CIO November 15 2012 Issue


Leadership Business

GO CLOUD

Technology

VOL/08 | ISSUE/01

STAY SECURE

MOBILE

Big Data Choices Make the right storage decisions for big data.

HERE

LEAD

November 15, 2012 | ₹100.00 | www.CIO.IN

MANAGE

USE BIG DATA

START

BE A SUPER CIO IN 7 STEPS

COLLABORATE

source







From The Editor-in-Chief

PUBLISHER, PRESIDENT & CEO Louis D’Mello ASSOCIATE PUBLISHER Rupesh Sreedharan, Sudhir Argula EDITORIAL

Staying the Course

Seven years ago in the inaugural issue of CIO, I’d made a promise to you on behalf of my colleagues and myself. That you would find in the pages of the magazine, and its companion website and our events, content that was solutions-oriented, which would offer insights into how your peers across verticals approach and solve issues and help you deal with the business of technology. What many of you have told me suggests that we have indeed redeemed that pledge quite substantially.

Creating a knowledge-sharing platform for a community is not an abstruse science. Anyone with the right set of resources ought to accomplish that much. But staying true to your information requirements is not as easy as it appears. We achieved that by investing in building enduring relationships across the spectrum of Indian IT leaders. Those associations, and the bridges of trust that have resulted from them are the lifeblood of this magazine and everything associated with it.

That is why you share with us your triumphs and failures; your public joys and your very private sorrows. That is why we’ve continued to be a relevant part of your life. And, that is why we tried in our way to help you get better at what you do; to help you get a stronger voice in the C-Suite; to make you better at championing business innovation.

We have been fellow travellers on a path that’s seen the scenery change quite a bit over the years. And, it’s been a rare honor to chronicle how much has changed in your life, and how much remains the same.

In this, our Seventh Anniversary special issue, we’ve looked at seven issues that are changing the dynamics of both your role and your business and bring to you field-tested learning from IT war-rooms the world over (page 34). Given how well we know what impacts you, we believe that the road to your personal nirvana is to be found among these pages. Let us know how these pan out in your organizations.

I offer thanks for your suggestions and guidance that have kept us on track, and given shape and definition to this publication. Salud!

EDITOR-IN-CHIEF Vijay Ramachandran EXECUTIVE EDITOR Gunjan Trivedi, T.M. Arun Kumar ASSOCIATE EDITOR Yogesh Gupta DEPUTY EDITOR Sunil Shah ASSISTANT EDITOR ONLINE Varsha Chidambaram SPECIAL CORRESPONDENTS Radhika Nallayam, Shantheri Mallaya PRINCIPAL CORRESPONDENTS Anup Varier, Gopal Kishore, Madana Prathap SENIOR CORRESPONDENT Sneha Jha CORRESPONDENTS Aritra Sarkhel, Debarati Roy, Eric Ernest, Ershad Kaleebullah, Shweta Rao, Shubhra Rishi CHIEF COPY EDITOR Shardha Subramanian SENIOR COPY EDITOR Shreehari Paliath COPY EDITOR Vinay Kumaar LEAD DESIGNERS Jinan K.V., Suresh Nair, Vikas Kapoor SENIOR DESIGNER Unnikrishnan A.V DESIGNERS Amrita C. Roy, Sabrina Naresh

SALES & MARKETING PRESIDENT SALES & MARKETING Sudhir Kamath VP SALES Parul Singh GM MARKETING Siddharth Singh MANAGER KEY ACCOUNTS Jaideep Marlur, Sakshee Bagri SENIOR MANAGER PROJECTS Ajay Chakravarthy MANAGER- SALES SUPPORT Nadira Hyder MARKETING ASSOCIATES Anuradha Iyer, Benjamin Jeevanraj PROJECT CO-ORDINATOR Rima Biswas, Saurabh Patil LEAD DESIGNERS Jitesh C.C., Pradeep Gulur DESIGNER Lalita Ramakrishna

EVENTS & AUDIENCE DEVELOPMENT SR. MANAGERS PROJECTS MANAGER SENIOR EXECUTIVE PROJECT COORDINATORS

Ajay Adhikari, Chetan Acharya, Pooja Chhabra, Tharuna Paul Shwetha M Archana Ganapathy

FINANCE & OPERATIONS FINANCIAL CONTROLLER SR. MANAGER ACCOUNTS SR. ACCOUNTS EXECUTIVE MANAGER CREDIT CONTROL SR. MANAGER PRODUCTS ASST. MANAGER PRODUCTS SR. MANAGER PRODUCTION SR. MANAGER IT

Sivaramakrishnan T. P Sasi Kumar V Poornima Prachi Gupta Sreekanth Sastry Dinesh P. T.K.Karunakaran Satish Apagundi

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Vijay Ramachandran, Editor-in-Chief vijay_r@cio.in

November 15, 2012 | REAL CIO WORLD

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

IDG Offices in India are listed on the next page




contents November 15, 2012 | Vol/8 | issue/01

How To

58 | Sourcing Outsourcing is still in. It might have taken on new names—like the cloud—but traditional sourcing isn’t extinct. Read on to find out how to leverage it.

65 | Leadership Leadership is an art. But it isn’t hard to master—once you realize that good leaders are great followers. If you want to be one, follow these suggestions.

71 | Mobility The mobile revolution has created a new world order. So much so that today businesses depend on it. Learn how to harness mobility’s potential.

Tame Big Data | Manage Angry People | Spot a Liar | Stop Rogue Sales | Become a BYOD Guru | Choose a Cloud Vendor | Find Talent

79 | Security New technologies have opened doors to new threats. And to combat them you need new weapons. Here are some.


34 | How To COVER STORY | IT Strategy Hone your leadership skills, be a mobility guru, master cloud computing, tame big data, manage security, collaborate better. Get a step closer to being a complete CIO. By Team CIO

36 | Collaboration If you haven’t taken to social media and UC yet, you are an endangered species. Follow these tricks to make your business sociable.

Cover design by Vikas Kapoor

44 | Cloud Computing You think you've seen and heard all about cloud computing? Wrong. You’ll be surprised by how much you don’t know yet. Flip over for some revelations.

51 | Big Data Big data is big trouble. But if handled with care, it can be a treasure trove of information. Here are some tips to make the most of big data.




contents (cont.)

departments

2 | From the Editor-in-Chief
Staying the Course By Vijay Ramachandran

9 | Trendlines
Mobile Apps | How to Prevent Traffic Congestion
Quick Take | How to Run BI
Voices | How to Avoid Burnout
IT Strategy | How to Work Under Pressure
Work-life Balance | How to Buy an ATV
Networking | How to Network Effectively
Innovation | How to Put Your Laundry in the Cloud
CIO Skills | How to Get Honest Feedback
Leadership | How to Be a Good Mentor
Business Issues | How to Push Drugs Better

18 | Alert
Skills | How to Be an Effective CSO
Protection | How Not to Get Hacked

104 | Essential Technology
Disaster Recovery | How to Plan DR Better
DR Drill | Gearing Up for Disaster

108 | Endlines
Innovation | How to Know You’re Compatible By Jay Alabaster

87 | How to Harness the Power of Consumerization
Feature | IT Management So you’ve said yes to the use of personal tech. How do you make it work for—and in—your business? By Lynn Haber

98 | How to Boost Customer Loyalty
Feature | Business Intelligence Guesswork no longer cuts it. Here’s how three smart companies used business analytics software to improve customer loyalty. Feature by Mary Brandel

Columns

27 | How to Be the Next CIO
Strategic CIO Tackle some of the things that your own replacement would do. Remove some pain points and form the relationships that a new CIO would. Column by Bryson Payne

28 | How to Become a Better Communicator
Staff Management Do you find that you or your IT team members aren't communicating as well as they could? Here are two powerful techniques. Column by Bob Kantor




CIO Online

[ Editor's Picks ] The Chosen Ones
To read the most interesting, exciting, and fascinating stories of the day, check out our Editor's Picks. Read the latest features, surveys, and interviews on emerging technologies, challenges and opportunities.

[ CIO TV ] Video Library
From case studies to peer-to-peer advice, and from new technology developments to international events, our videos cover everything that's important to you. To keep yourself abreast of the happenings in the IT world around you, watch our online videos. cio.in/videos

[ Slide Shows ] COMING SOON
Tech's 7 Scariest Monsters, India's Highest Paid IT Execs, and more. Watch this space.

[ Surveys ] By the Numbers
Our surveys are a treasure trove of technology, staffing, security trends and beyond. They mirror economic realities and how they impact you. Visit the By the Numbers section online. cio.in/by-the-numbers

[ News ]
Our CIO World newsletter gives you a daily dose of everything that affects you, your staff, and your business. Log on to check out the latest news. Don't receive our newsletter? Log on to our website to subscribe today! >> cio.in/news

Read More @ cio.in
>> Case Studies >> Whitepapers >> Articles >> Strategy Guides >> CEO Interviews >> Events

Catch our anniversary Special Online


trendlines

new * hot * unexpected

EDITED BY Shardha Subramanian

How to Prevent Traffic Congestion

Analytics The Westminster City Council is running a trial in the West End of London using sensor technology and data analytics that could transform parking congestion in busy areas. The technology could give the Council insights that could lead it to change its parking policies and encourage different driver behavior. “We can now bring all the cashless information (data from mobile parking payments) and link it to the geographic information system,” says Jo Lodge, head of BI and GIS at the Council. “You start to notice that one street is occupied 100 percent of the time, whilst one around the corner is occupied 30 percent of the time. People obviously don’t know that there is parking close by.”

The trial is being run on Savile Row, which is occupied 85 percent of the time, and Sackville Street, which has a 45 percent occupancy. Both have an equal number of parking spaces and are a very short distance apart. The Council feeds this information to users in real time using an app, and to marshals on the street so that they can advise drivers where they should go.

The trial has been extended to three other locations, covering 200 spaces in total that are fitted with infra-red sensor technology that identifies whether or not a car is parked there. This information is then delivered to the back-end database in real time so that the Council can visualize the occupancy rate. “We have had over 1,000 downloads in about three weeks. We have started to do an analysis of the data we have from the sensors to see how many vehicles we have had through the area, how long they have stayed, and we are just putting together the applications to take in feeds,” says Lewis Johnson, information analyst in the parking services division. —By Derek du Preez

QUICK TAKE:

How to Use BI for Competitive Edge

Strategy There are few industries where analytics can make as large an impact as in retail. Gopal Kishore spoke to Mike McNamara, CIO, Tesco, to find out how the retail giant is building competitive strategies around data-driven insights.

How is analytics helping Tesco stay competitive? Analytics is helping Tesco earn and grow the lifetime loyalty of its customers and meet its core aim: To understand customers better than anyone. By using analytics to make better decisions, we have been able to identify our most profitable customers, accelerate product innovation, and optimize supply chains and pricing.

Is it driving sales? In the mid 90s, we introduced the concept of loyalty cards to the retail sector. We got a huge amount of basket-level data that we have been able to mine for the last 15 years. This information helps us to direct our promotions such as the coupon system. These promotions achieve redemption rates of 30 percent, which is phenomenal, compared to the direct marketing industry’s average response of 2 percent. The next step is to take customer analytics real-time, and have real-time pricing and promotion—which should happen in a few months.

How does analytics help in procurement, inventory, and pricing? Our food supply chain system is probably the best in the world. On a weekly basis, we shift a billion items from thousands of farms and factories to stores. And getting this right calls for a very sophisticated analytics system. We create forecasts for special events such as holidays and take details such as the weather into account. For instance, our customers in the UK may purchase items for a barbecue if the weather is predicted to be sunny over the weekend. So we design our promotion around it. Our operational analytics system plays a key role in generating a time-phased order forecast.


VOICES: How to Avoid Burnout

Time Management There’s no doubt that IT—in every shape and form—has trespassed into our personal lives, blurring the line between work and pleasure. With trends like consumerization of IT forcing employees—and CIOs—to work 24/7, there’s no off-time. This eventually leads to burnout. But how do CIOs keep themselves going? How do they deal with burnout? Shweta Rao asked some of your peers and here’s what they said:

Jayakumar M Head-IT, Eastern Condiments
“I like to take time out and completely disconnect from technology now and then. I turn my phone off and stop checking e-mails. Also, creativity is a powerful antidote to burnout. Start a fun project or resume a favorite hobby or try something new.”

Arup Choudhury GM-IT, Eveready Industries
“Not everyone is comfortable with yoga and meditation, but they work like a charm for me. Alternatively, I love playing games and never forget to laugh out loud everyday.”

Sanjeev Kumar Group CIO and Group President Business, Adhunik Group
“Ensure you have a repository of books that you can connect to when you have questions. For example, I always find my answers in the Bhagavadgita and another beautifully written book I accidentally came across called Getting Unsettled in Life by Chetan Walia.”

How to Work Under Pressure

IT Strategy As a mountain of work builds around you, and the clock next to your family photo ticks faster, you start hyperventilating, you can feel your heart beginning to race, and your shoulders tighten. We’ve all been there. In the world of IT, pressure could be a result of mismanagement, focusing on the wrong problems, and—sometimes—bad luck and bad bosses. “Many teams that are under pressure usually have the resources to finish a project. The problem is that they stop exploiting them efficiently,” says Pradeep Kumar Yadav, CIO, ZTE Telecom. “That happens because they lose sight of the goal in the frenzy of reaching a deadline.” Yadav should know. His 25-year tryst with the telecom industry has given him an idea of how maniacal a CIO’s life can get. Here are three tricks Yadav uses to avoid pressure:

Don’t Hesitate to Innovate: Just when teams most need to perform to their optimum capacity and deliver high-quality results, they begin to revert to the conventional. Yadav says that being shortsighted and going down the safer, standard way of working wastes remarkable opportunities. “The more generic our approach is, the more concerned we need to be. CIOs must not shy away from experimenting to approach a solution,” he says.

Be Creative, Even Under the Gun: Creativity usually ends up being killed under pressure. “At ZTE, we value having unstructured, unpressured time to harness new ideas. Time constraints breed anxiety. Only building trust will help relieve the tension,” says Yadav. “For example, I tend to ensure that my team’s developer is confident that he will not be blamed for adopting an unconventional route to reach a solution if we hit an obstacle.”

Prioritize. Don’t Procrastinate: It’s a good habit to create a priority list—but its importance is amplified when you are under pressure. It does two things: one, it gives you an idea of the amount of work, and two, it ensures you are able to prioritize better. “My ultimate mantra is that COS (critical, operation- and strategy-related work) remains a top priority. Even when all hell breaks loose,” says Yadav. —By Shweta Rao



How to Network Effectively

Networking Let’s admit it: Few of us are born networkers. Yet, the need to build a web of connections only gets more important in an increasingly connected world. At work, at home, and socially, getting things done requires getting off our islands and collaborating. To do that, it’s critical to network and be remembered. Here are some tips to do that from Rohan Deshpande, CTO, Ogilvy & Mather Worldwide.

Read Up. Remember it’s as important to be interested as it is to be interesting. Try to figure out what people are interested in and take it from there. “For example, if I know that someone across me is comfortable discussing Sachin Tendulkar, then I’d like to be conversant in the topic,” he says. Not surprisingly, Deshpande’s phone receives RSS feeds from 18 news sources. “I try and skim through websites like Techcrunch, Wired, Mashable, Moneycontrol, the Economist and other sports and Bollywood websites on a daily basis,” he says.

Be Memorable, But Be Yourself. Look to break free from the noise and be remembered. “I remember a break out session during a CIO event held in Dubai last year. I had volunteered to represent my group during one of the sessions and people from my group instantly recognized me thereafter. In fact, one of them even reserved a table for a few of us during the sit-down dinner at CIO 100 awards this year.” Just don’t try too hard, he says. “Let me put it this way: Don’t just be yourself, be the best feasible version of yourself,” he says.

Leave Behind a Hook. A mental hook is very handy when you want to be sure to be remembered. “Basically, the idea is to include something unique about yourself in your introduction. It can be anything from what you do, to where you work. The point is to leave behind a simple, but interesting hook,” says Deshpande.

Stay in Touch. Be it e-mail, voice calls, or SMS, keeping a connection alive is just as important as making it. “I’m still an SMS guy. I send texts to my close peers, vendors, and bosses on all festive occasions. Social media has made this easier. But do send only personalized messages. It lets people know that you’ve taken time out for them, and that makes a huge difference,” he says.

—By Shweta Rao

How to Drive an ATV

Work-life Balance Everyone needs an interest outside work; it keeps you sane and interesting. Ask most Indian CIOs and they’ll tell you they like to meditate, read, or listen to music. Then there is Burgess Cooper, CTSO, VIL, and his passion for ATVs (all-terrain vehicles). Cooper’s always had a thing for motorcycling and graduated to ATVs. In 2004, he created a world record for biking across four of the world’s highest passes—all above 18,000 ft—in 24 hours, and followed it up with an attempt to break the Guinness Record for the highest altitude reached on a motor vehicle. We asked Cooper what to watch out for if you want to drive an ATV.

Safety first. Cooper, who cut his ATV teeth in the rainforests of Australia—riding through rocky terrain, rivers, ranches, forests, steep mud falls and slush—and in Mauritius—when he had zebras and deer for company—has a strict ‘safety first’ policy. “The basic safety precaution of wearing a helmet should be adhered to,” he says. Then there is the roll cage. Unlike a car, if you turtle over in an ATV (not such an unlikely event), the entire vehicle can fall over you; and remember ATVs have no enclosures. “The only thing that can save you is a protective cage called a ‘roll cage’, an extra accessory. This is essential for people planning to do extreme stunts,” Cooper says.

Know your machine. “Riding an ATV is slightly safer than riding a bike and far less safe than driving a car. It works in your favour if you’ve had prior experience in riding a bike or driving a car,” he says. There are two kinds of ATVs: 4x4 (with four wheels) and the 4x2 (two-wheel ride). “My advice to first-time riders is to get comfortable with an ATV and gain experience riding it before you graduate to riding the vehicle on a terrain of your choice.” Unlike motorcycles, which have throttles to accelerate, in an ATV you have a two-finger scrolling acceleration. Turning, says Cooper, can create quite a strain on your hands because of the lack of automatic steering controls. Cooper advocates a considerable amount of proficiency in manual controls for riding an ATV.

Legal hassles. Did you know? You don’t need a license to ride an ATV in India. RTOs in India do not accept ATVs for registration. “You cannot ride an ATV on Indian roads since it does not have a number plate,” says Cooper. “The only opportunity in India for professional ATV racing exists in the form of the Raid de Himalaya race.”

—By Ershad Kaleebullah




How to Put Your Laundry in the Cloud (And More)

Technology Panasonic showed its latest home appliances at the Ceatec electronics exhibition, and everything—washing machines, refrigerators, rice cookers—connects to the Internet. The company has released a steady stream of “smart appliances” this year, all of which use smartphones to connect with online services. The full lineup was on display at Ceatec, Japan’s largest electronics show, just outside of Tokyo.

Panasonic’s first efforts to bring its profitable home appliance business into the modern age have had mixed results. The company’s cooking products, which include a microwave oven that can also steam food, and an advanced rice cooker, interact with an online menu service, and their cooking settings can be set to prepare a dish selected by the user. Data from its scales, pedometers and heart monitors can be uploaded and combined online to provide fitness graphs and a historical record of health indicators. Everything worked well together in demonstrations on the show floor, but the services are limited to Panasonic devices. In other cases, the “smart” features feel a bit forced. A washing machine can be set for users’ specific laundry detergents selected from an online database, and a refrigerator keeps track of how many times its door has been opened each day.

The products interact through the “Panasonic Smart App” which serves as a main control panel for the wired portion of appliances in its lineup. The app also provides ready access to instruction manuals and support help. Most of its products use NFC (near field communication) technology to interact with phones, the same “touch card” tech used in many train passes and e-payment systems. The technology is common in Japanese phones, but is still catching on outside of the country.

Panasonic also showcased an air conditioner that can be fitted with a Wi-Fi attachment, then accessed remotely from a smartphone. Currently the only features available are checking the air conditioner’s settings and turning it off, but this could be useful in the future, for uses like cooling your home on the way home from work during the summer. —By Jay Alabaster

CIO S k i l l s It’s management 101, but let’s face it: How many managers truly know how to elicit feedback? Yet, as business outcomes depend increasingly on collective action, and as employees have more to say about how IT is run, CIOs will need to find ways to gather the opinions of their colleagues and staff members. Over the course of his career, C.V.G. Prasad, CIO, ING Vysya Bank, who runs a 60-man department, has picked up a trick or two in getting people to share their opinions. Redefine what you mean by feedback. For many companies, feedback collection often means putting up a suggestion box. That, says Prasad, allows less-than-thoughtthrough ideas to find their way into the mix. “The suggestions box is a dead end. In my personal view, the definition of feedback is that it’s a two-way process,” says Prasad. The feedback process, he says, needs to be a discussion, “otherwise it’s just a suggestion.” If you’re serious about feedback, it’s important to “close the feedback loop,” says Prasad. To do that you need to identify an issue, understand its cause, and find a resolution, he says.

14

November

1 5 , 2 0 1 2 | REAL CIO WORLD

Stop Blabbing. Encouraging people to speak up often requires time—and taking the lead in getting a discussion going. The danger with that is that soon you could be the only voice you hear. That’s exactly what happened when Prasad created monthly staff meetings to encourage employees to be more open. But it was important to forge on. “This created an environment where my staff could openly tell me that I was standing and talking for too long! One of them said ‘I think you’re talking a lot in these meetings, maybe you should also let other people talk.’ I never realized that and said brilliant!” In the new format—also an idea suggested by a staffer after Prasad prodded them—his direct reports present their points of view. Make yourself vulnerable. “A fundamental principle in getting feedback is trust. Without trust no one will open up,” says Prasad. To get that trust, Prasad is willing to put himself out there. So during an employee’s appraisal, he will also ask them for feedback on his performance. “The fact that I’m asking for feedback”, Prasad says, “allows the employees to be more receptive to giving feedback.” — By Eric Ernest


How to Get Real Feedback



How to Be a Good Mentor

Every great warrior, leader or superhero has had a mentor—an influence in their lives who’s responsible for what they become. And as CIOs, grooming your prospective next-in-lines is as important as—if not more important than—generating revenue for your organization. But it’s hard to be a good mentor. Jitendra Mishra, CIO, Elder Pharmaceuticals, shares a few pointers on how to be one:

Leadership

Don’t Cherry Pick. It’s not wrong to be choosy. Separating the good fish from the bad ones is a hard—but critical—leadership trait. Even a bunch of talented people—and not just individuals—can be mentored. “If you find a way to do it, that is. And it isn’t easy,” says Mishra. In that case, wouldn’t mentoring only one person be easier? “Well, it breeds jealousy and apprehension in the team. Besides, how do you really know if your candidate is a sure-shot leader material? Today’s team spirit is far more vital to me than tomorrow’s probable leader,” he says.

Break Down Walls. Office lunches, informal team meetings, and even those occasional birthday parties—a good mentor makes the most of occasional team gatherings to develop camaraderie. “I strive till the point I can engage with my team on a personal level. People who take the initiative to respond are self-nominating themselves,” says Mishra. “Remember, there’s probably more for a mentor to learn in these informal gatherings than others.” —By Shweta Rao

How to Sell Drugs Better

In a land where people swear by grandma’s secret potion, pushing medicines can be a tricky business. For Indian pharmaceutical companies, that’s made worse by the complexities inherent to the business, including the need to convince doctors to buy into their goods, and the difficulty of ensuring that drug stores don’t run out of their products. At Cipla, newly-appointed CIO, Arun Gupta, is taking those two challenges head on. Here’s how.

Business Strategy

Focus on Customer Engagement

One of the challenges Gupta’s facing in getting Cipla’s medical reps to meet doctors is the economy. “The global economic uncertainty has a ripple effect on the amount of time doctors are willing to spend with medical reps, which has an effect on sales. We need to look within our processes to strengthen fragile customer relationships by understanding them better,” says Gupta. To do that Gupta believes that it’s time companies forget the credo of ‘managing customers’ and move on to get into their psyche. “The challenge is to figure out a way to go beyond e-detailing to engaging the customer,” he says. “As a technologist, my efforts are focused on providing medical reps with ample data to facilitate communication with senior doctors.” Gupta has implemented a Microsoft .Net framework with smartphones in the front end. “Cipla’s medical reps now carry data which helps doctors reinforce or differentiate one molecule over another,” says Gupta.

Ensure Drug Availability

Today, the lack of data available across the ecosystem to ensure drug availability to the end consumer is severely ignored. Hence, any pharmaceutical company primarily strives to ensure its drugs are available at every drug store its customer approaches. Accessibility invariably gets tied down to visibility. “Information visibility across the ecosystem ensures that everyone is aware of the decisions and status of the drugs. For this, we’ve used Microsoft .Net technology coupled with a cloud service provider.” While pharma companies globally reinvent the landscape with dynamic dashboards and smarter infrastructure supporting R&D and supply chain, it would be interesting to see how Gupta’s ingenious efforts bear fruit.

—By Shweta Rao


Communicate with Empathy. It’s very important to acknowledge a mentee’s beliefs and understand their needs. “A bad listener is a bad manager, and hence a bad mentor. Humans can gauge the receptivity of a person from the first few minutes of a conversation,” says Mishra. “So, if a mentor’s empathetic listening skills aren’t honed then he better step back,” he adds.

Avoid Hand Holding. Helping is one thing, but doing it for them is quite another. The best way for your protégés to learn is to let them do it themselves—even if they make mistakes. “As a mentor, I can help avoid mistakes—that I’ve committed over the years—with my insights. But in the process, I’m depriving them of the fun of learning. Many of us learn crucial lessons of our lives through experience and not from hearsay,” says Mishra.



alert

Enterprise Risk management

How to Be an Effective CSO

After a challenging day at the office, many CSOs and CISOs spend their harried nights wishing for a better and easier way to accomplish the tough tasks they face at work. Here are the top eight pain points and how to get rid of them.

Keep it Simple


There’s simply too much going on in the IT world. New cloud computing, mobile, and social networking technologies and innovations are flooding the IT infrastructure. There are so many technologies in today’s businesses—at best soldered together—but definitely not talking to each other. Unfortunately, it is only getting worse. Declining operational efficiency and effectiveness affects the whole organization. Too many security solutions offer 1,000 features, but most people only leverage 100. To be effective, we need solutions that actually talk, share intelligence, and learn from each other.

Create a Risk Management Strategy

Firewalls, AV, IDS/IPS, load balancers, routers, switches, DLP, Web security gateways, MDM, e-mail gateways, Active Directory, thousands of apps, thousands of databases, etcetera. We are overwhelmed with data that we aren’t necessarily looking at on a regular basis. We’ve asked many CISOs: “What value are you getting from your IDS or firewall logs?” Most responded that they have little to no value because there is just too much data. And it isn’t going to scale for the future. Even items like SIEMs are not intelligent. They are complicated to run and they simply turn data into information. But information isn’t what we need. You still need to collate and analyze the information to understand what actions to take. CSOs need a guiding compass that provides an effective overall risk management strategy.

Turn Data Into Wisdom

CSOs need data, so they can use their wisdom to make the best security decisions. To get there, data needs to be translated into information. And that information needs to provide intelligence. Intelligence will help CSOs build their security wisdom. The more intelligence CSOs receive, the bigger the benefit. Unfortunately, many of the solutions listed above aren’t translating information to intelligence. They are simply providing information, which leads to reactive actions vs. proactive actions.

Findings: People-led Security

Given that people are the weakest link in the security chain, CSO and PwC asked Indian CXOs how they were strengthening people-related security.

Top 5 People-based Information Security Safeguards in Place

Conduct personnel background checks: 65%
Have people dedicated to employee awareness programs: 60%
Have people dedicated to monitoring staff use of Internet / information assets: 58%
Employ a CISO: 55%
Link security to privacy and / or regulatory compliance: 54%

33% of Indian businesses say employing a CSO is a top priority in the next 12 months.

Source: GISS


Create a Robust GRC

There’s a pressing need for a risk-based approach that is simple to implement. Most of today’s buying decisions are gut-based on old experience and yesterday’s threat landscape. And while GRC solutions exist, usually these solutions are rule-based and are not intelligent, are overly complex, and don’t take a data-centric view. Many of the good risk and compliance solutions are also very expensive and few companies can afford them. We need a GRC solution that is easier to deploy and manage. As more CSOs partner with others and continue cloud adoption, GRC will be the tool of the future to help manage risk because they will have less and less direct infrastructure control.

Enable BYOD

CSOs want to enable the business by allowing BYOD, but most CSOs are not fans of mobile device management (MDM). They want security and data protection, but not necessarily to lock down or control the device. It makes it even harder when there’s pressure from executives to allow personal devices on the network. You need to be able to easily allow any device to access your network and data, but have full visibility and control of the data. The future is a hybrid of DLP and DRM mixed with virtual sessions. And for certain applications, data is then routed back into the datacenter. The future is not MDM. It just applies all the old ways of endpoint security to a new paradigm of mobile devices. It doesn’t solve the real problem.

Stop Spear Phishing

This is the number one way that most targeted attacks compromise users. Phishing may be an old method, but a researched, well-orchestrated socially engineered lure is very effective. We have asked 200 CISOs “How many of you feel confident you can stop a spear phish attack on your CEO?” And not one said they could. We have to think out of the box to solve this problem. The most successful way to solve this is by mixing science and humanities together. One great example is PhishMe.com. Depending on the technology and awareness, up to 70 percent of employees will click on a spear phish lure. Your security technology needs to be mixed with your awareness program because 15 percent will still click. You need an e-mail security solution that uses cloud-based spear phishing protection, which catches and inspects any never-before-seen URLs, before they hit your network. Your standard spam filters cannot do this. Lastly, many spear phishing e-mails avoid your company e-mail system and target your CEO’s Gmail account. So you need a Web security gateway that can protect your user when they click on a spear phish link. There are very few Web security gateways that are spear phish-aware. This is key.

Protect Data 24/7

This is about the data, not the device or outlet. So whether it is on a handheld, a tablet or in the cloud, you need to know where your data is, who is using it, when it is accessed—even if it was just created. You also need control of the data. This includes enabling data collaboration, knowing when it leaves your partners, and having a kill switch if your data is not in the right place. You should be thinking about your security program from the ground up.

Market Your Success

This is a big one. Security is a board room problem, but you have to be able to convince the board that it is a BOD problem, while measuring the trend to impart success. You have to address so many new security challenges and emerging threats. How can you possibly demonstrate your value to your CEO and Board of Directors? Put on your thinking cap.

Jason Clark is a CSO. Send feedback to editor@cio.in

[ONE :: LINER]

“Enterprises have been committed to ensuring that their networks are not used to send or receive indecent content. But solutions to identify such content are still in their nascent stages. Creating a culture of awareness can prevent this.” — Sunil Varkey, CISO, Idea Cellular


How Not To Get Hacked

Two Romanian hackers will serve time for targeting Subway in a $10 million (about Rs 55 crore) point-of-sale conspiracy involving 150 restaurants in 2011. Iulian Dolan pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, while Cezar Butu pleaded guilty to one count of conspiracy to commit access device fraud. Dolan was sentenced to seven years in prison while Butu received 21 months. The third alleged hacker is awaiting trial in New Hampshire, while a fourth remains at large. It’s not just the hackers who are to blame, however; Subway’s sloppy business practices left the chain vulnerable.

The Weakest Link

The hacking scheme exploited remote desktop software installed on the computers connected to the point-of-sale (POS) devices. Remote access software allows a third-party to access a PC or other device, usually for the purpose of updating, repairing, or monitoring said device. In this particular hack, Dolan identified vulnerable POS systems using the Internet. Next, Dolan hacked into these systems using the pre-installed remote desktop software, and installed key-logging software on them. The keylogging software allowed Dolan to record all of the transactions that went through the compromised systems, including customers’ credit card data. Dolan then moved the credit card data to dump sites, where it was used to make unauthorized purchases and transfers by Oprea and, to a lesser extent, Butu.

In a similar—perhaps related—case in 2009, Romanian hackers targeted the POS systems of several Louisiana restaurants. These systems were also hacked via exploitation of remote access software, which had been installed by the devices’ reseller, Computer World, for the purpose of providing remote support.

This type of hack is a cautionary tale for both consumers and small business owners, who may not even realize their point-of-sale devices are running preinstalled remote access software. Remote access software can be a godsend for business owners who aren’t all that tech-savvy, since it allows someone offsite to control and troubleshoot a device from afar. If your device has remote access software installed, take these steps to help keep the hackers away:

Regularly check your Windows Task Manager to ensure that there are no shady processes running when they shouldn’t be.
Change the default password of the remote access software.
Update your computer regularly and use a good antivirus program, which will help keep sketchy programs from being installed on your computer.

According to Verizon’s 2012 Data Breach Investigations Report, 97 percent of data breaches are avoidable using simple measures, such as firewalls on all Internet-connected services, changing default credentials, and monitoring third parties that manage your business’s POS. In other words, if there is remote access software installed on your point-of-sale computer because a third party needs to access it, it’s very important to ensure that that third party also keeps its security up to par.

Sarah is a freelance writer and editor based in Silicon Valley. Send feedback to editor@cio.in

Japan’s Oops! Moment

An online debate has broken out over a Japanese mobile app that may have published as many as 760,000 address book records from its users in a publicly searchable database. The mobile app, called “Zenkoku Denwacho,” or “Nationwide Telephone Directory,” was a free piece of software for Android phones that says it provides a database of Japanese phone numbers, names and some location information for private individuals and businesses. One “feature” of the app was that it accessed the address books of users, including GPS data, then added that information to its public records. Japanese security firm NetAgent posted a blog entry calling the software “malicious” and saying it stole the data from users. But on download pages that were still online, the app’s description states that it is creating a national database and will “use” information from users’ address books and GPS readings, adding them to its existing database of 38 million records taken from other online databases. NetAgent said the app, which has been live since September, had been downloaded about 3,400 times and that as many as 760,000 address book records had been uploaded, without revealing how it reached those numbers. In blogs and Twitter entries, an online debate ensued about the app and its similarity to other popular services in Japan.

—By Jay Alabaster



Custom Solutions Group Canon

The Magic of Managed Print Services

The potential of Managed Print Services (MPS) is still untapped in Indian organizations. But when implemented effectively, MPS can reduce costs, improve business workflows, create a predictable opex model, and enhance efficiency.

Printing is hardly the most exhilarating technology the IT industry has to offer, but Gwenyth Taylor seems genuinely excited by the potential of managed print services (MPS). That strange statement may have something to do with the environmental and cost impact her employer has seen—some 37 million pages saved annually since 2004—during the five years since it switched from plain old printers. It could also be the number of personal printers legal firm Allens Arthur Robinson has eradicated and the consolidated printer fleet that resulted, not to mention the improved efficiency and reduced requirements for end-user support. Most likely, however, it’s a combination of all of the above, and the continuing opportunities for improvements that make an almost evangelical example of why any company should switch to managed print services.

Of course, like many firms, Allens Arthur Robinson is a big printer—a “sausage factory for documents” according to Taylor’s partner in crime, Peter McGrath—and it ultimately has a big stake in the printing arena. Still, it’s likely that more companies will exponentially increase their own stake in the near future. After all, the MPS market is booming. As that market grows, the number of vendors and the types of services on offer are likely to multiply, making the MPS-uninitiated a little uneasy, but McGrath says there is little argument against the service: “I’m amazed there are still some companies that aren’t doing it”.

Outsource the Boring

Like the cloud conundrum, there are multiple connotations for managed print service. As a point of differentiation, Canon even scraps the term in favor of managed document services, indicating its focus on documents rather than printers. To follow the old adage, the cheapest document is one not printed.

“We’ve now got people coming into meetings with a one page agenda and other people looking at them and saying ‘did you really feel you needed to print that?’ It’s a cultural thing,” says Taylor.

To add pressure to pain, analyst firm IDC refuses to refer to MPS as an isolated term. While MPS can be generally defined as enabling organizations to outsource print-related services and solutions so they can re-focus on their core competencies, IDC’s research manager of the Asia Pacific services team, Suchitra Naryan, argues “value-add MPS” is a more apt term for the wider market. In the value-added version, MPS is a proactive service designed to improve business workflows and reduce costs in a targeted manner. Beyond the basics of paper supply, and even hardware maintenance, the vendor or third-party supplied service often encompasses document workflow management, fleet consolidation along with financial and environmental assessment with a view to set key performance indicators designed to cut down both. The process, often available in five-year contracts, involves close negotiations with the customer to set service level agreements, deployment preparation, and ongoing communication to ensure the best efficiencies are met.

In many respects then, there is some truth to Canon’s methodology. What is clear is that it isn’t about the bulky beige piece of plastic churning out pages. “A fundamental shift has occurred, however, in the way MPS is perceived in the market,” says Naryan. “It’s no longer about services that you buy bundled with hardware; it’s hardware that comes bundled as a services offering. It is a cost management solution that is able to provide a predictable opex model for the end-user.”

A managed print service enables organizations to replace existing printers with a view to implement a more controlled system which provides granular reporting, down to who printed what, when and how much color they used. Assumptions of control aside, though, the end result is, ideally, a highly managed printing environment where the waste is cut out.

While some analysts suggest companies with at least 100 employees should consider adopting MPS, others find a low-level managed service can make improvements in any organization albeit in different orders of magnitude. The ultimate benefits of a managed service will ultimately change based on how extensive the implementation and the size of the contract is. Some may prefer to see it as a loss of management and subsequently responsibility over printing within the organization, but others naturally wouldn’t want to forgo the full valet service in favor of a slightly managed approach.

For Ben Knappstein of Burnside War Memorial Hospital, the ability to implement device-agnostic print monitoring software allowed him to scale a roll out of shared printers while looking to gradually implement printing restrictions as he saw fit, even past the length of his current contract. “We’re trying to achieve a further 10 percent [reduction] in printing over the next 12 months and we’ve put some restrictions in place to achieve that and so far it’s looking pretty good,” he says. “Printing is now visible to each user; there’s a little widget that sits on each user’s computer that shows their print usage so they can monitor it and we have set up pop-up alerts when users attempt to print a job either in color or simplex mode. They can override those alerts obviously, but there is now an end-user focus on responsible printing and printing costs.”

Vendors are seemingly more than happy to implement an open, rather than closed, system based entirely around their portfolio of products. Canon has a long-standing relationship in the space which sees products offered to customers along with managed services. It is ultimately about fitting service to device to reach optimal efficiencies, and of course, to outsource those aspects that aren’t particularly appealing to IT staff.

Warming Up

If there’s one piece of advice successful MPS customers have for those looking to get into the game, it’s around preparation and planning. “We had the planning, time and the development of the contract and statement of works so both parties clearly knew what they were supposed to do and if something was grey there was a process to ‘un-grey it’, and that made it a pleasure to work on,” says Allens Arthur Robinson’s McGrath.

A lack of preparation, however, can lead to unforeseen problems and unaccounted-for increases in rollout time. “It wasn’t until we were about 80 percent through our process that we realized we were going to have a problem,” says John Gilmore, project team lead of services at roadside assistance and insurance group, RAC. Though he found the company’s MPS implementation fairly early, they discovered during the rollout that the devices and back-end infrastructure being implemented wouldn’t be compatible with the Oracle financial systems the company relied on. The issue—a make or break one for the company’s accounting department—required a database analyst to reset hard-coded parameters each time to enable printing; hardly a workable solution. “If we could have anticipated that problem we might have been able to take a week or so off the length of that project,” he says. A solution was ultimately found in the form of middleware that wouldn’t significantly alter implementation or existing systems, but the lack of preparation in the first instance was ultimately to blame.

Proper preparation, according to IDC’s Naryan, must focus around clear communication with the chosen vendor, concrete SLAs and a deep understanding of how the company’s existing systems would integrate with the planned services. Internally, establishing key performance indicators for reduction in cost, environmental impact, and paper use ahead of implementation would also likely determine whether the vendor’s supplied monitoring software would be suitable or whether additional systems are required to ensure those are met.

An MPS Blueprint

Depending on your business objectives, MPS is unlikely to enable a great many benefits in isolation. A combination of workflow and document digitization, employee recognition and moving to smaller offices has formed part of Allens Arthur Robinson’s attempt to cut its carbon footprint by five percent each year. Printing has certainly had its effect—the legal firm went from printing 61 million pages annually in 2004 to 24 million last year—but greater digitization, server virtualization and the deployment of widescreen monitors helped to encourage the desired outcomes of the organization’s virtual corporate social responsibility team.

It also needs to be remembered that MPS can be a long haul. The NSW Department of Education and Training is yet to see a significant portion of the thousands of institutions it encompasses turn to the service, but support is accelerating. The “set and forget” mentality toward MPS is unlikely to yield many gains. Instead, taking the opportunity to review the rollout and identify potential areas for improvement—such as further outsourcing—has, in the case of RAC, proved beneficial. “It really is worth revisiting after about four to six months after things have been bedded in for a while and looking at your phase 2,” says RAC’s Gilmore.

Deakin University has found a similar opportunity, with the impending staff rollout allowing Debbie Louttit to assess what went wrong over the previous 18 months, how to solve those issues, and what additional features or change management processes might be more beneficial in the second rollout. The vice chancellor’s initiatives have already set the wheels in motion for the educational institution, but the challenges posed by the initial rollout have also set the requirements in stone.

5 Tips to Prep for MPS

1. Develop a clear internal understanding of infrastructure, costs, and print consumption within the organization.

2. Internally put policies in place, such as duplexing, limits on color, or environmental policies, and articulate these clearly to employees.

3. Understand the realistic cost savings that can be generated from MPS. It is not just about hard savings, but the soft costs such as paper, reduction in energy consumption and reduction in maintenance costs.

4. Study the capabilities of vendors and really opt for the right fit with the solutions you are looking for and their understanding of your business and the vertical you play in. Consider their clientele in the same industry and review any similar case studies.

5. MPS is also about managing a change in printing/copying habits of employees and needs to be managed internally to see benefits. Change management is often overlooked and ideally a project champion who sees through such policies would ensure success of such implementations.

Managed print services are unlikely to spark the same level of interest in all IT staff that it has in Gwenyth Taylor, but the enabling possibilities of the service will, at the very least, alleviate pressures on IT departments to focus on projects and daily processes that are more interesting and ultimately more important to the core of the business. Implemented effectively, MPS can see more than modest reductions in cost, paper use, environmental impact and required ongoing support from staff. The service may require some effort and could be challenging, but for those who have made the leap, it’s all worth it.




Bryson Payne

Strategic CIO

How to Be the Next CIO

In the six years I’ve been a CIO, I've heard countless statistics, jokes and other reminders of my job's typically short shelf-life. Fortunately, I'm also a tenured associate professor, so I'll get to opine about IT leadership long after my "best if used by" date has passed.

After about four years in the post, though, I stopped asking why CIOs are such a famously short-lived breed. I chose instead to focus on pressing problems at my organization from a new perspective: What would the next CIO do?

It's one really simple question that produces searing clarity, I’ve come to realize. I came up with three areas of concern to help me answer that question and focus on the long-term health of my IT team and my organization as a whole. Here they are:

The Pain Points. I asked myself what annoying problems would my replacement fix? New leaders typically start by fixing the most easily solved problems—the low-hanging fruit, as it’s commonly known. It’s a great place to start. Of course, IT leaders have many other duties, such as strategic innovation, 24/7 operations and ensuring 99.999 percent availability. But, along the way, it’s important for CIOs to stay connected enough to users to know whether there are pain points that need addressing. Your replacement will certainly start there, so why shouldn't you?

The Jackhammer Issues. What nagging problems do users deal with so often that they've tuned them out, like a jackhammer operating right outside the building? When someone starts using a jackhammer within earshot, it's jarring and unpleasant. If the jackhammer continues every day, though, your discomfort eventually fades as you learn to filter out the noise and work around the inconvenience.

A new person would ask, "How can you work with that jackhammer running all day?" but those who have been there awhile might reply, "What jackhammer?" What workarounds are your colleagues and users forced to use? What hoops do your customers have to jump through to deal with persistent annoyances in your IT systems and processes? What new options would a replacement CIO offer to get rid of lingering, minor hurdles in the technology experience in your organization?

Don't let someone else come in as the hero. Eliminate unnecessary inconveniences for your users while you still have the chance. As a plus, you won’t be known as a jackhammer.

The Relationship Rescue. What relationships would the next CIO, your successor, build, repair or transform to reconnect IT to the daily business of the organization? What partnerships would your replacement strengthen or form to make information technology more effective across your organization?

This is an important area to focus on, because after all the processes and hardware is done, it’s people that drive businesses. If you strive to connect people more than you separate them, if you include people in prioritizing, planning, and preparation, if you reach out to people that others sometimes overlook, you'll build relationships that allow you to accomplish much more than you could eke out alone.

Author and futurist Thornton May says, "Your network will keep you safe." He's not talking about gigabit fiber optics. He is talking about your human network, the one that will keep you connected to the organization, connected to your users, connected to your customers—and, that, more than anything will keep you safe. It won't make you untouchable or invincible or guarantee your job. Rather, your relationships will keep you in tune with your organization's needs, which will focus your vision on bringing the most value to your workplace.

While you have the opportunity now, tackle some of the things you would do if you were the new guy. Remove some pain points, eliminate some nagging jackhammer issues, and start forming the relationships a new CIO would need to bring the most value to the role. Don't wait for someone else to take all the glory.

Tackle some of the things that your own replacement would. Remove some pain points, eliminate some nagging issues, and form the relationships that a new CIO would. Don't wait for someone else to take all the glory.

How to Get Ahead: To find out what you can do to improve your role read CIO Role: Three Keys to Move Forward on www.cio.in

Send feedback on this column to editor@cio.in

Vol/8 | ISSUE/01

REAL CIO WORLD | November 15, 2012


Bob Kantor

Staff Management

How to Become a Better Communicator

Do you find that you or your IT team members aren't communicating as well as they could or should? If you said 'yes,' here are two powerful techniques you can apply to significantly improve the way you communicate and the impact you achieve.

Do you ever wish that your IT staff communicated more effectively? With key stakeholders? With each other? And with you? Do your team members frequently go into too much detail when they communicate? Talk too much and listen too little? Get hung up on arguing their point rather than building consensus? Walk away from conversations before they've achieved and confirmed a shared understanding? Do you ever find that you can't get past the second slide of your PowerPoint deck in a meeting? Or that your boss starts interrupting your answers with more questions, before you've answered her last one? If you answered "Yes" to any of these questions, know that there are powerful techniques to improve your communication skills.

The 'One-Two Punch'

Illustration by PHOTOS.COM

A few months ago I started a thread in one of the LinkedIn groups frequented by senior IT managers. I asked, "If your staff could magically improve just one leadership skill overnight, which one would you most want them to improve?" The question got a lively response from dozens of leaders over the next few days. Answers included prioritizing work, managing their time, delegating, managing employee performance, holding people accountable, and communicating. While there were many different opinions shared on the what, the why and the how, the single most common response was the fundamental importance of effective communication skills for a leader. Related to that was the shared belief that so many of our leaders today do not possess strong enough communication skills.


Custom Solutions Group VMWARE

Cloud Corner Thought Leadership

Combating the Challenges of Cloud Computing

Nandkishor Dhomne, CIO, Manipal Health Enterprises

Cloud computing still stumps organizations with a world of challenges, ranging from security, availability, and application performance.

The cloud still poses some challenges which need to be tackled to support large and distributed enterprise applications. These challenges are related to integration with messaging services and legacy applications. Also, migrating business-critical applications could lead to downtime and this would have an adverse impact on revenue. Other challenges like application performance, availability, privacy, security, SLAs, and vendor lock-in are rampant. Then, there are issues related to scalability, load-balancing, DR, and integration across multiple applications and third-party services.

Among other things, the cloud also affects one’s ability to comply with various industry regulations. That’s why when CIOs gear up to move to a cloud environment, they need to evaluate their compliance needs. For example, if you are bound by a regulation that says your data cannot be stored outside the country, some cloud providers may not be able to accommodate this since their datacenters may fall under territories outside India. The bottom line is that while we evaluate cloud-based applications, regulatory mandates must be part of the overall evaluation process.

T. Srinivasan, MD, VMware India & SAARC

The development of light-weight virtual infrastructures is weeding out concerns around application availability, security, and performance in the cloud.

The cloud era is transforming applications. Today, most applications are built on Open Source, deployed on light-weight application containers, and run on virtual infrastructures. This is driving a transition in the type of technologies our customers are using to build, run, and manage these applications. This has weeded out concerns around application availability, security, and performance in the cloud. Our vFabric Suite seeks to address the complexity and cost associated with traditional Java platforms, providing a simple, light-weight development and runtime that is optimized for VMware cloud infrastructure.

Right now, there are no regulatory frameworks mandated for public cloud for BFSI, healthcare and telecom. But we can empower our partners to provision for it. Also, the VMware vCenter Configuration Manager is a policy-driven configuration automation tool that detects changes and checks whether those changes are compliant to industry, regulatory, or an organization’s self-defined policies. The VMware Service Provider Program is a cornerstone of VMware’s vCloud solution and was created for partners providing hosted services to end users, and those that provide Web services to third-parties.


We address only what we think our target audience needs to know, based on how we view a situation or issue. Then we're disappointed when our audience does not do what we want them to do. Sound familiar?

The range of responses mapped pretty well to my experience coaching hundreds of IT leaders from entry levels up to the CIO level. The responses also reflected the universal importance and challenge of communicating well. There are two powerful techniques that anyone can apply to significantly improve the way they communicate and the impact they achieve. For the best results with these techniques, I suggest picking one and applying it for a few weeks. See what works for you and what doesn't work for you. Do more of what is working, and analyze what you can do differently with what is not working. Practice that technique until you are totally comfortable with it and it's consistently working for you. Then focus and work on the other one.

Don't Bury the Lead

Newspaper journalists (remember them from a long time ago...?) are taught in Journalism 101 the simple idea called "Don't Bury the Lead." In its basic form, it means start your message with your most important point, and keep coming back to it. In traditional news media, that usually means having a good headline. In blogs and e-mail messages, it means having a good subject. In PowerPoint slides it means creating a strong title. Drilling down a level, it also means using a key related approach from journalism, often called the Inverted Pyramid Structure.

Take a look at a good news story. It can be in a newspaper, magazine or blog. Do you notice that the headline tells the entire story, albeit at a very high level? It helps you decide if you want to learn more about that story, or not. Either way, it is effective in letting you know what the story is about. Now read the first three paragraphs. Do they answer the complete set of standard news questions, including Who, What, When, Where and Why? If the story is well written, it should provide the next level of such detail after the headline. Again, just enough to tell the whole story, but at a very high level. As you proceed through an article that uses this inverted pyramid structure, each group of paragraphs should provide increasing levels of detail. That enables you to get the whole story, at whatever level of detail you decide meets your needs. That may be just the headline, the first few paragraphs, perhaps the first dozen paragraphs, or maybe the entire article.

An example of doing this in a PowerPoint deck would be to make your complete presentation in about five slides. Slide 1 would be the presentation title or headline. Slide 2 would be the slide titles of slides 3, 4 and 5, maybe with a brief subtitle for each. Then the last three slides would tell your entire story. Period. End of main deck. Slide 6 would start your appendix. The appendix would contain as many additional slides as you might want for backup to support additional discussion, as your audience engages to learn more about the story that you completely presented in your first five slides. Don't think you can do this? Don't think this can work? Try it, no matter how weird it feels, and see what happens. If your experience is anything like mine and a large percentage of my clients, this will work magic for your ability to persuade and influence via PowerPoint presentations.

It's Not About Your Message...

...it's all about the audience's beliefs. The second most common error I see people make when they communicate is to focus entirely on crafting their message. They refine and finesse their message until it's ‘perfectly clear’. This overlooks the likelihood that your intended audience does not see the situation the same way you do. Nor are they likely to have your perspective, knowledge or beliefs. The way we usually commit this error is we address only what we think our target audience needs to know, based upon how we view the situation or issue. Then we're disappointed when our audience does not do what we want them to do after we've delivered our beautifully crafted message. Sound familiar? The missing element and critical success factor for technique number two, is to make the time and invest the energy to figure out and address what the audience believes. That is, what do they currently believe about this situation, what do they need to believe about it in order to do what we want them to do, and then what message do we need to craft to enable them to shift what they believe?

For example, a management team kept refusing to fund a project to replace an older datacenter that had many environmental risks. The infrastructure operations team kept enhancing their analysis and business case with more and more data and statistics. And the management team kept giving them less and less time to make their case. One afternoon during a heavy rain, one of the datacenter managers took a few photos of the corporate "Quad" as it was called, totally under water and looking more like a lake than the familiar campus. He also took a photo of the ‘lake’ lapping against the top step of the main entrance to the datacenter.

A few days later the project team went to the management team with three slides. The first showed the campus Quad on a sunny day. The second slide showed the ‘lake’, which looked nothing like the first photo, even though it was shot from the very same position. The third slide was the close up shot of the water lapping against the top step of the main entrance to the datacenter. Once the management team understood that the first two photos were taken from the same position and represented an accurate before-and-after of a heavy rain (and not that unusual an occurrence), and then saw the actual height of the water at the datacenter entrance, they approved funding for the project to replace the datacenter. What had changed? In the earlier presentations, the IT staff were making a very rational case to prove that the magnitude of the risk of maintaining the old datacenter was not acceptable. However, the detailed statistics did not effectively communicate the reality of the risk to the management team, which was much further removed from the details than were the datacenter managers. Leveraging the old saw that one picture is worth a thousand words, the project team directly addressed the management team's belief that the risk was not as big as the datacenter managers were claiming. The three pictures changed that belief, effective communication occurred, and the desired action was taken.

Don't bury the lead. Start your message with the most key point, and come back to it.

Putting Them Together and Taking Action

Either of these two simple techniques will significantly improve the effectiveness of your communication. Combined, however, they reinforce each other and can easily double the impact your communication efforts can have in delivering results. The two examples we used to illustrate the techniques referred to using PowerPoint to address a group. But the ideas apply just as well to a report, an e-mail message, or a one on one conversation. The key to success involves taking the time to think about how to best apply these techniques in one of your situations, and then to overcome your normal inertia and discomfort with doing something differently. Reading about these techniques is step one. Step two is putting them to use—allowing that a bit of practice may be needed to make them work for you and make you comfortable with using them.

Bob Kantor is an IT management coach and consultant, specializing in improving IT leadership effectiveness. His newest book is Shatter Your Leadership Limits--Better Results in Less Time With Less Stress. Send feedback to editor@cio.in


Stephanie Moore

VENDOR MANAGEMENT

How to Vet Your Vendor

There are several factors that need to be considered when thinking about a services initiative. CIOs need a structured yet flexible approach that evaluates a vendor's stability as well as its service, solution, and delivery capability.

Today, as companies seek to both consolidate their vendor relationships and multi-source, they tend to engage with a small number (typically two to nine) of preferred, very large IT services vendors that can be centrally governed. The strategic objectives of consolidation are important: Services clients can pre-qualify a few preferred suppliers that all users of IT services can easily and safely engage with. However, given the rapid pace of technology change, the need for agility, the new business stakeholders, and the rise of cloud services, a company's IT and innovation requirements are often best met by multiple best-of-breed suppliers. Vetting privately held vendors can be a big challenge—so much so that some Forrester clients are required to use publicly traded vendors only for critical services. However, in this technology environment, that approach will preclude you from accessing some of the best innovations. Instead, companies need a structured yet flexible approach that evaluates a vendor's stability as well as its service, solution, and delivery capability. CIOs who are thinking about a services initiative should consider several factors when evaluating their needs versus the needs of the marketplace.

Illustration by PHOTOS.COM

Start with Financial Stability

While different types of services relationships require different types of evaluation criteria, all prospective services vendors must be evaluated for financial and legal stability. The last thing you need is for your IT strategy, data, and resources to be tied up with a vendor that's heading south. A vendor that has problems in any of these categories should be taken off the evaluation list. Don't overlook the importance of investigating the prospective vendor's track record and talking with references. Companies must be prepared with meaningful questions related to the references' positive and negative experiences with the vendor. Clients should also endeavor to find other clients of the services provider rather than just the vendor-supplied references, since the vendor-supplied references are likely to be the most satisfied clients.

Evaluate the People

Because services businesses are so people-dependent, it is essential to understand the vendor's human capital management approach and the quality of its people. While this action may be unnecessary for the large cloud-based solution providers (like Google and Amazon.com), it applies to virtually every company you plan to have a personal connection with. Be sure to evaluate the quality of technical personnel, internal training programs, and quality of account management personnel. Customers should also seek to determine how and under what circumstances a supplier will subcontract, and they need to ensure that they approve of all subcontracting activity.

Say the supplier passed the analysis, but is it the right fit for your firm? Once financial and human capital elements are addressed, clients need to consider alignment with their own needs. To maintain a successful relationship, firms and suppliers should be on the same page regarding:

Methodology/Knowledge Management: Companies should look at methodology as a library of best practices that can be used to provide consistent training for services providers' own internal consultants and as a means of achieving high productivity, consistency, and quality on client engagements. In best cases, consulting firms require and/or compensate consultants for depositing lessons learned into the company methodology or knowledge management system. This practice ensures that the methodology is living and constantly being refined.

The Ability to Coach and Transfer Knowledge: The ability to transfer competency (for example, improved development processes) to clients is an important source of value in integration and outsourcing relationships. In the modern world of agile and software-as-a-service (SaaS), for example, knowledge transfer is still important, if not more so. Many corporate development shops, moving to more agile-like methodologies, will require coaching to make the engagement work and to prepare internal staff to use a new approach to software development. On the SaaS or platform-as-a-service (PaaS) front, companies have similar requirements since they need to learn how to integrate these services and platforms into their existing IT organization. Make sure that you understand how your vendors achieve the required knowledge transfer and seek references on their knowledge transfer capability.

Functional Breadth/Depth: Integrators and outsourcers have varying degrees of expertise in their functional offerings. Functional offerings include horizontal capabilities, such as datacenter outsourcing and desktop asset management. The breadth of functional offerings is significant in large-scale engagements, like full-service outsourcing. In more cases today, the depth of the functional expertise will be a primary consideration. For example, you may be using a vendor such as ThoughtWorks for Agile application development. In this case, you would only care about the depth of its capability in this area and not about its breadth of offerings across the IT stack.

Vertical Breadth/Depth: Deep vertical business expertise and technology capability is required to help clients optimize or innovate. Customers should evaluate a vendor's vertical capability not just by looking at revenue per vertical segment but by also looking at the credentials of the vendor's vertical consultants and experts and the customer references.

Scalability: Companies must make sure that a prospective vendor is sufficiently large (or small) to accommodate their project. If the largest similar project the vendor has dealt with before is significantly smaller than the one you are considering, you need reassurance that the vendor can step up in terms of staff, infrastructure, and process. Conversely, if your project is much smaller than the vendor's norm, this is also a risk. Clients that fall into the "small fish in a large pond" category rarely receive sufficient management attention.

Remember that some criteria will matter more to your internal IT and business contacts. While methodology may not seem as important as it relates to cloud providers or even very niche services providers, it is still very important to your internal customers. These customers will need to understand how to implement and integrate their cloud solution, and they will need to ensure that their niche services providers have the ability to consistently deliver on their promises.

Crash Course: To learn more about vendor management read Getting the Vendor Collective Right on www.cio.in

Stephanie Moore is a VP and principal analyst at Forrester Research, serving sourcing and vendor management professionals. Send feedback to editor@cio.in



Cover Story

Hone your leadership skills, be a mobility guru, master cloud computing, tame big data, manage security, collaborate better. Get a step closer to being a complete CIO.

By Team CIO

Reader ROI:

The business benefits of leveraging new technologies

Tips to manage staff and spot talent

What you need to know to be a well-rounded CIO

[Cover graphic labels: Innovation; How To: Find Talent, Be a Mentor, Work under Pressure, Keep Meetings in Line, Run a Business, Spot a Fraud, Network Effectively, Say No to the CEO, Improve Customer Service, Manage Angry People, Use Twitter Better, Choose Your Cloud Vendor, Become a BYOD Guru, Tame Big Data, Secure Sensitive Data, Spot a Liar, Create an MDM Strategy, Keep Staff Happy, Quiz Cloud Providers, Stop Rogue Sales, Drive Sales With UC, Retain Customers, Track Cloud Cost]


COLLABORATION

How To

If you haven’t taken to social media and UC yet, you are on the wrong side of the technology curve. Follow these tricks to make your business sociable.

[Section graphic labels: Social media, UC, Presence, VoIP, Video Conferencing, App Store, Customer engagement, Knowledge management, Decision-making, Communication]

DID YOU KNOW?

34 percent of Indian CIOs say they plan to implement social media technologies in 2013, according to the Mid-Year Review Survey 2012.


Cover Story

Build a Private Social Network that Employees Will Actually Use


IT Strategy

By Todd R. Weiss

NASA could land humans on the moon and put exploratory rovers on Mars, but in the last three years, the agency just couldn’t find a way to build an internal social network that would encourage its employees to collaborate. Initially launched in early 2009, “SpaceBook” was supposed to be a place where NASA workers could go online anytime to get feedback, learn from others’ experiences, collaborate on projects and get to know each other better. But NASA ultimately squashed the effort this June, taking it offline for good.

The problem, says Kevin Jones, a consulting social and organizational strategist with NASA’s Marshall and Goddard Spaceflight Centers, was that no one sufficiently explained to users what they could do with SpaceBook to move their collaboration forward. So it languished when users didn’t adopt it—even when it was re-launched with an updated user interface.

That kind of crash-and-burn experience happens in enterprise IT when plans are established without understanding what users want or need. But it doesn’t have to be that way for your organization. What it takes to make a successful internal social network, they say, is strategic planning and a willingness to change direction as your users show you how they want to use the tools you’re giving them. The success of any social network depends on user engagement. If employees aren’t using it, even the most innovative internal network is a failure. Here are a few keys to success.

Start with the easy stuff. One of the lessons Salesforce executives learned, when the company first developed its Chatter application, says Dave King, the company’s director of product marketing, was to do the easy things first to introduce users to the new system. “We started with a high-value process—global account planning—that was easy to implement from a change management perspective,” he said. “It had been a total pain to deal with previously, then we put it into a Chatter group. It made everyone’s lives easier.” Next were other areas that could bring in quick wins with users, he says, including groups where employees could air grievances. Only then did the company begin to look at larger, more ingrained processes that would be harder to implement and take more time to finish.

Consult users early and often. At BMC Software, internal social networking has been used for a year, with some 7,000 employees creating 965 groups in which they collaborate and share information, says Hollie Castro, SVP of administration. The company uses Chatter from Salesforce and has found that it enhances communications with and among employees in several ways, she says. Castro says her company started small with a pilot program so that feedback could be collected and an internal buzz could be generated among employees. “We worked with groups of employees around the world to get input,” she says. “You learn along the way. One of the reasons we are getting good use by employees is that we really engaged our user groups up front.”

Drive Sales With UC

Ask your average CIO about his business case for UC, and the likely answer will come down to cost reduction or avoidance—savings generated by voice-over-IP (VoIP) networks, bills lowered using instant messaging instead of toll calls. But the real value in UC—improved communications among employees and with customers—is rarely best expressed in monetary terms.

When Richard Buss began exploring UC in 2010, his goals were straightforward: Simplify his telecom infrastructure, cut costs, harden his networks and reduce network redundancy. At the time, the VP of technology for environmental testing company EMSL Analytical was managing a hodgepodge of phone systems scattered around the company’s 43 sites. But as he pulled together his UC requirements, he found it wasn’t just the technology that was disjointed. “We hadn’t realized how ‘un-unified’ we sounded to our customers,” Buss says. Lab staff felt their time was wasted fielding unrelated customer calls. Elsewhere, those taking calls wouldn’t have access to information requested. Customers faced frequent transfers or would land in voicemail. “That experience wasn’t what our customers were looking for,” says Buss, adding that EMSL, whose clients include New York’s Port Authority, lost business as a result.

EMSL was staffed with deep subject-matter experts—microbiologists, food scientists, geologists and chemists. But neither customers nor internal employees could find them. During the UC rollout, EMSL and its vendor collaborated to map out call flows that created virtual work groups out of like-minded experts. The vendor’s “follow me, find me” service for routing calls to employee cell phones, has been a revenue booster for EMSL. Buss delivered more hard cost savings than expected—cutting telecom costs by a third annually—but he’s wary of putting a number on increased sales or decreased customer churn for fear of taking too much credit. Still, there’s no denying IT’s strategic role. “No one knew how big a problem this was until IT took this on,” says Buss. “We see business problems the way no one else [does].”

Being responsive to employees’ feedback— and flexible enough to try out their ideas—is vital, King adds. “What kills these things is when people bring in their own new ideas for how to make improvements and they get shut down by executives or legal or HR,” he says. “Even when you’re not sure, give things a chance. It’s important not to manage it at an institutional level too closely. Inevitably what happens is that there are bright spots for users that pop up. You need to bring them in and encourage them.” Explain the benefits; don’t make more work. Another key to getting employee buy-in, King says, is to clearly explain to users what they can do and gain by using the social network. “Articulate where the value is and share those best practices, such as sales leaders telling how they sell more using Chatter. By doing this, these tools get adopted by others.” Better yet, make social networking integral to other tasks, advises Ethan McCarty, digital and social strategist at IBM. McCarty says all 400,000 global employees use IBM’s home-built social networking platform, Connections, which is also sold to customers. “You have to make it part of the work as opposed to a separate thing people do,” he says. “If it’s not integrated and is an additional task, it becomes a burden and hurts productivity.” Help employees get comfortable with it. McCarty says it’s also important to make sure that employees understand what the expected user etiquette will be under the systems you choose. “That understanding needs to be arrived at mutually and collaboratively” so that users feel comfortable posting their comments and profiles, he says. IBM has developed a system where less technical users can earn ‘merit badges’ as they gain experience and confidence with the capabilities of Connections, McCarty adds. “You have different groups of people who are going to use it differently. It builds confidence with those users. We want to reward them for their success using the system.” CIO



Cover Story

IT Strategy

Create an Enterprise App Store
By Shane O’Neill

As personal mobile devices flood the corporate workplace, you’d think every company would have its own app store, right? Not so fast. Despite the obvious benefits of efficiently and securely distributing mobile apps to employees using their personal smartphones, enterprise app stores are not widely in use. In fact, only an estimated 10 percent of enterprises have their own stores—though it’s worth noting that Gartner predicts that by 2014 private app stores will be deployed by 60 percent of IT organizations.

Some big companies such as CDW and General Electric have successfully implemented private app stores, and smaller niche companies, particularly in the healthcare field, are also looking at private app stores with help from big vendors like Cisco and SAP as well as smaller players such as AppCentral and Virtusa. However, despite the efficiency of the model, the enterprise store is still not at the core of the BYOD movement.

The main reason seems to be shoddy implementations. More specifically, this means having little to no social media interaction and recommendations within the stores and not having a consistent user interface, to name a few reasons, says Rauf A. Adil, director of technology at Virtusa, an IT services and consulting company based in Westborough, Massachusetts. “The fundamental reason users visit an enterprise app store is to discover apps and get other users’ feedback,” says Adil. If you’re not building your app store with that in mind, it’s likely to fail. Here are five mistakes that will quickly turn employees away from using enterprise app stores, according to Virtusa.

Forgetting Easy Discovery. The biggest mistake organizations make is that they do not provide easy search and discovery for apps. This often goes unnoticed at first because the number of apps available is limited. But over time, as the number of apps grows, discovery becomes more important. Apps should be categorized, with the capability to create bookmarks and favorites, and there should be a seamless search and discover capability to get to a specific app or a set of apps. Discovery also helps in avoiding duplication.

Leaving Out Feedback or Ratings. Ratings and feedback are essential components of the enterprise mobile app. If you don’t provide this feature, it is hard to track user satisfaction with the app. It’s important to get feedback and ratings from users separately and then tie that information to the app usage data, according to Virtusa. The app store should provide a view in which apps in a specific category, such as human resources, can be ranked by ratings in a search or on the dashboard.

Not Integrating it with Social Media. Many organizations are using social media for internal communications and sharing, but they don’t tie it into enterprise app stores. The enterprise app store should integrate seamlessly with social media to facilitate the information, discovery, recommendations, likes and comments on the apps. This will only draw internal users to the app store. You should also provide a way to integrate feedback, comments, likes and recommendations from the internal social media sites and apps with the enterprise app store.

Overlooking Security and Privacy Policies. When an app is submitted for publishing on the enterprise app store, the administrative and review board should check it against a security vulnerability checklist. Virtusa also recommends using software and programs to check apps against a security and cyber threat vulnerability assessment list. For example, if the company policy is to not allow unencrypted data links, then the app should not connect to third-party Web services over unsecured data links. Keep an up-to-date “vulnerability assessment list” with newly found and documented vulnerabilities. Similarly, you need to do an assessment on the privacy-related compliance requirements to ensure that no data is disclosed or leaked to unauthorized persons within the enterprise, to third-party sites, to apps via links or by using third-party services (such as geo-location or mobile check-in).

Not Enforcing User Interface and Visual Design Best Practices. All enterprise app stores should live up to the organization’s published guidelines regarding user experience (UX), visual designs, color and navigation schemes and other UI (user interface) and UX guidelines. For instance, if an app has a different color scheme or variation in logo or font from the published guidelines, then the administrative and review board should reject it with feedback. CIO


Hire a Social Media Specialist
By Kristin Burnham

As more businesses continue to increase their presence on Facebook, LinkedIn, Twitter and other social networks, social media jobs, too, are predicted to rise. Social media specialists—sometimes referred to as social media managers or social media marketers—bring a bevy of skills to businesses looking to beef up their presence and results on social networks. “Anyone can build a Facebook page, but it doesn’t mean it’s successful. These people go deeper and rely on analytics to run good campaigns, tying it all back to ROI,” says Gina Oliveri, senior consultant with executive staffing firm Bowdoin Group. Here’s a look at what social media specialists do, so you know what the one you want to hire should know.

Social Media Specialist: Responsibilities
Social media specialists are responsible for generating and maintaining a presence on social media sites, such as Facebook or Twitter, as well as building an audience through campaigns, ads and updates, Oliveri says. Just as important as the campaigns they run are the data points they derive. Social media specialists are often tasked with making the connection between statistics and how they translate to a campaign’s success, branding and, of course, money. Social media specialists likely reside within the marketing department, but usually work with a number of the business units. Job candidates often come from a junior or entry-level marketing or advertising position.

Social Media Specialist: Skills
Social media specialists should have a deep and personal familiarity with the two big social networks: Facebook and Twitter. But beyond that, they should have knowledge of other social networking platforms, such as Foursquare, Digg and Stumbleupon, Oliveri says. It’s also important that candidates understand the business’s audience, such as its demographics and interests, in order to target posts appropriately.

Strong writing and presentation skills are also key, as social media communications are customer-facing whether the specialist manages external or internal networks. Lastly, data analytics skills are becoming more necessary. “[Social media specialists] need to know not only how to run campaigns and ads, they need to know how it all ties back to ROI and how the business can generate revenue from it,” Oliveri says. “You need to be a number-cruncher at some level—put on headphones and look at the data, then come back with intelligent insight so the business knows what to do next.” CIO


Use Twitter to Improve Customer Service
By Lauren Brousell

Dealing with customer service via phone rarely wins companies high marks. All too often, calling that helpline means navigating an endless, automated screening system only to be routed to a call center agent with minimal ability to help. So why not turn to social media where you can tweet your grievances and move on? Young people in particular are doing this in increasing numbers—often receiving instant feedback, though not usually from the vendor in question. According to a survey by Our Social Times, a social media marketing consultancy, 60 percent of companies don’t respond to customers via social media, even when asked a direct question.

Frank Eliason, SVP of social media at Citibank, which serves more than 100 million customers in 40 countries, saw as much room for improvement in how banks use social media as he did challenges. Too many banks offer cookie-cutter customer service, he says: “When we looked at banks and social, they all looked alike. The whole challenge was differentiating the service we provide to customers.”

Customer service is a crucial aspect of any business, but can be an especially delicate matter for financial services companies because of the sensitive and private information they manage and the regulations around how they do that. Banks are already often the victims of phishing attacks and, due to the open nature of social media sites, the risks there increase 10-fold. Instilling trust in customers that their accounts will be safe when they are discussed via a social network is not easy. Often, news breaks that another bank was caught up in an internet-based security breach.

To be able to safely interact on Twitter, the first thing Eliason considered was security. He knew sending account information over Twitter could pose a massive risk for Citi and the customer. “The regulatory stuff presents challenges. Even if you send your account information via direct message, banks can’t do that, it’s considered private information.”

So when Citi wanted to find a way to initiate dialogues between Citi customer service agents and customers and actually resolve issues via social media sites, Eliason sought help from LivePerson chat integration, an online engagement solution that facilitates live chats within Twitter. “If you’re having a dialogue with an agent [via Twitter], we want you to continue with that person,” he says.

Citi’s first efforts with LivePerson on Twitter involved agents initiating a direct message with any customer that mentioned “Citi” or “Citibank” in a question or concern. Agents use the @AskCiti Twitter handle to send a link via Twitter direct message to the customer to start a live chat. The customer clicks that link and has to accept the application as they would with any other Twitter application, such as TweetDeck. Once that is done, they are brought to a secure chat within Citi’s website and can start discussing whatever issue they have with the agent.

Because phishing attacks can be disguised and take on a copycat identity, banks need to be transparent with customers about where they are redirecting them. Eliason knew people would be hesitant about clicking on a link on Twitter that is somehow attached to their bank information. “We had to be cautious in how we implemented [LivePerson],” Eliason says. So he created a unique URL ending for Citi, Citi.us, in hopes the customer would know it was OK to proceed. Then he made it a standard to have all chats that initiate on Twitter be redirected back to the Citi site and continued only after the customer has securely logged into their Citi account.

Adoption was slow when the service was first rolled out in December 2011; usage reached its peak in mid-April and did well with customers after a few bug fixes. Citi says it speaks with about 160 customers each week in conversations that originated on Twitter. Eliason says that although the number of customer interactions is about the same as before the LivePerson integration, more interactions are being resolved. “The interactions were more phone tag. We’re getting in touch with the customer the way they want. It’s something that’s easier and fits the customer’s style.”

Eliason says he would like to expand the service to other social media sites and is looking to find out whether implementing a survey component will be a good addition to the Twitter integration. “When it comes to customer service, [companies] measure the wrong things. The return we are looking for is really raising [customer service] scores,” he says. CIO



ADVERTORIAL

Datacenter Mistakes

Poor datacenter management practices like not including your operations team in facility design, or not appropriately addressing staffing requirements can lead to inefficient, unreliable, and expensive datacenters. Here’s how to avoid that fate.

Perhaps, more than ever, now is the time for enterprises to re-evaluate their datacenter operations programs. They must be able to clearly articulate operational requirements and design an operations program based on the risk profile of their datacenters. However, the road to creating an industry-best operations program isn’t easy, especially for those companies whose core expertise is not in business critical facilities. Here are 10 of the biggest mistakes businesses can make in operating a datacenter.

Not including your operations team in facility design
In Schneider Electric’s experience, when operations teams are excluded from facility design, modification and repairs often become necessary. For example, a brand new datacenter had to be modified when the branch circuit design was determined to be inadequate, following a variety of maintenance actions. They also found that the generators were designed and installed in such a manner that simple maintenance activities became a challenge. On top of that, air handling units were not able to provide the required airflow to the datacenter due to flaws in the design of the building. Such mistakes can be avoided by including an operations program perspective in the design process. When you include the operator in the design phase, you will build with the end in mind.

Relying too much on datacenter design
Time and again, Schneider Electric has seen companies make the mistake of spending large sums of money on a robust, redundant design, then neglecting to properly fund their operational budgets. Operations, more than design, will keep a facility running, manage costs, and protect not only a company’s investment but also its reputation.

Failure to correctly address the staffing requirements
Many companies estimate their datacenter staffing needs based upon typical building management criteria. Staffing needs should be based on your risk profile and budget. Likewise, hiring and retaining the right personnel is essential. Prospective team members need to be carefully screened, not only with traditional background checking but also to qualify their technical, administrative and communications capabilities.

Failure to train and develop talent
Once you find qualified people to hire, it’s important to provide them with proper support, training, and career development opportunities. Properly trained personnel understand how a plant works, how to safely operate and maintain it, and what to do when things do not function as expected. By default, tradesmen and technicians usually end up training a few of the employees at the most basic level. In a typical on-the-job training environment, the newly trained employees then teach other personnel. In this scenario, it’s easy for poor methodologies and improper procedures to become standardized. What is needed is a program that effectively provides and verifies proper training in a format that increases the level of expertise for all individuals. Such a certification format could be structured as follows: Level 1 Qualification for basic supervised operations; Level 2 Qualification for routine operations and maintenance; Level 3 Qualification for advanced operations and maintenance; and Level 4 for subject matter expertise. Managers should realize that the cost and effort expended on typical training program development are more than offset by increased uptime, lower maintenance cost, and decreased employee turnover.

Failing to consistently drill and test skills
An emergency situation is the last place to be unprepared—for both safety and financial reasons. In such a situation, you have the responsibility to make sure your staff is prepared to react as efficiently as well-trained emergency workers. The key is repetition by consistently setting aside time to conduct drills. These drills should be performed with all team members so that everyone knows exactly what to expect in a live situation.

Custom Solutions Group Schneider Electric

Failure to overlay your operations program with documented processes and procedures
Every action in a mission-critical environment must be documented and such a document must provide value by measuring an expected result, creating a foundation for corrective actions, or promoting proactive, continuous improvement. Vendor turnover documentation is a vital component of the operation, but just as important are detailed procedures that the critical environments team will need to perform. These include facility walkthroughs, routine operations, preventative maintenance, corrective maintenance, and emergency response. In addition, accurate as-built drawings are vital.

Failure to implement appropriate processes and procedures
Change control processes must be used in critical environments to ensure that all system changes are assessed and approved prior to their implementation. This can only be accomplished with a formal set of procedures and processes that follow generally accepted guidelines for change and configuration management. Remember, strong change control processes set the foundation for quality systems.

Failure to develop and implement quality systems
Many companies err in thinking that process, once proven, is infallible. Continuous improvement is the only way to ensure your datacenter operations are efficient, reliable, and cost effective. A program for quality systems consists of: Quality assurance—processes to ensure that errors are not introduced into the system, and quality control—measures taken at various stages of the process to proactively identify problems that could potentially lead to system failure. The level of excellence required to achieve zero downtime is not easily attainable. No process or procedure is perfect, particularly in its early stages. To provide a mechanism for fine-tuning the program, it is crucial to have a plan for continuous process improvement. Once your company’s processes are engineered in an optimal manner, you can focus on the power of automation to attain superior results.

Thinking you can build a best-of-breed program as quickly as a datacenter
Many do not understand what it takes to build a best-of-breed program. Most organizations severely underestimate the amount of time it takes to build one starting from scratch. Most businesses lack years of data and experience to base a program on, much less the budget. However, if your company does have resources and expertise, then be prepared to make a significant investment in the areas of personnel, training, software management systems, procedure development and quality system, and process integration.

“By implementing a good datacenter operation and management program, you will protect your capex and ensure stronger returns year after year.”
Shrinivas Chebbi, VP-IT Business, Schneider Electric

Failure to use software management tools
It is easy to cut costs by forgoing software management tools. However, the amount of documentation required to run a successful operations program is enormous and must be retrievable at a moment’s notice. A spreadsheet might work for a little while, but poor document management puts all your efforts at risk. Tools such as a well-implemented computerized maintenance management system can help in the scheduling, assignment, and tracking of all facility maintenance activities. The second management software tool is a document management system, which is used to provide electronic storage and retrieval of important facility documentation, such as methodologies, emergency response procedures, facility reports, etcetera.

If you are faced with recurring outages or other problem areas, or if your company is planning to build a new datacenter within the next 12 months, do not depend on your operational platform to be developed in time. It takes years to build a best-of-breed program. Companies ill-equipped to quickly design a program of this magnitude should seek the assistance of mission-critical subject matter experts. By implementing a good program, you will protect your capital investment and ensure stronger returns year after year.

This feature is brought to you by IDG Custom Solutions Group in association with


How To Work under Pressure
You think you’ve seen and heard enough and more about cloud computing? Wrong. Flip over to see how to take advantage of the cloud.

DID YOU KNOW? 47 percent of Indian CIOs have already invested in cloud computing, according to the Mid-Year Review Survey 2012.

[Graphic labels: Private, Public, Hybrid, IaaS, PaaS, SaaS, Provider, Hosting, Outage, Exit Strategy, Integration, Pay-per-use]


Choose Your Cloud Service Provider
By Thor Olavsrud

Many organizations have now gone so far as to dip their toes into the shallow end of cloud computing, and many more are thinking about testing the waters. Other organizations have jumped into the cloud with both feet. But whether you’re wading in or fully immersed, properly vetting your cloud service providers is essential.

A recent study by IT industry association CompTIA found that even though many organizations are concerned about the security of their data in the cloud, a minority of companies perform a comprehensive review of their cloud service providers before sealing the deal. “Despite some of the concerns, only 29 percent of the companies in the study said they engage in a heavy or comprehensive review of the cloud service providers’ security practices,” says Tim Herbert, research vice president with CompTIA.

That’s a mistake, says Charles Weaver, co-founder and president of the MSPAlliance, a 15,000-member strong organization that serves as a certification and standards body for managed service providers (MSPs). “Our chief concern right now is that we see a lot of new service provider entities who are coming into the scene with almost lax attitudes toward how they construct and deliver services,” Weaver says. “They appear to be mostly on the cloud side.”

Weaver explains that these service providers tend to fall into two camps: Organizations at the SMB end of the spectrum that market themselves as providers of end-to-end solutions but are actually resellers, or service providers that are unaware of the standards established by MSPs long before the term ‘cloud computing’ was coined. Weaver says organizations considering a cloud service provider should look for three things:

Trust. “They’ve got to trust them,” he says. “That comes through an affinity. You have to like the company and the principles and the people you’re going to be working with. It’s a very intimate relationship. There’s got to be a mutual respect and trust to work together.”

Technical expertise and understanding. The cloud service provider has to both be proficient with its technology and understand your business. “They have to have an understanding of what you’re looking to do and match that up with their technical expertise,” Weaver says. “If you’re a CIO of a bank and you need to outsource some strategic element of your IT, your MSP needs to understand both banks and whatever it is that you’re going to outsource.”

A third-party compliance audit. Cloud service providers need to be able to show that they can live up to the promises they’re making. “This is a world where you go through more scrutiny and ongoing regulation to cut hair than you do to manage a corporation’s sensitive data and that of your end users,” Weaver says. While he doesn’t believe more government oversight would be helpful in the cloud services space, he does believe organizations should verify their providers’ capabilities with an audit.

So what should you expect in an audit? The MSPAlliance offers the Unified Certification Standard (UCS) for Cloud and Managed Service Providers. It looks for a service provider to comply with 11 control objectives before issuing the certification. Organizations can use the UCS control objectives as a guide to what they should know about a provider. The control objectives are as follows:

identify and resolve problems or incidents covered by the service level agreement (SLA) between the provider and the client. Additionally, the provider must be able to demonstrate the existence of a problem management system that includes a help desk and ticketing platform integrated

Provider organization, governance, planning and risk management.

By Stephanie Overby

The provider has to demonstrate that it has a formal management structure, with organizational charts, risk assessment policies, formalized processes for analyzing third-party service providers and vendors, and an organizational structure that provides for adequate segregation of duties.

Documented policies and procedures. The provider has to demonstrate documented policies and procedures that are reviewed and updated annually. Employees must be required to attest and sign that they understand and adhere to the policies and procedures, and new employees must undergo a formalized training methodology to educate and test on the standards.

Event management. The provider must have access to a Network Operations Center (NOC) adequately staffed with trained personnel capable of providing the monitoring and management necessary to 46

with its monitoring/ management system. Also, the provider has to be able to show that it periodically conducts internal reviews of its incident reports.

Logical security. User access to the provider’s and client’s information systems and data

must be granted based on established policies and procedures, and reassigned or terminated employees must have their access revoked based on established and documented policies and procedures. The provider has to show documented controls for user authentication to information systems

Keep Staff Happy with a Private Cloud When you’re a global, engineering-driven firm in a competitive industry, the last thing you want is a group of 2,200 ticked-off designers. But that’s what Applied Materials’ CIO faced a few years ago. The $10.5 billion (about Rs 55,000 crore) maker of semiconductors and solar power cell equipment had moved to a fully integrated product lifecycle environment to streamline its engineering operations. But users said the new 3-D computer-aided design (CAD) systems made their jobs harder. They e-mailed the CEO about data integrity issues, complained about long load times, and some left the company altogether, calling out poor software performance in their exit interviews. According to one design leader, engineers were losing 30 percent of their productivity. “We had to stop the pain,” says CIO Jay Kerley. He had two options—blow up existing business processes or blow up IT infrastructure. “Changing the business processes would have been a much tougher row to walk,” says Oran Davis, MD of processes, methodologies and tools, including global product lifecycle management. The plan IT devised—move the CAD systems to a private cloud—was risky. Theoretically, it could provide everything engineering needed—reduced complexity and errors, improved cycle times, and real-time collaboration. Applied Materials’ solution was achieved by boosting engineers’ computing power, reducing latency to the data stores and having IT consolidate the five terabytes

n o v e m b e r 1 5 , 2 0 1 2 | REAL CIO WORLD

of engineering data into three datacenters, storing the huge CAD files on top-of-the-line NAS and SAN servers. When it’s time to work, users connect to one of the more than 1,000 CAD blade workstations with multi-core processors that also reside in the datacenter. To further improve speed and function, synchronization links were reduced from 10 to three. It was a long, phased implementation. Davis monitored transactions and workloads and reported the performance improvements to the designers. Application response The private time improved 200 percent, variance cloud enabled in response time was 50 times an additional better, and synchronization failures fell 90 percent. The private cloud 500-plus hours enabled an additional 500-plus of productivity hours of productivity each month, each month, which more than paid for the project in the first year. There are drawbacks. “The energy pull and requirements are significant,” says Kerley. IT support staff also had to learn new skills. But he says the relief for engineering outweighed temporary IT pain. Today, 2,000 engineers access CAD apps via the cloud, and the rollout continues. Engineers’ satisfaction with IT jumped from 43 percent to 79 percent. And no designers had to alter the way they worked. The only change was a new application window on their desktops. “Our mantra was that we would supply an environment patently identical to the one they were used to,” says Davis. That, it turned out, was the right decision. CIO

Vol/8 | ISSUE/01


Custom Solutions Group NELCO

EXECUTIVE VIEWPOINT

How to Get Your Own Fort Knox With customized, innovative, and integrated physical security solutions, Nelco provides organizations with greater control over costs, process management, and efficiency. How can companies look at a holistic integrated solution to manage their IT and non-IT infrastructure? Today, the need of the hour is to monitor an organization’s critical assets and ensure that they are secure. It’s to meet these requirements that organizations are waking up to the need for integrated security systems. Organizations need to be able to mitigate the risks of failure of their critical non-IT infrastructure. However, making sure that critical non-IT devices are in working condition is a daunting task. Imagine installing over 1,000 cameras and intrusion sensors across a large manufacturing campus and deploying guards to monitor them centrally and conducting physical checks. This is why it is important to integrate IT and non-IT devices.

and shield organizations from these threats, Nelco now offers systems integration expertise and managed services to enterprises across industries.

What benefits can CIOs derive from managed services? Monitoring IT systems and non-IT electronic devices is a Herculean task for CIOs. Managed services provide organizations with access to leading network technologies, managed integrated security and surveillance tools, and management expertise to deliver the reliability, availability, and efficiency. It also offers them the ability to monitor and manage critical assets like IT systems and non-IT electronic devices. In any organization, IT systems include Take control of datacenter equipment, your remote non-IT servers, and core netWhat challenges do comcritical assets, while working gear. Non-IT panies face in managing increasing efficiency, devices include security their critical facilities? reducing costs, and and surveillance systems, With the pressure to insupporting service and energy management novate and keep the lights delivery to customers.” systems and environment on at the same time, IT control devices like temdepartments find it hard perature controllers. to make security a priority. Imagine a scenario While there are hundreds where a bank wants to monitor access to lockof devices in an organization that can be er rooms and send pictures of it to its security monitored or managed remotely—because of team. Or a brown label ATM service provider dynamic business needs, shrinking IT teams, who wants to lower AC settings during off peak and rapid technology and application changhours to save power. In both cases and others es—CIOs aren’t able to dedicate enough time like it, dedicated solutions are required to cenand attention to meet such security needs. trally monitor and alert respective stakeholders Consequently, the need to manage critical of any threats, both for compliance and prevennon-IT devices shifts to the back-burner. tion needs. Thus, managed services help comThis exposes organizations to a plethora panies to focus on their core business. of security threats. To strengthen security

P.J. Nath, ED & CEO, Nelco

With over 25 years of experience in IT, telecom and system integration, Nath has worked in some of the biggest names in the industry. He has successfully carried out leadership roles for the last 14 years across different organizations. Prior to taking command at Nelco, he served as executive president for Enterprise Business for four years in Sify.

How can Nelco help secure organizations? There is a need to offer integrated end-to-end customized management of indoor and outdoor security systems such as fire-detection and perimeter security systems, access and gates control, CCTV surveillance, scanning devices, etcetera into one centrally monitored and controlled package. Nelco offers control and monitoring of the indoor-outdoor security systems under demanding work conditions, making it the perfect choice for industrial plants, power stations, broadcasting stations, telecommunications stations, airports, railways, and state borders. This simplifies common operating methods and reduces system costs.

This Interview is brought to you by IDG Custom Solutions Group in association with


Cover Story

IT Strategy

and data, including password policies and upper management review. The controls have to exist for both internal and remote access. Additionally, the provider has to have a documented policy for administrator IDs, while vendor and third-party access policies are documented and subject to upper management review. This applies to both physical access to operations and datacenters as well as information systems and data. Additionally, the provider must have third-party assessments of provider or client information systems.

Change management. The certification requires that the provider demonstrate it has documented and formalized change management policies for making changes to information systems, including a formal process for requesting, logging, approval, testing and acceptance of changes prior to implementation. The provider must also show that emergency changes are under a formal review process.

Data integrity. The provider has to show that it has sufficient information security policies and procedures that are operating effectively. The policies and procedures must be reviewed, updated, approved and communicated to the provider’s personnel annually. This includes data backup and other retention policies.

Physical security. The provider must have documented policies governing physical access to its IT assets, including visitor/guest logs at applicable facilities. It also has to show security controls at each facility, including card key, CCTV, on-site security and other effective security controls. The provider has to show documented controls governing the access to provider and client facilities of terminated employees and those changing positions. The provider must show documented policies for physical access to co-location hardware maintained in its facilities, and it must perform physical security assessments at each facility annually. Additionally, its NOC and datacenters must be protected from disruptive events using environmental safeguards. The NOC must have effective redundancies for both connectivity and power, including documented DR/business continuity planning.

SLAs. The provider must be able to show that it uses signed SLAs with its clients and that sufficient controls exist to track and monitor services provided to clients. The controls must also track modifications to the client’s setup within the provider’s systems and also track client reporting, billing and satisfaction. The provider must be able to show that it makes performance reports available to clients in accordance with signed SLAs, including invoices. Also, the provider must have verified references.

Financial health. The provider must be able to show that it is in a stable and healthy financial position, with demonstrated profitability for a minimum of six previous months, or it must show sufficient capital to prove stability in the absence of profitability. It must also show a sufficient distribution of its revenues across multiple clients and geographies.

Quiz Cloud Providers on DR
By Stephanie Overby

When Amazon Web Services (AWS) went down due to a storm, it left websites like Netflix and Pinterest inaccessible. That wasn’t the first time a cloud provider went down, nor will it be the last, so you need to protect yourself. Here are questions you can ask to make sure you are sheltered from potential storms in the cloud.

1. Does your baseline uptime SLA meet my business needs? Buyers used to five nines will be disappointed by the 99.9 percent uptime SLAs of cloud providers. “It’s one of the first terms they should ask their prospective provider to see if they can do better,” says Jim Slaby, research director of sourcing security and risk strategies for outsourcing analyst firm HfS Research. “Buyers should also negotiate well-defined RPO and RTO for each service in their contract.” You will have to pay more.

2. How do you define “uptime” and “downtime”? “Sophisticated customers will clearly spell out exactly what is considered downtime,” says Todd A. Fisher, partner with law firm K&L Gates. “Does it mean five percent of the end users are affected? Or 25 percent? Or 50 percent? What if the system is technically working, but is running so slowly that end users can’t do their jobs effectively?” Beware of overly broad exclusions. For example, telecom outages are typically excluded with no distinction between services purchased by the customer itself (a legitimate exclusion) and those of the provider who should provide redundant telecom architecture to prevent a single point of failure, says Dr. Jonathan Shaw, principal with outsourcing consultancy Pace Harmon.

3. What’s your disaster recovery plan? “Buyers should really be digging into this,” says Slaby of HfS Research. Request site visits and audits to estimate the vendor’s achievable recovery time and recovery point and use that to calculate the impact on your business of a potential failure. “This analysis may simply preclude a cloud solution [if] it is not possible to recover the cloud application sufficiently quickly to avoid a business-jeopardizing event,” says Shaw.

4. How often do you test that plan? “Having a DR and BCP in place does not ensure that downtime will be minimized in the event of a disaster,” says Fisher of K&L Gates. “Unfortunately, some providers don’t regularly test their plan so they can’t be sure it will be effective in the event of a disaster.” Smart shoppers will include a contractual requirement for semiannual disaster recovery testing, compelling the provider to disclose the results to the customer and correct any deficiencies uncovered.

5. Can I walk away if I’m not satisfied? Customers should insist on a clause giving them the right to terminate without penalty if the provider cannot restore service after a predetermined period of time regardless of the cause of the downtime, says Slaby. “The absolute worst position to be in is to have a multi-year commitment to pay for a service that is not being delivered,” says Shaw.

6. Can I look at your books? Natural disasters, software bugs, and heavy traffic aren’t the only risks to reliable cloud service. The business itself can also fail. “If the cloud provider goes bankrupt and simply stops providing the service, the SLA gets you nothing,” says Shaw. “So financial due diligence and analysis of the business is also advisable.”

Track Costs for Cloud Apps
By Bernard Golden

One of the most interesting aspects of cloud computing is the way it changes cost allocation over the lifetime of an application. Many people understand that pay-as-you-go is an attractive cost model, but fail to understand the implications that the new cost allocation model imposes on IT organizations. The pay-as-you-go model addresses several obvious and painful limitations of the previous model, which was based on asset purchase; in other words, prior to application deployment, a significant capital investment had to be made to purchase computing equipment (that is, servers, switches, storage, and so on).

The Shortcomings of Asset Management


It requires a large capital investment, which displaces other investment that the organization might make (that is, it forces a tradeoff between this application and other, potentially useful capital investments like new offices, factories, and so on).

The capital investment must be made before it may be clear just how much computing resource will be needed when the application is operating; perhaps the application will experience much more use and there won’t be enough equipment, but perhaps the application won’t be used as forecast, and some or much of the investment will be wasted.

Requiring a large investment upfront makes organizations more conservative, not wanting to invest in applications that may not be adopted; this has the inevitable effect of hindering innovation, as innovative applications are by definition difficult to forecast and therefore more likely to result in poor adoption.

However, there is one big advantage of this approach: Once the investment is made, the financial decision is over. Assuming the application obtains the necessary capital, no further financial commitment will be needed. Of course, this has led to utilization issues, as applications commonly only used single-digit percentages of the computing resource assigned to them, but there were no ongoing bills or invoices for the application resources.

Many people are excited about cloud computing because it uses a different cost allocation model over the lifetime of an application. Instead of a large upfront payment, you pay throughout the lifetime of the application; moreover, you have to pay only for actual resource used, thereby avoiding the underutilized capital investment situation typical of the previous approach.

The Advantages of Cloud Computing

Little investment is required upfront. This means that cloud-based applications can be pursued without worrying about whether other, useful capital investment will be displaced by the decision.

This approach fosters innovation. Because little investment is at risk, innovative applications can be rolled out with less concern about predicting outcomes. If the application is successful, more resources can be easily added without requiring more investment; if the application is poorly adopted, it can be terminated and the resources returned to the cloud provider, with no ongoing payment needed.

It can enhance agility, because no lengthy capital investment decision processes are needed prior to beginning work. The cliche is that all that is necessary to get started is a credit card and within 10 minutes you’re up and running. Anyone who has suffered through a capex decision process knows how miserable an experience it can be. Certainly the 10 minute approach is extremely attractive.

The Challenges of the Pay-As-You-Go Approach

The first one is obvious: Instead of a one-time payment, users receive a monthly invoice or credit card charge. Every month there is a reminder that there is a cost associated with running the application. The meter is always running.

The costs are unpredictable. A CIO of a large media company said that his organization loved the ease of access to resources that Amazon Web Services (AWS) makes possible, but one of his projects experienced this: The first month of working on the application was great—immediate access and only $400 (about Rs 22,000) of cost; the second month, however, the fee came to $10,000 (about Rs 5.5 lakh). He noted that his firm could afford the $10,000, but wanted to understand what caused such a dramatic change in cost.

Low resource utilization imposes ongoing wasted costs. While poor utilization in the previous model evinced inefficiency, at least there was no ongoing wasted money. When cloud resources are not actually used, but continue running, every month a bill comes for little productive work. It’s like running your air conditioner with the front door wide open. And the poor habits of previous computing regimens continue in the new world of cloud computing. At the recent Cloud Connect conference, a new cost tracking service called Cloudyn noted that its research shows that AWS resources are commonly used at 17 percent utilization. That’s a lot of wasted money. Add in the likelihood that these resources are not being tracked and that spun-up instances are often started and then forgotten about, and organizations could easily experience years of extra costs.

What is the Right Approach?

So what is the right approach for IT organizations to realize the benefits of cloud computing, but avoid the unfortunate cost effects outlined above? Here are five critical items to pay attention to:

Design: Your application must be designed so that the appropriate level of resources can be assigned and used. Think of this as a “just-in-time computing resource.” This implies that the application must be designed as a collection of small, finely grained resources that can be added or subtracted as application load dictates. Instead of one very large instance, the right design approach is to use multiple smaller instances that can grow or shrink in number as appropriate.

Operations: Monitor utilization and terminate unneeded resources. As previously mentioned, lots of bad habits from the previous, upfront investment approach remain in cloud computing users. Probably the worst one is the habit of starting resources and never shutting them off, or, indeed, never monitoring them to determine whether they’re being used or not. In the pay-as-you-go world, every unused or underused resource is a hole down which you’re pouring money. A service such as Cloudyn or one of its competitors can be enormously helpful here, but the financial tracking needs to be married to an operational tracking in which developers and system admins are monitoring resources.

Finance: Evaluate total organizational spend. A number of companies have many, many AWS accounts and don’t realize that by centralizing the spend, they would achieve greater discounts. While within some companies that decentralized approach is deliberate (aka “shadow IT”), everyone will benefit from lower prices, so it makes sense to move to a collective bill.

Procurement: Negotiate pricing. While AWS posts its prices, if there is sufficient spend, it will demonstrate flexibility. Certainly every other cloud service provider (CSP) out there is very flexible on pricing, especially in a situation in which the account would be moving from AWS. Of course, it’s critical to ensure other critical elements of the application, like availability and security, can be achieved in another cloud environment.

Management: Recognize that cloud computing is a new operation mode and cost tracking and application utilization monitoring are critical IT skills. Set up a group that examines financial performance to ensure maximum cost/benefit outcomes. Don’t staff the group with only finance people either. Technical skills are required to enable a full 360 degree evaluation of application, financial, and technical performance. Realize that IT is now in the service provider business, and service providers pay attention to operational costs all the time.

Send feedback to editor@cio.in



Big data can be big trouble if it isn’t handled with care. Here are some tips to make the most of that treasure trove of information.

DID YOU KNOW? 45 percent of Indian CIOs say they consider big data a buzzword, according to the Mid-Year Review Survey 2012.


Gear Up for Big Data
By Joab Jackson

#1 You will need to think about big data.

Big data analysis got its start from the large Web service providers such as Google, Yahoo and Twitter, which all needed to make the most of their user generated data. But enterprises will use big data analysis to stay competitive, and relevant, as well. You could be a really small company and have a lot of data. A small hedge fund may have terabytes of data, says Jo Maitland, GigaOm research director for big data. In the next couple of years, a wide number of industries—including healthcare, public sector, retail, and manufacturing—will all financially benefit by analyzing more of their data, consulting firm McKinsey and Company anticipated in a recent report. There is an air of inevitability with Hadoop and big data implementations, says Eric Baldeschwieler, chief technology officer of Hortonworks, a Yahoo spinoff company that offers a Hadoop distribution. It’s applicable to a huge variety of customers. Collecting and analyzing transactional data will give organizations more insight into their customers’ preferences. It can be used to better inform the creation of new products and services, and allow organizations to remedy emerging problems more quickly.

#2 Useful data can come from anywhere (and everywhere).

You may not think you have petabytes of data worth analyzing, but you will, if you don’t already. Big data is collected data that used to be “dropped on the floor,” says Baldeschwieler. Big data could be your server’s log files, for instance. A server keeps track of everyone who checks into a site, and what pages they visit when they are there. Tracking this data can offer insights into what your customers are looking for. While log data analysis is nothing new, it can be done to dizzying new levels of granularity. Another source of data will be sensor data. For years now, analysts have been speaking of the Internet of Things, in which cheap sensors are connected to the Internet, offering continual streams of data about their usage. They could come from cars, or bridges, or soda machines. “The real value around the devices is their ability to capture the data, analyze that information and drive business efficiencies,” says Microsoft Windows Embedded General Manager Kevin Dallas.


#3 You will need new expertise for big data.

When setting up a big data analysis system, your biggest hurdle will be finding the right talent who knows how to work the tools to analyze the data, according to Forrester Research analyst James Kobielus. Big data relies on solid data modeling. Organizations will have to focus on data science, says Kobielus. They have to hire statistical modelers, text mining professionals, people who specialize in sentiment analysis. This may not be the same skill set that today’s analysts versed in business intelligence tools may readily know. Such people may be in short supply. By 2018, the United States alone could face a shortage of 140,000 to 190,000 people with deep analytical skills as well as 1.5 million managers and analysts with the know-how to use the analysis of big data to make effective decisions, McKinsey and Company estimates. Another skill you will need to have on hand is the ability to wrangle the large amounts of hardware needed to store and parse the data. Managing 100 servers is a fundamentally different problem than handling 10 servers, Maitland points out. You may need to hire a few supercomputer administrators from the local university or research lab.

#4 Big Data doesn’t require organization beforehand.

CIOs who are used to rigorously planning out every sort of data that would go into an Enterprise Data Warehouse (EDW) can breathe a little easier with big data setups. Here, the rule is, collect the data first, and then worry about how you will use it later. With a data warehouse, you have to lay out the data schema before you can start laying in the data itself. “This basically means you have to know what you are looking for beforehand,” says Jack Norris, vice president of marketing for MapR. As a result, “you are flattening the data and losing some of the granularity,” he says. “Later on, if you change your mind, or want to do a historical analysis, you’ve limited yourself.” “You can use a [big data repository] as a dumping ground, and run the analysis on top of it, and discover the relationships later,” says Norris. Many organizations may not know what they are looking for until after they’ve culled the data, so this kind of freedom “is kind of a big deal,” he says.

#5 Big Data is not only about Hadoop

When people talk about big data, most times they are referring to the Hadoop data analysis platform. “Hadoop is a hot button initiative, with budgets and people being assigned to it,” in many organizations, Kobielus points out. Ultimately, however, you may go with other software. Recently legal research giant LexisNexis, no slouch at big data analysis itself, open sourced its own platform for analysis, HPCC Systems. MarkLogic has also outfitted its own database for unstructured data, the MarkLogic Server, for Big Data style jobs as well. Another tool gaining favor in the US is the Splunk search engine, which can be used to search and analyze data generated by machines, such as the log files from a server. “Whatever data you can extract from your logs, there is a good chance that Splunk can help,” notes Curt Monash of Monash Research.

Tame Big Data Flow
By Michael Ybarra

Mike Brown, the CTO at ComScore, knows a bit about managing big data. Every day 12 terabytes of information rushes into his cluster of 80 servers running the open-source software Hadoop, which sorts and analyzes the data for a host of clients who want to know things like which online vendor sold the most e-cards or how fast Facebook is growing in Brazil. “We ingest 32 billion new rows of data a day,” he says. The torrent of data is swelling fast enough that Brown plans to be running 200 servers by the end of the year—and without the right data-integration software, he thinks that number could double.

Brown has been wading through an ocean of information ever since he joined ComScore as its first software engineer in 1999, shortly after the startup landed its original venture financing. Today, the Internet market research firm reports $232 million (about Rs 1,276 crore) in revenue a year. “Our growth is pretty darn linear and should continue,” Brown says.

ComScore started off on a homegrown grid processing stack and in 2000 added Syncsort’s data integration software, the current version of which is DMExpress. “We were up and running in weeks,” Brown says. “It literally made our software run 5-10 times faster. You’re not just adding storage, but you’re adding compute as well.”

In 2009, ComScore began migrating to Hadoop, becoming an early adopter of the technology, which has recently begun gaining traction in the enterprise market. “We decided it was better to leverage the community than invest in building our own,” Brown says. “In general, Hadoop is harder to bring into an enterprise when you have mixed operating systems. DMExpress, with their connector, is helping to solve this issue.”

That’s a typical experience, notes James Kobielus, in a recent report for Forrester Research, where he was an analyst. Hadoop, he wrote, “lacks some critical enterprise data warehouse features, such as realtime integration and robust high availability. The Hadoop market includes many vendors that have focused on these and other deficiencies in the core Hadoop stack. Vendors have, of necessity, either built proprietary extensions to address these requirements or have leveraged various NoSQL tools and open-source code to provide the requisite functionality.”

In ComScore’s case, Brown found that Syncsort’s software made the Hadoop migration a piece of cake. “You don’t have to change any code, except the push code,” he says. “We use DMExpress in [more than] 30 different apps. It’s our tool for any situation [where] we have to adjust the data.” “We can store twice as much data on the cluster,” he continues, “and we also use it to improve performance. One big problem it solved was the ability to chunk and split the large files we have into files that fit perfectly into the chunks on Hadoop. This enables us to have a higher rate of parallelism on compressed files while reducing our costs for disk on the cluster.” That, Brown says, translates into saving 75 terabytes of data storage a month. That, too, is big data.


Use Big Data Analytics for Marketing
By Reda Chouffani

Marketing has evolved tremendously over the years, largely because technology has enabled it to reach, when the situation calls for it, either a bigger audience or a more specific, targeted audience. The Internet has helped businesses reach audiences at much faster speeds and lower costs than more traditional advertising methods. Simply having a Web presence and using the right keywords will drive search engine users to a website. Unfortunately, this has a side effect: More brands than ever are competing for consumers’ attention. That makes it even harder for businesses to ensure a memorable and impactful encounter with potential customers.

To that end, today’s marketing departments face many challenges. Organizations are still identifying methods to make their products more customer- and market-driven, while businesses are pressured to drive more qualified leads to their sales teams and to work with product development to ensure they’re delivering the products and services clients are asking for. Addressing these issues requires a creative strategy and a platform that makes it easier to close the gap with the competition, increase brand awareness and reach customers at the right time.

Big Data for Marketing

Some have identified marketing analytics as a way to resolve these challenges. A recent survey directed by Professor Christine Moorman and Sr. Professor of Business Administration T. Austin Finch with Duke University’s Fuqua School of Business, found that marketing executives in the Fortune 1000 and Forbes 200 plan to increase their spending on marketing analytics in the next three years, some by as much as 60 percent. Many will be starting from scratch, as only 35 percent of respondents currently use marketing analytics.

Marketing analytics used in conjunction with big data will help many organizations properly evaluate their marketing performance, gain insight into their clients’ purchasing habits, market trends and needs and make evidence-based marketing decisions. As one example, look at how politicians are using big data to identify their target audience and reach out to the so-called “silent majority.”

With big data, there are several ways marketing executives can leverage existing data that’s available internally, as well as external information received from a third-party vendor, in order to track the effectiveness of various marketing efforts.

Marketing departments should engage IT departments, and IT leadership, to help them accomplish these new goals. CIOs can then assist in creating a strategy that builds upon the data that’s available internally. Such collaboration between forward-thinking CIOs and CMOs will become the basis of both competition and growth in organizations, as employees will look to use big data to find unique ways to outperform their competitors and peers.

It’s safe to say that businesses of all sizes have access to platforms that in turn provide access to data and analysis. While in some cases internal systems may not have all the transactional and historical data regarding operations, customer purchasing habits and marketing performance, many of today’s systems do provide an easy, cost-effective way to get a head start on big data, as there are numerous open-source big data technologies in the market. For large data sets, there are several scalable pay-as-you-go services that can process and host data.

Retain Customers with Analytics
By Stephanie Overby

There’s no shortage of technology at work when you call a customer service line, including customer relationship management systems and voice-recognition programs. From the second you dial that toll-free number until the moment the agent answers, a slew of tools is whirring in the background to make the interaction as helpful as possible. But anyone who’s endured a less-than-productive call center experience knows these tools don’t always get you to the right person— let alone the best person—right away.

“It’s a thousand-mile journey between when a customer picks up the phone and when they land on a customer service representative’s desktop,” says Cameron Hurst, a 15-year veteran of call-center-technology management. Assurant Solutions, where Hurst is vice president of targeted solutions, provides specialized insurance products from its base in Atlanta, and it has developed a better way to match customers and call center agents using analytics.

Most call centers are heavy users of rules-based analytics, such as systems that route calls based on “if-then” formulas. For example, if a call is made between 8 am and 5 pm, you’re routed to Boise instead of Bangalore. This wasn’t enough for Assurant Solutions, which sells and supports debt-cancellation products, credit card insurance, and other financial-protection products. The company has a high acquisition rate—most of its products come with a trial period—and a high customer churn rate. Seven years ago, it retained just 16 percent of its customers.

So it turned to model-based analytics. The company created a proprietary system that analyzed the attributes of all calls over six months to create models of the successful ones. It then examined a host of customer variables—such as age, account balance, credit-to-balance ratio, and persistence in calling—to create models of different customer “clusters.” “The models are reduced to algorithms [which become] Java code, and that code powers a matching engine,” Hurst explains. “It scans thousands of agents and finds that one optimal match. It’s kind of like eHarmony— there’s someone for everyone.” Unlike most matching systems, Assurant’s looks at agents who are already on a call—not just those who are available—and determines if they will be wrapping up in time to deal with their next customer soul mate.

Since implementing the system, Assurant’s customer-retention rate has jumped 190 percent to around 47 percent. Most customer-service-related technologies promise a 10 percent to 25 percent improvement in customer retention, says Hurst, who was formerly a CIO at a large community bank. The system and its processes—now patented—showed enough promise that IBM partnered with Assurant to create a tool called the Real-Time Analytics Matching Platform (RAMP) which it began selling earlier this year. Assurant signed a revenue-sharing agreement with Big Blue (IBM) for future RAMP sales and became the system’s first buyer. Hurst expects to see a lot of interest, particularly among financial services companies desperate to “squeeze the most juice out of the lemon” with their customers. “They’re deep into analytics,” says Hurst. “But this is the one thing they’re missing that’s very, very important.”


Cover Story

Different Sectors, Different Uses

The data that must be captured varies for marketing purposes. For online retailers, Web server logs, referring sources, page views, navigation patterns—basically all activities on the website—would be very beneficial. This lets retailers identify what keeps clients interested and what pushes them away. For some retailers, there’s even the potential to mine a visitor’s historical browsing patterns and searches and display items that she might have previously been interested in, as well as similar items that will likely interest her, when she returns to the site.

Brick-and-mortar retailers, on the other hand, face a different challenge. Loyalty cards have been, and remain, a popular method to capture shoppers’ behavioral data. However, as stores increasingly offer free Internet to their customers, as well as mobile apps that provide electronic coupons, this provides data of great value to the retailer (not to mention a helpful service to the customer). Behind the scenes, the app gathers information that will help create a profile of the shopper. The app can also increase sales through the use of display ads.

In some cases, stores are implementing “soft surveillance” programs. Here a shopper who’s not using a loyalty or reward card but who does use a retailer’s mobile app is photographed as he or she walks through the main entrance. The customer can now be tracked throughout the store; the retailer can identify the sex, ethnicity and age of the shopper and, using that information, push customized ads to the mobile app.

The data that’s collected can be used in a couple of ways. The first model is a real-time response and feedback mechanism meant to influence a customer’s purchases through video prompts related to his or her demographic information and based on observations made throughout his or her walk. For example, a young man in workout clothes picking up a sports drink could be reminded that the store also sells vitamins designed specifically for high-energy sports enthusiasts, or someone picking up diabetic medication at the pharmacy could be pointed to healthy, low-sugar food choices. Identifying individual items that particular shoppers are likely to buy can impact the bottom line. The second model requires a retailer to analyze all the data that’s captured over time, identify patterns in how shoppers make purchasing decisions and determine what influenced their buying decisions.

For politicians, meanwhile, it is critical to connect and engage with voters. Having the ability to say the right thing to the right individuals and groups is a must if you seek votes. As noted above, this year’s election is making use of electronic data. Different people with different interests can visit the same candidate’s website and see completely different messages and themes for them based on their visitor profiles. Big data takes things a step further. Sites such as Klout can identify influencers in real time, allowing campaigns to target them with specific content so they can push the message downstream. In addition, real-time sentiment analysis during and after public speaking engagements lets PR machines educate candidates on what topics best connect them to voters, and what topics should be avoided, by monitoring social media sites.

While in some cases it is far easier to focus on using data to increase market exposure and discover insight, it won’t be uncommon to see firms using data they have collected from clients to sell access and insight they have gained from it. For example, the data that manufacturers collect on faulty products can be sold, as it offers insight into how a component may behave under certain conditions. This data can easily provide a value-added service for a manufacturer, not to mention a new revenue stream.

Finally, telecommunication firms, free Wi-Fi providers and mobile carriers all retain information regarding customers’ Web browsing habits. This information has tremendous value and can potentially be de-identified and sold—or, if the fine print states that information can be shared, then a consumer’s information may be used and sold to telemarketers.

The value that big data offers marketing executives, combined with the competition that drives businesses to seek market advantage, means we should expect to see increased investment in digital infrastructures. Such technology can help retailers optimize and narrow the gap between what their clients want and what they actually receive. Financial services, healthcare and many other sectors will seek the opportunities and benefits that big data offers as well. CIO

Send feedback to editor@cio.in


Outsourcing

Outsourcing is still in. It might have taken on new names—like the cloud—but traditional sourcing isn’t extinct. Read on to find out how to leverage it.

DID YOU KNOW?

On average, Indian organizations have 1.2 outsourced IT employees for every IT staffer on their payroll, according to the Mid-Year Review Survey 2012.


Know Your IT Outsourcing Provider Wants to Dump You

By Stephanie Overby

Some of the biggest IT service providers have programs to extract themselves from relationships with the bottom 10 percent of profitability. “Providers today are much less likely to live with bad deals or money-losing accounts,” says Stan Lepeak, KPMG’s director of research for advisory services.

But breaking up is hard to do. The termination clauses of a contract may make it prohibitively expensive for unilateral provider pullout. So the vendor may back away from the account in more subtle ways, either to protect its margins or nudge the customer toward termination—or both.

“When deals become unprofitable, the vendor must try to raise the profitability,” says Adam Strichman, founder of sourcing consultancy Sanda Partners. “When they start to take very aggressive actions toward profitability, this is the first—and best—signal that the deal is unprofitable. When their actions become too aggressive, that can also be interpreted as trying to get out.”

“If the client’s only goal is to squeeze the rates as much as they can and they start playing up to get penalty awards for subpar performance, they quickly become not only unprofitable, but also at risk for spreading a poor image of that provider’s performance into the market,” says Phil Fersht, founder of outsourcing analyst firm HfS Research, who estimates that one in five outsourcing customers falls into that category. “Their providers quickly start to figure out how to either ‘lose’ them at renewal to a competitor or simply churn them via an arbitrator if this gets really bad. [But] there are many more examples where providers are having a terrible time trying to service clients which simply make them no money and they can’t get rid of them.”

So how do you know if you’re one of the ‘problem’ clients? Here are 10 telltale signs your IT outsourcing provider wants to dump you.

They’ll Say: We Need to Talk. “The one thing that is relatively certain when a customer falls to the bottom 10 percent of a vendor’s portfolio is that the vendors will not be shy about letting them know,” says Steve Martin, partner with outsourcing consultancy Pace Harmon. “In these problem scenarios, a provider’s first course of action is generally to voice their concerns to their customers and attempt to propose remedies through the standard governance process, rather than immediately developing subtle termination plots. They may also attempt to renegotiate the deal or work through critical issues in executive-level meetings.”

They’ll Do Death by Change Order. Watch out for a provider that’s getting hyper-technical about what is included in the scope of the contract, says Edward Hansen, partner with law firm Baker & McKenzie. Even clauses intended to address scope-related issues, like a ‘sweeps clause’, intended to enable the buyer to include within the contract scope additional services that are incidental or inherent to those laid out in the statement of work, “just seem to stop working when the vendor gets into economic trouble,” Hansen says. “‘Death by change order’ is a telltale sign that they’ve fallen out of love with their customer,” says Martin of Pace Harmon. A weary vendor might also refuse to respond to new technology requests or other scope expansions, until another portion of the existing deal is ‘fixed’ or ‘addressed’, says Strichman of Sanda Partners.

They’ll Stop Sales. If the outsourcer is making few attempts to sell more work, upsell services or develop a long-term roadmap, chances are the vendor wants out, says KPMG’s Lepeak. “All leading service providers today are focused on growing business in existing accounts,” Lepeak says. “It’s cheaper and more efficient from a sales standpoint, creates a more sticky relationship, and often creates opportunities to get involved with more strategic work.” According to KPMG’s Sourcing Pulse survey, 80 percent of IT service providers said that they are pushing hard to expand the scope of current accounts.

They’ll Send in the Lawyers. Provider counsel may chime in occasionally on even the best deal. But when they’re suddenly omnipresent, even on the smallest issues, “you know there’s a problem,” says Strichman of Sanda Partners.

They’ll Push Governance Rollbacks. It’s rare that vendor governance costs are


Mine Better With IT Outsourcers

By Stephanie Overby

The growth of the developing world will likely require as many mineral resources over the next 25 years as have been used since the dawn of the Industrial Revolution. But those scarce minerals will become increasingly difficult to recover from the earth. It’s a basic problem of supply and demand, but the solutions are anything but basic for John McGagh, head of innovation for mining company Rio Tinto. “We look for big problems,” he says. “My shop is not about incremental innovation. We ask ourselves one question: What can’t we do today that, if we could do it tomorrow, would fundamentally change the business?”

Mining practices have remained largely unchanged for more than a century. So when Rio Tinto began developing its Mine of the Future program to bring new automation and remote operations to the 139-year-old company, McGagh looked outside for help. “We don’t believe our strategic advantage is design,” says McGagh, whose team of 100 people is aided by at least 10 times that outside the company. To overcome that, “we build networks.” Those networks include a center for mine robotics and automation at the University of Sydney, an advanced mineral recovery research program with London’s Imperial College, and General Electric’s Ecomagination initiative to deliver lower-carbon solutions for surface mining.

The ideas have come fast and furious, but just two of every 100 ideas make it to pilot, and even those often don’t get adopted. Suggestions include a laser scanner that drives around a mine pit to produce a real-time 3-D model of the environment and an autonomous explosives truck programmed to create precise blast holes. The goal is a safer, more efficient and more effective mining environment where people work like air-traffic controllers—supervising drills, loaders and trucks from hundreds of miles away.

“It became obvious that we needed a partner to accelerate our surface mining, data mining and robotic technologies,” says McGagh. That’s where an Indian IT service provider came in. “We wanted a partner who could look outside the closed world of mining and say, ‘Here’s ideas from biotech or automotive or aerospace,’” says McGagh, who prefers PhDs and MBAs working on the project.

McGagh refuses to use the word outsourcing. “We were looking for technical capability insourcing—a way to bring on board an innovation center, which happens to be in Pune and happens to be operated by our partner,” he says. “We had to build a lot of cultural and technical links, and it was a challenge to bring this much larger group [into the fold].” His team has evolved to better manage the relationship, such as by incorporating “people who can speak the language of our business and translate to our network partners,” says McGagh.

While some Rio Tinto competitors do develop emerging technologies in-house, McGagh prefers his way. “If we tried to do it internally, it would be miners thinking like miners,” he says. “Have you been to a mining conference? It’s downright dull.” CIO

separately called out in an outsourcing contract. “This makes governance an easy target for cost cutting,” says Hansen of Baker & McKenzie. Cutbacks in management oversight are an early sign the vendor is backing out of the relationship.

An increase in delivery or account team turnover, particularly among more senior members and with little advance notice, is also a bad sign. “While providers will always attempt to roll their best people off to reduce costs, keep them fresh, to pursue


Custom Solutions Group CHECK POINT

ADVERTORIAL

How to Guard Your Enterprise Against DoS Attacks

How well are you prepared against the wide range of DoS attack techniques and tools? Check Point offers you a five-step program to arm your enterprise against DoS attacks.

By now, it’s clear that there is no silver bullet solution for a complete defense against DoS attacks. DoS attacks typically hit without warning, which only increases their impact. This emphasizes the importance of ground work. To begin with, every CIO needs to ask: “If a DoS attack hits us and our systems don’t respond, what would we do?” Answering this forms the basis of a plan of action to defend against DoS attacks. Developing a ‘DoS Attack Response Plan’ is critical to mitigate a DoS attack. But just as important is to ensure that the entire IT team is aware of the plan. Consider the following elements of a sound DoS Attack Response Plan:

Determine Who is in Charge

From the outset and throughout the DoS ordeal, it is important to have already appointed clear and proper leadership. Choose an incident response team with clear roles and appoint someone to direct the team.

Decide What Actions Should be Taken

The first step is to analyze traffic. Use existing vendor and in-house tools to analyze traffic and identify the profile of the attack. Your analysis should identify suspicious geographic sources, cross-reference suspicious IP source addresses with known bad IP addresses, identify spikes in traffic types, application traffic, and traffic geo sources, among others, and finally, it should identify connection patterns that vary from the norm.

The next step is to implement blocking rules. Set rules to block traffic that meets the identified attack profile. For example, you should block all traffic from the list of suspicious source countries, and block source IP addresses that are known bad IPs. You should also block all identified suspicious traffic/attack types and block all traffic based on the identified suspicious connection pattern and/or all connection patterns that vary from the norm.
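The analyze-then-block sequence above, sketched as an added example (not Check Point tooling and not code from this advertorial): it profiles a traffic window against a normal baseline, derives block rules, and reports how much normal traffic each rule would also have dropped. The flow record fields, the traffic-type labels, the known-bad list, the thresholds and the placeholder country codes are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src_ip: str
    country: str  # geo source label, as a GeoIP lookup would supply it
    kind: str     # traffic type label assigned by the analysis tool
    conns: int    # connections from this source in the window


# Constructed sample data: documentation IP ranges, placeholder country codes.
BASELINE = [  # a normal window of the same length
    Flow("198.51.100.10", "XA", "http", 40),
    Flow("198.51.100.11", "XA", "http", 35),
    Flow("198.51.100.12", "XB", "http", 30),
    Flow("198.51.100.13", "XA", "dns", 20),
    Flow("198.51.100.14", "XC", "http", 5),
]
CURRENT = [  # the window under analysis
    Flow("198.51.100.10", "XA", "http", 42),
    Flow("198.51.100.11", "XA", "http", 38),
    Flow("198.51.100.12", "XB", "http", 29),
    Flow("198.51.100.14", "XC", "http", 6),
    Flow("203.0.113.5", "XC", "half-open-syn", 900),
    Flow("203.0.113.6", "XC", "half-open-syn", 850),
    Flow("203.0.113.7", "XC", "half-open-syn", 40),
]
KNOWN_BAD = {"203.0.113.7"}  # assumed reputation list


def volume(flows, field):
    """Total connections grouped by one Flow attribute."""
    totals = Counter()
    for f in flows:
        totals[getattr(f, field)] += f.conns
    return totals


def spikes(baseline, current, field, factor=3.0, floor=50):
    """Values of `field` whose volume is at least `factor` times the baseline.

    `floor` keeps a value that is rare or absent in the baseline from being
    flagged on a handful of connections.
    """
    base, now = volume(baseline, field), volume(current, field)
    return {k for k, v in now.items() if v >= factor * max(base[k], floor)}


def outlier_sources(baseline, current, k=3.0):
    """Sources whose connection count exceeds baseline mean + k std devs."""
    per_source = list(volume(baseline, "src_ip").values())
    limit = mean(per_source) + k * pstdev(per_source)
    return {ip for ip, n in volume(current, "src_ip").items() if n > limit}


def build_profile(baseline, current, known_bad):
    """The attack profile: each element the analysis step asks for."""
    seen = {f.src_ip for f in current}
    return {
        "known_bad": seen & set(known_bad),
        "types": spikes(baseline, current, "kind"),
        "countries": spikes(baseline, current, "country"),
        "sources": outlier_sources(baseline, current),
    }


def block_rules(profile):
    """Vendor-neutral (field, value) rules, narrowest first."""
    ips = sorted(profile["known_bad"] | profile["sources"])
    return ([("src_ip", ip) for ip in ips]
            + [("kind", t) for t in sorted(profile["types"])]
            + [("country", c) for c in sorted(profile["countries"])])


def collateral(rule, baseline):
    """Fraction of normal-window connections the rule would also block."""
    field, value = rule
    total = sum(f.conns for f in baseline)
    hit = sum(f.conns for f in baseline if getattr(f, field) == value)
    return hit / total


if __name__ == "__main__":
    profile = build_profile(BASELINE, CURRENT, KNOWN_BAD)
    for rule in block_rules(profile):
        share = collateral(rule, BASELINE)
        print(rule, f"normal traffic also blocked: {share:.1%}")
```

In this constructed data the per-address and traffic-type rules touch no baseline traffic, while the country rule would also drop the one legitimate source seen from that location, which is the trade-off to weigh before applying the broader rules.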

Seek Service Provider Assistance

Service providers can offer tremendous assistance in mitigating DoS attacks, but the time to understand what services they provide, what they cost and what their processes are is before—and not during—a DoS attack. Contact your service providers to understand what DoS protection services and tools they offer to block a DoS attack. Also note how the services are charged. They can be charged by incident, by amount of data, or by a quarterly or annual premium.

Contact Third Party Mitigators

Beyond service providers are third-party vendors. They offer specialized DoS mitigation services that are called ‘clean pipes’. These services are sometimes the only viable option for mitigating a large, network-consuming volumetric DoS attack.

Again, identify and engage these providers to understand what services they offer. For example, document the steps to redirect all Internet traffic through their facility for a ‘clean pipes’ service should you face a volumetric attack.

Contact the Authorities

Contact authorities in the event there is an opportunity for legal action. Be sure to retain logs and other evidence that could be useful in identifying and prosecuting the attackers.

When you fall under DoS you will either know exactly what to do from the instant the attack is identified, or you will be caught under an overwhelming wave of panic because your systems are not responding. And so, creating a plan of action against DoS attacks is by far the most important step you can take to defend against an eventual attack and its importance cannot be overemphasized.

Types of DoS Attacks

There are two primary categories of DoS attacks: attacks that target the network and attacks that target applications. While application attacks have become more common in the last year or two, network flood attacks were always popular.

Network Flood DoS Attack

Also known as volumetric attacks, these send enormous volumes of irrelevant UDP, SYN or TCP traffic to consume network bandwidth and flood network equipment, rendering the network segment and even the entire network unusable.

Application DoS Attack

These attacks target applications and flood them with seemingly legitimate requests until they become unresponsive. Most often these attacks go completely unnoticed because they drive a small volume of traffic that slowly consumes resources until the application fails.

This feature is brought to you by IDG Custom Solutions Group in association with



other business, providers looking to build and grow long-term strategic relationships will do less of this,” says KPMG’s Lepeak.

They’ll Move More Offshore. If allowed by the contract, a troubled IT outsourcing provider may replace onshore resources with lower-cost offshore staff, says Martin of Pace Harmon. In some cases, they may not even be required to notify the customer of the shift.

They’ll Allow Dysfunction on the Ground. “When the operational people stop solving problems, and start finding constant fault with each other, this is a sure sign that something may be trickling down,” says Hansen of Baker & McKenzie. “Once you start seeing the operational people showing problematic behavior, you may be going down a road that is very difficult to reverse, even if the management of both companies ultimately decides to continue working together.”

If the provider refuses to assign a new project executive, even when interactions with the current executive have broken down, you’ve probably hit bottom. “This happens because they can no longer find anyone who will take on the challenge and because they really don’t want to send the signal that they will bend over backwards to fix it,” says Strichman of Sanda Partners. “I have personally seen a lead vendor executive driven to tears after months of client meetings, finally admitting that nothing could be done to get things back on track. The deal was terminated within six months.”

Their Executives Never Meet You. If the last time you heard from the provider’s top brass was at the contract signing, the relationship is on the rocks. “Good provider execs spend a lot of time in the field with the best, largest or highest priority accounts,” says KPMG’s Lepeak. “If a client isn’t seeing the provider’s execs, this could be a sign of lessening account interest or priority.”

They’ll Permit Project Delays. IT project interruptions happen in the best circumstances. But repeated delays—particularly around development projects or new technology rollouts—spell trouble. Severe and repeated delays are “a favorite way to ‘meet the contract’ with half the number of resources required,” says Strichman of Sanda Partners. “[The vendor] can always claim that there are unforeseen technical difficulties when what they are really doing is desperately trying to meet profitability targets by broadly cutting resources.” CIO


Be Popular with Your IT Outsourcing Provider

By Stephanie Overby

While you may not want to be your outsourcing provider’s favorite client (that probably means you’re making them the most money with the least effort), you don’t want to be on their black list either. The very important customer roster is where you want to be. “Being at the top of your provider’s priority list will inevitably be to your benefit over the long haul,” says Steve Martin, partner with outsourcing consultancy Pace Harmon. “And figuring out how to get there without having to buy your way into this elite club is worthwhile.” There are some simple, but often overlooked, ways to show your outsourcing provider a little love and get more attention in return—without giving away too much.

Be Reasonable in Negotiations. You set the tone for the outsourcing engagement long before the contract is signed. “This is a long-term relationship. There’s no need to fight for every point in the negotiation,” says Shawn Helms, partner in the outsourcing and technology transactions practice of law firm K&L Gates. “Taking a hard line approach or asking for unreasonable, out-of-market terms creates ill will from day one.”

Open Up. There’s nothing like a post-nuptial revelation to ruin a good relationship. A coveted customer will provide full disclosure of their environment during the due diligence period, says Pace Harmon’s Martin, including an accurate asset inventory, current performance levels, and number of resources supporting operations. “A subtle, but important, ingredient in the buyer-provider love fest is a buyer that has a solid handle on their process baseline and a definitive total cost of ownership model prior to engaging the provider,” says Michael Engel, partner with outsourcing consultancy Sylvan Advisory. “Being able to provide a comprehensive view of value being delivered to your client, based on their data, is an absolute love potion for the provider.”

Put the Contract Away. Avoid hyper-technical interpretations of the agreement. Valued outsourcing customers “live the spirit of the [outsourcing] agreement and not just the words,” says Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie. “If you conducted your contracting process in an optimal fashion, you should have a contract that embodies a great working relationship that you forged as you were working through the problems that arise during negotiations. Bringing this problem-solving attitude into the way you manage your vendor after contract signing is a great and fair way to keep the relationship on track.”

Offer Rewards. “Providers will show you the love if you show them the money—or at least the potential to earn it,” says Martin of Pace Harmon. “Reward strong vendor performance and service with opportunities to pick up additional revenue and make clear the linkages between their financial prospects and their performance.”

Go Public. Outsourcing can be a dirty word these days, but the sound of a satisfied customer is music to a supplier’s ears. “Quality client references will win many more clients and help them move to higher value services,” says Phil Fersht, founder of outsourcing analyst firm HfS Research. The customer VIP will go even further. “We have a number of clients where the executive sponsor has stayed so intimately involved in the initiative that they will go on sales calls with the provider,” says Michael Engel of Sylvan Advisory. “We have another client who participates in an advisory capacity in the provider’s internal service offering development process.”

Be the Change. You want collaboration? Create a team-based environment. Seeking innovation? Invite key provider personnel to strategize. “Never underestimate the human side of the relationship,” says Martin of Pace Harmon. “Providers are more likely to engage if they feel their customers are actively partnering with them everywhere from day-to-day tactical activities through executive business development initiatives.”

Loosen the Purse Strings. If you want more, pay more. “Customers should understand that changes in scope can increase the cost to a service provider in a way that was not originally accounted for in the service provider’s business plan,” says Helms of K&L Gates. “The customer should want its service provider to make money and maintain its margins—that leads to better service.” Give a green light to justified change control requests.

Lend a Hand. If your vendor starts failing to meet its commitments, hold off on the finger pointing and try to help them resolve the issue. “A well-executed outsourcing agreement is an ecosystem where everything depends on everything else,” says Hansen of Baker & McKenzie. “If you allow your vendor to fail in one area, you are setting the business up for misery and the vendor up for failure.”

Pay Your Bills (On Time). Sounds simple enough, but plenty of customers delay large payments to their IT providers to help their own cash flow. “Service providers have little recourse,” says Helms of K&L Gates. “It ends up being a real annoyance—or problem—for the service provider.”

Be Nice. It’s not unusual to see a provider go above and beyond to create a smooth outsourcing transition only to get nailed to the wall by the customer the first time their performance lags. Don’t be that customer. “This doesn’t mean that you should tolerate sub-optimal performance,” says Hansen of Baker & McKenzie. “But it’s important to remember that you are doing business with people, and people appreciate some good will every once in a while.” CIO


Cut Outsourcing Consulting Costs

By Stephanie Overby

IT outsourcing consultants don’t come cheap. If IT leaders aren’t careful, the cost of third-party assistance in setting up an IT services deal can quickly spiral out of control. While it may be unlikely that IT executives would set up a major outsourcing deal without third party consultation—at the very least, to incorporate current market intelligence and pricing—there are ways to cap consulting costs. “Although many larger consulting firms talk about their unique process and wealth of experience, the dirty little secret is that they are just skilled temporary labor,” says Adam Strichman, founder of outsourcing consultancy Sanda Partners. “The moral of the story is that it can be done with fewer consultants, if you have internal people to dedicate to the effort 100 percent.” Here are nine ways to rein in the consulting fees on your next outsourcing engagement.

Set Clear Expectations. “I have come into situations where people have milked the request for proposal (RFP) process and it is unfortunate,” says Mark Ruckman, outsourcing consultant with Sanda Partners. “The customer and consultant need to be clear up front about expectations and timing before the RFP process begins, otherwise you will have scope creep and dissatisfaction.” Expect a simple, straightforward deal to take about a month, midsize deals to take two to three months, and deals of $500 million (about Rs 2,750 crore) or more to take four to nine months.

Lose the Busy Bodies. An outsourcing contract will require two to seven full-time professionals. Most IT shops can’t afford to lose that many folks for long, so in come the consultants. However, only one or two of those are actually skilled IT services professionals, says Strichman. “The rest are just skilled busy bodies assembling financial information. The majority of what they do can be done by anyone.” Consider taking care of that in-house. “Many people have dealt with IT outsourcing issues by now,” Strichman says. “Even midsized companies usually have internal folks with a wealth of experience, if you can find them and redirect them.”

Take Control. When Honorio Padron was an outsourcing customer, he was a fan of the ‘lift and shift’ model. “Give it all to the consultants and then give it all to the outsourcers. But 80 percent of those deals have sub-optimal performance,” says Padron, now the global business services practice leader at the Hackett Group. “There aren’t the right incentives or knowledge in place.” Padron advises putting an internal employee in charge of the outsourcing selection process and making a subject matter expert from the business the project manager.

Nix the Presentations. Beware the PowerPoint black hole. “Many organizations require layer upon layer of executive involvement [in an outsourcing deal], each requiring new presentations,” says Strichman of Sanda Partners. “It is all too easy for the consultant to get drawn into this, which eats up enormous time.”

Hire Your Own. IT leaders embarking on big outsourcing deals or engagements with multiple providers should consider hiring their own IT services experts full-time. “If you can find someone who has lived and breathed it, it can be expensive in the short term,” says Scott Holland, principal in the IT transformation group at the Hackett Group. “But longer term, it will pay for itself in no time.” Just make sure they have the opportunity to stay on top of trends in the marketplace, advises Padron.

Pick and Choose. Outsourcing consultants may tell you they can provide value only if they remain engaged for the entire process. If you want to keep a lid on costs, don’t buy it, says Strichman of Sanda Partners. Tell them where you need help, what your budget is, “and they will do it,” he says.

DIY First, Consult Later. “An interesting approach that hasn’t been widely accepted by the market is to have the client negotiate their best deal with the sourcing provider, and then have the consultants come in and adjust the pricing and terms and uncover the pitfalls,” says Ruckman of Sanda Partners. It will bring down consulting costs, but may extend the time to complete the deal.

Consider a Fixed Price Arrangement. Some consultancies—and even a few law firms—offer outsourcing advisory services at a fixed price. Unexpected issues will come up, and you’ll have to pay more when they do. “But in the end, you will spend far less than the hourly rate game,” says Strichman of Sanda Partners.

Choose Wisely. “Take the time to look at the value a consultant can bring and then to carefully choose the right consultant for the job,” says Edward J. Hansen, partner at law firm Baker & McKenzie. “The right consultant may not be the least expensive consultant—or the most expensive for that matter—but has the potential to create value in ways that may not be fully understood without the years of experience that person brings to the table. If a consultant is providing good value during the selection process, the fees will be repaid exponentially in areas like transition cost avoidance and value realization.” CIO

Send feedback to editor@cio.in



Leadership is an art. But it isn’t hard to master, once you realize that good leaders are great followers. If you want to be one, follow these suggestions.

DID YOU KNOW?

56 percent of Indian CIOs say collaboration and influence are leadership competencies that their organizations need the most, according to the Mid-Year Review Survey 2012.



How to Spot a Liar

Watch What They Say—and How They Say It

By Daintry Duffy

We’re used to seeing interrogation scenes on TV—the bare lightbulb, the sweaty, hostile detective, you know the drill. But how do investigations play out in the corporate world, when the questioner wears a suit rather than a gun holster, and the chilling environs of a police room are replaced by the bland layout of a corporate office? Here are four things to know about conducting interviews and interrogations that yield results.

Know What You’re Stepping Into

An interview and an interrogation serve very different purposes, so treat them differently. In an interview, the questioner is still gathering information. The investigation is ongoing. In an interrogation, an investigator believes he already knows what the subject did. The goal is to get a confession or a confirmation about what happened from the subject himself. Mixing interviewing with interrogation is a common mistake even among seasoned law enforcement professionals, says Nathan Gordon, co-author of Effective Interviewing and Interrogation Techniques.

During an interview, the investigator asks questions but lets the subject do most of the talking. An interview should last no more than 20 or 30 minutes, the length of the average person’s keen attention span. The mood should be non-accusatory. “Once you become accusatory in an interview, you have biased everything you are collecting. And when you ask informational questions in an interrogation, you’re saying that you don’t know whether that person did it,” says Gordon. “You’re looking at a disaster.”

An interrogation on the other hand goes as long as is necessary. You do 95 percent of the talking, presenting your evidence and coaxing a confession from the subject. To be successful, you have to recognize the battle going on within a guilty subject and use it to your advantage. Subjects are torn between the desire to relieve their conscience by confessing and the fear of punishment. If you take a non-threatening approach, you can diminish a subject’s fear of punishment and increase his desire to confess. “My concept of an interrogation is that I know you did it and I’m here to help you,” Gordon says. “I don’t believe in yelling, screaming or threatening.”

It’s a given that most employees who are brought into an investigative interview are going to be nervous, whether or not they have done something wrong. (Remember, they have also seen the cop shows you have.) Asking simple questions like name, address, marital status, schooling and so on gives you a chance to analyze the subject’s truthful behavior in this heightened state and establish your own authority. You should also take this opportunity to create some rapport with the subject. “People who are alike, like,” says Gordon. If you can get the subject to relax early on it will make any stressful or deceptive behavior she exhibits later all the more clear. Gordon developed the Forensic Assessment Interview and Integrated Interrogation Technique, or Faint, a test composed of approximately 30 questions that can fit almost any investigative interview. The format gives interviewers the chance to analyze a subject’s verbal and non-verbal responses for truthful or deceptive behavior. As you progress further into the interview, start asking more projective questions, like “What is this interview and investigation about?” and “When the person who did this is caught, what do you think should happen to him or her?” These questions allow you to analyze common verbal cues so that you can be alert for signs of deceptive behavior. Here’s a tip: Truthful people are usually more helpful and talkative and will try to narrow the investigation. Your demeanor as an interviewer influences the outcome. If the interviewer seems competent, a truthful person will become less nervous as his fear of being wrongly accused dissipates. In that same situation, a guilty person becomes increasingly nervous as his fear of being Vol/8 | ISSUE/01


Cover Story

IT Strategy

Find the Talent Your Business Needs By Martha Heller Like it or not, we are in the midst of yet another technology talent crisis, and when your CEO is demanding more out of your team, you really need good people. Here, three CIOs share their successes. Refocus your team. When Reed Sheard, CIO of Westmont College, started at Westmont, his unreliable infrastructure demanded tremendous effort to maintain. By moving services to the cloud, he reclaimed precious hours. Case in point: One person used to spend 30 hours a week managing some 40 handheld devices for campus VIPs. With wireless syncing, the team now spends one hour a week managing more than 1,500 devices. Grow your own. Westmont’s plan to deliver many services on mobile devices requires new skills. Rather than recruit a mobile developer, Sheard selected someone in the public affairs office with the acumen for the job. “This person was not in IT, but I sent him to Big Nerd Ranch for iOS development,” he says. “He is now indispensable.” Get your project managers certified. Bill Brown joined Avid as CIO in 2011 and found a team that was having trouble consistently delivering successful projects. So Brown signed his project managers up for Project Management Professional certification and mandated that all IT employees had to take at least one certification course. Project success rate has climbed to 93 percent. Develop your leaders. Brown is also taking his 15 global IT managers through a leadership program that stresses competencies such as delegating, and acting with honor and

correctly identified as the culprit increases. When asked what should happen to the culprit, a truthful person will often make a strong decisive response: “He should be fired, required to repay the money and serve time in jail.” A deceptive person usually responds in vaguer terms: “Well that’s not up to me. It depends on why he did it.”

Watch What They Do A subject’s physical behavior during an interview can also provide you with a great deal of information. The non-threatening questions that you used to open the interview are critical because they give you a chance to make a baseline observation of a subject’s physical demeanor and record any

Vol/8 | ISSUE/01

character. “Whether you are a manager in Singapore or San Diego, you are all learning these competencies together,” he says. Brown feels the key to the success of the program is in giving it constant care and feeding, and reinforcing the message to the team. “Project management and leadership training are part of the team’s goals and objectives; we string it through everything,” he says. At CareFirst’s Service Benefit Plan Administrative Services Corporation, many of the IT staff have been with the company for more than 30 years. The issues that concern CIO Usha Nakhasi are, “How do I retain all of that knowledge when my people retire and how do I update their skills in the meantime?” Use the buddy system. When Nakhasi hires new people, she pairs them with her veteran workers. The veterans document what’s in their head as they train the new hires, who in return teach the more senior staff new skills. This fails unless both parties are committed, she notes. “If the older person believes they are documenting their way out of a job, it won’t work. They have to see the mutual benefit.” Customize onsite training. The company’s IT group is also keeping technical training in-house after trying external solutions. “You can’t create change when you teach Java to only two people at a time,” says Nakhasi, who instead hired a firm to customize onsite training on specific topics. The challenge? “People would return from class, and with nothing relevant to work on at the moment, they would forget what they learned.” So, Nakhasi is building a lab where her team can practice. “This way, if it breaks, it’s not the end of the world,” she says. CIO

changes that take place as the questions get more sensitive. Gordon breaks physical behaviors down into three categories: Emblems, illustrators and adaptors. An emblem is a non-verbal response that expresses a person’s complete feelings with no words required. For example, when asked how he feels about being interviewed, the subject puts a hand to his face and scratches his nose with the middle finger extended. He may not be conscious of the message he has sent, but the raised middle finger means the same thing here that it means when he does it on the highway at rush hour. “Emblems are very accurate to a person’s true feelings,” says Gordon.

Illustrators and adaptors are non-verbal responses that accompany a verbal response. Illustrators enhance the listener’s ability to understand the meaning of the verbal message. Adaptors distract from it. When a subject puts his hand on his heart and says, “I didn’t do it!” that physical gesture reinforces his statement. Illustrators are generally a sign of honesty. If that same subject professed his innocence while wiping his hand over his mouth, that would be an example of an adaptor. This physical response makes his verbal message harder to understand. In this case, this would be a sign of deception. By observing a subject’s body language during an interview, you can glean quite REAL CIO WORLD | n o v e m b e r 1 5 , 2 0 1 2

67


Cover Story

IT Strategy

a bit of information. Truthful people tend to present an open posture, while deceptive people will cross their arms defensively or stretch out their legs to increase the distance between them and you. A subject who gestures away from her body while speaking may be subconsciously trying to distract you from herself as the topic of conversation. Stressed people often pat themselves on the leg or stroke their own arm for tactile comfort. The crossing and uncrossing of legs can be a sign of discomfort. Yawning also can signal a person’s stress as the fight-or-flight response kicks in and a nervous subject’s body requires more oxygen. A yawn can also mean fatigue, or convey a defensive posture. Finally, you have to be aware of your own body posture during an interview. People will often subconsciously mimic the body posture of a superior to curry favor. Make sure you present an open body posture during the interview. This does two things. First, it prevents a subject from accidentally mimicking a defensive posture. Second, if a subject deviates from truthful posturing to

a deceptive posture, it makes that change more meaningful.

Pick the Right Setting The location of the encounter can also contribute greatly to its success. Again, it’s important to know what kind of questionand-answer session is appropriate. Interrogations should always take place in your office, never at a subject’s home or office where he feels more secure and is less apt to confess to wrongdoing. The location of an interview, on the other hand, may vary. Here are some more tips for designing an appropriate interview space: The room should be non-threatening and not too small. Gordon suggests a 9-by-9 space. The room should contain a desk, a few chairs and bland artwork. There should be nothing on the wall that the subject will face. Two chairs should be set up with nothing between them so that the subject has no

barrier to reduce stress and so you can view the subject’s entire body language. The chairs should be a social distance apart (3 to 4 feet) for an interview. For an interrogation, use chairs on casters so that you can move into the subject’s personal space. Your chair should be higher than the subject’s chair to create a sense of superiority. Also, if you have others in the interview room—whether it’s a subject’s supervisor, or a representative from legal or HR— have those people sit quietly behind the interview subject so as not to be a distraction, says Gordon. CIO

Think Like an Entrepreneur

By Madeline Weiss & June Drewry

Pundits say one of the roles CIOs must play is entrepreneur. But what does it mean to be an entrepreneurial CIO? To figure that out, the Society for Information Management’s Advanced Practices Council invited a successful entrepreneur—Bryan Mistele, CEO and cofounder of Inrix—to a recent meeting. Seven years ago, Inrix was merely a dream. Today, it’s a leading global provider of traffic information and services, helping drivers avoid major traffic delays. It has the largest traffic-information network in the world. Its customers include Ford, BMW, Mercedes-Benz, Volvo, Garmin and Apple. Here’s what CIOs can learn from Mistele’s entrepreneurial work.

Think about customer needs in new ways. Historically, traffic data was collected from roads through magnetic coils in the pavement. They are costly to build and maintain, and supply only a limited amount of information on a limited number of roadways. To achieve Inrix’s scope and reach, Mistele thought beyond that network of coils to find other sources of traffic data. How might you think differently about your company’s products and services? Could you create an information service? For example, Medtronic saw that its implantable pacemaker could also collect data and transmit it to physicians and clinical staff.

Build ecosystems with business partners. From the beginning, Mistele sought ways to get incumbent businesses to complement and extend Inrix’s capabilities. He obtained traffic data from commercial vehicles (such as taxis and delivery trucks) already equipped with GPS devices. He also negotiated a swap with digital mapping company Tele Atlas: Inrix gave Tele Atlas traffic data and, in exchange, got 12 blue-chip customers, $1.5 million (about Rs 55 lakh) in revenue and a 50-person sales force. Last year, Inrix acquired a competitor, gaining 200 customers in 30 countries. Can you think of creative ways to build an ecosystem that complements and extends your firm’s capabilities?

Leverage data and predictive analytics. Inrix has real-time data about traffic, weather, construction schedules and sporting events. But the customer value hinges on using that data to make predictions and answer questions such as: Which route should I take home from work today? Mistele found the ideal predictive analytic software while watching his kids play soccer. Chatting with another parent, he learned that Microsoft had developed a predictive engine that was built on sophisticated algorithms, but the company had no intention of using the software. Mistele quickly secured an exclusive licensing agreement. How are you exploiting the power of big data and predictive algorithms? Hedge funds are experimenting with scanning comments on Amazon product pages to try to predict sales. How widely are you searching for sources of algorithms and talent?

Experiment. Mistele’s first experiment was a software startup that he launched from his apartment while he was at Harvard Business School. Later, at Microsoft, he developed Home Advisor, a website to assist and inform homebuyers, but the dotcom implosion scuttled its release. Mistele’s experience at Inrix has also included experiments—with technologies and partnerships—that weren’t always successful. But entrepreneurs have a special quality that allows them to cope with setbacks and failures. Can you build that capability into your makeup and that of your company?

How to Manage Angry People

By Debarati Roy

During WWII, the British government created a series of posters called ‘Keep Calm and Carry On’ to raise the morale of the British in the event of a Nazi invasion. It’s hard to say how much that advice worked on soldiers dodging bullets, but the ability to be calm, ask the right questions, and contain the urge to lash out, are important lessons for CIOs who have to deal with angry colleagues every so often. Here are some tricks your peers use to defuse angry colleagues.

Don’t believe the other person. This doesn’t mean you should suppose an angry person is lying. They probably have good reason to be angry—but that’s not always the reason they give you. Rajesh Chopra, SVP-IT, EIH, says that his first instinct when dealing with an angry person is to give them a patient hearing and attempt to find why they are really angry. “Once you have figured the real reason, you should then try to hash out the real issue,” he says.

Detach, Distract, Defuse. “When ego overtakes sense, anxiety develops. Once you sense another person’s anger, shift to some other subject. Allow for a light moment,” says Saradindu Paul, AVP Corp IT, Electrosteel. Watch out though, this tactic could get you branded as someone who avoids having tough conversations—or worse—someone who tends to make light of real problems. Paul says that after a light moment, you should go back to the problem. “Gradually, come back to the point being discussed and quickly connect it to an organizational priority. Demonstrate your own ‘zero ego.’”

Take Notes. Use a notebook and scribble down someone’s complaint. When people see you writing they know they’re being taken seriously. Plus, seeing someone take notes prompts angry people to talk more slowly and focus their thoughts on what they would like to convey—which calms them. Also, it saves you from asking an angry person to repeat themselves, never a good idea.

Make Realistic Promises. Often someone is angry with you because you haven’t kept a promise. When confronted, most people tend to get rid of the angry person by promising an immediate resolution to the problem—yet another promise they can’t keep. “Convincing or promising that you will resolve an issue in two hours when you’re fairly certain it will take more time is like stepping on an axe,” says Mukul Jain, SVP & head-IT, DLF Pramerica Life Insurance. He suggests that one should choose the harder path by making a realistic promise. “Patiently explain why something will take time. I also ensure that I inform the concerned person once the job is done,” he says.

Recognize Silent Treatment. Sometimes people are not ‘in-your-face’ angry. This makes it tough to identify an angry person and even tougher to fix. Hard as it sounds, Jain says it’s not an impossible situation to deal with. “If someone congenial suddenly turns aloof or less responsive, it doesn’t take rocket science to know that something’s up,” he says. Jain says that in a situation like this it’s wise to be the one to break the ice. And if that doesn’t work, there are enough processes today within enterprises to figure out what didn’t get done and why someone is unhappy.


Say No to the CEO

By John Glaser & Stephanie Overby

When someone asks you for something, I don’t care if you’re dealing with a child or a CEO, you can’t just say “No,” or “What are you, nuts?” That is not a real response to a query made in earnest. To avoid that, I approach every conversation—whether it’s with my direct report or the chairman of the board—as a conversation between peers. Even if I’m not sure we ought to do what someone is asking us to do or I’m vehemently opposed to doing it, it is still someone asking me an earnest question. And chances are he’s trying to fix a real problem. He may have come up with a less than optimal solution, but you’ve still got to start a dialogue and address the underlying problem.

More often than not, that conversation can be as simple as suggesting further analysis of the situation: “Let’s bring a consultant in,” or “Let’s ask Sally and Herb to take a look at this.” No matter what the words are, what you’re saying is, “Let’s explore this a little further before we make a decision.” Chances are the people you’re dealing with will be responsive to this approach.

In one case, one of the senior members of our medical staff thought the IS department should lead the charge in reducing medical errors. I knew this was something that the medical leaders needed to address. It wasn’t appropriate for the IS guy to go in there and say, “Hey you guys are making too many mistakes, and we’re going to fix that.” This was a very senior member of the executive team with enormous influence and power, but I knew he was just frustrated. The organization wasn’t moving fast enough, and he thought IS could speed things up. While there are some cases where IT should be the mover, I knew that given the issue and the way our business community works, our medical department should lead this effort, and I told him that by saying, “Now will I help you with this? Damn straight. But let’s talk about how we move this along together.”

There are situations in which a person holds to her beliefs and the collegial approach won’t work. At the very least you should invoke what I call the “arbitration rule” and get the opinion of two other folks on the situation. Every now and then, you will get stuck with a person who is going to say, “We’re going to do this no matter what.” But that ought to occur in the low single-digit percentages.

I remember long ago, when we were trying to get out of an outsourcing agreement, my boss wanted to bring in attorneys, play hardball, and yell and scream about it. I wanted to take more of a high road. I went over his head to explain why [to his superior as well as to him] and told him that if I was wrong we’d go back to his plan, which we eventually did. And I think that the months of keeping to the high road made it easier to play hardball when the time came to do so.

If all else fails, ignore the request. Really. Wait and see if the issue comes up again. If it doesn’t, it was just a flash in the pan. But if it comes back, it’s real. Many years ago, we were going to buy some new financial systems and someone suggested, “Hey, why don’t we write them instead.” Now I certainly did not want to have to write them, but I listened dutifully. Then I just let it slide. It never came back.

Send feedback to editor@cio.in


Tell If IT and Marketing Have a Good Relationship

By Minda Zetlin

IT and marketing jointly fund projects. According to research by Frank Cutitta, CEO of the Center for Global Branding, marketing technology projects go most smoothly when the funding comes from both departments. “When both had budgetary skin in the game, there was an acceleration factor in implementation and higher success rates,” he says. “So key process indicators related to time-to-market and [staying] on-budget for new initiatives were positively affected.”

Vendor costs are down. When CIOs and CMOs collaborate, they report significant savings from reducing duplicate expenses and from getting greater leverage with existing vendors, Cutitta says. “As more of these legacy vendors add social media solutions to their existing portfolios, this leverage will become more important.”

Marketing efforts are co-ordinated across multiple channels. Many vendors can assist marketing with, say, a social media campaign. But to co-ordinate a message across multiple customer-facing venues is something only IT can do, Cutitta says. “If a marketing campaign is only executed in one channel—say the website but not the call center—that’s a bad sign.”

Better products get introduced more quickly. “If you create an environment where IT and marketing can form a partnership, you’re going to see faster time-to-market for new products,” says John Murray, CIO at Genworth Financial Wealth Management. “And the products will more fully exploit their technological capabilities.”

The mobile revolution has created a new world order. So much so that businesses depend on it. Learn how to harness mobility’s potential.

DID YOU KNOW?

68 percent of Indian CIOs say mobility initiatives should provide their organizations with competitive edge, according to the State of Mobility Survey 2012.


Develop Apps for the Mobile Cloud By Bill Claybrook What’s expanding at the same blistering rate as your company’s mobile workforce? How about the demands those users are making for a software experience that rivals the one they get on a desktop? For many companies, a private cloud is the answer. But if you decide to power your mobile workforce centrally with a private cloud, your mobile applications need to be developed with that infrastructure in mind. Several factors are in play here, especially if you want applications that can work on all mobile devices, desktops and notebooks. What is required to get existing applications to work with mobile devices when the apps are running remotely on a cloud? How do you resolve the problem of fitting data from an application designed for the desktop onto the smaller mobile device screen? Should you develop for mobile devices first, and only then port to notebooks and laptops? Tony Iams, SVP at Ideas International, a computer-systems research consultancy, says it is important to determine what part of the application’s state—the code and/ or data itself—is being moved up to the cloud from the mobile device. “Moving state to the cloud gives you back-end manageability benefits because you do not have to maintain that state on the mobile device,” he says. In other words, all changes or application updates are made centrally. Mobile cloud computing means that the processing of applications—and the storage and retrieval of data—are being performed by a cloud-based infrastructure. It results in TCO savings because IT staffers don’t need to spend time updating individual devices—the client software environment 72

n o v e m b e r 1 5 , 2 0 1 2 | REAL CIO WORLD

is running on a server in the cloud, and making changes there ensures they show up on every client. From a user point of view, there is a convenience benefit, too, because you can now get to your desktop—a virtual desktop in the cloud—no matter where you are, through a browser on a mobile device. As Iams says, “You always have the same desktop environment no matter what remote device you are using.” Because there are different types of users and different types of devices, you have to be ready to support multiple versions of your apps. This means being prepared to support different screen sizes and mobile device manufacturers.

Get Thee to a Mobile Platform According to Jeff Deacon, director of corporate strategy at Verizon Business, this is where a mobile platform comes in handy. A mobile platform is the software between

the mobile device and the app/data. It runs on the mobile cloud and does some tasks specifically for mobile devices, such as converting the data into a user-friendly interface for the device and making sure everything fits well on the screen. It also has an authentication mechanism that reaches all the way down to the device so that if the device is lost or stolen it can be wiped remotely. With a mobile platform, a corporation’s back-office apps are isolated from unauthorized users who might back into the applications via Multiprotocol Label Switching. The platform secures the mobile device and then does the conversion. These mobile platforms are more formally called mobile enterprise application platforms (MEAP). They allow you to deploy mobile apps across a variety of devices without having to implement an app for a specific device. They also allow you to selectively run applications natively on the remote device when it is Vol/8 | ISSUE/01


Cover Story

IT Strategy

Become a BYOD Guru By Sandra Gittlen

very important to take advantage of key remote device features or when it is difficult to emulate native functionality on a mobilecloud server. This is one of the directions that the market is moving toward, but MEAP tools are in the early adoption stages and most corporations, as a rule, still aren’t knowledgeable about these technologies. Deacon says Verizon uses a multitenant system from a vendor to reduce the complexity in developing and deploying mobile apps across a variety of mobile devices and back-end enterprise servers. There are a number of MEAP or MEAPlike platforms from multiple vendors.

Other Development Techniques Mobile apps come in one of two forms: Those native to a specific device, and those accessed through a browser (also known as mobile Web apps). A mobile Web app is usually built with HTML (today this would be with HTML5), CSS (Cascading Style Sheets) and JavaScript. Style sheets provide the look and formatting for documents written in a markup language such as HTML5. A native mobile app is built specifically for a particular device and its operating system. It can take advantage of built-in location features including GPS, compass, accelerometer, gyroscope and others. Mobile Web apps running on servers in mobile clouds are not always able to take advantage of these kinds of location features and when they do, need to emulate them. Kamesh Pemmaraju, an analyst at The Sand Hill Group, says in addition to MEAPs, two other solutions, hybrid and HTML5-based, are emerging for developing mobile applications

Vol/8 | ISSUE/01

Engage peers via discussion groups. No one knows BYOD better than IT leaders who have already ventured into these waters. Drop into any discussion group on the topic of mobile security or MDM and you’re bound to glimpse back-and-forth about BYOD. Jeremy Pollack, director of IT at The University of Connecticut’s Business School, which has been backing bring your own device since 2000, engages his peers through one of his vendor’s product forums. LinkedIn and other social media sites enable IT leaders to broach the BYOD topic openly with their peers in a controlled environment, according to Randy Gross, CIO of CompTIA, a non-profit association focused on IT education and certifications. “With BYOD, there is something new coming out every day, so it’s good to be able to reach out and bounce ideas off of other folks in the industry,” he says. Find help at industry conferences. In 2012, when the RSA Conference added a half-day mobile security track—for the first time—they had “had lines out the door,” says Program Committee Chairman Hugh Thompson. BYOD permeated almost every session’s discussion, including how to deal with mobile malware, e-discovery and seizure of an employee’s device. In addition to hearing vendors and industry leaders speak, conferences give IT the opportunity to network with peers during breaks and birds-of-a-feather sessions. If you can’t get away from the office, most conferences offer online access to streaming or recorded sessions that can be equally valuable. Check out industry knowledge centers and standards. Some of the foremost industry groups, including the SANS Institute, NIST and CompTIA, post standards, guidelines, white papers, case studies and sample policy templates to help IT leaders understand BYOD’s role in their organization. The SANS Institute’s Security Consensus Operational Readiness Evaluation is a comprehensive checklist for BYOD practitioners. 
Highlighted are essential security actions, benchmarks and scoring tools, study guides, incident handling forms, and a law enforcement FAQ. CompTIA supplies basic training guides in topics such as mobility and IT security for free and as well as more advanced materials for members. Browse white papers, surveys and case studies. Analysts and vendors frequently study the impact of BYOD on various aspects of IT. For instance, Gartner looked at how BYOD has affected the use of hosted desktop infrastructure. Gartner also put together a toolkit to streamline the creation of mobile device usage policies and procedures. Vendors who are even tangentially involved in MDM or security collect resources for customers, including case studies and polls. However, SANS Institute Senior Director Joshua Wright says one of the most overlooked areas in BYOD education is operating system security. IT leaders first have to decide if their data protection requirements can be met by a mobile device’s platform such as Apple’s iOS. All platforms have unique features that might clash with corporate security policies. Becoming a BYOD guru isn’t an overnight proposition—it’s something that takes initiative, persistence and time. It’s an evolving discipline, so be prepared to give BYOD your ongoing attention. CIO REAL CIO WORLD | n o v e m b e r 1 5 , 2 0 1 2

73


Cover Story

IT Strategy

with cross-platform capabilities. Hybrid application development blends native and mobile Web app approaches. With a hybrid mobile app, most of the user interface— or even the entire thing—is in a browser window with a native app wrapped around it to provide access to native device features not available with the browser. To a user, a hybrid app looks like a native app. But to developers there’s a big difference. Rather than re-writing the entire mobile app for each mobile device, some of the code is written in HTML5, CSS and JavaScript and then reused across different devices.

Dealing With Slowness and Access Issues Verizon’s Deacon says latency and intermittent access problems can occur when mobile devices access applications on a cloud, but usually not for many of the business applications people are using in the field. Most often, applications with latency issues involve voice and video and aren’t the ones that read e-mail or even those that query databases, which are much more typical in a corporate setting. “So while latency and intermittent access may be bothersome, it is not that big of a deal for many users,” Deacon says. Eric Miller, SVP IT and CIO at Erie Insurance, has had some issues with intermittency in the company’s mobile applications, primarily those used by its claims adjusters. One application has intermittent activity because it collects information in the field, stores that data and forwards the information when there is a connection. HTML5 can help with intermittent access issues by using something referred to as on-device caching. This feature allows data to be stored offline on the remote device for further processing, reducing the problems of discontinuous user experience. The net result is that on-device caching means fewer round-trips are required between the remote device and the mobile cloud server, allowing apps to run effectively on the mobile device even during periods of discontinuity in mobile connectivity. 74

n o v e m b e r 1 5 , 2 0 1 2 | REAL CIO WORLD

Create an Enterprise MDM Strategy

By Todd R. Weiss

Enterprise IT leaders who have been working to build MDM programs inside their companies offer these ideas for how to get started.

Decide what devices your workers will use, whether they’ll be corporate-issued devices or bring-your-own devices that will be supported by the company.

Make sure that whatever devices you choose can handle the level of security that your business requires.

Create and implement strong security and device use policies and be sure to communicate them with employees from the start.

Be sure that your devices include remote wiping capabilities and automatic remote alerts that can tell you if unauthorized users are trying to access or hack the devices.

Examine how your MDM plan terms will be viewed legally wherever your company does business to be sure that you abide by all applicable laws.

Explain to employees which applications will be approved and permissible on employee devices.

Don’t be surprised if there is some disgruntlement from some employees when the new MDM strategy is implemented. Make sure to educate, train and, if possible, offer some benefit with the new approach.

Remember that your MDM plan will never be finished, but will need to constantly evolve as new devices and technologies are introduced.

Making Sure the Back End Can Handle It All

Generally speaking, enterprise clouds are up to the task of handling mobile applications, says Bernard Golden, CEO of consultancy HyperStratus. If you have some sort of cloud-based infrastructure that already has virtualization and automation, you should be able to add services like identity management to handle mobile devices, he says. “Part of your IT strategy should be to extend your core services,” like IAM (identity access management), so that the services can be used by any application running on any device, he says. “In effect, you need to create APIs that can be called by applications, no matter what form factor they are running on.”

The APIs need to be in mobile-ready formats that can be used by both mobile developers—internal and third-party—and the apps they create. The goal is not to approach this as, “I need to build a custom extension for the iPad,” Golden says. “The iPad is just one device. There will be dozens, so you need application APIs and components that are portable.”

Outsourcing Mobile Development

Richard Peltz, CIO at real estate investment service Marcus & Millichap, says his company doesn’t build its own mobile apps. It has so far outsourced this task to AT&T because AT&T already has the expertise, he explains. Marcus & Millichap is currently implementing a CMS developed by SiteCore that will automatically render to any mobile device, removing the need for Marcus & Millichap to write device-specific, native apps like it has done for previous mobile apps. The company expects to implement the CMS by early 2013 in its private cloud, at which point the corporate website as well as the intranet will migrate to the new CMS platform. End users in various departments and business units will manage the content.

Developing Mobile First

Erie Insurance’s Miller says his firm thinks mobile first for all of its applications and then ports them to PCs when possible and when it makes sense. Erie is moving strongly toward the use of mobile devices, so developing for mobile first is a good strategic move, Miller says. But this strategy does present challenges. The mobile device generally has much less memory, CPU power and so on than does the PC, making for design constraints that aren’t present in other platforms. In addition, mobile apps are often targeted to certain activities and can use native features to improve performance and provide certain functionality that may not be readily available on the PC.

One of the problems that Erie’s usability group has to wrestle with, Miller explains, is, “Do we build a Web portal that adapts itself based on the device that is coming into it, or is it a specific app?” Another issue, he says, is that “part of the problem is that you are performing a balancing act with respect to which devices to support.” Analytics tools help them determine which specific devices are used to visit the corporate website, and Miller’s group then develops mobile apps for the top two or three devices.

Most uses of mobile devices at Erie Insurance involve submitting data to a backend application that just collects it. Erie has only a few back-end apps that let mobile devices access data, send it out to the mobile device and maybe store it temporarily on the mobile device. Data downloaded to a mobile device is encrypted and a certificate is downloaded to the mobile device that authenticates the phone user.

Miller says app developers and back-end people have to work together. “What we don’t want is to have the back-end people to be too confused [about] what device is being used,” he explains. The company has developed a common interface that both the developers and back-end folks use as an internal standard.

Some service providers such as Google already provide mobile cloud services, which are accessed through a browser running on a smartphone or tablet. But most mobile apps are downloaded from a vendor’s app store and run in native mode on the mobile device. This requires development efforts for each type of mobile device. Using a mobile cloud enables users to run directly from the cloud, viewing the client interface through the mobile device browser.

The use of mobile clouds, however, still requires companies to develop a mobile app once that can be accessed by many kinds of mobile devices. New kinds of development tools and platforms, including HTML5, help here. Although not all smartphones yet support HTML5, it’s only a matter of time before they all do. One potential effect of mobile apps and their data being stored and run on a server is that less powerful, less expensive smartphones will become the preferred corporate tools. Stay tuned.

Avoid BYOD Bandwidth Woes

By John S. Webster

While nobody is predicting that the proliferation of mobile devices in the enterprise will create a full-blown bandwidth catastrophe, IT will have to move quickly to ensure satisfactory performance for employees accessing company data over wireless links. The biggest issue is ensuring that data is available when users want it, and that wireless connections are secure and reliable. While this is also true for wired networks, mobile computing poses an additional burden on IT. “Mobile computing offers a unique challenge. We can’t predict where users are going to be, and we have to be prepared to support users anywhere, all the time,” says John Edgar, VP-IT, US Postal Service. Here’s how you can ensure your enterprise can BYOD without bandwidth worries.

Ensure connectivity. If anyone is juggling massive numbers of mobile users, it’s UPS. During peak periods, between Thanksgiving and Christmas, mobile employees can number up to 160,000 over wireless connections. Although the company’s mobile infrastructure is largely built around a custom device called the DIAD V, which helps drivers track routing of standard small packages, among others, the issues are similar to those associated with standard off-the-shelf devices. “To help manage wireless traffic, we provide two connection options for the DIAD. Specifically, the device supports two different radio technologies—GPRS and CDMA. This allows us to stay connected and better manage our wireless costs,” says Todd Brown, a project manager at UPS.

In addition to the 100,000 DIAD devices used worldwide in the field, over 14,000 company managers use smartphones. Customers are also tracking shipments using mobile devices: More than 2,500,000 of the company’s mobile apps have been downloaded for iPhones, BlackBerries and Androids. To ensure satisfactory performance for mobile users, UPS has had to address two major issues, says Brown. “Two of the biggest issues tied to mobility are reliability and availability. Getting data is critical, but providing information fast keeps our customers happy. To ensure quality of service, we look at the carriers in a region and make sure the DIADs have more than one communication option,” says Brown.

Count on carriers. Of course, carriers and network operators carry the bulk of the bandwidth onus, and IT leaders recommend diligence when it comes to capacity. “We have devices everywhere, which we tie to capacity. We work with the carriers if we start to see packets dropping because we run out of buffer space. There can be congestion at the tower, for example. We ask the carrier if they have a cost structure around the high end because the site needs back up. An area where we’re cautiously concerned is tablets and LTE,” says Brown at UPS.

Working with carriers is a common theme in order to ensure that users are getting the performance they need, says Jean-Claude Delcroix, an analyst at Gartner. “IT can set up a small, manageable list of key performance indicators to keep tabs on coverage, access to data inside and outside the company, uplink and downlink times and support. For performance, [IT managers] should keep it simple, and both the company and its carriers can measure those things. They need to be able to tell the carrier what kind of data users access. For example, delineate the requirements for tablets,” he says.

According to Brownlee Thomas, an analyst at Forrester Research, this is especially important over wide-area networks, where increases in mobile users accessing company data is mostly over cellular connections.
“The mobility explosion will continue, but this doesn’t impact the corporate network unless the company has built out a WAN environment to accommodate on-premises mobility using PSTN for both mobile voice and data services. This is an area where the cellular network operators have a long way to go to ensure strong application performance,” she says.

VPNs can help. VPNs can help to ensure that an increase in Internet-based data access by mobile users doesn’t slow down. A combination of dedicated Internet access services and a self-managed VPN—as long as data at the site doesn’t require high performance—is a satisfactory solution. This is especially true for emerging technologies such as WiMax and LTE wireless. “Sites using applications that require more performance predictability or business critical applications, such as ERP, require MPLS VPNs. These are increasingly managed externally by their network operator service providers. A definite trend is increasing bandwidth requirements for new communications technologies like VoIP, videoconferencing and UC,” says Thomas.

It’s up to the IT department to monitor how well a carrier handles the variegated mix of users and the kind of data they need to access over mobile connections. IT should monitor and track performance of their carriers, says Gartner’s Delcroix.


“A mobile carrier has to support everything from my workforce to field reps and execs, all of whom use different profiles, and that even includes the repair guy accessing forms, manuals and photos. Management has to keep an eye on performance, monitor that and make sure carriers track it. They have to keep their carrier on its toes,” he says.

With two and a half million customer visits to its mobile Web and mobile app during the past year and nearly 300,000 first-time downloads of its mobile app, Aetna, the insurance giant, has had its hands full. More than a third of the company’s employees telecommute full time, and the company provides multimedia, video streaming and telepresence through contact center consolidation and a virtual desktop infrastructure, says CTO Richard Leonard. “Our internal network includes dual-carrier MPLS connectivity to all datacenter and office locations. Inter-datacenter connectivity is provided through Dense Wavelength Division Multiplexing (DWDM)-based fiber supplied by diverse carriers, and Internet access is provided through dual carrier OC-48 circuits. This makes us well positioned to handle the connectivity requirements of our mobile application portfolio,” he says.

Elsewhere, IT managers at Pfizer expect a 200 percent increase in mobile users accessing company data. Last year, 50,000 mobile users accessed that data over wireless connections and as these numbers have increased, authentication became an issue. “Probably the area that got over-subscribed was authentication services. Companies we acquired had distributed authentication but we’re moving toward centralizing that. The former blew our gaskets,” says Beth Boucher, senior director, infrastructure, at Pfizer.

Throughout all this, mobile device management (MDM) is key. “We’ve implemented MDM so we’re looking at both the devices and the users themselves. We are validating both the user and the device—not just who you are but what is your device?” says Fogl.


New technologies have opened doors to new threats. And to combat them you need new weapons. Here are some.


DID YOU KNOW? According to the Mid-Year Review Survey 2012, 60 percent of Indian CIOs say improving security and risk management was one of their top five


Secure Sensitive Data

By Thor Olavsrud

Are you doing enough to secure your organization’s sensitive information? If all your security measures are focused on the volume level rather than the file or document level, chances are the answer is ‘no.’

While the security risks associated with sensitive files and documents have been around for as long as sensitive files and documents have existed, a confluence of today’s corporate environment—businesses are increasingly relying on mobile workers and collaboration between geographically dispersed workers and business partners—and technologies like mobile devices and browser-based file-sharing applications have increased the scope of the risk.

“A lot of the issues have been around for a while, but the playing field has changed,” says Larry Ponemon, chairman and founder of research think tank Ponemon Institute, which recently released its 2012 Confidential Documents at Risk Study, a survey of 622 IT and security practitioners with an average of more than 11 years of experience. “Everyone wants to connect and they want to do it anywhere and immediately.”

What Puts Information at Risk

Common business practices, frequently leveraged by employees seeking to be more productive, are often responsible for putting information at risk. Five scenarios are among the most common, according to the Ponemon Institute’s study. The scenarios are as follows:

Employees attach and send confidential documents in clear text from the workplace using Web-based personal e-mail accounts. The Ponemon Institute’s survey found that 68 percent of respondents believe this happens frequently or very frequently, and 71 percent say it results in the loss or theft of confidential documents.

Employees download, temporarily store and transfer confidential documents in clear text from a workplace desktop to a generic USB drive. Sixty-five percent of respondents say this happens frequently or very frequently, and 68 percent say it results in the loss or theft of confidential documents.

After registering with Dropbox, employees move several large files containing confidential business information to the application without permission of the employer. The survey found 60 percent of IT and security practitioners say this happens frequently or very frequently, and 57 percent believe it can result in the leakage of confidential information.

Employees download confidential documents to a public drive, thus allowing other employees to view and use this information from various mobile devices. Sixty-two percent of respondents say this occurs frequently or very frequently, and 56 percent say it can result in the loss or theft of confidential documents.

Employees download confidential documents to a public drive to collaborate with business partners and view and use the information on tablets. Fifty-five percent of the respondents say this happens frequently or very frequently and 51 percent say it results in leakage of these documents.

Data Loss? An Everyday Affair

And these risks are not merely academic. The Ponemon Institute’s study found that 90 percent of organizations experienced leakage or loss of sensitive confidential documents during the last 12 months. Security firm Symantec, in its 2012 State of Information Global Survey, released in June, found that two-thirds of businesses had lost important information in the past 12 months due to causes ranging from human error, hardware failure, software failure and lost or stolen mobile devices. Symantec also found that two-thirds of businesses had exposed confidential information outside the organization in the past year, and almost one-third had regulatory compliance issues related to their information in the same period.

“It’s really unstructured information that is the lifeblood of most organizations,” says Ryan Kalember, chief product officer at WatchDox. “Financial documents, image files, PDFs—all of this incredibly sensitive information exists in file or document form. Businesses have done a lot of work in securing information in databases, but we haven’t really taken a look at files because they’re so much harder to secure.”

And in many cases, it is an organization’s employees that are putting that life’s blood at risk, often because they are trying to be more productive. Network security specialist Palo Alto Networks studied application usage in 2,036 organizations worldwide between November 2011 and May 2012 and found an average of 13 different browser-based file sharing documents on each network. The Ponemon Institute’s study found that 51 percent of respondents said their employees use at least one browser-based file sharing tool, and 34 percent said they did not know the extent to which these tools were being used in the workplace.

Secure Your Enterprise Mobility Platform

By Jason Bloomberg

Several years ago, the National Security Agency (NSA) in the US wished to develop secure mobile communications for intelligence and defense purposes, so it spent millions of dollars developing the Secure Mobile Environment Portable Electronic Device. SME-PED took a hardware-centric, circuit-switched approach to security, which renders it obsolete in today’s 4G (and beyond) mobile-enabled world. As a result, it’s now time to replace SME-PED.

It appears that the NSA and, notably, the Department of Defense (DoD) have learned several important mobile security lessons from SME-PED. And there are some important lessons for any organization looking to balance security concerns with the power of mobile communications. Here are four highlights.

1. Focus on software, not hardware. Even though the DoD’s long-standing policy was to leverage hardware-based encryption technologies, the DoD Mobility Strategy centers entirely on software-based security. As a result, the devices themselves are purely commercial off the shelf. This fulfills the desires of DoD personnel and also helps future-proof the strategy.

2. Encourage interoperability. The DoD Mobility Strategy calls for “composable” solutions. In other words, the agency is expecting and encouraging interoperability across mobile apps, as well as among mobile, cloud, and traditional on-premise apps. While traditional thinking is that closed technology is inherently more secure, today’s approach is to embrace openness and develop secure approaches that work in open, dynamic environments. As a result, if the answer to the question “Is there an app for that?” is Yes, then there should be a way to securely use the new app within the appropriate security context.

3. Consider all end users. The new strategy focuses on needs of different constituencies. SME-PED, on the other hand, was essentially a one-size-fits-all solution. It may have been worth the trouble for certain command-and-control communications, but it was overkill for the everyday business of the DoD. In contrast, today’s mobility strategy expressly calls out the different needs of executive, tactical, and enterprise users.

4. Think globally, act locally. The new mobility strategy handles governance and management differently as well. Taking a page out of SOA governance best practice, the DoD Mobility Strategy calls for centralized management of secure devices and distributed enforcement of security policies. On the one hand, the DoD requires the ability to remotely wipe and disable lost devices, an example of a key centralized management capability. On the other hand, it’s also counting on its extensive user base to understand and implement mobile security policies in the field. As a result, training and human management are central elements of the new strategy.



IT and Security Practitioners at a Loss

The data suggests that IT and security practitioners are well aware of the problem, but seem to be at a loss when it comes to getting it under control. The Ponemon Institute found that 71 percent of IT and security practitioners believe that controlling sensitive or confidential documents is more difficult than controlling records in databases, and 70 percent believe documents accessed by mobile data-bearing devices like smartphones and tablets present a significant security risk. Furthermore, 70 percent say that employees, contractors or business partners have frequent access to sensitive or confidential documents, even though access to that information is not a job or role-related requirement. Fifty-nine percent say their organizations’ controls are ineffective at monitoring employees, contractors or other insiders who access confidential documents.

“We basically saw that people recognize the problem, but they’re almost fatalistic about it,” says Ponemon. “They see this problem as on the verge of being unsolvable.”

“Organizations are struggling with ways to manage or mitigate the risk,” he adds. “The only way to solve it is a combination of a technical solution and having smart people that are monitoring it. It’s not really a security issue as much as a workflow issue. People have a job to do, and they feel IT is not being very supportive of them, so they turn to alternatives. That’s why it’s important to have tools that allow people to operate securely.”

Locking Up

Because sharing and collaboration have become essential to a productive workplace, Ponemon says the solution to mitigating the risks associated with sensitive documents and files is not to attempt to stop it, but rather to put solutions in place that keep sensitive documents and files secure without requiring draconian end-user security measures that stifle the productivity businesses want to encourage. He recommends organizations consider an approach that includes the following:

Identifying information that needs to be secure and protected at all times and enabling full control over every protected document

Preventing documents from being accidentally or maliciously forwarded

Accessing, sharing and controlling all important documents across the extended and mobile enterprise on any device

Allowing employees to access their documents on devices with an intuitive interface that displays docs on any screen

Enabling users to send files and collaborate with business partners or other outside parties

Keeping third parties from transmitting documents to other third parties

Removing access to documents at any time, even from an unsecured PC or mobile device

These recommendations, says Ponemon, will help organizations secure their sensitive documents more effectively.

Land a Cybersecurity Job

By Carolyn Duffy Marsan

Cybersecurity jobs are plentiful, from government, financial services and utilities to manufacturing and retail. We asked the experts to come up with a list of four tips for landing a top-notch cybersecurity job.

1. Get certified.

Security-related certifications are a pre-requisite for most commercial cybersecurity jobs and all defense-related IT security jobs. These credentials range from basic CompTIA Security+ to the gold standard ISC2 Certified Information Systems Security Professional (CISSP). “There are a lot of security certifications that are very well accepted and are extremely beneficial to the individual,” says Jacob Braun, president and COO of Waka Digital Media, a Boston-based IT security consultancy. “Some of those certifications are more than written exams. They have some practical components, which are an additional hurdle to achieve.” “I like to see the CISSP,” says Dave Frymier, Unisys CISO. “Somebody who has the CISSP has passed a pretty comprehensive test and is likely to share terminology with you so you can make sure you are both talking about the same things.”

2. Learn SAML.

The issue of information security, identity and access management in the cloud is a major concern for CIOs, who are deploying SaaS applications such as Salesforce and Concur to complement their enterprise applications. They are looking for employees who understand how to extend their directory services to control access to cloud applications. One specific skill related to cloud security that’s in demand: SAML. The Security Assertion Markup Language is an emerging standard that allows enterprises to extend their directory, authentication and identity management systems into cloud-based applications. “We want individuals who understand the technology, who understand the policy and who understand the intelligence side of things,” Braun says. “If someone has experience deploying security solutions in a new business model, such as the cloud model, that’s very valuable.”

3. Master mobile security.

As more organizations adopt BYOD policies, they are facing a host of challenges including how to secure information stored on a range of devices that they don’t own. “The people who understand mobility at a very deep level tend to be very young, often right out of college. What we find is that we need to pair them up with more senior people who understand backend systems,” Frymier says. “You have all of these sexy streams of data on mobile apps. You need to understand how it gets in and how it gets out and how authentication is done and who has access to it.”

4. Learn to analyze data.

Cybersecurity pros are masters at finding needles in haystacks. They need to deal with huge volumes of data gathered by security devices and find anomalies that indicate security breaches are occurring. “Cybersecurity experts need to understand and analyze the trends in the log data to find anomalies and other signs of security breaches,” Braun says. “They need to understand how data comes in and leaves an organization and how it should be handled. They need to understand how partner organizations work and competitive organizations work, so they’re in the best position to identify when something is malicious or a threat.”

Improve Your Application Security Practices

By Thor Olavsrud

Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications—the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to application security, according to a study by research firm the Ponemon Institute, released earlier this year.

The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of websites, including the websites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software. “Most of the security guys out there are not software people,” he says. “They come from an IT background. All they really know how to do is protect the network.”

Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman’s view. “Organizations must comply,” he says. “They spend the lion’s share of their budget first on firewalls and antivirus because the compliance regulators mandate it.”

Prioritizing App Security: A Challenge

It is often difficult for the organization to prioritize application security over revenue-generating development work, he says. Even when organizations identify serious vulnerabilities in their websites, it’s not necessarily a simple decision to fix them. “The organization has to fix it themselves,” he says. “The business has to decide: ‘Do we create revenue-generating features this week? If we don’t deliver those features on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.’ They have to make a decision.”

Application Vulnerabilities on the Decline

Even with these challenges, Grossman says the application security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach—based on a multitude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI—2011 was also a year in which the average number of serious vulnerabilities in websites showed a marked decline.

For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the websites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 websites across major vertical markets, found an average of 79 serious vulnerabilities per website, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007. “These are real-world websites,” Grossman says. “I would guarantee that you have accounts and data in many of the sites we test.” Of course, that single statistic doesn’t tell the whole story.

While the average came in at 79 serious vulnerabilities, the standard deviation was 670: Some websites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million websites on the Internet and tens of millions more are coming online each month. While it’s a large sample, 7,000 websites is just a tiny fraction of the whole. Still, WhiteHat’s findings paint a picture of the state of website security today; a picture in which website security is slowly improving.

The banking vertical continued to show its dedication to security: Banking websites again possessed the fewest serious vulnerabilities of any industry with an average of 17 serious vulnerabilities per website. Banking also had the highest remediation rate of any industry at 74 percent. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010. Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days, much shorter than the average of 116 days in 2010. “The developers know that 38 days is actually a really, really good number because they know how long it does take,” Grossman says. “But to the end users, 38 days is unacceptable.”

Improve Your Security Posture

To improve your application security posture and make the best possible use of your IT security budget, Grossman suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportunity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker. “On the Web, if you’re doing business of any kind, you’re going to be a target of opportunity,” Grossman says. “Everybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: Your credit card numbers or IP or customer lists. This aligns with how secure you need to be. No one needs perfect security.”

If you determine you’re a target of opportunity, Grossman says, you need to make sure that you are a little bit more secure than the average business in your category. He notes organizations can use the data in its WhiteHat Security Website Security Statistics Report to benchmark where they need to be. Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then prepare plans for how to react when they are breached so they can minimize the damage as much as possible.

Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their websites. Additionally, he says organizations need to understand their benchmarks: Which vulnerabilities are most prevalent in their websites, what’s their time-to-fix, their remediation percentage, average window of exposure, etcetera.

If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it’s a sign that your developers need education in that issue or your development framework may not be up to snuff. If your time-to-fix is particularly slow, it’s a good bet that you have a procedural issue—your developers aren’t treating vulnerabilities as bugs. If you consistently see vulnerabilities reopening, it suggests you have a problem with your ‘hot-fix’ process—high-severity vulnerabilities get fixed quickly but the change is back-ported to development and a future software release overwrites the patch. “Understand your software development cycle,” Grossman says. “Understand where you’re good, where you’re bad and make your adjustments accordingly.”
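The benchmarks Grossman lists (prevalence by vulnerability class, time-to-fix, remediation percentage, window of exposure, reopened fixes) can be computed from a plain log of findings. The Python below is an added example, not code from WhiteHat or from the article; the `Finding` record, the sample data and the 50 percent "recurring class" threshold are assumptions, while 38 days is the 2011 average time-to-fix quoted above.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    vuln_class: str                 # e.g. "XSS", "SQLi"
    opened: date                    # day the vulnerability was reported
    closed: Optional[date] = None   # day the fix went live; None = still open
    reopened: bool = False          # the fix was later lost and the issue returned


# Constructed sample data for one website over the first quarter of 2012.
FINDINGS = [
    Finding("XSS", date(2012, 1, 5), date(2012, 1, 25)),
    Finding("XSS", date(2012, 1, 10), date(2012, 3, 10)),
    Finding("XSS", date(2012, 2, 1)),                      # never fixed
    Finding("SQLi", date(2012, 2, 15), date(2012, 2, 25), reopened=True),
    Finding("XSS", date(2012, 3, 1), date(2012, 3, 31)),
]
PERIOD = (date(2012, 1, 1), date(2012, 4, 1))  # half-open: [start, end)


def benchmarks(findings, period):
    """Return the article's benchmark figures for one reporting period."""
    start, end = period
    fixed = [f for f in findings if f.closed is not None]

    # Window of exposure: days in the period on which at least one finding
    # was open. A reopened issue should be logged as a new Finding so that
    # its second exposure interval is counted as well.
    exposed_days = set()
    for f in findings:
        first = max(f.opened, start).toordinal()
        last = min(f.closed or end, end).toordinal()
        exposed_days.update(range(first, last))

    days_to_fix = [(f.closed - f.opened).days for f in fixed]
    return {
        "prevalence": Counter(f.vuln_class for f in findings),
        "remediation_rate": len(fixed) / len(findings) if findings else None,
        "avg_time_to_fix_days": sum(days_to_fix) / len(fixed) if fixed else None,
        "reopen_rate": sum(f.reopened for f in fixed) / len(fixed) if fixed else None,
        "window_of_exposure_days": len(exposed_days),
        "period_days": (end - start).days,
    }


def diagnose(m, ttf_benchmark_days=38, dominant_share=0.5):
    """Map the figures to the three warning signs described in the article."""
    hints = []
    total = sum(m["prevalence"].values())
    if total:
        cls, count = m["prevalence"].most_common(1)[0]
        if count / total >= dominant_share:
            hints.append(f"recurring class {cls}: developer education or framework gap")
    ttf = m["avg_time_to_fix_days"]
    if ttf is not None and ttf > ttf_benchmark_days:
        hints.append("slow time-to-fix: vulnerabilities are not handled as bugs")
    if m["reopen_rate"]:
        hints.append("reopened fixes: review the hot-fix process")
    return hints


if __name__ == "__main__":
    metrics = benchmarks(FINDINGS, PERIOD)
    for name, value in metrics.items():
        print(f"{name}: {value}")
    for hint in diagnose(metrics):
        print("->", hint)
```

Comparing `remediation_rate` and `avg_time_to_fix_days` against the industry figures in the report (for example banking's 74 percent remediation rate) is what tells a target of opportunity whether it is ahead of or behind its peers.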

Ease Public Cloud Security Concerns

By Nari Kannan

Organizations can optimize their approach to public cloud security by deciding how mission critical an application is, as well as how secure the data for that application needs to be. Here are 10 ways to strengthen public cloud security to support enterprise use.

1. Select the Right Apps for the Public Cloud. Some businesses, including most start-up companies, begin by using the public cloud for all applications, including mission-critical apps and their data. Palo Alto, California-based Pinterest, the fast-growing social media site with 150 AWS instances and more than 400 TB of data at last count, is one such start-up with all applications on the public cloud. However, public clouds are not for every organization. Within an organization, they’re not for every application, either. Generally speaking, the enterprise applications suitable for the public cloud aren’t subject to stringent security requirements. In these cases—such as websites, application development, testing, online product catalogs and product documentation—the default security provided by most cloud service providers (CSPs) will be more than adequate.

2. Evaluate and Add Security, If Necessary. CSPs provide significantly different levels of public cloud security. Pay attention to this while evaluating CSPs. The ISO/IEC 27000 series of standards provides guidelines for systematically examining information security risks, taking into account the threats, vulnerabilities and impacts, for designing and implementing a comprehensive suite of information security controls, and for adopting management processes to ensure that guidelines are followed. Organizations considering moving sensitive applications and data to the public cloud may need to evaluate and compare different CSPs based on these standards. If necessary, security measures that are used in an organization’s internal private cloud may need to be extended to their public cloud instances.

3. Identify and Use the Right Third-Party Auditing Services. When it comes to security compliance, organizations need not simply take the CSP’s word for it. Third-party auditing services can audit the actual, and consistent, application of security standards, processes and procedures at a CSP and compare them to the ones promised to the client. SAS 70 Type II standards specify that these kinds of audits last for a minimum period of six months but could last longer. Moving a few applications to the public cloud and performing the audit over an extended period of time can give an organization the comfort level needed to move more sensitive applications and data to the cloud confidently.

4. Add Authentication Layers. Most CSPs provide good authentication services for public cloud instances, but some SaaS products can help add an additional layer of authentication. Here’s where you need to weigh the benefits of better public cloud security against the costs of increased network latency, possible performance degradation and additional points of failure.

5. Consider How Additional Security Will Affect Integration. Default security with most leading CSPs is already strong. Adding public cloud security measures on top of that may affect overall application performance. It could also complicate your identity and access management efforts. These considerations are all the more crucial if you are working with mission-critical applications that need to integrate with other business applications—end users will not be pleased if their applications are not available when they need them.

6. Put Security at the Forefront of Your SLA. When you run a private cloud, you have (or should have) the tools to know when and where security breaches occur. How would a CSP customer ever come to know of these kinds of security breaches? Public cloud security guarantees with CSPs are no good unless they are written as service level agreements in your contract—and, unless transparent monitoring and reporting functions are available to the cloud customer, the contract itself may be useless.

7. Insist on Transparent Security Processes. The need for transparent and verifiable security processes, procedures and practices within your SLA goes far beyond potential data breaches. When you rent hosted servers, there is at least a physical facility, a rack and a set of physical servers you can visit. With public clouds, on the other hand, you may not know the exact physical whereabouts of your cloud instances, so all you can rely upon is the information that the CSP is making available to you. This is why transparency is critical.

8. Streamline Logging and Monitoring. Exploring the monitoring and logging of physical cloud instances with CSPs is another key to ensuring public cloud security. Comparing one CSP’s logging and monitoring practices with another before you sign an SLA may reveal subtle differences in the security that’s provided.

9. Add Encryption. You may want to employ your own encryption instead of, or in addition to, the encryption provided by the CSP. While the CSP will encrypt information that is sent over the public Internet and stored in the public cloud, the CSP will be providing the encryption key. This may make your organization uncomfortable, as the key could fall into the wrong hands. A number of installable products or SaaS vendors can do this type of encryption on the fly. (VPN-enabled cloud instances fall under this category of augmented public cloud security.) When this happens, only the customer and the third party know the key; the CSP does not.

10. Spread Risk with Multiple, Redundant CSPs. It is common practice to procure high-bandwidth Internet connections for your datacenter from multiple vendors, precisely because you want to spread the risk of outages among many providers. If one is down, the other has a good chance of being available. Cloud provisioning tools these days come already integrated with leading CSPs. You can spin up additional instances of servers with multiple CSPs automatically on demand, as sites such as Pinterest (afternoons and early evenings) and Netflix (weekends) do during peak usage. Here, additional instances are turned on if average CPU utilization reaches a certain threshold and turned off once utilization drops. When spinning up additional instances, it may make sense to use different CSPs in a round-robin fashion. For example, the first may come from AWS, the second from RackSpace, the third from OpSource and so on. That way, events such as an Amazon Web Services outage will not adversely affect your applications.

Send feedback to editor@cio.in



How to Harness the Power of Consumerization

So you’ve said yes to the use of personal tech. How do you make it work for—and in—your business?

By Lynn Haber

Reader ROI:
How consumerization improves customer engagement
How it prevents rogue IT
The difference between consumerization of IT and BYOD

The self-provisioning of technology in the workplace by employees, more commonly known as consumerization, is the most dramatic opportunity disguised as a challenge that businesses should embrace. Along with the infiltration of unsanctioned personal devices, applications, and Web services inside the organization, companies are gaining workers who are increasingly self-motivated to be more empowered, engaged, and resourceful. After all, what enterprise should say no to a self-starter?



None should. Consumerization is here, and it’s not going away. Savvy companies will recognize the consumerization trend for what it is: The opportunity to put in place the security and support mechanisms to nurture this new breed of worker to leverage benefits such as innovation, increased productivity, and—ultimately—growth and increased revenue.

In 2011, 40 percent of devices used to access business applications were personally owned by the employee, according to IDC’s 2011 Consumerization of IT study. That’s up 10 percent from 2010. At the same time, the percentage of company-owned devices used by the employee fell by 10 percent, from 69 percent in 2010 to 59 percent in 2011. Undeniably, the line between personal IT and work IT has blurred. More important, whether sanctioned or not, employees are rapidly increasing the use of their personally preferred mobile devices—such as smartphones, tablets, and laptops—as companion devices to their PCs.

For example, at Needham Bank it’s common to see employees opt to use bank-sanctioned Apple iPads at their desk rather than their desktop PC. “They get in, get out, and get what they need to do, done,” says James Gordon, vice president of IT at the Massachusetts bank. At a minimum, today’s workers expect the same technology and capabilities inside the office as they use outside the office. Certainly, they don’t expect less. “The fact that we sanction the use of iPads and smartphones spurs a level of excitement, even on the warehouse floor,” says Neil Goodrich, director of business analytics and technology at Holly Hunt, a designer and producer of luxury home furnishings.

The defensive business reflex to the consumerization trend—based on a perceived loss of control and legitimate concerns about risk and security—is to protest too much, to push back too hard, or to impose old and rigid standards. Successful organizations will instead adopt an offensive strategy to make consumerization a win-win for all.

Reaping the Benefits

Companies that embrace consumerization can expect to see both internal and external benefits. Internally, the business gains from embracing consumerization are broad, including potential cost savings, more-satisfied employees, productivity gains, a stronger recruitment position, increased innovation, and investment in technologies that they might not otherwise buy into, or at least not as quickly. The overarching external benefit is improved customer engagement. Used as part of a multi-channel strategy to reach out to customers, business partners, and suppliers, consumerization tools and technology can make it easier for existing customers to do business with you and to create exposure, such as through social media, for new customers to find out about your business’s services and products.

Embracing consumerization and reaping its benefits begins with a road map that plans for success and then sharing it with employees. “We recommend establishing a center of excellence where IT partners with the lines of business to identify the greatest benefits of consumerization to the company and how to get there,” says Phil Garland, a partner in PwC’s CIO Advisory Services group.

CoIT is Not BYOD

Have you noticed that the term BYOD is on the rise and has become virtually synonymous with the much broader and deeper term “consumerization of IT” (CoIT)? It’s a common misconception that CoIT is merely the trend toward employees using their own smartphones, laptops and tablets for work tasks like accessing corporate e-mail, contacts, calendars and apps. But while mobile hardware is the starting point of CoIT, there’s far more to it.

Underlying CoIT is a trend some have called “m-business.” It’s a “work-style” shift involving businesspeople using mobile devices as their primary means of connecting to the Internet, accessing corporate data and communicating with colleagues. The new work-style, which mixes home and work activities through days, evenings and weekends, has profoundly changed the way people work and is beginning to affect the expectations that companies have of their employees. There are management and HR issues and very real concerns about work-life balance and how that might affect the productivity and well-being of employees. So CoIT is not merely about a different type of hardware; it’s about a different way of working.

It’s also a movement toward simpler interfaces, inspired by social media, mobile apps and cloud-based apps and services. The rise of app stores overflowing with free or inexpensive problem-solving tools is reshaping user expectations about what software is and what it does. Many IT departments are adopting single-purpose apps adapted to enterprise use. The look and feel of social media software, as well as its people-powered nature, has a huge influence on consumerization—and it has nothing to do with businesspeople bringing their personal devices into the office.

Public clouds aimed at end users are another important aspect of CoIT. The syncing of e-mail, calendars and user data across multiple devices is perhaps the best example of consumer-oriented cloud services used for business purposes.

Of course, CoIT raises security concerns. Most smartphones and tablets aren’t built with enterprise-class security—though that is starting to change. But it’s not just about hardware security features; when you welcome all manner of devices, the potential for security snafus multiplies. It’s also easy to lose a mobile device or have it stolen. All of these factors threaten corporate data. Public clouds and Web-based apps also create security risks.

The vaguely derogatory term BYOD probably started off as some IT person’s joke, a takeoff on a similar acronym that rhymes with it. “Bring your own device” takes the end user’s point of view, not IT’s. But it defines a very narrow aspect of CoIT—and misses some of its most important aspects.

— By Scot Finnie


Turning Users Into IT Deputies

Although IT organizations admit to feeling besieged by consumerization—80 percent of IT executives say consumerization increases IT workload, according to IDC—the trend is inevitable with no signs of letting up. “The form factors of today aren’t the end of it,” says Danielle Levitas, a senior analyst at IDC.

The good news for IT is that the democratization of the workplace offers benefits for the IT group. The technology-savvy employee bent on selecting his or her own mobile device and apps can be an asset, one that PwC describes as helping turn “shadow IT” into “deputized IT.” In other words, IT gains an army of user assistants who turn to each other to solve problems with their devices and apps rather than lean on IT. This self-support not only reduces the burden on IT but also offers the IT organization partners in innovation and testing and inside-the-business technology analysts.

That’s the approach being taken at Holly Hunt. It’s kicked off a series of marketing and training groups with IT for people to trade ideas and to identify gaps in the tools available to employees designed to improve productivity. “These users are the new litmus test for new application development,” says business analyst director Goodrich. Goodrich contends that consumerization makes users less tolerant of poorly made software, so IT needs to tackle that issue head-on. By focusing less on devices and more on apps that target improved business processes, the partnering of IT and users can drive productivity through better tools—the bull’s-eye of consumerization.

The Always-On Employee

By tapping into an existing base of technology aficionados willing to use their always-on, easy-to-use, 24/7-accessible devices for work—even if just a quick activity here and there—businesses will inevitably see a productivity advantage. Already, employees admit that no place is sacred when it comes to using consumer technologies to conduct work. IDC survey respondents admit to squeezing in work time while on vacation, in bed, during commute time, at family gatherings, while watching TV, and even at a place of worship.

“While not quantified, businesses can reap huge benefits from [consumerization] because it’s hard to turn the device off when it’s also being used for personal use,” says IDC’s Levitas. Ask any enthusiast just how easy it is to check e-mail, update Facebook, and collaborate with business peers.

The Socially Savvy Business

Many employees have already mastered social media, and as business hones its skills, social media is an avenue to enhance operations and exploit new market opportunities. A 2011 McKinsey report confirms increased adoption rates of social tools and technology, with 72 percent of respondents using at least one social technology tool and 40 percent reporting the use of social networking and blogs.

Measurable benefits of using social tools internally include increased access to knowledge, a reduction in communication costs, and faster access to internal experts, especially when integrated in the employee’s day-to-day work. Similar results are reported among companies that reach outside of the organization to partners, suppliers, and experts. Organizations using social networking to reach out to customers report more effective marketing, increased customer satisfaction, and reduced marketing costs.

Developing communities of interest via the use of social networking is a huge potential shot in the arm to innovation for any organization that plugs in employees as well as business partners, customers, and suppliers. But a key caveat to realizing the benefits from social media is that it doesn’t happen organically. “Beyond the technology there’s the functional capability of how to use it effectively to drive results,” says Ryan McCune, senior director of innovation and incubation at Avanade, an IT consultancy. Perhaps the easiest and quickest social medium to start with is corporate microblogging, he notes.

Consider Needham Bank. Today, it encourages employees to use LinkedIn, low-hanging fruit to gain competitive advantage and reap immediate business value. It also uses Microsoft SharePoint’s My Site feature for internal collaboration. “We have to do it 100 percent right and manage the risk appropriately before we jump [to Facebook],” says business analytics director Gordon.

The Appy Place

Consumerization’s productivity advantage is ultimately about the apps: Delivering the right applications and data to the right set of users and managing it accordingly—which goes back to creation of a center of excellence to identify the applications that deliver the greatest benefit.

Many in IT are concerned about needing to gain expertise in multiple mobile and cloud platforms, but the good news about mobile apps and social cloud is that new apps can be developed quickly and at a lower cost than traditional enterprise apps. “It’s easier to experiment because the focus for development is on the front end, tapping into existing enterprise apps such as CRM, ERP, and HR, for example,” says PwC’s Garland. At the same time, developers can fail fast while taking a smaller bite out of the R&D budget.

The bottom line is that a progressive attitude toward consumerization is good for business. So get progressive.

Send feedback on this feature to editor@cio.in



Honed and Ready for Growth

With growth and automation on the horizon, ITC’s underlying infrastructure needed to be better equipped. Here’s how ITC’s IT team worked with EMC to ensure that its infrastructure could support the gargantuan company’s future plans.

Company: ITC
Industry: Diversified
Revenue: Over US$ 7 billion

ITC is a diversified multi-business enterprise with a market capitalization of over US$ 33 billion and a turnover of over US$ 7 billion. It has a diversified portfolio of businesses spanning fast-moving consumer goods, paper and packaging, hotels, agri-business and IT. Currently, the ITC group employs more than 29,000 people at over 60 locations across India. But more importantly, today, ITC is recognized as a global example for its sustainability practices. ITC has not only created sustainable livelihoods for over 5 million people, but is also the only company of comparable dimensions in the world to be water-, carbon- and solid waste-recycling positive.

All ITC’s business units have strong ERP (enterprise resource planning) systems that support their daily functions. ITC’s IT landscape is fairly diversified, which is probably why it’s managed by an in-house IT shared service team. In a bid to make its expansion as smooth and swift as possible, ITC wanted to automate its processes and reduce manual intervention wherever feasible. However, automation brought with it a greater dependence on technology and “we had to look at developing a disaster recovery (DR) strategy for data, which was in line with ITC’s business continuity plan and could provide a near-zero RPO (recovery point objective) and less time to recover,” says Partha Chakraborty, Manager-IT Project for ITC IT Shared Service.

A firm with a market capitalization of US$ 33 billion can’t afford the luxury of downtime measured in hours and this made business continuity a factor it could not compromise on. In case of an unforeseen disaster, the company needed to ensure that the data at its DR site was not more than an hour old. ITC also wanted to leverage data to track its past performance and unlock the latent potential of the information it collected with predictive analysis. Again, its disparate IT landscape led to occasional hiccups, with the planning cycle for sales and distribution being delayed. This needed to be overcome. For that the company needed a storage infrastructure layer that delivered fast response times and low RPO, while seamlessly catering to the information needs of multiple applications. “It was important for us to find the right solution, one which could meet ITC’s need of optimally managing data growth across different landscapes, while also providing faster responses,” says Chakraborty. A tall order.

Plan to Deliver

In order to fulfill the business’s demands, the first and foremost mandate for the IT shared service team was to ensure that ITC’s business units were not constrained by IT infrastructure. “We knew that in order to deliver the performance the business wanted—in an auto-pilot mode—the technology needed to be very reliable,” says Partha Sengupta, Head-ITC IT Shared Service. “In people-dependent processes there are usually ways around a problem, which makes it easier to solve a roadblock. However, in a highly-automated environment, the technology has to be fail-proof.”

The storage infrastructure that catered to ITC’s IT requirements was nearing end-of-life and needed to be migrated on to a new-age solution. Sengupta’s extensive IT experience had ingrained in him the importance of planning prior to any deployment. The clarity the IT team had from the businesses in terms of performance requirements helped them map out the new IT landscape. The company’s global ERP vendor’s consulting team was also included in the discussions about the migration. “All the details pertaining to the number of disks that were to be configured in the file system layout, and the overall architecture were vetted by them, ensuring that we were in line with the business requirement,” says Chakraborty.

Bespoke Fitting

Once the assessments were made, a request for proposal based on business requirements and operational challenges was created and ITC’s IT team evaluated multiple solutions. “While there were other solutions that matched our requirements, when we considered the existing landscape, which was based on EMC solutions, and the challenges we might face during migration, we decided that EMC VMAX was the right fit for ITC,” says Sengupta. Some of the features ITC was looking for, which tilted the balance in favor of EMC’s solutions, were the strength of its storage on virtualization capabilities, support for federation within and across the datacenter, the ability to facilitate storage tiering in a virtualized environment, and a technology roadmap on the product line, says Sengupta.

With the product finalized, the IT team got approval from ITC’s management to migrate to a newer platform. “They knew that businesses were adopting automation along with ERP, and that other enterprise applications were also being rolled out. Hence, there was very little room in the existing infrastructure to satisfy the future needs,” says Chakraborty.

Chakraborty and his team started working out the process of implementation, and as they laid their thoughts on paper it became clear that a phased approach was needed. “We realized it would be better to migrate the smaller landscapes with less data first, and then assess how it worked on the new storage before we migrated our most critical landscapes on to it,” says Chakraborty. Emphasizing the benefits of a phased approach as opposed to a big-bang one, Sengupta says, “In a phased approach, even if we faced challenges, we could immediately rectify them—before we migrated the larger landscapes.” “We have gone in for a three-site architecture for our datacenter with our primary and near-site in Bengaluru and the DR site in Kolkata so that at no point could there be a storage-level failure for ITC,” he adds.

The new storage solution delivers response times of less than 5 milliseconds, from over 20 milliseconds. This has a huge impact on ITC’s planning and distribution.

A Solid Foundation

The migration to the new storage saw ITC’s landscape being converted to a three-tier architecture, with the top tier catering to high-end applications running on EMC Symmetrix VMAX, the mid-tier on EMC Symmetrix DMX, and the bottom-tier on EMC CLARiiON CX handling low-tier storage requirements. This worked out well for ITC as it allowed the company to migrate to better technology for its storage—without having to declare end-of-life for its previous storage. With a three-tier storage architecture, the company’s older storage continues to be a part of the mid-tier, which caters to middle-level applications. “This allows me to do a cost optimization and apportionment on the basis of the tier of storage,” says Sengupta. The fact that the technology refresh coincided with business growth helped matters and ITC was able to avoid an impact on its TCO (total cost of ownership).

A Robust Backbone

“All the jobs that were previously constrained by storage are now being completed well on time. Defined timeframes are being met because of the correct sizing of our storage infrastructure,” says Sengupta.

Response times have a direct impact on the planning cycle for sales and distribution, and ITC wanted a 5 millisecond (ms) response time. The dispatch of finished goods to distributors requires daily planning and the associated jobs need to be completed early in the morning. But with response times close to 20 ms this was not being achieved. However, with the newer storage, which delivers a response time of less than 5 ms, this activity is completed on time, which has led to a business advantage. “The sales and marketing information application system is also hosted out of this EMC VMAX so when they push orders they also enjoy a better performance,” says Chakraborty.

Two of the most important capabilities that Chakraborty and his team identified were the ability to run on thin provisioning and storage tiering. “Previously, we utilized a thick provisioning for the ERP to run. But now we are using virtualization and thin provisioning even for our ERP,” says Chakraborty. This helps ITC optimize its investment with the most expensive storage systems and reduce the gap between allocation and utilization while provisioning for performance. “Automated storage tiering is also very helpful as it moves ‘less used’ data to low cost disks and the ‘more used’ data is kept on high performance ones,” says Chakraborty. This helps reduce operational costs because instead of buying the most expensive Fibre Channel (FC) disks, less used data can be moved to SATA disks.

ITC had also emphasized the need for a better RPO, which was hovering near double digits in terms of number of hours. It wanted nothing greater than 30 minutes at its disaster recovery site. Today, it enjoys a 70 percent performance enhancement. “Deploying EMC’s storage solution has outperformed our RPO and response time requirements,” says Chakraborty.

Making Sense of Big Data

Arun Ramachandran, Country Manager, Data Computing Division, EMC India & SAARC, says CIOs must take a fresh look at managing data to be able to derive significant results from big data analytics.

Most CIOs today want to redefine the way their organizations consume information. How can this be made possible?

This is possible through five key foundational layers of a big data architecture. The first is sources of data, especially new sources of data such as social data, external data, and machine-to-machine conversations. The second layer is data governance. The third layer is to select and implement a big data platform which handles structured, unstructured, semi-structured data and does it with scale-out capability. Next, think about analytics tools on top of that. And then you need to think about data scientists—which should live in the business and which should live in IT.

What are some of the best practices while dealing with a pool of structured and un-structured data?

CIOs need to step back from transactional data and take a look at other sources of data that are—or need to be—core to their business. Also, CIOs need to take a fresh look at how they manage data—if the data that is going in is incomplete or dirty, then analytics will reflect that. Put in a data czar and a team that is responsible for keeping data clean, taking care of rules, regulations and governance, and around who can change data sets and data structures.

Can organizations employ big data and cloud computing in a manner that they complement each other?

Of course. In fact, cloud computing makes big data possible by providing an elastic pool of resources to handle the massive scale of big data. Another benefit of the cloud is that it makes IT resources more efficient and IT teams more productive—freeing up resources to invest in big data.


VIEW from the TOP

Gurcharan Das, author and former CEO of P&G India, says the government has plenty to learn from IT companies.

Back to the Basics

By Eric Ernest

Whether it’s leaving his job as the CEO of Procter & Gamble, or revisiting the moral lessons of the Mahabharata in his book, The Difficulty of Being Good, Gurcharan Das continues to chart unorthodox waters in his quest to combine "knowledge of history, philosophy and sociology" to better understand today's world in general, and India specifically. Das, who graduated with honors from Harvard University, and the Harvard Business School’s Advanced Management Program, made a career with companies such as Procter & Gamble, and Richardson Hindustan, a career that spanned 30 years and covered six countries. In his latest book, India Grows at Night: A Liberal Case for a Strong State, Das writes that while the country has grown in spite of ineffective governance, this current way of doing things isn't sustainable. He makes the case for a government that gets its priorities right by focusing on governance and acts decisively to provide the necessary public services to its citizens.

Why did you choose to retire early and become a full-time writer?


Gurcharan Das: Well, there were a number of reasons. For one, I had worked for 30 years and when I reached 50 I thought it was time to do something else. I enjoyed my work, but there was a big world outside and it was time to do something else. At the time, reforms had taken place and I saw that nobody was selling them to the people. So I became a cheerleader for reforms. Also, there is only so long an adult can come to work and look at the market share of Vicks Vaporub, Pampers, Tide, and Ariel (laughs).



Gurcharan Das expects I.T. to:
Create transparency
Introduce efficiency

Photo by Srivatsa Shandilya

What's your take on the govt’s recent reforms?

They are not sufficient. They are just the beginning of what’s needed; there are many more to do. And they should have been done five years ago. But it's not just reforms that’s needed. Look at our whole process of approvals that leave so many projects stuck. You don't need reforms to make sure that the coal arrives in time for a power plant.

Will a revolution be required to change things?

I don’t think there will be a revolution. In fact, I don’t think a revolution is a good idea because once revolutions are unleashed, they can get out of control. Sixty-five years of democracy has created a lot of safety valves. Also, it won't happen because of the nature of our country, our democracy, and the temper of our people. We are not a revolutionary people (laughs). We are a little more relaxed; we are a tolerant country. The Anna Hazare movement is really a movement against corruption. It’s a movement that is the voice of the new middle class, of the IT people. And they are impatient. They have tasted success through their hard work and they see the contrast between private success and public failure. So they ask: Why can't we make our public life the way we have our private life?

Talking about IT folk, will the IT industry continue to strengthen India?

It will continue to be a driving force. The entire IT and ITeS industry will be a driving force, at least for a couple of decades.


Can technology help achieve the new state envisioned in your book?

Of course I think that technology can help! E-governance is about technology. The Aadhaar/UID project is about using technology to improve governance. What technology does is it creates transparency. The corrupt thrive in opacity rather than transparency. If you put all land records on the Internet, then a lot of the source of corruption goes away. Technology creates transparency and that helps accountability. It also removes human errors, so it contributes to efficiency.

What can the government learn from how Indian IT companies are run?

The lesson is that you require a strong, decisive, determined executive. What we are missing in India, what we forget in our constant drive for accountability, is that the state was created to act. It's this action that we have forgotten. Let me give you an example. The Anna Hazare movement was meant to bring about more accountability. But that drive for accountability has paralyzed the executive. Bureaucrats are scared of putting their signatures on paper because they think that 10 or 20 years from now someone will catch them for something.

Switching to enterprises, how should business leaders view technology?

I think it's always necessary to be open-minded. Human beings, as they get older, tend to get comfortable with what they have. It’s the youngsters who want the latest cellphones and the latest technology. It's very important to be open, flexible, and to be able to learn continuously. Technology expects you to be a student for all your life.

What advice do you have for today’s managers?

I’d say that looking at the example of Manmohan Singh is a good lesson for all CEOs. What we can take from the example of Manmohan Singh is this: What leadership requires more than thought is action. What’s more important than intelligence is determination and willpower. Manmohan Singh has a PhD in economics from Cambridge, but look what a failure he has been as a leader because he just didn’t have that determination. He showed that determination only once on the nuclear deal and just now in these modest reforms. If you’re hiring somebody keep in mind that intelligence is an over-rated virtue. Don’t look at their resumes, and be awed if they came out of IIT or IIM or at the top of their class. You have to find out whether someone has fire in the belly; whether that person has the quality of determination, and the stubborn willingness to stick to the issue.

"What leadership needs more than thought is action. What’s more important than intelligence is willpower." —Gurcharan Das

Can the Indian economy grow by 7 to 8 percent, as you have forecast?

Our base case is 7 to 8 percent growth. I think that our savings rate is still high; it’s over 30 percent. Our investment rate has to pick up because the economy is far stronger than the investment sentiment. Initially, the investment sentiment was high, then it lowered because of government paralysis. It will recover in time. One of the things we have to understand is that India is a consumer-driven economy. For a consumer-driven economy interest rates are very important since people have to take mortgages for houses, take loans for cars, or motorcycles, or scooters. Our interest rates went too high and they have to recover. I think they will normalize, and if they normalize we will be back to growing.

What can we take away from Singapore's style of governance?

We can take a lesson in how they reformed their bureaucracy, their judiciary and their police. All that Singapore does very well. They have a meritocratic bureaucracy. For our bureaucracy, the entry point is meritocratic. But after you get in, then everybody gets promoted at the same time—everybody. They don't differentiate whether you work an hour a day or 12 hours. Everyone is rated good and outstanding, as a result people who don’t work, or perform poorly, or are lazy, also get promoted at the same time and get the same increments as the others. So then employees start asking why they work or why they can’t be absent. We can learn good governance from Singapore. The principles of good governance don’t depend on whether you are a dictatorship or a democracy. Those principles are technical principles of merit, of rewarding merit, and of punishing failure.

Eric Ernest is correspondent. Send feedback on this interview to eric_ernest@idgindia.com



EVENT REPORT

Custom Solutions Group

Wipro & Cisco

A Private Cloud Affair: Making Business Rain

Much has been said about the potential of the private cloud but its ability to provide businesses with an edge is worth reiterating. The Wipro-Cisco roundtable did just that.

Gone are the days when cloud computing was associated with everything dark and murky. Today, it’s a game changer. That’s because organizations have begun to appreciate the benefits of the cloud—especially private cloud. It is now a means of getting rid of rigid systems and providing businesses with competitive edge. To understand how the cloud revolution is sweeping enterprises and the technology’s roadmap, CIO, in association with Wipro and Cisco, gathered some of the brightest minds in the Indian ITeS sector.

Today, CIOs are constantly walking a tightrope. They have to ensure that their organizations are agile and, at the same time, keep their IT assets—built over the years—relevant to new technologies. Mohan Sundaram, GM-IT, Alcatel-Lucent, said his organization has recognized almost 250 applications to decommission and create a new product development platform, due to a strong push toward virtualization. “Legacy systems tend to constrict business agility, yet replacing them involves a substantial commitment of resources that straddle hardware, new applications, staff and vendor time,” he said.

Here’s where the cloud could lend a hand by infusing agility. But more than that, some CIOs like Darshan Appayanna, CIO, Happiest Minds, feel the cloud has the potential to make applications more secure. In fact, at Happiest Minds, most of the company’s IT infrastructure is delivered from the cloud—with a team of five to support more than 600 employees. “We find that running applications on the cloud is sometimes more secure than keeping them on-premise,” Appayanna said.

But unlike smaller companies, which look to the private cloud for a competitive edge, not all large organizations turn to it. “Some large enterprises are hesitant in adopting cloud computing, while smaller enterprises leap-frog their competition using the same platform,” said Rohit Adlakha, GM and BU head, Wipro.

Whether they are large or small, said Rajesh Shetty, VP, Cisco India and SAARC, organizations need to focus on business problems more than technology solutions. “Instead of pushing products, we help enterprises and service providers develop a strategy, justification, and roadmap for addressing complex challenges and maximizing business opportunities.”

All the CIOs seconded the fact that the private cloud does bring benefits to the table. They said that it is transformative and opens new doors for innovation.

“Among other things, the cloud has helped IT to become a strategic business enabler.” Valerio Fernandes, GM-IT, Continental Automotive Components India

This event report is brought to you by IDG Custom Solutions Group in association with


How to Boost Customer Loyalty

Business Intelligence

Guesswork no longer cuts it. Here’s how three smart companies used business analytics software to improve customer loyalty.

By Mary Brandel

Reader ROI:
Different customer-related problems IT can fix
The impact of analytics on the bottom line
How to cross-sell and up-sell

In today’s intensely competitive and fast-changing marketplace, companies can no longer rely on gut instinct, guesswork or “business as usual.” Across all industries, businesses are turning to data analytics to quickly and accurately respond to—and even predict—buyer behavior in their quest to grow revenue while securing customer loyalty. The desire to engage with customers more effectively is fueled in part by what many see as a shift in power from sellers to buyers, thanks to social media and the rise of mobile computing. In IBM’s most recent Global CEO Study, more than 70 percent of CEOs said they were seeking a better understanding of individual customer needs and improved responsiveness to those desires.

Here is a look at three companies that are striving to capture the loyalty of their customers through the use of analytics.

Who: T-Mobile
What IT did: Combated customer churn
How IT Helped: By segmenting the customer base, it helped build focused campaigns for different customer profiles. As a result, it lowered its customers-lost-to-customer-gained ratio.

For wireless providers, customer churn can be a killer. According to research from Strategy Analytics, at the end of 2011, the percentage of mobile customers who switched service providers every year reached 44 percent, its highest level ever.

T-Mobile is one carrier that has been feeling that pain. Dwarfed by AT&T and Verizon Wireless in market share, the company was losing one customer for every customer it gained in early 2012, according to a statement by former CEO Philipp Humm earlier this year. To offset that trend, T-Mobile is digging into its customer data to better understand buyer behavior and more precisely target customer needs. “Customers have so many dynamic options right now,” says Alison Bessho, director of IT enterprise systems at T-Mobile. “They can easily get intrigued by something new with a different company, so in order to keep them happy, we’re always looking for creative ways to give them something new and different.”

To that end, T-Mobile uses a Teradata database and analysis tools to collect and analyze customer data, including current plan rates, the number of family plans versus individual plans, credit ratings, network usage metrics and statistics comparing the amount of talking time and the amount of texting time. It then segments the customer base, builds focused campaigns for different customer profiles and presents offerings via its various sales channels, including stores, call centers and websites.

The marketing team then analyzes how customers respond to these campaigns to project financial returns and fine-tune the offers. To do that, it feeds data into the Hana real-time data analytics appliance, which uses in-memory computing to perform rapid analytics on large data sets. This allows statistics modelers and business analysts to query the data and—if they find something unexpected—query further, without involving IT. “You don’t have to pre-think what types of analytics you’re going to do or pre-build the aggregation tables that you build with traditional BI solutions,” Bessho says. Plus, the data can be loaded more quickly into the appliance than it can with traditional analytics platforms, and the queries run 55 times faster than with a traditional database. That speed encourages analysts to explore creatively, she says. “A lot of the benefit is finding the unknown,” Bessho says. “So it’s important that the tool is responsive and cuts through rows of data quickly.”

Analysts can now determine the types of campaigns that work best for various customer groups. “We now know how to go to different customers with [different] offers,” Bessho says. For instance, one way to segment customers is by how close they are to the end of their contracts. Knowing this—as well as what type of plans they have, what their credit scores are, and where they live—T-Mobile can, for example, send phone upgrade offers to long-term customers and offers for different rate plans to newer ones. These offers can go out via text message, e-mail, the call center or physical stores. “When the customer is on the phone or walks in the store, we get more fresh data about them to help reps select the best offer at that specific time,” Bessho says. “We can take advantage of historical data, as well as dynamic data, to create personalized, focused offers based on customer trends and behaviors.”

T-Mobile also uses BI to produce dashboards and detailed operational reports for marketing leaders. It will soon launch a mobile BI capability so marketing execs can view the current performance of marketing campaigns on their tablets.

T-Mobile still faces challenges, including the need to recover from its failed buyout deal with AT&T and the June departure of its CEO. But the company is betting on customer insights to bolster its future prospects. It plans to add 300 more customer data attributes to the system to deepen and broaden its analytic capabilities. In the first quarter of 2012, T-Mobile saw 187,000 net customer additions, compared with 99,000 net customer losses in the first quarter of 2011. “Our goal is to reduce churn, enhance loyalty, upsell and cross-sell new devices and rate plans, and make customers happier, while achieving better financial results,” Bessho says.

Who: SuperValu
What IT did: Better met people’s needs
How IT Helped: By figuring out what communication mediums different customers prefer and also by determining when during the day stores needed re-stocking, ensuring shelves were never empty.

For grocers, the concept of loyalty has historically been tied to the ‘loyalty card’—those ubiquitous laminated cards that give shoppers automatic discounts. But market forces are driving grocers like SuperValu to kick their customer loyalty games up a notch. According to Wesley Story, group vice president of consumer insights and loyalty at SuperValu, competition is heating up, especially as more types of retailers—from big-box stores to discounters—add grocery items to their shelves.

About two years ago, SuperValu launched an effort to become more customer-centric by creating a hassle-free shopping environment, offering more freshly prepared foods and matching product lineups to local tastes. Customer data gathered from loyalty cards is key to this strategy, Story says, because it reveals buying trends and demographic shifts. “If you’re not careful, all of a sudden the customer that was your target no longer lives around you,” he says.

SuperValu has long used a data warehouse and traditional BI tools to analyze transaction and customer data. But it recently set up a big data analytics lab to accommodate faster, more complex, ad hoc queries against all types of data, including unstructured data from social media. The lab’s tools include an analytic appliance, which collects data from operational systems and puts it in a nonproduction database optimized for analysis; Hadoop, an open-source analytics platform that uses parallel processing to quickly analyze large data volumes; and a visualization tool designed to rapidly deploy dashboards that mash up various types of data, including information from external sources.

With this setup, SuperValu no longer needs to know how data will be structured or what questions it needs to ask. “If a query doesn’t work, we can just throw it away because the investment is minimal versus weeks and months of development,” Story says.

The grocer is already better able to keep popular items in stock by studying out-of-stock data from its inventory management system, peak shopping times from its transaction data, staffing levels from the labor management system and customer perceptions from its ‘voice of the customer’ system. It has determined that certain stores needed to add a mid-day re-stocking shift to accommodate the rush of traffic between 4 pm and 6 pm.

Analytics also enables SuperValu to engage with customers through the most effective medium, be it e-mail, text messaging, mobile apps or social media, Story says. The old-school approach was to ask customers which channel they prefer; however, it’s far more accurate to watch their behavior, he says. So, for a highly digital customer, you increase activity where they respond the most—maybe text and social media—and drop it in the media where they’re less active, like e-mail and snail mail.

Predictive analytics is the next step, Story explains. The grocer is experimenting with segmenting customers and predicting their behavior by overlaying loyalty-card data with demographic, psychographic, behavioral and economic information from external providers. By seeing, for instance, the effects of the recession on shopping patterns, SuperValu can better predict which customers will switch to lower-priced items during a downturn and proactively market store brands to them.

The company is also reaching out to digitally-savvy consumers via mobile apps and social media. “That’s the secret sauce,” Story says. “Bringing it all together to understand what the redemptions are, how we offered them, through which vehicle, where they [were] redeemed, which [channels] customers are most active in—and their social media influence if they are a highly connected consumer.”

“The old-school approach was to ask customers which channel they prefer to be reached on. But, it’s far more accurate to watch their behavior. For a highly digital customer, you increase activity where they respond the most—maybe text and social media—and drop it in the rest.”



Who: Oberweis Dairy
What IT did: Improved customer retention and improved store service and profitability
How IT Helped: By figuring out why customers canceled their home delivery service after 180 days and why lines in the store were so long.

Gut-feel decisions are no longer enough for businesses today, even for a nearly 100-year-old, family-owned company like Oberweis Dairy. Oberweis operates more than 40 ice cream/dairy stores, a wholesale distribution business and a home delivery business. In 2010, when the company needed to make some changes, it invested in a system from SAS to make sure its efforts would pay off.

So far, the system has helped Oberweis improve customer retention in its home delivery business and increase store profitability and service times, according to Bruce Bedford, VP-marketing. “We’re blessed with customers who are brand-loyal, but it’s also because we listen to their needs and respond quickly,” he says. “In that effort, analytics tools have been tremendous.”

Oberweis turned to analytics when it discovered a customer attrition problem in its home delivery business. The company reaches out to customers through direct mail, door-to-door visits and the Internet. Bedford says that many customers who signed up for home delivery in response to direct mail campaigns and door-to-door visits canceled the service after 180 days, but that was not the case for those who responded to Internet campaigns. The Internet was the only channel through which the company did not offer a $100 (about Rs 5,500) discount in the form of free deliveries for six months. The marketing team hypothesized that attrition rates spiked at 180 days because the value of the free-delivery offer had been depleted at that point.

To counter this trend, Oberweis devised a new promotion that offered identical savings of $100 but through a year-long reduced charge of 99 cents per delivery. After determining that the response rates for the two offers were the same, the company tested their respective effects on customer loyalty. The results were dramatic: Among customers who responded to the 99-cent offer, there was a 35 percent improvement in the retention rate at the nine-month mark, “which is worth millions of dollars in incremental revenue gain,” Bedford says.

Analytics also enabled Oberweis to speed service in its stores. “Customers were getting up to the cashier and not knowing what they wanted to order,” Bedford says. The culprit, the marketing team determined, was the menu board. So last fall, the marketing team came up with four designs that led customers through the decisions of ice cream serving size, flavor and cone type, and featured images of six popular sundaes. The designs also highlighted products with high profit margins. “We didn’t want to guide someone toward a simple sundae or traditional ice cream cone instead of our waffle cone, which is an upsell,” Bedford says. Using SAS modeling, the company tested the designs in several stores. When the best one was rolled out, Oberweis saw an average profit increase of 3 percent on fountain purchases and an estimated 30 percent improvement in service time during peak hours. “It’s good for the customer because it’s an uncomplicated and quick experience, and we’ve been able to drive incremental profitability,” Bedford says.

Through predictive analytics, Oberweis has also determined that store customers who intend to purchase just a bottle of milk are most receptive to offers of discounted quarts of ice cream. “Before, we had no idea that would be beneficial to do, but the story was lying there in the data, and by combing through it with the right tools, we could draw it out.”

4 Ways to Improve CX

Engage your customers. Bruce Temkin, managing partner of the Temkin Group, a customer experience (CX) research and consulting company, says companies need to reach out to customers through varied channels: “Listen in on calls, read feedback from surveys, and learn how to integrate this into the development of IT,” he says. AT&T did this when it revamped its CX in retail stores. “We had customers provide direct feedback about the technology,” says CIO Thaddeus Arroyo, whose team also learned from videos of customers interacting with sales reps.

Do more with analytics. Ideally, you’ll know your customer so well that you can predict what they’ll do next. “With predictive analytics, we can understand across 100 different elements why customers give [satisfaction] scores,” says Temkin. Companies need to be present where customers are, including on social media. Dell, for example, has added 3,500 social media employees to handle the 25,000 comments it gets per day. Temkin says it’s crucial to analyze this data and get back to customers through social media channels.

Keep the technology simple. Temkin says complex technology can hurt your CX strategy and be a major turnoff. “If you don’t make it usable, you’re throwing away your entire investment,” says Temkin. AT&T’s CIO Arroyo agrees customers want technology to work immediately and without instructions. “You don’t want surprises.”

Happy customers may be your ROI. Customer loyalty is the ultimate goal of CX strategies, but it’s also one of the toughest to achieve, says Temkin. CIOs have to get the executive team on board before making a significant CX investment. “The biggest challenge is getting the organization to make trade-offs between short-term financial goals and long-term customer-loyalty goals,” Temkin says. Arroyo says the investment has been worth it at AT&T. “Customer satisfaction has improved across the board,” he says. “We’ve even exceeded expectations, to be more effective [at] selling.”

— By Lauren Brousell


Send feedback on this feature to editor@cio.in



Essential technology

Image by photos.com

A CLOSER LOOK AT Disaster Recovery

Cloud services, virtualization, mobile devices, and social networking can keep your business going when catastrophes hit. Here’s how these tech trends can help you better your DR and BCP planning.

How to Plan DR Better

By Bob Violino

Disaster Recovery | As we've seen in recent years, natural disasters can lead to long-term downtime. Because earthquakes, hurricanes, snow storms, or other events can put datacenters and other corporate facilities out of commission for a while, it's vital that companies have in place a comprehensive disaster recovery (DR) plan. DR is a subset of business continuity (BC), and like BC, it's being influenced by some of the key trends in the IT industry, foremost among them: cloud services, server and desktop virtualization, the proliferation of mobile devices, and the growing popularity of social networking as a business tool. These trends are forcing many organizations to rethink how they plan, test, and execute their DR strategies. IT and security executives need to consider how these developments can best be leveraged so that they improve, rather than complicate, DR efforts.

Cloud Services

As organizations use more internal and external cloud services, they're finding that these resources can become part of a disaster recovery strategy. Marist College in New York provides numerous private cloud services to internal users and customers. It also hosts services for 17 school districts and large enterprise clients. "The cloud configuration allows us to perform software upgrades across the multiple tenant systems quickly, easily and without disruptions," says Bill Thirsk, vice president of IT and CIO at the college. "Because our storage is virtualized, we can replicate data across SANs that we have placed strategically on our campus in numerous locations and in our datacenter. A loss of a SAN means only that production operations switch over to another." Because Marist can perform server-level backups across partitions, it can move data from one server platform to another should an event occur, Thirsk says.

There's big potential value in cloud-based DR services, says Rachel Dines, senior analyst, infrastructure and operations, at Forrester Research. Cloud-based DR has the potential to give companies lower costs yet faster recovery, with easier testing and more flexible contracts, Dines says. In a 2012 report from Forrester, the firm says cloud-based DR threatens to shake legacy approaches and offer a viable alternative to organizations that previously couldn't afford to implement disaster recovery or found it to be a burdensome task.

Perhaps the biggest downside to the cloud from the standpoint of DR are concerns surrounding security and privacy management. "You still see with some major events, such as the lightning strike in Dublin [in 2011] that took out the cloud services of Amazon and Microsoft, that there can be some temporary loss of service," says John Morency, research VP at research firm Gartner. "The cloud shouldn't be considered 100 percent foolproof. If organizations do need that 100 percent availability guaranteed they need to put some serious thought into what they need to develop for contingencies."

A growing number of larger companies with complex IT infrastructures are putting in private clouds and using these as part of their disaster recovery strategies, rather than relying on public cloud services, Morency says. "They worry about being left out in the cold during a disaster" if service providers are not able to provide service, he says. Morency notes that this is only true in the case of DR subscription services that provide floor space and actual equipment at a specific geographical location. "Given the more distributed and virtual nature of public clouds, this is much less of an issue," he says. What the cloud has done for traditional disaster recovery service providers is make testing of their backup capabilities more flexible and less costly, Morency says.

Virtualization

For many organizations, server virtualization has become a key component of the disaster recovery strategy because it enables greater flexibility with computing resources. "Virtualization has the potential to speed up the implementation of a DR strategy and the actual recovery in a disaster," says Ariel Silverstone, an independent information security consultant and former CISO of Expedia.

"It also has the ability to make disaster recovery more of an IT function rather than a corporate audit-type function," Silverstone says. "If you have the right policies and processes in place, [with virtualization] disaster recovery can become part of automatically deploying any server."

For Teradyne, a supplier of test equipment for electronic systems, virtualization has been an enabler for a much improved DR capability, says Chuck Ciali, CIO. "We have leveraged virtualization for DR significantly," Ciali says. Using virtualization technology, Teradyne can seamlessly fail over to redundant blade servers in the case of hardware problems. It can also use the technology to move workloads from its commercial datacenter to its research and development datacenter in case of disasters. "This has taken our recovery time from weeks [or] days under our former tape-based model to hours for critical workloads," and saves $300,000 (about Rs 1.6 crore) per year in DR contract services, Ciali says.

45% of Indian CIOs say BCP and DR drive their organizations' information security spending. Source: Global information security survey

Marist College has deployed virtualization, and one of the benefits is avoiding system unavailability. "We do all we can to avoid any event that would cause users dissatisfaction, loss of access or loss of functionality," Thirsk says. "To do so, we utilize massive virtualization of our processors, our network topology and our storage." Because Marist IT can now provide a virtual server and a virtual network, as well as spin out storage, "our systems assurance activities move along at a very rapid rate," Thirsk says. "If at any point of testing something goes horribly wrong, we can decide to trash it and start over or continue forward, all without much trouble at all on the system side."

On the whole, server virtualization has made DR a lot easier, Dines says. "Because virtual machines are much more portable than physical machines and they can be easily booted on disparate hardware, a lot of companies are using virtualization as a critical piece of their recovery efforts," she says.

There are lots of offerings in the market that can perform tasks such as automating rapid virtual machine rebooting, replicating virtual machines at the hypervisor layer with heterogeneous storage, and turning backups of physical or virtual machines into bootable virtual machines, Dines says. "Ultimately, virtualization means companies can get a faster RTO [recovery time objective] for less money," she says. On the downside, the popularity of virtualization has led to virtual machine sprawl at many organizations, which can make DR more complex. "Companies have the [virtualization] structure in place that gives them the ability to create many more images, including some they do not even know about or plan for," Silverstone says. "And they can do so very quickly."

Mobile Devices

From a disaster recovery standpoint, the growing use of mobile devices such as smartphones and tablets facilitates the continuation of IT operations and business processes even after a disaster strikes. "People will carry their mobile devices with them," says George Muller, vice president, sales planning, supply chain and IT at Imperial Sugar, a processor and marketer of refined sugar. "I might not carry my laptop wherever I go, but if all of a sudden we've got a disaster I've probably got my BlackBerry in my shirt pocket. Anything that facilitates connectivity in a ubiquitous way is a plus."

One of the positive impacts of the prevalence of mobile devices is that it gives people a greater ability to work remotely and communicate using their devices in an emergency, says Malcolm Harkins, vice president of the IT group and CISO at microprocessor manufacturer Intel. But mobile device proliferation has also made disaster recovery slightly more complex, Dines says. "Along with mobile devices comes more datacenter infrastructure, such as mobile device management and [products] such as the BlackBerry Enterprise Server, which are often very critical," she says. "This becomes one more system that must be planned for and properly protected."

Another possible negative with mobility in a disaster recovery scenario is that some critical enterprise applications, such as payroll, might not be available for mobile devices, Silverstone says. Harkins notes that there are potential security risks, such as non-encrypted mobile devices being lost or stolen, and unauthorized access to corporate networks from these devices. But these risks can be overcome by the ability to wipe out data on devices remotely over the Internet.

Social networking

Like mobile devices, social networking gives people another way to stay in contact during or after a disaster. "We've seen instances such as a couple of years ago when we had major snow storms on the East Coast and a lot of businesses shut down and employees kept in touch with each other via Facebook and Twitter vs. e-mail," Morency says.

In some cases it might take days or weeks for a corporate datacenter to recover after a disaster. And if the company is relying on internal e-mail systems that might put e-mail service out of commission, Morency says. "Assuming that either public or wireless networks are still available you can now be using social media to communicate, as an alternative to in-house e-mail which may not be available," Morency says. "If you're using a service like Gmail then it's less of an issue. But if you're using an Exchange-based internal e-mail or directory services, then social media may be a more available alternative."

During a recent disaster test that Marist College performed, "we were curious to see how social networking would be used in case of an actual event," Thirsk says. One early morning the IT department launched an unannounced disaster drill. "While we had warned staff we would be doing this, they had no idea how real we were going to make it," he says. First, Thirsk sent a message that the college was experiencing a massive system failure. Due to building conditions, staffers could not report to their workplace or to the datacenter. "We shut down our enterprise communications systems and then watched how the staff responded," Thirsk says. Managers quickly began communicating to their staff via outside e-mail accounts, chat rooms, Facebook, and Twitter. "They even found my personal e-mail account off campus and began messaging me," Thirsk says. In a matter of 20 minutes, all staff had reported to a command center in the campus library, where they were tasked with performing a number of system checks, verifications and processes. "All of this activity occurred using alternate communications methods," Thirsk says. "We documented this exercise and now use it as part of our plan."

Forrester says there are several reasons why social networking should play a role in an emergency communications strategy. For one thing, social technology adoption is increasing, and a greater portion of employees and customers have continuous access to social sites such as Twitter and Facebook. In addition, social channels are essentially free. It costs very little to set up a Facebook, Twitter, or Yammer profile, recruit followers, and send out status updates. Social media sites can also facilitate mass communication with external parties, the firm says. Typically, during a crisis immediate communication is limited to internal staff. However, companies should also plan for situations that call for communication with partners, customers, public officials, and the public at large. Social media sites make it easy to establish these external connections. Finally, the environment of social discussions provides mass mobilization and situational awareness. The value of social networking sites offers unique advantages in the crisis communications arena, Forrester says.

How to Survive a Cloud Outage

Use Multiple Availability Zones. Amazon Web Services offers "availability zones" (AZ) in each of its regions and for each of its services. The company describes AZs as each running on its own physically distinct, independent infrastructure. "They are physically separate, such that even extremely uncommon disasters such as fires, tornados or flooding would only affect a single availability zone." During last year's outage, about 45 percent of customers who used only a single AZ for the Relational Database Services were impacted, compared to less than 3 percent of customers who used a multi-AZ approach, AWS said in a post mortem report.

Use Multiple Cloud Providers. Still don't feel protected even with a multi-AZ, multi-region approach? Use multiple cloud providers then, advises Drue Reeves, a Gartner cloud analyst. This comes with caveats, since some service providers share common datacenter resources.

Outline Availability in SLAs. Customers can also take non-technical steps, such as negotiating with their cloud service provider regarding service-level agreements (SLA) that specify penalties to be paid in the case of a disruption. If a customer is using a cloud provider for disaster recovery services, the SLA might mandate as much as 99.999 percent availability.

If You Can't Take the Heat, Stay Away From the Fire. If a user is extremely concerned about high availability of data and applications in the cloud, Steve Hendrick, an IDC analyst, says perhaps that means the customer isn't ready for a public cloud. Hendrick says it's a simple equation: The more mission critical the data and compute resources, the more protections for resiliency and high availability the customer should put in place.

—By Brandon Butler

Gearing Up for Disaster

DR Drill | Los Angeles World Airports (LAWA), the department that oversees three airports in the LA area, recently implemented a BCP and DR plan for the Los Angeles International Airport (LAX). As part of the effort, the organization conducted a tabletop exercise on what would happen if an earthquake struck LAX.

The initial step in the planning was a business impact analysis (BIA). The key component of the BIA was to develop the RTO and the RPO of each business process. The BIA forms the business case for a business continuity program.

The second step was to develop 13 business continuity plans, the IT disaster recovery plan, and the IT incident response plan. The two major components of the BCP were the manual workaround procedures and the roles and responsibilities of each participant. Each business unit was required to submit a manual workaround procedure for each of their business processes. This is required to continue business operations when IT systems are unavailable. This was the most detailed task of the project, says Dominic Nessi, deputy executive director and CIO of LAWA.

This was the scenario the company used: At approximately 9:30 am, an earthquake began in the Pacific Ocean about 30 miles southwest of Malibu, at a magnitude of 6.7 on the Richter scale. The epicenter of this quake was 53 miles from the Civic Center and had a significant effect on the area around LAX. The buildings sustained moderate to severe structural damage.

The participants in the exercise represented the LAX department managers and selected staff for which BCP and DR plans had been established. Participants were gathered in a single room and asked to address recovery solutions based on the information in their plan. They were able to question other departments to determine if there was available support for any dependencies.

“We identified the roles and responsibilities of each team, established communication flow to exchange dependencies information, and discovered missing or incorrect recovery information,” says Nessi. —By Bob Violino

Send feedback on this feature to editor@cio.in



Staying Prepared


endlines innovation

How to Know You’re Compatible

By Jay Alabaster

Technology is now promising to figure out one of mankind’s long-standing questions: Am I compatible with my partner? And it’s doing it by checking your brainwaves. If you thought this requires undergoing a battery of tests, you’re wrong. At the Tokyo Game Show, couples were asked to try a new app for the iPad that checks if their brain waves are compatible. The application, called Brain Kiss, uses a headset made by US firm NeuroSky, which has a sensor that sits on the forehead and another that clips on the ear.

The premise is simple. You and your partner put on a Bluetooth headset that reads your brain waves. Then you activate your iPad, sit back and look deep into each other's eyes. After a few seconds, you check your iPads for the results. Word of advice: Keep your fingers crossed. In one demonstration, the results of the test showed that a man was very attracted to a woman. Both the man and the woman were attendants at one of the booths at the show. The woman? Not so much. Awkward. All you match-makers out there, watch out.



