Vault in the Cloud




editorial Rahul Neel Mani | rahul.mani@9dot9.in

Dataleaks … What’s at stake?

In conversation with a few of India’s top-ranked CISOs (Chief Information Security Officers) last week, some very scary and eye-opening facts came to light. One of India’s premier telecom service providers (name undisclosed) discovered that over 400 of its employees were misusing the corporate data – a clear violation of data usage norms. The company issued a cautionary warning to 49 of them and finally terminated nine employees as they didn’t pay heed to the repeated warnings. Similarly, a software and e-learning major in India nabbed six of its employees and showed them the door. Terrifying, isn’t it? Indeed!

While enterprises face a data deluge and there is tremendous pressure on technology organisations to make the data available to large sections of the workforce, for better decision-making, the security of stored data remains a huge concern. While storage woes were handled beautifully by the majority of enterprises, the security of data is yet to show on the ‘to-do’ list of many. A lot of you will disagree with me and cite examples of firewalls, IDS/IPS, SSL-VPN secure access type of solutions deployed in your organisations. Frankly, those solutions are related to network security and provide the first line of defence from external threats. When it comes to fighting internal data theft and misuse, the approach, technology and mindset need to be totally different.

In the same series of discussions, Murli Nambiar, VP and Head of Information Security at Reliance Capital explained how he, after a lot of internal jockeying, overcame the serious threats of data thefts and helped in reducing the number of incidents in an organisation that has over 25,000 employees. Technologies like Digital Rights Management (DRM) and Data Leakage Prevention (DLP) come in handy and play a vital role when you are contemplating an enterprise-wide strategy for safety of data. In case of Murli, it wasn’t really an easy roll-out, but to believe him, it was the ‘only’ remedy to address the challenges of data theft and leakage. Not only have DRM and DLP prevented the leakage, they have also helped the company with preventing customer poaching (e.g. insurance customers). As custodians of sensitive corporate information, CIOs seriously need to look at these successful technologies that are not only saving sensitive data from being stolen or misused, but also safeguarding enterprises from something that can cause loss of image.

Editor's pick

Outsourcing Open Source

Mudra group takes the open source route to address its operations and accounting issues. The web-based application is centralised and integrated with all business processes.

The Chief Technology Officer Forum

cto forum 21 march 2011



MARCH 11

Cover Design by PC Anoop

Contents

thectoforum.com

Cover Story

Vault In The Cloud

The cloud is forming; Virtualisation adoption is rising; and SSD is steadily gaining. Indian CIOs are at the forefront of technology when it comes to managing the data deluge.

Columns


Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Silverpoint Press Pvt. Ltd. D- 107, MIDC, TTC Industrial Area, Nerul, Navi Mumbai- 400706


I believe: Trust More Important Than Technology
Active listening helped the IT department at Reliance Life Insurance to regain the trust from its users. By Milind Sawant

View point: Big Data: I Was Right Again
By Steve Duplessie

Features

Best of breed: How to Present The IT Story
CIOs need to engage the company's top brass in major presentations. By Dennis McCafferty


www.thectoforum.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Editor-in-chief: Rahul Neel Mani
Executive Editor: Yashvendra Singh
Senior Editor: Harichandan Arakali
Resident Editor (West): Minu Sirsalewala Agarwal
Assistant Editor: Varun Aggarwal

Design
Sr. Creative Director: Jayan K Narayanan
Art Director: Binesh Sreedharan
Associate Art Director: Anil VK
Sr. Visualiser: PC Anoop
Sr. Designers: Prasanth TR, Anil T, Joffy Jose Anoop Verma, NV Baiju, Vinod Shinde & Chander Dange
Designers: Sristi Maurya, Suneesh K, Shigil N & Charu Dwivedi
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

Best of Breed Case Study

Outsourcing Open Source
Mudra group takes the open source route to address its operations and accounting functionalities.

Next horizons: Stuxnet and the Future of Malware
Malware in future would be web-based worms. By Jeff Vance

NO holds barred: Dhruv Singhal, Oracle India’s Senior Director, Sales Consulting, shares his company’s plans around cloud computing.

