www.expresscomputeronline.com
ARTIFICIAL INTELLIGENCE SET TO CHANGE ENTERPRISE SECURITY MODEL

In February this year, hackers managed to steal $81 million from the central bank of Bangladesh after hacking into SWIFT, the heart of the global financial system, with sophisticated malware. In January this year, press reports highlighted how highly destructive malware infected three regional power utility service providers in Ukraine, which led to a power failure. In an age of connected machines, these incidents show how hackers can cause irreparable damage. This is set to become more complex, as connected machines are on the rise. For example, Gartner has predicted that in 2016, 5.5 million new things will get connected every year. At the same time, with millions of threats being detected every day, most existing information security systems are playing a catch-up game. Given the increasing volume and sophistication of cyber attacks, human security analysts are overwhelmed by the sheer volume of data they have to handle.

That said, a ray of hope lies with the rise of a number of firms looking at using artificial intelligence to boost security. Artificial Intelligence (AI) systems seek to address the gap between humans and machines. For example, human analyst based solutions are rule-based, which leaves them open to attacks that do not match the rules, such as zero-day attacks. On the other hand, automated systems place too much importance on any change in behaviour, which tends to create many false positives. AI systems merge these two worlds by constantly learning and combining data from multiple points to understand the larger context or intent.

A glimpse of the future of security shaped by artificial intelligence systems was revealed by MIT researchers, as they developed a system that predicted 85 percent of cyber attacks. Once an event is deemed suspicious by the AI system, it presents this analysis to human security analysts, who then confirm if the event is an actual attack. This learning is incorporated into the system, which keeps on improving as more data is fed into it. This system was approximately three times better than previous benchmarks, and also succeeded in reducing the number of false positives by a factor of five.

Unlike existing systems, AI-based systems search for subtle changes in the behaviour of users, key applications and the network to detect an attack. For example, if an employee logs on outside his normal working hours, to a system that he seldom logs in to, and proceeds to download and mail information, then the AI system can flag this as an exception, as it can look at the chain of events and understand the bigger picture. Over time, while human security analysts will continue to remain valuable, expect virtual security intelligence analysts to do the grunt work of combing through massive volumes of data and to build accurate predictive models by continually learning from each incident.
srikanth.rp@expressindia.com
EXPRESS COMPUTER
JUNE, 2016
contents

cover story
CYBER SECURITY IS BECOMING A BOARDROOM AGENDA
With increased cyber attacks and newer incidents being reported regularly, C-level executives and board members are increasingly getting concerned about protecting their company's assets
column
HOW TO CREATE A COMPELLING CUSTOMER EXPERIENCE VISION
OLIVE HUANG, Research Director, Gartner
GAME CHANGING THREATS NEED A ROBUST MULTI-PRONGED STRATEGY FOR EFFECTIVE PROTECTION
THE NEED FOR A SECURITY FRAMEWORK FOR DIGITAL INDIA
RAVI RAMAN, SVP & head of engineering – security intelligence & analytics, Paladion Networks
opinion
interviews
PARESH SUKTHANKAR, Deputy MD, HDFC Bank
The execution part of technology is sometimes underestimated
DO ENTERPRISES HAVE THE RIGHT APPROACH WHEN IT COMES TO IT SECURITY?
CYBER ATTACKS AGAINST CRITICAL INFRASTRUCTURE
JS SODHI, VP & CIO, Amity Education Group and Executive Director - Cyborg Cyber Forensics & Information Security (CCFIS)
The next phase of cyber security at Amity University is Artificial Intelligence
VIMAL MANI
HOW TO DEFEND YOUR COMPANY FROM TARGETED ATTACKS: 5 TIPS FOR CIOs
THE FUTURE OF SECURITY: BUILDING TRUST IN DIGITAL TECHNOLOGIES
A LEGAL EYE ON INDIA’S AADHAAR LAW
A ‘Defense-in-Depth’ strategy is key to combat APTs
VINOD BIDARKOPPA
Group Chief Information Officer, Future Group
We are at the cusp of a breakout opportunity in modern retailing in India
MAKING CITIES SMART
news analysis
Chief Information Security Officer (CISO) of Bank of Sharjah
SHIV KUMAR BHASIN
Chief Technology Officer, State Bank of India
Cloud computing has brought in agility for serving end customers
MRIDUL SHARMA
DIGITAL STRATEGY - FOR TOP-LINE GROWTH OR REAL DISRUPTION?
HPE SEES HUGE GROWTH IN CLOUD ENABLED eHEALTH CENTERS
IndusInd is one of the few banks to have adopted a Bimodal IT approach
SPOTLIGHT ON BLIND CVs, ARTIFICIAL INTELLIGENCE, GAMIFICATION, BIG DATA ANALYTICS FOR HR
Clarification: In the May Issue of Express Computer, Interview - Vikas Gupta, Head IT, Essar India (Headline: Ample scope for the data localisation policy to mature), views are personal.
EVP, Head - Technology, IndusInd Bank
SUBHRANSU MOHANTY
event
DIGITAL TECHNOLOGIES ARE TRANSFORMING CUSTOMER SERVICE IN THE BFSI INDUSTRY
Head HR, Everest Industries
Everest Industries adopts SuccessFactors for better Security, System reliability
VIVEK GAUTAM, Research Manager, Software & Services, IDC India
Security features are increasingly being embedded into products
Vol 27. No. 6. June, 2016 Chairman of the Board Viveck Goenka Sr Vice President - BPD Neil Viegas Editor Srikanth RP* Delhi Mohd Ujaley, Ankush Kumar, Rashi Varshney Mumbai Jasmine Desai, Abhishek Raval DESIGN National Design Editor Bivash Barua Asst. Art Director Pravin Temble Senior Graphic Designer Rushikesh Konka Layout Vinayak Mestry, Rajesh Jadhav Photo Editor Sandeep Patil MARKETING Regional Heads Harit Mohanty - West and East Prabhas Jha - North Marketing Team Shankar Adaviyar Ranabir Das Ajanta Sengupta Amit Tiwari Mathen Mathew Navneet Negi Circulation Mohan Varadkar Scheduling Ashish Anchan PRODUCTION General Manager B R Tipnis Manager Bhadresh Valia
Express Computer® Reg. No. REGD.NO.MCS/066/2015-17, RNI Regn. No. MAHENG/49926/90 Printed for the proprietors, The Indian Express (P) Ltd. by Ms. Vaidehi Thakar at Indigo Press, (India) Pvt. Ltd. Plot No. 1c/716, off Dadoji Konddeo Cross Road, Byculla (E), Mumbai 400027 and Published from Express Towers, 2nd Floor, Nariman Point, Mumbai - 400021. (Editorial & Administrative Offices: Express Towers, 1st Floor, Nariman Point, Mumbai - 400021) Editor : Srikanth RP (*Responsible for selection of News under the PRB Act.) Copyright © 2016 The Indian Express (P) Ltd. All rights reserved throughout the world. Reproduction in any manner, electronic or otherwise, in whole or in part, without prior written permission is prohibited.
COVER STORY
CYBER SECURITY IS BECOMING A BOARDROOM AGENDA

With increased cyber attacks and newer incidents being reported regularly, C-level executives and board members are increasingly getting concerned about protecting their company's assets

BY ANKUSH KUMAR

As businesses continue to adopt newer technologies, they are also exposing themselves to several types of cyber security threats. Enterprises across the world are finding it challenging to become resilient against such increased vulnerabilities. C-level executives and board members are naturally worried about the newly reported cyber attacks and incidents. For example, Target's CEO resigned after a massive credit card security breach that affected more than 40 million customers. Cyber security, hence, is not the responsibility of the IT department alone. If a big security breach leads to the loss of valuable corporate data, and can lead to a violation of privacy laws, then every executive board member is equally responsible.

According to ‘The Global State of Information Security Survey 2016’ report, released by PwC, the average number of information security incidents detected by respondents increased by 117 per cent over the previous year, up from 2,895 last year to 6,284 this year. In such a scenario, the role of the CISO (Chief Information Security Officer) becomes even more important in ensuring that the company's defence system is strong enough to combat such a menace. CISOs are now approaching the top management and making them aware of the threat level so that they are proactive in taking informed decisions.
Evolving Role of CISOs

Over the past decade, the very nature of cyber security as well as the role of the CISO has evolved to focus on value driven protection, business enablement and digital presence enhancement. “CISOs earlier reported to CIOs and CTOs in an organization. This is set to change in the near future as many CISOs now function outside the purview of CIOs/CTOs and report to heads of risk, who have a share of voice in the board. Their stake in defining the organization's IT strategy is also set to increase as security is increasingly being incorporated at the 'design' stage,” says Sivarama Krishnan, Partner and Leader, Cyber Security, PwC India.

Krishnan believes that, over the years, the CISO role has transformed and is no longer limited to addressing the security concerns of an organization. “The CISO of today needs to not only focus on the agenda to protect the enterprise information, but also needs to be innovative in digital enhancement and adding value to the business. Over the last decade, the threats were limited to virus and worm infections, but now they have taken the form of advanced persistent threats (APTs), backed by incidents of corporate espionage. More funds are available to CISOs who are now responsible for managing 'cyber risks' for the enterprise, and not only IT security. The share of cyber security, as a percentage of IT spend, has also seen an increase over the past few years.”

A recent PwC study reveals that there has been a shift in the attitude of top management towards cyber security. Increasing involvement of the board and the C-Suite has served as a big boost to security programs and has made it easier for CISOs to obtain funds. In large conglomerates, the role of the CISO has moved from managing simple operations oriented projects to proposing and leading 'transformational' cyber security projects, or even strengthening the cyber defence postures of companies.
Security Posture of C-suite and Board Members

Hacking and data theft from American organizations, Target and Ashley Madison, where millions of customers’ personal data were stolen, has resulted in the resignation of their CEOs and posed a severe security threat. “The shift and rise of the security expert as a C-level person has increased after the recent high profile breaches, which not only cost those companies and their partners millions of dollars, but also cost top executives their jobs. Hence, with a security expert in the board, the security leader can be detail oriented, logical, and sequential and think like a ‘hacker’,” says Burgess Cooper, Partner, Information & Cyber Security, Ernst & Young.

In a modern enterprise, all C-suite and board member executives are responsible for their cyber security posture, even though they have no role in managing the company's security posture. For instance, chief marketing officers are generally focused on the efficient use of social media and the web for various activities like email campaigns, website updates, mobile app development, blogs and search engine optimization. Even though these seem to be strictly promotional endeavors, they can easily leave the door open for malware or other cyber attacks against unsuspecting customers' systems.

Cyber security threats are rapidly changing, says Brijesh Datta, Senior VP-CISO, Reliance Jio Infocomm Limited.
“The importance of training the users on how to handle critical data with care is crucial while discussing information security” (Veneeth Purushotaman, CIO, Fortis Healthcare)
“About 7-8 years back, hackers were targeting mostly consumers or firms dealing with consumer information or finances. Hence, the key management or the board in such firms providing financial services, telcos or online eCommerce services or those acquiring customers' privacy data, were always conscious about their cyber security responsibilities. However, with changing nature of attacks like "Ransomware" and "Business Email Compromise", even ordinary firms are getting targeted and these attacks are being widely reported in business newspapers. We now see boards of ordinary businesses also being aware and concerned about cyber security.” Datta states that while it is not necessary that the C-level person in the corporate board be a security expert, they should be aware of cyber security basics at the very least.

Tackling risks arising from Social Media and Mobility

As per the findings from Symantec's Internet Security Threat Report, volume 21, India ranks 3rd globally and 2nd in the APJ region as a source of overall malicious activity. Every 6th social media scam impacts an Indian. Last year, the country witnessed one of the biggest cyber crimes in Mumbai. According to press reports, the Oil and Natural Gas Corporation Limited (ONGC) lost around Rs 197 crore as cyber criminals duplicated the company's official e-mail address with minor changes and used it to convince a Saudi Arabia-based client to transfer payments to their account.

“Applications exposed to the Internet should be monitored and secured to the extent possible. Cyber threats will continue to remain a challenge for companies and security teams as they will continue to grow in complexity. The basic expectation of data availability anytime and anywhere for a mobile workforce on multiple devices and platforms, all put together, makes securing the data very difficult,” opines Veneeth Purushotaman, CIO, Fortis Healthcare.

Besides ensuring that the security systems are updated, it is equally important to sensitize employees. Hence, employees must be given training on how to handle critical data with care. Use of social media by employees does pose a potential risk for the organization due to hacking and spyware, states Himanshu Verma, Chief Technology Officer, Yatra.com. “As employees use the same laptops/desktops/mobiles to access social media and the company's infrastructure, they can become an inadvertent conduit to mount an attack on the company's infrastructure. A fair amount of spyware and malware can potentially make its way into an organization via social media usage, especially via content sharing.”

Verma is of the view that organizations need to protect their IT assets from such risks by creating a clear separation between systems directly used by employees and production systems, so that a compromised laptop or mobile does not harm the production systems in any way. “We don't have a well defined BYOD policy as yet as we don't normally allow employees to use their own laptops in the office. However, they are allowed to use their own mobiles, but only for accessing their emails.”

Security has a direct and tangible correlation to the company's financial health, thus making it an important aspect that the leadership team needs to focus on. Erosion of customer trust due to a security breach can be catastrophic and almost irrecoverable, and therefore, enterprise security has indeed become a boardroom agenda.

ankush.kumar@expressindia.com

PRESENTING A BUSINESS CASE TO THE CEO/BOARD MEMBERS

As cyber security is now being treated as one of the most important factors in business expansion and mitigating risks, a business case for getting funds for information security solutions becomes a crucial source of security strategy for the top management. For any CISO, getting the approval of the board for a cyber security project can be a tough task. But there are certain ways to make a business case more effective. There are some logical tricks that CISOs can always utilize. Having a clear-cut understanding of what makes it business oriented, and the way in which it can be presented to the board, can help in getting a project across the line. Express Computer spoke to two prominent CISOs, who share key points to keep in mind when presenting a business case to the CEO/Board:

Venkatesh Subramaniam, CISO (Chief Information Security Officer), Idea Cellular

● Do adequate research and have all required data points ready
● The business case should provide objective data (either on the benefits of doing the proposal or the impact of not doing it)
● It has to be non-technical and bring out the impact to the business (highlight specific use cases it will address for the business)
● Presentation has to be crisp (not more than 8-10 slides) and preferably visual
● Lastly, be honest. Sell the case only if you very strongly believe in it. You need to be perceived as a trusted aide.

Uday Deshpande, CISO (Chief Information Security Officer), Tata Motors

Information Security is usually an investment for data protection. Every organization has to create basic tools and best practices to calculate their Return on Security Investment (ROSI). The organization needs to calculate the cost of an incident by taking into account all the relevant costs if an incident occurs (reputational costs, loss of customers, data records cost) and the probability of incident occurrence. It also needs to measure the cost of security measures/controls, and the level to which the risk of this incident would decrease because of such mitigation. So security investment is judged to be profitable if the risk mitigation effect is greater than the expected costs. For every tool or technology, the above exercise needs to be conducted and it is often better to extrapolate from the organization’s historical data on incidents so that future requirements are taken care of.

Also, the senior management needs to be made aware that the average time to resolve a cyber-attack is around one month, with an average cost to organizations estimated to be approximately 150K$ over this period. Results show that malicious insider attacks can take more than 50 days on average to detect and contain. Depending on the type of incident, damages can grow exponentially over time. So earlier the investments, lesser are the losses.
INTERVIEW: PARESH SUKTHANKAR, HDFC BANK

The execution part of technology is sometimes underestimated

In the digital era, it is a question of how banks will structure their products around technology and go beyond the basic product and understand the customer’s needs, says Paresh Sukthankar, Deputy MD, HDFC Bank to Shobhana Subramanian from Financial Express

Given that you have the digital edge, will new customers be drawn to private sector banks?

You’re right, when it comes to new customers, coming into the banking fold, aspirational, from a convenience perspective, will they get drawn to banks which offer these new services? Absolutely. Since you have a larger number of private sector banks that are strong on technology that shift which is taking place may accelerate. Certainly for some customer profiles. That is a reality. Some public sector banks may get share, like SBI and some others, because they do have the full range. Will there be a slightly faster shift if public sector banks don’t respond? I think that is certainly the case. Therefore, technology and digital is equally a threat and an opportunity depending on where you are. Those banks that are not gearing up and not giving customers a choice, forget not acquiring customers at the same pace, they will lose some of their best customers because customers will move to where there is greater convenience. For players who are making that transition, relationships are becoming stickier. When people ask, what about the threat from independent wallets, well, they have their strengths but from a limited perspective.

How fast is digital technology changing the way banks work?

The change in the way customers interact with banks has happened over a period of time. In the last year or so, the number of transactions enabled on the mobile has gone up significantly. The part we now call digital is about how the customer is dealing seamlessly across channels. From a bank’s point of view, if you look at the lifecycle of a customer, even before you have sold her a product you have a database telling about the customer. It’s a different customer experience altogether and that’s the power of digital—rather than transacting via an ATM or via net banking on a stand-alone basis, it’s across all channels.

Given that IT is accessible to all banks, what will be the differentiator?

It’s a question of how each player structures the product around technology; essentially going beyond the basic product, understanding the customer’s needs. Also, the larger part of anything that is retail is the sheer execution. For a large number of customers you need to get them to use it. The execution part of technology is sometimes underestimated.

In this digital era what is the role of branches?

It’s true that in Europe, branches have been rationalised. But everyone now accepts it’s not one or the other, but an Omni channel. Also, it’s hard to say what kind of ratio—of branches to customers—we should have. For new customer acquisition, the branch is important not necessarily because you’re originating everything there but because the customer will not start a relationship without one. So, if I go to a new city, and don’t have a branch but I say the bank has ten ATMs, the customer won’t be happy. He would say I need to go somewhere to bang the table, if I need to.

Where is HDFC Bank adding branches?

If you look at the branches, we have added last year and this year it’s roughly 50:50 between those in semi-urban and rural areas and branches in urban metropolitan centres. And if about 55% of our branches are semi-urban and rural, it means their disbursements would be 25%. Although the ticket sizes may be smaller and the overall revenue potential smaller — given the market potential — the costs are also lower. So from a profitability point of view, or time to break-even or a cost to income ratio point of view, they would be as good as those in an urban location.
COVER STORY
THE NEED FOR A SECURITY FRAMEWORK FOR DIGITAL INDIA

An integrated architectural framework is critical for addressing the challenge of heterogeneity and complexity in managing cyber security infrastructure in the age of digitization

BY MOHD UJALEY

In the past two months, two websites – a microsite of the Railnet page of the Indian Railway and the library web-page of Jawaharlal Nehru University (JNU) – were hacked. The hackers defaced the pages with a customized message and claimed to have intercepted the government’s web directory. The claim may be exaggerated but these incidents show the growing vulnerability of cyber infrastructure. The huge push by the Government for making the country digital, coupled with initiatives such as ‘Digital India’, ‘Make in India’ and the drive towards creating smart cities, has further increased the surface of this vulnerability. This calls for a strong cyber security mechanism to keep the data and modern infrastructure safe and secure. And this is what government organizations and technology giants are gearing up for, by creating an integrated framework to address the challenge of heterogeneity and complexity in managing cyber security for government organizations and businesses in India.

Whether you speak to a government's security head or a private company's CISO, they all believe that the time has come to shift towards a more architectural approach. However, every firm has different vendors and they all invest and spend a lot of energy in figuring out ways to correlate all the threat information promptly to deal with threats. This is why security vendors are acquiring innovative startups to strengthen their existing security platforms. Simultaneously, government organizations are focusing on building a security framework to protect data or information for government projects, especially e-governance projects, where service providers (SP) or PPP partners are involved. The focus is to create a strategic control within government departments to have sustainable security enforcement.

“In the past organizations have defended themselves by buying a lot of technology solutions from many different vendors and that hasn’t served them particularly well. It has created lots of complexity and therefore the cost of operating is high and has relatively low effectiveness. So, a best of breed strategy has not really served organizations well. If one looks forward, and thinks about what is going to happen in the next five years, we see the digital transformation of organizations further complicating the existing security landscape,” opines Stephen Dane, Managing Director of Cisco’s Global Security Sales Organization (GSSO) for Asia Pacific, Japan and Greater China.

With the success of digital initiatives, the government has realized that technology intervention can help it in improving governance. One prime example is the initiative of the Unique Identification Authority of India, Aadhaar, which is one of the fastest and one of the largest programmes across the globe. Because of Aadhaar, the government now has the data. The government can now design and deliver welfare schemes in a much more efficient and faster way. Similarly in the Digital India programme, apart from the focus on the nine pillars, the backend process is also getting digitized. But having achieved these objectives, the government now has to ensure that the information collected remains secure.

“Today most of the processes are automated and the number of access points has increased. Similarly, data generated has increased tremendously. As we are dealing with sensitive and personal data of citizens, we have to ensure a better information security framework in protecting this information,” states Rudramurthy KG, Chief Information Security Officer (CISO) – Digital India, Ministry of Home Affairs, Government of India.

Agreeing with the views of Rudramurthy, Golok Kumar Simli, Head Technology, Passport Seva, Ministry of External Affairs, Government of India, says, “The concept of Digital India is made of two phases – the citizen interface and the backend interface. Both the interfaces have to be secured enough to deliver service without any hassles. I personally feel that government departments are ready with the security of the backend interface, but the major challenge is coming from the cyberspace.”
The need for a security framework
To fight these challenges, the government has taken a number of steps. Recently, the Government of India developed and issued the National Information Security Policy and Guidelines, which can be taken as a reference by all the ministries and departments of states, and PSUs, for developing their own information security and control mechanism.
“First of all government organizations should have a proper strategy in navigating access controls. They should understand their requirements, their process and their functions. They should also understand the kind of users they have, and the type of data they need. Accordingly, they should create an operational model for operational security control. As far as technical controls are concerned, there could be some automated way of controlling the access,” says Rudramurthy, adding that the implementation of the security framework is not an easy task and government departments need to have a dedicated responsible person for this.
An ideal framework is also constrained by the fact that across the world the concept of security is changing. Vijay Devnath, General Manager (Infra & Security) & CISO, CRIS, says, “Security does not stop at having the right person and right solution in place. Organizations need to check themselves, how good they are from the day they started. There should be frequent assessment and external audit for ensuring the right information security management system framework.”
Security, hence, is moving beyond firewalls. The old rule that anything inside the firewall is good and anything outside is bad, with the network as the perimeter, is now diminishing. Now organizations are focusing on continuous monitoring of the cyber infrastructure for predicting things in advance. That is bringing in huge challenges to pure play security vendors because an era of embedded security has begun.
More stakeholders means more risk
All government projects, especially IT-related projects, are executed either through a tender or through the PPP mode. Additionally, most government departments involve a consultant for project management. This increases the number of stakeholders and the risk to the data.
“The moment you have a third person involved, it is highly essential that you take a proper information security measure and you should consider these measures as part of your contract itself. Hence, a service provider must be completely checked, prior to onboarding. Service providers must also be monitored on a continuous basis during execution. Government departments also need to have complete clarity around intellectual property rights, data protection rights and technology retention,” says Rudramurthy. He adds that the controls need not be limited to liquidated damages; one should also consider proactive, corrective and reactive mechanisms.
On continuously assessing the service provider, Simli says, “Government departments must understand that outsourcing job to the service partners does not mean outsourcing responsibility of the organization.” Simli gives the example of the passport department, which has set rules and regulations for issuing a passport. He asks, “Do you really feel that this knowledge will come from the private partner?” He says that the knowledge has to come from the government side and it is a continuous transformation. “Even for any ICT enablement, the flow and direction must come from the government,” he adds.
Securing the talent
Most of the experts we spoke with are of the view that the top management of the government has to scale up in terms of human resource talent and the technical expertise to understand the technical nitty-gritty of the scope of work given to the service provider, so that they know what is expected during implementation and how to get the work done. Right now, most of these controls are under an administrative hand. Ideally they should be taken care of by a technical person. “These could be addressed when the talent become the part of the government itself,” asserts Rudramurthy.
Explaining the challenge under the PMU set-up, Simli says that the major problem with a PMU set-up is that the employee is hired on a contract basis without any assurance of contract renewal. He explains, “People who have sufficient experience, may get the job immediately even after their contract gets over. But what about a young career oriented person - somebody who has two-three years experience only. They suffer in case they do not get an extension. That is why, it is very tough to find quality young talent in this setup. The problem is that we don't have a good mechanism which ensures the welfare of the staff of the PMU setup,” he adds.
Awareness and road ahead
Despite all the challenges, the awareness level among the general public, businesses and government departments has increased in the recent past. This is especially so after the incident of Edward Joseph Snowden, whose disclosure of numerous global surveillance programs run by different governments led to an intense debate on data security and privacy. That debate finally catalysed the concept of data localization, leading different government departments to take steps to beef up their cyber security mechanisms.
“Indeed, the awareness level has increased but on the technical front, lot of maturity and continuous assessment is needed,” says Rajiv Prakash Saxena, Ex-Deputy Director General, National Informatics Centre (NIC).
Agreeing with Saxena, Simli says, “Awareness is key but we also need a robust security layer for critical projects like passport or defense projects. For this, we are dependent on the products and operating systems but unfortunately, we do not have our own product or operating systems. It mostly comes from the third party service provider. Sooner or later, we should have our indigenous security product in our security layer.”
mohd.ujaley@expressindia.com
OPINION KARTIK SHAHANI RSA – INDIA & SAARC
DO ENTERPRISES HAVE THE RIGHT APPROACH WHEN IT COMES TO IT SECURITY?
It is critical to shift the security investments from a maniacal focus on prevention, towards greater balance on monitoring, detection, and response capabilities
Information technology (IT) is vital to the global economy. Every major industry is heavily dependent on IT. Unfortunately, due to the dynamic nature of today’s IT environment, these evolving technologies and modes of communication also represent one of our greatest threats. Therefore, it is not surprising that cyber security has become an important economic and national security issue.
As a provider of security solutions, we are witnessing rapid evolution of the threat landscape, with more diverse targets, and in many cases, more advanced technologies and tactics than before. This expansion in risk is threatening to erode the trust in digital commerce, communication and collaboration that we all take for granted today.
Enterprises continue to witness a rise in cyber-attacks. Attackers today don’t limit themselves to monetary benefits or just acquiring information; they have evolved further to data manipulation. In light of such ever-growing threats we are presented with one obvious question: “Are we doing enough to limit cyber-attacks?”, or is there a need for a change in approach towards security altogether? In my opinion organizations till date have only looked at perimeter security, which is required for hygiene, but there is also a need to look at security from inside and not just externally, which requires a radical change in thought. Security today is more of a mindset problem and less of a technology issue, and the sooner we understand this, the better it is for the business.
Many a time CISOs/CIOs look to a legacy approach to combat cyber-attacks; an approach which has not seen much success lately but continues to give organizations a false sense of security. A survey of
CISOs, CIOs and security professionals revealed that the mature companies have moved to the next level of security by adopting security analytics as the primary tool, while the companies at the other end of the spectrum still end up spending almost 80 percent of the budget on prevention and only 20 percent on detection. This leaves little or no money for responding to security threats. If a threat were detected in an organisation, how would it stop or mitigate it if there are no resources allocated to response? It is critical to shift the security investments from a maniacal focus on prevention, towards greater balance on monitoring, detection, and response capabilities.
It’s become cliché to say that breaches are inevitable and that faster detection and more accurate incident scoping is the way forward, but too many organizations are trying to do these very different tasks using the technologies and processes they have on hand, which are neither designed for nor capable of answering their need. The industry’s current approach can be compared to a mindset stuck in the Dark Ages, whereby companies employ security strategies and solutions that no longer map to the business and threat environment we face today.
Attackers have evolved to sophisticated tactics such as manipulating or altering the data within the organization without extracting it. Data drives decision making for people and computer systems. When that data is unknowingly manipulated, those decisions will be made based on false data. Consider the potentially devastating consequences of misrepresented data on the mixing of
compounds, control systems, and manufacturing processes. Many of the advanced attacks last year did not even use malware as a primary tactic. The industry continues to seek a technology solution to what was, and is, fundamentally a problem of strategic approach. Some of the ways the security industry could address shortcomings and better combat advanced threats are:
Stop Believing that Even Advanced Protections Are Sufficient
No matter how high or smart the walls, focused adversaries will find ways over, under, around, and through.
Adopt a Deep and Pervasive Level of True Visibility Everywhere – from the Endpoint to the Cloud
We need pervasive and true visibility into our enterprise environments. You simply can’t do security today without the visibility of both continuous full packet capture and endpoint compromise assessment.
Identity and authentication matter more than ever
In a world with no perimeter and with fewer security anchor points, identity and authentication matter more than ever. At some point in [any successful attack] campaign, the abuse of identity is a stepping stone the attackers use to impose their will.
External threat intelligence is a core capability
There are incredible sources for the right threat intelligence [which] should be machine-readable and automated for increased speed and leverage. It should be operationalised into the security programmes at organisations and tailored to an organisation’s assets and interests so that analysts can quickly address the threats that pose the most risk.
Understand what matters most to your business and what is mission critical
You must understand what matters to your business and what is mission critical. You have to defend what’s important and defend it with everything you have.
Our problem is not completely a technology problem. Our adversaries are not beating us because they have better technology; they are beating us because they are being more creative, patient and persistent. What we need is a shift in mindset. While we can hold on to the traditional ways of securing ourselves, we also need Behavioural Intelligence to hunt these attacks in real time and respond to them quickly. The need of the hour is to detect quickly and respond even quicker, before there is major damage to the business.
– Kartik Shahani, Sr. Regional Director, RSA – India & SAARC
OPINION KAUSHAL DALAL FIREEYE
CYBER ATTACKS AGAINST CRITICAL INFRASTRUCTURE ARE NO LONGER JUST THEORIES
Growing digitization – amplified by initiatives such as Digital India – is resulting in an increasing dependency on IT networks across critical infrastructure sectors
Summer is here, and with it come inevitable daily power shutdowns across the country. If a two-hour power cut makes you uncomfortable, imagine a complete, deliberate blackout imposed by hackers backed by a hostile nation. Communications will break down, commerce will grind to a halt, public services – including medical services, media and government – will eventually face a forced shutdown. That may sound far-fetched, but nations around the world are seriously considering how prepared they are for nightmare scenarios caused by cyber attacks against critical infrastructure – power, telecom, nuclear stations, transport networks and other utilities.
Growing digitization – amplified by initiatives such as Digital India – is resulting in an increasing dependency on IT networks across critical infrastructure sectors. As technology becomes mission-critical to their operations, however, their defenses against attacks are outdated and ineffective. Unfortunately, it’s become all too easy for threat actors to take advantage of this vulnerability to target the organizations that countries run on.
This isn’t fantasy. We’ve seen these attacks in many countries around the world, including those believed to have sophisticated cyber defenses. In 2015, a cyber attack on Ukraine’s power grid left 700,000 people without electricity for several hours. The actors behind this attack were previously seen
conducting attacks against the U.S. energy sector. In March 2016, the U.S. Justice Department indicted seven hackers tied to the Iranian regime. These hackers staged a coordinated cyber attack that targeted 46 major financial institutions and a dam outside of New York City. Investigators recently reported cyber intrusions where actors were able to alter settings related to water flow and the amount of chemicals used to treat the water – perhaps the most unspeakable of scenarios. As early as 2013, the Indian petroleum ministry alerted heads of oil companies to the threat of advanced attacks and asked for counter measures to be put in place. Similarly, the Indian government has made some attempts to define critical infrastructure sectors and direct them to advance their cyber defenses. However, we’ve already seen attack groups such as APT30 – who successfully carried out a decade-long cyber-espionage operation against India and ASEAN countries – compromise our most sensitive sectors such as military and defense. Knowing the adversary during their early years of attack would have helped our military and defense organizations create effective strategies that could have prevented the compromise of the most sensitive sectors. If their networks can be breached with ease, and for long periods of time, it’s only a matter of time before equally sophisticated attackers target sectors that are critical to the economy, security and safety of the nation.
In the absence of clear and strong regulations, it has become important for industries to assess their own environments and cyber risk potential. One way to do that is through compromise assessments or Industrial Control System assessments. These tests search the environment to identify whether or not a hacker is currently in the system. If a breach is identified, the organization can work to stop it and secure its system before any valuable information is taken. Intelligence also helps breached organizations understand the adversary and their motives, and prepare response strategies, by providing context on the attack – who did it, when, and what else they have done.
Organizations could also perform “red team” operations. In this assessment, a team of experts attempts to hack into an environment and, if successful, they can then reverse engineer security features to make sure that a real hacker cannot gain access to the system.
Our nation’s critical infrastructure is at risk. As recent events have demonstrated, these cyber attacks are no longer just conceptual – they are very real and have the potential to be extremely dangerous. When it comes to assessing cyber security and improving cyber defenses for critical infrastructure, there is no time to waste.
– Kaushal Dalal, Managing Director, India, FireEye
OPINION DHANYA THAKKAR TREND MICRO
HOW TO DEFEND YOUR COMPANY FROM TARGETED ATTACKS: TOP 5 ACTION POINTS FOR CIOs
By using guidelines and defensive measures provided by different statutory bodies, we list down five points for CIOs to defend against targeted attacks
When Japan’s pension system was hacked in June 2015, the personal information of 1.25 million pensioners was stolen because agency employees opened a malware-ridden attachment sent to their email accounts. In the same year, in the US, tens of millions of Anthem insurance employees had their names, birthdays, social security numbers, and other data stolen in a breach considered the largest in the healthcare industry to date.
These incidents show the varied risks that organizations face when dealing with targeted attacks. In the case of Japan’s pension system, victims were left with a nagging sense of distrust for the system despite promises that the issue would be resolved. The incident also revived public outrage over a similar incident in 2007, which contributed to the defeat of the Liberal Democratic Party during elections. Victims of the Anthem breach were left to fend off fraudulent banking transactions and stolen tax refunds. The company also suffered losses in its shares following the breach.
Targeted attacks leave huge dents in an organization’s financial capacity, resources, and reputation. As a result, more companies have invested in security in 2016. According to The Global State of Information Security Survey 2016 conducted by the International Data Group, Inc., more than half of the companies have already put a CISO (54%) or CSO (49%) in charge of securing their data. CISOs and CSOs are relatively new roles that were brought about due to the
risks of cyber attacks. While often confused as alternatives or executives under CIOs, a CISO/CSO plays a different role. CIOs ensure company operations run smoothly, while CISOs/CSOs make sure they do so while minimizing risks. The majority of companies surveyed by IDG (91%) have also adopted a risk-based cybersecurity framework. These companies usually follow guidelines provided by ISO 27001, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and SANS Critical Controls. Cybersecurity spending is on the upswing, and it is time for company executives and CIOs to finally take control of their company networks. Based on the guidelines and defensive measures mentioned, we list down several essentials for CIOs to defend against targeted attacks:
Five action points for CIOs
#1 Form the right security mindset
To develop an aptitude for tracking down ongoing attacks, you need to first understand what makes a targeted attack. Know how you can catch and recognize each of the six components of a targeted attack. Be updated on how past attacks were accomplished and on new, innovative ways by which attackers get their hands on company data. Also understand which attack goals and motives apply to your organization to know how best to protect potential data targets.
#2 Strengthen network infrastructure
Companies need to break their network down into separate and logical segments to minimize the impact of compromise using stolen credentials, brute force, or insiders. Limit user account and workstation access via the least-privilege model. Make sure to also keep logs and analyze network traffic via behavioural analysis to trace if an attacker is moving inside or stealing from your network. Network flaws and legacy software issues should also be addressed at all times.
#3 Protect company data
Watch out for company data across all platforms and devices such as smartphones, tablets, laptops, and removable drives. This can be done by securing all endpoints including mobile devices, integrating data loss prevention (DLP), encrypting data, and encrypting email communications.
#4 Create an incident response team
Form an incident response team whose members come from various departments such as human resources, legal, public relations, and threat intelligence. Assess the security skills of critical responders and perform trainings or hire specific skill sets to address gaps. The team should be able to stop attacks, make sense of logs, and provide updates in case of a crisis.
#5 Build threat intelligence
This is a proactive measure to prepare your network and response teams in case an attack occurs. It builds context around the behaviour of your network at various times of day, while doing any activity, and in relation to any user. Using threat intelligence, you can catch behaviour outside of the normal conduct of your infrastructure and mitigate possible risks. This can be done by combining internal data about attacks, third-party data about new campaigns and threats, and insights from trained security analysts.
– Dhanya Thakkar, Managing Director and VP, Asia Pacific, Trend Micro
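The combination described under #5, as an added example that is not part of the original article: a per-user baseline of active hours and actions built from internal logs, checked together with a third-party indicator feed and analyst-confirmed exceptions. The users, events, feed addresses, allow list and the one-hour slack are all constructed assumptions.

```python
"""Per-user behavioural baseline combined with a third-party indicator feed.

All users, addresses and events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # hour of day, 0-23
    action: str      # e.g. "login", "file_read", "db_export"
    dest_ip: str


# Constructed history standing in for internal logs from a quiet period.
HISTORY = (
    [Event("asha", h, "login", "10.0.0.5") for h in (9, 9, 10, 10, 11)]
    + [Event("asha", h, "file_read", "10.0.0.8") for h in (10, 11, 14, 15, 16)]
    + [Event("svc_backup", 2, "db_export", "10.0.0.20") for _ in range(5)]
)

# Constructed third-party feed (RFC 5737 documentation addresses).
THREAT_FEED = {"203.0.113.66", "198.51.100.23"}

# Analyst insight: (user, action) pairs confirmed as expected at any hour.
ANALYST_ALLOW = {("svc_backup", "db_export")}


def build_baseline(history):
    """Return {user: {"hours": set of active hours, "actions": set of actions}}."""
    baseline = defaultdict(lambda: {"hours": set(), "actions": set()})
    for ev in history:
        baseline[ev.user]["hours"].add(ev.hour)
        baseline[ev.user]["actions"].add(ev.action)
    return dict(baseline)


def hour_distance(hour, known_hours):
    """Smallest circular distance (in hours) from `hour` to any known hour."""
    return min(min((hour - k) % 24, (k - hour) % 24) for k in known_hours)


def score_event(ev, baseline, feed=THREAT_FEED, allow=ANALYST_ALLOW, slack=1):
    """Return the list of reasons this event deviates from normal conduct."""
    reasons = []
    if ev.dest_ip in feed:
        reasons.append("threat_feed_match")   # external intel is never suppressed
    profile = baseline.get(ev.user)
    if profile is None:
        reasons.append("unknown_user")        # no history to compare against
        return reasons
    if (ev.user, ev.action) in allow:
        return reasons                        # analyst-approved behaviour
    if ev.action not in profile["actions"]:
        reasons.append("new_action")
    if hour_distance(ev.hour, profile["hours"]) > slack:
        reasons.append("unusual_hour")
    return reasons


def triage(events, baseline):
    """Return (event, reasons) pairs for flagged events, most reasons first."""
    flagged = [(ev, score_event(ev, baseline)) for ev in events]
    flagged = [(ev, reasons) for ev, reasons in flagged if reasons]
    return sorted(flagged, key=lambda pair: len(pair[1]), reverse=True)


# Constructed events from the period under review.
NEW_EVENTS = [
    Event("asha", 10, "file_read", "10.0.0.8"),         # matches the baseline
    Event("asha", 3, "db_export", "203.0.113.66"),      # odd hour, new action, feed hit
    Event("svc_backup", 14, "db_export", "10.0.0.20"),  # covered by analyst allow list
    Event("asha", 12, "login", "10.0.0.5"),             # within one hour of known activity
    Event("ravi", 9, "login", "10.0.0.5"),              # user with no baseline
]

if __name__ == "__main__":
    for ev, reasons in triage(NEW_EVENTS, build_baseline(HISTORY)):
        print(ev.user, ev.hour, ev.action, ev.dest_ip, reasons)
```

The feed check runs before the allow list on purpose, so an analyst exception for a service account cannot hide traffic to a known-bad address.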
OPINION
THE FUTURE OF SECURITY: BUILDING TRUST IN DIGITAL TECHNOLOGIES
These are dynamic times and businesses need to ensure they have in place a security strategy that is able to adapt to new threats as they emerge
If businesses are to meet the challenges of an increasingly complex security environment, then they must seek new ways to become more effective - mitigating threats and shutting down cybercriminals.
We are placing an increasing amount of our data in the hands of businesses operating online. Every byte of data we leave with these companies – whether bank or retailer, social network or content provider – constitutes an act of trust; we trust that the brand will work hard to protect our personal data and use any insights derived from our data properly. When brands fail in this duty, the effects are immediate and significant: a loss of trust that can ultimately lead to brand damage, customer churn and revenue loss. Security is the essential foundation, enabling the protections and proper insight management that make digital business initiatives successful.
Change is the new normal. According to our annual Tech Vision survey of more than 3,100 IT and business executives, 86 percent of the executives anticipate that the pace of technology change will increase rapidly or at an unprecedented rate in their industry over the next three years. These are dynamic times and
businesses need to ensure they have in place a security strategy that is able to adapt to new threats as they emerge. Exacerbating this challenge is the growing cyber security skills gap, whereby up to 45 percent of companies say they find it increasingly difficult to source qualified people. Digital businesses must therefore find a way to do more with less; empowering a handful of skilled professionals to create a robust, customer-centric security environment capable of protecting against new and emerging threats is essential. As discussed in Accenture’s recent Security Technology Vision report, over the next five years, new trends are going to emerge that will fundamentally reshape the profession of cyber security, making digital businesses better placed than ever to build that all-important trust. Two trends in particular are well suited to meet the challenges of the modern security environment: the emergence of intelligent automation and a liquid workforce.
Artificial Intelligence and Security Automation
Intelligent Automation applies artificial intelligence (AI), process automation and visualization to enhance a security professional’s capabilities. When it comes to automation, AI will enable security professionals to leave most of the threat detection tasks to their security system. AI models will be capable of determining whether any given activity on the enterprise network is suspicious and whether or not to block it; essentially mimicking how a security professional thinks and learning as they go, adapting to new threats. This means many day-to-day security tasks can be automated, giving security professionals more time to focus on high value activities.
Another important role for AI revolves around its ability to enhance data visualization. The human brain is adapted to picking out visual patterns quickly and finding anomalies in those patterns. AI will help present data to security professionals in just such a visual way by rapidly sorting through huge volumes of data, ‘knowing’ what to keep and what to discard, and then creating a report that security professionals can digest at a glance. Today, visualization technology is still young, but within two years the security professional will be able to visualize the entire enterprise and immediately make sense of even the largest of data sets.
Indeed, by combining AI-assisted automation with AI-assisted visualization, security professionals will be able to understand the larger context of a breach and anticipate its subsequent evolution. The security environment within the enterprise will be automated to such an extent that security staff can concentrate on the major threats rather than ancillary tasks and minor issues.
A more dynamic security workforce
Businesses are struggling to find employees with the skills needed to keep their organizations secure; in fact, a 2015 SANS Institute survey revealed that 59 percent of respondents cited a lack of skills and dedicated resources as the main obstacles to discovering and acting on cybersecurity incidents and breaches.
As security teams modernize over the next four years, technology is only part of the transformation. Equally important are more flexible and dynamic working practices. This is why organizations need to rethink the nature of the workforce and adopt a ‘liquid’ model. Rather than relying on in-house skills alone, businesses will need to embrace freelancers, remote workers and part-timers. By sourcing talent from wherever it can be found and even using crowdsourcing and broad-based collaboration to address security challenges, businesses will be able to bridge the skills gap.
Of course, security is not like any other business function; organizations must be able to trust the freelancers and service providers they use completely when it comes to sensitive work. Where this trust can be built and the right collaborative models put in place, businesses will be able to draw on a much wider and more diverse pool of talent. By 2020 we can therefore expect to see enterprises maintain a core of highly-skilled security people that are supported by well-vetted outside resources.
Preparing for the future
So what steps do businesses need to take now to ensure they are ready for the demands of the emerging security environment? First, businesses should examine their security infrastructure and identify repetitive and low-impact activities that can be automated, looking for security challenges where automated decisions make sense and where quick action can reduce the cost of security incidents. Second, security teams should look to enhance their familiarity with data visualization, increasing their visual literacy and leveraging visualization to present security-related data in compelling and insightful ways. Finally, businesses should evaluate where a liquid workforce approach could help: addressing chronic staffing demands for scarce talent, providing surge capacity to fill a burst or short-term need, or supporting teams with broader or more diverse perspectives.
The digital world promises much for businesses and citizens alike. It is transforming the way we work and live and will only continue to do so. By enabling trust in their businesses’ services, security teams are a key enabler in this digital transformation. If businesses are to meet the challenges of an increasingly complex security environment, then they must seek new ways to become more effective – mitigating threats and shutting down cybercriminals. As we have seen, Intelligent Automation and a liquid workforce will go a long way in helping them do just that.
– Ryan LaSalle, global managing director, Security Transformation Services, Accenture and Lisa O’Connor, managing director, Security R&D Lead, Accenture Technology Labs
OPINION PAVAN DUGGAL CYBERLAWS.NET
A LEGAL EYE ON INDIA’S AADHAAR LAW
The month of March, 2016 was a historic month in the legislative history of India, as the Parliament of India passed Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
“The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 not only symbolizes the biometric identity of individuals, but it also symbolizes biometric and demographic face of the biggest democracy in the world”
The month of March, 2016 was a historic month in the legislative history of India. This was the month in which the Parliament of India debated and passed legislation dedicated to Aadhaar, namely the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The said Act received the assent of the President of India on 25th March, 2016 and came into effect thereafter.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is indeed very significant as it has for the first time provided legal sanctity and validity to the Aadhaar ecosystem. It is pertinent to note that earlier, in 2009, when Aadhaar was introduced, it was done by means of an act of the Executive. From 2009 to 2016, not a single piece of legislation was passed by Parliament that granted legality to the Aadhaar ecosystem. Meanwhile, various Public Interest Litigations were filed in the Supreme Court of India, and the Supreme Court held that Aadhaar cannot be made mandatory by the Government until such time as privacy-related issues concerning the Aadhaar ecosystem are effectively determined by the Supreme Court.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is a law that is aiming to provide for, as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is provided from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals.
The said legislation deals with enrolment and grant of Aadhaar Numbers on the receipt of demographic information and biometric information from the applicant. The term “demographic information” has been defined to include
information relating to name, date of birth, and other relevant information as may be specified for the purposes of issuing an Aadhaar Number. However, the definition of demographic information does not include race, religion, caste, tribe, language, records of entitlement, income or medical history. Further, since Aadhaar is based on biometric information, biometric information has been defined to mean photograph, finger print, Iris scan, or such other biological attributes of an individual as may be specified by regulations. The legislation has provided for the establishment, operation and maintenance of the Central Identities Data Repository for all the biometric and demographic information of Aadhaar Number holders. Further, Unique Identification Authority of India (UIDAI) has been given the responsibility of authentication of the Aadhaar Number of Aadhaar Number holders in relation to his or her biometric or demographic information provided, on the request made to the said Authority by any requesting party. Given the fact that Aadhaar deals with the biometric information, the same is sensitive personal data within the meaning of the law, as defined under the Information Technology Act, 2000 and rules and regulations made thereunder. In the context of the Aadhaar ecosystem, thus the security of identity information becomes critical. The Unique Identification Authority of India (UIDAI) has been straddled with this primary responsibility of ensuring the security of identity information and authentication records of individuals. Further, the Authority has been mandated to take all necessary steps to ensure that information in its possession or control is secured and protected against access, use or disclosure not permitted under the law and against loss, destruction or damages. JUNE, 2016
A perusal of a number of offences under Chapter VII of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, including unauthorized access to the Central Identities Data Repository, shows that they have not been given the kind of deterrent effect that matches the expectations of people. In this regard, the cyber security protection elements pertaining to Aadhaar assume tremendous significance.

Under Section 28 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the Authority has been mandated to adopt and implement appropriate technical and organizational security measures for the information in question. However, what the said appropriate technical and security measures will be has not been defined. The Indian Cyberlaw mandates that reasonable security practices and procedures must be undertaken by a legal entity dealing with, handling or processing sensitive personal data. Further, the Indian Cyberlaw has made ISO 27001 an embodiment of reasonable security practices and procedures. In this context, we find that the specific cyber security parameters in respect of the Aadhaar ecosystem have not been so prescribed, thereby leading to potential confusion.

The issues pertaining to cyber security as defined under the Information Technology Act, 2000, in my opinion, are equally applicable in the context of the Aadhaar ecosystem. The Aadhaar legislation has not really gone much deeper into the issue of protection and preservation of cyber security pertaining to the Aadhaar ecosystem. It is important to appreciate that the Aadhaar ecosystem is a Critical Information Infrastructure of India and, as such, there is a need for specific provisions to enhance the cyber security of the said Critical Information Infrastructure.

Further, it is pertinent to note that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 itself does not have any specific provisions for protection and preservation of cyber security in the context of the Aadhaar ecosystem. However, the Central Government has been given the discretion to make rules to carry out the provisions of this Act. The Central Government can come up with specific cyber security parameters for protecting and preserving not just the Aadhaar Numbers, but also the connected biometric and demographic information and all contents pertaining to the Central Identities Data Repository.

Issues pertaining to cyber security of the Aadhaar ecosystem need to be very well examined and analyzed. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 not only symbolizes the biometric identity of individuals, but it also symbolizes the biometric and demographic face of the biggest democracy in the world. As such, it is reasonable to expect that, with the passage of time, the Aadhaar ecosystem could potentially be targeted by various state and non-state actors. Unauthorized breach into the cyber security could also prejudicially impact its security and also prejudicially impact the preservation and protection of India’s cyber security, sovereignty and integrity. If this aspect is not given the requisite focus and emphasis, this could lead to potential cyber security breaches which could impact not just the Aadhaar ecosystem as a whole, but also people’s confidence and trust in the Aadhaar ecosystem as the identity system.

All stakeholders are looking up to the Government to come up with appropriate cyber security mechanisms, processes and procedures which can help make the Aadhaar ecosystem far more protected from unauthorized intrusion by state and non-state actors. This is a matter of urgent and immediate concern. It is common knowledge that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 was passed very quickly. In this context, the responsibility lies on the Central Government to ensure that it puts in place adequate norms, procedures and mechanisms, in addition to the norms already stipulated under the Information Technology Act, 2000, to deal with cyber security aspects of biometric information of Aadhaar in the Central Identities Data Repository, for making the Aadhaar ecosystem far safer and more secure.

– The author is Advocate, Supreme Court of India, and is an expert and authority on Cyberlaw, Cybersecurity Law & Mobile Law. He is also President, Cyberlaws.net; and Head Pavan Duggal, Advocate Associates, Advocates.
INTERVIEW JS SODHI AMITY UNIVERSITY
“THE NEXT PHASE OF CYBER SECURITY AT AMITY UNIVERSITY IS ARTIFICIAL INTELLIGENCE”

“The threat to education sector is certainly getting worse. With vast stores of personal data and expensive research, universities are becoming prime targets for hackers. And mind you, these aren't just college kids trying to change their grades but potentially "nation-state actors" much like the hackers who target large corporations,” says JS Sodhi, VP & CIO, Amity Education Group and Executive Director-Cyborg Cyber Forensics & Information Security (CCFIS). The Amity Education group has over 1,00,000 students studying across 1000 acres of hi-tech campuses spread over Delhi, Jaipur, Lucknow, Noida, Ghaziabad, Gurgaon and many National & International Campuses across the globe. To stop and deflect attacks and targeted malware aimed at its IT infrastructure, JS Sodhi and his team created a National Cyber Alert System with its flagship technology, Advance Threat Protection Sensor (ATP). In an interview with Rashi Varshney of Express Computer, Sodhi shares the journey of how making cyber walls unbreakable for Amity across the globe led to the formation of the startup Cyborg Cyber Forensics and Information Security Pvt Ltd (CCFIS), a Research Organization at Amity Innovation Incubator, by Amity Education Group for securing cyber walls for enterprise and government organizations. Edited excerpts from the interview:

Please tell us about the National Cyber Alert System

The National Cyber Alert System is a project where we intend to deploy the network of our flagship product, Advance Threat Protection Sensor (ATP) across all Internet service providers (ISPs) of India in order to safeguard the country’s IT infrastructure. The ATPs installed on different ISPs shall create a ‘Ring of Fire’ across India which shall not only capture general and targeted attacks along with malware but also deflect them, before they enter the country.
The data from all ATP sensors installed across ISPs would be collected at our Central Threat Intelligence Collection Center and at our Global Security Operation Center (GSOC – Malware Analysis Lab). The malware captured would be reverse engineered by our highly skilled attack analysis team who would generate reports and security bulletins observing trends of malwares on different parameters and give recommendations on how to safeguard enterprises from such lethal malware. Also a real time alert of attacks would be generated to share research analysis, intelligence report forecasting future attacks, attackers and attack patterns and other malware trends with ISPs, government agencies, security researchers and companies which will foster an environment of research collaboration where the Internet community can fight together. Along with a real-time online forum, a graphical real-time map will also be created.

The technology used for National Cyber Alert System which is our flagship product, Advance Threat Protection Sensor (ATP) got developed out of the need to secure the internal IT network of Amity University from any dreadful compromise. And then because of the threat landscape that the national IT infrastructure faces today, the idea of National Cyber Alert System got originated. Though organizations have already deployed some kind of security solutions either hardware or software to safeguard their network from cyber threats and even ISPs have deployed several high end firewalls that block malware and attacks on ISP levels from reaching end users, only a few of them are doing analysis of attacks or malwares to understand the key reasons behind the targeting. So the National Cyber Alert System has played a pivotal role in gathering intelligence information, and passing real time alerts of targeted attacks.

Could you please elaborate more on the technologies used for the successful setup of the National Cyber Alert System?

The technology used for setting up of national cyber alert system is Advance Threat Protection Sensor (ATP-Sensor) which is in-house developed technology of CCFIS. It is a malware and targeted attack capturing appliance. It captures malwares and attacks targeted to any network infrastructure by simulating as actual network and deflecting attackers from actual network to itself (ATP sensor). Within this one device, it is possible to simulate 100 of servers, web applications and users and hence can replicate the entire network infrastructure. Whenever an attacker tries to intrude any network, the attacker is presented with two different networks. One being the original production environment network and another being the virtual monitored decoy of that network i.e. the ATP sensor. Our research proves that 70% of the times, attacker chooses to attack the network with weak entry points and hence will target the ATP sensor. Information about the attacker like IP, attack type, tools used, methodologies used, intentions, malwares, exploits, etc. are captured and are saved in the ATP sensor for further analysis. It generates a real time alert of attacks and identifies critical infrastructures that are being targeted. The ATP sensor also captures targeted malware and collects attack logs to analyze and do research analysis by reverse engineering. It also exposes the information of attackers, which further help us in forecasting future attacks and attack patterns.

What has been the impact of the system? How far does the cyber security system keep the cyber criminal away?

The first ATP Sensor got deployed at Amity Lucknow campus, and we captured a lot of malware and information about attacks. With successful results from the first deployment, we installed this ATP sensor in Amity University campuses of Noida, Gwalior, Jaipur, Manesar, Dubai and Singapore. While adopting different network topologies and different techniques each time to lure, attract and deflect attacker from actual network to this ATP sensor, we captured an overwhelming number of attacks and malware in a very short time span of 4 months after deployment. We received around 500+ malwares and more than 20 lakh attacks to our network. After analyzing all the captured malwares, we realized that most of the malwares were designed to work on Windows XP and some of them were information stealing malwares. The very next month, we received Windows XP 0day in multiple campuses and attacker tried to compromise many systems. But our ATP sensor gave us an alert one month before the attack happened and thus we were prepared.
Can you give us a small description of the expertise of your CCFIS technology team?

Our incident response team gathers all available information by assessing the incident or intrusion. We also identify the impact such as network down time, duration of recovery from the incident, loss of revenue, and loss of confidential information. We not only analyze the non-volatile data or data at rest that exists on a system, but also conduct Live-box computer forensics that gives us access to the entire running system, including the volatile information contained in the memory chips (RAM) and whatever is on the live hard drive. A computer’s volatile information, the data that is contained in the memory chips, is lost when we remove power from the system or shut down the computer. The information found in memory includes user names and passwords, encryption keys, instant-messenger chat sessions, unencrypted data, open documents and e-mails, hidden code like rootkits, registry information, and other critical evidence. The runtime information found in memory is critical to many types of investigations as it can help in providing contextual information about the target subject’s activity on the computer.

What is the next phase of the national cyber alert system?

The technology supporting national cyber alert system, ATP sensor can, as of now, simulate IT infrastructure & IT appliances. It can also emulate gas stations that are connected to Internet and various other SCADA appliances to capture SCADA based attacks and malware. In the next phase of ATP Sensors, we will work on artificial intelligence and will communicate with each other while simulating the IT infrastructure of the entire country. These ATP sensors will be synchronized on a common platform to generate automated alerts and share their captured data with each other to plan self-defense accordingly.

rashi.varshney@expressindia.com
OPINION NSN MURTY PWC INDIA
MAKING CITIES SMART

To make cities smart, we must make them “predictive”; and to make a city or a community predictive, we must integrate social, political, environmental, economic and sustainable parameters, powering it with technology
Bad roads, congested streets; no clean drinking water; garbage; unreliable public transportation; non-functional street-lights; crime against women, old people and children; pollution; wrong utility bills; inefficient public grievance centre; and above all, a lack of accountability at municipal administration. These are a few of the problems to which people of an unplanned, fast growing city, whether in India or across the globe, can relate. City leaders are always looking for solutions – both tactical and long-term – to resolve the challenges they face on a daily basis. When they do find and implement a solution to any of these problems, they have made a progressive move towards making a city smarter.

India too has taken up this challenge. Prime Minister Narendra Modi has brought the focus on urban revitalization by means of the Smart Cities Mission. 97 cities, competing in this program, are all beset by the challenges mentioned above, and have one thing in common: the desire to look at smart solutions to address those.

In order to make the cities smart, we must make them “predictive”; and to make a city or a community predictive, we must integrate social, political, environmental, economic and sustainable parameters, powering it with technology. In order to achieve this integration, city leaders need to analyze petabytes of data being thrown at them through several sources including sensors installed at various places. This data could include simple information from public grievance systems, or multimedia content from various cameras installed across the city. The most important part is how the city aggregates all this data, converts it into meaningful information, identifies patterns of events/issues, and comes out with the most effective but least-cost solution that can be deployed with ease.
A smart city must be both economy- and technology-driven, where smart solutions are used to improve citizens’ everyday lives. It is well established that without a viable business and economic plan, cities can neither maximize growth nor offer high class facilities. The first step is to generate awareness among city leaders as to the city’s state of affairs – its impediments and its potential. A smart city must have a strategic plan for expansion, and its planners must have clear goals toward job expansion and output, financial inclusion, and sustainability and flexibility. The plan must identify the city’s strengths and weaknesses, and have strategies leveraging exclusive industry specializations, modernism, education and skills development, land and infrastructure, and governance and public services.

All we need is a well-planned city Cockpit with an Integrated Decision Support System to assist authorities in handling the growth of a city as measured by indicators including potable water, clean air, social security, efficient buildings and reliable power grid. City leaders do make these decisions without the use of technology as well, but those are less effective and are often delayed. For example, a flyover may be proposed to ease severe traffic congestion, but the lack of data and information might be hiding the actual problem, i.e., non-availability of parking space leading to everyone parking vehicles on the side-roads, resulting in congestion. Data and technology-driven analysis gives power to the city leaders to take more effective decisions.

In order to create smarter, more livable and sustainable cities, the entire ecosystem must be unified with integration of technology at all levels. From real-time traffic management, to reducing hazards and costs associated with water and lighting, to locating available parking spots, to managing
energy in real time with smart meters on smart grid, to wearable health monitoring sensors – this is what essentially enriches the quality of life of people living in Smart cities.

Three distinct levels to implement smart cities have emerged from the international experience. The first step towards building a smart city is to have a physical telecommunications network infrastructure, comprising cables, wireless stations, servers, or routers. The second layer constitutes applications that facilitate operations in the city, such as traffic control. Several vendors may provide such applications, using the provided infrastructure. The third step is ensuring last mile connectivity of all.

For instance: In Barcelona, the mayor Xavier Trias enacted a smart city vision, with three fundamental pillars:
● Local projects: Focusing on better use of technology to improve citizens’ lives
● International vision: Creating a scalable platform to ensure that Smart City projects can be replicated
● Technology standardization: Launch of a city protocol (in July 2012) to drive how technology standards must be tailored specifically for cities.

Accordingly, mayor Trias created the Urban Habitat (smart city) department, which broke down the traditional silos inhibiting the delivery of next-generation citizen services. For example, the department now coordinates all of the services on a city street, from lighting to parking to road repairs, as opposed to different departments having responsibility for each area.

India’s Smart Cities Mission – under which 97 cities submitted proposals on 15 December 2015 – also needs to look at global best practices, learn from their mistakes and adapt to local conditions. The concept of Special Purpose Vehicle (SPV) within the Smart City Challenge Proposal is loosely built around the Barcelona model. The real test of this SPV will be when city leaders overcome internal resistance and give it the autonomy and power to plan, build, contract, operate and maintain projects. Technology will play a major role in this, as the SPV will help not only itself but also the city, state and the Central leaders to monitor its health and support its operations.

Most importantly, now is the time for technology and its providers to bring to India global best practices, smart solutions and use-cases. They must localize those solutions and make those easy to deploy, easy for consumption and above all, commercially viable.

– The writer is Director & Leader, Smart Cities, PwC India. Views are personal.
INTERVIEW VIMAL MANI CISO, BANK OF SHARJAH
A ‘DEFENSE-IN-DEPTH’ STRATEGY IS KEY TO COMBAT APTs

“We have a well defined information assurance program that helps us in ensuring that the critical data of our customers and the bank owned information systems remain safe,” says Vimal Mani, Chief Information Security Officer (CISO), Bank of Sharjah in a conversation with Ankush Kumar. As the CISO, Mani is responsible for the end-to-end information security program across the banking operations within the Middle East region.
How important is the role of Information Security in your organization?

Banking as a business involves the management of information security risks on an ongoing basis to avoid any subsequent financial and reputational loss. Security in banks, thus assumes significant proportions, comprising physical security in addition to the factors relating to security of information and information systems, all of which have an impact on the operational and reputational risks faced by banks like ours. We have a well defined information assurance program based on robust management and technical controls that helps us in ensuring that the critical data of our customers and the bank owned information systems remain safe.

How do you ensure that adoption of emerging technologies does not expose your bank to unforeseen risks?

We have a well defined IT GRC (Governance, Risk and Compliance) strategy and operational plan in place. These IT GRC strategy initiatives and plans are made based on thorough market and technology analysis that helps us in identifying new technology (Social Networks, Cloud, Big Data Analytics and BYOD) and process innovations from the industry. The information security and technology risks related to these technology and process innovations are assessed thoroughly in advance through well defined risk assessments. Based on the risks identified, appropriate risk mitigation controls are established in place to support the smooth implementation of these innovations in the bank.

What are the major issues that are bothering CISOs in recent times?

As a CISO, some of the key issues include: the increasing amount of cyber attacks and Advanced Persistent Threats (APTs), availability of right threat intelligence in right time, data leakage, lack of information security awareness among staff and management, and management buy in for new security initiatives.

To protect the bank from emerging cyber security threats and APTs, we have established multi-layer security controls in a 'Defense In Depth' approach which will include people, process and technology elements. This will include information security policies & procedures, hardening & patch management practice, endpoint protection suite, IDS/IPS, next generation & web application firewalls, periodic vulnerability analysis & penetration testing, information security risk assessments and ongoing information security training & awareness programs etc. Also, we have established agreements with UAE CERT and global cyber security consulting firms such as FireEye, Symantec, Kaspersky, McAfee for availing incident response services from them on an on-demand basis that will help us in addressing those attacks that will escape from the multi-layer security controls that we have established in place.

We have subscribed for periodic threat advisory with most of our vendors such as Microsoft Corporation, Cisco, Adobe and others. In addition, we receive a variety of threat intelligence feeds from industry on a daily, weekly and monthly basis. Such intelligence received helps us in planning for protective controls against emerging cyber security threats well in advance. In addition, we also get
threat alerts from the Central Bank of UAE on an ongoing basis.

We have a Data Loss Prevention (DLP) module configured as part of the McAfee end point protection suite in place. Also, we have disabled all flash and CD drives which helps us in ensuring that critical data from the bank doesn’t get leaked to the outside world. Personal laptops and PDAs cannot be connected to the bank's internal network which is well protected through appropriate segregation of networks. We have a Mail Marshal Solution which works as an email gateway server that does the appropriate filtering of outgoing and incoming mails. Based on content type and size, emails are getting regulated by this Mail Marshal solution which plays a vital role in data loss prevention inside the bank.

What kind of training and awareness programs do you hold for employees as well as customers?

We have established a well defined Information Security Training & Awareness Program which has identified specific training programmes for different targeted audience groups of the bank. Detailed training content for these identified areas has been developed and is then rolled into our internal online e-learning platform. In addition, we publish daily information security tips to our staff using desktop screen savers and on TVs kept in main lobbies across the floors of the bank. We also communicate information security tips to our customers through the monthly account statements sent to them from the bank. Also as and when we receive any threat alert from Central Bank Of UAE and from industry we keep communicating the same to the internal and external stakeholders of the Bank in an appropriate manner governed by a communication matrix in place.

We also have an information security committee in place which looks into the strategic projects driven by the information security function of the Bank. This committee is occupied by representatives from corporate functions such as Internal Audit, Risk Management, Compliance and business units of the bank. On a periodic basis, this committee meets and discusses the various information security initiatives in progress and identifies the support required. As a CISO of the bank, I am the secretary for this information security committee. We get the management buy in through this information security committee which works with both management and information security team as an interface.

How do you manage the process of sharing business critical data in your bank? What kind of incident response capability have you deployed?

We have a well defined data classification scheme in place. Various data elements used in the bank are classified using this scheme. Based on the classification and sensitivity level identified, each document will be labeled and provided with appropriate level of protection which enables a safe sharing of these documents with the outside world. Also the DLP solution in place ensures that no data element gets leaked from the bank. We have strong IT performance monitoring and incident response capabilities (SIEM & Contextual Security Analytics) established in place which are well supported by a state of the art technology stack. Also, we have periodic risk assessments conducted for the various IT systems used in the bank by our staff and affiliates. These arrangements help us in identifying IT performance issues and risks in a proactive manner and mitigating them in a timely manner.

ankush.kumar@expressindia.com
INTERVIEW VINOD BIDARKOPPA FUTURE GROUP
WE ARE AT THE CUSP OF A BREAKOUT OPPORTUNITY IN MODERN RETAILING IN INDIA

In the retail sector, technology can help in achieving one view of the customer and succeeding in an omni-channel strategy, opines Vinod Bidarkoppa, Group Chief Information Officer, Future Group, in a conversation with Ankush Kumar. Vinod is a global technology executive with over 20 years of experience in diverse operational and strategic leadership roles with consumer facing companies in the retail, airline/travel and banking sectors comprising global brands like Tesco, HP, EDS and American Airlines/Sabre. Some edited excerpts:

As you have recently joined the Future Group, what are some of your primary goals?

We have a great opportunity to lead the business from the front. What really matters is how well we understand our customers and how well customers (both external and internal) perceive our products and services whether in the store or across the digital channels. Technology is the key ingredient for the success of any business today and retail is no exception. Understanding the customer expectations, making their shopping trip experience simpler, delightful and bringing better efficiencies to our internal processes has been our real goal. And in order for us to achieve these, we need to have the right engineering (Architecture and Leadership) behind the projects we deliver - this will mean having a consistent and robust environment for delivering excellence. We need to constantly try and ensure standardizing and leveraging scale across our businesses. We need to reimagine how we can bring agility and simplicity in all aspects of our work. Agile methodologies such as Scrum and DevOps are the need of the hour. I am also keen to ensure we have the right people and training in place both at the leadership and in the technology areas to support our ambitions.
What are some of the immediate priorities?

The first is getting the technology for our customers, colleagues, store employees, warehouses for collaborating among 36,000 employees ourselves. We need to organize the portfolio of strategic projects, get the engineering behind and develop them in the best manner we can and get new products to the market in the least possible time. Second is addressing the talent aspect and help run the engine of this vast enterprise which relies on IT. I spend time thinking about how we can up-skill or hire the right talent at the leadership, technical and support level. Third is getting a standardized and converged environment so that we can build once and deploy multiple times across multiple formats/businesses.

You also have extensive experience in handling complex IT systems in sectors like airlines and banking. How has the transition from the airline to the retail sector been?

In my prior roles in the retail, airlines and banking sectors, I have witnessed how technology can create huge business opportunities. For instance, in an airline business, all employees have the same view of customer data, whether it's accessing a company website or a kiosk, a call center or the travel agency. Everyone knows whether a particular customer has a silver, gold or platinum membership. Therefore, airlines as a business can monetize on that customer information. In the retail business, we are on the same trajectory. It's about employing an omni-channel strategy which helps to achieve one view of the customer, order and inventory (Stock) where technology becomes a key enabler to implement the business processes. Loyalty drivers and apps such as Big Bazaar Profit Club, Future Group Shopping Festival, Mobile Digital Wallet partnerships (Mobikwik), T24, Online and Mobile formats (Ezone) all these are pure technological conveniences. It’s difficult to imagine a world in retail which can run an enterprise as large, complex, as distributed as ours without the secret sauce of technology. Further, technology also helps us to analyze customer preferences and choices through the use of data science and personalize offers.
What are the technologies that you believe can truly revolutionize the retail business in India? How are these technologies being used at the Future Group?
If you look at the Retail Reference Framework across the plan, buy, move, and sell processes, there is ample scope to drive massive change by employing technology. Broadly speaking there are things that can be done to improve the efficiencies of the internal operations - be it in the head office (enterprise planning, merchandise planning, assortment planning, product life cycle management, intelligent promotions and markdowns, RFID, auto replenishment) and warehouses (intelligent warehouse management and transportation and distribution) to name a few. Equally, there are a number of customer conveniences that can be brought in through technology both offline and online. Digital shelf edge labels, mobile POS, digital kiosks in the stores and whole gamut of online and mobile conveniences to make the shopping trip easier. Today, at the Future Group, we are either actively evaluating, or have implemented all of the above.
How do you see the role and impact of technologies such as Big Data and IoT in the retail business?
Big data is no longer just a “hype”. The industry has cut through that hype cycle a year ago. Today, we are talking about IoT, and according to Gartner, the market will be 20.8 billion worth of connected devices by 2020. At the Future Group, we are in a place where we are mining and analyzing a lot of data. Today, we have more than 30 million customers who use our loyalty program. We collect the sales data for all the transactions, and we bring it back into a data warehouse or into the databases. They have the ability to crunch this data and build insightful business models that tell us how we need to be selling and marketing in the future. We are in a very good position to harness and crunch all data that proliferates. It helps us make meaningful decisions. For us, Big Data is immensely relevant and we are already sitting on heaps of data which we want to analyze correctly and accurately.
How is the company maintaining privacy and data protection to safeguard sensitive information of its customers?
Ours is a retail business and like any other business dealing with customers, we need to have effective security practices, policies and frameworks in place. We have implemented DMZ (demilitarized zone) security rings where we interface with external systems. Customer details are masked when data leaves secure zones. PCI compliance is mandatory. Data needs to be dealt with utmost care and we also make it a practice to keep our colleagues aware of the need for the same. I believe we are at the cusp of a breakout opportunity in modern retailing in India and Future Group is uniquely positioned with a vast network of hypermarkets, super markets, convenience stores, digital stores all supported by industry leading loyalty program(s) underpinned by a strong workforce and technology to propel us into higher orbits.
ankush.kumar@expressindia.com
INTERVIEW
SHIV KUMAR BHASIN STATE BANK OF INDIA
CLOUD COMPUTING HAS BROUGHT IN AGILITY FOR SERVING END CUSTOMERS
The State Bank of India is not only the largest bank in India, but its work for the Government requires it to undertake large scale and critical initiatives such as LPG Subsidy, and Jan Dhan Yojana. To ensure high availability of IT services, the bank undertook a massive technology transformation drive, which allows it to provision IT infrastructure quickly for initiatives such as mobile banking and mobile wallets. In an extensive interaction with Express Computer’s Srikanth RP, Shiv Kumar Bhasin, Chief Technology Officer, State Bank of India, shares how his bank is getting ready for competing in the digital era using technology. The bank has been one of the most aggressive adopters of technology, and after virtualizing its servers, it is now looking at virtualizing the network, using technology from VMware. The bank has deployed the VMware vCloud Suite, a cloud management platform that helps enterprises in managing a heterogeneous, hybrid cloud. The bank has also deployed VMware NSX, a network virtualization platform that delivers the operational model of a virtual machine for the network. Similar to virtual machines for compute, virtual networks are programmatically provisioned and managed independent of underlying hardware. Some edited excerpts from the interview:
Can you describe the state of IT infrastructure prior to your organization’s virtualization drive?
A large amount of our IT infrastructure was proprietary infrastructure, which created a number of challenges. One of the key challenges for us was the large procurement cycle for the hardware and which led to fulfilment of the hardware time, anywhere between 6 months to 9 months. This brought down the agility of any services or applications roll out to the business. As we had a proprietary infrastructure, we needed highly skilled
staff which banks normally don’t have. Different platforms demanded different types of skill sets, which meant maintaining an army of experts or outsourcing it to a third-party services provider. As these were proprietary skill sets, it led to high cost of maintenance, which in turn used to increase the operational cost for the bank. On top of this, the legacy IT infrastructure used to occupy a lot of data center space as well. So, in summary, the operational costs were high, highly skilled staff were not available to maintain the proprietary
infrastructure and agility to roll out the new services or fulfilment of the business requirements were very low.
How did you actually start about addressing this? Can you describe the initial stage of your virtualization journey?
One of the key concerns was the agility because whenever there was a new business launch, the first roadblock used to occur that we did not have the required hardware. The procurement cycle for buying the new hardware was long, which in turn affected the launch of the business
service. To address this, we decided to build our own internal private cloud. We believed that by building our own cloud, we will be able to bring in a lot of agility and it will bring down the go-live time for a huge number of business services and the applications. We have hence standardized our cloud platform on x86. Today, thanks to the cloud, we have cut down 7-8 months of the procurement time. We are now able to provision infrastructure quickly with a faster time to market. Also, the cloud has helped us in addressing some of our business peak requirements. For example, we can now do performance testing during peak periods without impacting our production environment. Today, we are running live applications on the cloud. We have our Kiosk Banking running on the cloud which has 60,000 registered users and out of them 20,000 concurrent users log in daily. And we have our Digital Wallet and SBI Buddy deployed on the cloud which has got now more than 2.5 million registered users. Similarly the Wealth Business which we have launched recently is also running on the Private Cloud. All these developments we have done in the last 12 to 14 months. As one can see, the cloud has really brought in a lot of agility for serving the end customers.
How much time does it take to provision a new server?
We use our private cloud for auto provisioning, and we can spin up a virtual server within 2 to 3 minutes. Being a PSU, we were earlier using a lot of paper and approvals were taken on memos and then they were given to the data centre department, which then procured and built the servers. The life cycle of the memo used to be a couple of weeks. So now it has been brought down to a few minutes. The moment the request is raised, it goes to a workflow and the authorizer approves it, then within a couple of minutes post authorization, the server is ready. And we are working on the Platform-as-a-service this year in our Private Cloud. We have standardized Oracle on Linux.
Hence, Oracle is made available to the users, to the developers, so that they don’t need to deploy Oracle themselves. It is a standard configuration where depending on the application, whether it is a customer facing application or staff facing application, whether based on the Internet or an Intranet application - we have standardized our configuration of the hardware. This makes the provisioning of the resources or IT resources to the development staff in a faster way.
What do you think has been the impact on productivity in terms of your own staff and the skill challenge that you mentioned?
Yes, actually the productivity has gone up tremendously. We have standardized the
environment on x86. For virtualization, we are using and Linux as the OS across the organization. It has reduced our need for having multiple platform experts. This has helped us in optimizing our workforce across the organization. For example, earlier we had experts in silos. Each department was having their own Unix and Windows expert. But now we have consolidated the teams of the operating system administrators. Hence, it has helped us in optimizing our staff as we need to just focus on one set of resources and one set of skills, rather than hunting in the market for some 3 or 4 skilled set resources.
Can you talk also about the network virtualization part?
Yes, we are using the network virtualization for multiple purposes. One key reason is to use the network in the most optimistic manner, so that virtual LANs could be setup for the various applications and the available bandwidth could be most optimized, and utilized across the applications by sharing the same LAN network. We are getting our Digital Wallet certified for PCI DSS Compliance and that’s where we are finding the NSX implementation is coming handy to us because this is deployed on a shared cloud which is a massive cloud. As the NSX technology ring-fences the Wallet Application, the PCI DSS compliance scope becomes the virtual boundary across this application. NSX is helping us to go in for a very large cloud. For example, SBI has more than 1,500 VMs while my Wallet is consuming only say 25 VMs out of 1,500. So, we are able to certify our application on this small subset of this infrastructure as well.
What is the implication on security?
It helps us to do data segregation, although we have not yet deployed. But we are looking at this use case where some of the countries have a requirement where the database should not be shared and the data during transition should not be shared.
So, we can have a multi entity deployment of the applications where the data could be segregated on the network level as well. Similarly, for the test environment, we can set up various zones in the same physical hardware. We are able to segregate our various test environments using NSX, so that also helps us to do the data segregations in a secure manner.
Any view on DR? How would it impact Disaster Recovery?
We require the hardware on that DR side on the same amount, but the best part is that by using VMware technology, you are billed only for the licenses which are in use at that time. And normally the DR is running all the applications which are carried out by using VMware, and it keeps the VMs in sync in DR location as well. We get charged only for the licenses which are used in production. So that brings huge savings and having the highly available DR, where not only the database but the complete VM is replicated at the DR. So it brings all your local file systems and all the file based interfaces. Everything is getting replicated on DR. So it really gives you the full DR rather than on configuring multiple separate isolated interfaces to achieve the full DR. The VMware DR capability brings the full compliance with the 100 percent DR to meet the regulatory requirements.
Can you share some specific numbers on the cost saving or anything what you have measured internally due to moving to the private cloud?
Roughly we see that we are using 1 physical CPU to 7 virtual CPUs. And normally the industry standard is 3 to 4, so we are leveraging cloud quite efficiently. Our efficiency in using the cloud is twice the industry standards. So that is one big advantage by using the private cloud. When we look at the overall utilization of the boxes or how much hardware we would have ordered, based on last year versus 2015, we would have roughly ordered 4 times the hardware, had we not done the cloud implementation to run the sheer amount of applications. This is what our analysis tells us.
Would you also like to mention, any other big complex applications which are running out of virtual machines apart from the ones you mentioned?
Yes, actually we have lot of our applications on the cloud. We are moving our cash management applications on the cloud and we have support applications which are used in branches, such as Online Account Opening. If you go to any branch of SBI, there will be an Internet Kiosk where you can apply online for the account opening and then you can take the print out and go to the teller because there is a physical paper requirement and signature on the paper as per regulations. This data travels through the core banking system automatically. On a daily basis, around 2 lakh applications are pumped in, and this application is deployed on cloud. So this is one of the very big applications because this is utilized by the end customer from the branch channel. The SBI Buddy is run on virtual machines and SBI Wealth is also run on virtual machines. SBI Kiosk Banking which is used by 60,000 users and 20,000 login concurrently is run on virtual machines. There are actually some of the payment applications in the Cash Management, which process something like 24,000 transactions in 3 minutes. So these kinds of applications are also getting deployed on the private cloud.
srikanth.rp@expressindia.com
INTERVIEW MRIDUL SHARMA INDUSIND BANK
“INDUSIND IS ONE OF THE FEW BANKS TO HAVE ADOPTED A BIMODAL IT APPROACH”
The Bimodal IT approach enables the bank to concentrate both on keeping the lights on kind of operations, and in working on disruptive projects based on industry developments, says Mridul Sharma, EVP, Head Technology, IndusInd Bank in an interview with Abhishek Raval.
Most of the banks, more or less offer the same services, they are into the same kind of businesses. However the differentiator is in the way they serve the customer. Your viewpoint?
We haven’t created any buzzwords. All of the innovations that IndusInd bank embarked upon have been taken to its logical conclusion. None of them suffered a miscarriage. The initiatives should be usable, long term and for the customer. Apart from the usage factor, the design is also important. For e.g. The feature at IndusInd ATMs to withdraw money in the denomination of the user’s choice, ₹ 100, ₹ 500, ₹ 1000; The facility for customers to have an account number of their choice. We don’t settle our eyes on anything that doesn’t serve the customer. Our view is from his standpoint. Even a small change or additional feature is well appreciated by the customer, if it serves the purpose. It doesn’t have to be always something big.
Please elaborate on the Bimodal IT approach taken by IndusInd bank in 2015?
In 2015, we have launched a Bi-Modal IT structure. It essentially means the combination of foundational IT, which is applications, infrastructure with the digital and trying out new innovations in the space. The Mode 1 consists of
applications, infrastructure and Mode 2 is in the lookout for innovations. I am responsible for the Bimodal strategy. In the Bi-Modal space, occasionally, there is a conflict between the two modes because both the modes run at a different pace. Mode 1’s objective is to keep the lights on, security and stability and the Mode 2 wants to challenge the status quo and disrupt. They are looking for scorching pace - they want to cut TAT and talk in terms of hours while the Mode 1 is still talking in terms of weeks. The Mode 2 wants the ports to be open often for them to try things out. The Mode 1 team might not allow that. I have to make sure that both coexist. The security and the stability has to be ensured and still be able to actualise the innovation work. The way we have structured the Bi-Modal IT is: Mode 1 and Mode 2 are joined at the top. I try to maintain a balance between the two. We are one of the few banks to have adopted this approach.
How does cloud technology fit into the bank’s operations?
We are actively looking at cloud. Not just for the buzz of it but how can cloud provide a better user experience because it results in an infrastructure which is more resilient and scalable for the bank to match up to the peaks and troughs of customer demand. We have already started on this journey. This year we may have some of our services running on the cloud.
The graph of the number of mobile banking transactions is only going up. What are your plans?
We are working on some mobility initiatives. The bank is ready with a next generation app with an intuitive end user experience. A wallet is introduced in the app from which, the balance can be checked. Moving on, the customer can log in to the main account and conduct other transactions. The app is designed such that it’s simple to use. We have invested in a mobile application development platform because we don’t want mobility to be an unmanageable mammoth. It should not be that changes done in the code of one platform affects other platforms too, resulting in complexity. Thus the mobility platform will be on a single code base. At the same time, the experience will remain the same. It’s a win win for the customer and the bank too. Payments is another area. We will soon be entering into partnerships based on what the bank is good at and what the Fintech space has to offer. On the core IT side, the industry is undergoing some foundational changes. The way IT infrastructure can be run,
viewing from a physical infrastructure point of view. Software defined networking is an important development in this space; Hybrid cloud computing, running some infrastructure on premise, some on the cloud. These developments are work in progress at IndusInd bank. The baseline - we will look at whatever best comes our way but carefully choose only that provides reasonable value for the customer. Not getting carried away by irrational exuberance.
According to KPMG's recent survey, 72% Indian companies faced cyber attack in 2015. It was also alarming to note that 54 per cent indicated that spend on cyber defences is less than five per cent of the IT spend. Your take?
It’s upon the CIO to make the board understand the importance of IT security. We have our perimeter security taken care of. Adequate security measures have been put in place for the end points, mobile device management and for network security. In the current times, the way cyber security scenario is emerging, it’s getting converted into a lucrative business opportunity. In times, when it’s said that the next war will not be fought in the physical world but in the cyberspace and banking being one of the mission critical infrastructures of any country, it will also be targeted, we look at cloud to address the issue of security to a large extent because a cloud service provider will have a much larger resource prowess of technologies than any individual organisation can have. The security organisations have larger stakes and they have economies of scale to implement technologies to the full infrastructure. Now, from a cloud standpoint, when the sovereignty issues are also being tackled from a data center perspective, the cloud data centers will be able to provide much better security posture to institutions than what they can do on their own.
abhishek.raval@expressindia.com
INTERVIEW SUBHRANSU MOHANTY EVEREST INDUSTRIES
EVEREST INDUSTRIES ADOPTS SUCCESSFACTORS FOR BETTER SECURITY, SYSTEM RELIABILITY
Subhransu Mohanty, Head HR, Everest Industries discusses what’s humming in the HR function in the company. Among other activities, Subhransu Mohanty says that the introduction of SuccessFactors will sharpen the security of the employee data and help in consolidation of different location specific systems working in silos.
As Head-HR, can you take us through some of the recent HR related initiatives?
Everest Industries has kickstarted a middle management development programme in partnership with IIT-Delhi. The company wanted to groom the middle management leadership pipeline to meet the current and future business needs. There are about 600 officers in the company’s middle & junior management hierarchy. A selected few were shortlisted for the programme for one year. The officers were selected after recommendations from all the business verticals and also undergoing tests at the IIT-Delhi, for which the company provided facilities for pre-test preparations for Group discussion, aptitude tests, behavioral tests. The eligibility criteria were set that the employees should be less than 35 years of age and working with the company for not less than three years and very good ratings in the last two performance appraisals. From the forty officers who were shortlisted from the company to give tests at the IIT-Delhi,
nineteen select officers passed the tests and made the cut to attend the middle management development programme. They were convinced by HR, their Business Heads, and Senior Management Team of how their participation in this middle management development programme will help them unfold a clear career path and also help Everest Industries achieve its desired goals. We didn’t just stop at learning, but took it to its logical conclusion. Each of the nineteen employees were teamed up with the individual mentors, who are a part of the senior leadership team. They belong to the same subject matter of expertise as the employee. The mentors at Everest Industries did preparatory sessions at the IIT-Delhi, and they are further aligned with the nineteen employees. Hence the mentors are adequately engaged in the leadership development of the mentee. By doing so, they also have a track of what the leadership programme is all about to further align their coaching in sync with the programme in order to get the best results. The programme consists of seven days of in house classroom training per quarter at IIT-Delhi. Subsequently, there is a weekly work assignment for 3 months for 2 Modules. So far 3 modules of 9 months were covered and final module is in progress. After a few sessions, we converted this exercise into a group activity. The nineteen employees were asked to group themselves into four, each having a mentor from Everest Ind and a project leader, who was a subject matter expert from IIT-Delhi. Each group was given a function related problem, the company might face and asked to suggest their recommended solutions. The employees in the process of solving these problem areas also engaged in a dialogue with other stakeholders of the company based on the problem solving methodologies learnt in the leadership development programme. Based on the Project learnings currently the team is focusing the execution of Programme
across our organisation, consisting of multi manufacturing facilities/marketing zones across India.
Your firm has recently implemented SAP SuccessFactors. Can you elaborate on how this implementation will help your firm?
Everest Industries will be using SuccessFactors for performance management and employee central. It covers an employee’s hire to retire HR process. There are many reasons for implementing SAP SuccessFactors. Everest Industries uses the SAP ERP. Currently, the operations, marketing, billing and many other processes are handled on SAP. Secondly, we had concerns about security on the Performance Management System (PMS) on our e-connect platform, which is a Sharepoint system. In some cases we have observed that it’s easy to trace the passwords of other employees. With SAP, the security management is very transparent. In case of changes, it’s possible to track the person who made the change, and which IP address was used. This feature acts as a deterrent for the potential wrongdoers. Also, SAP is a huge brand and scores high on system reliability. So, from a long term perspective, we thought, it’s better to adopt a solution that can bring in long term benefits. Another challenge with the current solution is, while it empowers employees to record a number of employee related transactions, there is no control. Thus, leakages are expected with location related systems working in silos. The SAP system allows multiple locations to be integrated and provides a consolidated employee view across all the locations. The systems can be tracked.
Can you tell us some of the future HR related plans at Everest Industries?
The successful implementation of the performance management solution is our top priority. It will help us align the employee’s goal with the organisational objectives. Moreover, the PMS will enable the percolation of the company goals down the hierarchy and allocate it to various departments. The system also enables seamless availability of information for the top management to take corrective actions. My interim plan is to prepare some pre-derived templates for a certain kind of communication. The objective is to be specific with the purpose and avoid any miscommunication. The plan is also to integrate the knowledge management (KM) and the learning & development (L&D) portfolio aligned in the system in near future.
abhishek.rawal@expressindia.com
OPINION VIJAY KANNAN PWC INDIA
WILL YOUR DIGITAL STRATEGY DRIVE TOP-LINE GROWTH OR REAL DISRUPTION?
A survey by PwC on digital initiatives has revealed interesting insights
Digital technologies are impacting industries and businesses alike. Leadership’s desire to capitalise on digital technology is so strong that it’s disrupting the enterprise operating model, as evidenced by shifting spending patterns, new digital roles, and undefined working relationships. Since 2007, PwC’s Digital IQ survey research has asked one simple question: What actions can leaders take to confirm their digital investments deliver and sustain value? To get to the answer, PwC studies the practices and performance of global companies, drawn from the experience of nearly 2,000 business and technology executives. This year, 10 critical attributes have been identified that correlate with stronger financial performance and this is what comprises the digital IQ score. The survey found that companies with high digital IQ scores (those in the top quartile) are twice as likely to achieve rapid revenue and profit growth compared with the laggards in our study. Let’s summarise the facts and findings on the Digital IQ of Indian enterprises vis-à-vis their global counterparts.
Lack of a common definition – What is Digital?
70% of executives in India say they consistently measure outcomes from digital investments
According to the survey, in India, more than half (55%) of the companies surveyed viewed digital as technology innovation-related activities versus 53% globally. While a large share of global companies (41%) said that digital means investments being made to integrate technology into every part of their business, only 29% of their Indian counterparts agreed with that statement. And nearly half (48%) of the respondents in India said that digital is synonymous with IT (globally, 37%), while 39% believed that digital refers to customer-facing technology activities.
Leveraging digital investments for better customer experience & revenue growth
In India, 43% of the respondents pointed to creating better customer experiences as the most important consideration for digital investments, and 49% see revenue growth as a priority. To meet these goals, companies in India are spending somewhat aggressively, with 34% allocating more than 15% of revenue to digital investments (globally, 31%).
New and evolving roles – Chief Digital Officer
Where enterprise technology used to be the sole domain of the Chief Information Officer (CIO), there’s a shift happening in many organisations, with the traditional CIO role fragmenting across new and existing leaders. Some companies are appointing Chief Digital Officers (CDOs) to lead digital transformation efforts. 41% of the respondents from Indian companies suggested that in three years’ time, the CIO may be tasked with only internal IT efforts with limited influence over digital investments, and only 12% suggested the CIO will be leading enterprise digital investments and efforts, including innovation and market-facing initiatives.
Digital IQ Attributes – India Vs Global Companies
CEO Champion
The CEO is the natural leader as the focus on technology has shifted from operational efficiency to growth, and the stakeholders and conversations have changed. CEOs have ambitious expectations for digital, prioritising disruption much more highly than the rest of the executive team. Nearly three quarters (71%) of business leaders in India point to their respective CEOs as champions for digital, as opposed to 73% globally.
Digital Leaders Set Strategy
CEOs may set the tone and vision for digital, but those responsible for operationalising digital, often the CIO or CDO, are instrumental in setting high-level business strategy. For some organisations, one effective way to foster co-development of strategy is through new organisational structures. A global healthcare company, for example, created a digital council that brings together the company’s dozen CIOs and CMOs. 67% of companies in India say that the executives responsible for digital are involved in setting high-level business strategy (globally, 77%).

Executive Team Engaged
Beyond the CDO and CIO, the rest of the C-suite must also weigh in on—then buy in to—the strategy. Being on the proverbial same page means there’s greater likelihood to maximise investments, enabling the organisation to identify areas of overlap and bring to light any resource gaps that could derail efforts. Nearly 9 out of 10 (88%) of the respondents in India say their digital strategy is agreed upon and shared with its executive team, with the global number at 80%.

Strategy-sharing Across the Organisation
Indian companies seem to be doing a much better job on organisational alignment on digital, as a business-aligned digital strategy is agreed upon and shared enterprise-wide at 80% of the companies in India, compared with only 69% globally.

Outside-in approach
Top-performing companies take an outside-in approach to innovation, leveraging the considerable knowledge base of other innovators, such as vendors or customers, to uncover and apply new ideas for using technology. A small percentage of companies, those looking to disrupt their own or other industries, take an even more rigorous outside-in approach with a broad view of innovation. 65% of companies in India actively engage with external sources to gather new ideas for applying emerging technologies, in line with 64% globally.

Driven by Competitive Advantage
Actively engaging and learning from many outside sources creates an opportunity for market differentiation. Some of the most strategically important technologies companies are investing in are cybersecurity, data mining and analysis, data visualisation, and digital delivery. More than three-quarters (77%) of the respondents in India make enterprise investments primarily for competitive advantage, in line with 76% globally.

Effective Use of Business Data
Getting value out of the data you capture often means using it to guide strategic decisions like how to grow the business or whether to collaborate with competitors. Value-added data from third-party sources (71% versus 78% globally) tops the list, followed by mobile customer interaction data (65%) and location-aware data (64%), as the key sources of data being harnessed by Indian companies.

Proactive Cyber Security
Keeping pace with security and privacy issues is another ongoing challenge, and one that all companies contend with in their ecosystems. One way leading companies do this is by routinely including risk managers and security leaders in conversations about new product and service development, especially those taking advantage of emerging technologies like the Internet of Things. More than three-quarters (76%) of companies in India say they proactively evaluate and plan for security and privacy risks in digital enterprise projects (globally, also 76%).

Digital Roadmap
More than half (58%) of the companies in India say they have a single, multi-year digital enterprise roadmap that includes business capabilities and processes as well as digital and IT components (globally, 53%). One reason for the low global number is the lack of the right skill sets. Just 55% of global executives said their organisation had all the technology skills needed to deliver on their enterprise vision.
Consistent Measurement
Business leaders demand to see the value they’re achieving from digital investments. Demonstrating this requires a combination of traditional metrics (like ROI) to track against growth goals, as well as newer ones for measuring more disruptive investments. 70% of executives in India say they consistently measure outcomes from digital investments, with a slight edge over the global number of 72%.

Businesses have embraced digital technologies and expect investments to drive growth and create competitive advantage. While it is pertinent that digital technologies will drive innovation, even the best of the best technologies cannot deliver success without a structured approach and a well-defined strategy. Enterprises will have to develop a comprehensive strategy around the manner in which they wish to organise their traditional business model to become a true digital business and identify ways to achieve the best possible results from it. Most importantly, enterprises need to integrate digital into the fabric of their corporate culture.

- The author is Director-Digital, PwC India
NEWS ANALYSIS
IT in Healthcare
HPE SEES HUGE GROWTH IN CLOUD ENABLED eHEALTH CENTERS
Using the power of cloud and mobility, HPE has seen its eHealth centers cater to more than 1,36,000 patients in a short span of less than four years
BY SRIKANTH RP
Though India has progressed well on most economic parameters, the doctor-patient ratio in India is still less than the WHO-prescribed limit of 1:1000. As India seeks to provide effective healthcare to all its citizens, the role of technology in lowering the gap and providing quality healthcare will become even more significant. Says Lux Rao, Chief Technologist, Technology Services, Hewlett Packard Enterprise India, “Healthcare in India has been found wanting in rural areas. Availability of quality doctors and access to healthcare infrastructure facilities is a common challenge.”

To resolve this issue, HPE has taken a different route. The firm has understood the significance of the role of the paramedics on the site. The firm has designed an online training system that ensures that paramedics are trained on technology usage skills, domain skills and soft skills to help them do their jobs better. Using technologies and tools such as the HPE VideoBook, which provides video-based learning and online assessment, the training module forms a critical cog in running the entire e-healthcare operations smoothly. Paramedics are hence the point of interface, with doctors available on video.

“We have designed a mobile e-healthcare unit that provides similar care to citizens who are in far-flung remote areas or are immobile. The kit is highly portable and works in conjunction with a tablet computer and is capable of working offline via Bluetooth or USB connectivity. The data thereafter is automatically uploaded to a cloud-based platform. This ensures an integrated approach and a system that is unified and free of human errors,” states Lux Rao. Using this solution, all vital health-related statistics of a patient (blood pressure, pulse, ECG, glucose levels) can be recorded and transmitted. Using IoT, the firm can even measure the usage of these devices and equipment.

Most technology solutions have traditionally faced challenges as they have been designed as isolated automation islands. As HPE’s solution has been built on open standards (OpenEMR), it has alleviated the problem of technology adoption by integrating devices, processes and resources into a seamless solution. As the electronic medical records are stored on the cloud, physicians hundreds of miles away can provide a remote diagnosis, reducing the need for highly skilled medics on-site.

The impact
Installed in over 46 locations, the eHC has in a short span of less than four years catered to over 1,36,000 patients. From just one eHC in 2012, the number of eHCs has gone up to 46. Today, more than 1 lakh patients who did not have access to primary health care are now experiencing access and availability of healthcare comparable to metro standards. More importantly, ready availability of patient records on the cloud has ensured that cases tending to become critical are immediately addressed by competent doctors. In addition, any epidemic outbreak and geo-specific ailments are instantly identified thanks to real-time analytics and insights. As data is aggregated and stored on the cloud, it helps policy makers understand the big picture so that they can better shape future healthcare policies. Given the dismal doctor-patient ratio in India, HPE’s solution could prove to be a significant catalyst in encouraging innovative models for delivering affordable healthcare.
srikanth.rp@expressindia.com
INTERVIEW VIVEK GAUTAM IDC INDIA
SECURITY FEATURES ARE INCREASINGLY BEING EMBEDDED INTO PRODUCTS
With a huge focus on digitization, cyber security is getting heightened attention from businesses and governments. In an interview with EC's Mohd Ujaley, Vivek Gautam, Research Manager, Software & Services, IDC India says that increasingly business leaders are becoming concerned about data security in their organizations.

What trends did you witness in the enterprise security business space last year?
In 2015, we saw cyber security getting heightened attention from businesses and governments alike. Increasingly business leaders beyond CIOs became concerned about data security in their organisations. As a fallout, we saw security budgets swell. Also enterprises started realizing that having best-of-breed security products doesn’t mean they can’t be breached. Not only do they need to continuously monitor threats but also be prepared to swiftly respond to contain the severity and length of attacks. From a products or technology perspective, two key trends were noticeable. Firstly, security features are increasingly being architected or embedded into products. For instance, Windows 10 has Windows Hello, a biometric technology that uses fingerprint, iris, and face recognition as an alternative to passwords. Similarly, Cisco announced new offerings with embedded security across the network. Secondly, the notion of security as a platform, as against a series of point products or devices on the network, gained traction.

What's the outlook for the enterprise security business segment for 2016?
The outlook for the overall enterprise security space is healthy. IDC estimates the India security software market will grow at around 12% in 2016. Faster growth is expected in the security services space. On the security appliance side, our estimates indicate growth in higher single digits. In terms of various segments, network security, end point security including mobile, and identity & access management are expected to lead market growth. Similarly on the services side, we are seeing good uptake of managed security services.

From an enterprise perspective, which verticals are primarily propelling the demand for the enterprise security business?
From a vertical standpoint, banking & financial services and IT & ITES are key drivers of the India IT security market. In addition, manufacturing, especially pharma, engineering design, and government including defense are also contributing to overall demand in good measure.

How have technology trends such as cloud, mobility, virtualization, BYOD impacted the overall enterprise security business in India and globally?
Adoption of this new style of IT characterised by cloud, mobility, social, analytics etc. have waned the traditional boundaries of organisations. Today we have employees and even business partners accessing corporate data and applications via multiple devices and platforms. With more applications being put on cloud and BYOD, IT administrators may not always have full visibility and control of security policies and practices being followed by employees and third party providers. For instance, most often information or data traffic from mobile workers doesn’t even cross corporate networks. All this has added to the complexity of managing security and in turn pushed the market growth higher.

How do you look at the recent European Court of Justice Judgment which termed the data transfer pact between US and Europe invalid?
The European court’s judgment is more on the data privacy issue and may have ramifications from a regulatory perspective. Fundamentally, the judgement termed the Safe Harbor agreement flawed and upheld EU citizen’s “right to privacy”. As such, it may not have any direct imminent impact on security market dynamics. However, to comply with the ruling, large companies like AWS, IBM, Facebook, Google etc. may not be able to transfer data freely. This will drive the demand for data center space in EU countries and indirectly the demand for data center security products & services.
What are the major challenges that enterprise security businesses face today and how can they be overcome?
The most prominent challenge enterprises face is lack of skilled security professionals. Shortage of qualified personnel puts pressure on IT departments to recruit, train and retain critical staff. So managing an in-house team of security professionals can be a costly affair, especially for SMEs with limited financial resources. To overcome this challenge, organizations are increasingly relying on managed security services. Such services not only provide access to a trained workforce but are also cost effective. Managed Security Service Providers (MSSPs) are able to spread investment in analysts, security software, hardware and facilities across multiple clients, reducing cost per client.

mohd.ujaley@expressindia.com
COLUMN OLIVE HUANG GARTNER
HOW TO CREATE A COMPELLING CUSTOMER EXPERIENCE VISION
Gartner's 2015 CEO survey identified customer experience management as the top priority for technology investments over the next five years. Analyst Olive Huang explores the importance of having a compelling customer experience vision
Organizations today are seeking new ways to engage customers, drive new sales and increase customer satisfaction by providing engaging customer experiences. A customer experience initiative that lacks a strong, clear vision often fails to achieve its intended result. It’s important for an organization to create a compelling customer experience vision and socialise it throughout the company.

A clearly defined and communicated customer experience vision gives a sense of purpose for employees. They want to be part of something that is bigger than they are and want to know "what is in it for me?" Companies like The Ritz-Carlton Hotels, Zappos and Singapore Airlines are famous for their customer service and, in particular, their friendly employees.

Unfortunately for many organizations, creating an effective customer experience vision is a challenge, even though it is a fundamental step to create a customer-centric enterprise. It’s often difficult to engage all stakeholders to work together to develop a vision and strategy because the customer life cycle cuts through many different departments and functions. In addition, adoption often suffers from the organization's inability to communicate to employees the necessary changes that come with that vision.

Four key attributes of a customer experience vision
There are four attributes that are consistently mentioned by our clients as the most important to craft a compelling customer experience vision:
● It makes an emotional connection with customers and employees.
● It provides a compelling value proposition that differentiates the company from competitors and shows the organization understands what its customers want.
● It is simple and intuitive – it needs to concisely state the purpose and be easy to understand.
● It demonstrates commitment and sets customers' and employees' expectations.

Bring your customer experience vision to life
Once you have a vision for customer experience in your organization, it must be understood internally to have any impact. Communication is the key. Your vision becomes the employees' common purpose when they are able to associate it with real-life examples and personal feelings. To make that happen, you need to:
● Make it real and believable: Communicate the vision using stories. Link the vision with the question, "What is in it for me?" People feel passionate about things that have a personal impact, and passion will drive employees to go the extra mile to exceed customer expectations.
● Paint a picture of the journey: Tell your employees and partners why they should embark on the journey and where they are going. Also make it transparent to customers.
● Find champions: An organization needs to find champions to "walk the talk" and be passionate about the vision. The leaders of the organization are not the only ones who need to be the champions; so do the employees, who are the role models and strong influencers in the customer service teams. They need to be identified and made visible.
● Communicate value, purpose and impact: Formalise a strong message. Organizations need to tell their customers, employees and partners about the compelling value proposition differentiating their companies from their competitors. Communicate (externally and internally) the progress of the implementation of the customer experience vision, and the impact on customers.
● Form active communities of practice: The purpose of these communities is to synthesize employee insight about the customer experience and funnel it back to management — the community should have direct access to a senior leader to create the feedback loop.

Implement across multiple departments
To be successful at creating great customer experiences, the organization needs to work as one — organizational collaboration is required. This is where the vision helps to guide everyone in the same direction. Typical roles and departments may be focused on only part of the customer life cycle. As in all companies, there is a collection of senior executives that have clearly defined roles and responsibilities. However, this doesn’t always ensure that they are focused on the customer, because their roles and departments may be focused on only part of the customer life cycle. IT leaders we’ve spoken with agree that top management is the key driver to create a customer experience vision. However, organizations must be sure to get all parts of the business involved in the process. Having only part of the group in place can skew the results toward an individual agenda instead of the overall corporate vision. Without representation from all parts of the organization, the complete customer life cycle won't be captured.

Take action
By focusing on these top attributes and best practices, it will be much easier to create a convincing customer experience vision and put it into action. Just remember that it must have an emotional connection, be simple and intuitive, and demonstrate your compelling value proposition and commitment.

– The author, Olive Huang, is Research Director at Gartner
COLUMN RAVI RAMAN PALADION NETWORKS
GAME CHANGING THREATS NEED A ROBUST MULTI-PRONGED STRATEGY FOR EFFECTIVE PROTECTION
The best way to avert ransomware is to institute a preventive mechanism. This cannot be only through implementing antivirus software. The approach needs to be multi-dimensional
Viruses and malware have become an integral part of the Internet. We are aware that antivirus software will help us ward off these threats. We also believe that malware can be disinfected to restore order. But, what if new threats do not conform to such known beliefs? What if the malware is designed to frequently change and thus browbeat antivirus software? What if, once infected, the damage to your computer cannot be undone by merely removing the malware? What if you are asked to pay ransom to restore normalcy? What if the malware is designed to move stealthily from the end points through your networks to other sensitive data servers to cause maximum damage? Welcome to the world of ransomware that is taking the Internet by storm. Ransomware is definitely a game changer for the security services industry, organizations, and individuals.

Ransomware, as the name suggests, is a type of malware that encrypts data on your system and demands ransom for decrypting it. Advanced 128 to 256-bit encryption algorithms are used. Decryption without the key is not possible. Affected parties are paying up to get back their data, as this data can be extremely valuable and losing it is not an option.

Ransomware has gone through several improvisations over the past year or so, each variety designed to be more dangerous than the previous one. In the beginning the malware was modelled around a Fake AV: it attempted to extract money by intentionally misrepresenting the security status of a computer. The user was enticed to purchase software in order to remove non-existing malware or security risk from the computer. Then the ransomware changed to extracting money by locking the PC screen. To unlock the screen, people had to pay up. These are referred to as “Locker” ransomware. The current wave of ransomware extracts money by encrypting the files of the PC / server. One has to pay up for decrypting the files. Each wave is thus more lethal than the previous one and this upward trend in terms of ruthlessness is what is making this variety most talked about in the industry.

The concept of extracting money from affected people or organizations has worked since data is important and is a lifeline. Once the actors have tasted “blood” it can always be assumed that there would be no let up. Motivation apart, the malware actors also have open source technology on their side. Using such components they are able to execute their nefarious designs and still escape capture. They use several free technology pieces to execute their plans and to get paid, with minimal risk of getting traced or caught at any stage. They propagate the malware through the anonymous Tor (The Onion Router) service, create havoc for extracting the money by using advanced encryption technology, and get paid through bitcoins, completely circumventing the regular banking channels and thus preventing traceability.

In addition to this, ransomware is morphing ever so often by changing its signature to escape detection by antivirus software. Typically antivirus solutions rely on malware signatures to detect malware. By changing its signature regularly, malware attempts to overcome such detection. A third dimension that is looming large is that, after infecting the PC of the user, the attackers have started to move through the corporate networks to other critical information assets. This staged attack through the cyber kill chain is something that is happening and we need to be cognizant of.

The only way a disaster can be averted, unless you are willing to pay up, is to institute a preventive mechanism. This cannot be only through the antivirus software. The approach needs to be multi-dimensional. An organization has to invest in tools that will enable it to run data science and machine learning models that can detect patterns from the network data to determine if a staged attack is underway; tools that rely not just on malware signatures but on other concepts such as Indicators of Compromise (IOCs) to detect them; tools that can quickly scan your network / end points for any typical compromises that you suspect may have occurred; tools that can scan for rogue browser plugins; tools that can detect C&C user accounts that could be used by malware to piggyback on; and tools that can check for unused services that the malware can morph into. The good news is that such tools are available. You will need such tools to prevent ransomware attacks.

We need to be geared to protect ourselves from such threats when the stakes are high. Game changing threats need a robust multi-pronged strategy for effective protection.

– The writer is SVP & head of engineering – security intelligence & analytics, Paladion Networks
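
The column's contrast between signature matching and indicator-based detection can be shown in a few lines. This is an added example, not part of the original column: the sample bytes, the event schema, the host and process names, and the 60-second / 5-file thresholds are all constructed assumptions, and the mass-rename rule stands in for the non-signature indicators the column calls for.

```python
import hashlib
import ntpath
from collections import defaultdict

# Constructed stand-ins for two builds of one malware family. The second
# differs by a single trailing byte, as a repacked ("morphed") build would.
BUILD_A = b"constructed-sample-body" + b"\x00"
BUILD_B = b"constructed-sample-body" + b"\x01"

# A signature set that has only ever seen the first build.
KNOWN_BAD_SHA256 = {hashlib.sha256(BUILD_A).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Classic signature check: exact hash lookup against known samples."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# Constructed endpoint telemetry for file-rename events, as tuples of
# (epoch_seconds, host, pid, process, source_path, destination_path).
EVENTS = [
    # ws-17: one process renames six user documents to a new extension in 10 s.
    (1000, "ws-17", 4120, "invoice_viewer.exe", r"C:\Users\a\Docs\q1.xlsx", r"C:\Users\a\Docs\q1.xlsx.locked"),
    (1002, "ws-17", 4120, "invoice_viewer.exe", r"C:\Users\a\Docs\q2.xlsx", r"C:\Users\a\Docs\q2.xlsx.locked"),
    (1004, "ws-17", 4120, "invoice_viewer.exe", r"C:\Users\a\Docs\plan.docx", r"C:\Users\a\Docs\plan.docx.locked"),
    (1006, "ws-17", 4120, "invoice_viewer.exe", r"C:\Users\a\Docs\notes.txt", r"C:\Users\a\Docs\notes.txt.locked"),
    (1008, "ws-17", 4120, "invoice_viewer.exe", r"C:\Users\a\Pics\photo.jpg", r"C:\Users\a\Pics\photo.jpg.locked"),
    (1010, "ws-17", 4120, "invoice_viewer.exe", r"C:\Users\a\Docs\budget.pdf", r"C:\Users\a\Docs\budget.pdf.locked"),
    # ws-22: a word processor saving a document through a temp file (benign).
    (1003, "ws-22", 880, "winword.exe", r"C:\Users\b\Docs\~WRD0001.tmp", r"C:\Users\b\Docs\report.docx"),
    # ws-30: a backup agent finalising six files, but spread over 25 minutes.
    (1000, "ws-30", 1500, "backup_agent.exe", r"D:\bk\f1.part", r"D:\bk\f1.bak"),
    (1300, "ws-30", 1500, "backup_agent.exe", r"D:\bk\f2.part", r"D:\bk\f2.bak"),
    (1600, "ws-30", 1500, "backup_agent.exe", r"D:\bk\f3.part", r"D:\bk\f3.bak"),
    (1900, "ws-30", 1500, "backup_agent.exe", r"D:\bk\f4.part", r"D:\bk\f4.bak"),
    (2200, "ws-30", 1500, "backup_agent.exe", r"D:\bk\f5.part", r"D:\bk\f5.bak"),
    (2500, "ws-30", 1500, "backup_agent.exe", r"D:\bk\f6.part", r"D:\bk\f6.bak"),
]


def mass_rename_suspects(events, window=60, threshold=5):
    """Return the set of (host, pid) that changed the extension of at least
    `threshold` distinct files within any `window`-second span."""
    per_proc = defaultdict(list)
    for ts, host, pid, _proc, src, dst in events:
        # Only renames that change the file extension are of interest.
        if ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower():
            per_proc[(host, pid)].append((ts, src))

    suspects = set()
    for key, renames in per_proc.items():
        renames.sort()
        left = 0
        for right in range(len(renames)):
            # Slide the left edge so the window never exceeds `window` seconds.
            while renames[right][0] - renames[left][0] > window:
                left += 1
            distinct = {src for _, src in renames[left:right + 1]}
            if len(distinct) >= threshold:
                suspects.add(key)
                break
    return suspects


if __name__ == "__main__":
    print("signature hit on build A:", signature_match(BUILD_A))
    print("signature hit on build B:", signature_match(BUILD_B))
    print("behavioural suspects:", mass_rename_suspects(EVENTS))
```

The hash lookup misses the second build entirely, while the rename-burst rule flags the process regardless of which build produced it; the slow backup agent and the single temp-file save stay below the threshold.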
EVENT ASPECT
DIGITAL TECHNOLOGIES ARE TRANSFORMING CUSTOMER SERVICE IN THE BFSI INDUSTRY
BFSI is being challenged to re-invent the way it thinks about customer service by constantly changing customer needs and non-traditional competitors. REIMAGINE CX, an event conceptualized by Aspect, HCL Services and Express Computer, highlighted some solutions on how firms can remain competitive
JASMINE DESAI
T
he landscape of BFSI is changing very rapidly in India. Between 2014-15, RBI issued 21 banking licenses. At the same time, the Indian BFSI sector is undergoing a massive digital transformation. Born in the cloud startups are changing the way financial products are sold and serviced. Taking note of this digital shift, Aspect and Express Computer, partnered to create ‘REIMAGINE CX’, a conference focused on digital transformation undergoing in the Indian BFSI sector. Emphasizing on this point, Sanjay Gupta, Head- Cloud Business, APAC &ME, MD- South Asia & Middle East, Aspect Software, in his welcome address at REIMAGINE CX said, “RBI is to bring P2P lending under regulation soon. Presently, lot of thrust in banking is coming from the Government as well. Every village with more than 5,000 people needs to have a physical branch.
56
EXPRESS COMPUTER
In such a mind-boggling scenario, what does future of banking look like?” Sanjay stated that ‘Next Gen bank’ models will have intelligent multi-channels. Omnichannel capabilities will need to go a step further and enable relationships, as most of the times, the reason of customer dissatisfaction lies in the back-office. Ratan Kesh, Sr President and Country Head, Branch Service Delivery, Contact Centre & Service Excellence, Yes Bank spoke at length about the future of customer service. “B2B and B2B2C is a powerful strategy that the bank is relying on. On the technological front, Yes Bank is upgrading its CBS and CRM which will play a key role in supporting an inclusive and sustainable growth model. Yes Bank also wants to make the web and mobile version of the site very similar. The bank does not have a lot of customer data, but what we really leverage on is the ecosystem data like Aadhar, Digilocker etc.
The bank is also putting visual assistance in its self-service capability. The challenge is to achieve 90% self-service but also remain personal at the same time Other projects underway are Yes Pay Wallet, Yes Money, Yes Secure.” The retail banking footprint is expanding in India and keeping up with the trend, Yes Bank is going to expand on its branches. Presently, Yes bank has 860 branches. The bank has relationship management and service oriented strategy. Presently, the bank is ramping up its branches to increase its retail assets. Touching upon the importance of CX in BFSI, he mentioned that according to a research report, 86% buyers will pay more for a better customer experience. Only 1% feel that vendors consistently meet their expectations. Delivery channels, hence, are changing rapidly. Says he, “More and JUNE, 2016
www.expresscomputeronline.com
Sanjay Gupta, Head- Cloud Business, APAC &ME, MD- South Asia & Middle East , Aspect Software
more customers want video-chat with financial advisors. On the competition front the landscape in BFSI has undergone such a dramatic change that competitors for banks are no more other banks but Amazon, Paytm, Apple Pay, and traditional BFSI players cannot
ignore this trend.� . He mentioned that 90% customers trust peer references. Customer experience is the main reason people close or open their account. He suggested that banks should formulate a strategy focused on few areas namely modern
branch/ ATM, putting customer first, social media presence and enhancing their mobile and online capabilities. The whirlwind of change have turned banks into a IT company with balance sheet. Joe Gagnon, SVP / GM Cloud and Chief Customer Officer, Aspect Software
Ravi Menon, SVP and Head-Financial Services, HCL Services
Ratan Kesh, Sr President and Country Head, Branch Service Delivery, Contact Centre & Service Excellence, Yes Bank
Joe Gagnon, SVP / GM Cloud and Chief Customer Officer, Aspect Software
EXPRESS COMPUTER
JUNE, 2016
57
EVENT ASPECT
www.expresscomputeronline.com
Shiv Kumar Bhasin- SBI, Tarun Pandey- Aditya Birla Finance, Hiren Shah- Reliance General Insurance, Suresh Shanmugam- MMFSL, Joe GagnonAspect Software during a panel discussion on transforming Indian BFSI sector.
in his presentation touched upon the core of customer service. He said, “One can easily copy technology of other banks, but one cannot copy customer relationship that the bank has with its customer over a period of time and the way it happens. Banks have to think more about engagement.” Giving statistics, he said that 91% customers would use selfservice if it were available. 72% of customers prefer texts over picking up the phone. He stressed the need for BFSI organizations to build a capability set that gives customer choice to navigate the way they want to. “There is lot of under realized value of customers to tap into. The best trait of a successful relationship between a customer and vendor is giving autonomy and be there when they want you. Re-imagining customer experience is about what banks enable customers to do,” he mentioned. According to him, BFSI organizations should make it easy to get answers. They should create domain specific dialogue. In the panel discussion around transforming Indian BFSI sector Shiv Kumar Bhasin, CTO, SBI mentioned what digitization meant to his 58
EXPRESS COMPUTER
organization. He said, “Digitization is not about mobile applications. Our branches are over-crowded, so we are looking at self-service where we can reduce dependency of customers on us. For example, mobile number update is one of the toughest process in banks. That has now been made easy using self-service.” Touching upon the security concern that is on the concern list of every CIO, he mentioned that convenience cannot be ruled out due to security. Panelists spoke about what more could be done to change the customer experience dynamics. Most panelists shared why the only differentiators will be customer experience. Hiren Shah, CIO, Reliance General Insurance speaking of his experience of dealing with customer experience said, “Time is critical in banking. In 2020, 3 out of 4 insurances will sell digitally. Virtual office is the next thing. We are decreasing our branches. We are using drones and healthcare monitoring systems.” Giving his take on security he said that security will not stop people from adopting technology. Suresh Shanmugham, Head- BITS,
MMFSL spoke about initiatives at his organization and how rural banking is changing as customers are getting more aware. “We are using geo-spatial and mapping behavioral patterns of customers. The hype mode is very high in BFSI.” When it comes to boosting innovation within the organization, MMFSL is talking to startups to get innovative ideas. He stated that in rural banking, reach and speed are crucial. In rural areas, people do not even want to give their biometric details. They want an NOC that states that the data won’t be misused. And now along with the NOC, they also want the data back. Thus, rural masses are more aware of security implications than imagined. The event ended with a presentation by Ravi Menon, SVP and Head-Financial Services, HCL Services. He mentioned that BFSI organizations are not at all updated about the financial journey of customers and are thus not able to make timely offers. He urged BFSI organizations to enhance their business models through context-aware delivery.
jasmine.desai@expressindia.com
EVENT SHRM
SPOTLIGHT ON BLIND CVs, ARTIFICIAL INTELLIGENCE, GAMIFICATION, BIG DATA ANALYTICS FOR HR
The two-day SHRM HR Technology Conference put the focus on emerging technology trends for HR
BY MOHD UJALEY
The SHRM HR Technology Conference 2016 Mumbai kicked off with a keynote address from Jason Averbook, CEO, Thought Leader & Author. Data is an asset and an opportunity, and in the age of technology, people, process and technology should hence work in tandem for organisational development—this was the resounding message of Averbook’s speech. “There is a need for HR to re-focus on how it looks at itself and its customers and the need for people, processes and technology to work together but technology should not be seen as a silver bullet or the solution to all our problems,” Averbook said. The two-day conference and expo witnessed two notable launches. The first was the launch of the vendor community platform by SHRM India and Start Board. Officials informed that the platform will provide access to a dynamic and growing community of credible partners, apart from a host of
multiple utilities. At the same time, the platform will create a unique opportunity for service providers to showcase themselves to the HR community. The other important launch at the conference was Workplace stress: Impact and Outcome: An India Study, 2016, a joint study by SHRM and CGP (Chestnut Global Partners). The study attempts to measure the impact of stress on an organization’s top line and highlights the key areas of concern at all levels. During the conference, global trends like blind CVs, artificial intelligence, gamification and big data analytics for HR were thoroughly discussed and deliberated. Most of the experts were of the view that these emerging technologies have the potential to change the overall dynamics of the human resource management function across the globe but their adoption will take time, especially in the Indian context. In an engaging panel discussion, HR Tech: Making it About the User Experience, panelists Jason Averbook; Kevin Freitas, Director, Global Recruiting and Rewards – InMobi; George Oommen, Dir HR, Tech. & Process Consulting – Cognizant; and Madhura Dasgupta Sinha, Head, Employee Experience – IDFC
Bank discussed the changing role of technology in HR. In another engrossing panel discussion, Disruptive Learning: An eagle eye view, the panelists, Damodar Padhi, VP & Global Head, L&D – TCS; Abhijit Bhaduri, CLO – Wipro; Sid Banerjee, CEO – Indusgeeks; and Prithvi Shergill, CHRO – HCL Technologies, shared their experiences and viewpoints on how technology can be harnessed to build a holistic learning environment. ‘How technology can be harnessed to build holistic learning environments’, ‘Technology enabled learning and its usefulness in our worlds’, ‘How technology can help to completely re-invent your hiring strategy’, ‘How to build, manage and sustain a Smart Workforce that is constantly Skilled, up skilled and Re-skilled to meet the demands of a Digital World’ - were some of the key trends and topics discussed at the event. In his session, Viresh Oberoi, Founder CEO & MD, mjunction, highlighted how, with a focus on problem-solving and innovative use of IT, mjunction changed the way commodities are sold. Using e-commerce to create a transparent and efficient mode for the sale of secondary
steel and coal e-auctioning resulted in an incremental revenue of Rs 25,000 crore. Technology not only moved business for mjunction but is also an important lever that the organization uses to manage its people. The conference also witnessed some expert-led demo sessions on both days. One of the sessions, Redefining Talent Acquisition in an Era of Industry Convergence, showcased IBM Kenexa’s sciences, social, collaboration and analytics backed talent acquisition solutions, whereas HackerRank’s automated code challenges gave an in-depth insight into accelerated hiring in a captivating session. “While technology has always been considered as one of the tools of the HR domain, the SHRM Tech conference offered a platform to brainstorm and minutely assess the impact of technology on the top line of companies, simultaneously throwing a light on key HR Tech trends shaping up globally,” Achal Khanna, CEO, SHRM India, said. The conference was organised by the Indian chapter of the Society for Human Resource Management (SHRM), a professional human resource association devoted to human resource management globally.
mohd.ujaley@expressindia.com
INTERVIEW C R SRINIVASAN TATA COMMUNICATIONS
In India, Tata Communications is witnessing huge growth coming from new age businesses. In an interaction with EC’s Mohd Ujaley, C R Srinivasan, VP, Global Product Management, Data Center Service, Tata Communications, shares his perspective on the key trends impacting the Indian data center market
e-Businesses are driving visible growth in the data center business

What trends did you witness in the data center solutions space in India in 2015?
Last year we saw robust growth in the data center business. If one takes India as a geography, there is a lot more activity in the data center space, as you know there are many e-businesses, not just e-commerce but many e-businesses that are growing bigger and faster than ever before. And thereby the demand for quality data center space has been robust. Scalability of data centers, energy efficiency of data centers - these are trends that we have witnessed in 2015. Many of the businesses have moved from captive data centers to third party data centers. Cloud computing is something that is gaining significant traction. It is no longer in the category of being observed or being watched. Overall, it has been a very active and fast paced year for the data center industry in 2015.

From an enterprise demand perspective, which verticals are primarily driving the demand for data centers in India?
e-businesses are prominent in driving visible growth. These are new-age companies that are getting a lot more funding than the stable businesses. They are investing in infrastructure, they are building infrastructure. You see this segment taking a lot of data center capacity. Additionally, many enterprise customers are actually taking to data centers and third party data centers. Movement to the cloud is becoming a lot more common. Acceptance of private clouds is another thing that is coming of age. Customers are very specific of what they want in their cloud services portfolio. Enterprises are definitely looking at using the cloud and migrating to data centers.

Some countries are thinking about bringing a policy around data sovereignty? How will this impact the business?
Data sovereignty is being frequently referred by many customers. In particular, if you are dealing with intellectual property or if you are in an industry which has import or export restrictions or if you are a company working on healthcare type applications, then there are local regulations that prevent the data from crossing a geographical or political boundary. Therefore it becomes important for companies to make sure that they have their primary and secondary data centers in the same geography and there are environments around that. The good thing about data sovereignty is that customers now understand that moving to the cloud doesn’t mean you move your applications to the cloud and you don’t really bother where the data goes and sits. So like us who really have physical infrastructure and who provide data centers, over a million square feet of data center space spread across the globe, we have the reach that is required to cater to the data sovereignty need. Also, we have a data center alliances program through which we have expanded to newer geographies. So we have a strategic data alliance program which allows us to expand and sign up partners, build a web of data centers such that we can cater to the data sovereignty requirements of our customers. But data sovereignty as you rightly pointed out is becoming a lot more prominent in our procurement conversations. And data is anyway the new currency and thereby customers are worried about where the data is.

What are some of the prominent trends in the data center space with respect to security?
Customers are worried about the solutions that are deployed to protect data leakage in an enterprise. There are also challenges that enterprises have faced with respect to data services being brought down due to denial of service attacks. So we see a lot more of this distributed denial of service attacks, and in many cases there is a ransom demand behind such a data attack. We see ransom becoming lot more prominent.

In 2015, we witnessed many attacks rising in scale and size. This means that enterprises need to be a lot more aware about their vulnerabilities. They also equally need to be well aware of the controls and the implementation of controls and the processes that they follow around security.

mohd.ujaley@expressindia.com
REGD. NO. MCS/066/2015-17, PUBLISHED ON 28TH OF EVERY PREVIOUS MONTH & POSTED AT MUMBAI PATRIKA CHANNEL SORTING OFFICE, DUE DATE 29 & 30 OF EVERY PREVIOUS MONTH, REGD. WITH RNI UNDER NO. MAHENG/49926/90