Press Kit 100 Tuck Hall Hanover, NH USA 03755-9000
digital.strategies@dartmouth.edu tuck.dartmouth.edu/digitalstrategies facebook.com/CenterDigital twitter.com/centerdigital youtube.com/TheCDSatTuck
About Us
Tuck School of Business Dartmouth College 100 Tuck Hall Hanover, NH 03755-9000 USA Phone: 603-646-0899 Fax: 603-646-0900 digital.strategies@tuck.dartmouth.edu www.tuck.dartmouth.edu/digitalstrategies
Fact Sheet
Mission: The Glassmeyer/McNamee Center for Digital Strategies at Tuck School of Business focuses on enabling business strategy. Digital strategies and information technologies that harness a company's unique competencies can push business strategy to a new level. At the center, we foster intellectual leadership by forging a learning community of scholars, executives, and students focused on the role of digital strategies in creating competitive advantage in corporations and value chains. We accomplish this mission by conducting high-impact research; creating a dialog between CIOs and their functional executive colleagues; and driving an understanding of digital strategies into the MBA curriculum. Our three areas of concentration and activity are:
• Scholarly Research: Connecting practice with scholarship anchored on IT enabled business strategy and processes.
• Executive Dialog: Convening roundtables focused on the role of the CIO to enable business strategy.
• Curriculum Innovation: Bringing digital strategies into the classroom through case development and experiential learning.
History: The Glassmeyer/McNamee Center for Digital Strategies, a part of the Tuck School of Business at Dartmouth, is dedicated to advancing the theory and practice of management in the digital, networked economy. Ed Glassmeyer and Roger McNamee, both Tuck alumni in the technology venture capital arena, agreed on the need for increased research and thought leadership on the ongoing impact of information technology, particularly the internet, on how corporations function. Founded in 2001 as the fifth of Tuck's research centers, the Center for Digital Strategies generates insight into the way firms use digital technology to create value both within and for the value chain and fosters thought leadership by forging a learning community of scholars and executives.
Core Team:
Alva Taylor, Associate Professor of Business Administration, Tuck School of Business; Faculty Director, Center for Digital Strategies
Hans Brechbühl, Adjunct Associate Professor of Business Administration, Tuck School of Business; Executive Director, Center for Digital Strategies
Kelli C. Pippin, Marketing & Communications Manager
Patrick Wheeler, Program Manager
Leslie Tait, Center Administrator
Research
TC6-0038 Rev: April 29, 2014
Employing Consumer IT in Operations: Will iPads Save Money, Increase Efficiency, and Raise User Satisfaction?
iPads and Trains
When, on a Monday morning in Autumn 2012, Erich Siegrist, head of technology architecture at the Swiss Federal Railways (SBB), started his day with a freshly poured and steaming cup of coffee and browsed through the newspaper on his iPad, he was reminded of the important meeting that he and his colleague Philip Büchler would have this week. Over the last couple of weeks, they had evaluated various ways to replace the now outdated laptop-based computer system that the nearly 3,000 train drivers at SBB were using. The importance of this project was substantial, given its scale and the fact that the new solution would be used to support the most central and operational task of the SBB: Driving trains on the railway system with the highest network load worldwide. Besides its importance and scale, expectations of the new system from the business side were also exceptional. The objective was to cut device-operating costs by 75%, compared to the old laptop-based solution, increase the user satisfaction, and ultimately raise train driver efficiency. With conventional corporate IT devices, these aims seemed way beyond reach. But after evaluating several options, Siegrist and Büchler were convinced that they could meet these requirements after all, but with a device that was uncommon for a train cockpit: the Apple iPad. This week, they would have their big day and present the outcome of the evaluation to a committee. If the committee were to turn down the proposed iPad-solution, Siegrist and Büchler would need to start all over again. But if they could convince the committee and the project turned out to be a success, they were sure that many comparable consumer-IT-related projects would follow, contributing to decreased IT costs and increased efficiency.
SBB faced increasing operational costs, with energy prices and railway maintenance costs steadily rising, making it more and more difficult to keep ticket prices at a reasonable level. Because SBB’s transportation service is used by nearly a million passengers daily in a country with a population of about eight million, it was extremely important to increase SBB’s operational efficiency through cutting-edge IT. But would consumer IT really turn out to be an acceptable solution and could they really convince the committee to approve an iPad for an operational business task?
This case is based on a joint project of the University of St.Gallen and the Tuck School of Business at Dartmouth. It was prepared by Thomas Sammer and Prof. Dr. Andrea Back, both members of the University of St.Gallen, and Hans Brechbühl, executive director of the Center for Digital Strategies at the Tuck School of Business. The objective is to discuss issues related to the usage of consumer devices for business tasks. Our information sources include online research and an interview with Erich Siegrist, head of technology architecture, and Philip Büchler, technology manager mobile. We would like to thank SBB, Erich Siegrist, and Philip Büchler for their support in creating this case study. Note: This case is also published at The Case Centre by the University of St.Gallen. © 2013 Trustees of Dartmouth College. All rights reserved. For permission to reprint, contact the Center for Digital Strategies at 603-646-0899.
Switzerland and its Railway System
Switzerland is a country in Western Europe with about 8 million inhabitants. The countryside is dominated by the Alps, which cross the country from East to West. While the Alps occupy the greater part of the country, the Swiss population of approximately 8 million people is concentrated mostly in the part North of the Alps, where the largest cities are to be found. Among them are the two international cities and economic centers of Zürich and Geneva. 1 2 The economic and political stability, transparent legal system, exceptional infrastructure, efficient capital markets, and low corporate tax rates make Switzerland one of the world's most competitive economies. 3 In particular, the country’s high level of public mobility and its efficient transport infrastructure are two important elements of its economic success. Both are closely bound up with the railway system. Besides streets and highways, a rail network of about 3,000 km 1 and about 800 railway stations connect the major Swiss cities and their surrounding areas (see Exhibit 1). Almost all of the railway system is operated by Swiss Federal Railways (SBB), the most important railway and transportation company in Switzerland, which is active in all parts of the country: the German, French, and Italian-speaking parts. SBB’s market share of total passenger traffic in Switzerland is 25% and 23% for freight traffic, which makes the company, and railway traffic in general, one of the country’s most important transportation providers. On average, SBB’s passenger service is used by 967,000 passengers daily and 5 million customers per year. In 2010, 347.1 million passengers travelled with SBB and each Swiss resident traveled on average about 2,000 km by train. Besides passengers, freight traffic is also remarkably high, with an average volume of 175,000 net tons per day. This considerable demand for railway transportation creates challenges concerning the network load.
Compared to other countries, the Swiss railway network is the most heavily used in the world (see Exhibit 2), with an average of 151.2 trains passing each railway route per day (128.6 passenger trains; 25.7 freight trains). On weekdays, about 9,947 trains are on the network (8,078 passenger trains; 1,870 freight trains). To operate such a high network load, SBB wants to further reduce infrastructure problems and vehicle faults, and to ensure that operations run smoothly and are well coordinated. For example, the railway network is 100% electrified, which makes it more reliable (see Exhibit 3). But given that the network load had been increasing over the last few years (see Exhibit 4) and is expected to increase further, additional improvements and innovations will be necessary.
1
1 km equals 0.6214 US miles
Swiss Federal Railways (SBB)
SBB is headquartered in Bern and is a special stock corporation with all shares held by the Swiss Confederation or the Swiss cantons. Nevertheless, it is managed entrepreneurially and in 2012, about 55% of the costs were covered by revenue. SBB is expected to meet a performance agreement, which is defined and updated every four years by the government. In its 2012 annual report, SBB lists the following nine corporate goals 4:
1. Customer Satisfaction
2. Corporate Image
3. Staff Satisfaction
4. Customer Punctuality
5. Safety
6. Annual financial result
7. Cash Flow
8. Competitive Edge / Market Share
9. Environmental Sustainability
Overall, the SBB Group has 29,249 employees comprising 65 nationalities, with a full time equivalent (FTE) of 26,333 2 (see Exhibit 5). There are four divisions: Passenger, Freight (SBB Cargo) Infrastructure, and Real Estate. The passenger division is concerned with the services related to passengers, while the freight division delivers services related to freight transportation. The maintenance, extension, and operation / controlling of the railway network is done by the infrastructure division. SBB’s real estate division develops the company’s stations and adjoining sites and manages SBB’s properties. Additionally, the group includes seven control and service functions (group-level services), such as (1) Finance, (2) Human Resources, (3) Safety, (4) Information Technology, (5) Communication and Public Affairs, (6) Corporate Development, and (7) Corporate Legal Services / Compliance (see Exhibit 6). The control and service functions are expected to support the four main divisions, which are basically internal clients to them. Concerning FTEs, the passenger division is the largest division of the group, followed by infrastructure, freight, group-level services, and real estate (see Exhibit 5). The average age across SBB’s employees is 43.9. In 2017, 30% of SBB’s staff is expected to retire. 5
2 Average working hours per week are 42.5.
SBB Passenger Division
SBB passenger transportation is one of the most important transportation service providers in Switzerland and used by nearly a million passengers per day. The passenger service is much appreciated and valued by customers, who display high satisfaction rates (see Exhibit 7). SBB also achieves high levels concerning the punctuality of train arrivals. About nine of
ten passenger trains arrive at their destination with less than a 3-minute deviation from the timetable and 98.3% of all passengers catch their connecting trains (see Exhibit 8). However, the division is experiencing several challenges in maintaining this high level of service, as energy prices and infrastructure costs rise constantly. In the 2012 annual report, it is stated that value for money and sufficient space are increasingly becoming an issue in customer satisfaction. Hence, SBB needs to keep innovating and making its service delivery / production more efficient.
Increasing Efficiency through IT
To keep pace with the increasing cost pressure, SBB invests heavily to increase operational efficiency. One means of increasing efficiency is to make tasks computer-supported. For example, SBB offers self-service ticket sales through ticket machines, their website and the SBB app. As a result, in 2012, 72.6% of all ticket purchases were self-serviced. Also regarding internal tasks, SBB recently started projects such as the “paperless office” to increase the efficiency of their office-workers and achieve cost savings through reduced printing costs. The implementation of this initiative includes SBB executives and management roles being equipped with iPads. The intention is that users have all the information and documents at their fingertips in a very convenient and readable form, making it unnecessary to print documents and make handwritten notes. Besides office usage, the user-policy also allows private use of the device and unrestricted access to the app store. But this initiative is only the first step towards SBB’s vision of “connecting employees”, aimed at enhancing communication by providing computer devices such as smartphones and media tablets to all SBB employees by 2014.
In particular, the objective behind this vision is to provide all employees with one device that enables them to have an email account, access to the intranet, and other SBB-related information and applications (see Exhibit 15 and Exhibit 16). Besides enhancing communication and giving access to information, another aim of this initiative is to supply all employees with one device that they can use both on the job and privately (see Exhibit 17). Apart from saving printing-costs and enhancing communication, another big issue is to increase task efficiency. Personnel expenses are still the biggest cost driver at SBB (see Exhibit 9) and total CHF 1,706 million per year for the passenger division. In terms of FTEs, the largest function of the passenger division is operations, with about 6,842 FTEs (see Exhibit 10). There are two major job profiles related to operations:
1. Train drivers (2,450 FTEs)
2. Train attendants (2,319 FTEs)
For both job profiles, different types of supporting IT devices have been introduced over the last decade. However, as with any computer device, these also face buying cycles and payout
times. One of these solutions is LEA, the Lokführer 3 Electronic Assistant, which is an electronic assistant for train drivers.
LEA – Electronic Assistant for Train Drivers
The most important task for a train driver is to drive the train safely and according to the schedule. To perform this job effectively and efficiently, train drivers need several items of information, such as the train stations to approach, speed limits, details about railway works etc. This information is included in the operating instructions, which are customized for each trip. Due to the high network load of the railway system, the operating instructions are usually updated on a daily basis. To operate a train, train drivers therefore need to read the latest operating instruction right before their shifts as preparation, and refer to it from time to time during the trip. Initially, the operating instructions were completely paper-based. But as early as 2000, SBB introduced LEA, which is a software application that downloads and displays the latest operating instructions. It synchronizes the operating instructions before a trip and displays them according to the trip progress. In short, the application supports the train driver in preparing for the trip by downloading and displaying the instructions, and during the trip, by showing the information relevant for the current section of track.
Decreasing User Satisfaction, Increasing Costs
From an organizational perspective, solutions such as LEA are provided to the passenger division by the information technology (IT) department. The first generation, LEA 1, ran on a Psion netbook and was used from 2000 until 2007. In 2008, SBB introduced the second generation, LEA 2, which used a 15” Toshiba convertible touch notebook. These notebooks weigh about 3kg 4 and use a desktop operating system (Microsoft Windows).
While LEA had so far been considered as an accepted and established solution, since 2011, the IT support team received an increasing number of complaints, concerning hardware issues and the bulky form of the device. Additionally, the field-support efforts were increasing and IT-support often needed to replace faulty devices. Given the fact that these devices already created running costs of about CHF 8 million per year, they seemed thoroughly outdated and unreasonably expensive. However, as LEA 2 had already been in use for about 5 years, the IT budget for 2013 included a provision for replacing LEA 2 with a new solution.
3 “Lokführer” means “train driver” in German.
4 About 6.6 lb.
The Next Generation
When the new IT budget was published in autumn 2012 and sent to management, everyone seemed keen to know which projects would receive funding. Like all IT executives, Erich Siegrist, head of technology architecture, also browsed through the new budget and one item caught his attention: LEA 2 Replacement. He was very pleased to see that LEA would finally be replaced and he knew that his unit would be involved in the project. When it came
to evaluating new IT solutions and developing concepts for integrating them into the existing IT infrastructure, the IT architecture team was in charge. With about 3,000 clients, LEA was a large-scale application and had high visibility inside SBB. Doing a good job with the LEA replacement would definitely enhance IT’s reputation within SBB. Therefore, Siegrist was excited about the project and right away took a first look at LEA 2’s status. To get an initial overview, he looked at the complaints that IT support had received from the train drivers. While reading the various statements, he realized that since the deployment of the second generation of LEA in 2008, user expectations of the device had clearly changed. There was a considerable number of complaints about the display quality, weight and mobility of the device. The old laptops really seemed extremely outdated, compared to the new devices. Also, from his own experiences, he knew that new consumer computer devices, such as the iPad, iPhone, and Android tablets, had become increasingly popular and substantially outpaced common corporate IT devices in terms of usability, mobility, display quality, etc. It was also clear to him that many train drivers would already be using such devices privately and would therefore compare their corporate device with their private ones. Siegrist decided that it would be best to start from scratch and gather the requirements for the new solution directly from the users and the passenger division management. Accordingly, he called together a committee, which included the head of train operations, representatives from the train drivers and labor union, and a team from IT to support the evaluation process. From his unit, Siegrist appointed Philip Büchler, Technology Manager Mobile, as the project leader.
After setting-up the project team and appointing the committee, the project had its kick-off meeting in autumn 2012, and, as expected, even the first meeting of the committee turned out to be very lively. All of the participants seemed to have very clear expectations of the next LEA generation. The head of train operations clearly stated that reducing costs was the highest priority and that running costs needed to be reduced to 2 million annually. On the other hand, the representatives of the users group also explained how important LEA is to their daily work and that they needed a reliable device, which is easy to use and very mobile. Train drivers usually have to carry the device with them when they leave work and do their preparation before they enter the cockpit of the train. A sufficient battery life and mobility, as well as good display readability, were therefore essential to them. IT added that connectivity would also be an issue, as the train drivers need to synchronize the latest instructions over the air before the shift. Therefore, as the discussion went on, it seemed more and more that the new benchmark for LEA 3 would indeed be new consumer devices, such as media tablets. However, when the discussion produced this conclusion, IT raised several concerns, as they were expected to integrate the device into the existing infrastructure. Given that the top priority was to reduce costs, changing the existing interfaces was not an option, as it would create excessively high expenses. The IT team therefore firmly stated that the new device would have to comply with the existing standards and interfaces, and support industry IT standards.
Collecting the requirements that emerged throughout the meeting, Büchler felt somehow caught between various competing objectives, namely simultaneously reducing costs, and increasing mobility, usability, hardware quality and ultimately user satisfaction. Furthermore, it was necessary to integrate a new solution that would meet these expectations without adding new standards or interfaces to the existing infrastructure. Besides these objectives, he also knew that the new solution would need to be secure and reliable. If the new devices could be hacked or infected by a virus, that would create considerable interference in the form of delays, missed stops, and both dissatisfied employees and customers.
Evaluating Devices
After the initial requirements had been collected, it was time to start with the actual evaluation. The aim of the evaluation was to select the right device, operating system and solution to port the application. To evaluate the different solutions, Büchler used a step-by-step approach. Firstly, he checked what devices were available on the market and grouped them into three device categories:
1. Industrial Devices (see Exhibit 12)
2. Laptop Computers (see Exhibit 13)
3. Media Tablets (see Exhibit 14)
In the next step, Büchler evaluated the expected running costs of devices. Regarding laptop computers and industry devices, it turned out that a significant reduction of the running costs could not be achieved with a full-feature desktop operating system. Desktop operating systems are associated with several service activities, such as patch management, virus protection, and software deployment. Therefore, cutting the running costs down to a target of 2 million did not seem achievable. However, from their experiences with iPads used by executives, he knew that a significant cut in running costs could be possible by using lightweight operating systems usually used on media tablets.
Additionally, these tablets were much cheaper in terms of purchase price and their specifications would suit the purpose of the LEA application very well, namely displaying information. Battery life time, weight, and start-up time also outpaced laptops. But still, their experience in managing media tablets and employing them in operations was very limited. Also, it was unclear how the running costs would develop over the next few years. As consumer devices become more and more advanced, they could turn out to be as complex as desktop operating systems. Along with these concerns regarding the operating system, compatibility with the existing application was also unclear, which made it necessary to further evaluate the software.
Application
Applications that run on consumer device operating systems, so-called apps, are different to common desktop applications. The former use different technologies, are usually downloaded to the device through a central marketplace, called an app store, and cannot usually be ported to a different operating system without considerable effort. In most cases, it is necessary to re-write existing applications to convert them into apps. But re-writing the
entire LEA application was not an option in this case, as it would have meant exceeding the project budget. However, the good thing about LEA was that it is mostly based on web-technologies. Unlike standard desktop applications, web applications were compatible with many operating systems, in fact, nearly all operating systems that came with standard web browsers. As the latter were included in all media tablets in the market, the chances were good that there was still a way to easily adapt the existing application so that it would be compatible with consumer device operating systems. But one problem still remained, namely connectivity. Web-technologies usually require an uninterrupted data connection to a server. While most of the time, trains have Internet access through 3G or their own data-network, uninterrupted data connectivity still cannot be guaranteed. Therefore, the app would need to synchronize the information before the trip and save it locally on the client device to ensure that it would be available during the entire trip. To evaluate whether there was a solution to this issue, Büchler met with some colleagues from software development who had experience developing apps. Surprisingly, they assured him that with only a small effort, a hybrid app (a native app that captures and displays web content) could be developed, which would indeed solve his problem. The hybrid app would use the existing web-based application and store the information locally on the device. When a data connection was available, it would update the information and store it locally, to make it available even if there was no data connection. But how would the information be transferred securely to the device? To get some assistance on this issue, Büchler talked with his colleagues in network infrastructure. And also regarding this issue, there seemed to be a solution in place.
His colleagues advised him that most media tablets support virtual private network (VPN) connections, which is a sufficient industry standard to secure a data connection. After talking with his colleagues, who can be considered as experts in their work domains, Büchler was surprised how easy the porting of the existing desktop application to an app seemed to be. As he trusted the advice of his colleagues, he concluded that from a technology point of view, using media tablets for LEA 3 was feasible.
Proposing a New Solution based on iPads
Büchler was confident that he had the information he needed to make a sound assessment of the available solutions. Therefore, he started assigning scores and explanations regarding the different requirements to the various products on the market, including media tablets and laptops. The outcome was that the only possible way to achieve the required cost cuttings, and still ensure high user satisfaction, was to employ some kind of media tablet. In particular, the assessment rated the Apple iPad highest, mostly because SBB already used it to support their executive levels. Therefore, the appropriate device management software had already been purchased and SBB already had some initial experiences with the device.
To present the outcome of his evaluation, Büchler prepared a slide deck and discussed the various issues and final solution with Siegrist. Siegrist was rather surprised at the outcome. Was the iPad, which was generally considered a high-end or even luxury device, the solution to reducing costs in an operational task? But after discussing the different options, Siegrist was also convinced that Büchler had done a good job and that his evaluation was comprehensive and correct. But would the committee also agree to their proposed solution?
Tasks
1. Concerning SBB’s passenger division, what are the major challenges the company and the division were facing? How and why could consumer IT contribute in solving these challenges?
2. From a technology perspective, the evaluation showed that iPads would be the first choice in this case. But how do you think the committee would react to the proposed solution? The committee includes the (1) head of train operations, (2) representatives from the train drivers and the (3) labor union, and a (4) team from IT with people from IT support, IT infrastructure, applications and IT architecture.
3. Before the new solution could be deployed, a usage policy needed to be defined and communicated. What are the pros and cons for different device usage policies regarding this solution (private usage yes/no, restricted access etc.)? Also discuss the implications for SBB’s organizational culture.
4. The evaluation assumed that SBB would buy and own the devices. Consider whether a form of Bring Your Own Device (BYOD) policy could also be suitable. Also, the solution for the train attendants will be replaced in the next year and, due to the even higher mobility requirements, an iPad-based solution will not be suitable for that purpose. Accordingly, what are the implications for future decisions, if the train drivers receive iPads?
Exhibit 1: The Swiss railway system. 6
Exhibit 2: Railway network load compared with other countries. 7
Exhibit 2: Comparison of railway companies. 8
Exhibit 3: Development of the infrastructure capacity utilization. 9
Exhibit 4: Key figures on SBB personnel. 10
Exhibit 5: Organizational structure of SBB. 11
Exhibit 6: Customer satisfaction for passenger division. 12
Exhibit 7: Punctuality for passenger division. 13
Exhibit 8: Break-down of SBB’s operating costs. 14
Exhibit 9: Personnel structure of the passenger division. 15
Exhibit 10: Income statement of the passenger division. 16
Exhibit 11: Example for an industrial computer device. 17
Exhibit 12: Example for a laptop computer. 18
Exhibit 13: Examples for media tablets. 19
Exhibit 14: SBB’s strategic initiative “Mitarbeitende verbinden”. 20
Exhibit 15: Parts of the initiative. 21
Exhibit 16: Goals of the initiative. 22
Endnotes
1 CIA World Factbook: https://www.cia.gov/library/publications/the-worldfactbook/geos/sz.html
2 Article about Switzerland on Wikipedia: http://en.wikipedia.org/wiki/Switzerland
3 CIA World Factbook: https://www.cia.gov/library/publications/the-worldfactbook/geos/sz.html
4 Annual Report 2012 (German): http://goo.gl/gojyng
5 SBB Annual Report 2012 (German): http://goo.gl/gojyng
6 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
7 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
8 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
9 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
10 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
11 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
12 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
13 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
14 SBB Financial Position 2012: http://goo.gl/mg0N7B
15 SBB Facts and Figures 2012: http://goo.gl/J3Hv4y
16 SBB Financial Position 2012: http://goo.gl/mg0N7B
17 Picture retrieved from: http://www.nextpoints.com/media/k2/items/cache/0692a4e584defe6544ca2abbf7dd2502_X L.jpg
18 Picture retrieved from: http://www.custom-build-computers.com/image-files/hp-laptop-computers-repairs.jpg
19 Picture retrieved from: http://ithinkink.files.wordpress.com/2012/06/tablets.jpg
20 Newspaper article on SBB’s strategic initiative “Mitarbeitende verbinden” (German): http://www.20min.ch/digital/news/story/19564482#
21 Newspaper article on SBB’s strategic initiative “Mitarbeitende verbinden” (German): http://www.20min.ch/digital/news/story/19564482#
22 Newspaper article on SBB’s strategic initiative “Mitarbeitende verbinden” (German): http://www.20min.ch/digital/news/story/19564482#
Digital Strategies in Action
Vincent L. LaCorte Case Series | 2012–13
The Center for Digital Strategies at the Tuck School of Business develops case studies that help students examine how digital strategies are changing the way firms compete. Our cases illustrate how these strategies can enable the supply chain, marketing, manufacturing, services, innovation, and product development.

What are digital strategies? Digital strategies focus on the use of technology-enabled processes to leverage an organization’s unique competencies, support its business strategy, and drive competitive advantage. They can help organizations use information technology to better manage operations in the global marketplace, direct organizational change, enable supply chain integration, and create revenue opportunities in customer service.

As the cases in this catalog illustrate, digital strategies are implemented in a variety of industries including communications, manufacturing, retail, biotechnology, and humanitarian relief.

tuck.dartmouth.edu/digitalstrategies/cases
digital strategies. competitive advantage.

FEATURED CASE

Norwegian Cruise Line
David P. Sibley T’13, M. Eric Johnson, 2013
Subjects covered: operations and marketing strategy
Case #6-0037

After five years of profitable growth, Kevin Sheehan, CEO of Norwegian Cruise Line, rang the NASDAQ bell on Norwegian’s first day of trading. Under Sheehan’s leadership, Norwegian had experienced a dramatic turnaround, largely due to his efforts to help the organization deliver on the promise of Freestyle. Allowing guests the freedom to choose between many different dining and entertainment venues, Freestyle was an industry first and an immense operational challenge. When first introduced, the execution of the game-changing strategy failed, with guests waiting in long lines for poor-quality food. A veteran of private equity turnarounds, Sheehan systematically integrated technology and process improvement to build an organization that could deliver Freestyle cruising. This case allows students to explore the challenges of aligning marketing and operations strategies and the competitive advantage that can be achieved through such integration.

Sotera Wireless
Johnny Kaye T’12, Ron Adner, M. Eric Johnson, 2012
Subjects covered: operations, innovation and product development
Case #6-0035

“Healthcare game-changer.” This was Sotera’s dream in the spring of 2012. The ViSi Mobile platform allowed for continuous, noninvasive monitoring of a host of critical vital signs that could reduce patient length of stay, increase Intensive Care Unit (ICU) throughput, improve patient safety, and reduce frequency of uncompensated events like bed sores and pressure ulcers. “Continuous vital signs monitoring is crucial to detecting early deterioration in a patient’s condition and facilitating early intervention or rapid response,” said Tom Watlington, Sotera’s CEO. “The ViSi Mobile System will stretch the boundaries of patient monitoring by enabling clinicians to receive this information without limiting a patient’s freedom to move about the hospital.” ViSi Mobile’s potential for value creation was clear to many and the complete system was now ready for sale. But success would require cooperation, investment, and operational changes across a range of actors in the healthcare ecosystem. This case provides a view into the challenges facing medical technology startups. Students are asked to consider Sotera’s underlying business model and the challenges the U.S. healthcare ecosystem presents to new ventures.

Hulu
Rama Oruganti and Alva Taylor, 2009
Subjects covered: growth, strategy, disruption
Case #6-0030

Los Angeles-based Hulu.com had finished 2008 with impressive growth in both viewership and market visibility. The video portal startup, established in 2007 with the backing of NBC Universal and News Corp., had 227 million video views and had become the sixth most-visited online video web site. Popular media had taken notice and prominently featured the company. Even the harshest Hulu skeptics, like Michael Arrington of the popular TechCrunch blog, acknowledged its success. But Jason Kilar, the CEO, was cautious about the future. This case examines the explosive growth of Internet TV and the potential for significant change in a well-established industry.

Supplemental Material
“Video: Winning the Battle for People, Platforms, and Profits,” Center for Digital Strategies, 2009
“Happy Birthday Hulu. I’m Glad You Guys Didn’t Suck,” TechCrunch, October 29, 2008 (www.techcrunch.com/2008/10/29/happy-birthday-hulu-im-glad-you-guys-didnt-suck/)

Dell
Jennifer M. Farrelly and Paul Argenti, 2009
Subjects covered: marketing, media, product development, public relations
Case #6-0032

Every second, two blogs are created, seven PCs are sold, 2.2 million emails are sent, 520 links are clicked, 1,157 videos are viewed on YouTube, 31,000 text messages are sent. With the explosive growth of social media, society and corporations are embracing this phenomenon as much more than a passing trend. This case focuses on computer manufacturer Dell Inc.’s social media strategy and how it has successfully integrated digital communications into every aspect of its business model. Case readers are put in the shoes of Bob Pearson, VP of Dell’s “Conversations & Communities” team, who is tasked with developing Dell’s social media strategy. After a rocky start with social media — including an actively blogged service crisis termed “Dell Hell” — Pearson is challenged with not only creating a department and strategy from scratch, but with developing internal buy-in and skill sets needed to get Dell started with Web 2.0. Pearson faced important decisions including how to structure the internal team, what guidelines to set for blogging and social media participation, and how to measure success. The Dell case focuses on how new social media technology is changing not only corporate communication but also business functions such as product development, customer service, marketing, and customer engagement. It offers many valuable lessons for both students and business professionals as they continue to join the Internet age.

Supplemental Material
P. Argenti and C. Barnes, Digital Strategies for Powerful Corporate Communications, McGraw-Hill Professional, 2009

Information Risk Analysis at Jefford’s
Hans Brechbühl, Stephen Powell, Chris Dunning, and Scott Dynes, 2008
Subjects covered: risk analysis, information risk management, investment decision making, Monte Carlo simulation
Case #6-0029

Jefford’s faces several information security threats and must decide which risks to mitigate and at what cost. Headquartered in the U.S., Jefford’s, a fictitious Fortune 500 company, is growing rapidly, with much of the expansion coming in emerging markets. The company faces numerous risk management decisions, including how to mitigate problems with stolen/lost laptops, malware, fraudulent web site transactions, and protection of personally identifiable employee data. Each information security risk is presented in context with the overall scenario and issues presented in Part A and further details in Part B. The case can serve as a good basis for a discussion on information security and risk management approaches in this arena but also can be approached as a more generic investment decision-making and risk-analysis challenge. In Part B, the case provides detailed data on which to do a cost/benefit analysis and, with the help of the teaching note, creates a robust Monte Carlo simulation using Excel and Crystal Ball or similar software. The case includes an appendix provided by the Ponemon Institute on the cost to companies of actual data breaches involving the loss or theft of employee information.

Supplemental Material
M.E. Johnson, E. Goetz, and S.L. Pfleeger, “Security Through Information Risk Management,” IEEE Security and Privacy, 7(3), 2009
S. Powell and R. Batt, Modeling for Insight, John Wiley & Sons, 2008

Groupon
Cassie Young T’11, M. Eric Johnson, John Marshall T’92, 2011
Subjects covered: marketing strategy, innovation and product development
Case #6-0034

One of the fastest growing businesses in history, Groupon and its latest daily deals were news the business media could not resist. From the local corner bakery to national retailers such as Gap, sizzling offers were projected to triple Groupon’s 50 million subscribers by the end of the year. But while the limelight remained focused on the headline “feature” deals, Groupon was quietly testing new models to expand this core platform. In late 2010, the company introduced Groupon Stores, a self-service model that equipped stores with the tools to build their own promotions. Sales chief and co-founder Eric Lefkofsky mused that when customers could “go on their own and put up a deal, Groupon would become their commerce strategy,” alluding to yet another new angle of the business, Merchant Services. The Groupon case provides a vehicle to unpack web 2.0 business strategies. It also challenges students to consider the impact of social marketing on traditional service businesses, including the operational implications of flash sales and deals sites.

Mattel, Inc: The Lead Paint Recall
M. Eric Johnson, 2010
Subjects covered: supply chain, manufacturing
Case #6-0033

Supply chains face many risks, from material flow disruption and quality failures to information security. In some cases those risks come from suppliers; in other cases they come from downstream partners. For example, in 2010, Toyota faced global criticism over its handling of a recall related to sticking accelerator pedals. Likewise, in 2007 product safety problems led many toy makers to recall products during the holiday season. Mattel, the world’s largest toymaker with years of experience working in China, found itself in the middle of very negative global publicity. This case asks what went so wrong.

Bringing the Executive Point of View to the Classroom

Want more insight into how today’s leading companies are using digital strategies to enable their organizations? Introduce your students to the executive point of view with articles covering innovation, marketing, operations, talent management and more. These articles contain firsthand accounts of Global 1000 senior executives as they come together to share perspectives on a specific business issue and exchange best practices. Taken from our Thought Leadership Roundtable on Digital Strategies series, they are to the point and grounded in practice. Recent roundtable articles include:
• Driving the Top Line
• Big Data: Capitalizing on the Potential
• Managing Enterprise Risk
• Mobility, Mobile Apps and Corporate Apps Deployment
• The Impact of Technology Mega-Trends on Corporate IT and Business Models
• Building Talent and the Next Generation of Leaders
• Business Intelligence and Analytics
• Enabling Innovation
• Performance by Design: People, Process and Technology
• Customer Experience and the Customer-Focused Organization
• Technology, Transformation, and Collaborative Leadership
• Global Supply Chain Management: Shifting Strategies
• Leading the IT Organization of the Future

For more information about the Roundtable series and articles, visit tuck.dartmouth.edu/roundtable

Social Media and the Burger King Brand
Andrew Schneller and John Marshall, 2007
Subjects covered: marketing, branding, digital media, food service
Case #6-0025

With profits decreasing and franchisees unhappy, Burger King needed to take dramatic action and redefine how it was perceived by customers. Instead of traditional advertising and sponsorships to build the brand, the company created and distributed Burger King-related content intended to entertain consumers, give the brand social currency, and create a sense of mystery. The firm was media agnostic and often chose inexpensive, non-traditional media channels such as Internet micro-sites and social-networking sites to reach target consumers. This case study examines how the use of digital communication, media channels, and Web 2.0 changes the way firms build their brands.

Supplemental Material
“Web 2.0 and the Corporation,” in Thought Leadership Roundtable on Digital Strategies, Center for Digital Strategies, Tuck School, 2007

Nolej Studios: Growing a Creativity-Based Company
Ashley Martin and Alva Taylor, 2008
Subjects covered: growth, strategy, advertising, interactive advertising, client management, market entry, workforce management
Case #6-0028

In 2007, Alejandro Crawford, CEO and co-founder of Nolej Studios, a small, cutting-edge digital advertising firm in New York City, faced a tough decision: whether to take on a new client in an unfamiliar industry. Nolej focuses on providing dynamic websites, brand identities, and unique interactive demos primarily for clients targeting a young adult, urban, hip demographic. The company develops cross-platform marketing and advertising that engages the audience and generates visibility for their clients’ products and services. When a new client approached Nolej for help in developing and marketing a new product for the toy industry — a product area new to the company — Crawford knew that taking on this potentially lucrative project would push the company out of its comfort zone. This case deals with growth, client relations, and changing direction. It describes how Nolej handled a promising opportunity that would push the company’s management team into a high-profile arena.

Strengthening the Distribution Channel at Steinway
Robert Batt and M. Eric Johnson, 2007
Subjects covered: supply chain (distribution), marketing, product development, musical instruments
Case #6-0027

Few brands enjoy the quality image of Steinway & Sons. For nearly two centuries, Steinway pianos have set the world standard in product excellence. While quality has also been the cornerstone of Steinway’s manufacturing and marketing strategy, its channel strategy was less well aligned. What were the strengths and weaknesses of Steinway’s distribution network? This case examines the integration of operations and marketing strategies. It describes how Steinway used channel consolidation and new product offerings to enhance its distribution strategy and control its quality image.

Supplemental Material
M.E. Johnson and R. Batt, “Channel Management: Breaking the Destructive Growth Cycle,” Supply Chain Management Review, 2009
M.E. Johnson and R. Batt, “How to Make Dealerships Strong — and Happy,” The Wall Street Journal, October 20, 2008
Video featuring Bruce Stevens, former Steinway president and CEO, available on request

NetHope — Collaborating for the Future of Relief and Development
Benjamin Farmer and M. Eric Johnson, 2007
Subjects covered: collaboration, resource management, technology development, humanitarian relief
Case #6-0026

Most disasters occur in developing countries, often in remote areas lacking roads, reliable power grids, and telephony. To expedite aid, international relief agencies desperately need effective information communication technology. NetHope’s mission is to collaboratively address similar technology challenges facing relief agencies and to build shared infrastructure to enable humanitarian supply chains. Formed in 2001, it began as a consortium of the world’s largest humanitarian organizations in partnership with technology firms like Cisco and Microsoft. By 2007, NetHope had grown to include 16 member agencies, including World Vision, Oxfam, CARE, and Save the Children. This case study chronicles the challenges in operations, technology, and business strategy that a nonprofit organization faces, while addressing the needs of its major stakeholders — founders, donors, experts in the field, and member delegates.

XOJET
Jordan S. Esten T’12, M. Eric Johnson, Joseph M. Hall, 2013
Subjects covered: operations and strategy
Case #6-0036

XOJET was launched in 2006 as an alternative to the fast-growing fractional private aviation model. The founders saw an opening in the market for customers who didn’t want to “purchase” large pro-rated shares of a plane and were looking to fly fewer than 200 hours/year. Unlike its fractional competitors, XOJET would own and operate its entire fleet of aircraft. Five years later the company had 30 super-mid jets and believed it would need at least 50 planes to reach operational scale. When an opportunity arose to buy twelve Hawker Beechcraft 800XP jets, CEO Blair LaCorte was faced with an important question: would adding the smaller cabin jets be the right decision to increase capacity? On the surface it appeared to be contrary to the original super-mid transcontinental strategy. It also added more operational complexity and risked degrading the premium XOJET brand. The Hawker jets, however, did offer major cost advantages. To make the decision, XOJET needed to balance increased demand against current capacity, provide its customers with best-in-class service, and manage profitability. The XOJET case gives students a wide perspective on the challenges of operating an asset-intensive business where capacity decisions must reflect both market strategy and operational capabilities.

Enhancing Service at Southwest Airlines
M. Eric Johnson and Joseph M. Hall, 2009
Subjects covered: operations and marketing strategy
Case #6-0031

Scarcely five years at the helm of Southwest Airlines, CEO Gary Kelly was navigating the high-flying airline through the downturn of 2009. By focusing on simplicity and keeping costs low, Southwest had posted profits in every year for over three decades and had grown to be the fifth largest U.S. carrier. Kelly was faced with maintaining those low costs while readying the airline for growth when passengers returned. Looking to enhance its value proposition, he was considering a number of service refinements including satellite-based WiFi Internet, more extensive wine and coffee service, and even new international alliances with foreign carriers. In each case, the offering would be scrutinized to see if it fit within the Southwest strategy and its legendary operating model.

Supplemental Material
T. Laseter and M.E. Johnson, “Reframing Your Business Equation,” Strategy + Business, 2009

About the Center

The Center for Digital Strategies at the Tuck School of Business brings together executives, academics, and students to advance the theory and practice of management in a networked economy.

M. Eric Johnson
Associate Dean for the MBA Program
Benjamin Ames Kimball Professor of the Science of Administration
Faculty Director, Glassmeyer/McNamee Center for Digital Strategies

Hans Brechbühl
Executive Director
Adjunct Associate Professor of Business Administration

Affiliated Faculty
Ron Adner
Paul A. Argenti
Joseph M. Hall
Constance E. Helfat
Steven J. Kahl
Andrew A. King
Adam M. Kleinbaum
Praveen K. Kopalle
Margaret A. Peteraf
Stephen G. Powell
Alva H. Taylor

This series of cases has been supported by the LaCorte Family Foundation. For more information about our case studies, research, and publications, please visit tuck.dartmouth.edu/digitalstrategies

Center for Digital Strategies Case Library

Subjects covered (column headings): IT Management, Supply Chain, Marketing & Sales, Manufacturing, Services, Innovation/Product Dev.

Case name | Case # | Industry
Agile Software – I Want My Web TV! (2000) † | 1-0074 | Computer Hardware
Align Technology (2006) † | 6-0024 | Medical Devices
AT&T and Comcast (2002) | 6-0012 | Communications
Biogen-Idec (2005) † | 6-0022 | Biotechnology
Burger King Brand (2007) † | 6-0025 | Fast Food
Yantra and ChemPoint (2002) | 6-0003 | Chemicals
Cisco: Evolution to e-Business (2001) | 1-0001 | Network Hardware
Cisco: Maintaining an Edge (2001) | 1-0002 | Network Hardware
The Day McDonald’s Blinked (2001) † | 1-0049 | Fast Food
Dell (2009) | 6-0032 | Computers
Do You Yahoo!? (2001) | 6-0005 | Internet
Electronic Trading Systems (2001) | 6-0006 | Finance
EMC: Creating a Storage-Centric World (2002) | 6-0009 | Computers
Experience.com (2001) | 6-0001 | Career Consulting
Garden.com (2002) | 6-0017 | Garden Supply
Groove Networks (2002) | 6-0008 | Communications
Groupon (2011) | 6-0034 | Retail or Internet
Hasbro Interactive (2004) * | 6-0021 | Toys/Video Games
Hulu (2009) | 6-0030 | Communications
Information Risk Analysis at Jeffords (2008) † | 6-0029 | Electronic Controls
Learning from Mattel (2002) | 1-0072 | Toys
Mattel, Inc: The Lead Paint Recall (2010) | 6-0033 | Toys
Mattel, Inc: Vendor Operations in Asia (2002) | 1-0013 | Toys
McGraw Hill (2003) | 6-0018 | Publishing
Microsoft’s Xbox Gamble (2002) | 6-0011 | Video Games
NetHope (2007) † | 6-0026 | Humanitarian Relief
New York Times Digital (2002) * | 2-0006 | Media/News
Nolej Studios (2008) * | 6-0028 | Digital Advertising
Norwegian Cruise Line (2013) | 6-0037 | Transportation
NTT DoCoMo (2002) | 6-0010 | Communications
NWS, (A) Privatization (2006) | 1-0019 | Food and Beverage
NWS, (B) Distribution (2006) | 1-0020 | Food and Beverage
NWS, Spirits to Wine (2008) † | 1-0021 | Food and Beverage
Papirius (2004) | 6-0016 | Office Supplies
Participate.com (2001) | 6-0002 | Consulting
PERI (2003) | 6-0019 | Construction
Quad Wants to Be a Savi Player (2002) § † | 6-0015 | Agribusiness
Red Cross (2004) § | 6-0021 | Humanitarian Relief
Simon & Schuster (2001) | 6-0004 | Publishing
Sotera Wireless | 6-0035 | Communications
Southwest Airlines (2009) † | 6-0031 | Transportation
Steinway Distribution Channels (2007) § † | 6-0027 | Musical Instruments
Steinway Quality (2005) † | 6-0023 | Musical Instruments
Stora Enso North America (2002) * | 2-0001 | Paper
Victoria’s Secret (2004) | 6-0014 | Apparel
Video on Demand (2002) | 6-0013 | Entertainment
Woolworths (2004) § † | 6-0020 | Retail
XOJET | 6-0036 | Transportation

* Cases developed by the William F. Achtmeyer Center for Global Leadership at Tuck.
† Teaching note available to professors upon written request.
§ Spanish version available upon written request.

Order Reprint Permission

Please note that all cases listed above have been copyrighted by the Trustees of Dartmouth College. To request related teaching notes for selected cases, please contact digital.strategies@dartmouth.edu. To obtain permission to reprint copies of these cases, please place an order in one of the following ways:
Call: (603)-646-0187
Fax: (603)-646-1308
Email: digital.strategies@dartmouth.edu
Visit: tuck.dartmouth.edu/digitalstrategies/cases
Write: Center for Digital Strategies, Tuck School of Business at Dartmouth, 100 Tuck Hall, Hanover, NH 03755-9000 USA

© 2013 Trustees of Dartmouth College. All rights reserved. Revised May 2013.
Executive Dialogue
The Internet of Things: The Opportunities and Challenges of Interconnectedness
A Roundtable Overview
Americas Chapter Discussion

Thought Leadership Roundtable on Digital Strategies
An executive roundtable series of the Center for Digital Strategies at the Tuck School of Business

The Americas Chapter of the Roundtable on Digital Strategies convened for a day-long discussion of the phenomenon of the IoT: What it is, where it’s going, and what is holding it back. Topics for the day included examples of current IoT deployments and the value they deliver; the business value behind IoT initiatives for both companies and customers; and obstacles slowing further progress. Participants shared perspectives from both the consumer and industrial sectors — and each group was surprised to discover how far along the other was, and how much could be learned from their experiences. Common themes included the primacy of providing additional customer value, the need for balancing privacy with commerce, the disruption to existing business models, and the question of how in the world companies are going to manage and derive value from all this new data.

Participants in the session, hosted by Yum! Brands at the headquarters of Taco Bell in Irvine, CA, included CIOs and their business unit counterparts from Aetna, Bechtel, Chevron, Eaton Corporation, Hilti AG, Nike, Taco Bell, Time Warner Cable, and YUM! Brands.

Key Insights Discussed in this Article:
• The Internet of Things (IoT) is happening now, with unexpected scope, scale, and velocity. From machines to wearables, from machinery to landscape-scale features, sensors and monitors are being placed by the billions — and smartphones are the most important IoT device of them all.
• Initial value lies in improving customer relationships, not in finding new products to sell or new ways to sell them. Companies are deploying IoT in operational capacities to improve customer experiences, rather than to search for new revenue streams.
• IoT data combines services even more deeply with products, to the extent that they can no longer be disentangled. Companies need to be careful of what services they enable, both to protect their revenue streams and to strengthen, rather than endanger, their customer relationships.
• By delivering value across expanded customer and partner ecosystems, IoT is disrupting existing business models and creating new ones. In many cases, the IoT data itself is the primary source of value; consequently, data-for-service “freemium” models will likely be short-lived.
• IoT is generating even more reams of Big Data; corporations are searching for means to use it effectively. Obtaining insight from the deluge is one challenge; changing business models to monetize data is a new opportunity.
• Corporations are their own worst enemies in IoT. Technology exists, but companies are struggling to change their perspectives on risk and innovation.
Roundtable on Digital Strategies
Introduction: Instrumenting the Physical World

Chris Rezendes, President of INEX Advisors, began the day’s discussion with a presentation that described the Internet of Things as “the instrumentation of the physical world.” Sensors and devices are being attached to or embedded in whole new categories of “things” — including people, pets, vehicles, clothing, buildings, and machines of all types. Even “landscape-scale assets” are being connected to the Internet: roads, bridges, tunnels, pipelines, rail lines, power lines, coastlines, rivers, and farms are just a few examples of big “things” that have already been instrumented. “People are experimenting with this instrumentation of the physical world on every possible dimension.”

“So the question is why?” Rezendes asked.

Because 99.99% of physical world assets are not connected, and those that are, connect at sub-optimal utilization. So we have very little data — almost no ground truth, no objective intelligence — to support the policies, the strategies, or the decisions that we’re making about how to invest in, how to build, or how to expand assets or operations that are rooted in the physical environment. The point is not to take humans out of the loop, it’s to augment and enhance human experience.

In some ways the IoT is not particularly new, Rezendes reminded the group: “Some market segments and asset categories have been going about this for almost 20 years, for example heavy equipment in agriculture, construction, materials handling, and mining. Fleet telematics has been around forever. Companies at this table are deep into it already; it’s not happening around you, it’s happening in part because of you.”

And yet, he said, “2013 was the pivot year, the year when the Internet of Things went from a concept to a reality. It didn’t necessarily become a big business with lots of people making money, but it was the year that four behemoths in different parts of the global economy — GE, Cisco, Salesforce, and Intel — all came out with variations on ‘the Internet of Things is the future.’”

“So why now?” Rezendes continued. “Because there’s never been lower technical risk to do this:

Yes, security is a huge issue, and it will be forever. But the meta-trends are lining up to remove so much technical risk. There won’t be many architectures, and they’ll be rooted in standards and available from merchant sources. There’s the smartphone. We’ve got so much network, compute, control, and communications enabled, in so many different places. It isn’t about new technologies being developed; it’s about existing technologies being integrated, being configured, and co-existing. The only thing we really have to do is ask ourselves, “What could we connect, and why?”

Based on engagement by thousands of companies, Rezendes forecasts, the number of internet-connected devices will increase by at least another half-order of magnitude in the next few years, from 10–12 billion today to 50 billion or more by 2020:
“The benefits are real,” he continued. “There are proven ROI cases, but they’re not what we hear about all the time: In the oil & gas industry, for example, three of the top five use cases are compliance, safety, and risk mitigation. They’re not just new revenue, new ad platforms, or persistent connections to customers to sell them more stuff:

An intelligent egg tray may not be the best way to prove the value of instrumenting the physical world. Find something more meaningful — if you don’t pay close attention to the operations technologies in your business and your ecosystem, you’re going to miss the taproots of value creation in the Internet of Things. If you have a relationship with me today over a specific product or service, start with that. How can you enhance my experience with that product or service? That’s the number one area for return on investment. Revenue enhancement and competitive differentiation are important, but they come after the real stuff, and the real stuff is, “What does it do for customers?”

“The hardware we deploy to do this,” Rezendes observed,

Is not going to be like anything associated today with consumer or even commercial IT, with their two-to-five year upgrade cycles. That’s too expensive. To instrument the physical world and to do it well, we’re going to have billions of these things. The hardware is going to come from the community as much or more than it comes from any of the major IT or consumer supply chains.”
“Connecting those physical assets and the data about them to a network, and delivering value in services and apps, will be a multi-trillion dollar opportunity,” Rezendes concluded. “The Best Damn Network” IoT examples from the Roundtable reinforced Rezendes’ points about using technology for operations to improve customer experience. Mike Hayashi, Executive VP of Architecture, Development and Engineering for Time Warner Cable, started by describing TWC’s IoT environment: We are both a landscape-scale industry and an industry that serves consumers. We are an infrastructure company that enables connectivity, but we’re not in the content business: We deliver services, but we don’t create the services themselves. And customer-owned and customer-managed devices represent a new path by which we enable our core services, whether that’s video or home management or security, and whether they’re iPads or Android phones or televisions connected directly to the Internet. “Historically,” Hayashi’s colleague Matt Zelesko, Senior VP, Converged Technology Group, explained, We have had separate infrastructure for different applications. Increasingly, all of them are running over the IP infrastructure, so the “things” we are putting in a customer’s home are already Internet-connected. We’re evolving into “stewards of the home,” responsible for an ecosystem a lot broader than just the devices. It’s all the connectivity inside the home, whether that’s Wi-Fi or Bluetooth or Ethernet or MoCA, because most customers think about their home as an extension of our service and our plant. Moderator John Gallant, Senior VP and Chief Content Officer of IDG Enterprise, asked about the potential changes in the TWC business model based on new connectivity: So increasingly you’re looking at the customer as an IP address. It’s a mobile world, and you’re looking at individuals with a tablet watching HBO Go. 
That’s a lot more information that the advertising community would find very interesting in a real-time fashion. Who is going to ultimately control the information and monetize it? To some extent you’re in the catbird seat, with an opportunity to be the broker in the middle of that information stream. “The information we can get from that environment is far richer than what we can collect from the classic legacy video environment,” Hayashi answered: The technology allows us to know exactly what an individual household is consuming. We will eventually have the ability to say what a specific individual is consuming. But the key question is, “What do we do with it?” It’s actually hard to market: There’s a big gap between having this vast amount of information and monetizing it. There’s a discussion about whether we become the aggregator of the various intelligent devices that consumers are buying, but it’s really difficult: If you try to sell home management through
security, then you’re trying to convert existing security products to match your infrastructure. Whether we become the providers or the enablers of these kinds of technologies is still up in the air. There’s a distinction between becoming the home management company, and being the company that enables and brokers connectivity to various home management technologies. “We are looking at some really interesting uses of that data,” Zelesko added. “For example, suppose you want to reach a certain demographic, and the best way is to advertise on ESPN, but that’s really expensive. So we have enough data to say, ‘Those people who are watching ESPN are also watching these shows on these channels at these other times.’ So you could reach a very similar audience at a much cheaper price.” “Will the technology be available to target an individual person?” asked Lynn Hemans, Director of Industry & Competitive Insights for Taco Bell. “To actually target five people that are brand advocates who are watching ESPN right now? That would unlock so much value in my industry.” “It would be an anonymized individual,” Hayashi answered, “That’s called ‘personalization,’ and every device could have a particular ad insertion for that particular experience. You wouldn’t know that it was something done just for you, because it’s part of the linear experience you’re having.” “We’ve tried to drive synergies between products, for example between voice and the TV,” Zelesko concluded. “But there are all sorts of concerns that come up, for instance, privacy issues in shared households. All sorts of things start getting in the way of the utility of those services. 
So to some extent we’re going to do that, but really what we want to do is build the best damn network we can, to deliver a high-quality, high-speed experience with the internet.”

Don’t Be Creepy

“It is increasingly difficult to separate products from services,” stated Chris Satchell, Nike VP and Consumer Technology Officer:

If you buy a pair of shoes, how much of your end enjoyment is just the physical product? Or was it the in-store athlete who found you the best shoes and hooked you up with a running club? You start to not disconnect those things. A FuelBand is a physical product, but it’s not very useful without the additional service that goes with it. It’s the combination of human services, digital services, and physical products that gives the consumers benefit, that makes something happen in their world.

“But now because of that,” Satchell continued, “The customer does expect a better experience:”

If I’ve signed up for two marathons, registered 300 runs, and made 500 FuelBand entries, I expect that you know me fairly well. Then if I go into a store and you don’t know who I am, and you recommended something stupid — well, I don’t know why I want to deal with your brand. This idea of seamlessness is a huge force in the consumer world. But our company is
very used to channels and product categories, and now we have to somehow blend those together to make the consumer experience seamless. “The things you’re doing at Nike are very visible,” commented Gallant, “Because lots of people have these devices. They’re recording a lot of stuff about their life. How are you using all that information? What are you doing with it? Where do you see it going?” “What we really wanted to know,” Satchell explained, “Is to understand the athlete that’s using it:” If we know more about you, we can service you better, with motivation, with combinations of products, events, digital services, applications. We have over 20 million users on the running app: We know how fast you run, where you run, what time you run. Say we find out the majority of users run early morning, and a lot of them run in a cold environment? We can correlate with weather, and put more emphasis into our thermal and waterproof products. It’s even more useful as we shift from consumer electronics on your wrist to sensors embedded in your apparel and your footwear. Say we start to see a huge population that pronates in a certain way? Maybe our shoes aren’t helping that enough. We can actually change the product creation process based on what we understand about segments of our audience. But our real value is, “How can we take individual data, use what we know about you, and get it to the end points of the business as an actuation point with you in a way that’s useful, whether it’s helping you with training, with motivation, or with selecting products, to help you as an athlete get better?” We think that’s the magic of wearables and sensors on a personal level. “You are collecting a lot of information about customers and patterns and regions and all kinds of things. Has it changed how you market to people?” Gallant asked. “It hasn’t yet,” Satchell answered, “One of the big things we’d like to solve is knowing whom we’re talking to in retail. 
The problem with point-of-sale is, it tends to be a single-purpose device built by somebody else. If you can move mobile point-of-sale on a general-purpose device that you can update with software and service, you can put a lot of innovation in it. If we knew automatically who’s in the store, and whom we are talking with, then we could serve them a lot better. But if there’s an auto-sensing device, then the problem is, “How do you not be creepy?” Creepiness is a big thing with consumers. We’ve seen really quickly how much people value their privacy. Trust equals use: How much I trust something is how much I’ll use it, and this will translate directly to the Internet of Things at a consumer level. Dickie Oliver, the VP of Global IT for Yum! Brands, the corporate parent of Taco Bell, expanded on how the “personally-owned mobile general-purpose IT device” — aka, the smartphone — is taking on a variety of new roles. “The point-of-sale simply doesn’t exist anymore in our delivery business. We
don’t take face-to-face orders. We’re engaging with the customer in the cloud: They’re doing all the work themselves, either on their smartphone or on a PC.” “So then if you look at our quick-serve restaurant business,” Oliver continued, “Why do we need a point of sale in the store? It’s a tremendous cost burden for us — why aren’t we using this device that every consumer is going to buy, that will just get more and more powerful, flexible, and convenient?” “60 percent of all restaurant searches are done on mobile,” Oliver’s colleague and Taco Bell CIO Greg Fancher continued, “and 60 percent of those result in purchasing food within the hour.” It is the “place” where people go when they figure out, “I’m hungry, what am I going to do about it?” So it’s a logical next step to then order on it, pay on it, and show up in the restaurant. You don’t need to talk to the cashier, you don’t need to wait in line: Your food is just made and ready. We’re working on a mobile app to order and pay, and it uses geo-location, because we don’t want to make that food too early. We’re optimizing the inventory flow. IDG’s Gallant commented on the changing role of the smartphone in dealing with customers: “Mostly when people talk about mobility from an IT perspective, they’re talking about controlling it,” he said. “They worry, ‘Oh my god, people have mobile phones!’ Well no kidding. We’ve got to deal with this: The real value of mobile would be envisioning how you work with your customers in completely different ways because they have mobile devices.” “The smartphone is absolutely going to be the center of an individual’s digital or virtual life for the foreseeable future,” concurred Rezendes. Wearables will complement it. Yet at the same time, in a really interesting tension, the most successful companies will develop applications that don’t emphasize stickiness, that actually emphasize efficiency: Get in and get out. 
The most successful companies in IoT are going to free people from screens. A second factor is integration. People want a COP — a common operating picture — of what’s going on, whether it’s in healthcare, athletics, dining out, or any domain of an individual’s or business’ activity. They want access to all the data they need for decision support to spend time or spend money. Industrial companies are taking a similar approach, according to Tom Black, VP of IT, Enterprise Information Management for Eaton Corp: We are instrumenting a lot of things — seven or eight product lines right now — and we need to step up the aggregation of all of those. We have facilities with hundreds of devices, and people want to see them on one screen, quickly. How do you do that? The user experience is a big challenge; so are the data life cycle, and the privacy.

Better Living through … Telemetry?

“If you think you have privacy concerns there, or about inserting personalized TV ads,” began Michael Palmer, Chief Innovation & Digital Officer for Aetna, “Then just wait till we find out from your pacemaker that it gave you an extra jolt because you had some irregular rhythm, and we send an ambulance to your house because you’re going to have a real problem later today. That’s where the Internet of Things is going in the healthcare industry.”

“People are living longer, and the most effective care setting is your home,” Palmer continued. “So to the extent that we can keep people in their homes and bring care to them, that’s a better outcome.” He gave examples of Aetna’s pilot programs in healthcare-related IoT:

Diabetics can get ulcers on the bottoms of their feet, which if not treated can end with amputation. So there are little mats that you put in front of the mirror on your bathroom floor that sense whether there’s an indentation in the foot, long before one of these ulcers gets to the point of erupting.

If you’ve had a mild stroke, your gait is likely to have changed. So we can have a sensor in the carpet that says “Grandma’s gait has changed, it may be worth having a visit from the physical therapist.”

There are five factors that indicate metabolic syndrome, and if you have three of them, you’re at five times the risk for getting diabetes, at 1.6 times the healthcare cost of someone without those factors. Newtopia is an Aetna program that integrates data from several connected devices: A BodyMedia exercise tracker, a food logging application, and a weekly Skype session with a coach. The point is to help people lose seven percent of their body weight, which gets them much closer to heart health. 500 people signed up for the pilot.
Six months into the pilot, 62% are on track to lose the target amount, “which is an unbelievable stat on patient engagement.”

“We have all kinds of standards around ‘do not resuscitate, do not intervene,’” Gallant pointed out. “If you’re getting all this information about me, do you have to create a whole new set of rules around when it’s okay for my insurance company to tell me what to do?”

“We can be the ‘Intel-Inside’ of healthcare data and predictive analytics,” Palmer answered, “To help the doctors know whom to intervene with, so our model can be to enable the physician and hospital community to be the locus for health advice. No one ever wants to pick up the phone and call their health plan.”

“Ultimately are we going to wind up where healthcare is the other killer app in the home, in addition to entertainment?” asked Hans Brechbühl, Executive Director of the Center for Digital Strategies.

“Most things start centralized, but they tend to land in the lower-cost, more accessible location,” Palmer replied, “So the short answer is ‘Yes:’”
Pushing monitoring equipment to the home for patients with pulmonary disease, for example, is the right way to do it, rather than having them show up in the emergency room with a breathing issue. The technology is becoming so cheap that avoiding one ER visit could easily pay for all of the equipment. Once we have a proven solution for something, the tradeoff is, “How much will we save in medical costs, and are we willing to invest that amount instead in prevention, hardware, software, and monitoring equipment?” We see huge opportunity there.

Let’s Make a Deal

“But we’ve got to create a connection for consumers to make it worth their whiles to be measured and quantified,” Palmer concluded, echoing Satchell’s comments about Nike’s experiences with customers sharing data. “And that’s one of the hardest things:”

Consumers are willing to connect to devices if they get something back for it. To the extent that we can help people make good choices about their health, that’s part of the reward. So you start with a wearable, for the people who really want to understand their health, or to manage their weight and fitness. Some people are willing to give up an amount of privacy to get a lower premium, but it’s only a very small subset of the population. So we’re trying to figure out, “How do we help people select the healthy apps that are going to change their behavior?”

“Then you’re fighting the fear that you’re going to use their own data against them?” asked Gallant.

“When the internet came,” Geir Ramleth, retired CIO of Bechtel and Executive Fellow at the Center for Digital Strategies suggested, “Individuals felt they had control over the interaction with a laptop, and they could manage their own destinies. Now all this stuff is floating in the cloud somewhere, and people don’t have the same level of control, or comfort of control.
This will be harder to accept.” “All of our tools have RFID chips in them,” volunteered Jean-Louis Keraudren, Corporate Head of Direct Marketing — Big Data for Hilti AG, “And we are getting some pushback already.” The chips exist so that we can best serve our customers in the AMS processes, but the reaction in some cases is “We don’t want you to know even more about the Hilti tools, you’re too powerful already.” So we have to show people in a very authentic way that we want the best for them first, before we make more revenue and profit. On the other hand, he continued, We don’t want to add services to too many products without clearly demonstrating the differentiation and value-add they create, so that it’s possible for us to sell. Otherwise, our customers will get used to a certain level of premium value, and it will be impossible to charge for it afterwards.
Rezendes combined this comment with the earlier thoughts from Satchell and Palmer: “Authentic value builds trust. You can charge for anything that is of authentic value from a trusted party. And then you don’t have to be opaque about what you’re doing with the data.”

There is a backlash now: “I don’t want my healthcare insurer to know that I hit my refrigerator every midnight.” In a freemium world, an appliance manufacturer might look at the data and say, “Let’s put it into a data store and sell it.” But the value of data is now known to everyone who is sentient. No one is going to participate in a big freemium way in IoT: They’re just too smart. Companies need to move from the freemium-based model to a value-based model, and through an education process get people to understand the value of the application, the reasons both for why they’re paying for it, and for why it needs to be secure.

“Will it start on the commercial side,” asked Bill Braun, CIO of Chevron Upstream and Gas, “Where companies can require sensors be worn, for example? If a pilot’s going to have a heart attack, you do want to know, you’ll be obligated to know. ‘We’re not asking, it’s just how we operate: Just like you wear a hard hat, you’ve got to strap on this device, and we get the data.’ That could start much more easily in a corporate environment.”

“Danger, Will Robinson!”

Mike Lewis, Senior VP and Corporate Manager of Construction, Bechtel described safety-related IoT applications already in use:

A device for all truck drivers in the Andes, because of anoxia and working at altitude. It flashes in front of the driver and causes him to look at it. It looks at his retina, measures his reaction time, and determines if he’s fit for duty, and if he should be driving or not. If he’s not reacting appropriately, it stops the truck.
It’s wireless, and it reports back to the dispatcher, “This truck is stopped, this guy’s not fit for duty.” Vests — “wearables” — that use radar and a proximity system to help the machine understand if a person is in close contact, and therefore, does the machine operator need to be warned that he’s about to contact somebody, or does the employee need to get a buzz that he’s too close to a piece of equipment. We’ve used a similar system in London for when we’re doing maintenance on the train tracks, and we know that trains are coming, so that we can warn people if they’re about to go into a hazardous area. Telemetrics on all our cranes and all our mobile equipment. We use mesh networks, satellite systems, wi-fi location, and rAgent technology developed by DARPA to locate and monitor them in real-time, so we know availability, we know utilization, we know a lot of the operating parameters associated with the equipment. We can program the parameters for the speed of a dump truck going down the road. We know who’s driving the dump truck, and if he’s speeding or not, from a safety standpoint. The trucks all have inclinometers on them, so if he’s raising his bed up and it’s overloaded, we know.
“You’re getting a lot of data about those vehicles,” moderator Gallant pointed out. “What’s the back end that you need to capitalize on that, to make sure that problems are being resolved?” “All that data feeds into a regional control center,” Lewis explained. “Our rAgent system warns a supervisor, who can be monitoring 20 or 30 pieces of equipment doing hazardous work. And the backend is programmed: If you set the parameters for warnings versus shutdowns, you can kill the equipment.” Hilti’s Keraudren agreed: “People get used to this Internet of Things, and they come back to the manufacturers and say, ‘My appliance, or my equipment, is down. You have all this information, why don’t you do something about it?’ The pressure is getting very high, and if we don’t move fast, it will get too high.” Gallant posed a question raised by Satchell’s earlier point about automated actuation: “If you know a lot more about your customers and your equipment, and how they’re using it, does that create a set of potential problems around liability?” “IoT and M2M stumbled in the middle of this decade,” Rezendes admitted, In part because most of the solutions being deployed got you asset identification, location, and that’s about it. You had virtually no ability to provide any kind of remote, real-time actuation. So most enterprises got really scared: “Once I have enough security and data and intelligence, my entity assumes responsibility. 
If I can’t have the digital, virtual, real-time, cost-effective, secure, autonomous agent to remotely change the condition of the asset, then I don’t want to know about it, because all I’ve done is assume the liability.”

Bill Blausey, Senior VP and CIO of Eaton Corporation, countered the objection with the potential benefits: “We’re trying to drive a zero-instance safety culture, if we can bring together information about behaviors of the human, what they’re about to do, and the state of the machine, we could prevent people from doing something stupid: ‘I don’t have my protective electrical garb on — should I really be doing maintenance on this charged machine?’”

“So there’s a race on,” added Blausey’s colleague Black:

It’s table stakes for us to put IoT in switch gear and power monitoring equipment, but it’s a value-added service to use RFIDs to measure where a hose is about to fray and send an alert, so that a customer gets more life out of it. It’s a big savings, because normally our customers just periodically sweep through and change everything. But I can see that somehow we’ll wind up with the responsibility for all of that equipment, and the people and safety issues will somehow transfer to us.

Bechtel’s Lewis gave an example of a high-ROI deployment around equipment:

We tag our tools around the world for checkout and control. From a pilferage standpoint, the business case is huge. To be able to control what comes in and goes out of the gate or what stays on the project is a huge savings to us from the tools that tend to “walk off” or be
“destroyed.” We also use RFID tagging in our tool maintenance and management system to monitor when it’s time to redo a cord inspection, or to determine if a tool is reaching its useful life, since now we know how long they’ve been on the job site and what they’re doing. “The challenge for Bechtel,” said Ramleth, “Is how to build large infrastructure and still deliver the kind of seamlessness that Chris talked about.” We have little sensors you throw into the concrete, and we can watch what’s happening from an iPad on the ground. Then they just stay in there forever. How can we use sensors like that for the efficiency and effectiveness of building the project, and leave them in the infrastructure so that they continue to deliver benefits for 20 or 30 years, once the customer has taken over the physical plant? Blausey returned to Satchell’s concept of the convergence of products and services to highlight its difficulty in the industrial sector: “We’ve been instrumenting things as an industrial manufacturer for a long time, to sense behaviors and predict reliability. We have systems that capture that data, trend it, and understand in advance if something’s going to fail. But we’re generally one piece of a system — power distribution, or lighting. We have pockets of things, but limited success with selling services around them.” Andreas Wagner, IT Process Consultant for Hilti AG, described a middle ground between the Eaton/Bechtel world of machinery and landscape-scale assets and the Nike/Aetna world of consumers: Hilti has been merging products and services for decades. Now we’re adding more and more software, that we see as embedded IT, or as a digital service. For one example, we track improve usage times of tools on job sites, so customers can distribute tools more efficiently. For another, there are very tight health regulations on how much vibration a worker can be exposed to. 
So, we have a device like a smart watch, that can tell how long employees can continue to work with our tools, and compare this to the allowable time with competitors’ products — because Hilti products, being premium, produce fewer vibrations.

“There’s an interesting point here about deployment,” Chevron’s Braun observed, “Because consumers can drive large-scale investments fairly quickly, while broad-based corporate infrastructure takes a long time to move, to get buy-in, figure out the price, figure out the maintenance. How these come together or combat each other is going to be very interesting.”

Data, Data, Everywhere, nor Any Drop to Drink

“So with the level of instrumentation we’re getting now, is anyone struggling at all with the data side of this?” asked Satchell from Nike.

“Massively,” answered Braun.

“Massive echo on that,” emphasized Rezendes:
The first phase of IoT isn’t really about IoT: It almost always begins with more secure real-time access to a broader range of existing data sources. It’s about harvesting, and about leveraging the existing sources of data that are stovepiped or stranded or siloed. But then everyone is drowning in data, because they’ve sensed and instrumented. “That is the hard part,” Taco Bell’s Fancher agreed. “We have sensors that have been out there for a long time, taking temperatures, we can do that pretty reliably. It’s the centralized control and management of those sensors — getting the data back, and what do you do with it? The sensor is the tangible piece, so people want that. The hard work is connecting back to get some value out of it, to drive the action: What decision are you going to take?” Ramleth suggested the solution to the data deluge is to approach it with a different set of objectives: We often got too enamored with analyzing the depth of information. We go down more and more and more, so what we get is a “more correct” answer, because we have more statistical data points. But as we go wide, we can start to correlate data sets that we could not otherwise compare before. So now we can get answers to questions we never asked before. “But we have people in the business who have been trained for years on small data, on narrow data,” Satchell objected, “And those are the only questions they can think about.” People can’t even formulate the questions that might move the business. You need somebody who can think differently, across the business, and laterally from how we think today. One of our impressive recent hires was from Facebook, and he spends a lot of time answering really interesting questions. His comment was, “This is really simple math. The hardest thing I do is a regression; the rest is like addition. 
The problem is figuring out which addition to do, that can move the business and give you new insight.” “We’re struggling to find people who can ask the business questions,” Christian Reilly, Manager of EPC Systems at Bechtel, affirmed. “It’s got nothing to do with the data. The technology is there, in spades. The mechanisms for analyzing it are there. But something we see is that people don’t trust the results, even if you ask the right questions, because it didn’t come from a recognized, traditional mechanism. There’s an inherent distrust: ‘This can’t possibly be right.’” “And we’ve all been very successful companies for a long time not using data at this level,” Oliver pointed out. “It’s hard to move the corporation and the leadership team from where they’ve been successful to where they need to be successful in the future, using data at that level.” The key, Ramleth suggested, is to use those new questions the data enables “to get predictive indicators, rather than reactive indicators, so that as we start getting information from the IoT environment, it can actually start to act on itself, by itself. Why should the guy wearing the vest have to get an alarm? Why doesn’t the machine just stop?” “Even if you have someone who can ask the right questions,” added Taco Bell’s Hemans, “You still have to tell the story to influence your organization. So you need the data people who are really good
at analytics, and great storytellers to tell the story, and it’s the mash-up that is powerful enough to influence the organization.”

Rise of the Digital Natives

The discussion turned to what companies need to do to prepare and execute. Ramleth addressed outstanding technical issues around standards and security:

As you go into IoT, you kind of have three or four different kinds of participants: people, devices, applications, and something in the cloud, and you have to get those four to somehow talk together, without having the luxury of a really set, fixed set of standards. So the standards will have to be quite fluid, because you can’t get all these participants to play in the same sandbox. On the security side, you can secure the systems, but how do you secure the information? Often, by looking at behavioral actions on it. So you have to find out the pattern of information behavior, and when is it going out of the norm, because watching systems and monitoring systems to see if you have a breach is not enough.

“It’s even worse,” Satchell said. “When you have actuation built in, that’s a whole different level of security, a whole new set of problems, like the ability to disrupt a centrifuge in a foreign country.”

There’s more processing power in devices, and they have access to a network. Nine of your ten devices are completely secure and great, but somebody made a mistake on the tenth, and that’s one of the classic ways to break through networks. They get into that one, then they jump to the next network. And the more of these devices you’ve got, the worse it gets.

“Security is still an issue for us,” Blausey responded, “Because of the kinds of things we do: Our devices sit on the power grid. They’re smart. They have firmware and software. They’re hackable. And we know that’s a target for taking down infrastructure.
And so any time we’re enabling these devices, they suddenly become disable-able as well.” The solution, Ramleth proposed, is that “You have to actually go down to the sublevel, where people interact with data. That is where rogue machines interact, and where you see abnormal information flow or information gathering. And then the system has to be able to self-react, and shut something down because what it sees is abnormal.” “What’s the chief obstacle to deal with all this?” asked Brechbühl, posing a lightning question round. “Is it a) Culture/society, b) Corporations’ ability to execute, c) Technology, or d) Government and regulation? And how ready are we to move forward on the IoT on a scale of 1 (not very) to 5 (very)?” Fifteen of the seventeen roundtable participants identified corporations themselves as the biggest bottleneck, with an average readiness score of only 2.5. “We’re so busy reacting to what’s already coming at us,” Chevron’s Braun explained, “That we’re just trying to get our heads around it and keep up with it:”
I can’t see too far down the road, but I can see our business being very, very different, with things shifting pretty fundamentally. Are we doing enough? We are 30 percent driving and 70 percent reacting, and I don’t want to do anymore until we figure out how to get neutral, so we don’t feel like we’re always behind.

Keraudren suggested another reason for the relatively slow pace of IoT adoption:

There is a generation change. The people in charge of corporations at the management level are mostly older, especially in companies that aren’t in the digital world or the internet. Implementing sensors and collecting data is the easy part: These people don’t naturally understand the power of what we’re talking about. They have rather risk in mind, more than opportunity, so there’s a lack of vision on this topic: They sometimes don’t even see the business case. We don’t have a holistic, integrated vision of what we can do.

“They just can’t help themselves,” Satchell agreed.

There’s lots of innovation, but it’s incremental and narrow within a field of business. You don’t get new directions for the company because they’re way too focused on next quarter’s results. Even if they start a project that’s supposed to be very innovative, it will get sucked into everything else. So you need to protect these kinds of projects, but then you have the problem, “How do you integrate the results back into everybody’s roadmaps when they’re already 100 percent maxed out on their committed revenue plans?”

“The use-case driven approach to IoT is a start,” Wagner asserted, “But leadership is needed to drive the whole thing, because it needs to be cross-silo. The IoT needs to have a clear visionary leader, to merge the products and services really completely, to change how we interact with our customers. It’s a responsibility for the company: The digital natives are rising. They’re going to expect a certain handling by us.”

“The bridge between the two,” said Keraudren, “Is to come back to a very core assignment within the company, which is the basic task to understand customer needs:”

The IoT brings a multitude of new ways to better understand customer needs, and we are simply not familiar with them all yet, especially when we’re not talking about facilities or devices, but we’re talking about customer behavior. That’s much more complicated. There are plenty of sensors we can put out there, but we don’t know which ones to look at, which is where our whole question of data analysis comes from. The best solution is to avoid silos. We have good developments here and there, but no breakthroughs, because we have a silo here, a silo there. What we are not doing is to have all these people work together to have a holistic, consistent understanding of the customer experience, so we can make a strategy out of it.
A Honeycomb of Interests

Gallant turned the telescope around, and asked about who would be the sources of IoT technologies: “Are the household names — IBM, Cisco, HP, Dell, Oracle — are these the companies that are going to become strategic vendors?”

“Enterprises are looking for deep subject matter expertise in the IT vendor community, to meet where their internal operations communities already are,” Rezendes answered. “IoT has more to do with embedded operations technology than it does with information technology, and there’s never been a big IT vendor with a big footprint in embedded technology, ever.”

“We’re not going to see them doing great layers to control these embedded devices,” Satchell agreed. “The hardware will probably come from the leaders that we see today, but the software is more likely to come from the open source community. It might be productized, like Hadoop, but a lot of it is still a small industry.”

“We won’t see any leading innovation out of that cluster of companies,” Ramleth finished. “If they do anything radical, it’s to buy someone. And over time, they’ll do enough acquisitions that they then do become the providers.”

“There aren’t a lot of companies that have an ‘IoT Strategy’ yet,” Rezendes pointed out.

The strategy may not be about our physical product at all. It may be about the intelligence that we can capture from our physical products, their ambient and operational environments, and their antecedents and their downstream contributors or complements. So in other words, we’ve got to figure out who’s going to own that data, who’s going to get access to that data, how that data can be deployed, because if we don't, we’re going to end up in a really bad place, where, for example, in integrated commercial value streams, one entity may have all the intelligence. One entity may have massive leverage, and be able to aggregate all the profit in that space.
If you think about all the new interconnections and interdependencies between your businesses and your suppliers and customers, a lot of companies forget that when they start instrumenting physical assets that are either products or inventory or consumables, they sometimes forget that in that instrumentation, there will be impacts upstream and downstream on their trading partners. Think honeycomb: Think about all the potential stakeholders that might be interested in that data in one way or another.

“There is this big ecosystem,” Black agreed.

We have to change our whole culture to think about how to extract value not just for ourselves, but for this honeycomb. If we could be more transparent with the analysis we’re doing, and give the data or sell the data or share the data…. It’s re-creating the supply chain, to protect your channel partners, to keep them in the fold. The data becomes a new form of currency. But that’s not comfortable, not comfortable at all.

“IoT data will be disruptive to the existing balance of power,” Black continued. “How do you decide who gets all the data? We are not asking the right questions yet, because we aren’t thinking about the honeycomb.”

Reilly proposed “the 5 Cs of IoT” that companies will need to complete in order to develop their IoT strategies:

Connect: What layer you are operating at, with what type of connection.
Create: The context of the data that’s created by the sensor or the thing.
Collect: The aggregation of that data via push/pull.
Correlate: The question about how the data impact the business.
Comprehend: Understanding what action we’re going to take.

“What this means,” he continued, “Is that we’re going to have to do a hell of a change management exercise and pick the battles at the right place to get any traction with this. It’s more difficult than mobile, because you can’t see some of this stuff, and mobile generally augments people. It doesn’t replace them. So our capacity to accept change is going to be a major challenge.”

Rezendes returned to his earlier theme of growth of the IoT, and talked about the unquantified aspects, the qualitative environment that companies will be working in as the IoT develops:

What we’ve done with social and mobile and with most technology to date pales in comparison to the velocity and potentially to the violence with which our business models, our customers’ requirements, and certain industries are going to be reshaped. This isn’t going to be smooth, and it isn’t going to be monolithic. And I can tell you based it’s going to be fraught with tension. The best thing we can do is to identify and be honest with what the tensions are, because if we can identify and define them, then we can start to build our new businesses based on understanding those tensions and the negotiation of them.
Participant List
The Internet of Things: The Opportunities and Challenges of Interconnectedness
February 20, 2014
Tom Black
VP, IT, Enterprise Information Management Eaton Corporation
Bill Blausey
Senior VP and CIO Eaton Corporation
Bill Braun
CIO Chevron Upstream and Gas
Hans Brechbühl
Executive Director Center for Digital Strategies Tuck School of Business, Dartmouth College
Greg Fancher
CIO Taco Bell Inc.
John Gallant (moderator)
Senior VP and Chief Content Officer IDG Enterprise
Mike Hayashi
Executive VP, Architecture, Development and Engineering Time Warner Cable
Lynn Hemans
Director – Industry & Competitive Insights Taco Bell Corp.
Jean-Louis Keraudren
Corporate Head of Direct Marketing – Big Data Hilti AG
Michael J. Lewis
Senior VP, Corporate Manager of Construction Bechtel
Dickie Oliver
VP, YUM! Global IT YUM! Brands, Inc.
Michael Palmer
Chief Innovation & Digital Officer Aetna
Geir Ramleth
Owner, GeirHeads Executive Fellow Center for Digital Strategies Tuck School of Business, Dartmouth College
Christian Reilly
Manager of EPC Systems Bechtel Corporation
Christopher Rezendes
Founder and President INEX Advisors, LLC
Chris Satchell
Consumer Technology Officer and VP Nike, Inc.
Andreas Wagner
IT Process Consultant Hilti AG
Matthew Zelesko
Senior VP, Converged Technology Group Time Warner Cable
Information Security Organization and Governance A Workshop Overview European Chapter Discussion
Information Security Organization and Governance
An Executive Workshop by the Center for Digital Strategies at the Tuck School of Business and the Institute of Information Management at the University of St. Gallen

We convened a day-long workshop for Chief Information Security Officers (CISOs) at Kartause Ittingen in Warth, Switzerland. The topic of the day was the organization and governance of information security in corporations, given the nature of the changing information security threats and the challenges of supporting new business models and technologies in the workplace. CISOs from industry and government joined with academics from the US and Europe to discuss what was needed to address these threats and challenges. Participants in the session included CISOs from ABB, Adidas, Bechtel, Cisco, Daimler, Goldman Sachs, Hilti, ING, Novartis, Schindler, Swarovski, Swiss Reinsurance Company, the Swiss Confederation and UniCredit. The workshop was hosted by the Center for Digital Strategies at the Tuck School of Business at Dartmouth College and the Institute of Information Management at the University of St. Gallen.

Key Insights Discussed in this Overview:

• The consumerization of IT is a major source of security challenges. The behavior and expectations of employees have changed, making it imperative for corporate IT to proactively embrace the use of the right technologies and proactively scout for threats.
• Blocking websites and shutting applications down is not working anymore. Users now demand an appropriate replacement for any software that gets shut down, even a consumer product. Additionally, with 4G connections, blocking websites is also becoming questionable.
• IT-enhanced products and services are a new avenue for attacks. No matter if it is car IT, remote monitoring/controlling of industrial devices, or tracking of people, as the services and products of companies become IT-enhanced, it makes them vulnerable to attackers. Information security therefore has to be more involved in product and service development.
• The role of information security is changing and makes reorganization necessary. Information security has often been a part of IT. Now that IT is not only owned by the IT department and since information security topics are emerging in most departments, it is important to place it where it can function and be governed best in each corporate culture.
• Keeping talented people within the corporation is challenging. While information security is becoming increasingly important and information security departments are growing in headcount, it is necessary to offer appropriate career paths to keep talented people in the company.
• Information security needs people that can sell the topic and show leadership skills. While technical skills are still necessary, a diversified skill set, which includes soft skills, has become necessary. Information security people need additional skills such as strong communication skills, the ability to influence people and “sell” the topic within the organization.
• Key performance indicators and reporting are important elements of information security governance. Communication with other parts of the business and with management is becoming increasingly important. Key performance indicators can be an important instrument.
© 2014 Glassmeyer/McNamee Center for Digital Strategies, Tuck School of Business at Dartmouth The CISO Workshop publication series is edited by Hans Brechbühl, Executive Director of the Center for Digital Strategies.
• The interaction with governments is of growing importance. Despite improved collaboration, governments need to react faster to incidents and collaborate with other companies and countries to define policies, enforcement, and punishment for acts of cybercrime.
CISO Workshop
Introduction: Consumerization and Shadow IT

Since the introduction of the iPhone in 2007, IT and the general perception of what IT should and could do have radically changed. IT had often been perceived as complex and difficult to use, and consumer devices such as smartphones and media tablets led to an implicit expectation that everything can be done easily with just the right app. This new expectation that “IT just works” has spilled over into corporations and leads increasingly to the question “Why can’t corporate IT be like consumer IT — easy and convenient to use?”

A major aspect of this question is the trade-off between risk and convenience and the attitude towards IT risk in general, as Scott Bancroft, Group CISO at Novartis, described: “The attitude towards IT risk has changed from pretty conservative to an extreme where when an idea has got the term ‘mobile’ in front of it, then everything is worth the risk. So my job is not to say yes or no. My job is to point out the level of risk, and then it is the business that accepts or does not accept it. But at the moment, they are just accepting almost any risk on the basis that if it all goes pear-shaped, someone like me will sort out. So the business attitude to risk changing has become more of an issue than it was two or three years ago.”

Even very risk-aware industries, such as the banking industry, are experiencing comparable changes in the attitude towards IT risk, as John Holland, CISO of Credit Suisse, confirms. But equally, his stakeholders from business are asking “more challenging questions and want to understand the level of risk that they're running, how they could be exposed, whereas two-three years ago, they would never have even thought to come and have that dialogue or ask me those questions.” Hence, while the awareness of IT-related risk has increased, other parts of the business have also started to be more willing to take action and address these risks.
Martin Sibler, member of the information security team at Swiss Re, agreed with Holland that there is a “trend towards more risk discussion and then also risk acceptance.” But he also mentioned that when useful software applications, for example Dropbox, turn out to lead to too high risk exposure, the users will not accept just turning them off, but will expect to be offered a more secure replacement. Therefore, just shutting down an application is not an accepted approach anymore.

Valentin Simic, Corporate Information Security Manager at Swarovski, continued this thought by proposing that information security needs to be more consumer IT-focused in general: “For us it seems that security is more and more driven by the consumer. It's not that you need a business reason why someone should have an iPad, but it is just the simple fact that he or she is using that device at home. This is true for hardware, but it's also true with software, which makes it a major issue for us in information security.”

Holland agreed with this statement and summarized that IT therefore needs to be proactive and needs “to embrace the new technologies because you're not going to be able to stop them.” Therefore, Credit Suisse started to be more open to the usage of consumer devices at work: “The approach we've sort of taken is to block what people do in the office, but allowing them to bring their own devices, so whatever they do on their personal space. And we've even gone as far as providing unrestricted WiFi in our main offices building. That means the employees can browse the internet and do what they would normally do because they're going to have a 4G connection, anyway, so we've just given them WiFi.”

While the discussion was focused on the usage of consumer hardware and consumer software, Olivier Gourinchas, Head of Market Reach, Service Management and IT Security at Hilti, added another dimension by mentioning that some users have even started to set up complex IT systems and server farms the IT department is not aware of: “People are getting very creative, and then when we start on our own level discussion with, for example, Amazon and other cloud providers, we discover contracts already set by some guys in the company who have now their own server farm and are installing their own environment and have applications deployed for some person in the company in a completely uncontrolled and invisible way.”

All of these self-provided tools (smartphones, apps, or even server farms) that are used without the knowledge of the IT department can be summarized under the term “shadow IT”, which seems to be one of the major issues accompanying IT consumerization. While shadow IT is inevitably an issue for information security, Bancroft added that these kinds of IT tools also become an issue in terms of IT support: “When Dropbox is too slow or not available, they ring the service desk. ‘This is business critical. I must have my data.’ ‘What do you want to do about it? It's a server somewhere. I don't even know where it is. It might be in California and it might be in Azerbaijan.’ It's a bit like ringing you up and saying, ‘I'm at home and the internet's slow.’ ‘What do you want to do about it? There is no SLA. There is no quality of service. There is nothing.’ So it's, ‘Try again later.
Pretend you didn't know.’”

Increased Threat through IT-Enhanced Products and Services

Enrico Senger, Head IT Strategy & Transformation at Schindler, described that one of the biggest business opportunities for Schindler — the automation of service remote monitoring and remote maintenance — might also lead to higher risk exposure from the external environment. Gary Lawlor, CISO at the adidas Group, added another example for IT threats related to IT-enhanced products: “One of our shoes talks to a base station to tell you exactly how hard you kicked the ball, what angle your foot was at, so there is technology in things that you wouldn’t conceive of. But that data also tells you if an individual, for example, for one of the professional teams, is kicking less hard this month.”

Another workshop participant continued by mentioning that there was a “big discussion on IT security concerning car IT.” On the one hand, there is a demand for innovation by adding new technological features. On the other hand, the companies need to figure out what needs to be protected, e.g. customer data. “We’re trying to cater to everyone, so that's a challenge on various levels.”

Yvon Le Roux, Vice President Cyber Security at Cisco, followed up on this issue by describing the challenges that Cisco is facing: We have to be “very aggressive in terms of proving out [testing] our products. The more we prove out our products, the more we get hacked. There's a direct correlation if they know that we're going in one direction in terms of technology, we get hacked two days later or a day later.” He pointed out that having a strong IT information security organization that is willing to share experiences both formally and informally is one of their major advantages.

External Threats: The State of Play

Moderator Hans Brechbühl asked the group what was different in the external threat environment (rather than internal vulnerabilities) from when the group last met a year ago. Nick Godfrey, Head of EMEA Technology Risk at Goldman Sachs, responded that “there are not necessarily new tools or techniques or even actors.” But he described that attackers “are beginning to understand how to either disrupt the financial market system and core systematic problems and/or where investment banks and other non-retail firms have interesting information.”

Markus Hänsli, Vice Director at the Bundesamt für Informatik und Telekommunikation (BIT) in the Swiss government, indicated that the only difference he sees lately is that the attacks are increasing. “It’s a bit astonishing,” he continued, “that they are not much more sophisticated,” but added that he fears the problems we don’t anticipate because we can’t imagine them, and indicated that, for instance, mobile devices are now a vulnerability and what happens there in the next year is yet to be determined.

Josef Nelissen, CISO of ABB, echoed that while such external threats as advanced persistent threats (APTs) are an issue, these types of attacks are perhaps easier to quantify than the issues emerging from consumerization of IT, mobile devices and the wide distribution and use of data.
Kelcey Tietjen, Information Security Operations Manager at Bechtel Corporation, however relayed the turmoil caused within Bechtel by a very focused APT that Bechtel suffered at the hands of some coordinated Chinese groups. The attack, an extended, prolonged affair, caused Bechtel, after months of planning, to shut down any access to the internet for the company for 72 hours, an extraordinary step in these days of connectivity, and caused a rethinking of Bechtel’s approach to information security and the info sec organization.

Meeting the New Challenges: Deter, Detect, Respond, Remediate

In a presentation to the other participants at the CISO Workshop, Tietjen described the transformation of information security at Bechtel from a security operation center (SOC) comprised of three employees to a SOC encompassing 50 employees that are working just for security operations and incident response. “So we had to move to a new model that's ‘deter, detect, respond, remediate’. And so all of our investment was in detection-response-remediation. We already had a lot of deterrence. We invested a lot more in deterrence. You can't get rid of it, but what we told our board is that we're going to be compromised. It's just how quickly do we get the compromise out of our network.” Figure 1 illustrates the new security model used by the SOC at Bechtel.
Figure 1: Illustration of the new Security Model at Bechtel.

Basically, the new SOC is based on five pillars as the guiding principles:

1. People with documentation and soft skills, who are able to mine and analyze large amounts of data, understand programming and operating systems and who bring tool versatility and creativity.
2. An open, collaborative working environment.
3. The visibility of data and the capability to have a perimeter, no matter where the data is stored (e.g. “Who's opening up the files? Who's editing it through an API call?”).
4. A technology stack including a firewall, full packet capture across the entire world, an application firewall, DNS protection, email blocking and logging of servers and work stations, among others.
5. Key performance indicators (KPIs) that reflect how quickly you are able to protect Bechtel’s data (i.e. time to detection, time to response from detection, time from response to remediation) as well as fast report generation including trends.

According to Tietjen, one of the major improvements of the new SOC is the generation of reports, which help to display the pain points in information security and the areas where new investments in IT are required.

Change in the Information Security Organization

Spurred by the presentation of the new approach implemented by Bechtel, the discussion moved on to the question of how information security needs to be embedded into an organization to meet the new challenges arising in nearly every department of a corporation and respond to the changing environment. Goldman Sachs’ Godfrey gave the example of the Threat Management Center (TMC) they set up during the last 6-12 months. The objective was to build capabilities to read threat indication information and so they hired and trained people to meet this objective. Bancroft gave a related example: Novartis has set up a Security Command Center in Prague for a similar purpose, with lower wages and the ability there for adding headcount being the main reasons for setting up the center in the Czech Republic.

Adidas is taking an analogous approach, Lawlor explained. They introduced a Security Event Management Center (SEMC) that consists of two tiers. Tier I is responsible for maintaining and running the infrastructure, whereas tier II is responsible for handling all events globally. Like Novartis, headcount is an issue.

Paola Francescucci, Head of Security Governance in the Group Chief Security Office at UniCredit, indicated that whatever the actual organizational changes, information security needs to be more people-focused: “It was and is important to make people understand, even the common employees, the role of security.” She and her team “started to create a connection to the business in the sense that it is important that also the top management understands the value that security can bring.” They developed a relationship with the corporate investment banking sector in terms of awareness for the management of data information as well as the policies in place.

John Holland described how the organization of information security changed at Credit Suisse: “So traditionally, IT risk used to sit in our CIO organization, and we made an organizational change a year ago now moving that into our chief risk officer's area, so completely out of IT. I think that was done for a number of different reasons, but I think one of them was segregation of duties and recognizing that IT is not the only owner of technology in the firm.” The positive side of this change was that the IT risk department got closer to the business, Holland elaborated. The negative side is that they still needed to influence IT spend, which was and is a challenge to do from outside IT.

So Where Should the Information Security Function be Placed?
Novartis’ Bancroft followed up on Holland’s example by explaining why — in contrast to Credit Suisse — information security is not a part of enterprise risk management at Novartis. He stated that IT risk is considered a small part of enterprise risk, which is why it still resides under IT. Additionally, “we don't have a chief risk officer, and in financial institutions, at least from my limited knowledge of them, the chief risk officer has really quite a lot of power.” Instead, Bancroft has a direct reporting line to the chairman, not the CEO, “because the CEO is considered commercial and the chairman's considered advisory.”

Ton Diemont, CISO at ING Group & Bank, responded that he wants to help management understand that they should not only focus on the commercial perspective, but that they are also responsible for changes in the applications and infrastructure to a certain extent, thus for the whole value chain: “We really separate the security operations and whether you call that IT security or whatever from the risk management parts, the CISO is within the risk management part, but still has a strong functional line into IT security, into security architecture, into the CSIRT, which we do together with the guys who are doing forensics as well, so that's a joint effort. But, basically, what we want to do is to make the business side more aware of their value chains.”
Whatever the structure, participants agreed that it is important to keep information security connected with the other departments, which are dealing with risk issues. Francescucci posed the question to the group whether they have “clarity and a very precise model in terms of information security which is a wider concept.” She described that UniCredit SP, which is a holding company, has policies which build the basis for ICT security policies. On the other side, there is UniCredit Business Integrated Solutions (UBIS) which is “the global factory, at a group level for procurement, real estate, back office and ICT” and which includes ICT security. Francescucci added that one of the next steps is thinking about the creation of a wider concept and structure of information security at the holding level.

Kah-Kin Ho, Head of Cyber Security Business Development at Cisco, stated that at Cisco, information security is parked under the Corporate Security Program Office (CSPO), but also has a dotted line to IT since they still need to operate within the IT operating framework. He further argued that it is useful to pull information security out of IT, because Cisco is trying to link together the department of physical security, which is also located under CSPO, and information security in order to find threats: “So for example, if someone logs in from our Tokyo office in Japan, and two minutes later this same guy is being badged into a building in San Jose…so you have to have that link for you to better detect threats.”

Of the corporate entities present, nine information security risk organizations reported primarily to IT and five reported outside IT, with the latter consisting of the banks with the notable exception of Cisco Systems. The group concluded that there was no one-size-fits-all solution. However, companies can ask themselves four important questions regarding the best placement:

1. Where do you get the best support?
2. Who understands what you do / need to do?
3. Where can you best build relationships and have a supporting structure?
4. Where can you keep some level of independence?
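Ho's example above, a Tokyo login followed two minutes later by a badge-in in San Jose, is an impossible-travel check that only works when the IT login log and the physical access log are joined. The Python example below is an added illustration, not Cisco's implementation; the log line format, site names and coordinates, sample events and both thresholds are assumptions constructed for the example.

```python
"""Flag "impossible travel" between IT login events and physical badge reads."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed site table (approximate coordinates); a real deployment would
# load this from the facilities inventory.
SITES = {
    "TOKYO-OFFICE": (35.68, 139.77),
    "SANJOSE-BLDG-10": (37.41, -121.93),
    "SANJOSE-BLDG-12": (37.41, -121.94),
}
MAX_SPEED_KMH = 1000.0  # assumption: above airliner speed is not one person
MIN_DISTANCE_KM = 50.0  # assumption: ignore moves within one campus or city

# Constructed sample lines: "<ISO-8601 time with UTC offset> <source> <user> <site>"
SAMPLE = [
    "2024-03-05T09:00:00+09:00 login alice TOKYO-OFFICE",
    "2024-03-04T16:02:00-08:00 badge alice SANJOSE-BLDG-10",  # 2 minutes later in UTC
    "2024-03-04T16:05:00-08:00 badge alice SANJOSE-BLDG-12",  # next building, plausible
    "2024-03-04T08:00:00-08:00 login bob SANJOSE-BLDG-10",
    "2024-03-05T15:00:00+09:00 badge bob TOKYO-OFFICE",       # 14 hours later, a flight
    "2024-03-05T10:00:00+09:00 login carol VPN-REMOTE",       # no physical location
]


@dataclass(frozen=True)
class Event:
    user: str
    when: datetime  # always normalized to UTC
    site: str
    source: str     # "login" (IT log) or "badge" (physical access log)


@dataclass(frozen=True)
class Alert:
    user: str
    first: Event
    second: Event
    distance_km: float
    minutes_apart: float


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_line(line):
    """Parse one log line; return None when the site has no known location."""
    ts, source, user, site = line.split()
    when = datetime.fromisoformat(ts)
    if when.tzinfo is None:
        # Local wall-clock times from two continents cannot be compared safely.
        raise ValueError(f"timestamp without UTC offset: {ts}")
    if site not in SITES:
        return None
    return Event(user.lower(), when.astimezone(timezone.utc), site, source)


def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Alert on consecutive events of one user that imply an impossible speed."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: (e.user, e.when))
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if prev.user != cur.user:
            continue
        dist = haversine_km(SITES[prev.site], SITES[cur.site])
        if dist < MIN_DISTANCE_KM:
            continue
        seconds = (cur.when - prev.when).total_seconds()
        # Zero elapsed time over a long distance is the extreme case: always alert.
        if seconds == 0 or dist / (seconds / 3600) > max_speed_kmh:
            alerts.append(Alert(cur.user, prev, cur, round(dist, 1), seconds / 60))
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE):
        print(f"{a.user}: {a.first.source}@{a.first.site} -> {a.second.source}@"
              f"{a.second.site}, {a.distance_km} km in {a.minutes_apart:.0f} min")
```
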
Holland from Credit Suisse concluded that it depends on the organization and industry. However, the most important criterion of placement is where you are best supported: “The key is where is the quickest way to get to your board, because that's where you know you're going to get your influencing ability.”

Bancroft pointed out the importance of being met with a certain level of understanding: “So CIOs don't always understand the security world, though one hopes they are at least vaguely interested in technology. But if you have to explain what a DDOS attack is to the board, let’s say, that is not a five-minute conversation. They don't know the concept. They don't get it, and trying to educate them is just not viable in the time you’ve got.”

Lawlor from adidas, who reports to the CIO, emphasized the relationship network: “Even if you're not directly supported from where you sit, if you can inspire out into the network and have that proper support from the audit, from data protection, from legal, you can build your own support structure to ensure that you have the influence that's required to do what you need to do.”
Information Security Organization and Governance Hilti’s Gourinchas added an emphasis on independence: “I’m not even reporting directly to the CIO. That's also kind of depending where I am with the rest of my duties. What's important for me is that at least we must be sure that we can keep this independence in our analysis and the recommendations we make.” To illustrate the importance of independence, Holland shared an experience about engaging with the rest of the business: “The application development teams would almost feel offended [when I worked under IT]: ‘You're reaching out to my business clients. They're mine. I worked for those relationships.’ And now out of the CIO [reporting structure] that conversation doesn't happen because we're that independent a function.” Bancroft emphasized that it doesn’t really matter where one is placed as long it operates effectively: “I can't do my job without the IT organization, can’t do it without audit, but I can do it without ERM — they don’t have enough power.” Gourinchas from Hilti was of the opinion that reporting to the CIO makes most sense. With audit he saw a conflict of interest and for ERM, information security was just a “drop in the water.” A third participant as well favored the CIO option, but raised the question of the existence of a chief risk officer: “For those reporting to the CIO: Do they have a CRO, like financials, that they could report into, or is that [the CIO] the only logical conclusion? Certainly, a CRO is an interesting option.” Sibler from Swiss Re did not believe in the IT model: “We are part of operation risk management, and it works. I think the big advantage is we also have the close link to business risk, so from an information perspective, this makes certainly sense. The focus is not only IT, which also helps to provide some business value to the folks at the business end, being perceived as an enabler in some areas. 
We have a close relationship to audit, but just to help the business get moving.” Boris Otto from the University of St. Gallen concluded that there would not be a one-size-fits-all solution: “In the end it depends on the organization: on the governance model, on the diversification breadth, on the industry, on the size, on the international expose, and so on.”

SOC vs. CSIRT and Separation of Duties

The question of the difference between SOC and CSIRT structures and duties emerged. The group discussed a definition of these terms presented by Bechtel’s Tietjen, which led to the conclusion that a SOC is responsible for the day-to-day operations of security events, whereas a CSIRT rather deals with emergency response, investigation and the development of IT security architectural and engineering solutions. Moreover, they identified that mostly IT skill sets are required, i.e. forensics analysis, network protocol, (malware) reverse engineering, among others. Gary Lawlor added that in practice the adaptation to the specifics of the company is very important. “We tried to align as much as possible in the definition of the SOC, what fits in the CSIRT, but it's different. Every company is slightly different because of the structure, reporting lines, how to fund it, where your influence is coming from. So you need to kind of adapt. The principles are the same, but the actual physical implementation of it can be quite different.”
While discussing the definitions of SOC and CSIRT, the question of how to separate duties emerged. Markus Hänsli started by describing an approach, which is based on two paths for the separation of duties in information security: First, an operational path with automated monitoring and experts in the form of engineering, investigation and APT teams; Second, a path containing the service management of those operational tasks. Kah-Kin Ho continued by describing Cisco’s model of operationalizing the use of intelligence. Within Cisco there are three different categories of intelligence. The first category is called “collaborative intelligence” and contains the work with different agencies like the Department of Homeland Security and the National Security Agency (NSA) as well as information security forums. The second category is called “commercial intelligence”, which consists of Cisco’s internal security intelligence operational unit as well as intelligence bought from vendors. The third category of intelligence contains Cisco’s business unit employees themselves, who discover and report vulnerabilities within their products. Ho’s Cisco colleague, Yvon LeRoux, pointed out that people located all over the world and working for information security is a huge asset for companies, because they know what goes on locally. Bancroft described that Novartis was part of an informal network of people from various industries, who shared security relevant information on the basis of trust. Nick Godfrey added that there was a need for “structured formal communication using machine readable protocols”. He further explained: “So if you are moving a lot of threat intelligence information around and sharing your threat intelligence information around, you can't realistically deal with that manually. Scott said it.
You get e-mails with 200-300-500 IP addresses in all the time, and you can't have teams sit in there and re-buy in that entry system. You need to be able to read it.”

Keeping and Hiring the Right Talent

Referring to intelligence, Hänsli pointed out that “you need guys with an intuition of what is not normal communication. So the value of the team is not in the machine, it’s in the guys you have on the team as they share the knowledge.” “How are you keeping those people?” Holland asked. “That’s the challenge I am having.” “You gotta try and put some form of career path in for them,” Bancroft indicated and continued: “So if you hire a first-level analyst and his outlook for the next ten years is he's gonna come in every day and he's gonna stare at the screen, no one wants to be — to settle for their place in life at a first-level security analyst, but they want to be the second-line analyst. They want to be in your APT or CSIRT or whatever you call a team. They want your job one day.” Tietjen described that their career path was from “SOC to CSIRT”. He further described: “We're also looking at the SOC as kind of like the minor leagues to development team to the kind of pro team, and we've actually moved some people from the SOC into the CSIRT so they could see if there's that career path of moving from our operations center in Glendale. The CSIRT is in San Francisco, so it's kind of also separated, not just moving up.” He added that they try, to the degree possible, to give their employees challenging tasks without restricting them. Cisco’s Ho made two suggestions for how to counteract attrition: “One of the things I try to do is to basically bring our investigation team and the APT team and get them to talk to customers, engage them, proof of concept, and things like that. So that gives them more variety in their job scope. The other thing is you have to look into the tools that you provide them as well because some tools — and this is Cisco’s experience — some of the tools that we had were not flexible enough, didn't empower them to look for stuff, and they want to look for stuff, but the tools that they have in place just didn't allow them to do so.” While the discussion first focused on keeping talented people in the company, it evolved to the question of how to hire the right talent. Many new skill sets and talents that had not been needed in the past are required in information security and risk organizations. Examples of new skills are: modeling and analysis skills, cyber forensic skills, security skills, business process understanding, or communication skills. More diverse backgrounds, not just technical, are also an asset.
Tuck’s Brechbühl recalled a conversation with a senior executive of a Bulgarian bank: “For instance, forensic talent is needed more, he is hiring people with police-type talents, investigative-type talents into his information security organization that nobody would have thought or seen a need for five years ago.” “Business process understanding” is another important skill, as Swiss Re’s Sibler pointed out: “You certainly need a person that has a clear understanding about business, and is able to explain in layman terms to the business what the risk is.” Bancroft added that communication skills are increasingly important: “In today's world of bring your own everything and consumerization of IT, the end user is at least a little bit smarter than they were a few years ago and you spend much more time to explain to them in much more detail than perhaps you used to have to. Now both verbal and written has become more important than it was a couple of years ago.” In addition, Markus Hänsli from the Swiss Confederation emphasized the importance of “interhuman communication” as opposed to “inter-machine communication.” Bechtel’s Tietjen described how in his team they had “people who were prison guard to PhDs in computer science.” He emphasized that though they all had varying skill sets; they all had the same mindset of being an analytical thinker. Finally, Cisco’s Ho shared an example from Swissgrid: “They actually have a senior security advisor whose background has got nothing to do with security. He can probably spot things that people who are very focused on security may not be able to see because we look at it every day.”
The Importance of Building Leadership Skills for the Team

While the discussion yielded the importance of a very diverse skill set for people in information security, it also highlighted the importance of an effective leadership team. There are several ways of building a robust leadership team that can influence not just information security or information risk, but go beyond that. Key factors are integration with the rest of IT, skills outside the narrow traditional definition of information security, and more diverse backgrounds. Bechtel’s Tietjen emphasized the importance of getting the team integrated with the rest of IT and the whole company and showing the benefits not only for security, but also for operational excellence in the rest of IT. Novartis’ Bancroft focused on one-to-one coaching and educating his people for the skills they might need in 5 years, outside the information security business: “My techies hate me 'cause I make them go on negotiation skill courses and time management. The non-techie stuff. So they want to go to somewhere that begins with Microsoft and ends with tech ed. And I send them to someplace where they sit in a classroom for three days and learn to negotiate.” Lawlor likewise was convinced that skills outside the core information security business are very important. His team members at Adidas have to go through several three-day off-site leadership seminars: “Huge to me, is understanding the business. If we do not integrate ourselves with the business, we will never be successful. We need to understand what they want and how to provide it to them from a marketing perspective, sales perspective, consumer perspective. It all has to be understood. So we're teaching them those skills. For some of them, there are a lot of ah-ha moments. Guys that had never taken a course like this.
They've always been security.” For Cisco’s Ho, soft skills were very important: “I think part of being a security leader is not just being seen internally that this guy is really good with security. I think you have to push people out to forums and basically get them to present their ideas and best practices.” Additionally, Holland from Credit Suisse underlined team diversity. “So in some cases, I don't want an information security professional. I want an application developer. I want an infrastructure expert. And I may bring them into my team. I don't care they may not have a CISM or a CISSP because I want that expertise and background, that's blended with I need clearly a team of info sec professionals.” UniCredit’s Francescucci agreed, highlighting the importance of bringing in people who can see the bigger picture and have different experiences and competencies. Diverse backgrounds and soft skills were also seen as very important to better sell or market their own function within the organization. With this in mind, several CISOs mentioned having hired someone with marketing skills recently to help with communications from the information security organization to other areas of the company. Valentin Simic explained Swarovski’s lateral leadership training: “This is what I think is hugely important for my guys to be able to influence others and to strongly mention to sell information security at appropriate times to VPs and to certain other senior-level persons.”
As a concluding remark, Bancroft pointed out that not everyone wants to be a leader: “They say: ‘I want to be a techie. Leave me in the basement with the servers. Don't put me in front of people.’ And you need some of those people. Not everybody wants to be the CEO.”

Effective Information Security

While discussing the importance of good leadership and the ability to “sell” the topic throughout the corporation, the discussion broadened and reached a point where the general question of “what is effective information security?” emerged. This led to a discussion about key performance indicators for information security. During this very lively discussion, several measurements were mentioned, which are listed in the following:

General measurements
• Virus incidents
• Security incidents
• Cost of loss
• Compliance / audit (PCI) statistics
• Risk register statistics
• Secure development lifecycle times

Measuring the information security organization
• Number of security events
• Number of targeted events
• Time to detection
• Time to response
• Time to remediation

Measuring business unit
• Local infection rate
• Click rate of test phishing
• Account/password exposure

Input indicator
• Level of DDoS maturity (3tier included)

Output indicators
• Disruption because of DDoS
• Number of data breach incidents (public)
• Testing of disaster recovery maturity
• Budget for information security
• Number of new, high critical findings in audits
• Number of Vulnerabilities
• Certification level of security managers
• GAP to minimum SAP security baseline
• COBIT Self-Assessment
Credit Suisse’s Holland advanced on the issue: “A very interesting KPI was the cost of the loss and building that into some of the reporting and metrics that goes out to justify why you’re doing what you’re doing.” Regarding compliance, Holland elaborated: “For PCI reasons there are actually metrics that you have to produce and have to present, so you can't choose them as they're dictated by your PCI compliance. They are prescriptive.” He further discussed the risk register statistics: “We have all this data we gathered from risk assessments and other activities, and mining. Perhaps some of those metrics and KPIs could be used. We do have risk assessments, but we have to be reaccepted annually. And that gets reported to senior management and the executives.” Clarifying the secure development lifecycle KPI, Holland raised some questions to ask in this regard: “Is IT complying with cycle? Are they meeting these requirements? What's that measurement on an ongoing basis?” Finally, “Looking at security trends and themes, important information to share with your executives via newsletters,” Holland concluded, “but not technically a KPI, more generally sort of showing how the game is changing.” Swarovski’s Simic gave an example of the KPI they call local infection rate: “It's a key performance indicator for the local management because we are highly distributed and we recognize that the more away they are from headquarters, the less they care about security and the more virus infections we saw. So we installed something measuring the number of detected viruses divided — compared to the number of pieces in this location. And this ended up in a list that no one wanted to be on the first place.” Swiss Re’s Sibler added a comment about the budget for information security: “I believe six percent [of IT spending] is the Gartner benchmark, right? I don’t know exactly.
And we said this is measuring the effectiveness of the information security.” Hans Brechbühl agreed on the use of the budget as a benchmark, but did not agree that it works as a key performance indicator: “Should that be a high number or a low number? Is seven percent better than six percent, or is it worse than six percent? I don’t think it says anything about performance.” Tietjen shared his point of view on the budget KPI: “For us, we base our cost of off IT costs, which I go off of how much we're costing revenue. So like work off hours as we call it, so the more work — the more money we're charging to revenue per person, then that's so we have to kind of make sure that security is somewhere within the IT spend and so we don't base it off of budget, it’s how much we cost.” ING’s Diemont tried to see it from another perspective: “It's not about whether seven or five percent is better — it's more about putting a stake in the ground. When we did that the first time, and we were calculating these on the three percent and really look at let's say all the incidents, all the losses we have, this at least gave us additional [ammunition]. People were still saying, ‘Well, security, we spent a lot of money on this. Hey, guys, we're spending only three percent. The average of the companies is just been six percent.’ So it's not a let's say hard rock science whether you're good or bad. At least it's a stake in the ground.”
Novartis’ Bancroft concluded “I go and see the boss and say I need another $5 million to do this. And they say, ‘Oh, we're spending too much on that.’ Normally six percent and this is fine. But I don’t report on a regular basis — I drag it out [as a supporting figure] when I need some more money, basically.”

Aligning Information Security KPIs with Business KPIs

As the discussion already highlighted, the connection between information security and the business is very important. Therefore, another important factor when using KPIs is the alignment of the metrics with the general performance measurement system. Diemont explained how ING aggregates all the different metrics they have for information security within one final KPI: “We have a kind of enterprise risk management system in which we put in all the assessments of the controls: effectiveness, maturity, instance, losses, audit findings. So you bring them all together and that produces a kind of metric at the end which determines the level of off IT risk. In the beginning of the year the targets are determined, also based on the previous year. And at the end I'm the guy who needs to determine whether or not they have met that target and their incentive will be calculated accordingly. It’s a very strong stake in the ground.” Bancroft compared the KPI report to SLAs (service level agreements) and pointed out what was important for him: “The KPI report should be a way to drive behavior of other people.” Holland provided details about another topic — the audiences where some of this data can be used: “A lot of it is probably more regular base reporting that is done. But we saw examples across the different organizations about where they're leveraging it either in aggregated form, rolling it up to various executive committees, risk and audit committees.
I think a bit of a combination from people presenting it in person versus it being in just reports that go up to these committees.” But is reporting really necessary? Bancroft gave an example that challenged this assumption: “I used to have to produce a vulnerability report, and one month I deliberately added a million extra vulnerabilities in it, and there was a huge spike in the chart. No one noticed. No one asked because no one was reading it. So I stopped reporting that, and no one noticed. I don't report on things unless they're being used. Just for the numbers sake is just a waste of everybody's time and your e-mail space.”

Information Security Governance Models

While talking about effective information security and related measurements, the discussion shifted toward information security governance. Nick Godfrey from Goldman Sachs started the discussion by outlining five characteristics of effective information security governance:

1. Clear responsibilities at top management
2. Clear accountability down through various layers of management
3. Clear principles, policies and operational practices
4. Regulatory compliance & multi-dimensions of governance
5. Timely and effective escalation of incidents

Clear responsibility and accountability of the top management is important because that is where accountability lies for the effective running of the firm and the operational risks and also where the regulators expect to see the responsibility. Godfrey clarified: “With top management, we think about the board of directors, ultimately. But then you have to ask: What do they need to know and how? How much information is enough? The question is how much your CEO actually understands this stuff.” Regarding clear principles, policies and practices, Godfrey added: “The governance model should extend from the top all the way down to the individual employee.” About the consequences of regulatory compliance Godfrey elaborated: “One thing the compliance does generally bring in many companies is that the governance structure becomes quite complex and multi-dimensional. You might have multiple governance structures (country, business) to satisfy the requirements the regulator will have in different jurisdiction.” Godfrey added to the fifth characteristic: “It is not just about committee reporting in a staged and structured fashion. It is also about the timely and effective escalation of incidents and the raising of issues and making it work.” In addition to the five characteristics, three different layers and structures of the committees and parts of the organization were identified. Godfrey illustrated: “First, most firms are doing something on an annual basis on the level of the board of directors. This is kind of what regulators and governments seem to be expecting.” Godfrey went on: “And then second, underneath that, it seems as though a lot of information security technology risks all roll up into what might be framed as operational risks.
Therefore, more detailed committees and structures build the second level. This operational risk committee does periodic reporting (monthly or quarterly) and instant escalation.” Godfrey concluded with discussing the way of defining responsibilities, processes and oversight: “You would probably have to start getting into the definition of key assets and critical information. Firms can classify information and they can absolutely apply controls in the right ways when they need to. We see it through personal data, so PCI, they have protection legislation, and everything generally drives a fair degree of data classification on that specific subset of data, and we apply controls and we manage it accordingly.” Paola Francescucci from UniCredit highlighted the importance of power and the right positioning of CISO functions and roles: “An important thought is exercising the right power in terms of requiring and requesting from peers the needed contribution and collaboration in order to make things happen because power is not only for your own sake, but it's also to make things happen, and to create value within the company.” Hänsli emphasized the importance and use of power. “Sometimes I have security reports where I need the other colleagues to act, either to change processes or to change systems. And then I personally address that. This is different. The point is they need to know that on a high
management level there is attention on the security subject. Otherwise, it doesn't work. So it really needs to have the power and it needs to use the power.” Ten of the participants had an information security board in place. All of them had top management on the board and in eight out of the ten security boards more than 50 percent of the people were from outside of IT. Diemont added to the discussion that ING has a slightly different approach, which includes two committees, one that deals with the CIOs and another one with the business executives.

National Security and Governmental Interaction

While the discussion was more focused on company-level issues, questions relating to the macro-level also started to emerge. It was concluded that the area of national security level and the collaboration of the private sector with governments is more and more sensitive and of growing importance. Progress can be observed; however, it is still not in good shape. The biggest challenges are governments acting too passively and the differences between countries. Related to these issues, the impact of cybercrime cannot be neglected anymore, as Cisco’s Yvon Le Roux illustrated: “Two statistics that we got recently from the impact of cybercrime on two nations: Contribution of ICT in the UK to the GDP is four percent. That is negated three percent by cybercrime, plus unknown, which is espionage, which means it is a zero-sum game. Same statistic for the Netherlands was plus four, minus two.” Governments are realizing this impact and starting to work together with companies.
Diemont pointed out: “We now have a gathering with the ministry of justice and finance and all the CIOs of the banks and the Dutch Banking Association, and they agreed that we would appoint a banking liaison function.” Despite the increase in collaboration and exchange of expertise, Diemont was under the impression that regulators are behind and not proactive enough. This perception that governments are reacting too slowly was confirmed by Tietjen: “A perfect example is at Los Alamos when we were attacked when I worked there. We reported the incident, and it took them seven days to report out to everybody else. Within these seven days, two labs had to shut down...” Moreover, this issue is even more complex in the EU, as the biggest problem is differences between countries, as Bancroft emphasized: “The EU data protection directive which is the same stuff everywhere. It's just interpreted entirely differently between countries. It's the same legislation, but it's not the same in Germany as in France as it is in the UK. They're all different. We just interpret it how we feel we would for our national culture.” Tuck’s Brechbühl agreed, adding: “Security clearance is a much bigger issue in Europe than it is in the US, or, say, in China, because you have such a big territory under more unified clearance system.”
Participant List
Information Security Organization and Governance
An Executive Workshop for European CISOs
1–2 July 2013

Scott Bancroft
Group CISO Novartis International AG
Hans Brechbühl
Executive Director Center for Digital Strategies Tuck School of Business, Dartmouth College
Ton Diemont
CISO ING Group & Bank
Paola Francescucci
Member of the Group Chief Security Office UniCredit
Nick Godfrey
Head of EMEA Technology Risk Goldman Sachs
Olivier Gourinchas
Head of Market Reach, Service Management and IT Security Hilti
Markus Hänsli
Vice Director Swiss Confederation
Kah-Kin Ho
Head of Cyber Security Business Development Cisco
John Holland
CISO Credit Suisse
Peter Kunz
Manager Infrastructure Security Standards Global Information Security, Information Technology Management Daimler
Gary Lawlor
CISO adidas Group
Yvon Le Roux
VP, Cyber Security Cisco
Amal Mezzour
Global Information Security Officer Holcim
Josef Nelissen
CISO ABB
Boris Otto
Assistant Professor & Head of Competence Center Corporate Data Quality Institute of Information Management University of St. Gallen
John Petersen
IS/IT Security Manager Nestlé
Enrico Senger
Head IT Strategy & Transformation Schindler Informatik AG
Martin Sibler
VP, Risk Management - Information Security Swiss Reinsurance Company Ltd.
Valentin Simic
Corporate Information Security Manager Swarovski
Kelcey Tietjen
Information Security Operations Manager Bechtel Corporation
MBA Program Enrichment

MBA Fellows Program

The Center for Digital Strategies’ MBA Fellows Program provides Tuck students with a unique opportunity to work with affiliated faculty, executives, and research fellows to understand the impact of information technology on the extended enterprise and to study the role of digital strategies in driving competitive advantage.

Through executive interviews, research projects, and case-study development, our MBA fellows examine how companies leverage information technology to transform different aspects of their business, including their corporate strategy, organization, marketing, operations and supply chain, and product development.

By participating in the center’s corporate roundtables and academic seminars, and managing center programs, including Tech@Tuck and Radio Tuck, fellows discover the business challenges managers currently face and the role of technology in responding to those challenges.

The Center for Digital Strategies promotes the development and practice of digital strategies—the use of technology-enabled processes to harness an organization’s unique competencies and support its business strategy. The center introduces its MBA fellows to issues throughout the extended enterprise, including globalization, organizational change, and information security. To learn more about the center’s MBA Fellows Program, visit the center website. www.tuck.dartmouth.edu/digitalstrategies

My CDS fellowship provided a focused learning experience at the intersection of business strategy and technology.
—Pratip Banerji T’05, Consultant, Bain & Company

The center’s events and programs gave me amazing access to senior level executives.
—Julia Kidd T’04, Manager, Corporate Development and Alliances, Sun Microsystems

I had a specific research interest in multichannel retailing. The resources and access of being a CDS fellow helped me take my work to the next level.
—Joseph Newsum T’05, Associate, McKinsey & Company

Writing the case study was huge for me—it led to my job after graduation!
—Kate Thunnissen T’02, Senior Director, Integration Planning, Time Warner Cable

With digital strategies moving so quickly, only by sharing information as well as best practices can people network and find out what works, what has failed, and potential insights.
—Justin Kreter T’03, Brand Manager Creative Play, Hasbro Incorporated
INFORMATION OVERLOAD: CAPITALIZING ON BIG DATA
AN OVERVIEW 2012–13
The Britt Technology Impact Series is an offering of the Center for Digital Strategies at Dartmouth’s Tuck School of Business. It is made possible by a generous donation from Tuck and Dartmouth alumnus Glenn Britt, CEO and Chairman of Time Warner Cable. In giving the gift, Glenn stated: “The role of business people is to understand the possibilities created by new technologies, recognize unmet consumer or business needs they could fulfill, and determine if the new technology and the customer needs can be put together in a business model that makes sense.” The Center for Digital Strategies structures the Britt Series so it highlights relevant aspects of a set of technologies, examines business models and illustrates how consumer and corporate needs are being met. The Britt Series focused on big data for the 2012–13 academic year because the amount of information in the world is growing at an unprecedented pace. This ever-widening flow of data is the byproduct of a digital, networked economy. New types of information and new combinations of data sets are yielding new insights. This “big data” is changing how technology can serve consumers and enterprises. The following summary highlights the unique perspectives offered by Britt Series speakers who are at the forefront of working with big data and, as such, in developing new ways to examine and interact with our world.
Thinking Big About Big Data

The 2012–13 Britt Technology Impact Series examined the explosion of information emanating from our digital world. This phenomenon is often referred to as “big data.” This is the idea that the amount of raw information is stretching beyond our ability to manage it and make use of it. The technology that underpins modern society — from smartphones to social platforms to supply-chain networks — is driving an unparalleled increase in data. SAP AG explains it this way: From the start of recorded time until 2003, humans created 5 exabytes (or 5 billion gigabytes) of data. By 2011, humanity created that much data in two days. In 2013, it takes only 10 minutes to generate 5 exabytes. This rapid growth demonstrates new tools are needed to capture, analyze and use huge sets of data. The executives who convened for the Britt Series revealed myriad ways in which big data is changing everything from how marketers reach consumers to how political organizations canvass voters to how automakers design cars. The discussion around big data begins with a simple question: How big is big data? There is, of course, more than one answer. One constant is that the perimeter of the big data universe is
– Cisco Systems
in a perpetual state of expansion. A deeper understanding comes from knowing what produces big data. Consider that YouTube users upload 72 hours of video every minute; Wal-Mart handles more than 1 million customer transactions per hour; Facebook users click “like” more than 3 billion times per day. Machines talk to other machines. Each of these actions produces a digital footprint that is, at its simplest, data. Analysts predict data will grow by at least 40 percent annually in the coming years. Executives gathered for the Britt Series offered their own definitions of big data: • At the insurer Aetna, big data means handling 500 million to 600 million claims per year while maintaining an error rate of less than one half of one percent. • For the consumer-data company Buxton, big data comes from the 7,500 data points it holds on the average U.S. consumer. • At Ford, 74 sensors, 70 onboard computers and more than 130 motors in the automaker’s plug-in hybrids generate big data. Some vehicles produce 25 gigabytes of data per hour. • At Rentrak, a provider of entertainment metrics, big data comes from tracking what people watch on TV in more than 100 million households and on 85,000 movie screens around the world. It works out to more than 7 billion transactions every day.
Patrick Pichette, SVP and CFO at Google Inc., believes enterprises and consumers are only at the beginning of understanding what big data will unleash.
It’s clear big data is big. But big data is about more than scale. Researchers often define big data as having three Vs: volume, variety and velocity. Volume is the amount of information. Variety refers to the many types of data from videos to social media posts to GPS coordinates. This so-called unstructured data can be more unwieldy than rows on a spreadsheet. Velocity refers to how quickly information from text messages to stock prices is generated and begins to pile up. Consumers are leading the growth in big data by using more technology. By 2016, there are expected to be 1 billion people using smartphones and tablets and more than 25 billion devices connected to the internet.
Patrick Pichette, SVP and CFO at Google Inc., told a Britt Series audience that enterprises and consumers are only at the beginning of understanding what big data will unleash. “We’re really in early innings.” He noted only about 2 billion people have a cell phone. “There are another 5 billion that will show up with different economics, but there are 5 billion of them and they want a better life and they want better tools and they want amazing things and the real question is somebody is going to give it to them. Who is it going to be?”
The Big Deal Around Analytics
The Britt Series speakers agreed that as remarkable as the amount of information is, the more amazing aspect of the big data story is what it can enable. “It’s not the capture of big data. It’s the execution of big data,” said Tom Buxton, chairman of his eponymous company. He and other Britt participants argued big data will not only reshuffle the competitive landscape for enterprises but also allow companies to offer personalized service for customers on a scale not possible in the past. Ruben Sigala, SVP of enterprise analytics at Caesars Entertainment Corp., said the exponential growth in data can let companies assemble far more meaningful analyses. “There are a number of ways that if leveraged well you could substantially change the way that you run your business,” he said. “You can learn so much more quickly.” Sigala and other speakers predicted enterprises that fail to pursue the high-definition picture that big data can render are likely to falter. “As we think about winners and losers in the future, the ability to integrate analytics in a meaningful way into the operations, I think, will be a telltale distinction amongst companies,” Sigala said. John Ginder, manager of systems analytics and environmental sciences at Ford Motor Company, said more information can sharpen decision-making. “For us it’s around the analysis: Are we going to inform better decisions, quicker decisions?” he said. “We’d like to use big data to serve our customers better. That’s really the ultimate goal.” Part of that improved service can come from generating deeper insights. “It’s about turning data into intelligence,” noted Chris Kelly, former chief privacy officer at Facebook Inc. One area where big data can flex its muscle is in taking information, both new and historical, to make informed projections. So-called predictive analytics is aimed at helping enterprises, and even consumers, answer difficult questions based on mountains of information. Mike Gualtieri, a principal analyst at Forrester Research Inc., said while predictive analytics is not new, big data is making it possible to generate more accurate predictions. “Big data reinvigorates this because great predictive models depend on great data,” he stated. Such models might take the form of a decision-tree, for example, illustrating the consequences of a particular action. “This is why it’s not just a buzzword,” Gualtieri said. “People are finding the knowledge in that big data. So it’s not just about storing; it’s not just about its massive size. It’s about mining that data to create knowledge that you can use to outcompete.” Most industries would benefit from faster analysis, Britt Series participants agreed. “You can’t just go in a room and come up with some hypothesis and some predictive model that you can just then deploy for 18 months or even a year. You have to continually retrain that model for all of the changes that are occurring in the marketplace,” Gualtieri said.
Ruben Sigala, SVP of Enterprise Analytics at Caesars Entertainment Corp., contends the exponential growth in data can allow companies to put together more meaningful analyses.
Big Data Revenue by Type in 2012 (in billions of dollars)
Services: $5,042 (44%)
Hardware: $4,304 (37%)
Software: $2,249 (19%)
SOURCE: Wikibon
Winning Big by Getting Better Answers
Examples arose throughout the series of the types of souped-up analytic tools made possible with big data. Simply having the information is not sufficient. “Operationalization of how to use the data is much more important than the fact that it’s out there,” Kelly said. Putting the data to work is critical. Real-time analysis can save companies money, noted David Chemerow D’73 T’75, COO and CFO at Rentrak Corp. When Warner Bros. Entertainment Inc. released an installment in the “Harry Potter” franchise, Rentrak data indicated the movie was such a hit that running further advertising was not necessary. “On Friday afternoon as it opened we called up Warner Brothers and said ‘Guys, stop your TV advertising.’ They said ‘Oh my God, what’s wrong? The movie’s a hit, isn’t it?’ And we said ‘It’s so much of a hit, you’re sold out for the next seven days. Kill your TV ad-spend and bring it back next weekend.’ They saved $20 million by doing this,” Chemerow recounted. Ford’s Ginder explained how the company uses big data to help solve the type of logistical problems that batter any large company with a sprawling operation. Ford buys the molds, stamping dies and other tooling its suppliers use to make Ford parts. This intellectual property is valued in the billions of dollars. One challenge centers on whether to source parts locally for a brisk-selling vehicle such as the Focus. “Do all the North American Focuses get parts from North America? Do all the European Focuses get parts from Europe?” Ginder asked. “Or, do you instead do some global sourcing?” Ford set up an analytics tool to tease out the best answers. “We are using this to help make decisions of outsourcing for these global programs and given the immensity of the data input and the types of decisions that are involved in it, it’s a huge help,” Ginder explained. “It wouldn’t be possible to be done by a human being with a spreadsheet.” Michael Angus T’87, group head of global payment strategy at MasterCard Advisors, the credit card company’s professional services group, said the company uses its enormous storehouse of data to save money. “Done properly you see impacts on fraud rates or impacts on risk default rates where you’re talking multiples,” he said. “You’re talking cutting the fraud rate by a factor of four or cutting the default rate by a factor of two or three with the right application of big data.”
David Chemerow D’73 T’75, COO and CFO at Rentrak, offers examples of how the real-time nature of big data is changing the entertainment business.
At Caesars, the company can intervene in real-time to enhance or perhaps preserve a good relationship with a customer. “We can draw a pretty direct line between a customer service score and how he or she will transact with us on a given trip as well as over a lifetime,” Sigala said. He described how indicators such as a person’s social media activity can help the company determine the customer’s satisfaction. “It gives us an opportunity to interject within trip and outside of trip to preserve or recover from any problems that they may be having.” The company would like to tap into more data on the customer experience. It would be helpful to know, for example, how long a guest had to wait in line at a company property or whether a person bypassed a blackjack table because a dealer wasn’t present. “There are technologies now that start to enable that and, for us, the more properties you visit within our footprint, that’s meaningful,” Sigala said. He expects it will become “increasingly important” to monitor lines and the service experience. “I think we’ve got a pretty clear roadmap as to how we’re going to get after it, but it still is early days.” Sudev Balakrishnan T’07, director of e-commerce and product management at high-end fashion retailer Bluefly.com, said the company is able to use data to make faster decisions that can influence shoppers. “This kind of analysis is going to be required in the industry,” he said. Using traditional methods of data crunching, the company is able to identify “when a customer is in flux about a cycle or two cycles in advance of that behavior becoming permanent. So, that gives you basically one shot at persuading that customer one way or the other. Now, with advances in sort of the granularity of the data that we have and leveraging the networks that we have, we think we can extend that by three or four more cycles,” Balakrishnan said. He underscored that such an improvement could lead to a tremendous
change in revenue and therefore for the company’s profitability. “That’s why I think there is a legitimate urgency around getting this right. Because ultimately winners and losers may very well be judged on how they function in this space.” A range of industries have deployed big data analytics. Oil companies untether huge amounts of data to help detect deposits of natural resources. Other companies are increasing the level of detail they have in supply-chain data. Some manufacturers have used big data tools to monitor moving parts in a factory for vibrations. Such gyrations can signal a part is nearing the end of its lifecycle and could need to be replaced. Swapping out parts too early is costly but so is waiting until a breakdown because such events can idle a plant.
Sudev Balakrishnan T’07, director of e-commerce and product management at Bluefly.com, says insights from data require a strong hypothesis.
Big data tools are muscling into areas outside the business world. With the backdrop of the 2012 U.S. presidential election, the series explored the role of big data in politics. “What I have seen big data be able to do is tell campaigns when a poll might not be entirely illustrative of the situation that they’re in,” said Nate Murphy, election center manager at NationBuilder. The company offers a software platform for organizing communities and makes available public voting records. Murphy noted the 2008 Hillary Clinton campaign achieved what it believed was a sufficient number of voters to win the Iowa Caucus. He noted the Barack Obama campaign turned to big data technology to reveal a more detailed analysis of the field. “The Obama campaign did a great job with big data to track the independents or Republicans that they were bringing to the polls for the first time.” What followed was a record turnout. “The only campaign that predicted that was the Obama campaign because they were doing great
modeling and metrics about who they were actually building relationships with and what sort of contacts they were bringing in. So, I think the real advantage to big data is it allows you to all of a sudden have these new types of metrics and more accurate tracking of what your actual field operation is doing.”
What Could Be Analyzed vs. What Is Analyzed (percentage of digital universe totaling 2.8 zettabytes in 2012)
Useful if tagged & analyzed: 23%
Tagged: 3%
Analyzed: 0.5%
SOURCE: IDC/EMC Corp.
Engaging in Some Big Experiments
Big data lets companies experiment in ways not possible only a few years ago. Simple examples belie the complexity of the data crunching some enterprises are doing. The grocery chain Safeway has been testing ways to better serve customers. An employee alerted to the presence of a repeat customer entering the store might offer her a cup of coffee based on her purchase history. The employee also might hand her a coupon for flowers because models predict she might be likely to make this type of first-time purchase. Philip DeGisi T’09 is director of marketing at pet-products retailer Wag.com, a division of Amazon.com’s Quidsi Inc. He underscored the importance of tinkering with promotions to boost conversions in a business selling consumable goods. “Where it’s pretty repeat-oriented, a fraction — a couple basis-points change in our repeat rate can really move the needle in the lifetime value,” he said. “How efficiently we convert the customer becomes that much better. So, there’s huge upside across all the elements of the business.” Angus said MasterCard Advisors is working to understand how massive amounts of purchase data can be combined with other information.
Philip DeGisi T’09, director of marketing at Wag.com, a division of Amazon.com’s Quidsi Inc., says analytic insights can allow companies to boost sales through more effective promotions.
On its own, much of the information is of little value. He noted risk bureaus might track different risk behaviors that can be married with purchase data. “We’re struggling with what data will add value when combined with our data,” he said. “We learned early on that even the huge amount of data we have by ourselves can be a lot more valuable when we marry it up with other stuff.” Designing appropriate experiments involving consumers can be difficult. “A lot of where we think about testing-control that can get a little sticky is recognizing the inherent volatility of our customer behavior and then designing experiments that contemplate that volatility and in an accurate way. And that’s why this partnership between the analytics and the operations is absolutely essential,” noted Caesars’ Sigala. Balakrishnan believes it is important to define the objective and parameters of an experiment. “Data is only, I think, as good as the hypothesis that you start with and you try to see that data supports it.”
Getting Personal in a Big Way
For consumers, big data might begin to show itself through the level of personalized interaction they are able to have with technology. Gadgets can act more like human assistants by anticipating needs rather than reacting to cumbersome programming. Gualtieri offered a personal anecdote concerning the purchase of a new smartphone. As with his old phone, he began to carry it with him on the bus he took to work. After two weeks, without prompting, the new phone displayed his bus schedule. The device learned Gualtieri’s schedule and offered up information to assist him. “The company’s relationship with a customer is more that of a butler,” Gualtieri said. “Your relationship is standing by the side, kind of knowing what that customer’s going to need and giving it to them at the right time and the right place.” Big data and mobility make this type of relationship possible. “You have more access to information on that smartphone than the president of the United States had 15 years ago.” For enterprises, establishing a butler-style relationship with consumers requires tailoring services to fit a person’s interests and needs. Buxton explained this process can involve “microtargeting” — understanding what motivates an individual or what one’s propensity to do something might be. If the “butler” fails in a task, the results can be damaging because the consumer has grown to rely on the enhanced level of utility provided by a good or service. “People get used to good results very fast,” noted Bluefly’s Balakrishnan. “If there is any loss of the … quality of service they complain on their iPhone right there, immediately.”
Andy Palmer T’84, founder of Koa Lab, a start-up club, explores how the consumer internet is setting expectations for what analytics can and should be.
Growth Forecast for Data (exabytes per month; 23% CAGR 2012–2017). A single exabyte equals 1 billion gigabytes.
2012: 44 EB
2013: 56 EB
2014: 69 EB
2015: 84 EB
2016: 101 EB
2017: 121 EB
SOURCE: Cisco VNI, 2013
The push to create more personalized experiences is in part because consumers have “choice and voice.” There are more products and services available to consumers and because of social media and other outlets, consumers have a louder microphone from which to complain about poor service or to commend good service. “This choice and voice is putting more pressure on companies to create better customer experiences,” Gualtieri said. “To provide better customer experiences, they have to make it personal.” This goes beyond the former iteration of personalization in which a consumer might be able to control insignificant factors such as the font size or color in an app. “When we talk about making it personal, we’re really talking about a personalized experience,” Gualtieri explained. He pointed to technology such as the Fitbit Flex wristband that collects information about how many steps a user takes, how many calories he burns and how well he sleeps. “That data can be used to make personal
decisions and make you offers,” Gualtieri noted. The march toward ever more personalized interactions via technology is also changing inner workings of enterprises. Serial entrepreneur Andy Palmer T’94, founder of Koa Lab, a start-up club, remarked the consumer internet is setting expectations for what analytics can and should be. “Many people have this experience where they walk into their … office and go to do some work and they’re hit in the face with these antiquated and completely inadequate information systems relative to what they get at home on the web every single day,” he said.
Big Questions Around Health Care
Perhaps no area requires as much personalization as health care. The topic of health care arose throughout the Britt Series as participants, students and faculty alike probed how amassing a greater amount of real-time information might remake health care in the U.S. and beyond. Robert Mead, SVP of marketing, product and communications at Aetna Inc., said the company is developing apps and other tools aimed at helping patients better track their health care data. “You’ve seen people go into doctors’ offices with shoeboxes full of files,” he said. “If they’re a caregiver they go with their elderly parent — they take two boxes full of prescriptions to sort out. What’s she on? What’s she taking? And is this right? And I think anybody who has an elderly parent has been through that where you’ve had to go to their medicine cabinet and you look up and you say ‘Oh my God. Are they really taking all these things? Are they taken at the right time?’ “And it’s really about this thing,” Mead said, holding his smartphone before the audience. “It’s really about … the mobility and convenience of that information and that support and that advice and that help that really gets people engaged.” Michael Palmer, head of innovation at Aetna, discussed the types of companies the insurer has acquired to allow the company to offer more personalized care for patients. “What we hope
to do with this kind of big data analysis with these companies is to allow them to put really personalized intervention programs in for the individuals in the population. And as we are able to aggregate all this data and all these data points we think this is going to drive a higher engagement of the population in their own health,” he said. Koa Labs’ Palmer sees health care as offering enormous challenges around big data. He said simple questions such as how many patients a facility has or whose conditions are most acute can prove vexing. More intricate questions are all that much more complicated: “How many of the patients in the hospital today have been readmitted? What percentage of those have been readmitted for things that we could have avoided in some way?” Palmer and others noted hospitals are now using big data to run deeper analytic models and determine how to avoid having to readmit patients. “We need radically better outcomes,” Koa Labs’ Palmer added. “And much, much greater efficiency. We are not going to incrementalize our way in the health care system to the kinds of improvements and changes that we need. We need radical things and I believe one of the only ways to get there is to make these metrics, this information sort of generally accessible that shows people how inefficient and how poor we are at managing our own health and our own healthcare system.” He envisions real-time information-gathering as being central to how to improve health care in the U.S. “You walk into an ER [and] your medical record should show up immediately,” Palmer said. From there, doctors and other health care providers would have a jumpstart on beginning to diagnose and treat problems.

Big Data Revenue in 2012 (in millions of dollars)

| Company | Big data revenue | Total revenue | Big data revenue as pct of total revenue | Pct of big data revenue from hardware | Pct of big data revenue from software | Pct of big data revenue from services |
|---|---|---|---|---|---|---|
| IBM | $1,306 | $103,930 | 1% | 19% | 31% | 50% |
| HP | $664 | $119,895 | 1% | 34% | 29% | 38% |
| Teradata | $435 | $2,665 | 16% | 31% | 28% | 41% |
| Dell | $425 | $59,878 | 1% | 83% | 0% | 17% |
| Oracle | $415 | $39,463 | 1% | 25% | 34% | 41% |
| SAP | $368 | $21,707 | 2% | 0% | 67% | 33% |
| EMC | $336 | $23,570 | 1% | 24% | 36% | 39% |
| Cisco Systems | $214 | $47,983 | 0% | 58% | 0% | 42% |
| PwC | $199 | $31,500 | 1% | 0% | 0% | 100% |
| Microsoft | $196 | $71,474 | 0% | 0% | 67% | 33% |

SOURCE: Wikibon
Seeking Big Results From Analytics
Though it’s still evolving, the role of analytics in the enterprise isn’t new. Big data is allowing enterprises to reimagine what’s possible. It’s also nudging corporate cultures to become more centered on data. The shift at Ford has been palpable. “There is a lot of emphasis on data — on making decisions around data and using that data,” Ginder said. “That really has strengthened the role of analytics at Ford.” Koa Labs’ Palmer sees big data as supercharging longstanding functions around analytics within the enterprise. Big data analytics, with its real-time dashboards of business metrics, is eclipsing older terminology such as business intelligence and, from the 1980s, executive information systems. Palmer contends it is still difficult for many enterprises to address simple but important questions. He said executives with whom he speaks often cannot answer questions such as “Who is your most active customer today?” or “Who is giving you the most orders today?” Getting such an answer can be complex. Palmer recalled the response from one frustrated executive: “If I was going to answer that I’d have to go to all these systems and I’d have to ask all these people.” Palmer sees it as critical that answers to such questions be automated so an executive can determine minute-by-minute the most important customer or the cost of inputs such as commodities. Analytics within the enterprise should not be about projects that cost tens of millions of dollars or that produce little-used reports from consultants. “It’s about answering really simple but hard and important questions about your business every day.”
Global Internet Traffic (Actual and Forecast)
1992: 100 GB per day
1997: 100 GB per hour
2002: 100 GB per second
2007: 2,000 GB per second
2012: 12,000 GB per second
2017: 35,000 GB per second
SOURCE: Cisco Systems
A Big Play on Mobile
Mobility is one of the forces that is not only creating mountains of big data but also increasing what data can do for consumers and enterprises. The pace of growth reflects improving technology for handling all of this information. Cloud computing, for example, makes it possible to gather, store and recall large amounts of information on demand. Angus offered examples of how MasterCard Advisors is looking to mobile as one of the forces powering new possibilities, in particular regarding location-based services. “Big data is at the front end. Using mobile is at the very front end and so we think about how it’s connected to payments and, therefore, how it’s connected to offering deals,” he said. “The technologies exist [to identify] the SKU you’re standing in front of … or the store you’re walking by or what’s going on. That’s going to provide a huge amount of data that we can marry in.” MasterCard Advisors’ enterprise clients see mobile and big data as “really powerful ways to get very specific value propositions in front of consumers based on where they are and what they’re doing.” Mobile data is critical in nearly any market. It is accompanying growth of big data in the developing world. “Everything that I see in payments and in data in developing economies somehow equals mobile at some point or other. It’s just the only thing there and everybody’s got one,” Angus said. “It’s the one thing that we see that enables payments and enables data-acquisition in developing economies. It’s really disruptive.” Koa Labs’ Palmer noted mobile data in health care can help fill in important gaps in a patient’s electronic medical record. “The administrators in these [hospital] systems need to recognize the fact that most of the interesting information related to a patient does not exist in their EMR system, it’s going to exist on their cellphone.” Big data and mobile can make a potent mix for enterprises seeking access to well-off consumers. “Mobile, by far, is the data source that has the most potential for changing the way we think about consumers or measure or look at consumer data,” said Alexis Hoopes T’06, director of online merchandising at Nordstrom Inc. “Now every consumer is interacting with a device that is … sending off and receiving data at all times both with you and your store, outside of your store, interacting on different websites. I think there is huge, huge potential there.” Hoopes sees using such information — provided privacy concerns are addressed — as a way to bridge the online experience and the in-store experience.
Big Questions About Privacy
Mike Gualtieri, a principal analyst at Forrester Research Inc., notes by 2016 there are expected to be 1 billion people using smartphones and tablets.
The forces of personalization and mobility also give rise to important discussions around privacy. Forrester’s Gualtieri offered the example of the U.S. Department of Homeland Security, which is examining video of people’s faces to determine their mood or likelihood of certain behaviors. “That’s really big data, because that’s video data,” he said. “There are just enormous ways of using data here to make it personal.” There are, for now, limits to how far enterprises will go to engage consumers on a personal level. Series participants saw shifting lines on privacy as one big obstacle. Hoopes stated Nordstrom doesn’t use video surveillance to monitor customer behavior. However, she sees “huge applications” for such technology. Using video surveillance in stores could allow for some of the experimentation and testing of product offerings that are possible online. Applications might include heat maps or mobile-phone trackers that would reveal how a customer navigates a store, for example. “Having that in-store customer behavior piece and getting the big data elements of that to feed in … could really change some decision-making,” Hoopes said. She cautioned there would be big concerns around privacy so the company would have to ensure those were addressed before pursuing any sort of monitoring beyond what it does to deter fraud and theft and to maintain security. There are other risks to offering customized, personalized services enabled by big data analytics. Hoopes pointed out the better services get, the more customer expectations increase. Even a now-commonplace service like a recommendation engine has
ratcheted up consumer expectations. “You’re searching for something and it is a restaurant and you have no idea how Google just filled in your predictive search,” she said. “That is amazing and exciting the first time it happens. Then you come to believe it and expect that over and over. Now you come to Nordstrom.com and you start typing in our search bar [and] your expectation has changed.”
“Even though we’re all kind of at the beginning
[of using big data] there are external factors and things that we’re interacting with daily that we need to be watching and saying ‘Well, OK, what is the next bar?’ I mean at some point one question is ‘What is the incremental value?’ and then pretty quickly it becomes table stakes to just having that good customer experience,” Hoopes said. Caesars’ Sigala noted big data allows enterprises to combine varying types of information to develop a more complete picture of a customer but that doing so also can raise privacy concerns. “There are opportunities to fill in gaps and leverage third-party information to give us a fuller view of our customer. And that … is where you start to get into ‘Are we crossing the creepy line?’ and so that part is something that for us in a heavily regulated industry, we are very careful about. But there are opportunities and I know there are organizations that do this quite well.” Koa Labs’ Palmer contends some of the efforts around privacy should be redirected from trying to cordon off information and should instead focus on governance. “What you really want to do is you want to control what people actually do with your information — whether you’re being denied healthcare, whether you’re being denied life insurance, whether you’re being denied job opportunities based on this information.” Pursuing legal remedies for a misuse of information would be more efficient than trying to wall everything off, Palmer offered. “I’m not saying we shouldn’t try and protect information,” he said. “Security is important. 
There are a lot of bad actors out there in the world, but … the intuitive and the more subtle thing that matters way, way more is putting in place the regulations that are necessary in order to ensure that people use information the way that it is permissioned by the people who generated that information.” Palmer suggested health care and other industries with sensitive information around individuals would do well to adopt the model used by credit rating agencies. “Somebody wants your credit report, you’re going to find out about it, right? You’ll get a note and it says, ‘Hey, you know, this person wants your credit report, are you going to allow them to do that?’ It’s a great model for what we need to do in terms of privacy going forward in this country.”
Getting a Big Boost from Transparency
Another element of allaying some privacy concerns is to give consumers direct and accessible answers, according to Kelly. The former Facebook executive said a marketing message that might have been cobbled together by combining sets of data about a consumer can unnerve or annoy the recipient. To avoid this, enterprises should take pains to ensure a message is on-target with the recipient. Just as important is letting consumers “very easily” have questions answered about how they received a message. “That’s all good for the industry in the long run. That’s one of the reasons why we built a privacy infrastructure to allow people to be more secretive with some things if they didn’t want them to be publicly shared but also to make it easy for them to publicly share them if that’s what they wanted to do.” “The primary obligation that big data collectors have and should have … is transparency, is clarity about the collection processes, the operational processes that are used on that data and … a knowledge about what people have,” Kelly said. He contended that some of these requirements should be promoted through regulation. Bluefly’s Balakrishnan said consumers can be understanding when they see how they came to receive even a highly tailored ad. “Customers like some information on how you come up with decision making.” He noted even simple declarations such as “you viewed this” or “your friends viewed this” help consumers understand why they are seeing a message. “You want to give a brief rationale to why you did it and that kind of resonates with people who see the outcome.”
Consumers also respond when an ad, for example, was the result of an action the consumer took, such as signing up for an email. “The causal connection overcomes any privacy
hurdles,” Balakrishnan contended. “If it is very abstract it kind of gets marketed as ‘We are monitoring you to do X, Y, Z’ then there is a lot of suspicion about it. So, privacy really is the question about marketing.” He still prescribes a cautious approach. “You cannot be in the e-commerce space without having a very high level of trust with your consumer. Because once you drop the ball you’re toast.” Buxton sees crafting the right message as key and believes some privacy concerns are overblown. “I don’t even think it’s an issue. If you target the right message to the right person, they’re excited to see the message. If you target the wrong message to somebody then they don’t like that information.”
“I get marketing pieces that I enjoy all the time. I actually look forward to some of those things,” Buxton said. He noted the company does business with a couple thousand retailers and doesn’t see privacy as a big worry. “I never hear the word creepy. I never hear the word invasive. I just don’t hear it. People like to be talked to about something they care about.” “By looking at the lifestyle characteristics, looking at how you act, what you look like, you can target any specific group that you can imagine,” Buxton noted. In some areas, a lack of understanding about what is public information can lead to surprises. NationBuilder’s Murphy said in areas such as politics, voters can be receptive to well-tailored messages though are often surprised by them. “I don’t think many consumers or voters understand both what is in the political sphere public record already and don’t understand how big data works so it’s sort of the scare of how targeted these messages are becoming.” Cobbling together information about voters is now big business, Murphy said. “That data, whether they like it or not, is public record and it’s being bought and sold by companies. It’s being bought and sold by political consultants.” Campaigns at all levels will continue to rely on more detailed information about voters. “We’re seeing city council candidates use big data. We’re seeing someone running for the school board using big data,” Murphy noted. “In small elections where there are going to be thin margins or you only have to go out and contact 3,000 or 4,000 voters, big data can allow you to run no-money campaigns.”
Reaching voters in an effective way can serve democracy, Murphy said. “I definitely don’t think … in the political world having your message better tailored is creepy. I think it’s only good for democracy and only good for campaigns to actually get their message across.” The flyers
that once blanketed entire districts are now far more focused thanks to the analytics tools campaigns are deploying. This is more effective than spending money on broad media buys. “Being able to target in a more efficient way and get your messages that people actually want to hear is in fact a good thing even if there’s going to be sticker shock for a while.” Nordstrom’s Hoopes believes privacy standards are an ever-shifting line. That is in part because mores around still-emerging areas like social media and mobile technology are evolving. “What peoples’ privacy concerns are in five years are going to be completely different.” This makes it difficult for enterprises to determine the types of big data and analytics systems in which to invest. Angus, from MasterCard Advisors, said the company stands well back from what it ventures is the threshold of consumers’ privacy tolerance. “We walk very far from that line for now until it gets clearer to us and everybody else where a good place to be is, where consumers are comfortable, where regulators are comfortable, where other groups are comfortable,” Angus said. “We don’t ever get to individual tagging. All the data we look at is anonymized and aggregated,” he said. “There’s a lot of value we probably can’t create. But we’re very worried about walking too close to that privacy boundary and we don’t know where it is yet. We don’t know what people are comfortable trading for giving up some of their privacy either implicitly or explicitly. And so right now we’re probably overly cautious and we found that we can generate a huge number of insights at the aggregate level.”
Concerns about Making Big Mistakes
Working with big data can uncover obstacles beyond privacy. There are limits to what even huge data sets can do. “Doesn’t it sound great? You just get all this data, and you create this model, and you magically create all this knowledge. But it does have its limits,” Forrester’s Gualtieri cautioned. He highlighted the example of algorithmic trading on Wall Street. Complex models help determine when to buy and sell all manner of investments. Yet for all the knowledge built into such models, it is still often unclear what pushes investments up or down. The algorithms can react to price movements but not necessarily predict them with reasonable success. Gualtieri noted other systems with many fluctuating data points — such as the weather — are difficult to nail down. Predictive analytics also can hit roadblocks when data sets are insufficient in scale. As there have only been 57 U.S. presidential elections, there aren’t enough data points to draw sound conclusions. “You don’t have a lot of experience data to figure out what a
predictive model is, not to mention what the causative factors are,” Gualtieri said. Nordstrom’s Hoopes underscored the dangers of a small sample size. “One of the hardest challenges we have is we have the most information about our best customers, so that’s a hard sample to really test and draw widespread conclusions from — the people who are your most loyal and most engaged. So, that can lead you to a lot of false assumptions for the rest of the customers that you’re serving.” In addition, it can be hard to know all the ways customers are interacting with Nordstrom or any retailer with both a bricks and mortar and online presence. “Our data challenge is in identifying the customer and all the touchpoints,” she said. “If we were online-only there’s a huge advantage that you have in that … You create a unique identifier that you tend to stick with.” “A lot of our data is based on our physical stores that we’ve had for years and years. So, how do you start connecting all those points and get data down to the individual?” Still, enterprises don’t need to nail down every data point on a customer to be at least somewhat effective, Hoopes posited. “We don’t have to get to 100 percent,” she said. “The incremental value of getting really granular for my business is probably not there. I need to get you in the ballpark.”
In recommending products, for example, Hoopes suggests getting close enough can
work. “I need to get it right enough that I don’t turn you off,” she said. “I have a couple of opportunities to say I know you. The first time I get it really, really wrong, you’re out.” Other obstacles for using big data involve not managing human interactions but human nature. Series speakers noted executives often want to rely on instinct as they have in the past. Gualtieri, from Forrester, argued even executives who push for data-driven decisions
through processes like Six Sigma can disregard what does not align with instinct. “Then when a big decision came up, they’d throw that process out and … they’d make [decisions] based upon their instincts or their gut or whatever happens on the golf course.” Ford’s Ginder said simply managing big data can be daunting. “Can you capture and store all this data that is coming at you? This really is maybe the differentiation of big data in our minds.” Ginder noted Ford’s factories and the cars themselves still produce huge quantities of information every day that are not yet stored or analyzed for insights. The company is changing that though challenges remain. “Can you access these data later? Can you retrieve them, search them, integrate them and, especially, visualize them?” “We’re always looking for better methods to attack these volume, velocity, variety, challenges,” Ginder said. “How can we store more and access it quicker? How can we merge data more automatically from these different sources, especially at Ford where we have a lot of legacy sources of data?” The next difficulty is in running real-time analytics or near-real-time analytics. “How can we transition these big data kind of opportunities into our algorithms that we’ve built over the years for machine learning, artificial intelligence, and so on? That’s a big challenge for us.” Ginder sees visualization as an instrument for tapping into the beneficial aspects of intuition. “How do you convey the right, the most informative messages to the consumers of that data?” he said. “With the right visualization you can develop intuition that can aid your decision making in the future. So I think with visualization that’s the key to avoiding confusion with big data.” Bluefly’s Balakrishnan noted big data renders answers that are not always clear-cut. “It’s always important to recognize that big data doesn’t give black and white answers,” he said. 
Often, enterprises then have to evaluate how confident they are in the data producing the decisions. “You also have to be cognizant of the fact that the results might change over time. So, just because you got a result today doesn’t mean that result is going to hold in two weeks or three weeks. So, you have to keep adapting.”
Big Challenges around Scrubbing Data

Even once information is captured, executives outlined difficulties around kneading the data into a form that is useful for combining with other sets of information. “Can you process it? Can you cleanse it, enrich it, and analyze these data just as we did before with not-so-big data as well?” Ginder asked. MasterCard Advisors’ Angus said it often is difficult to collect and cleanse data to make it useful. “In risk and fraud we’ve been doing it for 20 years and we’re just starting to get good at it,” he said. “To us it’s that intersection point between the business and data that’s so hard.” Sigala explained Caesars employs a logistics group that attempts to distill data sets into the cleanest state possible. He noted this requires a set of skills that are “dramatically different” than much of the rest of the organization. Forrester’s Gualtieri sees a particular challenge for IT because the appetite for ever more data can clash with constructs around data governance. “IT wants to govern the data and control it and they’re used to creating these well-thought-out models. And data science doesn’t work that way. Data science says ‘Give me everything you got and I’m going to run one of these algorithms against it.’” Sigala sketched out challenges. Integrating the new information into operations can be vexing, particularly for companies that aren’t primarily online businesses. In the internet world, it is customary to rely on metrics for many aspects of operations. “In more traditional bricks and mortar type environments it’s not. You shouldn’t take for granted that the analytics is going to have an equal seat at the table versus all the other elements of the business,” he said. “The decision-making process, regardless of how compelling an analysis may be, isn’t a given.”
Koa Labs’ Palmer said the continued rise of big data will unearth opportunities around working existing data, not just the
new sources of information presented by an ever more connected world. “There are really huge opportunities in data integration and I think you’re going to see the next wave of new innovative companies and startups coming out not to store data but how to take the data that already exist, integrate the semantics about that data and actually sort of surface real interesting data to people and as real time as possible.”
A Future with Big Promise

The sources of big data will continue to mushroom. Rentrak’s Chemerow described the company’s recent move into China. The company can now measure TVs, movies and other video entertainment in the world’s most populous nation. The result? Another form of big data: “Four years ago they had zero digital set-top boxes. Today they have 155 million digital set-top boxes.” Ford’s Ginder explained the range of devices being connected to the internet — the so-called internet of things — feeds the growth of big data and the possibilities around it. “We see huge opportunities in big data,” he said. “Yes,
the techniques for extracting value from data analysis have been around for a long time but now this front end, this handling of these large volumes and speeds of data is a challenge that we’re tackling. Big data, again, is going to touch everything. … The real opportunity is to help optimize operation of all kinds of systems. We’re focusing, and I’m sure everyone is, around value and how we get value from these data.” Buxton noted the buzz around big data is giving way to action. “We’re still in an environment and a world that is not using big data appropriately to make great decisions,” he observed. “That’s changing.” Increased personalization of goods and services for consumers will continue, Britt Series participants predicted. “Firms that now make things personal, those are the firms that are going to thrive in the future, and the other ones are going to kind of drop off,” Forrester’s Gualtieri offered. He believes the consumer experience is what makes the marriage of big data and predictive analytics so exciting. Gualtieri cautioned against expecting too much too soon, however. “Those predictive models have limits. They’re not going to predict the weather right now. They’re not going to predict presidential elections. They’re not going to predict the stock market. But it’s just one tool that companies can use to create competitive advantage.” Google’s Pichette sees big data and the types of insights that can be generated as the type of leap forward that can help achieve goals that appear impossible. “Already enlightenment has really delivered amazing riches to humanity. If you think about it, it’s built on this absolute fundamental optimism of the human capability to understand the world in which we live in, to shift from dogmas — all these beliefs that are either set on myths or traditions or interpretations — but in fact trusting facts. And if you have trusting facts as a premise, is there no better world than the world of big data to do it in?”
The Center for Digital Strategies at the Tuck School of Business at Dartmouth promotes the development and implementation of digital strategies — the use of technology-enabled processes to harness an organization’s unique competencies and support its overall business strategies.

Alva H. Taylor, Associate Professor of Business Administration, Faculty Director, Glassmeyer/McNamee Center for Digital Strategies
Hans Brechbühl, Executive Director, Glassmeyer/McNamee Center for Digital Strategies
Tim Paradis, Program Manager / Editor
Kelli C. Pippin, Marketing Manager / Copy Editing
Leslie Tait, Administrator / Copy Editing
R.C. Brayshaw & Company, Graphic Design / Printing
Mark Washburn, Photography
Heather Gere, Videography
Daniel Maxell Crosby, Videography
Jones Media Center, Dartmouth College

2012–13 CDS MBA Fellows
Brent Dance
Ashley Jeong
Nishant Mehta
James Valdes
Ksenia Boehmer, honorary
Anirudh Goel
Vijai Krishnan
Justine Modot
Hannah Yankelevich
Betsabeh Madani, honorary
The CDS MBA fellows contributed project research and conducted interviews with many of the executives who informed this report. To access the interviews or learn more about the Center for Digital Strategies visit: tuck.dartmouth.edu/digitalstrategies
100 Tuck Hall Hanover, NH 03755-9000 USA 603-646-0899 digital.strategies@dartmouth.edu
CONTRIBUTING EXECUTIVES

Michael Angus T’87 Group Head, Global Payment Strategy, MasterCard Advisors
Sudev Balakrishnan T’07 Director, eCommerce & Product Management, Bluefly Inc.
Tom Buxton Chairman, Buxton
David Chemerow D’73 T’75 COO & CFO, Rentrak Corp.
Philip Degisi T’09 Director of Merchandising, Wag.com, Quidsi Inc.
Dr. John Ginder Manager, Systems Analytics & Environmental Sciences, Ford Motor Company
Mike Gualtieri Principal Analyst, Forrester Research Inc.
Alexis Hoopes T’06 Director, Online Merchandising, Nordstrom Inc.
Chris Kelly former Chief Privacy Officer, Facebook Inc.
Robert Mead SVP of Marketing, Product & Communications, Aetna Inc.
Nate Murphy Election Center Manager, NationBuilder
Andy Palmer T’94 Founder, Koa Lab
Michael Palmer Head of Innovation, Aetna Inc.
Patrick Pichette SVP & CFO, Google Inc.
Ruben Sigala SVP, Enterprise Analytics, Caesars Entertainment Corp.
Recent Press Releases
PRESS RELEASE Kelli C. Pippin, web & marketing manager Kelli.Pippin@Tuck.Dartmouth.edu 603.646.1756 Tim Paradis, program manager Tim.Paradis@Tuck.Dartmouth.edu 603.646.9136
FOR IMMEDIATE RELEASE
Center for Digital Strategies at Dartmouth’s Tuck School creates iPad app

HANOVER, N.H. – The Center for Digital Strategies (CDS) at the Tuck School of Business at Dartmouth College released its first app designed solely for the iPad. The app is the third for the center, which focuses on the role of technology in business. The free app is designed to feature the center’s in-depth research and exclusive insights from executives in an easy-to-digest manner. The content includes research, executive publications, case studies, video interviews, panel discussions and press articles. The concept for the app was simple yet challenging: create one engaging place where CDS’ many audiences can consume the variety of information the center produces. Center staff conducted extensive research to determine the most user-friendly format and design. After interviewing experts and reviewing successes and failures of mobile apps, center staff elected to design the app for use only on the iPad. Designing the app for a single platform helped ensure the best user experience. “We believed doing one thing and doing it well would give us the best way to share our work. That led us to limit the app to the iPad. It is the richest format available for consuming our content, which ranges from detailed research papers to video interviews. Plus, most of the students, researchers and executives who benefit from our content are already using iPads,” said Tim Paradis, the center’s program manager. “We tried to think of how we could best serve our audiences. So, as an example, we made it so the app displays most content even when the iPad is offline. This means it works on an airplane, where many of those who consume our content spend a great deal of time.”
The center worked with development firm Blue Pane Studio, based in North Carolina’s Research Triangle, to create the app. CDS and Blue Pane Studio collaborated on two earlier apps for the center. The CDS iPad app can be downloaded for free from Apple’s iTunes app store at http://bit.ly/PlWUxn. Or scan the QR code on the right with an iPad.

About CDS: The Glassmeyer/McNamee Center for Digital Strategies at the Tuck School of Business at Dartmouth College is dedicated to advancing the theory and practice of management in the digital, networked economy. The center generates insights into the way enterprises use digital technology to create value both within and for the value chain. It also creates a learning community of scholars and executives.

About Blue Pane Studio: We believe the wonderful and often incredible capabilities of mobile phones and iPads are improving how we learn, explore and find expert advice regardless of our professions or personal interests. Our roots are in graphic and publication design so we care about the complete experience of how an app or a page is read. Our Studio provides a complete range of client services from Discovery Workshops to Experience Design to Technical Development to Project Management.
PRESS RELEASE Kelli C. Pippin, web & marketing manager Kelli.Pippin@Tuck.Dartmouth.edu 603.646.1756 Tim Paradis, program manager Tim.Paradis@Tuck.Dartmouth.edu 603.646.9136
Questions about privacy, safety outpace the rise of cloud computing
Fortune 1000 CIOs identify big challenges brought by ascendant technology

Cloud computing promises to make setting up big server networks as easy as flipping a switch. The cost savings brought by such simplicity are appealing to CEOs navigating the unsteady global economy. What isn’t so clear is how CIOs stepping into the cloud will handle difficult questions over privacy – particularly in Europe – as well as how companies can maintain control over data. CIOs who see the vast potential of cloud computing must not only deal with the many questions around this shift but also with how their role will change. CIOs from Global 1000 companies recently gathered on the campus of Dartmouth College in New Hampshire for anniversaries of the European and U.S. chapters of the Roundtable for Digital Strategies at the Tuck School of Business. (The Economist this month ranked Tuck No. 1 among full-time MBA programs.) CIOs celebrating five years of the European chapter and 10 years of the U.S. chapter made clear that the fitful rise of cloud computing portends profound changes. Hans Brechbühl, Executive Director of Tuck’s Center for Digital Strategies and co-founder of the Roundtable, says cloud technology will require addressing a range of concerns. Among those identified by CIOs:

• How to comply with laws governing information-sharing, particularly in Europe and Asia.
• How to ensure third-party vendors maintain care when handling company data.
• How to tackle legal and security issues for employees who expect to access company information on personal devices such as smartphones and tablet computers.
• How to handle increasingly unwieldy sets of information known as “big data.”
• How responding to an outage in cloud networks requires different steps than failures in internal networks.
• How to redefine the role of the CIO to make the focus more on innovation and less on building networks.
Mr. Brechbühl, a Swiss-born former intelligence officer in the U.S. Army, can provide insights into the difficulties faced by CIOs with cloud technology and other challenges. View Highlights of the CIO / CLOUD Panel: http://youtu.be/C9WYyO2FKrU
________________________________________________________________________
Hans Brechbühl: Hans is the Executive Director of the Center for Digital Strategies at Tuck School of Business, Dartmouth College. He oversees all outreach efforts for the Center and manages the Roundtable on Digital Strategies. Prior to joining Tuck, Hans was Group VP of Corporate Development for Metromedia International Telecommunications, an executive for a financial dotcom and managing director of the Davidson Institute at the University of Michigan Business School. Previously, Hans served as an intelligence officer in the U.S. Army where he led tactical units on the Iron Curtain in Europe for six years. He holds an AM from Harvard University and a BS in engineering from the U.S. Military Academy at West Point. Hans is of Swiss heritage and speaks multiple European languages.

About the Center for Digital Strategies: The Glassmeyer/McNamee Center for Digital Strategies, a part of the Tuck School of Business at Dartmouth, is dedicated to advancing the theory and practice of management in the digital, networked economy. Ed Glassmeyer and Roger McNamee, both Tuck alumni in the technology venture capital arena, agreed on the need for increased research and thought leadership on the ongoing impact of information technology, particularly the internet, on how corporations function. Founded in 2001 as the fifth of Tuck's research centers, the Center for Digital Strategies generates insight into the way firms use digital technology to create value both within and for the value chain and fosters thought leadership by forging a learning community of scholars and executives.
Digital Assets
Please Stay Connected With The Center for Digital Strategies

iPad App: explore our research, roundtables, technology overviews and executive publications.

Britt Technology Impact Series App: available for iPhone or Android. Stay informed of upcoming speakers and explore past panel discussions, video interviews and company information.
Twitter YouTube Facebook Google+ Blog RadioTuck
tuck.dartmouth.edu/digitalstrategies