Regulars

Editorial
Enterprise Round-up

Advertisers’ index

BHARTI AIRTEL: IFC
SCHNEIDER: 05
IBM: 07
VODAFONE: 08-09
CISCO: 13
ACE DATA: 15
RIVERBED: IBC
MICROSOFT: BC

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, CIO, Pidilite
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices
Vijay Sethi, VP-IS, Hero Honda
Vishal Salvi, CSO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay
Vijay Mehra, CIO, Cairns Energy

Sales & Marketing
VP Sales & Marketing: Naveen Chand Singh
National Manager-Events and Special Projects: Mahantesh Godi (09880436623)
Product Manager: Rachit Kinger (9818860797)
GM South: Vinodh K (09740714817)
Senior Manager Sales (South): Ashish Kumar Singh
GM North: Lalit Arun (09582262959)
GM West: Sachin Mhashilkar (09920348755)
Kolkata: Jayanta Bhattacharya (09331829284)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Production Executive: Vilas Mhatre
Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul Navi Mumbai - 400706. Printed at Silver Point Press Pvt Ltd., A-403, TTC Ind. Area, Near Anthony Motors, Mahape, Navi Mumbai-400701, District Thane. Editor: Anuradha Das Mathur

For any customer queries and assistance please contact help@9dot9.in

This issue of CTO FORUM includes 12 pages of CSO Forum free with the magazine


cto forum 07 MARCH 2011



The author has over 15 years of rich overseas and domestic experience managing technology infrastructure for large corporate organisations.

photo BY jiten gandhi

I Believe

By Milind Sawant Head - IT Infra, Reliance Life Insurance Company Ltd.

Trust More Important Than Technology

Active listening helped the IT department at Reliance Life Insurance to regain the trust from its users.

The one principle that I believe very strongly in, and always try to live by, is that one must always be open to listening to people and trusting them to have the best intentions. This might sound naive in the cutthroat corporate world, but when a person knows that he or she is trusted and that others are depending on him, it will take a very hard heart to deliberately do something wrong. When we learn to intelligently, not blindly, live by this principle, it gives us a chance to positively affect many people's lives by creating a sort of a chain reaction. The principle is applicable equally in our personal and professional lives.

Since we are in the services industry, we should always be in the listening mode to deliver the desired output. My strong belief is that when you listen carefully you can deliver effectively and efficiently. By virtue of our experience we transform/address these dynamic needs using different technology solutions.

Here’s one example: We used to have lots of complaints from our branches about the unavailability of communication infrastructure, and people had lost faith in IT services. When we analysed the incident database through a series of interviews with the branch ops people, we found a pattern, and the solution was quite simple, really. An alert mechanism that proactively informed branches about the outages would go a long way in winning our users’ trust again, we realised. We also added regular status updates that gave people a clear idea, in the case of an outage, of when they could expect the services back and what was being done about it.

Using people and technology we have started our NOC operations, which send alerts to affected branches either pro-actively or on an immediate basis. We follow up on it till the closure of the incident. Currently our NOC ops has handled more than 1,000 links successfully, with many ‘customer delight’ features including billing, commissioning and capacity planning.

The point I’m making is, people are the real assets, and technology is merely a tool to enable them to do their best. Winning their trust goes a long way in getting them to perform well.

Current challenge: unavailability of communication infrastructure made people lose faith in IT services



LETTERS

CTOForum LinkedIn Group

Join close to 700 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

The Cloud is all air and no substance

Do you think cloud is going to die a quick death of SOA or is it going to make big headway into the enterprise? Is it old wine in a new bottle? What does it lack in making a convincing case?

What are the attributes of a good CTO?

What are the prerequisites for a CTO role?

I see the CTO role as that of a technology leader bridging the gap between the commercial requirements of the enterprise and the technology support of those requirements. An effective CTO should be able to guide the efficient implementation of IT strategy of the business.

It's real and all about today and tomorrow. However, you have to bring it back to a realistic service that gives tangible benefits. There are a great deal of 'cowboy' stories and not many who really understand it.

—Ronald Kunneman, Director at Digitra

Opinion

‘Win-Win’ Is Not a Cliche

If you think, ‘win-win’ is a cliche, think again. “The power of this idea isn’t often as obvious to people as it should be. Just consider the following: who would like to lose? Got it?”

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.


Hubert Yoshida, Vice President & CTO, Hitachi Data Systems, provides insights into how Hitachi is transforming their data centres to stay in sync with changing business needs in a conversation with Rahul Neel Mani.

http://www.thectoforum.com/content/transformingdata-centre

Richard Ward, Head of Technical, WIN Plc

Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

CTOF Connect

To read the full story go to:

http://www.thectoforum.com/content/'winwin'-not-a-cliche

Aiyappan Pillai, Vice President, Tata Communications



Enterprise Round-up

Feature Inside: Four Risks CIOs Should Address When Contracting for Cloud Services

Illustration BY Suneesh K

Tablets to Shave Off Third of PC Growth this Year

Gartner has cut its forecast for the growth of PC due to competition from tablets.

