VOL/08 | ISSUE/12
SHIVKUMAR PANDEY, Head-IT Infrastructure and Security, Star Union Dai-ichi Life Insurance, shares how his organization deals with BYOD’s security challenges.
BUSINESS | TECHNOLOGY | LEADERSHIP
SECURITY SURVEY 2013: WHAT THE NUMBERS SAY
It’s time to fight back. Here’s how to combat information security’s five big challenges. Page 36
VIEW FROM THE TOP Milind Deora on how IT can change India. Page 54
OCTOBER 15, 2013 | Rs 100.00 | WWW.CIO.IN
Consumer durables firm optimizes supply chain network

Shrinking margins, rising material costs and pricing pressures are a few of the key challenges that supply chains face today. In addition, running a supply chain business places extreme pressure on the network to remain highly available to both the company and its vendors. As one of India’s leading suppliers of consumer durable goods, Usha International was in a similar quandary. Usha’s data center facility was unable to accommodate its mounting space, power and cooling requirements as well as the added management complexities of a growing SAP landscape. These issues were adversely impacting the productivity of its supply chain and Usha knew it was time to revamp its infrastructure. Dell’s detailed roadmap and long-term view of the data center was just what Usha needed in a partner. Another clinching factor was the fact that Usha could achieve a return on investment within just three years by moving to a Dell virtualized platform.

Driving improved productivity and greater innovation with virtualization

Dell helped Usha optimize the use of the company’s infrastructure and simplify IT operations and management through consolidating the data center environment. The Dell solution, powered by Intel® technology, utilized the powerful combination of its PowerEdge™ blade servers, PowerVault tape library, PowerConnect switches and VMware® vSphere™ 5 technology to create a highly available and virtualized architecture. Dell’s comprehensive solution has enabled Usha to consolidate the server infrastructure, enabling additional SAP modules and other core business applications to be virtualized and run on an 80% lower server footprint. This highly scalable solution enables Usha to meet its long-term requirements and has completely eliminated the need for additional investments, thus realizing a substantial saving of Rs 800,000.

Usha has also seen a significant improvement in the speed and accuracy of sales forecasting, which earlier took nearly up to five days. This has made it easier to anticipate and plan for demand, and reporting can be completed 60% faster, even during peak times. Greater energy efficiencies also imply that Usha can focus completely on improving its business and driving innovation. To know more on how Dell Enterprise Solutions & Services, powered by Intel® technology, can help you overcome your business challenges, visit www.dell.co.in/domore

The Challenge: Inefficient data center; complex application landscape
The Strategy: Server consolidation & data center virtualization
Results: Reduced server footprint by 80%; enhanced vendor relationships and client responsiveness; 70% decrease in order approval time; improved supply chain planning through 60% faster report generation
FROM THE EDITOR-IN-CHIEF
Whither Outcomes

Outcome-based IT opens purse-strings like a charm, but could it throw the holistic nature of your strategy?

“Obstacles are those frightful things you see when you take your eyes off your goal.” —Henry Ford

Honest admission: I hate with a will the phrase ‘business-IT alignment’. In almost every single CIO forum that I’ve attended in the past decade it’s come up and I’ve cringed in response (and, I suspect, so have you). A search on Google presents upward of 20 million results for us to ponder. While on the subject, have you ever seen business-sales or business-finance or business-HR alignment come up for discussion? Ever? Yet, report after informed report, survey after learned survey continues to point to this elusive juxtaposition as being the holy grail that CIOs are, or ought to be, after.

Not so long ago, over an excellent single malt, a CIO and I were exchanging bitter notes on business-IT alignment (BITA), when he let out a sigh of exasperation and quipped: “BITA ought to be treated like the four-letter word it is.” The other issue that miffs me no end is the assumption that the onus for the alignment somehow devolves to the CIO. Where’s the skin in the game, eh Business?

Of course, there are realities that we have to confront. The economic mood of the past four years needs more than lithium to stabilize it. A growing chorus is chanting the mantra of outcome-based IT, believing that it increases the rigor and simplifies the process of justification, gets business truly involved and opens the budgetary purse-strings like a charm. That belief is not without merit. In the past, most organizations have seldom revisited the ROI figure for a project (given the number of spec changes, it’s difficult to stick to the primary assumptions in any case). And that has diluted the business value and in turn the strategic value of IT.

What does bother me about outcome-based IT is that, like chargebacks, it has the potential to skew the mix toward only those projects that offer tangible and hard ROI and those departments that are focused in that direction, like production or sales. What do you think?

Vijay Ramachandran, Editor-in-Chief
vijay_r@cio.in

PUBLISHER, PRESIDENT & CEO: Louis D’Mello

EDITORIAL
Editor-in-Chief: Vijay Ramachandran
Managing Editor: T.M. Arun Kumar
Executive Editor: Gunjan Trivedi
Associate Editors: Sunil Shah, Yogesh Gupta
Features Editor: Shardha Subramanian
Special Correspondents: Gopal Kishore, Radhika Nallayam, Shantheri Mallaya
Principal Correspondents: Anup Varier, Debarati Roy, Sneha Jha, Varsha Chidambaram
Senior Correspondents: Aritra Sarkhel, Eric Ernest, Ershad Kaleebullah, Shubhra Rishi, Shweta Rao
Senior Copy Editors: Shreehari Paliath, Vinay Kumaar
Lead Designers: Jinan K.V., Pradeep Gulur, Suresh Nair, Vikas Kapoor
Senior Designers: Sabrina Naresh, Unnikrishnan A.V.

SALES & MARKETING
President Sales & Marketing: Sudhir Kamath
Vice President Sales: Sudhir Argula
Vice President Special Projects: Parul Singh
GM Marketing: Siddharth Singh
General Manager Sales: Jaideep M.
Manager-Key Accounts: Runjhun Kulshrestha, Sakshee Bagri
Manager Marketing: Ajay Chakravarthy
Manager-Sales Support: Nadira Hyder
Sr. Marketing Associates: Anuradha H. Iyer, Archana Ganapathy, Benjamin Jeevanraj, Rima Biswas, Saurabh Patil
Marketing Associate: Arjun Punchappady, Cleanne Serrao, Lavneetha Kunjappa, Margarate D’costa, Nikita Oliver, Shwetha M.
Lead Designer: Jithesh C.C.
Senior Designer: Laaljith C.K.

OPERATIONS
Vice President HR & Operations: Rupesh Sreedharan
Financial Controller: Sivaramakrishnan T.P.
CIO: Pavan Mehra
Sr. Manager Operations: Ajay Adhikari, Chetan Acharya, Pooja Chhabra
Sr. Manager Accounts: Sasi Kumar V.
Sr. Manager Production: T.K. Karunakaran
Sr. Manager IT: Satish Apagundi
Manager Operations: Dinesh P., Tharuna Paul
Manager Credit Control: Prachi Gupta
Sr. Accounts Executive: Poornima

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.
OCTOBER 15, 2013 | REAL CIO WORLD
Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.
CONTENTS | OCTOBER 15, 2013 | VOL/8 | ISSUE/12

36 | Counter Attack
COVER STORY | SECURITY: It’s time to fight back. Here’s how your peers in India and across the world are combating information security’s biggest challenges. By Team CIO
Cover design by Unnikrishnan AV

54 | View From the Top
“The main thrust of the Telecom Policy 2012 is for ICTE services to have a transformational impact on the economy,” says Milind Deora, MoS of Communications, IT, and Shipping.

66 | Cholamandalam MS General Insurance
CASE FILES | CRM: Cholamandalam MS wanted to strengthen its insurance renewal mechanism. A CRM solution made that possible. It also brought new insights and enhanced customer-centricity. By Shubhra Rishi

68 | V for VUCA
FEATURE | IT MANAGEMENT: Your IT survival guide for the new business normal: Four steps for mastering the world of volatility, uncertainty, complexity, and ambiguity. By Julia King

73 | Invasion of the Data Scientists
FEATURE | ANALYTICS: Leading HR departments are turning to ‘talent analytics’ for a wide range of staffing issues. CIOs are at the center of this data-driven transformation. By Stephanie Overby
Brought to you by HP & Intel®.

Your data center. Converged. Optimized to set innovation free. Together, with IT professionals like you, we’re building a better enterprise. It starts with convergence. Servers, storage, and networking that integrate easily into your existing infrastructure. Managed intuitively, with built-in intelligence to optimize your enterprise IT. Deliver new applications rapidly. Spend less time maintaining. And more time doing what matters: innovating. Visit hp.com/go/CI
DEPARTMENTS

2 | From the Editor-in-Chief: Whither Outcomes. By Vijay Ramachandran

9 | Trendlines
Innovation | Wine-powered Chips, and More
Regulation | No Pvt. E-mail for Public Servants
Mobile Apps | Mobile-controlled Datacenter
Internet | Off to the Gallows
Video | Video is Our Birthright
Healthcare | Google Fights Age
Space | Nasa Brings Dark Matter to Light
Internet | Internet Hate Machine, It Exists
By the Numbers | Deep in the Net

20 | Alert
Hacking | You Could Be Next
Hardware | Invisible Attacker
Printing | Follow the Money. By Lauren Brousell

62 | Chasing Big Business
CXO AGENDA | GROWTH: Nellaiappan Thiruambalam, CEO, Personal Care and Foods Division, CavinKare, says the company targets to double its current revenue by 2015. He explains how he plans to get there with the help of IT. By Shubhra Rishi

79 | Essential Technology
Mobility | Who’s the Boss?
Mobile Security | i(n)Secure

84 | Endlines

COLUMNS

25 | The Indian Idle
FRANKLY SPEAKING: Does rapid advancement in technology make us smart or dumb? Will it create jobs for us or make us unemployed? Or will it simply make us idle, obese, and redundant? By T.M. Arun Kumar

28 | The Final Shodan!
LEADING EDGE: A search engine of connected devices is currently being used as a penetration-testing tool. But it has the potential to expose you to the dark underbelly of the Web. Beware! By Gunjan Trivedi

32 | Cloud Spiel
CLOUD COMPUTING: Sales personnel portray cloud computing to be a not-to-be-missed boon for organizations. But a profound technological perspective will paint a different picture. By Rodney Byfield
TRENDLINES
EDITED BY SHARDHA SUBRAMANIAN
NEW * HOT * UNEXPECTED

INNOVATION
Wine-powered Chips, and More

In a new twist on strange brew, an Intel engineer showed off a project using wine to power a microprocessor. The engineer poured red wine into a glass containing circuitry on two metal boards during a keynote by Genevieve Bell, Intel fellow, at the Intel Developer Forum in San Francisco. Once the red wine hit the metal, the microprocessor on a circuit board powered up. The low-power microprocessor then ran a graphics program on a computer with an e-ink display. Further details on the offbeat technology were not available, but it is years away from practical implementation. It is just one of many projects in the works at Intel’s New Devices group, which is investigating business opportunities in the emerging markets of the Internet of things and wearable devices. Intel previously demonstrated a prototype solar chip that could be powered by a bulb’s light.

Low power doesn’t mean low performance, with Intel now thinking about microwatts, not milliwatts, said Mike Bell, vice president and general manager of the New Devices group, during an appearance at the keynote. The goal of the demonstration was to show Intel’s progress in developing low-power chips. Bell’s group is also experimenting with a range of products such as embedded devices with sensors, smartwatches, and eyewear. The company introduced a line of extremely low-power processors called Quark for wearable and embedded devices, based on past chip research from Intel’s labs. Intel executives talked about how lowering chip power consumption on Quark will help it enter markets such as wearables. Such chips, which are about one-fifth the size and consume one-tenth the power of its Atom processors, could be used in eyewear and disposable medical patches that immediately send information about a patient’s vital signs to doctors. —By Agam Shah
REGULATION
No Private E-mail for Public Servants

The Indian government is expected to require that Indian bureaucrats use e-mail service provided by the National Informatics Center for their official work, as it tries to secure its communications infrastructure. The requirement will be part of a proposed new e-mail policy, said sources in government who declined to be named. India’s Minister for Communications and IT, Kapil Sibal, told Parliament that the government had decided that all its embassies would use mail servers from the government’s National Informatics Centre, which will be installed in the embassies and directly linked to a server in India. The minister was responding to concerns from the opposition about reports of large scale surveillance of telephone calls and e-mails by the National Security Agency in the US. Former NSA contractor Edward Snowden disclosed through newspapers certain documents that suggested that the NSA had real-time access to content on the servers of Internet companies. The Indian government appears to have been very lax on security, despite having an e-mail service from the NIC, with some ministers listing their Gmail addresses on their websites. It is not known whether they use these addresses for official communications as well. —By John Ribeiro
MOBILE APPS
Mobile-controlled Datacenter

A mobile app could help UK datacenter managers do their job while on holiday in the Algarve, Hawaii, the Alps, or anywhere else in the world with an Internet connection for that matter. Emerson Network Power—a provider of datacenter software and hardware—claims that the mobile version of its datacenter infrastructure management (DCIM) tool, Trellis, will enable holidaying datacenter managers to do aspects of their jobs while abroad, provided they have an Internet connection. John Curran, Emerson Network Power VP of product management, told Techworld (sister publication of CIO magazine): “When datacenter managers are online, they can see what power is being consumed, how that power is connected and any problems that might be occurring. So, there’s a lot of information right there if they need it.”

The free Trellis Power System Manager mobile app (currently only available on iPad) aims to improve datacenter efficiencies and allow datacenter managers to monitor the performance of their facility in real time. Emerson Network Power claims that this gives them richer insights that can be used to reduce the risk of downtime and improve operational efficiencies. The app includes a virtual diagram of a power chain from the grid to the rack, which allows users to observe the entire power system, view capacity utilization in real time and predict energy consumption. The Trellis Power Manager app also details how much energy each bit of equipment is using in a datacenter. Emerson Network Power suggests that the app can be taken onto the floor of a datacenter to find, add, remove, and reposition racks without having to consult a desktop computer. The barcode scanning and image recognition technology means the mobile app can be used to deliver real-time updates, according to Emerson Network Power.

While the app sounds interesting, Curran revealed that only four or five datacenters in Europe currently use the Trellis platform, which has been created from scratch over the past three years. There are also a number of other similar desktop-based DCIM solutions already on the market. However, 451 Research analyst Michelle Bailey said: “Adding new mobile access, image recognition, power management and asset management capabilities positions Emerson to address the escalating needs of the DCIM marketplace, while offering a tangible solution for a future datacenter.” —By Sam Shead
INTERNET
Off to the Gallows

In perhaps China’s toughest push to crack down on online defamation, authorities have unveiled measures that could send Internet users to jail for up to three years if found guilty of posting slanderous rumors. The measures were announced as part of a judicial interpretation of Chinese law. The measures were established by China’s Supreme Court and its top prosecution agency, which spent more than a year studying the subject. “In recent years, illegal activities that have used the Internet to commit crimes have increased daily,” said Supreme Court spokesman Sun Jungong in a televised press conference. “In particular, has been the prominent use of the Internet to commit crimes of defamation.”

Under the new measures, Internet users can face defamation charges if their online posts have received over 5,000 views or been re-posted over 500 times. They can also be charged if their online statements caused self-harm or suicide to the victim. If found guilty, users face a jail sentence of up to three years, other forms of detention and the deprivation of political rights. The new measures are China’s latest effort to control public discourse on the Internet in a country already infamous for its strict censorship laws. The nation has close to 600 million Internet users, many of whom use social networking sites including Twitter-like service Sina Weibo to connect with friends, read local news or hear about controversial topics. Many top Chinese websites censor content to comply with government rules. This includes deleting or blocking comments that touch on anti-government views or sensitive issues. But still, authorities have been heavy-handed in trying to stop alleged online rumors on the sites, going as far as to arrest people involved. —By Michael Kan
PARTNERSHIPS | WINNING THE POLE POSITION
Empowering the Workplace

The rise of mobility—and tablets in particular—is opening up a host of opportunities for Indian companies. Leading CIOs show you how to leverage it for maximum benefit.

Mobility is taking the enterprise by storm. In the last two years, it went from being a technology that only forward-looking companies brought into their organizations to a trend that only the laggards did not get on. There are multiple reasons for this shift. First, and possibly the hardest to ignore, are the benefits that mobility introduces to enterprises. According to CIO research, 53 percent of Indian companies have already seen productivity gains from mobility; 58 percent have seen increased efficiency of business processes, 61 percent have improved customer support or services, and 69 percent have gotten a competitive/information edge. There are other reasons companies are turning to mobility. According to CIO research, the top three drivers for mobility within Indian organizations are: employees and customers demanding real-time information; an increased focus on innovation within organizations; and senior management needing access to business-critical information. Some companies are ahead of others in the race to leverage mobile devices to achieve increased efficiency, sharper competitive advantage, and happier employees. Here are three that have employed Samsung tablets to do just that.
“Less than 20 percent of Indian CIOs have a mobility strategy. The need of the hour is to understand businesses, processes, and apps that can be mobile-enabled to improve an enterprise’s competitive advantage.”
SAMEER GARDE, SVP, Enterprise Business, Samsung

CUSTOM SOLUTIONS GROUP | SAMSUNG
WINNER ROLL CALL

Company: Asian Paints
Benefits: Samsung tablets are being used successfully to build relationships with dealers and improve the quality and speed of the company’s communications. Today, sales officers are able to display the latest range of shades and signature patterns and showcase the company’s new product features to its dealers. They are also able to record complaints and orders, and explain scheme details on a real time basis.

Asian Paints is one of those rare companies where innovation and efficiency thrive side by side. That’s part of what has helped it become India’s largest paint company and Asia’s third-largest paint company. With a turnover of Rs 11,736 crore, it manufactures a wide range of paints for its growing customer base. To help its customers decide which paints to use, Asian Paints’ field force used to carry color catalogs and price data sheets for product marketing, billing and dealer management to various customer sites. The challenge with this system was that order execution could only take place when field agents returned to the company’s offices. To increase the company’s efficiency, Manish Choksi, president-Home Improvement, supply chain and IT, Asian Paints, decided to equip the company’s sales force with Samsung tablets. In order to offer a holistic experience to Asian Paints’ customers, Samsung worked with a partner to provide a product catalog and sales order management solution on the tablets. “In addition to helping with the sales process, we have also been able to build engagement with our sales officers by facilitating learning and developments, and improving collaboration using applications which run on the tablets,” says Choksi. Additionally, in order to enhance security on the tablets, Samsung also partnered with SAP Afaria to provide a robust MDM solution to protect device data and help Asian Paints track field force activities.

“We chose to partner with Samsung considering the high quality display of its devices, their robust build, and because support was available across the country.”
MANISH CHOKSI, President-Home Improvement, Supply Chain and IT, Asian Paints

Company: Marico
Benefits: The FMCG major turned to Samsung when it needed to replace PDAs used by its 3,000-strong sales force with smartphones. The new devices have ensured a higher commitment to sales and support.

It’s impossible to live in India and not have heard of Marico. Generations of children have grown up using the company’s iconic coconut oil, and today, one out of three Indians uses a Marico product. In the last two decades, the company has developed, expanded and built many new brands. Its head-IT, Girish Rao, has been instrumental in adopting nascent, yet valuable, technologies to create products for its customers. When it comes to mobility, the company has been an early adopter. In the past, Marico had enabled its sales force with PDAs. After its vendor stopped manufacturing these devices, Rao needed to look for an alternative. “We decided to put our bets on Android-based smartphones,” says Rao. That was when Marico chose Samsung smartphones for its 3,000-strong field force. With the help of its skilled internal IT team, Marico developed its own sales force application to work on the Android phones. Since the deployment of Samsung smartphones, Marico has reaped a number of benefits such as tracking sales and order booking and ensuring better work efficiency. Marico has employed a single-vendor strategy to make management easier. “Not only was Samsung’s total cost of ownership much lower but its commitment to sales and support is also far superior to that of other vendors in the market,” says Rao.

“Not only was Samsung’s total cost of ownership much lower, but its commitment to sales and support is also far superior to other vendors in the market.”
GIRISH RAO, Head-IT, Marico
Company: HDFC Standard Life
Benefits: The insurance company chose Samsung tablets to equip its sales agents and serve its large customer base across the nation.

HDFC Life is India’s leading long-term life insurance solutions provider offering a range of individual and group insurance solutions that meet various customer needs. HDFC Life has the widest reach with about 450 branches in India touching customers in over 961 cities and towns. To empower the sales force, Thomson Thomas, SVP-IT, HDFC Life, initiated the roll-out of tablets. “We wanted to deploy a product catalog, insurance policy marketing guide, and Lead Tracking using native applications on the tablets,” says Thomas. It wasn’t as simple as just loading apps on a tablet. HDFC Life was already working with a partner for sales force automation (SFA), but faced some issues with the application and its integration with tablets. Samsung roped in its R&D team, resolved all technical issues and integrated the SFA application on the Samsung Android tablets. Srikanth R, VP-IT, HDFC Life, who is the project owner, says, “We faced some challenges on this journey but our partners like Samsung helped us solve these quickly.” In addition, Samsung supported the BYOD process that allowed HDFC Life’s field force to buy their own tablets, which ensures that more users now access the application, increasing their productivity.

“We wanted to deploy a product catalog, insurance policy marketing guide, and Lead Tracking using native applications on the tablets.”
THOMSON THOMAS, SVP-IT, HDFC Life
VIDEO
Video is Our Birthright

If your company’s video technology strategy isn’t up to par, you could be losing out on top talent, especially as the next generation of executives comes into their own. That’s the takeaway from a recently released study, 2013 Cisco Global Young Executives’ Video Attitudes Survey, conducted by Redshift Research (and sponsored by Cisco), which polled 1,315 executive-track employees from the US, the UK, and Europe. Angie Mistretta, director for Cisco’s telepresence marketing team, says that while business-class video has always been used to help organizations stay better connected, the technology is increasingly seen by younger executives as a ‘must-have’ at their current and future firms. “The study showed that 87 percent of these executives would choose to work at an organization that invested more heavily in business-class video, even if presented with another job offer with a higher salary,” Mistretta says. “That’s huge—these executives said they felt an organization that invested in video cared more about using technology to fuel growth, and that is important to them.” Business-class video, Mistretta says, is different from consumer video solutions like YouTube, Facetime, and Vines. Business-class video is extremely high-quality, reliable, secure, and lifelike. The ‘lifelike’ aspect is critical, Mistretta says, as executives see video less as just a content-delivery medium and more as a comprehensive collaboration tool that can help them gain a competitive advantage. —By Sharon Florentine
SOCIAL MEDIA
Success Standards

Just like different organizations use social media for different purposes, they also use different metrics to gauge the success of the engagement. Here are the top four metrics that Indian organizations consider.

81% Platform-specific parameters
7.1% Leads/Sales goals
7.1% Brand visibility
4.8% Change in sentiment

Source: EY
HEALTHCARE
Google Fights Age

Google is reaching out beyond search, Android, Maps and even computerized glasses. The Internet company is putting its considerable muscle behind healthcare with a particular focus on aging and the diseases that accompany it. “OK... so you’re probably thinking wow!” wrote Larry Page, co-founder and CEO of Google, in a Google+ post. “That’s a lot different from what Google does today. But as we explained in our first letter to shareholders, there’s tremendous potential for technology more generally to improve people’s lives. So don’t be surprised if we invest in projects that seem strange or speculative compared with our existing Internet businesses.”

Google recently announced a new company, dubbed Calico, that will focus on the somewhat amorphous subjects of health and well-being, though with a particular focus on aging and its related diseases. Arthur D. Levinson, the chairman and CEO of Genentech and the current chairman of Apple, will be the CEO and a founding investor for Calico. “For too many of our friends and family, life has been cut short or the quality of their life is too often lacking,” said Apple CEO Tim Cook, in a statement. “Art is one of the crazy ones who thinks it doesn’t have to be this way. There is no one better suited to lead this mission and I am excited to see the results.” In his Google+ post, Page said he’s excited to tackle the issue of aging and its related illnesses. “These issues affect us all—from the decreased mobility and mental agility that comes with age, to life-threatening diseases that exact a terrible physical and emotional toll on individuals and families,” he wrote. “And while this is clearly a longer-term bet, we believe we can make good progress within reasonable timescales with the right goals and the right people.”

Zeus Kerravala, an analyst with ZK Research, said that he doesn’t find healthcare or medical research to be too far out of Google’s realm. The company just might have the money and muscle to make serious research inroads. “Google is great at analyzing large amounts of data and so much of medical research, in many ways, is data analytics,” Kerravala said. “They have the resources and they have the analytical capabilities. One of the things that always holds back medical research is resources and funding, of which, Google has plenty.” —By Sharon Gaudin
TRENDLINES
POPULAR SCIENCE

NASA Brings Dark Matter to Light

NASA’s Hubble Space Telescope has found the largest known group of spherical star clusters, a discovery that may provide clues in the effort to solve the mystery of dark matter. Scientists estimate there are about 160,000 star clusters “swarming like bees” in the center of a giant grouping of galaxies called Abell 1689, NASA said. Globular star clusters are dense bunches of hundreds of thousands of stars and are the earliest galaxy residents. Since nearly 95 percent of globular clusters formed within the first 2 billion years after the birth of the universe, they are believed to contain some of the oldest surviving stars.

Scientists know that dark matter, mysterious and so-far elusive matter that is thought to make up a quarter of the universe, neither emits nor absorbs light. But scientists know it exists because of its gravitational influence on the rest of the universe. Beyond that, they know little about it. An understanding of dark matter could offer valuable clues to how the Milky Way will evolve and whether the universe will stop expanding at some point.

“We show how the relationship between globular clusters and dark matter depends on the distance from the center of the galaxy grouping,” said Karla Alamo-Martinez of the Center for Radio Astronomy and Astrophysics, in a statement. “In other words, if you know how many globular clusters are within a certain distance, we can give you an estimate of the amount of dark matter.”

Studying the ancient star clusters could also provide data on the early days of the universe, and help in understanding how galaxies were formed. “The globular clusters are fossils of the earliest star formation in Abell 1689, and our work shows they were very efficient in forming in the denser regions of dark matter near the center of the galaxy cluster,” said John Blakeslee of the Herzberg Institute of Astrophysics, in a statement. “Our findings are consistent with studies of globular clusters in other galaxy clusters, but extend our knowledge to regions of higher dark matter density.” —By Sharon Gaudin
INTERNET

Internet Hate Machine, It Exists

It’s not just your imagination: The Internet is an angry place, at least if you buy into research from Beihang University in China.

If you’ve been on the Internet for more than a day, you probably noticed it’s a bit... angry. All the time. On its best days, there’s a thin layer of snark coating the famed series of tubes. On its worst days, well, the Internet tries to get someone fired for giving a game a 9/10 rating instead of a 10/10, or Anna Gunn has to write a New York Times op-ed about receiving death threats because people hate her Breaking Bad character.

According to a group of researchers at Beihang University in China, the problem might be intrinsic to the way people interact on the Internet. People are literally making each other angry on a daily basis. As reported in MIT Technology Review, Rui Fan, Jichang Zhao, Yan Chen, and Ke Xu culled data from Weibo—basically China’s version of Twitter. Over the course of six months, the team collected approximately 70 million posts from 200,000 users, then filtered the collection using emoticons. The team separated posts into four emotions: joy, sadness, anger, or disgust. Then they charted how much each emotion spread beyond its originator.

Sadness and disgust are not very influential—at least in China. Weibo users rarely shared depressed or disgusted posts with friends. Happiness fared a bit better. These posts saw more activity than their sad or disgusted brethren, and people who came into contact with happy posts were more likely to write their own cheerful posts afterward. But the king of cool? Our old friend anger. Angry posts have a strong tendency to spread at least three hops (degrees) away from a person’s network. Furthermore, those with angry friends become similarly irritated, write their own angry posts, and spread the cycle.

If these results replicate worldwide and aren’t confined to one Chinese social network, it means the Internet is essentially whipping itself into a frenzy each day simply because a few people woke up in a bad mood. Something to keep in mind the next time you write up that tweet about how angry you are when you’re late to work: You could be responsible for the entire Internet’s hatred that day. —By Hayden Dingman
TRENDLINES
Compiled by Anup Varier

Best Practices

Deep in the Net

The Internet started booming nearly two decades ago and, interestingly, it is still growing exponentially.

Few technologies have seen growth as explosive as the Internet’s in India. The KPCB 2013 Internet Trends report bears testimony to this fact. Its findings trace the growth story of the Internet in India and paint quite a rosy picture. According to the report, India ranks second in Internet user addition between 2008 and 2012. The country added 88 million Internet users, touching a current total of 137 million, with 26 percent year-on-year growth. On the other hand, India also has among the lowest Internet penetration: 11 percent, as opposed to the 42 to 49 percent of the other BRIC nations (Brazil, Russia, India, China).

The report also sheds light on the role of mobile devices in the Internet growth story. Mobile traffic as a percentage of global Internet traffic is at 15 percent, growing 1.5 times per year, and is likely to maintain that trajectory to reach 30 percent by the end of 2014. One interesting fact to note is that, with a base of over 67 million and year-on-year growth of 52 percent, India ranks fifth in the total number of smartphone subscribers. Ironically, that figure accounts for a mere 6 percent of the total mobile subscriber base in the country. Globally, digital information being created and shared in the form of photos, videos, audio and data is expected to reach a volume of 8 zettabytes (1 zettabyte = 1 trillion GB) by 2015.

1. Tackle the growing openness of Internet users.
2. Gear up for the next wave: even before the smartphone and tablet markets fully mature, the technology world is entering the cycle of wearables, drivables, flyables, and scannables.
3. Move mobility and BYOD to the top of your enterprise IT priorities list.
4. Expedite and strategize app development to ensure easier and quicker information consumption for end users.

Internet Penetration in the BRIC Region
Brazil: 45%
Russia: 49%
India: 11%
China: 42%

88 million: the total number of Internet users India added between 2008 and 2012.

SOURCE: KPCB 2013 INTERNET TRENDS
INDIA INNOVATING

SDDC and SDS: The Infrastructure of the Future

Manoj Mishra, Head-Infrastructure Engineering, Siemens Industry Software (India), explains why SDDC and SDS are going to be areas of focus in the near future and how they are redefining the storage landscape.

How has Siemens scaled its IT infrastructure in the last decade? What are the key milestones that you have touched?

Siemens Industry Software India is the Indian entity of Siemens PLM Software, which is a leading global provider of product lifecycle management (PLM) software. Siemens Industry Software India’s Pune office is the largest office worldwide, which started very small in the late 90s. The setup started with 20 people, 40 desktops, and five servers and has now scaled up to over 1,200 employees in the Pune office, over 400 physical servers across different OS platforms, over 600 virtual servers, database servers, and storage systems (NAS). This level of scaling of our IT infrastructure, in the last decade, has been smooth and that’s because of two reasons: our selection of the right technologies for our operations, and timely support from our IT partners and vendors. We have leveraged enhanced productivity and uptime through different solution providers, including NetApp. As a milestone, the Pune office has reached a level where it is critical and indispensable to the success of Siemens PLM Software as a global company.

How do you view the evolution of the software-defined datacenter (SDDC)? How will this help Siemens in the long run?

We are aware that cloud computing, big data, business analytics, and BI are important trends in the technology world today, and we all agree that these are, and will be, the differentiators contributing to the success of businesses. But let us understand that the scale of operations at which these technologies will work and continue to get stretched will have no limits. In order to sustain and continuously grow the outcomes beneficial to business, the underlying infrastructure has to offer agility, for which the traditional roadblocks imposed by hardware limitations, capabilities, and boundaries need to be broken. This is something which can be done successfully only at the software level and this is why we believe that the evolution and adoption of SDDC will play a key role in the success of our business. SDDC will also be a key player in breaking vendor lock-in or proprietorship, which has been a big hurdle for organizations. It will also drive vendor-independent architectures for unmatched scalability through seamless integration. SDDC is also poised to be one of the best solutions for integrating your existing legacy enterprise systems and new virtualized cloud computing infrastructure, offering seamless protection to existing investments. At Siemens Industry Software, we have already adopted virtualization and cloud computing in the form of IaaS, and increasing the SDDC footprint is our target in order to derive optimized infrastructure benefits.

In your opinion, why aren’t major datacenter and enterprise players making the big leap to SDDC? What are the fears and challenges that have to be surmounted in order to scale up to the next level?

At the outset, big-leap adoption of SDDC requires certain fundamental technological building blocks to be well laid out and well integrated. These basic building blocks are server virtualization, network virtualization, and storage virtualization. All organizations are at different levels of the adoption curve as far as these basic building blocks are concerned. Also, laying out a good framework for implementation of these building blocks is in itself quite challenging. Also, these technologies come with a steep learning curve for IT teams, which involves deep knowledge and skills; cross-platform expertise is another challenge. While OEMs and vendor partners are trying their best and supporting organizations to make this shift, it is going to be a slow and steady, but perfect, move. The fears and challenges that should be addressed are many. These include technological learning curves, existing investment protection, openness across OEMs and technologies for better integration, information security, and current infrastructure limitations.

Large service providers can use the strength of SDN, SDDC, and SDS to give value-added services to their customers. How will Siemens leverage these tools?

Large service providers are the first level of adopters for SDDC and can use its strength in offering value-added services. We believe that it will be widely adopted and accepted in the Indian context. Customers in India recognize and acknowledge the strategic importance and competitive advantage of better time-to-market and hence are not concerned with whether the services are coming as a result of traditional methods or through adoption of SDDC by large service providers. This is very much applicable to us as well, because time-to-market and value-to-market are of utmost importance to us as they give us competitive advantage.

How critical is Software Defined Storage for you as a conglomerate? How will you make the transition to SDS?

Software Defined Storage involves separating the storage capabilities and services from the storage hardware. By doing so, SDS helps with increased flexibility, automated management, and cost efficiency. SDS becomes important for us because the pooled storage infrastructure resources in an SDS environment can be automatically and efficiently allocated to match the application needs of an enterprise. Currently, in order to realize the full potential of our internal private clouds, we are working towards removing the complexity and rigidity at infrastructure levels. For this, we are considering gradual evaluation and adoption of software-defined networking and software-defined storage. These are at very initial stages right now. And so we will have to wait and watch.

CUSTOM SOLUTIONS GROUP NETAPP

The Virtues of Software-defined Datacenters

In the near future, software-defined datacenters will establish an open-ended environment for innovation.

You know the story of how the Internet was created: The military wanted a redundant “network of networks” and figured out how to do it with a new protocol using existing networking equipment. Something nearly as historic is happening now, again using existing infrastructure: the software-defined datacenter. The key enabler of the software-defined datacenter is virtualization. You can now virtualize and pool the three key components of computing: servers, storage, and networking. At the same time, we are reaching a critical mass of sophistication in being able to slice, dice, and compose those pooled virtual resources. The least mature technology to enable the software-defined datacenter has been network virtualization. But work is under way to allow virtual networks to be provisioned, extended, and even moved within and across physical networks as quickly and easily as we now create and migrate virtual servers.

What does it mean to be able to create software-defined datacenters? Imagine if, based on the requirements of key applications, you could wave a mouse and provision a datacenter to match, configuring pooled resources to meet those requirements point by point. Multiple software-defined datacenters could use overlapping physical infrastructure so that each tenant could have its own virtual network with its own authentication and authorization scheme, without the availability and scalability limitations of conventional VLANs. As network virtualization matures, the software-defined datacenter will establish an open-ended environment for innovation.
alert
ENTERPRISE RISK MANAGEMENT
You Could Be Next!

It’s every CTO’s worst nightmare. When Bruce Tonkin, CTO of the world’s sixth largest domain registrar, Melbourne IT, woke in Melbourne on Wednesday, August 28, to learn that some of his biggest clients, including the New York Times and Twitter, had been hacked, it was not a good start to the day. And a US-based reseller was responsible. Staff of the unnamed reseller “unwittingly” responded to a spear phishing attack, which allowed attackers to access sensitive information, including usernames and passwords. These were used to access the reseller’s account on Melbourne IT’s systems. As a result, the global media were banging down Melbourne IT’s door.

“It’s the worst nightmare when I hear that there has been a security breach, but it’s an even bigger nightmare for the CIO of the company that has been breached,” says Tonkin. “I feel for the customers more than anything else. The CIO would have been frantic. They were probably looking for someone who had accessed their website.”

The New York Times and Twitter had been the victims of an elaborate spear phishing attack by pro-Assad regime “hacktivists”, the Syrian Electronic Army. Spear phishing is a targeted phishing attack in which attackers zero in on individuals they have identified as having access to the sites they want to infiltrate. In this case, they spoofed the e-mail address of somebody familiar to the reseller’s staff and sent out an e-mail with a link to what looked like a news story. Staff then “unwittingly” entered their login details.

Flip-flopping

Tonkin says he was made aware of the breach through a US reseller partner. “The reseller said a change had been made to the DNS record and that they were having trouble changing it back,” says Tonkin. “It was flip-flopping. We saw it was modified and moved it into a registry lock. It took an hour or two to analyze what was happening and we identified a spear phishing e-mail. We are now going to make a couple of changes on the security side, but the big thing is educating our staff to be very aware of spear phishing types of e-mails,” he adds.

Tonkin says commonly targeted websites, such as those of big IT companies, banks and government, were already on permanent registry lock. This effectively puts the domain into manual mode: changes to its record at the registry have to be requested and verified out of band and applied by staff, rather than made through the registrar account that the phished credentials unlocked. It also costs more. “The issue is if names were on registry lock, the changes would not have been made,” he says. “Unfortunately, it’s often when people are attacked that they take up higher security.”

The message is stark: it could happen to you, and to your customers, big or small. The Ponemon Institute’s 2013 Cost of Data Breach Study showed that on average, Australian and US companies had data breaches that resulted in the greatest number of compromised records (34,249 and 28,765 records, respectively), closely followed by India, where the figure stood at 26,586.

Kiandra IT security specialist Daniel Weis says it is a “wake up” call for the industry. “This incident has reinforced that integrators can no longer maintain the ‘It won’t happen to us, why would we be a target’ mentality,” he says. “Every company, not just resellers, should be concerned about this. Resellers in particular have to take an extremely proactive approach, because we are a prime target.”

Threat on the Rise

Weis says the threat is “definitely” on the rise. But despite that, most organizations have a major lack of awareness training, monitoring, and protection mechanisms, he says. “No one wants to do business with a company that has been hacked. Sometimes, a breach is all it takes to completely destroy a company’s reputation. The scary reality is you can’t stop a hacker, but you can make it as difficult as possible for them to compromise your organization with a multi-layered approach to mitigate security breaches, including intrusion prevention systems and security assessments in addition to the more traditional anti-malware and filtering solutions. Incident response and containment should also form a major part of IT security policies.”

IDC analyst Vern Hue says that, while there was bound to be “finger-pointing”, now is the time for the industry to examine its security posture and to make sure the relationship between vendors and resellers remains a stable and co-operative one. “Needless to say, Melbourne IT has a lot to answer for and it will need to re-examine a lot of its policies,” he says. “However, there is a lot of reputation at stake here and attacks like these are not unique to Melbourne IT and it won’t be long before there is a similar case so we really need to be vigilant here. Remember, your IT security is as strong as your weakest link.”

Vendor and partner security has always been a weak point in overall information security, according to Ashutosh Kapse, consulting services general manager at Southern Cross Computer Systems. “The partner is a ‘trusted’ entity by the target organization and sometimes can work as an ‘easy’ point of entry,” he says. This incident has highlighted the issue and given it prominence. Resellers generally hold at least some critical customer data on their networks: customer network details, IP addresses, configuration details, architectural diagrams and so on. All of these could be used by hackers to perpetrate further attacks. CIO

FINDINGS
Prudent about Privacy

Contrary to popular belief, a good number of Indian organizations do invest time and effort in making sure employees do not compromise data privacy. These figures corroborate the fact.

Ways to Ensure Privacy Compliance
Requiring employees to certify in writing: 61%
Requiring employees to complete training in privacy policies: 66%
Imposing disciplinary measures for privacy violations: 61%
Accurate inventory of locations where data is stored: 57%
Employing a chief privacy officer or a similar executive: 70%

31% of organizations require even third parties, including outsourcing vendors, to comply with their privacy policies.

SOURCE: Global Information Security Survey 2013
Brian Karlovsky is a senior journalist for IDG Communications. Send feedback to editor@cio.in
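Two checks that follow directly from the incident above, written here as an added example (this is not Melbourne IT's or the reseller's tooling). The first reads the EPP status codes that RDAP and WHOIS publish for a domain and tells registry lock (the server-side prohibitions, which only the registry lifts, through a manual out-of-band process) apart from a registrar-only lock (client-side prohibitions, which the registrar account that was phished here can clear). The second diffs a trusted baseline of the domain's NS and A records against later snapshots and counts how often they change, which is the "flip-flopping" the reseller reported. The status strings, record snapshots and hostnames are constructed for the demo.

```python
"""Registry-lock classification and DNS-drift detection for a customer domain.

Added example for the Melbourne IT spear-phishing story; not the registrar's code.
Status codes follow the EPP names that RDAP/WHOIS expose. All data is constructed.
"""
import re
from typing import Dict, Iterable, List

# Set by the registry; a registrar account cannot remove them (this is "registry lock").
SERVER_LOCKS = {"serverupdateprohibited", "serverdeleteprohibited", "servertransferprohibited"}
# Set by the registrar; anyone holding the registrar/reseller credentials can remove them.
CLIENT_LOCKS = {"clientupdateprohibited", "clientdeleteprohibited", "clienttransferprohibited"}

Records = Dict[str, List[str]]  # record type -> values, e.g. {"NS": [...], "A": [...]}


def _canonical(status: str) -> str:
    """RDAP spells a status 'server update prohibited'; WHOIS spells it
    'serverUpdateProhibited', often followed by an ICANN EPP URL. Reduce both
    to one lower-case token so the comparison does not depend on the source."""
    return re.sub(r"[^a-z]", "", status.split("http", 1)[0].lower())


def lock_level(statuses: Iterable[str]) -> str:
    """Classify the strongest protection the status list shows."""
    present = {_canonical(s) for s in statuses}
    if SERVER_LOCKS <= present:
        return "registry"           # full registry lock: all three server-side prohibitions
    if present & SERVER_LOCKS:
        return "partial-registry"   # some server-side prohibition, but not the full set
    if present & CLIENT_LOCKS:
        return "registrar"          # a lock the phished registrar account could undo
    return "none"


def dns_drift(baseline: Records, observed: Records) -> Dict[str, Dict[str, List[str]]]:
    """Per record type, which values disappeared and which appeared vs the baseline."""
    drift = {}
    for rtype in sorted(set(baseline) | set(observed)):
        before, after = set(baseline.get(rtype, ())), set(observed.get(rtype, ()))
        if before != after:
            drift[rtype] = {"removed": sorted(before - after), "added": sorted(after - before)}
    return drift


def flip_flop_count(snapshots: List[Records]) -> int:
    """Number of snapshot-to-snapshot changes. More than one inside a short window
    means two parties are fighting over the record, as in the story above."""
    return sum(1 for a, b in zip(snapshots, snapshots[1:]) if dns_drift(a, b))


if __name__ == "__main__":
    # Constructed WHOIS output for a domain protected only at the registrar.
    whois_statuses = [
        "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
        "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    ]
    print("lock level:", lock_level(whois_statuses))

    # Constructed snapshots: delegation moved to hypothetical attacker nameservers.
    baseline = {"NS": ["ns1.registrar.example", "ns2.registrar.example"], "A": ["192.0.2.10"]}
    hijacked = {"NS": ["ns1.attacker.example", "ns2.attacker.example"], "A": ["192.0.2.10"]}
    print("drift:", dns_drift(baseline, hijacked))
    print("changes seen:", flip_flop_count([baseline, hijacked, baseline, hijacked]))
```

A domain that only ever reports `client*Prohibited` statuses is exactly as safe as the weakest registrar or reseller login that can reach it; the check is worth running across a customer portfolio before an incident rather than after one.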
[ON HOW SURVEILLANCE INITIATIVES CANNOT SHAKE THE FOUNDATION OF THE INTERNET]
“We can’t allow genuine concerns about cybersecurity to be used as a pretext for intrusive government regulation. That suppresses freedom of expression. The Internet has become what it’s become despite governments which have the power to damage it.” — FRANCIS MAUDE, BRITAIN’S MINISTER FOR THE CABINET OFFICE
CUSTOM SOLUTIONS GROUP HP

EXECUTIVE VIEWPOINT
Redefining Enterprise Security Solutions

New technology trends in enterprise IT bring a world of security challenges. Here’s how HP can help your organization create a strong security backbone.

Calvin Hoon, Regional Director & GM for South Asia & India, Enterprise Security Products, HP Asia Pacific Japan

How do you map the current landscape of enterprise security attacks?

The modern security breach market has a very specific behavior. While breaching an organization, cyber criminals work in an organized way. Today, individuals are becoming smarter with access to more sophisticated tools. Their main targets are large sectors such as government, financial services, and telcos, but small retailers and medium businesses without sophisticated security measures are more vulnerable to attacks as well. About 85 percent of breaches in the enterprise segment today come from the mass market. Newer technologies such as cloud, mobility, and big data initiatives are the other pet avenues for cyber criminals.

How is HP reinventing security solutions for newer types of attacks?

The most vulnerable part of a company—the cause of more than 80 percent of all breaches today—is the application side. HP provides Fortify security technology, which proactively identifies and eliminates the immediate risk in legacy applications; ArcSight technology, which improves visibility and monitors user activity to detect advanced and insider threats; and the TippingPoint platform of next-generation intrusion prevention systems, which ensure protection across network devices, VMs, OSes and business-critical applications. HP is trying to make a shift in people’s minds regarding security by providing platform integration to manage risk, security monitoring to detect incidents, and helping companies to be proactive rather than reactive.

Big data is gaining a lot of attention these days. How is it relevant to security?

As a marketing tool, big data is gaining a lot of attention. But it is incredibly relevant in the security space as well. By looking at user behavior, we can get a lot of information regarding security threats. For example, if a user is behaving differently from usual, you can spot some loopholes in security. With big data processing platforms, like HP’s core engine, you can process a lot of data to gain security insights. To strengthen our existing portfolio of security solutions for big data, HP has introduced a series of updates including HP ArcSight Threat Detector 2.0 with out-of-the-box threat profiles and threat profile intelligence, and HP ArcSight Threat Response Manager 5.5 with cloud-ready, closed-loop capabilities for accelerated threat detection and response to mitigate APTs. In addition, HP ArcSight IdentityView 2.5 has been enhanced with expanded correlation of user identity, roles, and activities across events and security incidents.

Mobility is one of the top trends today. How is HP helping enterprises manage risks associated with it?

Mobility is bringing new OSes and platforms into enterprise systems. With the new platforms, the enterprise IT team has to manage a variety of user-deployed unknowns, which will also bring in a lot of vulnerabilities. As the number of users increases, vulnerabilities will also increase. Thus, in a large organization with a huge number of users, IT managers will find it difficult to manage users and network access, protect sensitive assets, etc. This calls for a sea change in IT network security. HP is helping companies attain this high visibility with its Fortify and TippingPoint technologies.

What security challenges would enterprises face in the next few years?

There will be increased connectivity: Everything will be connected to everything over time, and networks will expand. There will be a ten-fold increase in the number of things that are going to be connected in the next few years. However, security measures for this are insufficient. There should be better understanding about the network and there should be greater visibility. Also, there should be stronger identity and access control for information protection. There should be better control for information movement as well. HP is actively working in this space.

Additional information about HP Enterprise Security Products is available at www.hpenterprisesecurity.com

This interview is brought to you by IDG Custom Solutions Group in association with
Invisible Attacker

A team of security researchers from the US and Europe has released a paper showing how integrated circuits used in computers, military equipment and other critical systems can be maliciously compromised during the manufacturing process through virtually undetectable changes at the transistor level. As proof of the effectiveness of the approach, the paper describes how the method could be used to weaken the hardware random number generator on Intel’s Ivy Bridge processors and the encryption protections on a smartcard without anyone detecting the changes.

The research paper is important because it is the first to describe how someone can insert a hardware trojan into a microchip without any additional circuitry, transistors or other logic resources, says Christof Paar, chairman for embedded security, Department of Electrical Engineering and IT at Ruhr University in Germany. Hardware trojans have been the subject of considerable research since at least 2005, when the US Department of Defense publicly expressed concerns over the military’s reliance on integrated circuits manufactured abroad, Paar says. Often, the individual circuit blocks in a single microchip are designed by different parties, manufactured by an offshore foundry, packaged by a separate company and distributed by yet another vendor. This kind of outsourcing and globalization of chip manufacturing has led to trust and security issues, the paper notes. Over the years, more attention has been paid to finding ways to detect and defeat hardware trojans deliberately introduced during the manufacturing process, especially in the case of chips used for military and other critical applications. Somewhat surprisingly, less attention has been paid to how someone might build and implement such hardware trojans in the first place, he says.

Previous research papers have described hardware trojans consisting of small to medium-sized blocks of extra logic added to a chip at the hardware description language (HDL) stage of the design flow. In contrast, the latest research shows how a hardware trojan can be introduced at a later stage, by changing the “doping” of a few transistors on the chip. Doping is a process for modifying the electrical properties of silicon by introducing tiny amounts of impurities such as phosphorus, boron and gallium into the crystal. By switching the doping polarity of a few transistors, parts of the integrated circuit no longer work as they should, while the layout, the transistor count and the wiring remain exactly as designed. Because the changes happen at the atomic level, “the stuff is hard to detect,” Paar says. “If you look at it optically there is nothing different,” so the trojan is resistant to most detection techniques.

Security researcher and cryptographer Bruce Schneier calls the sabotage the researchers describe “undetectable by function testing and optical inspection.” There are several other scenarios where an integrated circuit can be modified to make it function in an unexpected fashion, he said. Detecting the modifications would require an additional level of testing of circuits, he added. CIO

Jaikumar Vijayan covers data security and privacy for CSO. Send feedback to editor@cio.in.
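A toy model of the consequence the article describes, added here as an example; it is not the researchers' implementation and does not reproduce the Ivy Bridge circuit. It models only the effect the paper claims: a random number generator whose outputs still look random to functional testing but whose entropy has been quietly reduced to a size an attacker can brute-force. The healthy RNG returns fresh 128-bit values; the "trojaned" one pushes a secret of only HIDDEN_BITS bits and a counter through a one-way conditioner (SHA-256, standing in for the real AES conditioning stage). Both pass a frequency test, because the conditioner output looks uniform however little entropy went in; only someone who knows the construction can tell the difference, by recovering the secret. HIDDEN_BITS is chosen for the demo; the article gives no figure for the real attack.

```python
"""Why a dopant-level RNG trojan passes functional tests: toy model, added example.

Not the paper's design. SHA-256 stands in for the AES conditioner, HIDDEN_BITS is a
demo parameter, and the 'healthy' RNG is just os.urandom.
"""
import hashlib
import os
import struct
from typing import List, Optional

HIDDEN_BITS = 16  # demo value: 2**16 conditioner calls is a fraction of a second


def conditioner(secret: int, counter: int) -> bytes:
    """128-bit output that depends only on (secret, counter): uniform-looking
    regardless of how little entropy the secret actually carries."""
    return hashlib.sha256(struct.pack(">QQ", secret, counter)).digest()[:16]


class HealthyRNG:
    def next(self) -> bytes:
        return os.urandom(16)


class TrojanedRNG:
    """Same interface and output width as HealthyRNG; the only difference is that the
    entropy source has been silently narrowed to HIDDEN_BITS."""

    def __init__(self, secret: Optional[int] = None) -> None:
        if secret is None:
            secret = int.from_bytes(os.urandom(8), "big") % (1 << HIDDEN_BITS)
        self.secret = secret
        self.counter = 0

    def next(self) -> bytes:
        out = conditioner(self.secret, self.counter)
        self.counter += 1
        return out


def monobit_ok(samples: List[bytes], tolerance: float = 0.02) -> bool:
    """Crude functional test: the fraction of 1 bits should sit near 0.5.
    Both RNGs pass it, which is the point: statistics cannot see missing entropy."""
    ones = sum(bin(byte).count("1") for s in samples for byte in s)
    total = 8 * sum(len(s) for s in samples)
    return abs(ones / total - 0.5) < tolerance


def recover_secret(outputs: List[bytes]) -> Optional[int]:
    """Attacker who knows the construction tries every secret until the observed
    outputs (assumed to be counters 0..n-1) match: 2**HIDDEN_BITS work, not 2**128."""
    for guess in range(1 << HIDDEN_BITS):
        if all(conditioner(guess, i) == out for i, out in enumerate(outputs)):
            return guess
    return None


def predict_next(secret: int, outputs_seen: int) -> bytes:
    """Once the secret is known, every future 'random' value is predictable."""
    return conditioner(secret, outputs_seen)


if __name__ == "__main__":
    healthy, trojaned = HealthyRNG(), TrojanedRNG()
    print("healthy passes monobit :", monobit_ok([healthy.next() for _ in range(256)]))
    stream = [trojaned.next() for _ in range(256)]
    print("trojaned passes monobit:", monobit_ok(stream))
    secret = recover_secret(stream[:2])  # two outputs pin the secret down
    print("secret recovered       :", secret == trojaned.secret)
    print("next output predicted  :", predict_next(secret, len(stream)) == trojaned.next())
```

The brute-force step is what "an additional level of testing" would have to look like in practice: a known-answer check against the design's own specification, not a statistical test on the output, which is equally happy with both generators.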
Bank on Me, NOT!

A Barclays Bank employee has received a fine of £3,360 (about Rs 3.39 lakh) for illegally accessing customer data. Jennifer Addo, 27, was prosecuted under section 55 of the Data Protection Act for 23 offences, including passing on details of a customer’s children. The bank was initially alerted when the customer contacted the bank to report that information taken from his account had been passed on to his partner at the time. Following an investigation launched by Barclays, it was discovered that Addo had illegally accessed the customer’s details on 22 occasions between 10 May 2011 and 8 August 2011. Addo had contravened Barclays’ staff rules, which state that employees should not access customer accounts unless required. She was subsequently fired from her role at the bank as a result of the findings of the investigation. ICO head of enforcement Stephen Eckersley highlighted the risks to data security, despite the efforts of banks, and called for stronger punishments to deter offenders. “The banking industry has rigorous procedures and safeguards in place to make sure customers’ details are kept secure,” he said. “However banks rely on the honesty and professionalism of their staff to ensure that the privileged access given to their records is not abused for personal gain.” —By Matthew Finnegan
TM Arun Kumar
FRANKLY SPEAKING
The Indian Idle Does rapid advancement in technology make us smart or dumb? Will it create jobs for us or make us unemployed? Or will it simply make us idle, obese, and redundant?
What does all the advancement in technology mean to us as humans? Well, on the one hand it makes life easier and simpler, like doing a banking transaction while slouching on your couch with a handheld device, or charting a route to your holiday destination while driving to it. Or doing many similar things which, in earlier times, would have meant paying a visit to a place or two or speaking with a couple of perfect strangers.

On the other hand, does this advancement in technology make us lazy and idle? Perhaps that is also equally true. We are no longer on our feet as much as we used to be. That’s all thanks to a lack of the need to move much more than just our fingers for many things. Forget the good old TV remote; today even toilets are smart—they flush themselves! But smart TVs and smart toilets are just the proverbial tip of the iceberg. There is more to come. All kinds of gadgets and appliances, from light bulbs to refrigerators, are turning smart: If there is no one in the room, the light will automatically switch off; when the milk is running low, the refrigerator will automatically place an order for more milk at the grocer. All done without human knowledge, let alone intervention. How smart, indeed.

And if these aren’t enough, in the not-so-distant future we may not even need to drive our cars ourselves. Thanks to Google’s self-driving cars—and the traditional auto makers are also acquiring this technology fast—coupled with maps from Google or Garmin or other such providers, getting from point A to B might just mean sitting in a car and pushing a few buttons, or perhaps just giving verbal instructions.

So, what will we humans do? With technology driving up productivity and efficiency and, in many cases, simply replacing humans, will the advancement in technology also make humans less employable in future?

In their book Race Against the Machine, Erik Brynjolfsson, a professor at the MIT Sloan School of Management, and co-author Andrew McAfee, associate director of the MIT Center for Digital Business at the Sloan School of Management, argue that impressive advances in computer technology—from improved industrial robotics to automated translation services—are largely behind the sluggish employment growth of the last 10 to 15 years. They believe that rapid technological change has been destroying jobs faster than it is creating them, contributing to the stagnation of median income and the growth of inequality in the United States. And, they suspect, something similar is happening in other technologically advanced countries as well.

According to them, for the last 15 years or so, while productivity has continued to rise robustly, employment has suddenly wilted, meaning economic growth with no parallel increase in job creation. They call this the ‘Great Decoupling’ and hold technology to be behind both the healthy growth in productivity and the weak growth in jobs. They say that digital technologies allow for the substitution of less-skilled and less-educated workers. And as computers and robots get more and more powerful while simultaneously getting cheaper—and readily available—this phenomenon spreads, to the point where economically rational employers prefer buying more technology over hiring more workers. And the situation will only accelerate as robots and computers learn to do more and more, and take over jobs that we currently think of not as ‘routine,’ but as requiring a lot of skill and/or education.

But this doesn’t end with the replacement of blue-collar jobs. W. Brian Arthur, a visiting researcher at the Xerox Palo Alto Research Center’s intelligence systems lab and a former economics professor at Stanford University, calls this the “autonomous economy.” It’s far more subtle than the idea of robots and automation doing human jobs, he says. It involves “digital processes talking to other digital processes and creating new processes,” enabling us to do many things with fewer people and making yet other human jobs obsolete. He says that digital versions of human intelligence are replacing even those jobs once thought to require people. “It will change every profession in ways we have barely seen yet,” he warns.

So, does rapid advancement in technology make us humans smart or dumb? Will it create jobs for us or make us unemployed? Or will it simply make us idle, obese, and redundant? The jury is out, and perhaps our children or grandchildren will find the answer. But it’s certainly worth thinking about.

Arun has covered the IT industry in India since the time the 80386 was cutting edge, MS-DOS was the predominant desktop OS, and the Internet was still a few years away. Follow him on Twitter @aruntm
OCTOBER 15, 2013 | REAL CIO WORLD
NOVEMBER 26-28, 2013 | KOCHI | 3 DAYS/3 NIGHTS
WHERE INDIA’S IT ROADMAP GETS DECIDED!
The Ultimate Technology Showcase
The Year Ahead is the most popular forward-looking assembly of leading CIOs and IT heads, where they examine the latest trends in technologies and deliberate on their IT roadmap for the coming 12 months. CIO is pleased to announce the seventh edition of the program this November. The program will be hosted in Kochi, where India’s leading CIOs will be exposed to 12 special technology sessions that will shape their IT roadmap for 2014. All this while ensuring that they have a lot of fun along the way. By Invitation Only.
4 FOCUS AREAS: EVOLVING THE ROLE OF THE CIO | MANAGING OUTCOME-BASED IT | HANDLING USER DELIGHT | DRIVING CUSTOMER CONNECT
12 TECH SPOTLIGHTS: ANALYTICS | BIG DATA | BYOD | CLOUD | COLLABORATION | CONSUMERIZATION | CONVERGED INFRASTRUCTURE | DATACENTER 4.0 | MANAGED SERVICES | SECURITY | SOFTWARE DEFINED | TRANSFORMATION | VIRTUALIZATION 3.0
For further details, visit www.cioyearahead.in
Gunjan Trivedi
LEADING EDGE
The Final Shodan! A search engine of connected devices is currently being used as a penetration-testing tool. But it has the potential to expose you to the dark underbelly of the Web. Beware!
Shodan. I first heard this term many, many moons ago, probably just before I got into one of those fights that were famously arranged during recess at our all-boys Catholic school. A bullying remark here and a bruised ego there was all it needed to stoke the fire in such school fights. My opponent was a shodan-rank black belt in Shotokan, a style of karate. I, on the other hand, was fresh out of a summer training camp that had boxing on its curriculum, and had just begun my tryst with powerlifting.

Almost 18 years later, I heard the term all over again. But this time it was in a bizarrely different scenario. It had nothing to do with the word that means ‘first’ or ‘beginning’ in Japanese. This time, it sounded sinister and potentially much more dangerous. In fact, an article earlier this year in CNN Money dubbed Shodan the scariest search engine on the Internet.

For the uninitiated, Shodan (www.shodanhq.com) searches for devices that are connected to the Internet. It can be loosely described as a Google for the Internet of Things. While regular search engines index content, Shodan crawls the Web to identify devices that can be accessed publicly, perhaps with enough vulnerability to sneak in. Mike Wheatley’s article published in SiliconANGLE states that it primarily focuses on SCADA (supervisory control and data acquisition) systems, and is capable of finding anything from standalone workstations to wide-area networking configurations. TechnoBuffalo’s Adriana Lee goes on to say that, using the search engine, someone even discovered the command and control systems for a nuclear power plant and a particle-accelerating cyclotron, as well as a French hydroelectric plant and a city traffic control system. In fact, the online traffic system was found to be easily manipulated—a user could have put it in ‘test mode’ by entering a simple command—despite the ‘Death May Occur’ warning on the opening screen of the system.

However, the privately developed search engine—ironically named after the main antagonist of the System Shock video game series, who has been voted one of the best villains of all time—isn’t an illegal endeavor. All it does is collate and display information that is readily available in the public domain. Aaron Weiss of eSecurity Planet explains how. He writes in his article:

When you connect to a server listening on a given port, the server usually responds with a ‘banner,’ which is a block of text with details about the service. What Shodan’s crawler does is query IP addresses around the world, looking for and saving banner responses at several common ports. Shodan lets users query keywords in these banners, filtered by metadata like port and IP address or domain name. Any vulnerability revealed by Shodan comes down to the information in the banners.

In his interview with Vice, Shodan’s creator John Matherly admitted that its usage has evolved far beyond what it was created to do: allow companies to track where their software is being used. Now, he believes, Shodan has ended up being used to provide an empirical basis for security analysts’ arguments. And, since Shodan isn’t an anonymous service, it does keep criminals away.

Interestingly, Weiss says that Shodan is not the only way for hackers to discover these devices. Even though Google indexes content rather than server banners, hackers have long known that particular query strings can reveal misconfigured devices. These query templates are known as “Google dorks” and they long predate Shodan. According to Lee, Shodan is used for the most part by security professionals, researchers and law enforcement, who typically employ the service to alert companies about these security vulnerabilities. But that doesn’t mean some rogue Shodan user won’t do harm, she warns.

I distinctly remember ending the school fight with that shodan in a jiffy. After a blatant display of high kicks and fast moves, it was all over with a massive shoulder push and a relatively damaging right hook to the chin. I am sure it will take more than that now, as devices get increasingly connected to the Internet and tools like Shodan lower the barrier significantly, making their discovery easier. Beware!

Gunjan Trivedi is executive editor at IDG Media. He is an award-winning writer with over a decade of experience in Indian IT. Before becoming a journalist, he had been a hands-on IT specialist, with expertise in setting up WANs. Reach him at gunjan_trivedi@idgindia.com
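Weiss’s point is that everything Shodan knows comes from the banner a service volunteers, so the useful defensive exercise is to look at your own banners the way its index would. The following is an added example, not code from the column, from Shodan or from any vendor it mentions: it parses banner text captured from an organisation’s own hosts into the fields a Shodan-style index keeps (port, product, version, trailing details) and reports what each one gives away. The banners are constructed samples, the hardening hints name the products’ own configuration directives, and nothing here touches the network.

```python
"""Offline review of service banners: what a Shodan-style index would record.

Added example (not the column's or Shodan's code). The banners are constructed
samples standing in for captures from an organisation's own hosts; nothing
here talks to the network.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample banners keyed by port (hypothetical host, not real captures).
SAMPLE_BANNERS: Dict[int, str] = {
    21: "220 ProFTPD 1.3.3 Server (Debian) [::ffff:10.0.0.5]\r\n",
    22: "SSH-2.0-OpenSSH_5.3\r\n",
    80: ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n"
         "Content-Type: text/html\r\n\r\n"),
    443: "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
}

# One pattern per banner style; each captures the product and, if present, the version.
BANNER_PATTERNS = [
    # SSH identification string, e.g. "SSH-2.0-OpenSSH_5.3"
    re.compile(r"^SSH-2\.0-(?P<product>[A-Za-z]+)(?:[_/](?P<version>[\w.]+))?"),
    # HTTP Server header line, e.g. "Server: Apache/2.2.15 (CentOS)"
    re.compile(r"^Server:[ \t]*(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>[\w.]+))?", re.M),
    # FTP greeting, e.g. "220 ProFTPD 1.3.3 Server (Debian)"
    re.compile(r"^220[ -](?P<product>[A-Za-z][\w-]*)(?:\s+(?P<version>\d[\w.]*))?"),
]

# Trailing tokens that leak more than the product name: "(CentOS)", "PHP/5.3.3", ...
EXTRA_TOKEN = re.compile(r"\([^)]*\)|\b[A-Za-z]\w*/[\w.]+")

# Mitigation hints keyed by product; the directives are the products' own config settings.
HARDENING_HINTS = {
    "Apache": "set ServerTokens Prod and ServerSignature Off to drop version and module details",
    "nginx": "set server_tokens off; so the version is not sent",
    "ProFTPD": "set ServerIdent off to replace the product/version greeting",
    "OpenSSH": "the SSH protocol requires an identification string; limit who can reach the port instead",
}


@dataclass
class BannerRecord:
    """The fields a Shodan-style index keeps per port."""
    port: int
    product: Optional[str]
    version: Optional[str]
    extras: List[str] = field(default_factory=list)  # OS/module strings beside the product


def parse_banner(port: int, raw: str) -> BannerRecord:
    """Turn raw banner text into a BannerRecord; unrecognised banners keep product=None."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(raw)
        if match:
            # Only the remainder of the matched line can carry extra details.
            rest_of_line = raw[match.end():].split("\n", 1)[0]
            return BannerRecord(port, match.group("product"), match.group("version"),
                                EXTRA_TOKEN.findall(rest_of_line))
    return BannerRecord(port, None, None)


def assess(record: BannerRecord) -> List[str]:
    """Findings for one banner from the defender's side: what is searchable, and what to change."""
    findings: List[str] = []
    if record.product is None:
        return ["unrecognised banner; review manually"]
    if record.version:
        findings.append(f"{record.product} discloses version {record.version} "
                        "(searchable by product and version)")
    if record.extras:
        findings.append("extra details disclosed: " + ", ".join(record.extras))
    hint = HARDENING_HINTS.get(record.product)
    if findings and hint:
        findings.append("mitigation: " + hint)
    return findings


def review(banners: Dict[int, str]) -> Dict[int, List[str]]:
    """Assess every captured banner; an empty list means only the product name is exposed."""
    return {port: assess(parse_banner(port, raw)) for port, raw in sorted(banners.items())}


if __name__ == "__main__":
    for port, findings in review(SAMPLE_BANNERS).items():
        print(f"port {port}:")
        for line in findings or ["nothing beyond the product name is exposed"]:
            print("  -", line)
```

Feed it the banners your own hosts actually return and the empty lists tell you which services are already saying no more than they must.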
3 DAYS/3 NIGHTS
NOVEMBER 26-28, 2013
KOCHI
WHERE INDIA’S IT ROADMAP GETS DECIDED !
4
FOCUS AREAS
The Ultimate
Technology Showcase
EVOLVING THE ROLE OF THE CIO
The Year Ahead is the most popular forward looking assembly of leading CIOs and IT heads where they examine the latest trends
MANAGING OUTCOME - BASED IT
in technologies and deliberate on their IT roadmap for the coming 12 months. CIO is pleased to announce the seventh edition of the program this November. The program will be hosted in Kochi where India’s leading CIOs will be exposed to 12 special technology sessions
HANDLING USER DELIGHT DRIVING CUSTOMER CONNECT
that will shape their IT roadmap for 2014. All this while ensuring that they have a lot of fun along the way.
By Invitation Only.
+
12 TECH
SPOTLIGHTS
ANALYTICS BIG DATA BYOD CLOUD
For further details, visit www.cioyearahead.in
COLLABORATION CONSUMERIZATION CONVERGED INFRASTUCTURE DATACENTER 4.0
MANAGED SERVICES SECURITY SOFTWARE DEFINED TRANSFORMATION VIRTUALIZATION 3.0
Rodney Byfield
CLOUD COMPUTING
Cloud Spiel Sales personnel portray cloud computing to be a not-to-be-missed boon for organizations. But a profound technological perspective will paint a different picture.
Over the past year, I’ve had so many conversations about the merits of cloud computing. Many comments are along the lines of: “It’s so much better than on-premise computing or SaaS ever was” or “Cloud computing is young and needs time to mature.” But I don’t buy it. I now find sales pitches around cloud computing funny rather than irritating, but I do tend to think that often the majority of the “innovation” is in the sales pitch, not the service itself.

Many years ago, when I started in the IT industry, it was quite common to go through a period of “hazing.” I’m referring to “haze tasks” that we would ask of any new employee—silly yet amusing requests to go and grab a long weight from the store, some left-handed screws, stripy paint or a steam bucket. The intention was to frustrate, but it was also designed to test the mettle of the newcomer; to see how well they took the frustration and whether they could see the lighter side of it. So let me test the mettle of the cloud and try to frustrate its boundaries a little.

I’ll start with where cloud computing gets its momentum. The general consumer thinks the cloud is awesome. It’s a huge hit that connects mobile-to-mobile, mobile-to-app or mobile-to-app-to-mobile, offering multiple solutions from the end-user to the interface. Many of the social electronics utilize the cloud so heavily that if you disconnect them, they become somewhat useless. Don’t get me wrong, I’m all app’d up. In addition, the age group and social dissection of app users cannot be argued with: Tweens, teens, parents, and grandparents. And, with many apps being free, there is very little socio-economic favouritism. I feel pretty confident in saying that the consumer cloud has exceeded almost every expectation.

But the fact is that consumer solutions and corporate solutions have, at the core, very different focus points. While I agree that, at some level, they are starting to merge through initiatives such as BYOD, there will still always be the responsibility caveat for the enterprise that contains the issue of privacy and security. Most salespersons, at this stage, would start berating me with features/mobile access/ease of use and all the support options. Three of those options should be supplied regardless of the pitch, but the support option is one that is very important, alongside some others, which I have listed below:
Picking on Cloud Security
This tends to be a lengthy conversation and very quickly gets into severe tech speak, with bits flying and adding up all over the place until you have a 2048-bit twice-encrypted “how to make a sandwich.docx” that apparently is spread across datacenters from Amsterdam to Australia. Accordingly, safety is said to be in the sandwich spread. In theory, it’s very hard to piece it all back together due to the location diversity. Somehow, the portal you use seems to be able to tie all that remote, diverse information together in a millisecond—something that a hacker would have no hope of doing (you hope). Levels of security might not be a huge issue for some, but with the stringent standards on privacy, it is going to become necessary to prove how secure your data is in the cloud. This will require SLAs and NDAs that dictate what happens to your data in the cloud.
What Happens If You Want to Back Out of a Contract?
This is not only pertinent to your disaster recovery plan on the cloud, but also relevant for e-mail and documents which are stored with a third-party provider. How easy is it to migrate out of the cloud to another provider or back in-house? If you intend to store a lot of data, you had best make sure you understand this process before you start uploading. It will certainly affect how long it will take you to get your data out. There is a bevy of questions that can be tacked onto this line of questioning that should be covered off in any contract that you enter into. For instance, what happens if the cloud provider becomes insolvent? One thing’s for sure: Don’t ever make the cloud your only source for disaster recovery.

What Level of Physical Support Will You Receive?
Vendors seem to be pushing well away from the traditional “call a techie” helpdesk and more towards online chat, online tickets or e-mail. Phone support, in some cases, is now a paid extra. For many small to medium businesses, this may not be an issue. Nevertheless, you need to detail your internal requirements and make sure you get the level of support you need when it matters most. It’s worthwhile checking the around-the-clock support if you have the requirement, and making sure that the after-hours helpdesk is not just an overseas call center that logs a job for tomorrow’s techies.

Physical Access to the Cloud
Who exactly has physical and/or remote access to my data when it’s stored in diverse locations? This is a question that most cloud vendors can’t answer, and would rather walk away from than work out. The fact is that physical access is one of the worst kinds of security risks. If I don’t know who and how many people have physical access, then how can I determine the risk? I have no control over the people or persons employed by the cloud provider; this leads me to do more digging. One of the more important questions that came up when I was considering physical access is, “Who owns the datacenters?” I quickly realized after asking a few cloud vendors that many of them rented or leased rack space and datacenters from other providers. This adds an entirely different perspective on who has physical access.

Ultimately, whether the cloud is right or wrong is not the point. My intention is to help you understand whether it’s right or wrong for your organization. Having run the cloud around a bit, you should have a clear understanding of what your options are, as well as a clear definition of what your risks are in using certain providers, with a comparison of cost versus risk per provider. I can’t overstate how important this is; you are entrusting your company data to a third party and possibly more. As a leader within the business, it’s important that you make a clear decision based on well-thought-through information.
Rodney Byfield is CIO at Metro Tasmania. Send feedback to editor@cio.in
PARTNERSHIPS: WINNING THE POLE POSITION
CUSTOM SOLUTIONS GROUP: VMWARE
Going Virtual for Real Gain
Virtualization is still one of the best ways for companies to save costs and optimize their resource utilization. VMware’s expertise and its product portfolio are helping CIOs achieve just that.

Doing more with less has never been more in fashion than it is today. As businesses try to keep their heads above water in a bad economy, IT leaders are battling budget crunches. The need of the hour is to be resourceful and find ingenious ways to survive in a tough environment. One of the best ways to do that is to use existing resources optimally. And virtualization still stands as one of the best ways to achieve that. A favorite among CIOs who want to save costs and provide their businesses with scalability and flexibility, virtualization is the best bet in tough times. Some organizations have recognized the power of the technology and have implemented it. Today, virtualization has lived up to their expectations. Here are some IT leaders from India’s top firms who have implemented virtualization solutions and are reaping the benefits.

“We continue to evolve the SDDC architecture to address IT’s critical needs—enabling them to build infrastructure that is radically simpler and more efficient while delivering the agility and flexibility to support the velocity of their businesses.” B.S. Nagarajan, Director-System Engineering, VMware India SAARC

WINNER ROLL CALL

Company: KPIT Technologies
Benefit: VMware’s solutions helped KPIT enhance user productivity by allowing the company to implement BYOD and, at the same time, strengthen information security.
KPIT is a product engineering and IT consulting firm. Since 2011, the company has maintained a steady growth rate of more than 40 percent per annum. This had placed considerable stress on the company’s IT infrastructure. As a result, customer demands weren’t being met and it was becoming untenable to continually renew the physical infrastructure. To fix this, Mandar Marulkar, VP-IT, KPIT, turned to virtualization. He chose VMware to set up a private cloud architecture to support KPIT’s various business objectives. Marulkar also implemented vCenter Operations Manager to simplify the management of virtual machines. Today, software license compliance has become a much more manageable task, and KPIT can now quickly upgrade operating systems and deploy applications on a large scale. Now, provisioning new servers is only a matter of minutes. This has improved service delivery.
KPIT also chose to implement a VDI solution, to provide better performance to users and to implement better security across the organization. Marulkar implemented VMware’s Horizon View along with VMware Site Recovery Manager to automate DR. Users now have the flexibility to work from anywhere using any device without having to compromise on security. The company now runs around 1,600 virtual desktops. “This was one of the key projects for KPIT, which has substantially benefited user productivity and information security, and helped the organization carry out activities more efficiently,” says Marulkar.
“Virtualization has enhanced productivity and improved security, and helped the organization carry out activities more efficiently.” Mandar Marulkar, Vice President-IT, KPIT Technologies

Company: Zensar Technologies
Benefit: With VMware’s virtualization solution, Zensar Technologies can now implement projects for its clients much quicker than before.
Zensar Technologies is a global software services and solutions provider that employs over 6,500 associates, catering to the needs of over 400 customers. The company had set up an internal cloud called ZenCloud that was physically distributed between the Pune and Hyderabad delivery centers. Some of the physical servers used here were nearing end-of-life, so Sanjay Marathe, executive vice president and head-Business Transformation Group, Zensar, started looking for a virtualization solution to better optimize resource utilization. He chose VMware’s vSphere virtualization solution because, according to Marathe, VMware is the industry leader in virtualization. Another reason that prompted Marathe to opt for VMware was the need for a flexible solution. Since the company was running servers on both the Windows and Linux platforms, it needed a virtualization system that would support this hybrid environment. VMware’s vSphere solution helped the company by granting it the flexibility it needed. “Earlier, whenever we got a large order, the time taken to requisition the necessary hardware and software would be anywhere between five to six weeks. Now it can happen in one or two days,” says Marathe. VMware’s solution also helped the company control costs through the distributed power management functionality that shuts down servers by dynamically sensing their load, thereby saving power and cooling costs. By using the virtualization solution from VMware, Zensar has been able to keep its customers happy through faster provisioning.
“Earlier, it would take five to six weeks to turn around a large order. Now it takes only one or two days.” Sanjay Marathe, EVP & Head-Business Transformation Group, Zensar

Company: Mahindra Vehicle Manufacturers
Benefit: VMware’s vSphere and VCOPS together provided Mahindra Vehicle Manufacturers with a virtualization solution that was easy to use, scalable, and cost-effective. The company was able to save substantially and also create a new benchmark in the auto industry.
Mahindra Vehicle Manufacturers was set up in 2007 to push technology to the edge. It’s a greenfield facility at Chakan, near Pune, which manufactures Mahindra & Mahindra’s entire medium and heavy commercial vehicle range. Being a greenfield facility, the company was looking at doing things differently from the rest of the industry. To that end, the company wanted to deploy its factory automation application on a virtual platform. The virtualization platform which it chose, after considering all the possible solutions, was VMware’s vSphere. “We were looking for easy operability and support from the vendor, and we got exactly that from VMware,” says B. Venkatakrishnan, head IT-AFS Pune Hub, Mahindra Vehicle Manufacturers. The company implemented VMware’s vSphere in 2011, with the VCOPS functionality for monitoring the health of the virtual system being put in place in 2012. If the company had taken the traditional route to deploy its factory automation tool, it would have had to spend substantially more than it needed to in setting up about 40 servers. On top of that, it would have taken 90 days to procure and deploy them. Now, the company can run the factory automation app virtually by setting up just five physical servers, and save Rs 4 crore. Also, the period for procurement and deployment of servers has come down to less than 10 minutes. VMware provided Venkatakrishnan with a flexible, scalable, easy-to-operate solution that allows Mahindra Vehicle Manufacturers to save costs. “In the automobile industry today, people are using our project as a reference to implement similar projects,” says Venkatakrishnan.
“In the automobile industry today, people are using our virtualization project as a reference to implement similar projects.” B. Venkatakrishnan, Head IT-AFS Pune Hub, Mahindra Vehicle Manufacturers
security special
COUNTER ATTACK
It’s the festive season. It’s that time of the year when the country unites to celebrate the triumph of good over evil. In that spirit, there couldn’t have been a better time for CIOs and CISOs to sound the bugle and declare war on the biggest, strongest, and most powerful enemies of information security. Today, the list includes a weak economy—that has increased security threats—budget crunches, and a harsh business environment. And at the same time, enterprises are grappling with BYOD, mobility, insider threat, security awareness, and funding. This multiple-front war has toughened CISOs. And, in small pockets within corporate walls, a revolution is stirring up. CISOs are fighting back and giving security more importance. According to the Global State of Information Security Survey 2013, conducted by CSO magazine (CIO’s sister publication) and PwC, 73 percent of Indian executives say security spending will increase by 10-30 percent in the next 12 months. What’s more? Over 60 percent of Indian organizations have cyber insurance—a concept that’s unheard of in India. That's just a sampling. Read on to find out how CISOs are leveraging the growing maturity of the security function to beat information security’s five biggest challenges.

Inside: Security Awareness 38 | Insider Threat 41 | Mobile Security 44 | Budgeting 47 | BYOD 50
Reader ROI: Why this is a good time to up the security ante; Ways to get around information security's top bugbears.
Security Awareness
SEVEN REASONS FOR SECURITY AWARENESS FAILURE
Most security awareness programs are rife with problems, but it doesn't have to be that way. Eliminate these seven mistakes and be on your way to an effective program in your organization.
BY IRA WINKLER AND SAMANTHA MANKE
There is a great dichotomy in security awareness. Most CSOs believe that one of their top priorities is to improve their organization's security culture—in other words, the behavior of their users. Similarly, there’s study after study talking about how humans are the primary attack vector for advanced attacks. Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases such as protecting and attacking "Layer 8" have emerged. Yet periodically the media entertain notions that challenge the value of security awareness. While there are notable security awareness failings, awareness, like all security efforts, is about risk mitigation, not complete prevention, and needs to be implemented properly.
Reader ROI: How to ensure you have a strong security awareness program; Why you should tweak awareness programs to suit your audience; The importance of soft skills
That’s why it is important to proactively realize what might cause programs to fail. Even if you attempt to implement good practices, you have to ensure that you are not executing practices that subvert your program before you start. Here are some practices that you should watch out for proactively to prevent failure. In this case, failure generally translates to major losses.
NOT UNDERSTANDING WHAT SECURITY AWARENESS REALLY IS
This is probably the most fundamental reason for the failure of most awareness programs. There is a basic lack of understanding in the industry as to what security awareness actually is. There is a major difference between security awareness programs and security training. Training is about providing a set body of knowledge and typically tests for short-term comprehension. The primary purpose of security awareness is to change behavior. There is no test of short-term comprehension. The only "test" is how a person behaves on an ongoing basis in the real world. The mere act of providing a set body of knowledge does not change behavior. Information must be provided in a way that relates to how employees think and behave. There must be a personal association of how the knowledge would impact their actions. There is also a difference between providing an individual information on a one-time basis, and delivering information in different formats over the course of time to effect change. In short, though, it is rare for an organization to actually understand and implement a program that intends to actively engage the employee with the sole purpose of striving for a better security culture.
RELIANCE ON CHECKING THE BOX
Any good CSO will tell you that compliance is just a start for any security program. Security compliance standards do not guarantee security in any way; they just provide a minimum level of security countermeasures. Candidly, most compliance standards do not provide reasonable security, and this is especially true regarding security awareness. The compliance standards for awareness are almost universally vague. They usually state something as broad as, "The organization must have a security awareness program in place." There is often nothing regarding the content or structure of such a program, and it generally falls upon the auditors to determine what is compliant. Auditors tend to know little about what constitutes a good awareness program, and almost always approve the once-a-year, 10-minute awareness video, as long as it has a quiz at the end and you can verify that all employees have passed the quiz. At best, these programs are examples of short-term retention, and provide no reinforcement or actual proof that people exercise the appropriate behaviors as a result of watching the video. We have heard first hand that, to satisfy such standards, a group of employees will assign one person to take the training, write down the answers to the quizzes, and then provide the answers to other people within the organization, so that the other people "don't waste their time reading the slides." This situation is not unique. In short, saying your awareness program is compliant does not necessarily equate to creating the desired behaviors.

62% of Indian organizations have people dedicated to employee awareness programs for internal policies, procedures, and technical standards.
"IT can implement the best technology and processes but the weakest link is people. Staff training is integral to a good IS program." Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance
NOT ACKNOWLEDGING THAT AWARENESS IS A UNIQUE DISCIPLINE
You can usually tell if a security awareness program is going to be a success or failure by the person assigned to run the program. It is not the individual's fault, as you, as the CSO, need to know whether or not the person has the right knowledge, skills and abilities (KSAs). As awareness involves changing behaviors, you need someone with competence in what most technology professionals would consider "soft skills," such as communications and marketing. As CSOs and CISOs typically assign a person to run the awareness program, they usually assign people out of their standard pool of people, who are technical. Rarely is it a person who was hired or assigned the position because they have the right KSAs. Since security awareness seems to involve soft skills, most security professionals believe that anyone can pick up the job. A good security awareness professional will have good communication skills, familiarity with learning concepts, an understanding that awareness is more than a check-the-box activity, knowledge of a variety of techniques and awareness tools, and an understanding that the desired behaviors need constant reinforcement, among many other KSAs. Just as you would not want to assign a person with no experience or decent technical ability to maintain a corporate firewall infrastructure, you do not want to hire a person without any awareness experience or communications ability to run an organizational awareness program.
LACK OF ENGAGING AND APPROPRIATE MATERIAL As previously mentioned, many or most awareness programs rely on computer-based training (CBT) carried out once a year. CBT can vary greatly in quality. Sometimes an organization acquires posters and newsletters. When there is a check-the-box mentality, lowest cost is frequently the deciding factor in determining which program to use, and the low-cost option is not always very good. Additionally, the materials might not be appropriate for the organization. Even when low cost is not the deciding factor, you need to ensure that the materials are appropriate for the culture of your organization. Sometimes the person acquiring the materials has a bias for a particular presentation style, which is only engaging to a small segment of the organization's employees. For example, awareness materials appropriate for an Internet company will not be well received by investment bankers. More important, it is critical that multiple versions of security awareness materials be implemented, as there are generational issues to consider. Research shows that younger employees respond better to blogs and Twitter feeds, while older employees respond better to traditional materials like newsletters and posters.
OCTOBER 15, 2013 | REAL CIO WORLD
NOT COLLECTING METRICS Without metrics, there is no way to know whether or not a program is truly successful in achieving its goals. You do not know whether you are wasting money or proving value. You do not know whether you are decreasing the number of losses. By collecting regular metrics, you can adjust your program to the measured effectiveness. By determining what is working and what is not, you can tailor future programs based upon lessons learned. Without such data, you are acting blindly and potentially proliferating failure. The appropriate metrics also allow for the determination of which components are having the desired impact. They should be taken prior to starting any engagement effort, at least once during the engagement, and also post-engagement. Without such metrics, you will waste time, effort, and money. For example, if no one is reading your newsletters, there is no need to continue to create them.
"We need to engage everyone in the organization to build a sense of accountability." Satpal Singh, Head-IT (SWA region), Mitsui & Co. India
UNREASONABLE EXPECTATIONS Every time there is a security awareness failing, people bemoan the value of security awareness as a whole. While it would be great if security awareness could prevent all incidents arising from the exploitation of humans, it is not realistic. No security countermeasure will ever be completely successful at mitigating all incidents. There will always be a failure. With the collection of metrics, you can prove the effectiveness of the program, and determine the most important aspect of the awareness program: whether the program is saving more money than it costs.
RELYING UPON A SINGLE TRAINING EXERCISE Similar to relying on the once-a-year CBT, many companies have begun to incorporate social engineering or phishing simulations into their awareness programs. While there is nothing wrong with these simulations as a form of training exercise, they only address a single awareness concern. We identified 17-24 unique awareness topics related to user behavior, dependent on the organization's industry sector. Focusing your efforts on a single attack vector leaves your organization wide open to other attack vectors. Admittedly, the simulations are used specifically because they do create metrics, which is incredibly valuable. However, they should not constitute the entire awareness program. Most security awareness programs are doomed from the start, but it doesn't have to be that way. You first have to remove any impediments to success. By setting the proper foundation, you will be able to implement a program that has a true return on investment and mitigates what is described as the top vulnerability exploited by advanced attacks. CIO Ira Winkler is president and Samantha Manke is SVP of Secure Mentem. Send feedback to editor@idgindia.com
VOL/8 | ISSUE/12
Insider Threat
PROTECTING DATA FROM ANGRY EX-EMPLOYEES A large portion of security breaches are caused by insider threat and an important chunk of that comes from ex-employees. How you can defend your company against them.
BY JOHN S. WEBSTER
The vast majority of employees who leave a company are honest, upstanding corporate citizens. But you never know when someone might leave on bad terms and then attempt to hack back into your corporate systems. Protecting company assets from former employees is more difficult in today's world where corporate data can live in so many places, from the cloud to the employee's BYOD smartphone. Here are steps to protect corporate data from former employees.
Reader ROI: How to protect data from former staffers; Why it's vital for systems to talk to each other; Where mobile fits in
DE-PROVISION ALL DEVICES According to Joe DiVito in PricewaterhouseCoopers' risk assurance practice, de-provisioning should be the first step in protecting data. "Many organizations wrestle with de-provisioning. They may do well at the network level, but the application level can be left open. The administration of application-level access is often decentralized and resident with application owners or business units," says DiVito. He adds that companies need processes in place that provide notice of terminations to all application owners. DiVito cautions that de-provisioning can be tricky, especially when access administration and associated controls are split between a central IT function and the data owner. "There is a level of control risk associated with the design and operation of user provisioning controls. The organization needs to have an accurate accounting of the access assigned to an employee. Determine who owns the authorization and ongoing access to that data and ensure that you communicate amongst the parties when access needs to be modified or revoked. Oftentimes the solution to managing that risk requires nothing more sophisticated than improved communication," he says. At Steelcase, the office furniture company, a custom .NET tool handles the task of de-provisioning. And IT is tightly coordinated with HR. According to Steelcase CIO Bob Krestakos, "The .NET tool uses as many standard APIs as possible to reach various systems and disable or remove user accounts. For example, e-mail accounts can be suspended or removed, access to our Active Directory can be removed, SharePoint access is removed via this application. Access to internal social media and product development systems are managed this way, too." The .NET tool also eliminates SAP IDs, as well as the PTC product data vault in product development, he adds. In addition, he adds, the application automatically sends e-mail notifications to the user accounts manager, creating an audit trail. "The .NET tools make it easy in a large IT environment to turn off access to all systems. It automates quite a few steps," says Krestakos. He adds that the whole process is triggered by the HR department. "When someone is leaving or resigns, especially if they're in data-sensitive departments like corporate strategy or product development, we might start the de-provisioning process before they leave. In other cases, we let the manager of their department know, and we leave the accounts in place until he or she says it's OK to shut them off," says Krestakos.
USE AUTOMATED TOOLS "When an employee leaves a company for any reason, that information should be immediately and automatically relayed by HR to IT for de-provisioning access to all accounts within the organization. There are many mature user provisioning programs available for this purpose," says Sally Hudson, an analyst at IDC. In addition, say analysts, a number of off-the-shelf software applications can help ensure high-level employees in particular get shut off from corporate systems. These include software from IBM, Oracle, Quest Software (now owned by Dell) and CA Technologies, plus pure-play vendors such as CyberArk and Xceedium, which provide privileged identity management (PIM) solutions that are widely used in Fortune 2000 organizations. "There are checks and balances: Privileged identity management software makes sure that highly authorized former employees, including executives and systems admins, are not able to exploit their former high levels of access and account privilege to do damage or mischief within the corporation," says Hudson. A holistic approach to de-provisioning is recommended by some. According to Michael Suby, an analyst at Frost and Sullivan, without going the holistic route, the identity and access management process can be ineffective. "The location of data is getting so dispersed, it's difficult to maintain oversight. You also need to segment data, which is part of data governance. If I'm a business with plenty of employee information, such as their phone number, salary and personnel records, I need to make sure that's stored separately in a physically separate system. And things like business plans and mergers and acquisitions are cordoned off from the general population. You need to manage access to that information. If you do it after the fact, it's like leaving the barn door open," he says. IDC's Hudson adds, "A basic element of housekeeping for all large enterprises should be an automated attestation process, whereby all line of business owners attest to who has access to what based on their roles assigned within an organization. This used to be done manually with spreadsheets, but now software is available that automates and updates these inputs and sends out automatic alerts when anomalies are detected." The IT department at Cisco also automates much of the de-provisioning process.
"To deal with BYOD, organizations must have written agreements with employees to ensure they do not retain any corporate data and scrub their devices." Shivkumar Pandey, Head-IT Infrastructure and Security, Star Union Dai-ichi Life Insurance
As soon as an employee tells HR they're leaving, and HR acknowledges it, a series of actions takes place to prevent employee access to corporate data, says Brett Belding, senior manager, IT mobility services. "After notifying HR, there's a whole series of actions that happen to employee access to data. Employees who decide to leave will hand in their corporate laptops and will lose system access to things like AnyConnect VPN, our ERP, HR system, and everything else they previously had access to. The length of time is different in different countries, but within the last week of employment is the common point. We shut off access to the VPN, for example, ahead of time," he says. Adds Forrester analyst Andras Cser, "There has to be rapport between the application owners and HR. IT also has to maintain compliance with regulators."
SCRUB OR WIPE DEVICES In BYOD environments, departing employees generally either have their devices wiped of data by IT departments, or handle the task themselves. But before that can happen, IT must know what data is on the device. "Organizations need to determine what data is on the physical asset, such as the ID on a mobile phone. But even by examining that, some organizations struggle to know what should be scrubbed. Companies that are subject to regulatory oversight are better at it. Those like manufacturing are not as advanced," says PricewaterhouseCoopers' DiVito. Steelcase requires employees who bring their own devices to sign an agreement that they'll wipe them after they leave the company. With 3,000 mobile users in North America, half of them on the BYOD program, this has worked, says CIO Krestakos. "Employees must agree to certain things via a written agreement. We don't have anything in place to make sure they don't retain corporate data, and we don't have solutions to monitor that, just their agreement. The agreement asks that the employee password protect their phone and maintain some type of applications that allow them to remotely access and wipe the contents." As at Cisco, HR also gets involved. "When an employee leaves the company they have an exit interview with HR where a checklist is run through. HR collects all technologies issued to an employee and reminds them they're not allowed to keep corporate data on any personal device," he adds.
"Insiders have always been critical threat actors. The advent of the cloud, BYOD, and other technologies, is giving CIOs and CISOs nightmares." Mithilesh Singh, Head-IS, Global Security Services, Wave Crest Payment Technology
33% of Indian companies say that former employees were the source of security incidents.
KEEP AN EYE ON THE CLOUD Employee access to the cloud can make for thorny issues after the departure of the worker, since the cloud is an uncontrolled channel. Having policies in place before an employee leaves eases the whole procedure, says Frost and Sullivan's Suby. "An organization has to have a policy and procedure, and say what are the sanctioned Web sites, and if they aren't, you have to block them. You need to determine how to stop movement of data into places where you don't have visibility, like Dropbox or another cloud service." At Cisco, internal and external cloud services are tied to its mobile application stack. The way IT gets around people tampering with data in the cloud is to send only the presentation of an application, not the actual bits, says Belding. "A lot of our mobile application stack is tied to cloud services, either internal or external. If you want to see financial data, you aren't downloading the actual data, only the presentation. We call it bits versus pixels. For cloud and mobile data, you only want to download pixels. That way, there's less and less data on the device. If you're editing a spreadsheet in the browser, that's all in pixels, and when I turn off the service, you can't access it anymore," he says. Steelcase limits the types of data that can be uploaded to the Google Drive cloud used by the company. Corporate strategy and product development data are among the most critical data types, and that data can't be stored on Google Drive. "People are advised they are working on sensitive project areas and asked to take precautions to protect the information," Krestakos says. CIO
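The HR-triggered de-provisioning that Steelcase and Cisco describe above (a termination notice, accounts disabled across systems through their APIs, notifications that form an audit trail) and the automated attestation IDC's Hudson recommends can be sketched as a small workflow. This is an added illustration, not Steelcase's .NET tool or any vendor's product: the users, system names, owning teams and the legacy_hr_app system with no API hook are constructed, and disable_account() stands in for the real per-system API calls. It also shows the failure mode DiVito warns about: an application left open because its administration is decentralised, which the attestation pass then surfaces.

```python
"""Added example: HR-triggered de-provisioning with an audit trail, plus an
attestation pass that flags access left open. Illustrative only; the users,
system names and owner teams are constructed, and disable_account() stands in
for the per-system API calls a real tool would make."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: which business unit owns authorization for each system.
SYSTEM_OWNERS = {
    "email": "it-messaging",
    "active_directory": "it-identity",
    "sharepoint": "collaboration-team",
    "vpn": "network-team",
    "erp": "finance-apps",
    "legacy_hr_app": "hr-apps",   # decentralised application, no API hook (constructed)
}

# Constructed: systems the de-provisioning tool cannot reach through an API.
NO_API_HOOK = {"legacy_hr_app"}


def sample_inventory():
    """Constructed access inventory: user -> systems where the user holds an account."""
    return {
        "jdoe": ["email", "active_directory", "sharepoint", "vpn", "erp"],
        "asmith": ["email", "active_directory", "erp", "legacy_hr_app"],
        "rlee": ["email", "active_directory", "vpn"],
    }


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    system: str
    action: str      # "disabled" or "failed"
    notified: str    # owning team that received the notification


@dataclass
class DeprovisionResult:
    user: str
    disabled: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def disable_account(system, user):
    """Stand-in for the per-system API call. Returns True if the account was disabled."""
    return system not in NO_API_HOOK


def deprovision(user, inventory, now=None):
    """Run on an HR termination notice: try to disable every account the user holds,
    remove successes from the inventory, and record one audit event per system."""
    now = now or datetime.now(timezone.utc).isoformat()
    result = DeprovisionResult(user=user)
    for system in list(inventory.get(user, [])):
        owner = SYSTEM_OWNERS.get(system, "UNOWNED")
        if disable_account(system, user):
            inventory[user].remove(system)
            result.disabled.append(system)
            result.audit.append(AuditEvent(now, user, system, "disabled", owner))
        else:
            # Access is still open: the owning team must revoke it by hand.
            result.failed.append(system)
            result.audit.append(AuditEvent(now, user, system, "failed", owner))
    return result


def attest(terminated_users, inventory):
    """Periodic attestation: every account still active for a terminated user is an
    anomaly the line-of-business owner must revoke or justify."""
    return [
        (user, system, SYSTEM_OWNERS.get(system, "UNOWNED"))
        for user in terminated_users
        for system in inventory.get(user, [])
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for leaver in ("jdoe", "asmith"):
        r = deprovision(leaver, inv)
        print(leaver, "disabled:", r.disabled, "failed:", r.failed)
    print("attestation anomalies:", attest(["jdoe", "asmith"], inv))
```

The audit list is what the notification e-mails in the Steelcase description would carry; keeping the owning team on each event is what makes the failed case actionable, since the central tool can only report access it could not revoke.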
Send feedback on this feature to editor@cio.in
FIVE MUST-HAVES FOR YOUR MOBILE SECURITY POLICY Mobile is the new endpoint in IT. But organizations are still struggling with mobile security. Here’s what you need to know to create a formidable mobile security policy.
BY STEVE RAGAN
Reader ROI: What it takes to create a strong mobile policy; The importance of MDM; What to ask when implementing a mobile security policy
In the US, a couple of months back, news broke that Samsung was pushing into the federal space and is close to inking a deal with the FBI and the US Navy. While that story hinges on the shift from BlackBerry to Android and Apple in the secure mobile space, it also singles out the fact that BYOD isn't a buzzword—it's a reality within IT operations. However, as the network expands outward from the office walls into hotels, conferences, and even the home, the IT department (or the security staff within) gains additional workloads as they are charged with protecting new assets and lines of information. According to research from Forrester, 29 percent of the global workforce are information workers. Information workers use three or more devices, work from multiple locations, and use several apps in order to get the job done; a familiar description to anyone who has ever managed an IT department. And, apart from a precious few, a familiar nightmare. In fact, Forrester notes that before the end of the year, BYOD will impact more than 600 million employees worldwide, all of them falling under the category of information worker. Such growth will see enterprises moving to alter existing policies or adapting new ones in order to include mobile. In an e-mail exchange, Aaron Rhodes, senior security consultant at Neohapsis, a security and risk management firm that specializes in mobile and cloud computing, offered five steps that, he says, all organizations need to take when developing corporate security policies that focus on or include mobile.
SET A STRATEGY "Start mobile initiatives with a fully fleshed-out plan; your strategy should take a holistic view of security with an overarching security framework. Inventory the types of data your mobile workforce accesses on phones and tablets, and treat smartphone and device security just like you would internal systems on the network," says Rhodes. As sensible as that sounds, in reality many companies tend to jump into the mobile world, driven by 'one-time' projects or by top executives' needs to get e-mail and apps on their phones. When it comes to an "overarching security framework," the idea is to make sure that smart devices that store sensitive data have a home within the rest of the organization's security policies and strategy, adds Rhodes. "Simply, a section of the policies and process decisions should be devoted to mobile devices. Consider the mobile IT footprint of your organization in the context of the rest of your assets." According to the Global Information Security Survey, only 21 percent of Indian organizations say the use of mobile devices is part of their security policy. Questions to answer include: What types of access do the various mobile devices on the network have? What types of data are stored on them? Who is using them? How are they currently being managed, and is that enough, or does it need to change? When it comes to treating smartphones as if they were internal systems, Rhodes said that one example is how similar mobile devices are to the systems already in place on the network. It's a simple fact that mobile devices can maintain connections to internal corporate assets and services, and those channels and the devices that use them need to be protected and managed. "A smartphone may contain a mobile VPN client which allows the user to access internal resources on the corporate network such as internal Web applications in the same way they would from an internal desktop machine on the company LAN," he says. Addressing another point, CSO (CIO's sister publication) asked Rhodes to offer his advice for creating an inventory of data, as well as his advice for prioritizing and for Mobile Application Management (MAM) and Mobile Device Management (MDM). His first thought turned to risk, noting that it is important to identify the types of exposures that could cause harm to the company. For mobile, the most common event is the loss of a mobile device due to a mistake on an employee's part or outright theft. "The MAM/MDM solutions that I've worked with have policy options which can help to mitigate the risks from corporate data leakage when devices go missing. Policies such as requiring encryption of on-device email, PIN number entry, and even 'remote wipe' features can help when a device is lost," he says. "As far as prioritizing the exposure of mobile devices compared to the rest of the infrastructure, it's important to keep improving the overall security posture of your network, and considering mobile devices another piece of that."
21% of Indian organizations say the use of mobile devices is part of their security policy.
"Integrating mobile devices into existing security infrastructure and managing them like other end points will maximize its ROI." Ramkumar Mohan, Head-IT & CISO, Orbis Financial Insurance
PLAN WELL "Set a specific timeline, with goals and milestones along the way. Put aside time for research, too. If you're getting new products such as MDM and MAM systems, consider which is the easiest to integrate with your current IT architecture," says Rhodes. Expanding on this, Rhodes says there's a list of things to avoid or look for when it comes to research. For example, what are some areas that may seem harmless, but are actually signs of incompatibility or something that may cause problems later? "One thing to look for when considering your mobile management strategy is to determine if you already have existing tools that fit the bill for managing your mobile devices. Get involvement from the technical leadership on your IT staff, and determine what capabilities you may already possess," he says. "For example, Microsoft Exchange has capabilities to interact with mobile devices and enforce security policy on them to improve the security of mobile e-mail. When you are shopping for MDM/MAM solutions, realize there are a plethora of offerings out there. [Perhaps] an existing vendor you already use has an MDM offering that could make integration easier. Examine the feature sets, and make sure that the mobile devices in use at your organization are supported," he adds.
ESTABLISH POLICY "Creating and administering guidelines will help prevent confusion about how company data and e-mail can be used on mobile devices, and this, in turn, will encourage users to exercise caution. More importantly, if there's a problem, they can't claim ignorance," says Rhodes. When it comes to enforcement, Rhodes says that there are two primary ways for this to take place. The first is via technical controls that are implemented to prevent security problems— such as encryption, PIN codes, the ability to wipe the device remotely, and so on. "Additionally, there is a user awareness component to computer security that should be remembered as well. Building good habits in your users through awareness training and reminders can help improve your organization's security as well." Moreover, says Rhodes, there are four more common line items that mobile security policies should have: Mobile devices must be password protected, they must use device encryption before accessing corporate e-mail, they may not be "rooted" or "jailbroken", and mobile devices must be managed by the corporate IT department using the corporate approved MDM system.
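As an added example (not from Rhodes or Neohapsis), the four policy line items above can be written as the checks an MDM would run against its device inventory, with corporate e-mail gated on the result, alongside a lost-device response derived from which of those controls were actually in place, the exposure Rhodes singles out as the most common mobile event. The device records, field names and exposure ratings are constructed assumptions for illustration; a real MDM exposes equivalent attributes through its own API.

```python
"""Added example: check constructed device records against the four mobile policy
line items, gate corporate e-mail on compliance, and decide the response to a
lost device. Field names and ratings are assumptions, not any MDM's real API."""
from dataclasses import dataclass

PASSCODE, ENCRYPTION, NOT_ROOTED, MDM_MANAGED = (
    "mobile device must be password protected",
    "device encryption required before accessing corporate e-mail",
    "device may not be rooted or jailbroken",
    "device must be managed by the corporate MDM",
)


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    passcode_set: bool
    encrypted: bool
    rooted: bool
    mdm_enrolled: bool
    wants_corporate_email: bool


def violations(device):
    """Policy items the device breaks; an empty list means the device is compliant."""
    found = []
    if not device.passcode_set:
        found.append(PASSCODE)
    # Encryption is a precondition for e-mail, so it is enforced only when e-mail is requested.
    if device.wants_corporate_email and not device.encrypted:
        found.append(ENCRYPTION)
    if device.rooted:
        found.append(NOT_ROOTED)
    if not device.mdm_enrolled:
        found.append(MDM_MANAGED)
    return found


def email_allowed(device):
    """Technical control: corporate e-mail is provisioned only to compliant devices."""
    return not violations(device)


def lost_device_response(device):
    """Response to a lost or stolen device, derived from the controls it had.
    Returns (exposure, actions); exposure is 'low', 'medium' or 'high'."""
    actions = ["revoke the device's VPN, e-mail and application sessions"]
    if device.mdm_enrolled:
        actions.append("issue a remote wipe through the MDM")
    else:
        actions.append("no remote wipe available: reset the owner's credentials")
    # Assumption: on-device encryption keys are unlocked by the passcode, so
    # encryption without a passcode protects nothing against whoever holds the device.
    if device.passcode_set and device.encrypted:
        exposure = "low"
    elif device.passcode_set:
        exposure = "medium"
    else:
        exposure = "high"
    return exposure, actions


def noncompliant(devices):
    """Map device_id -> violations for every device that fails policy, for follow-up."""
    result = {}
    for d in devices:
        found = violations(d)
        if found:
            result[d.device_id] = found
    return result


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("dev-001", "asmith", True, True, False, True, True),
    Device("dev-002", "jdoe", True, True, True, True, True),       # jailbroken
    Device("dev-003", "rlee", False, False, False, False, True),   # unmanaged BYOD phone
    Device("dev-004", "mkhan", False, False, False, True, False),  # no e-mail requested
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.device_id, "email:", email_allowed(d), "violations:", violations(d))
    print(lost_device_response(SAMPLE_DEVICES[2]))
```

The noncompliant() summary is the input to the awareness side Rhodes mentions next: each entry names the owner to remind and the exact line item they broke, so a reminder can cite policy rather than a vague warning.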
TRAIN "Most people simply aren't aware that their actions on mobile devices (company-owned or not) can have dire consequences for the entire organization. Teaching your employees about the risks and how to mitigate them can help avoid catastrophe," says Rhodes. Some examples of risks include code running from untrusted app stores, also known as side loading, running programs received from untrusted parties via e-mail, failure to use passwords, losing a device, and ignoring popup warnings when using an untrusted Wi-Fi connection. But when it comes to awareness training, what are some areas that are essential for organizations to focus on? "The phrase 'if you see something, say something' comes to mind. Simply telling employees that there are risks, and giving them good contact points to call in case they have a security-relevant event (lost device, malware, etcetera) is critical. Prevention is important but not foolproof, so having proper response processes in place is essential."
"Mobility and access to corporate networks any time, anywhere is essential to an organization to maintain systems/services uptime." Dr. N. Rajendran, CTO, National Payments Corporation of India
COMPLY "Keep compliance requirements in mind when deciding company policy. Remember, all company data housed on mobile devices is subject to the same regulatory mandates as other IT systems," says Rhodes. During the research phase, this should be one of the main things to look for when it comes to MDM and MAM offerings. It's important to note how well such offerings can be implemented on the existing infrastructure, and the kinds of additional overhead they'll produce. "Compliance rules do tend to drive security requirements in organizations that fall under them. Some MDM/MAM offerings have special features of their products which support legal requirements. Using existing infrastructure is definitely important as well. If a system is put in place that fits well into your infrastructure, it is more likely that operators will use the system to its full capability to improve security," says Rhodes. CIO
Steve Ragan is a staff writer for CSO Online (CIO’s sister publication). Send feedback to editor@idgindia.com
Budgeting
SECURING FUNDING FOR A SECURITY PROGRAM Security funding has always been a bugbear for CIOs. Here's how you can get your financial team on board with your security funding strategy.
BY DOMINIC NESSI
Reader ROI: Tips to get your security budget passed; The importance of security certification; Why you need to keep the finance team in the loop
Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers—ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There are a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily, and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture. In almost all security funding negotiations, good communication is a critical ingredient for success and results in the necessary funding, over a period of years, to establish and maintain a workable security program. Most budget requests are accompanied by an ROI (return-on-investment) analysis. This is the language your financial team understands and with which they are most comfortable. A positive ROI is usually the difference between a positive and a negative decision on funding. However, cybersecurity budget requests are more difficult to quantify. Security ROI is typically expressed by comparing security investments with the potential liability caused by security breaches. This is similar to calculating the financial benefit of insurance for physical assets, such as buildings and equipment. To start the budget discussion, you must stress cost avoidance rather than profits, and you will need hard, empirical evidence to depict the business risks and associated costs. Interestingly, the specific nature of the threat, while critical to the security team, does not resonate with the financial staff. Their primary concern is the financial impact to the organization. Therefore, the best way to approach senior management to fund your cybersecurity program is to cast the expenditures using an ROI approach. However, simply providing a well-defined ROI doesn't always guarantee success. There are a number of additional considerations when approaching senior management and your financial team when seeking funding.
SET THE FOUNDATION FOR FUNDING BEFORE YOU NEED IT If you haven't established a good working relationship with the financial decision-makers in your organization, you are already behind the curve. It is far better to have that relationship in advance of a budget request. If the first time they see you, your hand is out looking for funding, your chances of success are drastically reduced.
DON'T USE SCARE TACTICS They may work at first, but eventually, if you are successful in keeping your organization safe, this tactic may actually backfire. Your financial officer will only see that he provided funding and nothing happened.
have an emergency and need immediate funding. Continually provide information to the financial team regarding the state of the cyber security world and your organization's place in it. This can be anything from a brief discussion in the hallway to forwarding an e-mail on the latest threat.
ESTABLISH YOUR CREDENTIALS It is important for both you and your security team members to acquire security credentials, such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM). This gives your financial team confidence that you have the expertise to identify the risks and are able to plan and implement a security program that meets the threats facing your organization. Take advantage of the plethora of security seminars, webinars, and magazine articles that provide the most current information on threats and safeguards. And don't be afraid to share some of the non-technical materials you come across with senior management.
RELATE YOUR RISKS TO THE BUSINESS Identifying the technical aspects of malware threats, hacking, and Denial of Service (DoS) attacks will be almost incomprehensible to your senior management and financial decision-makers. Relating the threats to the impact on the business is far more meaningful. For example, if you rely on the Internet for sales and you have to shut down your Web portal, the specific cause is not a priority to senior management. The fact that you had to shut off your primary business conduit is the critical point. According to the Global Information Security Survey, 31 percent of Indian companies say security incidents caused direct financial losses.
51% of Indian organizations say that their security spending is completely aligned with their company's business objectives. Interestingly, 44 percent say that IS spending is justified by client requirements and common industry practice.
HOW INDIA INC MEASURES THE EFFECTIVENESS OF IS SPEND
45% Professional judgment
38% Return on investment
35% Total cost of ownership
33% Reduced security incidents
30% Improved security metrics
27% Payback period
OUTLINE THE NEED IN PLAIN ENGLISH Never speak in technical terms to senior management or your financial team. In order to establish a strong communication channel, you need to have two-way communication about security issues, not a one-sided description of technical challenges. To have a two-way conversation, you need to frame the discussion with language that everyone can understand.
USE OUTSIDE RESOURCES If you are met with skepticism on your funding request, suggest that you bring in an outside cybersecurity expert to develop an independent third-party analysis or audit. If that doesn't work, bring in peers from other organizations in your vertical and have them conduct a peer review on your security operation. An "outside" opinion often seems to have more weight than that of internal staff.
CONSIDER FINANCIAL CONSTRAINTS When meeting with the financial team, remember that very few organizations are free of financial constraints. According to the Global Information Security Survey, 43 percent of Indian companies say that economic conditions is a factor that drives their organization's information security spending. It is unlikely that your organization has unlimited funds. You can show your understanding of their constraints by doing a little research on organizational funding practices and demonstrating your desire to make reasonable requests. They will likely appreciate your desire to understand the constraints in their job and will be more willing to assist you in performing your job.
ONCE YOU GET THE FUNDING, FOLLOW THE PLAN YOU OUTLINED One of the most important things you can do to build trust with your financial officer is to use the funding provided exactly as you had outlined you would in your presentation. Nothing reduces the confidence in your approach more quickly than saying you need the funding for one thing and then spending it on something else. And, if changes become necessary, do consult with the financial team. Never surprise them with expenditures for things on which they have not previously been briefed.
EMPHASIZE: SECURITY ISN'T AN IT ISSUE
"Security sells only if a threat is visible to the buyer and cost of control is affordable. It sells faster if the controls add value and save cost for the organization." K.K. Chaudhary, SVP, Group Head IT and IS, LANCO Group
Of all the considerations, this is perhaps the most important. Cybersecurity is not only addressed through the IT department, but also through human resources in the form of personnel policies; your legal counsel through the enforcement of policies; and your senior management team, who must always insist that their employees follow company policies and rules and who may be accountable to stakeholders and/or compliance organizations to meet laws and requirements. In a distributed environment, you are likely to have numerous parts of the organization continually adding and modifying new technologies, all of which can cause changes to your overall security posture. Senior management and your financial decision-makers understand risk and dollars. Establishing good communication and maintaining it is critical to receiving the funding necessary to implement and maintain a sound cybersecurity program. CIO
PROVIDE FEEDBACK Bring the financial team into your world as much as possible. Don't wait until you
VOL/8 | ISSUE/12
Dominic Nessi is the CIO for Los Angeles World Airports. Send feedback to editor@idgindia.com
AVOIDING BASIC BYOD BLUNDERS
Most companies have figured out how to sidestep BYOD security errors—have you?
BY MICHAEL FITZGERALD
For all the sophistication and power of the modern cell phone or tablet, people think of them more or less like pens: You can use the generic ballpoints they have at the office, or you can bring the one you like from home. That's a consequence of high technology becoming pervasive. People use technology widely, and they might prefer what they use on their own time. Pens, of course, can't access corporate networks (yet). But cell phones and tablets represent powerful computing devices; people might even be able to get more done using their personal devices for work. That's given rise to the BYOD (bring your own device) phenomenon.
About five years ago, in January 2008, only 10 percent of US companies responding to an Aberdeen survey said they allowed workers to use their home devices. In July 2012, that jumped to more than 80 percent of US respondents. According to CIO India research, 43 percent of Indian organizations offer only limited support to employee-owned mobile devices. Companies mostly allow BYOD for mobile phones and tablets, aiming to get the productivity benefits of mobile technology without having to shell out a lot of money for corporate cell phones. Notebook computers still tend to be provisioned by corporations. One looming problem with BYOD: Just because workers have smart phones does not mean they'll be smart about security.
Reader ROI:
Why BYOD is a good thing
The importance of ensuring BYOD doesn't blindside you
What to watch out for
"I have no trouble with people bringing their own machines to work if, and only if, they are competent to run them," Dan Geer, a security researcher and chief information security officer at In-Q-Tel, the CIA's venture capital arm, said in an email. "If they are mere subscribers with a penchant for shiny things, then keep them out of the network."
The trouble is, when the worker who likes shiny things is the CEO, and wants to use his or her new iPad to run business intelligence dashboards, it creates real pressure on a CISO to respond. Common sense would say, "of course, the CISO will do the right thing and preserve the security of the network." Common sense would be sadly disappointed.
"When I started here a year ago, we had execs with an iPhone or iPad and they'd bring it in and hook it up and walk around with it," says Ben Haines, CIO at Pabst Brewing in Los Angeles. Haines said that when he pointed out the risks inherent in walking around with insecure connections, the executives immediately understood the issues. Haines set up a mobile device management policy and found a provider to handle it, and in two weeks it was up and running.
Pabst is far from alone in its approach to BYOD. In fact, Aberdeen found more than half of the US companies that allow employees to BYOD set no restrictions on devices. In India, that's a much lower number: Only 7 percent of organizations say they have no defined policy, according to CIO research.
"Look, scream it from the rooftop, we know that mobility gives a real competitive advantage," says Andrew Borg, an analyst at Aberdeen. "But it appears that 'we've gotta go mobile now, we'll figure it out later' appears to be what many organizations are doing." Borg says there's no reason for companies to take such risks. Borg and other analysts interviewed for this story acknowledge that we have not seen a major incident with BYOD devices publicized yet. But why be the headline, Borg asks. The challenge for CISOs is palpable.
For one thing, it's hard to keep up with best practices, says Adam T. Shapiro, CTO of Breakthrough Technology Group, a managed service provider.
54% of Indian companies say employee use of personal devices is part of their security strategy. Another 28 percent say that it's a top priority over the next 12 months.
"A standard infrastructure layer at the enterprise level with security controls is something many people miss while adopting BYOD." Sachin Jain, CIO and CISO, Evalueserve.com
Shapiro was previously in charge of Citigroup's Client Infrastructure Engineering, where the company's efforts to allow remote work showed a huge thirst for BYOD. The company used a virtualization client to allow for remote access. Once in place, "you saw every single person that was a Mac user start to use their personal Mac," Shapiro says. He also says technology is moving too fast for policies to keep up. "There were people coming in with early releases of Windows Tablets" and other new devices, he says. Then they would complain that they couldn't get access. "Best practices are no longer even best practices. It's an evolving game," he says.
Citigroup had not done things willy-nilly—it had a process of meetings and discussion to develop a BYOD model that went through a wide variety of use cases, and built custom wireless networks to help. Even so, the organization was surprised by how 'creatively' some people decide to use technology. "There were some use cases where you would say, 'Really, people do that?'" Shapiro says.
Citigroup's example illustrates that each company will have its own complexities, with technology and policy decisions to iron out. At any rate, don't be the headline. Emulate smart companies and avoid BYOD's most basic blunders.
BLUNDER 1: JUST JUMP IN, THE WATER'S FINE!
In fact, the water is murky. Companies that just open their networks to BYOD without a plan might hit riptides, stingrays, sharks even. Do you have a lifeguard? Do you even know who should be on the beach? "Step back and think about your company and what the mobile worker population of the company might look like," says Stacy Crook, an analyst at International Data Corp.
BLUNDER 2: TAKE ON ALL COMERS
It's a great concept for an Ultimate Fighting Championship special, but why do you want your network exposed to every device known to humankind?
"Companies shouldn't recommend what type of phone employees get, but some Android phones are better than others," says Dan Shey, an analyst at ABI Research.
BLUNDER 3: GIVE EMPLOYEES ACCESS TO EVERYTHING
Do all your employees really need access to all applications? Really? It's one thing to open up access to e-mail, another to give access to ERP, says Shey. E-mail "tends to be a closed system—you can connect to it and not connect to corporate systems and databases," he says. As Crook notes, once consumer devices enter the enterprise, consumer applications and corporate applications can commingle. What if employees want to dump things into Dropbox? Geo-sensing policies, under which devices have access to applications and data only when they are in a certain zip code or at certain GPS coordinates, can be helpful in some circumstances.
"I urge all CISOs to insist that their MDM vendors provide evidence on regulatory clearance and complying with lawful interception rules before implementing a product." Sesanka Pemmaraju, IS Director and CISO, Hitachi Consulting
BLUNDER 4: FAIL TO TRAIN EMPLOYEES
"That's a big no-no," says Crook. Employees need to have some guidance on what they should and shouldn't do with their devices on the corporate network. That's obviously true for companies that have compliance requirements, like healthcare and financial firms. But any company can have employees overstep their bounds. Give them education and training, and then ask them to sign a document about complying with your company's policies. Without those things, "you're setting yourself up for lawsuits." Especially if you commit sin number five.
BLUNDER 5: ASSUME PEOPLE WON'T LOSE A DEVICE
They do, and they will. What kind of attachments might be on e-mail? What if there's a password file on the device? Or authentication for the network?
BLUNDER 6: EXPECT YOU CAN JUST WIPE YOUR HANDS
There are lots of tools that let you wipe systems remotely, ranging from features in Microsoft Exchange to mobile device management software. Remote wiping is a powerful tool, but when you zap all their personal data, even employees who leave on good terms could end up suing you. Mobile device management software is useful, but should you really just wipe the box? Or can you revoke access to specific applications?
BLUNDER 7: ASSUME THE WORST AND BAN BYOD
BYOD is manageable. CISOs can mitigate risks. They just need to have a plan and a process that meets the needs of their company. Finally, learn from those who've gone before you.
One of the first companies to allow BYOD is IBM. It started back in 2000 with the BlackBerry, and after trials made BYOD a corporate initiative in 2004. It has more than 130,000 employees using their own devices, primarily smart phones and tablets. IBM has a set of corporate security guidelines its workers must follow. Managers approve BYOD requests. The company then assigns workers an eight-digit alphanumeric password, and it has full remote wipe capabilities if someone loses their device, or has it stolen, though it has 'containerized' its applications so that it does not have to wipe an entire device to protect its data. IBM also limits the applications people can access, usually to things like email and IBM's collaboration suite. "We don't deliver the keys to the kingdom," says Bill Bodin, IBM's chief technology officer for mobility, who is responsible for the company's BYOD initiative.
By the end of 2012, all workers who want to use their own devices will have to become 'certified.' IBM has developed about 45 minutes of video modules on the principles of secure mobile computing, and workers have to pass a test on the videos to be eligible to use their own devices. It's also developing a "persona" app for its internal app store, so that employees can download IBM-specific apps that match their roles. Bodin's advice for BYODers? "I would start small. Qualify a particular device. Ask, 'what are my core capabilities I need to mobilize?' And don't put the company's data at risk."
Send feedback on this feature to editor@cio.in
VIEW FROM THE TOP
Milind Deora, MoS of Communications, IT, and Shipping, says the technology growth curve in India is promising and that the government is focused on leveraging the new trends in IT.
The State of IT
BY SHUBHRA RISHI
Milind Deora is a very busy man. That's not surprising considering he is the Minister of State of Communications, IT and Shipping. He is also a charismatic politician and the voice of reason for the new generation. He tackles issues with the poise of a veteran, which is evident from his views on corruption, policies, infrastructure and the economy. He is responsible for a number of IT initiatives such as the G-cloud, e-governance, and the recently launched national cyber security policy, among others. In this interview, Deora, a blues musician and the youngest Lok Sabha minister, shares how IT can change India.
CIO: What do initiatives like the CMS hope to achieve, considering that privacy is a major concern?
Milind Deora: There are a lot of misconceptions around the Central Monitoring System (CMS). But what it really is allowing us to do is create better security safeguards. There shouldn't be any opposition to that. Under my Ministry, we are providing a technology input through the CMS which will improve the existing method of legal interception of calls as well as preventing illegal interceptions. The CMS will also automate the manual process of taking the authorization to a telecom service provider's nodal officers who provision interception and monitoring. In the automated process, provisioning will be done centrally at the CMS by DoT officials, resulting in quick provisioning and ensuring confidentiality. The implementation of the CMS will not, in any way, invade the privacy of Indian citizens because the automated process of the CMS will be subjected to the same regulatory scrutiny as is available in the present manual system under Section 5(2) of the Indian Telegraph Act and Rules 419A. Additionally, it will also hold the added advantage of creating a safeguard against any illegal provisioning by telecom service providers in the present system, however remote it may be.
MILIND DEORA EXPECTS I.T. TO: Automate processes; Tighten national security; Help bridge the digital divide
How does the CMS affect Indian businesses?
The intention of the CMS is not to adversely affect any business, be it Indian or foreign. As the interception and monitoring through the CMS will be subjected to the same regulatory scrutiny as is available in the present manual system under Section 5(2) of Indian Telegraph Act and Rules 419A, under which directions for intercepting any message or class of messages under the said act shall not be issued except by an order made by the respective Secretaries to the Central or State governments of the respective Home departments. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorized by the Union Home Secretary or the State Home Secretary, as the case may be.
Several analysts say the IT Act and its amendments are unconstitutional.
Section 66A was included in the IT Act for multiple purposes. Other than a few cases in media scrutiny, there has been no complaint about the misuse of Section 66A. In those cases also, particularly in Maharashtra and West Bengal, appropriate action has been taken. Besides, the Department of Electronics and IT has issued an advisory to all states to obtain permission from the Inspector General of Police or Superintendent of Police depending upon each case. Such an advisory has also been endorsed by the Supreme Court for strict compliance by the states. As per the report available, all the states are implementing the advisories. Hence, no misuse of Section 66A has come to our notice in the last couple of months.
How is the government addressing new initiatives in the IT and communications sectors?
The government is focused on making use of new trends and technologies. For instance, as a part of our mobility initiative, we have introduced the Mobile Service Delivery Gateway, which is a standards-based middleware infrastructure and aims at providing secure messaging between various departmental applications. The National Gateway has been successfully implemented by CDAC and has been live in production since August 2008. To harness the benefits of cloud computing, DeitY has initiated a project known as 'MeghRaj' to create a common repository of cloud-based infrastructure resources and applications available on demand. The G-cloud is envisaged to enable optimal utilization of ICT infrastructure, allow speedy development and deployment of e-gov applications, and allow quick replication of successful applications such as hosting certified applications like the e-Gov App Store. The first phase of implementing the National Cloud has been approved at a cost of Rs 99 crore and will be launched in 2013. We have also launched an e-Gov App Store with 20 applications in May 2013.
Akash and UIDAI have drawn flak from several quarters.
A committee headed by IIT Mumbai has submitted a study to look into the matter. The study report is currently under examination with MHRD. We have a well-defined strategy aligned to new initiatives. The primary objective of the National Telecom Policy 2012 is to maximize public good by making available affordable, reliable, and secure telecommunication and broadband services across India. The main thrust of the policy is to have a multiplier effect and transformational impact of ICTE services on the overall economy. It recognizes the role of such services in furthering the national development agenda while enhancing equity and inclusiveness. Broadband is one of the main thrust areas of this policy. It sets the target of 600 million broadband connections by 2020. It lays special emphasis on providing reliable and affordable broadband access to rural and remote areas. To ensure broadband coverage to Panchayats, the government has approved a scheme for the creation of a National Optical Fiber Network (NOFN) for providing broadband connectivity to all 2,50,000 village panchayats. The aim is to extend the existing optical fiber network which is available to Gram Panchayat level by utilizing the Universal Service Obligation Fund. The cost of the initial phase of the NOFN scheme is estimated to be about Rs 20,000 crore.
"The main thrust of the Telecom Policy 2012 is for ICTE services to have a transformational impact on the overall economy." — Milind Deora
What roadmap do you have for the software exports and hardware markets?
For promotion of telecom exports, the Department of Commerce has a number of schemes such as the marketing development assistance scheme, market access initiative scheme, focus product scheme, focus market scheme and interest subvention for SME exporters. They provide incentives on export of telecom equipment including mobile phones of up to 5 percent. During 2012-13, the export of telecom equipment, including mobile phones, has been in the order of Rs 22,000 crore. The Telecom Equipments and Services Export Promotion Council has been set up by the Department of Commerce to take effective steps for promotion of export of telecom equipment and services.
What do you envision for the Indian IT sector?
We have already implemented the National Policy on Information Technology in 2012. As approved by the Cabinet in September last year, it aims to boost investment in the IT/ITES sector and expansion in other markets. As a result, direct employment has reached nearly 3 million with an addition of 200,000 employees during this year. The sector revenues have grown from a mere 1.2 percent in 1997-98 to an estimated 7.5 percent in FY 2012. In the next few years, we wish to increase revenues of the IT/ITES industries from a current $100 billion to $300 billion and expand exports from $69 billion at present to $200 billion by 2020. We also wish to promote innovation and R&D in cutting edge technologies and development of applications and solutions in areas like localization, location-based services, mobile value-added services, cloud technology, and social media. One of the key areas that we wish to explore is to make India a global hub for development of language technologies, to encourage and facilitate development of content accessible in all Indian languages, and thereby help bridge the digital divide.
Send feedback to shubhra_rishi@idgindia.com
Chasing Big Business
CXO Agenda | Growth
Thiruambalam's Agenda: To double CavinKare's revenues—from Rs 1,200 crore to Rs 2,100 crore—by 2015.
CavinKare made a place for itself in business history by popularizing the sachet. But while the world got stuck on that story, the company has continued to grow from strength to strength. Now, the new director and CEO of its Personal Care and Foods division, Nellaiappan Thiruambalam (he joined CavinKare in April 2013), has set the company yet another target: To go from Rs 1,200 crore to Rs 2,100 crore by 2015. And Thiruambalam, the former CMD of HJ Heinz's Indian unit, plans to use every trick in the book to get there, including calling in IT.
BY SHUBHRA RISHI
CIO: In an interview last year, you said you plan to make CavinKare one of the top three players in the personal care and food segments. Are you on track?
N. THIRUAMBALAM: I would like to think so. As you know, several of our product categories have come about through acquisitions. In 2003, we forayed into the foods business by buying out Ruchi Agro Foods. This was followed by the acquisition of Salem-based soft drinks manufacturer Maa Fruits India in 2008. We then diversified into the dairy business and expanded our foods business by acquiring Mumbai-based Garden Namkeens in 2009. I think we are progressing reasonably well. By the end of this year, our plan is to maximize productivity across all our businesses, product categories, and the entire supply chain. We also want to increase our focus on our distribution chains, specifically how we transport products from factories to customers. There's also a lot of scope to increase synergies across our sales teams and make them more productive.
What are some of the new products you have in the pipeline?
Plans to launch new products in the hair wash segment, and the hair color and skincare categories are in the offing. Innovation, constant growth, and changes in mindset have all contributed to our business and brought us where we are today compared to where we were 25 years ago. We have set ourselves an ambitious goal of doubling our revenue to Rs 2,100 crore by 2015. All our different segments are going to contribute towards that goal. Personal care is going to occupy a significant share in that growth.
Is it true that the personal care business needs constant attention?
The personal care segment is very competitive and requires relentless attention. At CavinKare, the genesis of the company goes back to personal care and it's still a big chunk of our consumer business. It has been a major driver for CavinKare, especially our brands such as Chik and Nyle. In the past, profits from our personal care business were re-invested into businesses that CavinKare was concentrating on. But recently, with private equity funds, we have a renewed interest in this segment and it will occupy a large amount of the time—and effort—of our management team. That said, all businesses need constant focus in terms of understanding consumer needs, understanding trade intricacies, and understanding competitive intensities.
Does IT have a role in driving growth and product innovation at CavinKare?
Innovation at CavinKare is very consumer-centric. Although it cannot be put in the same category as SAP or other transaction automations, consumer research has some elements of IT. For instance, logging sample sizes of products, and maintaining records and recipes, have IT as the backbone of these activities. But it's still more of a data capturing and monitoring exercise rather than a processing one.
CavinKare has been dominant in the south of India. How do you plan to create a similar impact in the north?
Today, if you look at a lot of our personal care business, our products are spread across a number of regions including West Bengal, and UP among others. Also, Chik and Nyle are more dominant in the northern and western regions of the country. Between 60 and 70 percent of our snacks business comes from western India. I point these out to show that our footprint is already changing and we're now beginning to look like a pan-Indian company. We also have about 15 offices across India—including two big factories located outside the south; one in Haridwar and the other in the outskirts of Mumbai. Even our sales and marketing office is based out of Mumbai.
What’s your strategy to create greater customer connect with your brands, going forward? Do you plan to leverage social media and other platforms?
"Changes in information consumption make social media vital to the way a company engages with its customers. We are increasing our investment in new mediums like social networks."
Conventional media outlets such as TV and radio still make up a large chunk of our investment. But today's changes in information consumption and media habits are making social media very important to a company's engagement with its customers. Therefore, we are increasing both our investment and focus in these new mediums, including social networks. Alternately, our sales force makes more than 60,000 calls every day to support our distributors and retailers. We are also focusing on how we can use some of our IT-enabled systems to support our consumers and customers. We are slowly moving in that direction.
CavinKare has multiple product segments. What's been your strategy to manage these businesses?
We have appointed category heads to manage each business. If you look at the broad classification of products at CavinKare, our brand portfolio consists of shampoos (Chik, Meera, and Nyle), fairness creams (Fairever), deodorants and talc powder (Spinz and Hi5), pickles and snacks (Ruchi and Chinni's), hair color (Indica), beverages (Maa), dairy (Cavins), and beauty salons (Green Trends and Limelite). Next, we have set up different sales divisions which are divided on the basis of customer type. For instance, we have different types of retail formats including convenience stores, kiranas, chemists, bakeries, and juice parlors. The third aspect of our strategy involves managing the supply chain. Products in the personal care space have a long shelf life. Therefore, we use carrying and forwarding agents, like any other FMCG. But for our other businesses, especially the food segment, which have products that are perishable and have a relatively shorter shelf life, the model is slightly different. In these businesses, we carry out operations with fewer intermediaries. By and large, we send these from the factories to distributors without a set of agents to act as go-betweens. So for every segment, the strategy, category management, and selling and distribution levels vary according to the nature of the product.
Talking about your company's strong distribution footprint, how do you plan to leverage it going forward? Is IT going to play a role?
We run over three million outlets through 6,000 stockists located across India. With so many distributors, getting sales and production data can become a tedious task. IT has been the backbone of our company for more than a decade. CavinKare was one of the early adopters of ERP; we had it at a time when none of our competitors did. We have set up an ERP across the entire business chain and it runs very efficiently. Now, if you look at our transactions with distributors and retailers, you'll find that we deal with between seven and 10 lakh retail stores directly. Our transactions with them have increased a lot lately, as have sales and support transactions. For instance, inventory monitoring, and input and output plan settings are some of the transactions that we plan to automate. Currently, we are in the process of automating transactions that distributors carry out with our retailers. We have more than 1,000 distributors who make sure that our customers get what they want and where they want. IT is going to be playing an important role in carrying out these transactions between distributors and retailers.
"We are focusing on how we can use some of our IT-enabled systems to support both our customers and consumers."
How has your past experience helped you in your new role?
What I learned from my past experiences certainly comes in handy. At CavinKare, working for a passionate promoter always brings new challenges and opportunities. You get to see the energy and passion of the shareholder in the overall scheme of things. As a consumer product company, we are always working towards introducing innovative brands and products to the market. We have a mindset that strives for uninterrupted growth. This is what has helped our businesses reach where we have in the last 25 years and it continues to propel us forward.
Shubhra Rishi is senior correspondent. Send feedback on this interview to shubhra_rishi@idgindia.com
CASEFILES: REAL PEOPLE * REAL PROBLEMS * REAL SOLUTIONS
A CHANGE AGENT
Cholamandalam MS General Insurance Company wanted to strengthen its insurance renewal mechanism. A CRM implementation not only made that possible, but also brought new insights and customer-centricity.
BY SHUBHRA RISHI
The Organization: As an insurance arm of the Rs 225 billion Murugappa Group, Chola MS has done exceedingly well in recent years. Posting a steady growth of 20 percent in FY2012-13, it's one of the fastest-growing general insurance companies in India. With over 93 branches across India and a salesforce which includes 7,000 agents, the company wanted to continue its great run.
The Business Case: Chola MS has a large set of existing customers which has the potential to propel the insurance company into the fast lane to growth. But the one thing that could put a spoke in the wheel was the lack of a single view of the customer. The company's primary means of engagement had been through its insurance agents. As a customer's policy expiration date drew closer, a Chola MS agent would go to the customer's house, collect the premium, and renew the policy. It was a manual process, out of step with the needs of the present-day digital age. Due to this, there were several inconsistencies. For instance, if a Chola MS policy holder wanted to buy a health policy and renew an existing one, two agents would end up approaching the customer: one to sell the new policy, and the other to renew the old one. Weighing factors like these, Sundar Venkitakrishnan, VP at Chola MS, decided to initiate a CRM project with an additional focus on process automation. To accomplish the task, the insurer roped in the global consulting arm of IBM, as it had considerable experience in phasing CRM implementations and workflow at large BFSI companies.
Once the strategy was defined, it was established that Chola MS would require four years to fix issues such as technology change, scalability, and organizational sustainability to derive the long-term benefits of the implementation.
OCTOBER 15, 2013 | REAL CIO WORLD
VOL/8 | ISSUE/12
After chalking out an effective blueprint, Chola MS sat down to choose the right solution. Venkitakrishnan insisted that the implementation partner must possess extensive domain knowledge. For this very reason, the company went back to IBM, which has a strong insurance CRM practice. “The value proposition was to get on board an implementation partner who could bring the benefits of best practices,” he says.

The Solution: The CRM initiative was to be implemented in two phases. The first phase consisted of the implementation of three modules: renewal management, partner enrollment, and lead management. A number of sub-initiatives, such as an agent performance management system and an agent on-boarding system, were also identified. The second phase includes campaign management, service management, and mobile CRM. This is expected to be completed by the end of this year. Additionally, Chola MS is enabling lead and renewal management on a mobile platform to enhance agent efficiency. “Today, we know which competitor we lost a customer to and why. We can drill down the reasons which can include our price points, services, or other customer-specific issues,” says Venkitakrishnan. The company is also able to run analytics and find where it went wrong. For example, if price is a cause of concern for customers, it can now revisit and revamp the pricing model without impacting profitability.

The Benefits: The biggest advantage of the implementation is that a month before the renewal cycle starts, the company knows how many customers are supposed to renew their policies, their policy details, and premiums to be collected. It has increased its customer policy renewal rate by 18 percent in the last six months. The implementation has facilitated improved traction, processes, and customer awareness as well as enhanced Chola MS’ ability to cross-sell and up-sell. The company is now able to manage its partners effectively, monitor their performance, and also train them. One of the challenges that Venkitakrishnan anticipated during the CRM deployment was change management. However, the company started conducting at least one session on CRM during its annual meetings and performance reviews. It identified 35 people as change champions and trained the rest of the employees across the 93 branch offices. The company’s efficiency and productivity has also gone up significantly because of workflow automation and CRM implementation, which resulted in 12 percent savings. “Our target is to reach 25 percent,” says Venkitakrishnan. Currently, Chola MS has over 322 licensed CRM users and about 900 agents using the system. CIO Shubhra Rishi is senior correspondent. Send feedback to shubhra_rishi@idgindia.com

Sundar Venkitakrishnan, VP, Chola MS General Insurance Company, enhanced customer experience and savings by implementing a potent CRM solution.
IT Management
V for VUCA
Your IT survival guide for the new business normal: Four steps for mastering the world of volatility, uncertainty, complexity and ambiguity. BY JULIA KING

Reader ROI:
Why the VUCA lifestyle isn’t going away
How to prepare for it
The importance of asset-light IT
Every time Stuart Kippelman’s 10-year-old daughter gets into the car with her father, she insists the Bluetooth isn’t working. It takes about 10 seconds to sync and power up the music, and to a preteen, 10 seconds equals broken. Today’s youth are, of course, tomorrow’s customers. “They demand immediacy, which is driving what IT has to deal with,” says Kippelman, who is CIO at Covanta Energy. But the need for speed is just the tip of the iceberg. Across all industries, IT teams are up against unprecedented volatility, uncertainty, complexity and ambiguity, also known as VUCA. A term that originated in the military, VUCA aptly sums up what CIOs face every day in today’s turbulent business environment. “VUCA includes currency devaluation, natural disasters happening all over the place and, from an IT standpoint, a big proliferation in data and cyber attacks,” says Linda Clement-Holmes, SVP of Global Business Services at Procter & Gamble. “We have to deal with all of these things.” The list goes on: Thanks to cheap and ultra-efficient technology, new competitors can come out of the woodwork; global privacy rules and industry regulations are continually changing; and users’ expectations--driven largely by their experiences with consumer technology--are through the roof. “In the old business model, big ate small,” says John Sullivan, a professor of management at San Francisco State University and former chief talent officer at Agilent Technologies. But in the VUCA world, “fast eats slow,” he says. “Facebook didn’t exist six years ago, and now, a billion-dollar company is run by someone who didn’t graduate college and wears a hoodie. Before, you always knew your competitor, but now, dominant players might come from any industry and come overnight.” Here’s an IT survival guide for the age of VUCA.
Learn Flexibility
The only way to manage the chaos is to become super highly adaptable, IT leaders say. Throw out your five-year strategy; VUCA defies long-term planning. Also jettison multimillion-dollar project plans and technology investments. Strive instead to become “asset-light,” relying on IT services you can quickly expand or unplug as business conditions blink. Perhaps most important--and most counterintuitive--you should simultaneously pursue competing goals. In a VUCA world, “what used to work for five years might work for six months. Because you can’t plan for a particular thing, you have to plan for a range of things,” says Sullivan. “Moving in different directions at the same time must become the norm.” VUCA, CIOs say, impacts everything--from the way you structure an IT organization and hire talent to how you cut costs, boost productivity, and launch new revenue-generating products and services. John Halamka, CIO at Beth Israel Deaconess Medical Center and Harvard Medical School, also says the rise of VUCA presents a golden opportunity for innovation.
Find Opportunity in Chaos
In healthcare, with new regulation, privacy legislation and radical changes to the International Statistical Classification of Diseases (ICD), an industry bible used to categorize virtually every diagnosis and medical procedure, “our business requirements have been utterly redefined,” says Halamka.
John Halamka, CIO at Beth Israel Deaconess Medical Center and Harvard Medical School, believes the phenomenon of VUCA will only get more intense.
“Obamacare, for example, funds medical centers not on what operations they perform but on quality and wellness outcomes,” he explains. “Hospitals know how to take care of people when they’re sick but not how to take care of them when they’re well. There’s VUCA for you.” VUCA leads to opportunity because “no one in the industry has any idea how to do this right,” Halamka argues. “What an incredible opportunity for innovators and risk-takers,” he says. Also a plus is the fact that “there’s a whole new generation of tools and technologies, which now means we are able to do some of these business processes successfully,” he adds. Two years ago, it was unclear precisely how all of the various proposed rules and regulations would ultimately play out. So Halamka and his team made what he calls “an educated guess,” and began aggregating all of the data across the sprawling Beth Israel Deaconess community into a central care management repository. Today, that repository is the foundation of the medical center’s electronic health records system and information exchange. Now, Beth Israel Deaconess is figuring out how to help physicians grapple with the more than 170,000 billing codes in the revised ICD, which takes effect in October 2014. “Doctors will have to document entirely differently, so we’re asking questions like ‘Is a doctor able to remember 170,000 codes?’ and ‘How can we blow up the way it’s done now and use things like natural language processing so the computers read what a doctor writes and suggest a code?’ “We’ve had to completely rethink in a natural way the approach to clinical documentation with a timeline of one year to have it go live,” Halamka says. To be successful in the escalating VUCA environment, two things are required, he says. The first is management that doesn’t get frustrated by the need for agility, but instead gets empowered by it. The second is an “extremely resilient” senior team, which Halamka says he has. 
“We’ve learned that every time a new project or new imperative comes up, you don’t say, ‘Woe is me, I’m a victim.’ Instead, you study the possibilities and understand how it fits into the context of what you’re doing. It requires almost daily reprioritization of activities.” The swift embrace of the bring-your-own-device movement at Beth Israel Deaconess is a prime example. “We support 7,000 iPhones and 2,000 iPads, and I didn’t buy a single one,” Halamka notes. “We’ve had to rapidly innovate layers of security that keep the balance between ease of use and confidentiality with regulatory compliance. That meant redoing the operating plan with extra dollars and staff focused on security issues. That wasn’t in the [original] plan. That’s something society inflicted on us.”
Be a Chameleon
Unable to completely control her environment, P&G’s Clement-Holmes has embraced a management strategy based on what can be controlled. “VUCA is a lot about what you don’t know. What we want is for people to focus on what they do know and can control,” she says. For example, rather than waiting to get 20 people together for a meeting, which could take as long as 12 months given conflicting schedules, “get the people you have now and trust those people to start working on the problem,” she says. “In VUCA, you’re making things up as you go along. We tell people not to wait for everything to be 100 percent perfect and don’t make the simple complex. Go with your gut and your best professional instinct,” she adds. As an IT leader in a VUCA world, Clement-Holmes says her totem is a chameleon, the lizard whose eyes can rotate and focus separately to observe two different objects simultaneously. This is because IT must pivot between long-term growth and short-term efficiency gains, “regardless of VUCA,” she says. “At P&G, we have to increase revenue by billions every single year, and we’ve had our share of headwinds like commodity costs, the global recession and economic instability in Europe. There are a lot of levels of uncertainty, and it will never go back to the way it was,” she says. “The pace of change is also different. Before, the windows were wider and longer and you had more time.” At the same time, IT must aggressively drive cost savings and productivity improvement. That means much shorter planning cycles and a need to continually reinvent the IT organization. “Predicting what the business will be five years out is not realistic,” she says. “Five years is forever. IT years are like dog years.”

Two years ago, P&G created an incubator organization called FLOW, which Clement-Holmes describes as “a kind of special forces to quickly address really wicked business problems with dedicated full-time staffers with the right skills.” In a FLOW initiative at the 2010 Winter Olympics in Vancouver, members of the team quickly set up a P&G-sponsored house where Olympians could visit with family members. “They needed to have it up and running in two weeks,” she recalls. “With FLOW, we can staff a project with the right staff with the right skills in less than two days.” She likens the group to a medical triage unit. “They assess what you need and get you going out the door to the right place. But if they need to do surgery on the spot, they can do that, too.” Every year, 20 percent of FLOW team members are transitioned out of the unit “so we have more people with a mindset of agility,” she says.

Dealing With VUCA
John Halamka has absolutely no illusions that VUCA will abate anytime soon. In fact, he says, it will only get more intense. “We live in a world of shrinking resources and growing demand. The pace at which we have to communicate is only getting faster,” he says. In April, for example, after the Boston Marathon bombings, personnel at Beth Israel Deaconess were using Facebook, Twitter and other social media outlets to communicate with first responders at the scene. So how is a CIO to stay grounded, sane, balanced? “I write every Thursday about my farming activities,” says Halamka, who keeps 50 animals and maintains an apple orchard that he writes about on his blog, “Life as a Healthcare CIO.” “I spend my weekends hauling wood and shoveling manure,” he says. “Spending 13 or 14 hours a day doing farm work lets me come in Monday fresh to talk about new projects, new budgets and new imperatives. I think of my role as CIO not as a job, but as a lifestyle, and you have to make sure that lifestyle includes ways to decompress and maintain equanimity.” —J.K.
Lighten Up
At Pearson PLC, a London-based company that offers education services worldwide, globalization and a seemingly insatiable consumer appetite for online learning are driving VUCA to new levels. “One of the biggest shifts has been from a local to a global focus,” says Pearson CTO Graham Calder. For example, with demand for English language training skyrocketing, particularly in Brazil and China, he says, “We’re teaching English in a consistent way on a global scale.” The new and growing demand has prompted a seismic shift in IT strategy and technology investments, from on-premises enterprise systems to cloud-based and consumer technologies. “We put consumer technology at the heart of our technology strategy and made the decision to embrace cloud knowing that it can mean compliance challenges,” Calder says. This kind of “asset-light” computing infrastructure enables Pearson to expand quickly into new markets. An added benefit is the ability to “fail fast” and move on quickly, because the technologies are cheaper and easier to drop when something isn’t working out.

In comparison, when there’s a big financial investment that would have to be written off if a project were cancelled, “it makes people continue longer down the path than they should,” says Calder. The cloud, he says, “enables a fail-fast culture because it’s asset-light. You can quickly figure out whether it has legs, and if it does, build it out.”

While building a new messaging collaboration platform, for example, Calder’s team made several midstream course changes. “We lost maybe two to three weeks but didn’t write off anything of significance. Often these kinds of things happen on a regular basis and don’t get elevated to leadership,” he says. “In some ways, that’s a measure of success. A big decision can be made because the failure identified is relatively small and constrained and doesn’t need a lot of executive support to authorize it.” But an asset-light strategy is a major mindset shift, especially for executive leadership. To be successful and agile, top management must stop viewing technology as a cost to be managed and instead see it as an opportunity to be exploited, he says. “When you start to view technology through that lens, you come to different decisions about how to govern it. As an IT leader, you have to trust your staff’s knowledge and choices.”

“CIOs used to talk about enterprise-grade technology. Now, it’s all about consumer-grade,” says Vince Campisi, CIO and Lean Leader at GE Intelligent Platforms. “It’s all about whether technology can stand up in a consumer environment. Twitter and Facebook are how people are connecting, and it’s really starting to change how industries operate,” he says. “Now you have business leaders motivated and understanding and paranoid about how this stuff can disrupt their industry.” At Covanta, failing fast and delivering projects in chunks are both cornerstones of IT’s strategy for delivering business value as quickly as possible in today’s VUCA environment, says Kippelman. Over the past two years, IT created and delivered more than two dozen applications using a tool called QlikView. Each of the applications took no more than two weeks to develop. “I’d rather release something 10 times over seven or eight months than have one release in eight months,” he says. “In a world where Facebook updates their software in some cases every day, I think business is coming around to understanding this. There’s more support for it.” CIO Send feedback on this feature to editor@cio.in

IT in the Age of VUCA
Tip: Move Fast and Break Things
If Yodle stuck with its original business model eight years ago, it would have failed. But today, it’s a $130 million marketing technology and services company that thrives on blowing things up to get them right. “That was actually one of the driving forces behind setting up our systems and processes,” says CTO John Merryman. “It’s the case for many tech startups: You don’t know what comes next.” In other words, VUCA is just business as usual. Groupon, for example, started as an idea for fundraising and turned into a business built on group coupons, Merryman points out. Facebook is still tweaking its revenue model. “Trying lots of things is how you end up with better answers,” he says. “Doing the same things better won’t solve the problem.” In a nutshell, Yodle is the digital world’s answer to the old Yellow Pages. When the world went online, big companies could afford to build and run their own websites. Small local businesses couldn’t. Enter Yodle, which has built a technology platform with which it can quickly provision websites for local businesses. But first, Yodle set out to be an online business directory, launching a service called Yodle Local. “Our idea was about having a direct consumer relationship and developing leads. We tried it and there were some promising signs, but then Google changed their algorithms in such a way that they tended to decrease the ranking of directories. It wasn’t working nearly as well,” Merryman says. So the company quickly switched business gears. It also decentralized IT as a way to stay agile. “As you scale a nimble organization, and every startup is nimble, there are certain inflection points at which you have to change,” he says. “One thing we’ve done that I think is critical to agility is decentralize the process of building products and servicing business units.” To this end, IT at Yodle doesn’t have “one big priority list.” “That leads to a whole lot of discussion about the relative priority of things that are incredibly hard to trade off, like achieving audit compliance versus building a new product feature that might make the company $100 million,” Merryman says. “People spend their time arguing rather than getting work done.” Instead, IT at Yodle is divided into feature teams, each of which is responsible for a particular business constituency. “The relative spending on business areas doesn’t change much, but what does change is how [money] is spent. In the services marketing area, for example, there are all sorts of ideas that come up all the time, and because they have their own priority list, they’re free to quickly shuffle priorities around,” Merryman explains. “They’re innately familiar with the business challenges in that area; the engineers know the customers because they’re on calls. They get it.” In contrast, “with a centralized backlog, if your feature makes it to the top and you’ve won, you’re incredibly de-motivated to stop that development,” he says. “It makes people less willing to change priorities. A features team approach reinforces that you should always use your resources for the ultimate business value.” —J.K.
Analytics
Invasion of the Data Sci entists Leading HR departments are turning to ‘talent analytics’ for a wide range of staffing issues. CIOs are at the center of this data-driven transformation. BY STEPHANIE OVERBY
When General Motors was looking for someone to lead its global talent
Reader ROI: How HR departments can use analytics for recruiting talent What they need to do to find the right person for the right job The various areas that can benefit from talent analytics
VOL/8 | ISSUE/12
and organizational capability group, the $152 billion (about Rs 9.58 lakh crore) carmaker clearly wasn’t looking for a paper-pushing administrator. Michael Arena, who took the position 18 months ago, is an engineer by training. He was a visiting scientist at MIT Media Lab. He’s a Six Sigma black belt. He’s got a Ph.D. This is not your father’s human resources executive. But it is a sign of where the corporate HR function is headed. Arena is dedicated to the hot field of talent analytics—crunching data about employees to get “the right people with the right talent in the right place at the right time at the right cost,” he says. “Talent management is a soft space. Historically, we haven’t been able to measure definitely the things that we intuitively believe to be true,” says Arena. “But businesses are mandating it.” The age of “trust me, this will work” is over, says Arena. “HR is being held accountable to deliver business results. And the language of the business is analytics.” The growing importance of sophisticated analytics to HR— not simply reporting what already exists in an organization but predicting what could or should be—is a result of “the recognition that the efficient use of labor and deployment of resources is critically important to the business results of the company,” says Mark Endry, CIO of Arcadis U.S. He recently spent six months as REAL CIO WORLD | O C T O B E R 1 5 , 2 0 1 3
73
Analytics interim senior vice president of HR at the $3.3 billion (about Rs 20,790 crore) company. In recent years, enterprises have developed more mature techniques for applying analytics to customer information. “They’ve been able to see—with relatively little data—how much they can do and how powerful the results can be,” says Ben Waber, author of People Analytics: How Social Sensing Technology Will Transform Business and What It Tells Us about the Future of Work. “When you think about what’s going on within companies, you have potentially billions of records generated every day about each person. They’re starting to see how valuable and important that data is.” IT must be at the center of the unfolding data-driven transformation. Not everyone has an HR data scientist like GM. Arena emphasizes the importance of his partnership with Bill Houghton, GM’s CIO for global corporate functions. “A big piece is integration—ensuring the right systems are connected so we know where to draw the data from,” says Arena. “IT has to play a role in that.” Indeed, GM’s CIO is counting on a new enterprise data warehouse—and hiring more IT professionals with a business intelligence background—to support HR’s efforts. “Right now the analysis is being done by small group of smart people,” says CIO Houghton. “The next step is how do we make the analytics more available to the everyday manager or the organizational leadership. We want to get this out of the hands of the rocket scientists and into the hands of managers.”
new projects, uncovering the characteristics of high-performing individuals or teams, and even predicting who’s likely to head out the door. “The way I think about it is using data to understand how people get work done,” says Waber, CEO of Sociometric Solutions, a managementservices firm that was built on his work at MIT Media Lab and that helps companies in one niche of the talent analytics field: collecting and analyzing sensor data to improve workforce performance. Companies have collected employee data for years—from satisfaction surveys to ethnography. But, says Waber, this “next generation of stuff is moving away from those qualitative assessment modes into much harder behavioral modes, using digital data from email or sensors or ERP systems. That gives us radically more powerful information.” Historically, HR used data to report headcount or turnover information. “We’re so far beyond that now,” says Crumley of CocaCola Enterprises. “HR wants to expand its capabilities to help the business grow. To do so, we need to be able to be more precise and surgical about our interventions. That’s where workforce analytics is huge—helping you determine where to place your bets.”
Laying the Foundation Employees generate petabytes of data about themselves every day, says Waber. But that data sits in disparate systems in different formats and is often messy. “To make it work, you need access to all of this information in real time,” Waber says. “IT is the backbone for this entire process.” Implementing a single version of an HR information system itself may not sound revolutionary, but it’s a critical first step for companies interested in more advanced analytics. Jo Stoner, senior vice president of worldwide HR for Informatica, knew predictive talent analytics could benefit the growing data-integration company. “A lot of companies don’t make it past a billion [in revenue]. We were starting to hit those awkward teenage years,” she explains. Managing the company’s assets would be critical to maintaining momentum. But “we don’t own buildings or raw materials,” says Stoner. “Our greatest asset is our talent.” First, though, the company had to bring all its HR data together, applying the master data management services Informatica delivers to clients to its own internal employee data in order to layer analytics atop it. For most companies, just arriving at a single version of the HR truth can be beneficial. Paul Lones, senior vice president of IT at Fairchild Semiconductor, says that two years ago, managers at the chip maker lacked a single system that could provide an accurate tally of employees worldwide, let alone show the amount of employee turnover. Reports had to be compiled from multiple systems. Succession planning took place in Microsoft Word documents. Compensation decisions might be made in isolation. Now that the company has implemented cloud-based Workday, managers can access data on all 9,000 employees in one place,
“HR is being held accountable to deliver business results. And the language of the business is analytics.” -Michael Arena, Director of Global Talent and Organizational Capability, General Motors
CIOs are the key to helping the organization figure out what data matters, says Terry Sullivan, director of applied research and consulting at office furniture maker Steelcase. “Everyone is thinking about big data and collecting all kinds of data to try to figure out how to create smarter people. CIOs can drive this effort.” IT leaders are uniquely qualified to help their corporate counterparts navigate the minefield of issues associated with these nascent technologies and processes—including data quality, systems integration, security, privacy and change management. “The partnership with IT is critical,” says David Crumley, vice president of global HR information systems for Coca-Cola Enterprises. There’s a broad array of uses for talent analytics: Screening new hires, figuring out who should get promoted, efficiently staffing 74
O C T O B E R 1 5 , 2 0 1 3 | REAL CIO WORLD
VOL/8 | ISSUE/12
Analytics
Michael Arena (left), director of global talent and organizational capability at General Motors, depends on Bill Houghton, CIO for global corporate functions, to provide the integrated systems required for HR analytics.
including succession plans, turnover trends and salary information. “A manager in the Philippines considering a raise and promotion for an employee can see in seconds how that will compare with others in the group and with local compensation trends and make that decision,” says Lones. It may not be rocket science, but it’s a start—one that’s been a long time coming for many HR groups. Chiquita Brands, for example, had multiple homegrown and manual HR systems. “It was a cobbled-together thing,” says Kevin Ledford, Chiquita’s CIO. “People spent 90 percent of their time figuring out where the data was and 10 percent on analyzing it.” In 2008, the company moved to a global HR system (Workday), which came in handy when Chiquita moved its headquarters from Cincinnati, Ohio, to Charlotte, N.C., and lost 75 percent of its corporate employees. “It was very tumultuous. We threw all of our monkeys in the air, and they all came down in different buckets,” says Ledford. “It would have been a nightmare [without the global HR system].” Now that the company is exploring predictive HR analytics, that success with master data management “is everything,” says Ledford. At Arcadis, Endry has connected his cloud-based workforcemanagement system to 11 other pieces of software, including ERP, learning management, payroll and an active directory. The combined data helps the company, which provides engineering services regarding infrastructure, water, environment and buildings, to staff
VOL/8 | ISSUE/12
client projects more efficiently and effectively. “In the past we couldn’t tell who was mobile,” says Endry. “Now when we have a giant project in Ohio, we can see on a dashboard that we’ve got these three people in Boston willing to move there.” Marc Franciosa, CIO of Praxair, has tied the company’s HR and employee performance systems to non-HR systems like SharePoint as a foundation for the company’s talent analytics initiative—no small task for the $11 billion (about Rs 69,300 crore) industrial and medical gases company with 26,000 employees in 50 countries. “The underlying data and processes have to be consistent to be able to do any real analytics with confidence,” says Franciosa. “For companies that are fairly mature that haven’t had a global environment before, it’s going through that initial normalization and standardization process to make sure that this certification, for example, means the same thing around the world,” says Franciosa. (He implemented SumTotal’s HR management system and ElixHR platform to link disparate data.) “The cleanup has been a challenge.” Now, when Praxair wants to make a bid or sign a new customer, managers can analyze HR implications first. Do they have people who speak Portuguese, have the necessary certification, and are willing to relocate to Rio de Janeiro? “We can do some modeling of the skill sets to determine if it’s doable or if we will have to recruit externally,” Franciosa says. REAL CIO WORLD | O C T O B E R 1 5 , 2 0 1 3
75
Analytics At GM, Arena has been implementing a three-phase analytics plan. First, integrate systems in a way that ensures highly accurate data is available. Next, push much of that data into standardized reporting tools and dashboards that business managers can use on their own. Then start building models. One of the first projects Arena implemented was a means-based comparison analysis of the top talent pool. The model examines every employee data field in the PeopleSoft database to look for important insights, Arena says. “Five or six experiences may jump out. Having international experience may statistically matter. Then we dig deeper. Are there certain types of international experiences that matter more than others? Does that need to happen earlier versus later?”
Divining Interventions The real power is in applying predictive analytics to a corporate population. “Everyone’s talking about it,” says Chiquita’s Ledford, “looking at all this data you have and trying to figure out the future.” “The typical data warehouse approach is looking back, but what we wanted to do was start looking forward,” says Praxair’s Franciosa. “What are the leading indicators we should be looking for? What are those metrics or data sets we don’t have but, if we did, would really help us? What external data sources could we use to drive better decision-making?” For example, Praxair is growing by double digits in China. “Rather than hiring a ton of people and trying to recreate the wheel [there], what I’ve been driving is how do we replicate rapidly those things that have made us successful in our mature geographies,” says Franciosa. “There’s a huge opportunity to use predictive analytics based on where we’re best-in-class.” The predictive analytics market for HR is nascent and wideopen. “We partner with them all, from IBM to SuccessFactors to PeopleSoft,” says GM’s Arena. “They’re all trying to play in the space, but I don’t know that any of them have figured it out.” Arena’s team has built a model that predicts what changes in attrition rates will mean for GM’s workforce. Previously, if someone proposed hiring a bunch of young engineers, no one could be certain if that was the best decision. “Now we can say, let’s see what that looks like five years from now,” Arena says. “What are the dividends if we hire 200 entry-level engineers? Might we be better off hiring 50 advanced engineers? We can take that information to the head of engineering and say, ‘Here’s what it will cost you.’“ Arena thinks that analyzing the interactions of networks of employees holds the most promise. The process starts with a survey. “We ask questions of a given network: Who do you go to when you want to shop a new idea? 
Where do you turn when you need resources to get things done? Then we run the analytics,” Arena explains. “We can tell you who the brokers are, who’s central in that network, who are the bridges across silos. We can even predict who’s a flight risk based on where they sit in the network.” And by identifying which employee networks are most productive, Arena says there’s a chance to improve performance across the company. At Coca-Cola Enterprises, Crumley is integrating business data with HR data for predictive purposes. “That’s where you can really get sexy with it,” he says. While working with IT to clean and standardize all the data, Crumley is partnering with each corporate function to find out what business metric might be the key measure of success for their employees. By combining those business metrics with people data, he hopes to be able to “reverse engineer what a successful employee is, so we can get the best candidates in the future.” Employee engagement is a leading indicator of talent retention at Coca-Cola Enterprises. And one of the biggest boosters of employee engagement numbers is access to on-the-job learning, so Crumley’s team is trying to figure out how to make training opportunities more universal. For example, why are folks in this shift at this plant not taking classes as much as other employees in that line of business? With answers to questions like that, HR can intervene to address the core reason, whether that’s an accessibility problem or a manager who needs more coaching. Crumley says the effort will gain even more steam when HR is able to show, through data analytics, a correlation between taking a specific training course and an improvement in sales or productivity.
At call-center provider NOVO 1, CTO Mitchell Swindell has implemented a predictive hiring tool from Evolv. Applicants complete a Web-based application that screens for attitude, propensity for customer service, and voice capabilities. The software also shows the candidate what it’s like to work in a call center in hopes of screening out those who would be a poor fit in the high-turnover industry. The tool then gives the candidate a red, yellow or green rating, at which point candidates rated green or yellow are invited for in-person interviews. The hiring decision is still in the hands of a human, but the system has predicted with 80 percent accuracy the company’s top performers, based on 90-day follow-up data on the hired employees. Since introducing the algorithm-enhanced hiring system, tenure is up by 25 percent, agent productivity has increased 30 percent, and the overall staffing budget has decreased 11 percent. Swindell has integrated Evolv with the company’s payroll, workforce-management and proprietary quality systems to help develop a more nuanced profile of the best employees.
At Chiquita, Ledford is exploring predictive analytics to help the company find, train and retain its “bananaeros”—experts in growing bananas. “Those guys are really hard to find, as bananas have taken a backseat to coffee and tourism,” says Ledford. Analytics could enable managers to predict which lower-level employees “could become our next wave of banana folks,” says Ledford, and determine the right training and grooming to make that happen.
Employee Tracking
There’s also a gold mine of information in how people move through an organization, and a handful of companies are looking at physically tracking employees—often via RFID-enabled badges—to find out how people work and what impact that can have on business outcomes. “The barrier at this point is not the technology,” says Waber, whose Sociometric Solutions is an early provider of sensor-based analysis. “I can tell you how much more money a company makes when two employees eat lunch together. We can do extremely sophisticated things. The challenge is that organizations are not used to looking at themselves this way.”
When GM’s Arena was senior vice president of leadership development at Bank of America in 2010, the financial services company used sensors to track 90 call-center workers over the course of several weeks and found that those in the most cohesive networks were the most productive. By switching from solo to group break times, encouraging more socialization, agents improved efficiency by 10 percent. “As silly as it sounds, it worked,” says Arena. “The analytics told us it was probably the right thing to do.” Sometimes it’s as simple as moving desks closer together, says Waber. Steelcase’s Sullivan has discovered that the size of lunch tables can have an impact on productivity. You can’t force people to interact more, says Waber, but based on the data, you can “engineer serendipity.”
Although Arena conducted a number of experiments using sensor data at BofA, he’s not quite ready to start tracking workers at GM. “I’m a huge advocate of sensor work,” Arena says. “But it’s laden with trust and privacy issues and a lot of organizations just aren’t ready for that. It can be a bit of a slippery slope.”
Praxair is conducting a pilot using sensors on its remote workers. The system will measure how long it takes a worker to, say, install a tank for a customer, by monitoring their movements via a sensor on their protective equipment. The sensor also monitors workers for exposure to harmful gases. If gas is detected, an alarm goes off and the monitoring center will attempt to communicate with the worker. Franciosa envisions integrating the sensor data into other corporate systems to uncover correlations between events and particular locations, types of employees, or certifications.
The Importance of Transparency
Franciosa expects employees to put up some resistance to being physically tracked, much like the pushback the company encountered when it was first placing computers onboard its trucks. “It was viewed as Big Brother wanting to know how fast I drive or how hard I brake,” says Franciosa. “The way to alleviate that is transparency. People won’t like being physically monitored if they think we’re trying to find out how long their break was. So we have to be completely transparent that we are using this for safety and long-term productivity. They’ll recognize the value in that.”
HR collects all kinds of sensitive employee information, but employees see physical tracking as particularly intrusive. “It is the boundary to cross,” says Steelcase’s Sullivan. All of Steelcase’s sensor-related experiments are opt-in. Company analysts see only aggregate data, not individual histories. And Sullivan’s team communicates the process and the intentions not just to those who have signed up, but also to everyone on the campus. “In the US, employees don’t really legally have protections around this data. A company can track you wherever you go and listen to all your conversations,” says Waber. “But that defeats the purpose of this approach, which is trying to help people work better, be happier and stay at their jobs.” Communication is critical with any collection and analysis of people data—not just sensor data. “I don’t think we’re doing anything that people haven’t been trying to do for years,” says Informatica’s Stoner. “But we have to say what we will do with that data.” Praxair’s Franciosa has a close partnership with his legal teams around the world to navigate the various data privacy and protection issues in each country. “But even once we understand that we can have this data, we have to be very transparent and say, here’s why we want your picture or your talent profile,” Franciosa says. “That goes a long way toward gaining both credibility and traction.”
“What’s really happening right now is a shift in HR from an art to a science,” says Crumley of Coca-Cola Enterprises, who’s currently exploring how social network data and gamification might become part of his HR analytics platform. “A lot of HR teams are trying to figure out how to make that shift quickly so it’s no longer HR sitting around waiting to be pulled in, but HR coming to the table with nuggets of wisdom.” Data analytics could enable HR to elevate itself from a tactical support function to a business partner on strategy, which ought to sound pretty familiar to CIOs. But there are limits to HR’s data-driven transformation. “[Analytics] are all about probability, and there’s just so far you can go with probability,” says Crumley. “If you want to figure out how many employees you need to launch a new product, it can get you in the right ballpark. When it comes to predicting turnover, it’s not an exact science. People are people.” “It’s never black-and-white when you’re talking about people,” says Stoner of Informatica. While some folks get stars in their eyes when talking about big data, Stoner often sees a bigger haystack to sift through. But analytics, she says, help point companies in the right direction. “In HR, we live in a world where data brings more questions. You always have to look beneath it,” she says. “It’s not an exact science. But at least it gets us looking at the right part of the haystack so we can get to the answer faster.” That’s why GM’s Arena says his talent analytics will never be fully automated. “Sometimes we get projections wrong for all kinds of reasons. It can take several iterations. But HR still loves it, because it equips them to make intelligent decisions for their business partners.”
Stephanie Overby is a freelance journalist. Send feedback on this feature to editor@cio.in
The Role of Data in the People Business
Chiquita CIO Kevin Ledford is exploring predictive analytics to help the company find, train and retain its “bananaeros”—experts in growing bananas.
Talent Analytics 101
IT and HR leaders who have deployed workforce analytics systems offer these eight tips for success.
Lay the foundation. Aim for a single source of HR information, if possible.
Account for imperfections. “We’ve got our foundational issues, for sure, but if you wait until it’s completely perfect, you won’t get anywhere,” says Michael Arena, GM’s director of global talent and organizational capability. IT can build reconciliation processes and automated audits to help HR with data issues.
Start small. Marc Franciosa, CIO of Praxair, began with an analytics pilot to map the company’s high-potential employees. “If we had tried to do one big-bang workforce analytics project, it would never have gone anywhere,” he says. “You have to get some traction in order to get credibility.”
Tap internal experts. Both Franciosa and Arena have taken advantage of statisticians and others from their corporate R&D groups to develop their talent analytics programs.
Share the load with HR. Take advantage of HR and IT’s complementary skills. IT can focus on vendor management, security and deployment, while HR might manage requirements gathering, process standardization and communication.
Bring in business know-how. David Crumley, VP of global HR information systems for Coca-Cola Enterprises, works with business leaders from functions such as supply chain, sales and finance to determine what data will drive talent analytics.
Hire external change-management help. Typically, HR leads change management in an organization. But avoid DIY change management in analytics efforts, warns Mark Endry, CIO of Arcadis US, who recently spent six months as interim SVP of HR. Hire external help to guide HR through its big changes.
Take action. “Everyone wants to have more data, but we have to ensure that folks know how to use it,” says Crumley, who had to do more hand-holding than he initially anticipated. “It’s not that anyone is pushing back, but you have to embed the use of the data into the [corporate] DNA.” —S.O.
ESSENTIAL technology
A CLOSER LOOK AT ENTERPRISE MOBILITY
Who’s the Boss?
BY HOWARD BALDWIN
Mobility touches multiple facets of IT: platform choice, application development, customer engagement et al. Does it make sense to put one person in charge of it all?
ILLUSTRATION BY PHOTOS.COM
MOBILITY | On this we can agree: Mobility is a matrix of madness for enterprise IT. The current explosion of tablet, smartphone, netbook and laptop options creates a complicated hardware equation. Cross-platform or OS-specific application development affects software, security and management decisions. The desire to give both customers and employees access to back-end enterprise applications is just one more monkey wrench in the mix. “Mobile is changing all the rules, whether you’re on the IT side or the line-of-business side,” says Bob Egan, CEO of Sepharim Group, a Boston-based mobility consulting firm. “We’ve gone from a homogeneous environment to a heterogeneous environment with multiple screens and OSes. It’s a capacity issue, a security and authentication issue, and a policy issue. It’s a brave new world for organizations to deal with.” So how do you manage the madness? While there is no one right answer to this, IT managers and analysts agree the stakes are high. Mobility is no longer tactical, it’s strategic, and that requires a higher level of consideration. “It went from being nice-to-have—something that executives and users really loved—to being a mainstream initiative,” says Ojas Rege, vice president of strategy for MobileIron, a mobile enterprise management vendor.
Who’s in Charge of the Ball of Wax?
Before you can corral mobile, you need to figure out who or what group should do the corralling. But even that decision is not easy to make. Take the issue of support. Mobility is not solely a hardware issue, so it doesn’t necessarily make sense to drop it in the desktop team’s lap. “In the tablet world, IT can’t push just Apple iOS,” says Rege. “It’s not technically possible.” And it doesn’t make sense to put the e-mail team in charge of mobility, because mobile devices are used for much more than e-mail these days—you have to take into account security, device management and more. Beyond that, it’s one thing to offer technical support to your company’s employees; it’s another to offer the same kind of support to the exponentially larger customer base you’re trying to engage. Then there’s the age-old schism between marketing and IT. As Egan points out, “marketing’s first responsibility is to drive the persona of the brand through all channels and geographies. IT’s responsibility is to protect the brand, not extend it. Its goal is to protect profits, not drive revenue.” When it comes to mobility, customer-facing applications are generally managed by the sales and marketing teams, and employee-facing applications are generally managed by IT. The people in sales and marketing want applications up and running quickly so the company can keep abreast of the competition; when they think about deployment schedules, they think in terms of weeks. The folks in IT, on the other hand, want to ensure consistency across access methods and within the code base, so they think about deployment schedules in terms of months. Moreover, marketing might have the budget to do mobile applications, and IT might not. But those two groups need to collaborate to ensure that applications work consistently, both within the user interface and in how they access back-end applications. The challenge is rationalizing the conflicting demands of timetable, budget, and focus. “Organizations that are doing it right are getting both IT and marketing to realize they both simultaneously share responsibility for the needs of employees and consumers,” says Egan. “They both have to drive revenues and extend profits. That’s new thinking for most organizations.”
Avoiding Helpdesk Hell
Even if specific LOBs have their own development efforts, they must have a liaison with IT for a variety of reasons. Among other things, it makes sense to coordinate the efforts of multiple departments on the front-end, and when it comes to technical support. The alternative is helpdesk hell. “When someone has a problem with a mobile application, they call the helpdesk,” says Rege. “If you have 17 different groups building applications, that’s going to be an existential crisis for all the teams.” Rege cites several simple examples. One relates to the security APIs built into Apple iOS, which provide automated encryption. “If the LOB hires outside developers, they might not use those APIs,” he says. “The same issue applies with application distribution. If someone in the LOB builds an application, how are they going to get it to the employees? Through the company’s app store—but IT has to provide the certification for those applications to download properly.” David Nichols, IT transformation leader for consulting firm EY (formerly Ernst & Young), frequently sees duplicate development efforts within a single enterprise. “As far as ownership of mobility goes, it’s still more bifurcated than you would think in companies that have internal back-office operations and client-facing technology as well. Those are owned, managed, and governed by two different organizations that don’t always move at the same speed. They wind up duplicating a lot of efforts because the right hand doesn’t know what the left hand is doing.”
Three Approaches to Control the Chaos
Experts agree that companies need to put in place a mobile model that encapsulates best practices and consistent capabilities—but no one agrees (yet, anyway) on exactly how to get there. We asked three companies how they handle mobility management and found that each takes a different approach. Here’s a summary of each. One, create a dedicated team to establish the groundwork for a cross-departmental mobility effort. Two, put the effort under the aegis of a dedicated mobility manager reporting to the CIO. Three, create a center of excellence focused on mobility that will maintain the necessary consistency from the front-end interfaces to the back-end architecture.
Approach 1: Dedicated Team
Lincoln Wallen, currently CTO at DreamWorks Animation, opted for a dedicated team when he was CTO for mobile and online at Electronic Arts, from 2004 to 2008. The EA board of directors “perceived mobility as a major disruption to the games business,” he says, which led to the idea of creating a mobile business unit inside the existing major operation. The division had its own marketing, product development and general manager, who reported to the head of studios. Keeping it separate helped it flourish into a $200 million (about Rs 1,260 crore) division, says Wallen. After the group established itself, EA—as it had planned at the outset—“integrated its activity back into the business, because mobility is foundational, not siloed,” he says. “It affects every aspect of the business. You need a vertical approach to incubate approaches and solutions. But in the end, you have to consider it pervasive. Mobility is no longer evolutionary. It’s the world we live in.” MobileIron’s Rege has also seen this tactic work. One of his company’s customers is a global 2000 manufacturer based in Europe. “The CEO believes in mobile, so he created a five-person mobile team reporting directly to him with accountability for all mobile projects. Sometimes to get the effort kicked off, you need to do that.” The company’s CIO provides the budget, and the group is still working separately.
Approach 2: Dedicated Mobility Manager
As mobile strategies gain importance, the idea of a chief mobility officer, on equal footing with the CIO and reporting to the CEO, is gaining traction in some circles. However, IT executives we spoke to weren’t fans of such a position, reasoning that strategic issues such as mobility are the CIO’s job. “You obviously have to have somebody, but if you name a chief mobility officer, you’re saying they’re at the same level as the chief information officer,” says Wallen. EY’s Nichols has seen companies putting mobility under the control of the chief technology officer, who in turn reports to the CIO. “The CTO has responsibilities for research and development of client-facing technologies for many companies, and companies are relying on that position to get across the chasm of duplication. They rely on the CTO to bring the best thinking from one group to the other.” Mark Henderson, COO at Case Western Reserve University in Cleveland, uses that tactic. “We’ve been dealing with device issues forever, because all of our students come with their own mobile devices, as does the faculty.” Besides supporting a BYOD environment, his 110-member IT department has deployed two separate wireless networks, one requiring authentication and one for guests, and is looking at developing more mobile applications for both students and administrators. “The university’s marketing communications department wants a mobile app to communicate better, and we want to give the students the ability to access registration databases and their grades,” he says. A chief technology architect reporting to Henderson is responsible for looking at technologies and strategies and opportunities, and works with the design organization. “They look at solutions, evaluate them, and make recommendations,” Henderson says. “It’s really a group effort for our organization.”
Approach 3: Center of Excellence
Even more than creating a position dedicated to mobility management, though, Nichols prefers setting up a mobile center of excellence (CoE), or a shared services center under the CIO. “If you do it right, you can bundle development, creativity, and strategy,” he says. “It will take some time to codify issues such as back-end access, identity and access management, but once those issues are out of the way, they don’t have to be dealt with again. That helps bring the deadline expectations of external and internal groups closer together.” James Gordon, VP-IT at Needham Bank, Massachusetts, concurs. “When you have such a group, they think about mobility first,” says Gordon, who has deployed mobile devices across all departments of the bank, and has also developed customer-facing applications for smartphones and tablets. Needham Bank’s IT team is small enough (just Gordon and four other people) that “everyone is responsible for mobility,” he says. “When we originally deployed our online applications, we built them to be experienced on a laptop. Now we have to re-imagine it. We launched a new website recently, and we wanted a site that would scale down, with content still there, whether you were on a monitor, laptop, tablet, or iPhone.” Gordon’s small group was able to double down on those mobile priorities with commitment and focus, he says. Sepharim Group’s Egan also likes that setup. “When everybody has an agreed-upon set of requirements for an application, it means that everyone understands how they can achieve the goal, everyone is taking shared responsibility, and you get away from finger-pointing. Everyone has to agree on what features are important for an application.” But one caveat, according to some experts, is that a CoE should have influence beyond its name. “There’s a right way and a wrong way to do a CoE,” Rege says. “I’ve seen situations where no one consulted the center because it had more security expertise than application expertise.” There has to be a balanced operational focus across multiple areas, he adds. Nichols agrees. “You have to put in the infrastructure to make sure it can be viable and successful,” he says. The person in charge, in other words, has to have some influence, not just an advisory capacity. “If you don’t,” he adds, “the people within it will be all hat and no cattle.”
No Time to Tarry
Whatever path companies take to manage mobility, they can’t tarry—the technology is simply changing too quickly. “Mobility hasn’t leveled off the way the Web did after a couple of years,” says Nichols. “The next two years are going to be fascinating.” Egan adds, “The one thing you can count on in mobility is that it moves fast and changes often. The minute you start, you have to think about what’s next.” IT executives need to “be ready for the big wave,” says Gordon. “These are just the small ones. Mobility is going to get serious next year, with more content, collaboration, wireless printing, and app management. There is no turning back.”
Howard Baldwin is a freelance writer. Send feedback to editor@cio.in
44% of Indian organizations offer only limited support for employee-owned mobile devices. SOURCE: CIO RESEARCH
MOBILITY VULNERABILITY
i(n)Secure
MOBILE SECURITY | Apple’s Touch ID authentication system can be defeated using a well-honed technique for creating a latex copy of someone’s fingerprint, according to a German hacking group. The Chaos Computer Club (CCC), which hosts an annual hacking conference and publishes computer security research, writes on its blog that its experiment shows that fingerprint authentication “should be avoided.” Apple has introduced Touch ID with its latest high-end iPhone, the 5S. A person’s “fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike,” says the company’s website. A hacker who goes by the name Starbug found that while Touch ID scans at a higher resolution, it can be beaten by increasing the resolution of the victim’s fingerprint. The CCC has also posted a video of what it says is a successful attack. Faking the print involves photographing the victim’s fingerprint at 2400 DPI. The image is inverted and laser printed at 1200 DPI onto a transparent sheet using a “thick toner setting,” according to the CCC. Pink latex milk or white wood glue is smeared into the pattern created by the toner. After it cures, a sliver of latex is lifted from the sheet, and blowing on it gives it a bit of moisture like that on a human finger. It can then be placed on the iPhone’s fingerprint sensor, the CCC says. The technique is not new. “This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market,” the CCC says. Security experts have long warned that fingerprint authentication should not be solely relied upon, but rather used in concert with other technologies. Photos of fingerprints and molds have successfully bypassed fingerprint checks. Touch ID is intended to reduce the number of times a person must enter a passcode, but Apple still requires a passcode in some circumstances, such as restarting the phone and if the device hasn’t been unlocked in two days.
— Jeremy Kirk
endlines PRINTING
Follow the Money
BY LAUREN BROUSELL
During the three to four weeks it takes to make paper money, sensors on machines at the Bureau of Engraving and Printing (BEP) ensure that watermarks, serial numbers, special colors, and textures are produced accurately on each bill. BEP used to track this multi-step manufacturing activity with paper and a 25-year-old mainframe, a process that was outdated and far from precise, says Peter Johnson, former CIO at BEP. “People were running around with clipboards and they weren’t capturing the true raw data,” he says. Now sensors on the 50 printing presses in BEP’s two plants in Washington, D.C., and Fort Worth, Texas, provide 35,000 data points in real time on aspects of the process such as quality, temperature, paper and ink levels. Employees receive alerts about problems, allowing them to reduce manufacturing errors and fix problems faster, he says. With the old system, he says, “If something went wrong, it wouldn’t be found until it got to the next step a week later.”
PHOTO BY MASTERFILE