problem earlier this year?
Inertia. As a whole, the country has witnessed a high inertia in the entire system. The slowdown has been a roller coaster ride. From a very aggressive year-on-year growth till 18 months ago, the economy suddenly slammed the brakes and we saw a 40 percent drop in commercial vehicle demand. Now, with the recovery, the demand is back to full throttle. It must be noted that Ashok Leyland cannot perform as a single entity but an enterprise that relies on its tier-1 supply chain which in its turn depends on a tier 2 supply. This entire chain has some lag. The downturn was severe enough and some of the weaker smaller elements of the supply chain actually got taken out of business. So, even as we look to our tier 1, they were looking down the chain for signs of a ramp up. When you have a large economy expanding and then suddenly halt that rate, then to get on the gas again takes a bit of time. So I think it’s nothing more than the inertia in the system. I believe that things are getting back in shape. I’d still rather have the situation in India than the situation in many other parts of the world where the recovery is rather sluggish.

“We believe that IT will be key enabler in India’s rise as a manufacturing hub.” — Dr. V. Sumantran
What do you think of all the talk about India as a manufacturing hub?
We will continue to be globally attractive as a manufacturing base only if we continue to demonstrate cost efficiencies. I say that because quality is no longer considered as a special attribute. Quality is considered a hygiene factor; you need to have the requisite quality systems in place to even begin to compete at the global level. Beyond that, for at least the next decade, we are primarily going to compete on cost efficiencies as we progressively pick up our technological spread. For this we will need to have manufacturing efficiency which is truly as good as anywhere in the world. We do have some disadvantages. If you look at India compared to China, no matter how fast we seem to be growing, the difference in scale is still enormous. While we hope to celebrate 2 million cars in India this year, China will cross the 10 million mark. India will work, for some time to come, on a smaller scale with more flexible production systems, smaller lots of production, and reconfigurable, agile investments. This then puts a tremendous amount of emphasis on manufacturing architecture and this is where I feel the CIO can play a huge role.
Can you elaborate?
Everything else being same, Indian auto manufacturers would have a disadvantage in coming up with smaller production lots and a smaller scale of production compared to China. However, if we tap into what is a huge advantage in India — our familiarity with IT and the cost effective IT resources — then we can get a leg up on China by configuring systems that are intrinsically more efficient and use that as the USP which propels our competitiveness globally. In the future, there are also going to be other demands. Apart from quality and productive systems, the question that remains is going to be: How green are we in our manufacturing? Again, IT can play a huge role. Our group company, Defiance has solutions in this area which allows us to aggregate information right from the PLC (programmable logic controller) levels in the manufacturing shop floors all the way to the dashboards to drive systems related to production and business strategy. We also have a green technology platform that will help people monitor, audit and certify the extent to which an organization has been able to reduce their CO2 footprint. In all of this, IT plays a pervasive role. And this is one of the reasons why we have had the conviction in our investment in Defiance. By investing in these areas, we put our money where our mouth is. And we believe that IT will be key enabler in India’s rise as a manufacturing hub.
Can auto manufacturers look at China as an investment opportunity?
No doubt we can. In fact in both my previous roles and in my current tenure I have spent a fair amount of time looking for opportunities to enter China. We looked at opportunities for investment, acquisitions and joint ventures. However, in the auto industry it is very difficult. While in India we have Hyundai coming and setting up a 100 percent entity for manufacturing, the same path is not available for manufacturers especially in the automotive space in China. To enter China you need a 50:50 partnership where one 50 percent chunk has to be held by a Chinese partner. Many companies have been trying very hard to make investments in China. This is somewhat easier in the tier 1 and tier 2 supply community but at the apex vehicle manufacturer level whether it’s a company like GM, Ford, or Honda they need JV partners. The only time an auto manufacturer can own a 100 percent entity is if it’s completely export-oriented. The situation has been difficult. But like everything else I think it will go through changes. In the long term, it is inevitable that in many domains India and China will be competitors for market and access to resources. But it is also true that in other domains the two countries can and will learn to be partners and investors in each other. We are going through a period where hopefully openness will increase and we will do more business with each other.
How can you create product differentiation by using IT that is itself commoditized?
This is an age where we seem to propagate the n=1 theory, which implies that you can no longer target consumers as a group, but need to be able to cater to individual choices and preferences. In the commercial vehicle sector, the heavy commercial vehicles segment already operates that way. We are forced to sub-divide customer groups. For instance, we have separate solutions oriented to people who transport cement and steel. We are forced to configure and adapt products to narrower segments because we want that differentiation to contribute to the customer’s business success. Now, if you trace this entire chain it starts with understanding what the customers want — and really going beyond superficial needs. You then need to link it to production systems which are flexible and configurable enough to manage many varied products at fairly short lead times. This in turn should link to the product data structure that allows configuration and managing very large product variety out of a fairly high common platform. So in every element of the chain you see a huge role for IT either in the form of CRM in understanding what the customer wants, or an MES system to back the manufacturing, or an IPMS to link the supply chain with a just-in-time approach and then the link to PLMs and configurators that integrate design systems to manage the creative parts.

Yet IT is seen as a mere enabler for the most part. How can CIOs change that?
We need to change the language we use within the IT community especially to communicate what we mean by benefits. Benefits to some extent are not very clearly visible. That’s something we need to articulate better. Second, there are huge sums of money deployed to tune large IT system deployments but we have been unable to track and trace their benefits. We have to find ways to trace and attribute value to improvements so that IT’s visibility is enhanced. The next most important thing is to celebrate case studies. The biggest example, the entire learning about just-in-time inventory, came about through the celebration of the Toyota production systems. So many people in the world are inspired by such examples and that is because it was a highly-celebrated case study. IT drove home the value of kaizen among other things. We, too, will need to identify specific case studies, celebrate them and use language that is simple enough to get a broader group of people to appreciate IT’s value.

What’s your advice to auto sector CIOs in general?
I know many CIOs in the industry. They are very smart people and clearly know what they are doing, which is why I would hesitate to offer them any advice. But I do hope that in the coming years IT gets better integrated with business strategy. The perception that IT is a cost center is an old philosophy and we are seeing many areas where IT will be inevitably integrated. I hope that more companies embrace the fact that IT needs to be part of core business strategy. With this the role of the CIO will become much more important and lend more contribution to the success of the company.

SNAPSHOT: Ashok Leyland
Primary Business: Commercial Vehicle Manufacturing
Founded: 1948
Employees: 11,500
Headquarters: Chennai
Sales Turnover: Rs 7,244 crore (2009-10)

Anup Varier is correspondent. Send feedback on this interview to editor@cio.in
If you’re looking for innovation, dial 314 (IT).
Brand-building 101: Decide one strength you want to sell, make a promise, pick a logo and get started!
What do you want IT to be known for? Being creative? Providing security? Or being reliable? Tip: Limit yourself to one message.
IT for Security
Reliable as the Sun
BY MARY BRANDEL
Creating a slogan or even a logo might be the best way to promote your team internally.
Illustration by MM Shanith
IT Value

Making an IT organization act like a business is no small job. Letting your internal business customers know you’re doing so is just as crucial, particularly today, when business leaders are scrutinizing the performance of every department. Enter the idea of making IT a brand. As IT works to transform its culture from serving technology to serving customers, some leaders are concluding that the best way to communicate is to put a face to the department. In the spirit of Nike (Just Do It), Philips (Let’s Make Things Better) and nearly every product or service sold today, some CIOs are looking at the idea of creating logos and slogans not only to convey who IT is and what it can offer, but also to ensure that business clients won’t forget it.

At the Oregon Department of Transportation, CIO Ben Berry has been working for more than a year to redefine his IT organization and develop a plan to market the services it offers. The project will culminate this summer in the rollout of an interactive portal that, among other things, will trumpet IT’s success in meeting service levels and provide a conduit for two-way user communication. Splashed on the portal Web page, and on any communiqué emanating from IT, will be a logo and a slogan that — Berry hopes — will convey the essence of the transportation department’s IT unit and sear it in the minds of users throughout the agency. “It’s a new concept, but we’re changing our culture, and it’s something we think is necessary to make our customers aware of our services,” Berry says.

At a recent gathering of CIOs, several alluded to using logos or simply new names for their IT groups. Johnson & Johnson CIO LaVerne Council, for instance, spoke of branding the company’s IT department, including creating a logo, as part of an IT centralization effort. And an IT executive at Procter & Gamble noted that there is no more ‘IT department’ at his company — now it’s IDS: Information, Decisions and Solutions.

Worth a Thousand Words
Using images and catchy slogans, these organizations hope to forge a strong association between the services users enjoy and who’s providing those services, says Carolynn Benson, a consultant at Ouellette & Associates. “When you market IT, you’re setting the vision of ‘Who do we want to be?’ And then you try to capture that in a logo, through an image and a slogan.” Benson said that in a recent O&A workshop on IT marketing strategies that she ran, an IT group took its business’s corporate logo and expanded on it to depict a scene of two pieces of land joined by a bridge, with the slogan “Your Bridge to Success.”

Logos and slogans can be especially useful when IT’s image is in need of improvement, Benson says. “IT can be viewed as non-communicative, behind-the-scenes, unprofessional,” she says. “But when the business units see something sharp and crisp and creative coming out of IT, they say, ‘Look at that; maybe they could transition that creativity into an innovative solution for me.’ It helps IT appear to the business as, ‘We’re similar to you.’”

Of course, image-making can be accomplished without a logo or branding, says Thomas Druby, an IT executive and former CIO at a large insurer. But a graphical image can help close the gap that often exists between the general perception of IT and the actual value it’s delivering. Branding can make an IT organization feel as though it’s establishing its own identity, he says. IT workers “have a bigger sense of accomplishment, because they start looking like a part of the company they own.”

Look Before You Leap
But before getting your creative juices flowing, make sure you can deliver on the goods your logo and slogan promise. “The worst that can happen is you brand an organization that isn’t working well, is not well received and doesn’t have its act together,” says Scott Archibald, managing director at Bender Consulting.

Reader ROI:
How to build an IT brand
Tips on building your own logo
What to watch out for
Rotating staff between IT and business departments is the most cost-effective way of marketing IT, according to a survey of CIOs.

“Branding is not about logos — it’s about how others perceive your behavior when they come into contact with you,” agrees Patty Azzarello, founder of Azzarello Group, a consultancy in California. CIOs often grimace, she says, when she tells them that the help desk represents 90 percent of IT’s brand. “That’s where most people interact with IT, and if it’s confusing and hard to use, you have a bad brand.” Therefore, she says, IT needs to sit down, brainstorm on the impression it wants the business to have of the organization, and determine what it must do to convey the right image. “The logo is just one visual element,” she says.

When he worked at the insurance company, Druby and his IT organization made an effort to build the IT brand, first defining a menu of services and eventually creating a logo and slogan. The key themes the group planned to emphasize were IT’s role as an enabler and a partner and its ability to help with competitive differentiation. “You need to rebuild yourself into a service-type organization and then put a brand on it,” he says.

At the Oregon Department of Transportation, Berry says his group is focusing on three things: increasing the availability of information, improving on data timeliness and engaging users. “Many of our 4,500 employees have ideas, and we’re trying to give them a platform to tell us what they think,” he says. IT is still developing its slogan and logo, but two leading ideas so far are “We Deliver Information” and “Data Done Right.”
Mission Possible
Writing a mission statement is essential to helping IT sharpen its brand identity, according to Ouellette & Associates’ Benson. “Get an understanding of what clients expect from you as the IT department, whether it’s operational excellence or innovators of new technology,” she says. An IT department at a company that had suffered badly during the downturn, she says, focused its message on its ability to be innovative with the resources it already had. Another O&A client wanted to emphasize how easy the IT department was to work with, so it created a logo and a slogan and had them emblazoned on company-colored polo shirts; an oval over the pocket featured the new slogan: “Tech IT Easy.” IT mission statements vary dramatically depending on the business you’re in, says Azzarello. “Nobody cares how hard you work — you have to do things that show you understand what’s important [to the company],” she says.
Get a Reality Check While many IT professionals might deny being creative, Benson says that in the workshops she holds, it never takes more than 20 minutes for a group to brainstorm some solid ideas. She urges CIOs to involve the technical staff in logo development, since it’s a great team-building exercise and increases their level of buy-in. However, it’s a good idea to also involve other groups — including the marketing and legal departments — before making any final decisions, she says. Marketing, for instance, can help you stay consistent
IT Marketing Methods: A Breakdown
Do you want to know which marketing activity will give your department the most sizzle for your money? A survey of your peers tells you which. Now there’s no more reason to procrastinate.

Categories used in the survey: Easy Wins, Unknown Gems, Worth It, Long shot.

Methods rated:
Rotate staff between IT and business departments
Employ IT-dedicated communications professional
Host IT “lunch and learn” sessions
CIO is a regular member of the executive committee
CIO conducts “walk arounds” to check in with stakeholders
CIO and senior staff cultivate relationships with stakeholders to facilitate informal communication
Embed IT staff in business departments
External media coverage (e.g. CIO magazine articles)
CIO or senior staff speak at company meetings
Host IT open houses or showcases
IT staff are trained in customer service skills and reminded of their role in creating a positive image for IT
Publish case studies
IT contributions to financial top and bottom line are mapped to IT systems and processes
Brand and publicize specific IT/business projects
Brand and publicize IT organization and its services

SOURCE: CIO EXECUTIVE COUNCIL
with how the company brands itself for its customers, Archibald says. And you may need to check with legal about restrictions on using elements of the corporate logo. This is particularly true if you have any plans to market IT services outside the company, Druby says. His former IT organization planned to establish external centers of excellence and incorporate that into its eventual logo. “You don’t want to have to do your logo all over again, so you need to think that through,” he says.

Marketing professionals may also be able to give advice on the latest color trends or the psychological impact of color and shape, Benson says. “Right now, it’s all about greens, tans, browns and oranges — colors reflecting the earth, whereas 10 years ago, bright colors were popular,” she says. And men and women tend to respond differently to shapes, she adds. For example, studies have shown that triangles yield high retention rates among both men and women, but men associate the triangle with mystery and power, while women associate it with threat and danger. The oval seems to appeal to both sexes. Gender reactions to colors are more similar, Benson says — blue scores low for both men and women in terms of reaction and recollection, while red scores high, even though men associate this color with excitement and women associate it with intimacy.

Berry plans to involve users with the final decision on the Oregon transportation department’s IT logo. His staff developed the two prototypes, but he plans to get user feedback on the interactive Web portal before making a final choice. Berry does have his own preference, but he says, “I don’t want to force that on folks.” That’s a good approach, says Azzarello. “Develop a few samples and ask people, ‘If you saw this, what impression would you have?’ If you want to be known for responsiveness or always meeting service levels, ask if the logo supports that,” she says.
Likewise, if your IT operation is decentralized, it’s important to check with the other groups before developing a logo. Bender Consulting’s Archibald says that he once worked at a Fortune 20 company where the decentralized IT units each came up with the idea to brand themselves on their own. “It became clear we were not one organization but many. It was confusing to employees throughout the company.” Similarly, developing a logo for a small technology group might alienate it from the larger IT organization. Druby recalls a Web group at his former employer that proposed a logo and a separate name to create its own identity for showcasing its work. “It was a good idea, but I put a stop to the effort because it needed to be done for all of IT, not just a certain group,” he says. On the flip side, Archibald has seen a decentralized IT operation pull together on a branding effort that represented IT as a united front. The logo was in the shape of a triangle bounded by arrows representing the three regions of the company. The arrows suggested that while each IT group reported to an individual region, it was a continuous organization.

7 Salesman Tips
Kumud Kalia, CIO at Direct Energy and a member of CIO’s executive council, offers some advice on selling internal IT successfully.
1. Be brave. Being totally transparent shows bad news as well as good. But people see the honesty and respect that you’re not hiding things or trying to spin them, and this builds trust.
2. Have something to communicate. People want stories, not statistics.
3. Make the communications multi-level (different messages to different constituent groups) but then stay consistent with regularity of messaging.
4. Admit failures and don’t only publicize successes. But show what you learned from the failures and how you will not repeat them. This makes any organization stronger.
5. Keep inviting feedback on improving your content and its delivery. People may say the level of communication is ‘adequate’ but they never say ‘excessive’ — that is, you can’t overdo it. So keep the marketing machine running.
6. Make sure you can continue what you are doing to market IT. Once you start, expectations are immediately raised, and then you can’t disappoint your audience.
7. Expect to get a few things wrong! Because let’s agree something will.
After All That Work, Use It
Prevailing wisdom says people must see or hear something seven times before they’re fully aware of it, Benson says, so be sure to use your branding on any communication that comes out of IT. You might even consider creating extra communication channels for this purpose. Examples are promotional items such as “leave-behinds” (business cards, flyers or tent cards that IT staffers could leave with users every time they fix a PC) or giveaways (USB sticks, mouse pads and the like). But make sure none of your swag appears too costly, she warns, because that could give users the impression that you’re overspending.

An obvious place for a logo, Azzarello says, is the help desk website, which could also be a good place to display your performance metrics for the three most important business services, updated in real time. “If people consistently see a strong logo and positive performance on things they care about, that’s a good brand message,” she says. And if you happen to host a webinar or podcast, make sure your logo is on the screen, Benson adds, and even repeat your slogan in an audio reminder of who is driving the event. Archibald expects the IT branding practice to pick up over the next two to three years. “It’s a way to direct users back to the positive experience of using your service,” he says.

Send feedback on this feature to editor@cio.in
REAL CIO WORLD | JULY 15, 2010
Landing in the Budget Zone
BY ANUP VARIER AND SUNIL SHAH
How the manufacturers of Parachute, among the world’s largest coconut oil brands, ensured that their monthly expenses fell in perfectly with their yearly budget allocations.
Unless you’re one of those people who uses nothing but foreign goods, it is pretty likely you have been touched — figuratively and literally — by Marico’s products. According to the manufacturers of Parachute, one of the world’s largest coconut oil brands, their products are used by one out of every eight Indians. In a country of over 1.15 billion, that’s a big number — and a lot of bottles of oil. That would gladden the hearts of the folk at Marico, unless you were part of a budgeting exercise. Planning a budget for production on that scale was a humongous task. At Marico, budgeting yearly expenses — like how much to set aside for its trademark blue plastic bottles — was a three-month exercise — and potentially a huge waste of time if the company couldn’t stick to the numbers
Case File
it promised to spend. But how do you ensure you stay within budget when the price of your raw materials fluctuates? It’s a question the Rs 2,660-crore company needed answers to fast.
ILLUSTRATION BY VISHAK VARDHAN
Slippery Data
As a major FMCG player, Marico has seen growth rates of over 25 percent in the last year. Still, it wanted to do better and there was certainly room to grow. The Indian FMCG market is currently estimated at around Rs 192,600 crore (about $42.8 billion), according to the Associated Chambers of Commerce and Industry of India (ASSOCHAM). And it’s poised to touch about Rs 333,000 crore (a growth of 1.7 times) by 2018, says a FICCI-Technopak report. To keep up with that growth, Marico needed to run a tight ship. Which meant that if it penciled in a number for its expenses at the start of the year, it needed to stick to it. Key to doing that was watching its COGS: the cost of goods sold. Also referred to as cost of sales, COGS is what it costs a company to produce goods, including material and direct labor costs. But monitoring COGS for a month’s worth of Parachute, for example, is hard because it depends on the cost of raw materials and packaging, which are volatile. “The cost of packaging, for instance, is dependent on the cost of petrol, because Parachute is packaged in PET bottles,” says Girish Rao, Head-IT, Marico Industries.

What made it harder was that the company used an Excel-based approach. Collating all the different costs that go into a final product — from the cost of oil to the cost of PET bottles — from multiple stakeholders was hard and inaccurate work. As a result, the company didn’t have an expenses-vs-budget check as frequently as it wanted. “It was an ad hoc exercise — about once every quarter — and it only gave us a ballpark figure, which didn’t help much in course correction,” says Rao. The company also wanted an easier way to manage detailed calculations and comparisons of the cost effectiveness of individual plants at the subcontractor level. “As we grew in scale, the number of subsidiaries increased and subsequently the data load became unmanageable,” recalls Rao. That’s a feeling that Ravin Mody, head-treasury and direct taxes, International Business Group, Marico, echoes. "Trying to consolidate the financials of 11 companies across six countries in three different ERP systems is nothing short of a nightmare on spreadsheets."

SNAPSHOT: Marico Industries
HEADQUARTERS: Mumbai
REVENUE: Rs 2,660 crore
HEAD-IT: Girish Rao
EMPLOYEES: 1,500

Oiling the Wheels
This is when Rao and his IT team launched Project Edge, their bid to redefine Marico’s financial performance management. If they could get a more frequent and more accurate picture of monthly production costs, it could course correct and stay within a yearly budget. They set off by trying to understand the company’s budgeting and reporting process in a three-day, in-house workshop. That confirmed a hunch they had: Marico’s budgeting
“Getting a reality check of our expenses was an ad hoc exercise — about once every quarter — and it only gave us a ballpark figure, which didn’t help in course correction.” Girish Rao, Head IT, Marico Industries
process was structured, but it was largely manual. That made no sense to them, especially because IT solutions for financial planning management (FPM) had evolved over the years and were well-tuned to fit the needs of most organizations. So they got a core user team to evaluate four leading products in the space and select one that best suited their needs and had a reasonable TCO. Post-selection they implemented the solution in an incremental manner, which took about five months, says Rao. He says that they did not face any issues in integrating the tool with their ERP system. Between December 2008 and March 2009, Marico’s yearly budgeting period, Rao ran the legacy budgeting process and the new reporting tool in parallel. By the start of the next financial year, in March 2010, budgeting was performed entirely on the new tool, Rao says. Quicker data turnaround time from using the tool meant that various departments spent less time on mundane tasks like data entry and ensured that information was more consistent. The solution covers eight global subsidiaries and supports between 25 and 30 key number crunchers. “All decision-makers will not use it but they certainly depend on the analysis brought out by people who do,” says Rao.

The bill of materials was also configured into the planning system. This removed the need to move out of the reporting system for a COGS calculation. Raw material and packing material costs were also integrated into the reporting system. These features ensured that they were running operations based on up-to-date monthly numbers. As a result, the company spent 8 percent less than it estimated it would in 2009-2010. In comparison, in the previous financial year, it overshot its budget by about three percent. "This would not have been possible without an efficient enabling tool like Cognos," says Rao.

Also, as an organization with global operations, currency exchange rates had a major impact not only on planning numbers but also on the actual reported numbers. Earlier, these exchange rates were forecasted, but now, with the reporting tool, more up-to-date numbers are introduced in the planning and reporting system, creating a more accurate financial picture. This also gave global locations the flexibility to prepare their financials in their local currency, and when the reports went to India they would automatically be converted into INR.

The tool also helped automate the initial creation of templates. Users no longer have to waste time thinking about what format to enter the data in. “Design level work is already taken care of by the tool. And report creation is also automated,” says Rao. He adds that the tool was flexible enough to keep pace with changing consumer demands, was low-maintenance and enabled quality analysis. All of which went a long way in getting people to move to the new tool, a challenge Rao expected. What also helped was generating different views of the same data in the tool itself so that people using it could see it in the way they wanted. It also gave them upload options so they could directly port data from spreadsheets. “Because the front-end was very similar to the spreadsheets, users were not distracted by the fact that they are using something entirely different,” says Rao. Moreover, thanks to in-memory analysis options available at the back-end, what-if analysis and slicing and dicing of data can be done more easily.
"We see significant reductions in the duplication of work as well as reconciliation efforts thereby enabling faster group level reporting," says Pawan Agarwal, head-corporate MIS and accounts, Marico. The lead time for releasing a budget has also been reduced from five days to four hours.
Budget Killer
Budget control. It’s an obsession with some of the best CIOs. Are there other ways you can help your business strengthen the bottom line by watching your expenses? Here are four. IBM Canada's strategic initiatives executive, Chris Pratt, has five top IT budget killers for businesses and offers tips on how companies can improve their bottom lines.

Storage expansion: In today's day and age of information and storage, the amount of data is growing at a constant and consistent pace. IT can help by enforcing meaningful policies for storage management, in addition to offering consolidation and virtualizing data and devices, Pratt says. Data can also be compressed and de-duplicated to help save space, he adds.

Information intelligence: It's easy to find information in the public domain, he says, but trying to find information internally within the business poses a greater challenge because business intelligence solutions and the like are needed.

Hardware sprawl: Organizations tend to spend money on hardware, which ultimately leads to hardware sprawl. "We've put in too much hardware to solve problems because hardware is typically less expensive than software," Pratt says. "The more (hardware) units you put in, the more money needs to be spent to maintain them." To help minimize hardware sprawl, Pratt suggests that businesses work to consolidate, virtualize and optimize the amount of infrastructure they have within the business.

System complexity: A lot of businesses are spending their money on just operations. "Consultants tell us that between 70 to 80 percent of an organization's budget is being spent just keeping the lights on," he says. "If organizations can reduce their servers through virtualization, then that's a quick way to see their savings." Businesses can address this issue by automating basic functions on their existing solutions, such as standardizing on toolsets. Automation will help free up money so businesses can use their savings in other areas of the company that may need it.
— Maxine Cheung
Slick Planning
Rao isn’t resting on his laurels. “This year is the second phase of the implementation and we will include non-financial data in the planning and forecasting system,” he says. They have already started tracking their budgeted expenses versus their actual expenses, where ‘actuals’ are drawn from the ERP. Getting this reality check on its planned vs. actual expenses is also helping monitor profitability. Fluctuating raw ingredient prices are a challenge most FMCG companies face. Yet, at the consumer end, prices have to remain steady given the price-sensitive nature of their markets. Britannia, for example, has kept the price of its Tiger biscuits steady for years, despite the rising cost of raw ingredients like sugar. At Marico, refusing to change the price of its flagship product, Parachute, for instance, was important to the company, but it still needed to know how much it was absorbing. "In today’s environment of volatility, it is critical to have a robust planning and review system which improves the speed and quality of decision making. Project Edge enables us to do both," says Milind Sarwate, chief of finance, HR and strategy, Marico. It can also measure whether there is a disproportionate allocation of resources in any particular area and also whether these expenses can actually be reduced or adapted to the company's current condition. Good news for a company that consumes one out of every 15 coconuts grown in India.
Anup Varier is a correspondent. Send feedback on this feature to anup_v@cio.in
JUNK YOUR OLD OUTSOURCING
There are countless obstacles to achieving anything resembling innovation when outsourcing IT, but the biggest barrier is inertia. To combat the status quo, customers and suppliers have to shake things up, especially the traditional process for procuring IT services.
BY STEPHANIE OVERBY
Outsourcing
IT departments say they want innovation from their outsourcing vendors, and the vendors say they want to provide it. So why is innovation in outsourcing so rare?
“One of the root causes behind lack of innovation in outsourced environments is an over-emphasis on stability from buyers and service providers,” says Phil Fersht, founder of outsourcing analyst firm Horses for Sources. “After the contract is signed, buyer executives don’t want noise because they want to avoid second-guessing. The provider’s delivery executive wants all their dashboards to have green indicator lights. Every action taken by both parties promotes stability, but hinders — even suppresses — innovation.” To achieve innovation in IT outsourcing, customers and suppliers have to shake things up. And that starts with the traditional IT service procurement process of gathering requirements, issuing an RFP, selecting a vendor and signing a contract — that Holy Writ of the outsourcing relationship. Ironically, contracting for innovation has precious little to do with the contract itself, say outsourcing experts and attorneys. While the contract codifies deal doctrine, in the most successful and innovative IT outsourcing relationships, it quietly gathers dust after the ink is dry. The contract is a consequence of a much more important negotiation — one that establishes a relationship between IT outsourcing customer and provider that will produce innovation while the legal documents sit on a shelf. To achieve that ideal relationship, all parties need to throw out the old notions that govern the traditional IT services procurement process and instead take the following approach.
ILLUSTRATION BY MM SHANITH
Delay the RFP
In today’s world of urgent cost-cutting and ‘speed sourcing’, there’s a rush to get the RFP out the door. But IT outsourcing customers need to decide upon innovation goals before even thinking about soliciting proposals or structuring the vendor selection process. “If the enterprise wants any innovation, they should understand that the cookie-cutter RFP with the price-driven negotiation is not an effective vehicle,” says Bill Bierce, co-founder of technology law firm Bierce & Kenerson.
Define Innovation
It’s easier to agree on what innovation isn’t than what it is. “Innovation is not the service provider meeting or exceeding service level commitments,” says Fersht. “Those service levels are a component of the contractual agreement between the provider and the buyer, and thus should be met, plain and simple.” True innovation might mean continuous process improvement, emerging technology implementation, new best practices, IT transformation or competitive advantage. A clear definition of innovation is required so that the contract will reflect the appropriate financial and other terms associated with it, says Daniel Masur, a partner at law firm Mayer Brown. The sad fact is, many IT departments have grown so consumed with keeping the lights on over the past few years that they “have lost touch with the innovative spirit and the knowledge of what innovation means to their firm and industry,” says Fersht. So, they rely on the outsourcer to define innovation for them, which puts the vendor in a difficult position, Fersht adds. A vendor can’t be expected to deliver significant innovation without knowing what types of innovation would help his client attain and maintain its strategic objectives, he says. (See: 3 Reasons Your Vendor Won’t Innovate.) Fersht recommends drawing up a strategic innovation plan and a process for updating it. It should outline the outsourced environment and the activities that have been retained internally.

Reader ROI:
Why your outsourcers don’t innovate
What else you can get out of outsourcers
Why innovation in outsourcing isn’t cheap

Use Outsourcers as Consultants
Attorney Bierce recommends to his clients that they approach IT service innovation as a consulting project and solicit suggestions for change from potential providers. “This poses some challenges for outsourcers who claim to have trade secret processes for industry verticals, and that they would be exposed by putting out their trade secrets into an environment where the enterprise customer would then just bid out the work to a third party on a commodity pricing basis,” says Bierce. “But this risk is small compared to the business opportunities.” “I think the best [IT service providers] start by seeking to understand the complex and sometimes unique needs of IT and business professionals,” says Forrester Research senior analyst Chris Andrews. Michael S. Mensik, partner in the Chicago office of Baker & McKenzie, believes IT departments could better ensure true innovation by spending more time with vendors up front, before the contract is signed, examining and modeling precisely how innovation will be achieved. He says both parties should discuss the processes that will need to be put in place to further innovation, the investments that each party will need to make and the change management measures that will be required. While suppliers may be willing to put in a little extra work up front to get your business, much of this consultation will come at a price. “Whatever the competitive pressures, there is just so much that the vendors will do as part of an RFP process,” Mensik says. “But I think in many cases the ROI on such an investment will be considerable.”
Lock Everyone in a Room
When it comes to the quest for innovation in IT outsourcing, the phrase “too many cooks spoil the broth” doesn’t apply. Invite all key business and IT stakeholders and vendor executives to a conference room, advises Forrester Vice President and Principal Analyst John McCarthy. Then lock the door and hash out the laws that will govern the outsourcing relationship. This approach ensures commitment from key internal stakeholders, which is important for outsourcing success, particularly transformational deals. “Any organization needing change has constituencies that will resist change,” says Bierce. “This is not the outsourcer’s problem but becomes its problem by default if the groundwork is not in place.” Arguing over — and ultimately agreeing on — details of the deal establishes a framework for the conflicts destined to come up over the course of the relationship, says McCarthy. “I asked a CIO from a Fortune 500 company who had just led his company through a huge transformation project with a leading services firm what he would have done differently, and he said, ‘I would have involved business decision makers in the process much, much earlier. I needed their insight and support to make this project work,’” says Forrester’s Andrews.
Loosen the Purse Strings
The average outsourcing selection and negotiation process focuses on one point above all else — price. But if you want innovation, you’re going to have to pay for it. “Innovation costs the local account team money in terms of leveraging experts, process advancements or new technologies,” says Fersht. “But buyers are often reluctant to spend adequate funds on these efforts.” Everyone wants value from outsourcers, particularly when times are tough, but stingy clients will get what they pay for, particularly if they haven’t been able to clearly define innovation pre-contract. “The interests of the parties must be aligned,” says Masur. “It is not realistic to expect a service provider to deliver the lowest possible price and still fund innovation initiatives.” Even if you think you’re paying a premium for innovation, it pays to verify the employee incentives put in place by the vendor. “Often the account team is very motivated to achieve a profit target and innovation is fluff that cuts into their discretionary funding,” says Fersht. Talk to the provider about unique compensation plans that encourage innovation on your account.

3 Reasons Your Vendor Won’t Innovate

You Don’t Know What You Want
Everyone wants innovation, but no one knows what it is. In talking to IT service providers, Forrester Research Senior Analyst Chris Andrews found that most agreed that innovation should help clients achieve “a new and disruptive business impact,” but the scale and scope of such initiatives fluctuated. If you want your outsourcer to innovate, you must define innovation in the context of your corporate objectives, says Andrews. A good way to start is to think about the various innovation stakeholders in your company — executives, line-of-business leaders, IT, product development, marketing — and what innovation looks like to them. For the C-suite, it may be transformation efforts that improve shareholder value or create long-term strategic advantage. For business stakeholders, it could be projects that increase sales or improve customer satisfaction. “With that understanding, the innovation discussion can be clarified,” says Andrews.

You Chose the Wrong Provider
Just as a tiger can’t change its stripes, a body shop won’t ever innovate. “If the client has literally picked an IT services provider only to get cost savings, they are somewhat unjustified in turning around and asking the supplier to bring them greater levels of innovation,” says Andrews. “This is a big complaint from the service providers themselves: we can innovate, but our clients won’t pay us for it. Cost-cutting and innovation can co-exist, but they do not do so easily.” Once you’ve figured out what innovation means to you, seek out providers that line up with your definition. But remember that vendor-developed processes and methodologies around customer-specific innovation can be helpful in illuminating a provider’s experience and approach, but they aren’t compulsory. Most importantly, says Andrews, look for an outsourcer that’s enthusiastic about the innovation challenge. If you’re frustrated with the lack of interest in innovation in your existing relationship, take your concerns to senior executives at the outsourcer. If you still encounter resistance, he says, it’s time to look for a new innovation partner.

You Didn’t Set Up Effective Innovation Metrics
Outsourcing customers have to define their unique desired outcomes and tie those objectives to service levels in the contract. That’s easier said than done. “Clients realize that a variety of internal and external factors could impact a business metric — not just the work of the service provider — and they are hesitant to link the dollar value of the contract to such a complex metric.” There are pockets of new innovation-related metrics activity in the IT services industry. One large Indian provider, for instance, is starting some of its engagements with metrics discussions. “Instead of dictating a traditional IT metric, they are honing in on a client problem statement such as, ‘We want to reduce our days-sales-outstanding,’” says Andrews. “That helps the provider’s delivery team think about ways to affect that metric with their technology capabilities.”
— Stephen Elliot
Share the Wealth
Of course, the provider as a whole needs some inspiration to innovate, too, particularly of the profit-boosting variety. The concept of gain-sharing — rewarding the vendor when the client benefits from lower costs, increased revenue or improved efficiency — has always been a controversial one among outsourcing customers. But if there were ever a time to consider it, it’s when you’re seeking something above and beyond outsourcing. “I know how hard it is to consider gainsharing. The discussion becomes a mini joint venture, with issues of risk, reward, etcetera,” says Bierce. “But this kind of discussion can be valuable.” You might set up a jointly funded pool to pay for agreed-upon innovation initiatives or sharing of savings generated by innovation projects, says Masur. And the client doesn’t necessarily have to take a financial hit. The IT outsourcing customer might allow the provider to use the resulting products or systems to deliver services to other customers or waive its right to benchmark if a vendor consistently achieves high innovation scores.
Send feedback on this feature to editor@cio.in
everything you wanted to know and more
In Mobile Mode
Not very long ago, it used to play second fiddle to its wired cousin. But today the mobile phone is a world in itself. If you aren’t riding the mobile wave yet, you risk being left behind.
What’s Inside
Deep Dive Features
The Mobility Effect (page 62)
Which Way Will You Go? (page 70)
House Rules (page 74)
Column
What’s Your Security Code? (page 66)
Case Study
The Mobile Lifeline (page 78)
The Mobility Effect
From a talk-n-text device to linking your ERP on the phone, the mobile storm has left no stone unturned with its enormous possibilities. It’s little wonder then that the mobile phone has cemented itself in every organization’s business strategy.
BY JOHN MARK V. TUAZON
Deep Dive | Mobility
Visionary CEO Steve Jobs ushered in a new era in mobile computing with the introduction of the legendary iPhone back in 2007, and nothing has been the same ever since. Increasingly, smartphones have crept into the enterprise space, what with the platform’s innovative offerings that allow for more worker productivity. This is the enterprise story of today: more and more workers are being driven out of the office space in an effort to cut costs. Conversely, new technology offerings also allow for more productivity in communication and collaboration using mobile devices, ringing in new forms of innovation for the enterprise. IDC predicts that by 2013 the number of Internet-capable mobile devices going online will reach 1 billion. Shipments had already passed that figure in 2009, when 1.2 billion mobile devices were shipped around the world. ABI Research expects that number to double in five years. Out of all mobile devices, smartphones enjoy a comfortable lead over mobile Internet devices, netbooks, consumer electronics, and cellular modems, IDC says. In the latter part of 2009, smartphone vendors shipped a total of 43.4 million units to users around the world, up by 4.2 percent sequentially despite the debilitating effects of the global financial crisis. “By 2013, mobile phones will overtake PCs as the most common Web access device worldwide,” according to research firm Gartner. “The total number of PCs in use will reach 1.78 billion units in 2013. By 2013, the combined installed base of smartphones and browser-equipped enhanced phones will exceed 1.82 billion units and will be greater than the installed base for PCs thereafter.” This renewed preference for smartphones over PCs is ushering in a new era of computing and employee productivity — but how are modern-day CIOs coping with the fast-paced use and development of mobile devices in the enterprise?
Empowering the Sales Force
In the case of Philusa Corporation, a marketer and distributor of personal care, pharmaceutical, baby care, and household care products, the use of mobile devices is central to their business process. In 2007, the 43-year-old company, with deep experience in wholesale business operations, decided to overhaul its sales process in response to the growing need to streamline the entire firm’s operations. “Prior to deploying mobile units for our sales force, the process was done purely on paper,” relates Arlan Dimalanta, the company’s IT manager. The process went as follows: the sales person gets the customer’s order, logs it on a sales order form, and brings or faxes the report to the office. Then the office personnel key in the order and print it out, and the designated officer approves the order. “Before, it took more than a week for some orders to be submitted, processed and completed,” Dimalanta laments. “That resulted in customers ordering products from us only once a month.” Philusa Corporation implemented a mobile solution by arming its sales force with Palm Treo smartphones. These mobile phones are equipped with a custom-built application created by a third-party developer that connects seamlessly with their ERP software, enabling sales orders to be input automatically into the system, as well as call planning and reporting from people in the field. The approval system for orders has also been automated. The devices were initially rolled out to a pilot team in Central Luzon, Philippines, consisting of seven sales employees. “Within eight months of deployment, we were able to equip 80 sales personnel for a nationwide implementation,” Dimalanta says, adding that the first three months were set aside for refinement of the system. The immediate effects of the new system were patently overwhelming. For the customers who used to have a once-a-month sales-order cycle, the company is now able to take orders and deliver twice in the same period. “It’s a win-win situation for us and for our customers,” shares Dimalanta. “Quotas are being hit, so 2009 proved to be a good year for us.”

What the Future Holds
Forrester research tells you what shape mobiles will take in the coming years. Here are seven pointers.

1. The top-tier mobile operators will be ramping up 4G network (3G in India) investments, and looking to business and vertical apps as high-value offerings for users who appreciate much faster download speeds and reduced latencies.

2. Machine-to-machine (M2M) apps and services will be available from most top-tier mobile carriers. And they’re expecting a big uptick in business, fueled by the spread of IP-based wired and wireless networks into whole new areas. One big one: so-called green IT and the overall trend toward “smart grids” to manage and reduce electric demand. Consumer M2M applications will cover remote monitoring of homes, appliances and automobiles; enterprise M2M will take off in focused vertical markets like healthcare, energy and transportation.

3. Mobile devices based on the Google Android operating system will take 10 percent of the mobile device market in 2010. According to Forrester, that uptake will be due to “heavy industry support” from Qualcomm, Verizon, Motorola and Google, as well as the growing embrace of the open OS by developers.

4. About 15 percent of non-mobile employees in 2010 will pressure IT to support their personal mobile devices for work activities, compared to 10 percent currently, according to Forrester. Smartphone-class devices are becoming more available and affordable, and their users want easy access to easy-to-use email, calendars, and corporate portals.

5. Mobile “app stores” will become a key software distribution channel for small-medium businesses, in addition to consumers. If permitted, smartphone users with app store access will be searching, buying, downloading and using a growing wealth of tools like expense management, staff approval and other productivity applications.

6. To cost-effectively manage this growth in mobile users, devices, and data, IT will look to emerging cloud-based mobility services. Rather than creating in-house device management, deployments, end-user support and security management, IT will look to a new breed of third-party managed services for these functions. A related trend: cloud services that reach deeper into the enterprise to deliver information on demand to smartphones, and coordinate the user’s identity and information across several devices and applications.

7. Without any specifics, Forrester expects enterprise mobility vendors, especially application vendors, to continue merging or going out of business. Service providers and systems integrators will invest more in mobility solutions for vertical markets.

— John Cox
Change Management For their part, Dimalanta says deploying the system was easy, “but user adoption, that, more than anything else, is the common system implementation challenge.” Dimalanta says he had to do thorough change management, because the system was not an IT project, but a business project aimed at improving the sales process. “Not all our sales people are technologysavvy,” Dimalanta points out. “So we had to think of a buy-in.” To encourage their sales agents to be open about the new system, Dimalanta and the Business Process Development and Implementation team conducted trainings pooling young and old sales people alike. There was also wisdom in starting off with a pilot team: “Sales people listen to sales people,” Dimalanta shares. “So when they saw the pilot team at ease with the system, they welcomed it. It was also important that the sales head was also driving the project forward.”
Guarding Data Keeping employees productive even beyond office walls is becoming a widespread trend, but it also poses new concerns for the IT division, especially 64
j u ly 1 5 , 2 0 1 0 | real CIo World
Deep Dive_JULY2010.indd 64
By 2013, mobile phones will overtake PCs as the most common Web access device worldwide, says Gartner. in terms of keeping their data intact. “According to Symantec’s latest Internet Security Threat Report, 63 percent of vulnerabilities reported in 2008 affected Web applications,” shares Luichi Robles, country manager, Symantec Philippines. “In 2009, we also saw the first smartphone botnet that took advantage of users’ contact lists to spread itself via SMS.” As smartphone adoption in the enterprise continues to boom at breakneck speed, cyber criminals see opportunity in targeting early adopters of the technology. Dimalanta says there is no data leak prevention system installed just yet, “but security is addressed more on the policy and user education aspects.” In terms of overall network security, the company policy remains as a complete lockdown. “Our gateways and firewalls are accessible only on corporate-issued devices,” Dimalanta explains, adding that end-users can’t just simply bring their devices in and connect to the network. “We are not 100 percent sure of the security features on these personal laptops [and other mobile devices], so we are not risking it.” Totally blocking off the network from other mobile devices, however, can be a management feat in a time when cell phone and smartphone prices are falling steeply and very quickly.
different kinds of devices in their attempt to take a bite off the mobile devices market pie, end-users would have a bevy of mobile devices and brands they can use in the enterprise, given there is an open system. “With a growing workforce, IT is tasked to support a greater number of [mobile] device types and user types at any location,” recalls Nicolo Hallare, managing director and COO of Sybase Solutions. Hallare says IT leaders are coming down with pressure from executives and end-users alike to support additional mobile platforms and personal mobile devices. This is a given, considering the wealth of brands and types of mobile devices out there. Having to manage a densely heterogeneous and interoperable mobile environment, however, becomes the trade-off. “Blackberry, Symbian, and Windows Mobile continue to be strong platforms but the strong entrance of iPhone and Android will make it exciting to watch,” Hallare relates. “
Mobility for Growth
Reducing Complexities
Philusa Corporation’s Dimalanta reveals that they are planning to phase out their Treo units in favor of newer mobile devices that provide more features, such as Blackberry, Windows Phone 7, and the iPhone. “In 2007, hands down, the Palm OS was more stable and easy to use compared to other operating systems,” he shares. “There were no viruses for the Palm OS, and the interface is easier to use, lowering the learning curve.” The non-availability of Palm OS devices in 2009 prompted the change, according to Dimalanta. Incidentally, just recently, Palm offered itself up for sale after a lackluster performance in the mobile race, succumbing to now-industry giants Apple, Google Android, and the Windows Phone. “If enterprises open their eyes and look at areas to be improved by mobility, then they stand to reduce costs and increase their sales,” Dimalanta notes. “Solutions are all around, and we have proven that it can be done. It’s time for more enterprises to adopt the technology.” CIo
Security, however, is just one side of the twofaced coin of issues that CIOs have to address. As more handset companies manufacture
Send feedback on this feature to editor@cio.in
Vol/5 | ISSUE/09
7/14/2010 6:19:40 PM
By Kenneth van Wyk

What’s Your Security Code?
I.T. STRATEGY | Love them or hate them, there’s little disputing that devices like Apple’s iPhones, iPods and iPads herald a vast mobile wireless world. We haven’t built this exciting new world without considering security, have we? I sure hope not. Of course, to be fair, there’s a lot more in this field than just Apple’s products. Indeed, the mobile wireless world as a whole has exploded in the last few years. Wi-Fi hot spot usage has skyrocketed, and all the big telco players are providing pretty respectable 3G (and 4G) coverage. Not only are there tons of mobile wireless products out there, but we’re starting to use them for more and more important tasks. They’re far more than simple mobile phones and rolodexes these days. Indeed, I started out writing this column on my iPad while waiting for a meeting in a local Starbucks. My iPad has become not just a delightful, entertaining toy, but a real productivity device for me. But how secure are we as we move around and do all of these important things? Certainly, our devices and the networks we use them in give us plenty of opportunities to make silly mistakes. But a knowledgeable consumer has a variety of settings and tools available to do things securely. If, as an IT leader, you aren’t taking advantage of them, read on.

“Our devices and networks give us plenty of opportunities to make silly mistakes. But knowledgeable users have a variety of settings and tools to do things securely.”

One of the biggest risks with mobile devices is that they will be lost or stolen. Another is the dreaded “coffee shop attack.” Mobile devices are, of course, highly portable. Their size makes them easy to misplace, and easy for someone else to snag. There’s a decent chance you or one of your employees will at some point lose a smartphone, tablet or other mobile wireless device. It’s trivial to drive to the nearest store and buy a new one, but what happens with all that important information on the device? How can we protect it? Here are a few tips to consider:

Lock the device. Pretty much every mobile device can be locked down, requiring a password to access it. Some will even wipe out their data after some pre-set number of failed log-in attempts. Learn your device’s lock settings and use them to their fullest.

Minimize the data you store on the mobile device. If you’re editing a document or two, that’s fine, but don’t use the mobile device for long-term storage of sensitive data. And if it’s too sensitive to lose, don’t put it on the mobile device in the first place.

Find-me services. Some mobile devices have features, such as Apple’s MobileMe service, that allow you to search for the device if it’s lost. The moment you realize your device is lost, go straight to the find-me service and see if you can find out where it is. MobileMe allows you to remotely wipe the data on a lost or stolen device. Do that without hesitation — before you try to negotiate the safe return of your device.

And then there’s that coffee shop attack. You take your shiny new mobile device to your favorite coffee shop (or hotel, airport lounge, etcetera), log in to the Wi-Fi service, and start doing cool stuff on the Net. But anyone on that same Wi-Fi segment can eavesdrop on all of your communications. With many configurations, it’s quite likely that the attacker can collect your usernames, passwords and other sensitive session credentials for Web sites, e-mail services and applications.

The coffee shop attack is absolutely trivial to execute. Your attacker only needs some freely available tools like Snort, Wireshark or any of dozens of others to make every packet of data on the wireless net his for the taking. And it’s shocking just how many popular sites don’t use encryption to protect your sensitive data while it is in transit between your device and the site. But again, there’s good news to be found. Most mobile devices these days support several options that can help us keep our sensitive stuff safe. Here are some things to consider:

Encrypt your network data. The best defense against the coffee shop attack is a virtual private network (VPN). Even if you’re not accessing company resources, it’s still a good idea to enable your VPN. All your data on the local Wi-Fi should then be traveling in an encrypted tunnel, safe from the coffee shop attackers. Most large companies have VPNs in place these days, but even small companies can get a VPN-ready router or server that isn’t that pricey. In fact, individual users can easily put VPN server software on their home PCs. (Just be sure you’re not violating your ISP’s acceptable usage terms.) Alternatively, there are several free VPN services available on the Internet. Of course, somewhere upstream, where your VPN resides, any normally unencrypted traffic will exit the VPN envelope and become unencrypted again, but that still protects the data from the coffee shop attack.

Encrypt your application data. Even with a VPN, it’s still a good idea to turn on encryption whenever feasible. Many e-mail services offer SSL-encrypted options. Use POP3S instead of POP3; use IMAPS instead of IMAP; and use SMTPS instead of SMTP. It generally takes some jiggling with the e-mail configurations, but if your server supports the SSL versions of these protocols, you’ll be further protecting your log-in credentials and e-mail traffic as they travel through the network.
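The protocol substitutions just described (POP3S for POP3, IMAPS for IMAP, SMTPS for SMTP) as a small Python audit, added here as an example and not part of the original column: it flags accounts still configured for the plaintext protocols, and opens only certificate-verified TLS connections, refusing to fall back to the clear. The account names, hostnames and the MailAccount type are constructed for illustration.

```python
"""Audit mail-client settings for the plaintext protocols the column warns about
and open only TLS-wrapped (POP3S / IMAPS / SMTPS) connections with certificate
verification. The account list at the bottom is constructed for illustration."""
import imaplib
import poplib
import smtplib
import ssl
from dataclasses import dataclass

# Plaintext protocol -> (TLS-wrapped protocol, its well-known port).
SECURE_EQUIVALENT = {
    "POP3": ("POP3S", 995),
    "IMAP": ("IMAPS", 993),
    "SMTP": ("SMTPS", 465),
}
TLS_PROTOCOLS = {"POP3S", "IMAPS", "SMTPS"}


@dataclass(frozen=True)
class MailAccount:
    name: str
    protocol: str  # one of POP3, POP3S, IMAP, IMAPS, SMTP, SMTPS
    host: str
    port: int


def audit_accounts(accounts):
    """Return (account name, finding) pairs for every account whose log-in
    credentials and mail would cross a shared Wi-Fi segment unencrypted."""
    findings = []
    for acct in accounts:
        proto = acct.protocol.upper()
        if proto in SECURE_EQUIVALENT:
            secure_proto, secure_port = SECURE_EQUIVALENT[proto]
            findings.append((acct.name,
                             f"{proto} on port {acct.port} sends credentials in the clear; "
                             f"switch to {secure_proto} on port {secure_port}"))
        elif proto not in TLS_PROTOCOLS:
            findings.append((acct.name,
                             f"unrecognised protocol {acct.protocol!r}; review manually"))
    return findings


def tls_context():
    """A client context that verifies the server certificate and hostname
    and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_secure(acct, timeout=10.0):
    """Open a TLS-wrapped session for a POP3S, IMAPS or SMTPS account.
    A plaintext protocol is refused outright rather than silently allowed."""
    proto = acct.protocol.upper()
    if proto not in TLS_PROTOCOLS:
        raise ValueError(f"{acct.name}: refusing plaintext {proto}; use its TLS-wrapped variant")
    ctx = tls_context()
    if proto == "POP3S":
        return poplib.POP3_SSL(acct.host, acct.port, timeout=timeout, context=ctx)
    if proto == "IMAPS":
        return imaplib.IMAP4_SSL(acct.host, acct.port, ssl_context=ctx, timeout=timeout)
    return smtplib.SMTP_SSL(acct.host, acct.port, timeout=timeout, context=ctx)


# Constructed sample configuration: two accounts still on plaintext protocols,
# one already fixed. The hostnames are placeholders, not real servers.
SAMPLE_ACCOUNTS = [
    MailAccount("work-inbound", "POP3", "mail.example.invalid", 110),
    MailAccount("work-outbound", "SMTP", "mail.example.invalid", 25),
    MailAccount("personal", "IMAPS", "imap.example.invalid", 993),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{name}] {finding}")
```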
Unfortunately, there aren’t too many options for encrypting the locally stored application data on the iPad and iPhone yet. I hope that changes over time, but for now, you do need to know that documents, presentations and most other application data stored on the device are most likely not encrypted. That is why you need to minimize your exposure, as suggested above.

Avoid the really sensitive stuff when you’re mobile. It’s probably not a good idea to do high-stakes work while you’re wireless in your favorite coffee shop. There is, after all, another type of coffee shop attack you should be careful to avoid — someone physically seeing sensitive data on your screen. A mobile phone or small camera can quickly and easily take a snapshot of the data on your screen for later examination, and probably without you noticing. So forget about doing things like filling out a credit application for a new car at the local hot spot; you don’t know who might be hanging around just waiting for the chance to grab people’s names, Social Security numbers, addresses and other high-value, sensitive data.

Of course, these lists are just a starting point, but they should give all of us food for thought while we enjoy exploring these amazing toys (business tools). CIO

Kenneth van Wyk has more than 20 years of experience in the information security field. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates. Send feedback on this column to editor@cio.in

3 Tips to Tighten Mobile Security
Experts say many mobile phone applications leave security holes wide open. Here are three tips for building secure mobile applications.

While mobile applications are cropping up for every use, security has failed to catch up, according to Chris Clark, a principal security consultant at iSEC Partners. He offers five simple application security tips:

Tip 1: Consider the unique risks of mobile devices. “One of the risks developers don’t think about is simply the mobile form factor and the risks that come with it,” says Clark. “Mobile devices are more easily lost or stolen than a computer. Since mobile devices are more likely to go missing, mobile applications should be built with that in mind. The application should use the device’s encryption functionality to protect data at rest.”

Tip 2: Don’t allow sharing of authentication information between sites. Clark says studies have shown that entering a secure password on a mobile device takes 31 key presses, as opposed to just 12 on a computer keyboard. The point is: mobile passwords are notoriously insecure. If users use the same password on both mobile and main applications, and it is cracked on the mobile device, that means the password for the main application is also revealed. The most successful and secure mobile applications are ones that do NOT implement all of the functionality of the main application in the mobile version.

Tip 3: Don’t expose line-of-business apps to your mobile workforce without the proper security in place. So many organizations now are rolling out mobile extensions of already in-use business applications so that road warriors can have access to them from anywhere. As a result, and in their haste, many organizations take line-of-business applications that were originally engineered to intranet standards and expose them on the Internet. Instead, security needs to be considered before placing a mobile translation layer in front of legacy applications and exposing them to the Internet.

—Joan Goodchild
Which Way Will You Go?
As mobility’s popularity continues to spread, a mobile-application-for-everything fad can take over your IT department. How to weigh the pros and cons of your mobile strategy.

By Mary Brandel

This was certainly unexpected: When Alex Betancur, general manager of Publisher’s Clearing House (PCH) Online Network, looked at the sweepstakes giant’s Web site logs in late 2008, he was surprised by an upsurge in visitors using mobile browsers. What caught Betancur’s eye was that the users were entering extensive information — first and last names, addresses, ZIP codes — on tiny screens. “I said to my staff, ‘If this many people are going through this process on a tiny screen, this might be an avenue that needs to be addressed.’” So Betancur asked IT to create a mobile-browser-friendly site, first for the iPhone and next for the BlackBerry. PCH Online also worked with a contractor to create two game apps — a slots game and a trivia game — to be distributed via the iTunes Store. The strategy, Betancur says, is two-pronged: support current users who embrace the mobile Web, while also reaching out to younger smartphone users through entertainment-oriented applications. A future goal is to support “geotargeting,” or delivering content tailored to specific mobile users based on their locations. Like many companies, PCH Online is making its first foray into interacting with customers via their mobile phones. So far, it has avoided the missteps of early adopters by basing its strategy on known customer behaviors and sticking to its core competency: providing the experience of winning sweepstakes. “Our challenge is to translate the excitement of winning to the mobile phone,” Betancur says.

We’re still in the early days of mobile customer strategies, says Julie Ask, an analyst at Forrester Research, noting that companies spend less than 1 percent of their interactive marketing budgets on the mobile channel. But only the foolhardy would not establish a mobile presence by this year or next, Ask says, given the explosive increase in consumers adopting mobile devices for data services. ABI Research predicts that mobile marketing expenditures will grow from $1.8 billion (about Rs 8,100 crore) in 2008 to $24 billion (about Rs 108,000 crore) in 2013 — a growth of 13 times.

“There are more retailers getting into m-commerce every day, and it will grow exponentially,” agrees Tom Nawara, managing director at Acquity Group LLC, a digital marketing consultancy. And they’ll approach mobile commerce in a variety of ways, including SMS texting campaigns, mobile banner ads, mobile Web sites, mobile coupons, or iPhone, BlackBerry or Android applications, he says.

Do Your Homework
But mobile strategies must be well conceived — based not on the behavior of ‘typical’ mobile phone users but on the actual behavior of your own customers. “There’s too much ‘Let’s do an SMS campaign’ or ‘Let’s build an iPhone application,’” Ask says. “Plans need to be more substantially based on data.” Success will require the IT department’s participation and involve lots of groundwork. Among other things, you must:
- Study your customers’ demographics and mobile behaviors.
- Explore mobile-specific functionality such as location awareness.
- Decide whether to build a site that’s compatible with multiple devices or optimized for specific types.
- Make sure all of your customer channels feature a consistent look and feel, while being sensitive to the fact that the interfaces on small devices must be easy to navigate.
- Integrate the mobile applications with back-end systems that hold customer, inventory and product data.
- Learn which technologies you need to support, either in-house or through contractors. They include Objective-C for iPhone apps and Java for Android systems.

“There’s too much ‘Let’s do an SMS campaign’ or ‘Let’s build an iPhone application.’ Mobile plans need to be more substantially based on data.”

At Western Corporate Federal Credit Union (Wescorp), IT is the driving force behind a mobile banking effort. That’s a good thing, considering the complexity of the back-end integration between Wescorp’s headquarters and its 1,100 credit unions. Christopher Barber, CIO at Wescorp, is a firm believer in mobile banking, asserting that “smartphones are the PC of the future.” His vision is for Wescorp to provide a mobile banking application that its credit unions can re-brand for their members. Although the membership base is aging, he says he wants to create applications that not only are useful but also demonstrate a “wow factor” that could help attract a younger demographic. He foresees applications that, for example, allow people to make mobile payments — with the consumer’s mobile device acting as an electronic wallet — support person-to-person payments, enable networking between credit union members, and allow credit unions to launch geotargeted marketing campaigns in which they can send shoppers coupons and directions to nearby stores. “You can start thinking about payments in a different way if you know where the person is standing at the time,” Barber says. Building a front end for mobile banking on the iPhone wasn’t a problem, he says, nor will it be difficult to build front ends for other devices. The challenge is securely and cost-effectively connecting transactions initiated on mobile devices to the credit unions’ heterogeneous back-end systems. But Barber says a mobile strategy is key to Wescorp’s success. “If the biggest problem the credit unions are having is drawing in younger customers, and we can help, we’re living up to our mission,” he adds.

Scottrade Inc. also faced a big technology decision when it started devising its mobile strategy. The online investment firm recently announced Scottrade Mobile, which lets customers manage accounts and research and process trades from any mobile device. While Scottrade intends to someday create sites geared toward specific smartphones, it decided — based on the current behaviors of its customers, and its own customer strategy — to start with a WAP-enabled site for a broad base of users. “It’s critical that your mobile offerings align with your customer strategy,” says Kevin Dodson, director of online financial services at Scottrade. “We looked at our customers and said, ‘How are they accessing us, and are there new things we can offer?’” Dodson says it was more important for Scottrade to reach the largest possible audience than it was to focus on specific devices. During a two-month beta period, customers accessed the mobile site using more than 50 different devices. It’s also much less costly to support one WAP site than it is to offer multiple device-specific ones, he says. Although PCH Online took a different tack than Scottrade, its decision to build mobile sites optimized for individual devices was equally sound, in that it was based on its own strategy and the behavior of its customers. Its logs revealed not only that a majority of its customers were iPhone users, but also that it needed to maximize the graphics and sound of the individual mobile platforms in order to create an appealing experience, says Betancur.

Another key consideration in building a mobile site, Dodson says, is ensuring that the user experience is consistent no matter which device is used and that it’s similar to what customers encounter in other channels. At Scottrade, programmers took great pains to emulate the Web experience, he says, so that “if you know how to use any Internet browser, you already know how to use m.Scottrade.” But that doesn’t mean the mobile site should be a clone of the non-mobile Web site. As Acquity’s Nawara puts it: “Mobilize, don’t miniaturize. The goal is not to shrink down the Web site but to understand the three to five top activities that customers really want to do on the mobile device. These needs can range from the urgent — finding an ATM — to the casual, like wanting to pass time with a game.” “If a task is not time-critical, they probably aren’t going to do it on a mobile device,” says Kevin Dulaney, an analyst at Gartner. “If they can wait until they get home, they will.”

Simplicity Rules
Given the smaller real estate on mobile screens, simplicity is a virtue. “You can’t use complicated navigation structures. It has to be, ‘Log in, click on the task, and you’re done,’” says Dodson. According to Dulaney, complexity is what sank many early mobile efforts. His rule of thumb: for every level of navigation required on a mobile app, you lose half your audience. “In the early days, companies were providing things like sports scores and banking, but once people saw the complexity of the application, they went back to their PCs,” he says. For example, if you have a tool that locates the cheapest gas station, don’t ask people to enter an address, Dulaney says. Use a GPS chip to do that. “If there are a bunch of steps, people generally won’t use it,” he says. Dulaney extends that thinking to mobile coupons. “If I can take a photo of a product and get a coupon, that’s useful,” he says. “But if I have to scan the bar code, I may not use that capability.” Of course, the only constant in a new area like mobile computing is change. “You must be willing to change, because the industry is moving so fast,” Dodson says. “We’re always augmenting, adding and reprioritizing as more people adopt mobile capabilities.” His group is now building an app geared toward the needs of a niche group of active traders. Keeping up with ever-changing browser technologies is also a challenge. “As networks get faster and browsers allow greater access to data, you have to move all the time to take advantage of the latest technologies,” Dodson says. The biggest misstep is failing to do your homework, Nawara says. Amidst all the hype, it’s tempting to jump in too quickly, without having a firm grip on how mobility can truly benefit your business strategy and your customer base. “There have been some initial forays that didn’t convey the right thing for the brand or yield the desired end result,” Nawara says. “That can be done away with if you do the upfront planning.” CIO

Mobile-friendly Websites
When digital marketing consultancy Acquity Group LLC audits a retailer’s mobile Web site, it asks the following questions:
- Does the site use a .mobi top-level domain?
- Can the site automatically detect a mobile browser or device?
- Does the mobile site offer different functionality than the desktop site?
- Is the site optimized for mobile browsers?
- Does the retailer’s main Web site have a landing page that details the company’s mobile offerings?
- Does the retailer offer downloadable apps for the iPhone or BlackBerry, or for Windows Mobile and Android devices?

Mobile Strategy Best Practices
Solstice Consulting’s managing partner tells you what to keep in mind when creating your company’s mobile strategy.

Know “why”
One of the first important questions to ask is “Why?” The mobile context is significantly different from the desktop world. What’s driving your move to mobile? Simply porting your existing desktop content or creating miniature versions of existing websites for mobile is not a wise move. The content you are providing needs to be useful in the mobile setting. Your end consumer has different needs in the mobile context; visitor context is a huge factor when considering what to develop.

Decide what business functions should be mobilized
What functions will give you the biggest bang for your buck? When determining functionality to port into the mobile context, you want to pick something with a measurable ROI or something that gives your business a competitive advantage. Show value early to help build your business case for expanding into more mobile functionality. And keep in mind that mobile users want to find, not browse.

Deploy useful functionality incrementally
This shouldn’t be a six-to-12-month initiative. You need to build and release quickly, solicit feedback, and refine. Think about how to break up functionality into small, agile releases. The sooner you get functionality out there, the sooner you can start improving on its utility. Consider piloting to a limited set of users on specific mobile devices. Start expanding audience and supported devices once it’s been around the block a few times and you’ve had a chance to kick the tires.

Develop standards
As an enterprise, it’s important to establish technical standards early, before they are decided for you. Don’t wait till the enterprise has momentum with mobile to start figuring out what your standards are. Factors such as security standards and selection of supported devices should all be up for consideration when defining mobile guidelines.

Decide how: app or mobile website?
The answer to this question is important, and highly dependent on the device capabilities of your end-users. If you are targeting an audience that will be using a common device, then the robust offerings of a native device application may be the right answer. Native apps allow you to fully exploit the capabilities of the device for an optimal end-user experience. But for supporting cross-device compatibility, a mobile website might be the best approach. Although more testing time should be factored in, a mobile website offers the widest range of possibilities for a broad user base.

— Kelly Manthey

Send feedback on this feature to editor@cio.in
Deep Dive | Mobility
What to do — and what not to — when building your company’s mobile strategy.
by robert Zhang
A
dvanced mobile devices — iPhone, BlackBerry and other handhelds — have created a growing wireless mobility environment for business, personal communication and entertainment. However, their growing use has also led to a faster increase in the depth and breadth of mobile security threats. Using a mobile device to access corporate information systems can potentially create a hole to corporate security if not protected and used properly. In a recent report from CSI, the theft or loss of corporate proprietary and customer information by mobile devices is nearly half of all sources. Data breaches are real to nearly 74
j u ly 1 5 , 2 0 1 0 | real CIo World
Deep Dive_JULY2010.indd 74
every organization of virtually any size, from the big multinational corporation to the small to medium business, including device loss, theft, misuse, and unauthorized access to corporate network and data disclosure. Enjoying many advantages in productivity, efficiency and flexibility, many current security efforts in organizations may lag behind exposures and risks. Organizations are either not fully aware of existing security issues facing the organization or simply treating these issues as a sole IT task. Very likely, such issues often remind IT leaders to look into a number of technologies or software tools, such
as firewall, antivirus software, and file encryption among others. Not surprisingly, this often leads to an insufficient or failed effort. Merely focusing on technologies cannot conquer the organization’s weaknesses in employees’ behavior, and inherent gaps in policy and management processes. The rapid development of mobile technologies and applications has increasingly changed the way organizations do business, as well as their risk management environment. To effectively minimize an organization’s security risks requires a corporate wide effort in security strategy, policy development, employee training Vol/5 | ISSUE/09
7/14/2010 6:19:50 PM
Deep Dive | Mobility
and revised IT infrastructure. Here are five steps of how to achieve effective mobile security governance.
Knowing Your Mobile Environment Risks Using mobile devices to get a job done anywhere as you move is a great benefit to many organizations. But the reality is that organizations at the same time also face a variety of unprecedented exposures and risks. These risks are a result of potential exploitations of weaknesses in technology, organization and its employees. Each year, millions of mobile devices are lost, stolen or discarded with personal information still in device memory. Loss of a mobile device that contains personal identity and network access credentials opens an organization to unauthorized network access and intrusion. Mobile data disclosure of business confidential information and personal records puts an organization at high risk of legal and regulatory compliance issues. To develop an effective mobile security strategy, it is essential to understand an organization’s mobile security risk profile. The fundamental questions include: Which corporate mobile data assets require protection? Which, how and where are the corporate data systems that are accessed by mobile employees? How are mobile devices being used, protected and managed? Do employees know the procedures in responding to an incident? To fully determine your organization’s mobile security posture, you need to do a comprehensive security assessment against your organization’s specific business environment.
Developing an Effective Mobile Security Policy
Lack of an effective mobile security policy is a fundamental root cause of many failed security efforts. The policy must be risk-based, covering all identified risks on mobile devices, both organization-issued and individually owned, and all user groups, including regular employees and others such as temporary contractors. The policy development process should determine which applications are to be made available to which mobile user group and on what types of devices. Typical mobile applications may include e-mail, sales force automation, field service applications, dispatching and extended CRM, among others. It’s important to note that these applications can drive productivity and revenue growth if deployed and managed securely. An effective security policy needs to clearly translate regulatory compliance requirements into the organization’s risk management processes and procedures to protect data from loss or compromise. It also needs to speak clearly on the user’s responsibility for device configuration, its usage, data backup and protection. The information stored on a mobile device should be limited to what is required while on the move. In addition, the policies must be enforceable via active IT monitoring and software tools. Organizations should regularly review the policies to take into account any new security threats associated with business environment changes.

Tried and Tested: Advice from people who practice what they preach.
DON’T:
Assume smart phones should only be given to senior management.
Deploy devices for enterprise use without proper protections and control.
Block all third-party applications. Have a process to approve applications. Create a whitelist for approved applications.
Allow unmanaged devices to access and retrieve classified data (and if you do not have data classification, please do). The data on unmanaged devices should be treated as lost (it will be).
Install more than one security client on mobile devices. If possible, do not install a client; the devices are already slow. Make these devices slower or more complicated for end users and your projects will be terminated regardless of their security merits.
Allow every single carrier. Try to standardize endpoint device types and the carrier.

July 15, 2010 | REAL CIO WORLD
Ensuring Employees’ Responsibility and Awareness
The employee is a great factor for both good and bad in mobile security. In a recent CSO (a sister publication to CIO) survey, 28 percent of all mobile users use their mobile devices to access the Internet, and 86 percent of them admitted to having no mobile security. A careless or security-unconscious user can easily put an organization’s confidential information at risk. Lack of mobile user training and awareness is a major factor that contributes to many user errors and incidents that lead to security issues. A less-trained user may not even know the procedures for handling security. In some cases, a mobile user may simply bypass required configuration procedures in order to get a job done. Employee education and awareness should become a valued part of the corporate culture. A well-trained employee can help an organization greatly minimize mobile security risks. It is critical that all security policies get buy-in from line-of-business leadership, end users and the support team across the organization. Organizations should put employees in the driver’s seat for an effective security governance effort. They can become the most critical layer of security defense in any risk mitigation strategy in the organization.

Vol/5 | ISSUE/09
Deep Dive | Mobility
Establishing a Baseline Security Configuration
As the use of mobile technologies in business increases, more and more critical business and sensitive personal information is being collected, processed and transmitted over shared wireless networks. Mobile devices need to be configured adequately to protect the device itself and the data on it from unauthorized use, data disclosure and malicious attacks. During the planning phase of a mobile device deployment, all devices should be required to meet a baseline in terms of corporate security policy. A baseline security configuration may include:
Password protection at power-on
File or directory encryption
VPN for e-mail and other internal network access
On-device firewall
AV software
Latest security patches
Enforcing the baseline security configuration for all devices can help an organization establish a bottom line of defense on each device. As with the hardening of an Internet-facing device, on-device resources, wireless interfaces — like WiFi, Bluetooth, RFID, wireless printer — and application functions should be minimized to reduce the likelihood of wireless attacks.

Building a Mobile Aware IT Infrastructure
Organizations may have well-defined IT tools in place to manage enterprise systems (for example, servers, networking and storage). As advanced mobile devices become increasingly used in business applications, their roles have been quickly shifting from e-mail access to business-oriented transactions with back-end database systems, for example ERP, CRM and SFA. In the meantime, the growing business mobility is taking the traditional IT boundary outside an organization’s perimeter. Organizations need to implement strong authentication and user role-based data access and distribution. Strong password enforcement, including two-factor authentication options — like a software token — for a particular user group for additional security, should be performed. Existing network-based segregation or zoning should be revised to be data centric and extended to mobile users and their devices. To avoid increased integration cost, and later challenges in support and upgrade, organizations should plan a centralized device management solution at the time of device deployment, ideally to be directly integrated with existing IT systems for network, application, server and device. A number of advanced solutions exist today that can support multiple platforms on a centralized enterprise console. IT leaders can achieve proactive controls over device usage, configuration settings, software updates and security patching, among other things. In particular, remote password reset, device lock and wipe are necessary features in many cases. Such solutions should be deployed with little or no user involvement, easy integration with the existing directory structure and good scalability for a large number of users with diversified devices and on different wireless networks. CIO

Send feedback on this feature to editor@cio.in

DO:
Monitor security vulnerability tracking feeds for new attacks on mobile devices.
Ensure devices in the field can be updated quickly to fix security issues.
Make central management a mandate. Unmanaged devices should not have access to corporate data. Managed devices should be managed over the air. Remote policy pushes over a carrier network must work. End-user profiles should be encrypted with no options for local modification.
Central logging should enforce a policy with at least the following items: mobile data encryption; lock timeout settings (screen-saver lockout); authentication/password policy; Bluetooth policy; remote wipe; allowed applications; policy for social media and cameras.
Try to expand your endpoint security policy to other mobile endpoints (URL filtering/AV/media handling/firewall) but do not get overexcited; only deploy the software solutions that work. It is a good idea to implement these solutions at the enterprise gateway (proxy all network connections) instead of on resource-limited mobile devices.
Expand your corporate phone system to your smart devices. There are soft clients that extend seamlessly to mobile devices so that all voicemails/extensions/DIDs work on your smart phones. This expansion will carry your existing security over to mobile devices.
Do 802.1x on the wireless VoIP clients on the smart phones.
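As an added example, not from the article or its sidebar, the following Python script checks device posture reports against the baseline items listed above (power-on password, encryption, VPN, firewall, AV, current patches, lock timeout, approved applications) and applies the sidebar’s rule that unmanaged devices get no corporate data. The posture field names, the numeric thresholds and the sample device records are constructed assumptions for illustration.

```python
"""Baseline-configuration compliance check for a mobile device fleet.

Constructed example: a hypothetical device-management agent reports each
device's posture, and this script decides (a) which baseline items the
device fails and (b) whether a gateway should let it reach corporate data.
"""
from dataclasses import dataclass, field
from datetime import date

# Policy thresholds. The numbers are illustrative assumptions, not values
# from the article; "latest security patches" and "lock timeout settings"
# are the article's items, the concrete limits are ours.
MAX_PATCH_AGE_DAYS = 30
MAX_LOCK_TIMEOUT_SECONDS = 300
# Whitelist of approved applications (constructed names).
APPROVED_APPS = {"corp-mail", "sfa-client", "crm-mobile", "vpn-client"}
# Date the sample report is evaluated against (constructed).
REPORT_DATE = date(2010, 7, 15)


@dataclass
class DevicePosture:
    """Posture fields as a hypothetical management agent might report them."""
    device_id: str
    managed: bool              # enrolled in central management
    power_on_password: bool
    storage_encrypted: bool
    vpn_configured: bool
    firewall_enabled: bool
    av_installed: bool
    last_patch_date: date
    lock_timeout_seconds: int  # 0 means no automatic lock
    installed_apps: set = field(default_factory=set)


def baseline_violations(p: DevicePosture, today: date) -> list:
    """Return the baseline items this device fails; an empty list means compliant."""
    v = []
    if not p.power_on_password:
        v.append("no power-on password")
    if not p.storage_encrypted:
        v.append("storage not encrypted")
    if not p.vpn_configured:
        v.append("no VPN for internal access")
    if not p.firewall_enabled:
        v.append("on-device firewall disabled")
    if not p.av_installed:
        v.append("no AV software")
    if (today - p.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        v.append("security patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if p.lock_timeout_seconds <= 0 or p.lock_timeout_seconds > MAX_LOCK_TIMEOUT_SECONDS:
        v.append("screen lock timeout missing or too long")
    unapproved = sorted(p.installed_apps - APPROVED_APPS)
    if unapproved:
        v.append("unapproved applications: " + ", ".join(unapproved))
    return v


def corporate_data_allowed(p: DevicePosture, today: date) -> bool:
    """Gateway decision: unmanaged devices never get corporate data (sidebar rule);
    managed devices must additionally meet every baseline item."""
    return p.managed and not baseline_violations(p, today)


def compliance_report(devices, today: date) -> dict:
    """Map device_id -> (allowed, violations) for a whole fleet."""
    return {d.device_id: (corporate_data_allowed(d, today), baseline_violations(d, today))
            for d in devices}


# Constructed sample posture records: one compliant managed device, one managed
# device with several gaps, and one compliant but unmanaged personal device.
SAMPLE_DEVICES = [
    DevicePosture("bb-0001", True, True, True, True, True, True,
                  date(2010, 7, 1), 120, {"corp-mail", "sfa-client"}),
    DevicePosture("bb-0002", True, True, True, False, True, True,
                  date(2010, 4, 2), 900, {"corp-mail", "games-pack"}),
    DevicePosture("byod-0003", False, True, True, True, True, True,
                  date(2010, 7, 10), 60, {"corp-mail"}),
]


def sample_report() -> dict:
    """Evaluate the constructed sample fleet on the constructed report date."""
    return compliance_report(SAMPLE_DEVICES, REPORT_DATE)


if __name__ == "__main__":
    for dev_id, (allowed, violations) in sample_report().items():
        print(dev_id, "ALLOW" if allowed else "DENY",
              "; ".join(violations) or "baseline met")
```

The unmanaged device is denied even though it meets every baseline item, which is the point of making central management a mandate rather than a checklist entry.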
The Mobile Lifeline
By Al Sacco
At the DCVA medical center, a mobile app not only helps in saving the lives of heart-attack victims, it also reduces the average length of cardiology patient-stays, and brings down overall healthcare costs. Here’s how.
Modern medicine and technology go hand-in-hand. For years, we’ve come to associate a hospital with doctors, but also the machines and gadgets that aid doctors and nurses. But wireless technology is really just now coming of age in the medical field. For example, emergency room physicians and surgeons are some of the few modern professionals who still carry around pagers. Yes, pagers. That seems to be changing, however. In fact, doctors and nurses are surrendering their antiquated gadgets in exchange for today’s powerful, cutting-edge smartphones, says Fraser Edward, BlackBerry-maker Research In Motion’s (RIM) Manager of Market Development for Healthcare. Many medical professionals have resisted the move from traditional feature cell phones, pagers, recorders and other old-school gadgets to smartphones due to security concerns and comfort with existing technologies, says Edward. This made BlackBerry an attractive device for moving to the next wave of mobile technology. Dr. Divya Shroff, chief of staff for informatics at the Washington DC Veterans Affairs Medical Center (DCVAMC), agrees. In fact, 11 DCVAMC cardiologists have been successfully using a custom BlackBerry application for heart-specialists for more than six months.
Smart Move
DCVAMC is one of the US Department of Veterans Affairs’ (VA) 153 nation-wide medical centers. The department also has some 737 community-based outpatient clinics, 225 vet centers, 135 nursing homes and 47 domiciliaries. Because of its enormous size, communication definitely was a huge problem. That’s where Dr. Shroff comes in. She came to DCVAMC as an internal medicine physician a little more than six years ago. She quickly “fell in love with the IT side of medicine,” and has become the center’s de facto ‘CMIO’, or Chief Medical Information Officer. She works closely with the center’s CIO, but still regularly sees patients. “The US VA has been on the cutting-edge of technology advancement for the past decade,” Shroff says, citing its widespread use of electronic medical records (EMR) as an example. The DCVAMC’s Electrocardiogram (ECG) Smartphone Project is just the latest illustration of the VA’s commitment to medical technology, according to Shroff. Due to the department’s robust EMR initiative, much of its patient data is already available electronically. Such an online format creates fewer challenges in the effort to bring such information to mobile devices, Shroff says.

90 minutes: The window doctors have between the time a heart-attack patient arrives and treatment is administered. Any longer and recovery rates drop dramatically.
Matters of the Heart
In the consumer world, mobile devices are hot. As she watched the evolution of smartphones, Shroff started to envision ways in which they could be used to help DCVAMC’s staff do their jobs better. After some research, perusing the available smartphone apps and the mobile platforms on which they run, Shroff decided on mVisum and BlackBerry. She saw huge potential in the app for cardiologists and their patients. RIM’s proven security safeguards built into its BlackBerry Enterprise Server (BES) also made BlackBerry devices a natural choice — though Shroff was quick to note that neither she nor the VA is stuck on BlackBerrys by any means. Dr. Shroff and her team launched mVisum in January 2009. mVisum helps cardiologists remotely diagnose heart-attack types and quickly communicate with the relevant people who are working to help the patient. mVisum can vastly decrease the time it takes to get patients into appropriate treatment by making high-quality — and secure — ECG readings available to cardiologists on their smartphones. In the past, DCVAMC staff had to first locate — and occasionally wake up — off-site interventional cardiologists and then determine the quickest and most efficient way to distribute ECGs for diagnoses. One other upside: mVisum can also potentially reduce hospital stays for patients, saving time and money for all involved, and getting those patients home faster. To sum up a fairly complex subject, there are various types of heart attacks, most of which require immediate treatment or else the chances of full recovery drastically decrease. The American Heart Association (AHA) defines an ST-elevation myocardial infarction (STEMI) as: “A severe heart attack caused by a prolonged period of blocked blood supply that affects a large area of the heart. These attacks carry a substantial risk of death and disability and call for a quick response.” A STEMI requires a door-to-balloon time of 90 minutes. This is the total time between when a heart-attack patient arrives at the medical center admittance desk and when an accurate diagnosis is made and treatment administered. If it takes longer, recovery rates drop dramatically. mVisum securely delivers high-quality ECG images, as well as built-in messaging capabilities, to cardiologists who are away from the hospital. It’s both simple to use and fully compliant with the Health Insurance Portability and Accountability Act (HIPAA). mVisum integrates with a
few existing DCVAMC systems, including the organization’s GE MUSE server, a cardiology information system, its VistA digital imaging system, and the DCVAMC’s BES. This is important for the continuity of information. For example, an ECG taken in one of the center’s hospital rooms is simultaneously transmitted via MUSE to the VistA imaging system and the mVisum server on site. The BlackBerry server then retrieves that ECG when the appropriate cardiologist logs into the app and requests it. No ECG or other sensitive information is ever stored on physicians’ BlackBerrys. As for costs, mVisum says it depends on the nature and size of the configuration. Though not providing specifics, Shroff said the price was “reasonable.” The DCVAMC’s two main objectives in launching mVisum were to maintain security and preserve image quality while providing remote access to ECGs. On one hand, the DCVAMC must legally protect its patients’ medical information. And on the other, provided you shore up the security angle, an ECG on your phone is worthless if it’s not readable or (worse) serves up inaccurate results, according to Shroff. “We put a lot of emphasis on patient security, but in reality it’s much more important to save their lives,” Shroff says. “There’s no way you could do something like this and not prove that it works. Like a new drug, it must go through trials before approval. That’s the same concept that needs to be applied here.” So that’s exactly what Dr. Shroff and her team did for mVisum’s clinical verification.

Mobile Trials
DCVAMC cardiologists retrieved and analyzed 506 ECGs via BlackBerry smartphone with the following results: 505 of the 506 ECGs were transmitted from the mVisum server to doctors’ BlackBerry devices without any issue. ECG transmission time was less than three minutes in 95 percent of cases. Acute STEMIs were correctly diagnosed in all cases. Cardiac rhythm was correctly interpreted in about 90 percent of all cases. Cardiac conduction was correctly interpreted in about 98 percent of all cases. Shortly after the trials were deemed a success, Dr. Shroff and her team went live with mVisum in January 2009.
Call of the Future
While the DCVAMC chose the BlackBerry because of its security strengths, Dr. Shroff won’t limit the hospital to one phone or mobile platform; she’s interested in any device that helps doctors serve their patients — as long as those devices meet the VA’s strict security standards. Devices with larger screens, like the iPhone, could be better suited for interpreting medical images and reading small text in the future, she says. She considered the touch-screen BlackBerry Storm, but concerns over hardware functionality quickly turned her off. The motivation behind mVisum and any other mobile app DCVAMC might launch in the future is to improve patient care overall, as well as to empower those patients to take a more active role in their own healthcare, Dr. Shroff says. She sees many of the tasks currently being performed on laptops in medical settings making their way to smartphone platforms as well. Possible future uses of mobile applications for physicians include remote order entry, remote chart changes, and the ability to read and make notes in real time on medical materials from anywhere, to name a few, Dr. Shroff says. On the patient side, Dr. Shroff envisions a future where all or most of the paperwork typically required when new patients check in could be filled out via patients’ smartphones. This would reduce the need for paper and speed up the admittance process — though she admits such a reality is a long way away. That said, the DCVAMC is already working on an iPhone app for patients, though Dr. Shroff didn’t share specifics. “Right now, we’re using [smartphone technology] in a really small application to see if we can make a difference,” Dr. Shroff says. “But there’s potential for much more.” CIO
Send feedback on this feature to editor@cio.in
Event Report | Money Matters

MONEY GAME
It wasn’t very long ago when the BFSI sector was fighting for survival. Today, it’s back on its feet, thanks in part to innovative IT and CIOs who have an eye on the future.
“Today in the BFSI sector, IT is being looked at as a strategic manager; I believe the needle is shifting.” SRIRAM KRISHNAN, EVP-IT, ING LIFE INSURANCE
“The infrastructure in rural areas isn't IT-friendly. So, we resorted to solar energy and VSATs.” ANANTH PADMANABHAN, AGM-IT, KARNATAKA BANK
IT’S IMPORTANT for the financial sector to shield itself from all kinds of risk. But over time, the sector has witnessed extremely bold open source deployments, innovative use of GPRS technology, and revolutionary examples of virtualization. In fact, IT leaders in the BFSI sector are steering technology investments to positively impact the bottom line, while some vendors are developing technologies to streamline these efforts. “The growth of the Indian BFSI sector over the past two decades makes for an interesting study,” said Nagarajan Narasimhan, director research, CRISIL, during his presentation at CIO's Money Matters summit for IT leaders in the financial and banking sector. His talk covered the incredible growth of the industry and the role of IT in its future. The financial services sector, he said, has seen a seven-to-eightfold increase between 2003-04 and 2007-08. Another indicator of the growth of the sector is the fact that Indian banks maintained a capital adequacy ratio (CAR: a ratio of a bank's capital to its risk, which regulators track to ensure that banks can absorb a reasonable amount of loss) of around 13 percent — during a period when many large financial institutions around the world were toppling. “Indian banks have a CAR of almost 13 percent compared to their foreign counterparts who maintain a CAR in single digits. So even if we don’t add a rupee into the net worth of these banks, they would still be able to sustain a 20 percent credit growth for the next two to three years,” he said. Narasimhan also pointed out that the total assets of all scheduled commercial banks at the end of March 2010 touched about Rs 40,90,000 crore — about 65 percent of the country’s GDP. These phenomenal figures, he said, will continue to touch new record highs in the years to come, and IT has an important role in that growth. “There is a need to invest in infrastructure to assist other economic sectors to perform well,” he said. And that’s where IT comes in, he said. Large-scale IT deployments can help banks acquire a larger customer base, improve asset-liability management and sharpen anti-money laundering measures. This will create more operational efficiency among banks, which will boost profit margins — and ultimately a bank’s ability to extend credit for infrastructure development. Another salient feature in the Indian banking scenario, Narasimhan said, is increasing international competition. India has seen a large number of global banks controlling significant market share. And they bring capital, technology, and management skills with them. IT could provide a competitive edge over these foreign entities, he said. Narasimhan also spoke about the role of banks in capital investment. The ‘trickle down’ theory works well, he said, when an economy has healthy financial and banking institutions that ensure the development of the economy as a whole. That requires banks to invest huge amounts in infrastructure, which they have been doing. For example, the credit disbursement by banks to the infrastructure sector (primarily to power, roads and ports, and telecom) has grown at an impressive CAGR of 31 percent during the last six years. The maximum growth in credit was witnessed in the last two years at 43 percent and 36 percent. Here’s another indicator: Over the last six years, the proportion of bank credit to the infrastructure sector has increased from 10.8 percent to 14.6 percent. Narasimhan also shared CRISIL’s six-point index to assess the performance of the companies in the BFSI sector.

“We support a large number of small companies. Connecting all of them on a common platform is an issue.” K.R. BHATT, GM-IT, NABARD
“When you save energy your cost comes down. So, saving energy isn't just about CSR, it's also about profitability.” MURALI RAMALINGAM, MD, CONNECTM
“The slowdown gave us the opportunity to revisit the IT infrastructure to upgrade systems and bring in cost effectiveness.” SRIRAM NAGANATHAN, CTOO, RELIANCE GENERAL INSURANCE
“Not securing your desktop is like having a safe inside your home but leaving the front door open for anyone to walk in.” BOBY JACOB, SOLUTION ARCHITECT, NOVELL
The index, called CRAMEL, stands for Capital adequacy (which is at a healthy 13 percent), Resource availability in terms of liability and flexibility, Asset quality (the risk components of assets), Management quality, Earnings (both fund and non-fund based), and Liquidity and asset liability. Basing itself on these indicators, CRISIL says that the Indian economy is reviving after the slump. Narasimhan said that CRISIL is also pointing to higher capacity utilization, growth in revenues, and improved profitability among Indian enterprises. Also, the growth of GFCF (gross fixed capital formation: an indicator of the amount of new assets added to an economy), after being subdued for over two years, is expected to grow by 12.5 percent in 2010-11, he said. The entire approach towards technology-based banking has shown a significant improvement since the initiation of reforms in the 1990s. The introduction of the Real Time Gross Settlement (RTGS) system not only resulted in better implementation of Basel compliance but has also paved the way for risk-free, credit-push-based fund transfers settled in real time. In addition, Core Banking Systems, he said, have also helped financial institutions tap vast swathes of the rural sector where setting up physical branches has been a huge investment concern. Leveraging technology in innovative ways can make up for the existing lack of infrastructure and help banks reach remote areas and reduce the cost of expanding their businesses. It is widely recognized that the core banking functions alone do not add to the bottom line of banks — value-added services are slowly but steadily emerging as a substantial opportunity for banks to exploit. It is unlikely that customers will hesitate to use such services in view of the convenience they offer. Finance and banking, he said, can make substantial use of IT to improve on their existing models of operation and ensure growth.

What Lies Ahead: After bearing the gnawing pressures of the global meltdown, CIOs are now geared to revise their priorities as the global economic recovery gains steam, said Pradeep Udhas, head IT/BPO sector, KPMG. “IT value forms the cornerstone of the CIO agenda for 2010,” he said. His observations were based on a new KPMG report that looks at the priorities of CIOs and IT decision-makers across the Americas, Asia Pacific and Europe. The survey report, titled From Cost to Value: 2010 Global Survey of the CIO Agenda, is aimed at providing relevant insights to CIOs and helping them set their priorities for 2010. The results were categorized into eight areas of priority, ranked one to eight: IT value, the CIO profile, the value of people, process improvement, risk and compliance, sourcing, collaboration and finally optimism. The survey report underscored the fact that CIOs are beginning to reposition IT. They are shifting their focus from cost-based efficiency to value generation. “With 80 percent of the respondents placing IT value highest on their agenda for the future, it is clear that IT is no longer about cost cutting — it is about creating value,” the report said. However, in their quest for IT value, CIOs have not lost sight of the fact that the value of IT can be exploited by a highly adept people force. That’s why 89 percent of the respondents mentioned ‘people’ as a major component of IT value. But to harness the value-generating potential of technology, CIOs need a highly skilled workforce. “Successful IT value creation needs to integrate and align the organization’s technology, processes and people agenda. One of the major potential pitfalls is the inability of many organizations to find suitably skilled people to drive the IT-enabled business transformation agenda. Often precious time and the ability to create value are lost as organizations embark on ambitious projects with the wrong people at the helm,” explained Udhas. But the agenda of the future doesn’t just hinge on a skilled workforce. The survey report highlighted that the profile of a CIO is also an important factor. To a large extent, the daily focus of any CIO depends on the sector in which he or she operates. “CIOs in the financial sector are comparatively more involved with daily operations, while those in the manufacturing sector are increasingly looking at ways to innovate and transform by capitalizing on IT,” said Udhas. Results showed that a CIO focusing on operations also puts other related themes high on his or her agenda, including IT sourcing and cost optimization. The latter surfaced as a frequently cited priority, with 56 percent of respondents viewing it as a competitive weapon. CIOs are also increasingly becoming critical of their sourcing providers. Some respondents mentioned they are paying much more attention to price-quality ratios.

“We brought down our policy data entry costs from Rs 150 to Rs 15 just by re-engineering our processes.” C. MOHAN, CTO, RELIANCE LIFE INSURANCE
“Unless one monitors one cannot optimize. Monitoring your data and processes helps identify bottlenecks.” BYJU JOSEPH, AVP-IT, FUTURE GENERALI INDIA
A significant majority of respondents indicated they intended to increase pressure on sourcing partners. Also, within the financial sector, risk and compliance are clearly higher on the agenda than in other sectors. “Eighty-two percent of the respondents expect the costs of compliance to increase in the next few years, with the majority expecting an increase of between 10 and 20 percent. There is value in regulation. The cost of compliance has rocketed as companies moved from writing policies and discharging responsibilities to testing and demonstrating operation effectiveness,” he added. Udhas felt that IT can help address this. “IT can and should drive enhanced automation, analytics and reporting that are designed to reduce compliance costs,” he said. When it came to their plans for the future, the survey found that CIOs in a dynamic internal environment were more inclined to try new concepts and technologies such as collaboration management and the appointment of a dedicated portfolio manager. With online services growing rapidly, CIOs expect use of collaboration tools to increase significantly over the next five years. Cloud computing generated significant interest, with 72 percent of respondents saying that they consider it a good way of outsourcing IT functionality. However, the barriers to adoption were a lack of clear understanding and confusion around regulation. This is especially true for financial organizations. On the whole, CIOs are optimistic about the future. “They expect both their project success ratios and their ROI to grow in the coming years,” said Udhas.
(FROM LEFT): JONATHAN ANDRESEN, Director, Product & Solutions Marketing, Asia-Pacific, Bluecoat, KAUSHAL MASHRUWALA, VP, South Asia, Progress Software, VIVEK SUBRAMANYAM, CEO, iCreate Software
Science of Persuasion: “Maybe we don’t have to be CEOs, maybe we can just be CIOs and make a contribution and create impact,” said Karthi Marshan, head-marketing, Kotak Group. The science of persuasion when chanted increases the power of a CIO, stressed Marshan. To understand and deliver on a path we set for ourselves, there are certain key techniques we need to master. Elaborating on this theory, he compared each individual in the room to a cicada and a mayfly. Years of evolution, he said, have taught the cicada to emerge from its underground abode only during its prime years to dodge its predators. This is similar to how a CIO surfaces occasionally, resolves a crisis and drills back into the underground to make sure that his company’s engine is running smoothly. A mayfly, on the other hand, is nature’s way of helping us understand the importance of single-mindedness. This insect’s only focus is to mate, since it knows it has only 24 hours to live. The adaptability and focus displayed by these two insects are essential to survive in the competitive and ever-changing business world. People in the IT sector are labeled left-brained, whose area of expertise starts and ends with logical, sequential, rational and analytical objectivity. Their stereotype says that they only access a part of the larger picture. People in the marketing division, on the other hand, are considered right-brained, which makes them random, intuitive and holistic: individuals blessed with the ability to look at the larger picture. “If you ask me, this is a load of crap but the stereotype exists,” said Marshan. Breaking the stereotypical image of a CIO and distinguishing him beyond the circumference of his role was Marshan’s purpose in discussing the science of persuasion. Practicing its principles of likeability, reciprocity, consistency, social proof, authority and scarcity in any organization can help establish and achieve one’s career goals.
Emphasizing this point, Marshan asked the audience: Why does a banker get more respect than a CIO? Is it because he dresses better? It could be one of the reasons, he said, and continued to discuss the importance of grooming oneself and using one’s smile to increase one’s likeability quotient within the organization. “In marketing we call it mirroring: Dress, talk and stand like your customer,” said Marshan, while highlighting the importance of speaking the language of your listener. “Speak outcome deltas and not CRM; growth in revenues attributable to TAT and not TAT,” he advised. Not just the manner but the mindset around a CIO needs to change as well. And to do so, CIOs need to showcase evidence of social proof to back their ideas; they need more authority. “We respect authority. For example, in a plane, who would you trust more, the captain or the air hostess, if you were asked to turn your phone off?” asked Marshan rhetorically. He used his own example to show how using matrix, growth reports and internal surveys, and pitching employee performance against each other, drove home efficiency and earned him credibility and authority among his co-workers. Another means of creating a healthier work environment is removing the ‘members only’ signs from the doors in companies and creating an inclusive work environment. Persuading by adopting the code of diplomacy ‘saam, daam, dand, bhed’ enables the successful execution of a plan. Kotak is soon going to have its first green headquarters at the Bandra Kurla Complex in Mumbai, he said, only because he used these four codes, pacify, charity, divide and punish, to his advantage, making sure he got a LEED certification for their new office. While diplomacy goes a long way, the science of reciprocity, according to Marshan, ensures that when you “Do something nice for somebody, they will do something nice for you. They are compelled to!” he said. And when you turn reciprocity on its head the words of Benjamin Franklin fit perfectly: “Get someone to do you a small favor which is specific to them and they’ll like you more.” To conclude, Marshan threw light on the importance of having a specific goal in mind. He used the example of a CIO who might want to gain entry into his organization’s strategic planning.
An individual in this position, according to Marshan, needs to draw attention to his achievements, and to tabulate and share them using the science of persuasion. This is the best way to bridge the divide between CIOs and the executive table.

REAL CIO WORLD | JULY 15, 2010
YOUR LIFE & CAREER PATH

thrive

SOCIAL NETWORKING

The New Age Mutant
BY MIKE ELGAN

If you're between the ages of 20 and 60, chances are you're a hybrid human — when it comes to social networking.

Have you ever tried to get an older person to use Facebook? We bought my grandmother an iPad for her 98th birthday last week. Tellingly, she was able to use it very quickly and easily. She immediately started reading and sending e-mails, and playing some of the games we installed. She loves the iPad. Facebook? Not so much.

My wife has a friend in her 80s. She's super smart and in many ways lives like a young person. She uses e-mail and has no trouble with other facets of modern life. But Facebook? She won't do it. My wife and I gently urged her to get into Facebook and trotted out all the benefits. Finally, she came out with it: "I understand that it's great, but I just can't and won't do Facebook."

Here's the interesting bit. Some older people respond to Facebook in exactly the same way that younger people respond to not using Facebook. It's all about brain wiring.

Have you ever seen the Four Eyes Illusion? It's a picture of a young woman digitally altered with an extra pair of eyes and an extra mouth. The image is shockingly uncomfortable to look at. And that's because our brains are hardwired to recognize the human face. Once we burn into our brains that faces have two eyes and one mouth, we cannot accept one with four eyes and two mouths. It challenges the foundations of our mental firmware.

And that's what's happening with Facebook. Many people over 60 established very early on a clear understanding about communication: There are two kinds. The first is one-to-one and private: letters, phone calls, telegrams. The second is one-to-many and public: TV, radio. A person with this hardwiring has no trouble with e-mail, which is understood to be an electronic version of the postal system. They also have no problem with YouTube, which is viewed as an Internet version of TV. When some older people try to mentally grasp Facebook, it's like looking at the Four Eyes Illusion. It's neither one-to-one nor one-to-many. Facebook communication is any-to-any.

Not using Facebook is similarly disorienting to teens, and always will be. People younger than 20 were born more recently than 1990. That means one of the first objects they recognized as toddlers was the personal computer. By the time they were old enough to talk to grandma on the telephone, they did so with a cell phone. Kids under 20 have been hardwired with a new understanding about communication. It's pervasive, mobile and any-to-any. Is it public? Private? Whatever. There's so much of it that nobody cares.

People older than 60 tend to be 'Real World People'. They're comfortable with technology as long as it correlates with objects in the real world. People under 20 are 'Virtual World People'. They're comfortable with the real world as long as it's augmented by digital technology.

People between the ages of 20 and 60 are unique in human history. We are hybrid, mutant creatures. We have the mental wiring of both Real World and Virtual World Peoples. We're a transitional generation, and the only ones in human history generally capable of fully enjoying Facebook and also functioning without it. The reason is that we had time to adjust. When we were young children, there was no cell phone usage, social networking, chatting, or texting in our environment. We were taken step-by-step through the development of pervasive technology, one product or service at a time.

But we're all going to have to deal with young people as they enter the workforce. Their obsession with constant communication and comfort level with informal relationships isn't the result of stupidity, laziness or lack of character. It's brain wiring. I'm going to say this as plainly as I can: Young people will use Facebook at work. Period. They will never accept company rules that prevent constant social networking. They believe that the only reason such rules are in place is that the people who made those rules entered the workforce before Facebook existed. And they're exactly right. But the good part is that it's easier to change ourselves than to expect them to give up what they have grown up with. The faster we accept that, the better it is for us.

Mike Elgan writes about technology and global tech culture. Send feedback on this feature to editor@cio.in

Illustration by M M Shanith

three-minute coach

Help! How should I prep for my performance review?
Windy Warner, President, Procoach

Always review your established performance goals a few days prior to the meeting. This gives you time to gather information about your accomplishments that you don't have on hand. When reviewing goals, identify those you completed, including measurable results, and those you did not complete. If you did not complete any goals for legitimate reasons, identify why and what you will do to bring them to completion. Be objective and truthful. Put yourself in your manager's shoes. Write this evaluation down and bring it with you to the meeting so you're not relying on your memory. At the end of the review, ask what more you can do to increase your contribution to the organization.

Sometimes your performance plan is stated broadly without specific and clear expectations. In these instances, you should identify your specific accomplishments and results and present these during the review. If your current performance plan is not specific, make sure the next one is. If your manager doesn't delineate specific goals, do it yourself and ask for comments, alterations and agreement.

Never make excuses for not meeting a goal. Admit you didn't get it done and state what you will do to achieve the goal. If you don't agree with your manager's assessment, never argue. If you start feeling defensive, back off — your emotions will get the better of you, and arguing won't change your manager's mind. If you think you have a truly valid position, suggest another time to review the issue. Then objectively evaluate what was said. If you still disagree — for reasons other than your ego — revisit it when you can keep your cool.

Windy Warner works with CIOs and IT managers to improve their image as business professionals. Send feedback to editor@cio.in
Insights from Members of the CIO Governing Council
Pravir Vohra
As the Group CTO at ICICI Bank, Vohra focuses on the alignment of technology with business goals and helps the ICICI Group remain agile, flexible and competitive. Prior to this, he worked with Times Bank as VP-corporate services group. A postgraduate in Economics from St. Stephen’s College, Delhi, Vohra began his career at the State Bank of India where he worked for 23 years.
What Makes a Business CIO? ICICI Bank's Group CTO Pravir Vohra says IT should borrow business principles instead of running IT like an independent corporate structure.
Photos by Srivatsa Shandilya
IT Strategy

A P&L is definitely one way of running IT like a business, but it is a fairly extreme method. To me, running IT like a business has a far broader meaning. It includes: an IT department that is capable of understanding the P&L of the organization, knowing how it is contributing to the company in terms of saving or reducing costs, and quantifying the value of its own initiatives. The intellectual property that IT creates has to be commercialized. And to do that, the IT department should be guided by the finance and accounting principles of the organization rather than functioning as an independent corporate structure.

At ICICI Bank, we believe — and our businesses tend to agree — that we run technology like a business. For example, when the business comes to IT with a request for an enhancement or a change, IT asks it to present a business case. Once IT delivers what is required, it will check around six months later whether the benefit expected was achieved. This creates a sense of awareness. We do not maintain a separate P&L for technology. But every year we quantify, in rupee or dollar terms, the business value that IT has brought to the organization under categories like cost savings, revenue, new products, new markets entered and so on.

Also, we measure the downtime of every system and ask the IT owners to work with the businesses to come up with a business loss number on a per-minute or per-hour basis for every system. Then they print a monthly P&L that generally only talks about the losses incurred. For instance, if the CRM system goes down, an automated response informs us about the outage and its duration. This is then converted into a rupee value. So, at the end of the month, every outage is added up and a value is attached to it. This helps us to focus on reducing outages.

Usually, most people in the organization are not aware of what happens in other departments. So internal marketing, if only just to project the facts, is a part of running IT like a business.

Chargebacks, on the other hand, will depend largely on the nature of the business. At ICICI Bank, we do it across P&L entities. According to us, chargebacks make the businesses aware of the technology costs, but if a company's costs are relatively low then businesses can actually become dismissive of small amounts of chargebacks. This will lead to greater transparency of the department. We'd rather be transparent — even though it might mean that the ugly side of IT is exposed. But one needs to do it intelligently.

Running IT like a business enables trending, sensitizes users and makes technology more efficient. It also drives innovation by building a culture where every aspect can be classified as a revenue or cost. This does involve a lot of change management. But one can easily overcome those challenges. In the end, one needs to build a culture of trust and dependency and a feeling that IT and the business are on the same side.

As told to Anup Varier. Send feedback on this column to editor@cio.in