The growing popularity of devices like the iPad, which recently saw its second iteration, will bring down growth of the PC industry from 15.9 percent to 10.5 percent in 2011, Gartner said. The impact will be the greatest on laptops, which have been driving the growth of the PC industry by growing at 40 percent every year.

Consumer mobile PCs have been the dynamic growth engine of the PC market over the past five years, averaging annual rates of growth approaching 40 percent. For much of this period, mobile PCs remained consumers' platform of choice for bringing the Internet into their daily lives. Internet access is now available through a multitude of mobile devices that allow consumers to engage in virtually all their favorite online activities without the need of a mobile PC.

George Shiffler, research director, Gartner said, "We once thought that mobile PC growth would continue to be sustained by consumers buying second and third mobile PCs as personal devices. However, we now believe that consumers are not only likely to forgo additional mobile PC buys but are also likely to extend the lifetimes of the mobile PCs they retain as they adopt mobile PC alternatives as their primary mobile device."

Data Briefing: 100 million LinkedIn users worldwide


They Said It: Warren Buffett

photos BY photos.com

Warren Buffett, American investor, industrialist and philanthropist, who is on his maiden visit to India, said that Ajit Jain has made more money for Berkshire Hathaway than he himself has. He said that he owes the people of India an enormous amount for sending him a person like Ajit Jain.

HP Integrates 3PAR Utility Storage for Cloud Computing

New storage offerings optimise cloud service delivery and simplify data management

HP has announced the integration of 3PAR Utility Storage across the HP Converged Infrastructure portfolio to simplify scalable cloud computing, and introduced new storage solutions for virtualisation and data deduplication. This integration enables clients to optimise cloud delivery with features like automated storage tiering to improve performance, and thin storage offerings to eliminate over-provisioning. The combination also helps clients seeking to consolidate storage hardware and respond to explosive data growth to address both of these challenges with converged block-and-file storage on a single storage array.

HP also has simplified data management with solutions built on converged storage, server and networking platforms to provide clients with unified management and a lower total cost of ownership. “Our clients tell us their journey to the cloud will be one of the most critical transitions for them this decade,” said Prakash Krishnamoorthy, Country Manager, StorageWorks, HP India. “HP 3PAR Utility Storage meets their demand for a new storage architecture specifically designed for IT as a Service.”

"He (Jain) could have made a lot more money working for someone else than working for Berkshire, but he is unbelievably loyal and hardworking and unbelievably smart."

-Warren Buffett, American investor, industrialist and philanthropist

Quick Byte on Internet

According to a comScore report, by the fourth quarter of 2010, the average Internet user (worldwide) spent 23.1 hours per month online. While Indian surfers spend an average of 11.9 hours on the Internet per month, Canadians spend as high as 43.5 hours per month surfing.


Four Risks CIOs Should Address When Contracting for Cloud Services

Cloud sourcing contracts often favour the provider.

Illustration BY Suneesh K

Although cloud offerings are rapidly maturing, the immaturity of cloud service contracting means that many contracts have structural deficits, according to Gartner. Gartner has identified four risky issues that CIOs and sourcing executives should be aware of when contracting for cloud services.

"Cloud service providers will need to address these structural shortcomings to achieve wider acceptance of their standard contracts and to benefit from the economies of scale that come with that acceptance," said Frank Ridder, research vice president at Gartner. "CIOs and sourcing executives have a duty to understand key areas of risk for their organisations."

The four risky issues for CIOs, when contracting for cloud services include:

Cloud Sourcing Contracts Are Not Mature for All Markets

When analysing cloud sourcing contracts, it is often obvious whether the cloud service provider wrote the contract with larger, more mature corporations, or the consumer side of the market, in mind. Gartner also sees many cloud-sourcing contracts that lack descriptions of cloud service providers' responsibilities and do not meet the general legal, regulatory and commercial contracting requirements of most enterprise organisations.

Contract Terms Generally Favour the Vendor

Organisations that successfully outsource, evolve more partnership-style relationships with their vendors. Cloud service contracts do not lend themselves to such partnerships — mainly because of the high degree of contract standardisation — where terms are consistent for every customer, and service is typically delivered remotely rather than locally. An organisation needs to understand that it is one of many customers and that customisation breaks the model of industrialised service delivery. Cloud service contracts are currently written in very standardised terms, and buying organisations need to be clear about what they can accept and what is negotiable. To manage cloud services contracts successfully, organisations need to manage user expectations.

Contracts Are Opaque and Easily Changed

Contracts from cloud service providers are not long documents. Certain clauses are not very detailed, as URL links to Web pages detail additional terms and conditions. These details are often critical to the quality of service and the price (such as SLAs) for uptime or performance, service and support terms, and even the description of the core functionality of the offering. Clauses that are only fully documented on these Web pages can change over time; often without any prior notice. Organisations need to ensure that they understand the complete structure of their cloud sourcing contract, including the terms that are detailed outside of the main contract.

Contracts Do Not Have Clear Service Commitments

As the cloud services market matures, increasing numbers of cloud service providers include SLAs in URL documents referenced in their contracts and, in fewer cases, in the contract itself. Usually, the cloud service providers limit their area of responsibility to what is in their own network as they cannot control the public network.

Global Tracker: Cloud adoption in India

14%: While 14 percent of Indian organisations are currently using cloud computing, 76 percent plan to use cloud computing at least after six months.

Source: eEye 2011 Vulnerability Management Trends Report



Punjab National Bank Standardises IT Infrastructure

Helped improve availability of PNB’s core banking solution.

Punjab National Bank (PNB), India's second largest public sector bank, has become the world's largest site for Infosys's Finacle Universal Banking Solution running on Oracle Real Application Clusters, Oracle's Sun SPARC Enterprise Servers and Oracle Solaris. Catering to over 60 million accounts, over 5000 branches and extension counters and managing nearly 14 terabytes of data, Finacle on Oracle Real Application Clusters and Sun SPARC Enterprise servers have helped PNB to run its bank operations more efficiently, securely and with zero downtime.

"I can proudly say that among the nationalised banks in India, we have taken IT deployment to new heights," said Ajay Misra, GM, IT, PNB. "The Finacle solution on Oracle Real Application Clusters and Oracle's Sun Servers has provided us with reliable technology that helps us serve our customers much more efficiently. Our customer satisfaction rate has improved drastically in the last year."

PNB reaped the following performance improvements:

- 30% increase in daily business transactions.
- 100% increase in the number of transactions from delivery channels (NEFT, RTGS, ATM etc.), from 5 lakhs a day to 10 lakhs per day.
- Growth in the number of concurrent users accessing Finacle across branches with the ability to scale up to 35000 concurrent users.
- IT optimisation resulted in a reduction of 1.5 hours daily to process day end activities (e.g. interest run from the day's sales of fixed deposits, savings account, loans etc. at a branch).
- Automation of the bank's statistics gathering mechanism, which can now be completed within 12 hours, compared to 28 hours previously.
- Reduction in query response time from 30 minutes to a few minutes due to high availability of the solution.

PNB's enhanced transaction processing efficiency enables the bank to provide its customers with on-line and real-time banking, across its urban and rural branch network across India. This platform empowers the bank with highly scalable architecture for quick ramp-up capabilities to handle growing volumes for future business growth and provides flexibility for creating innovative banking products.

Worlds of IT and Operational Technology Are Converging

Key issues for alignment examined.

The worlds of IT and operational technology (OT) are converging, and IT leaders must manage their transition to converging, aligning and integrating IT and OT environments, according to Gartner. Analysts say the benefits that come from managing IT and OT convergence, alignment and integration include optimised business processes, enhanced information for better decisions, reduced costs, lower risks and shortened project timelines.

An independent world of physical-equipment-oriented technology is developed, implemented and supported separately from the IT groups. For simplicity, Gartner refers to physical-equipment-oriented technology as "operational technology" (OT).

"The relationship between the IT and OT groups needs to be managed better, but more importantly, the nature of the OT systems is changing, so that the underlying technology — such as platforms, software, security and communications — is becoming more like IT systems," said Kristian Steenstrup, research vice president and Gartner fellow. "This gives a stronger justification for IT groups to contribute to OT software management, creating an IT and OT alignment that could be in the form of standards, enterprise architecture (EA), security models, and information and process integration."

Fact ticker: Year of PaaS

All the leading enterprise software vendors, as well as large cloud specialists, will introduce new platform-as-a-service (PaaS) offerings this year, making 2011 the year of PaaS, according to Gartner. These vendors are expected to deliver new or strongly expanded PaaS service offerings and cloud-enabled application infrastructure products.

"By the end of 2011, the battle for leadership in PaaS and the key PaaS segments will engulf the software industry," said Yefim Natis, vice president and distinguished analyst at Gartner. "Early consolidation of specialised PaaS offerings into PaaS suites will also be evident. New vendors will enter the market through acquisitions or in-house development. Users can expect a wave of innovation and hype. It will be harder to find a consistent message, standards or clear winning vendors."

During the next five years, the now-fragmented and uncertain space of cloud application infrastructure will experience rapid growth through technical and business innovation. Large vendors will grow through in-house development, partnerships and acquisitions, while small vendors will grow through partnerships and specialisation. Users will be driven into cloud computing as business application services and advanced platform services reach acceptable levels of maturity.



Best of Breed

Features Inside

Is it Time For Bringing Your Own Technology?
Business Analytics: Numbers and Nuance
Have You Tested Your Strategy Lately?
More

How to Present the IT Story

It is challenging for a CIO to engage his company's top brass in a major presentation. By Dennis McCafferty

Illustration BY Shigil N

You've been called upon to make a major presentation to your organisation. Your job is to "sell" the audience on your latest IT initiative. Now what? Use these eight tips to tell your IT story in a way that engages and motivates your audience.

We feel your pain. You need to make a major presentation to your organisation – which includes everyone from your CEO to the CFO to the rank-and-file in all departments – to “sell” the audience on an IT initiative. Or, perhaps you've been called to present to your board of directors for the first time. You realise a long, dreary speech from the “tech boss” isn't going to get the crowd “pumped up” from the get-go. The solution? Don't give a long, dreary speech, according to Peter Guber.

Peter Guber, CEO, Mandalay Entertainment Group

With a proven track record in the entertainment, sports, and new media industries, Guber's successes are often directly tied to his command of “telling to win” during his presentations. In the book, Tell to Win: Connect, Persuade, and Triumph with the Hidden Power of Story (Crown Business/Available now), Guber reveals that you don't have to be a Hollywood hotshot to dazzle audiences with your speeches. There are many, highly transferable qualities of winning presentations that CIOs and other senior leaders can adapt for their own engagements. In the end, it's all about connecting by telling a purposeful story. “Stories emotionally transport the audience,” says Guber, “so they don't even realise they're receiving a hidden message.”

After an extensive history of leadership with Columbia Pictures, Casablanca Records and Filmworks, Sony Pictures and other high-profile entertainment organisations, Guber is now chairman/CEO of Mandalay Entertainment Group. Films he produced or executive produced have been nominated for more than 50 Oscars. (Including Mandalay’s The Kids Are All Right, which was nominated for four Oscars, including Best Picture.) Guber is also owner and co-executive chairman of the NBA franchise, the Golden State Warriors.

Here are eight tips drawn from the book that you can use for your next big presentation:

- Introduce “me-to-we” techniques that transform your story into a shared experience. In your “tell,” you connect to your listeners through shared frustration or pain, turning your audience into viral advocates.
- All stories have a challenge, struggle and resolution. The beginning sheds light on the challenge. The middle explains what it takes to meet the challenge. The end is a call-to-action.
- Humanise the numbers. When you tell the story of the people behind any “success stats” presented, you put “real” faces on the data.
- Past failures can demonstrate authority/authenticity as well. If you apply lessons learned to failure through the story you tell, you convey admirable qualities of vulnerability, humility and resilience.
- Listen with your ears – and eyes. Listen and look to see if the audience is engaged. Are they nodding, laughing and taking notes? Or are they yawning, pulling out smart phones and slumping in their chairs?
- Be prepared to drop your script. Telling purposeful stories is as much about improvisational ability as it is about a good script. Take verbal/visual clues from the audience and remain nimble enough to shift direction as needed.
- Change passive listeners into active participants. Surrender control of your presentation to them. Allow them to “own” your topic with their input on action steps.
- Use “state of the heart” technology online – and offline. In doing so, you will make your story resonant, memorable, actionable and more likely to be paid forward by your listeners.

—This opinion was first published in CIO Insight. For more such stories please visit www.cioinsight.com

Is it Time for Bringing Your Own Technology?

Three forces are colliding that will make the 'Bring your own technology' workplace a reality.

By John Parkinson

It’s time to get over the control paradigm we’ve all gotten used to and start thinking outside the box. What would it take to allow any device to connect safely and securely to our corporate networks?

Most of the organisations I have worked with for the past 40 years had rules about what technology could be used at work. They spent a good deal of time and money creating or acquiring standard technologies that were supposed to be easy to secure and manage because they were standardised and recognisable. Some places even went so far as to “lock down” user technologies, preventing or overwriting changes made by users. With all the well-known challenges related to combating viruses and other malware -- as well as the need to secure business data and make sure that business technology wasn’t being diverted to unauthorised personal use -- all this effort seemed to make sense.

Occasionally, you would come across someone who didn’t want all the procurement and asset management hassle. These IT renegades would hand out cash to staff to “go and buy what you want.” But they remained in the minority, and generally still had rules about what could connect to the network and what software could run on user endpoints.

Talk to infrastructure managers (and even some security managers) and they’ll tell you that keeping track of all this has become a real pain. Users don’t like it, and with some justification: No single configuration can be optimised for everyone. Asset managers don’t like it. Even vendors don’t like it -- especially in single-vendor environments in which procurement is a winner-takes-all event over a period of years.

Now, three forces are colliding that will make the “Bring Your Own Technology” workplace a reality.

The first is mobility. Innovation today is focused around mobile devices, and it’s becoming hard to have, or even enforce, standards. When a phone costs as much as a laptop and only lasts about half as long, businesses aren’t going to want to give everyone their own. Also, you can’t, yet, lock down a phone, the way you can a laptop, because it has to be able to connect to open public networks. There are things that a business can do to secure and manage mobile devices, but these are, at best, stopgaps.

The second force is virtualisation. Once you have separated the user’s software environment from the underlying hardware, it’s less important what that hardware is or who owns it. User technology becomes an access point to a virtualised information and application space. I still have to be able to identify and authenticate the user, but I’m now much less concerned about the device.

The final force is the rising use of contract and outsourced resources -- and of multi-business collaborative networks. It may not be economically, or even legally, possible to dictate which technology contractors use, especially if they’re not working for you full time. Contractors won’t want to have different devices for different customers. And if they are working for an outsourcer in a different geography, you are unlikely to have much control over what technology they use.

How can we assure ourselves that nothing bad will happen when a new device shows up? How can we ensure that when information leaves one of these devices, it will remain secure? Answer these questions -- and workable answers do exist -- and you can get out of the user-technology provisioning business, simplify asset management and let your users have the technology they really want.

—John Parkinson is the head of the Global Program Management Office at AXIS Capital. He has been a technology executive, strategist, consultant and author for 25 years. Send your comments to editors@cioinsight.com.

—This opinion was first published in CIO Insight. For more such stories please visit www.cioinsight.com.

The New CIO’s First Steps

A new CIO has to define the present and future state of IT and strengthen governance.

By Peter High

Illustration by PC Anoop

Duane Anderson took on his first CIO role in mid-2009 when he joined ad agency Marquette Group and its sister agency USMotivation. His first steps? Focus on defining the present and future state of IT and strengthen governance in his organisation.

Marquette Group in Peoria, Ill., is an advertising agency that delivers qualified, local customers to national brands by designing integrated media strategies. Its sister company, USMotivation, focuses on incentive strategies, group travel, and creative communications. When Duane Anderson came on board in mid-2009 as CIO serving both entities, he clearly needed to be sure to work with his new colleagues to define the present and future state. This was Anderson's first foray into the CIO role, and he was new to the industry. As a former lieutenant to Tim Stanley at Harrah's Entertainment, he had been exposed to a high-octane IT department, but now he was in IT's biggest chair.

Since he was new to the role and to his company, Anderson focused on steps related to defining the present and future state of IT, as well as strengthening governance. The first step was to develop an infrastructure roadmap. As Anderson began to evaluate the IT infrastructure, he realised that the server infrastructure had grown on a need-by-need basis, rather than with the company's strategic goals and total cost of ownership in mind. This led to a very outdated footprint that could not easily scale or be supported at a reasonable cost. "To break this cycle, we focused an internal and external team to define our server infrastructure roadmap," says Anderson. "We are now executing on key components of this plan, which includes moving tactical needs [such as] email and file servers to public cloud options, and strategic needs [such as] customer applications and high availability to a blend of private cloud and on-demand utility computing."

Next, Anderson focused on the needs of his colleagues outside of IT. He had joined the company after the economic malaise was in full swing, and he pushed to ensure that he was gaining strategic traction with his new business colleagues, as opposed to being viewed simply as a cost center.

"Our IT-business communication plan is designed to ensure alignment at the strategic, project, and day-to-day support levels, with forums that allow escalation or decision-making to happen closer to real-time when an issue is identified," says Anderson. This includes:

Frequent strategic meetings with company ownership and business unit leaders to review the IT portfolio;
Project meetings that include everyone from the executive sponsor to the ultimate end-user;
Status for all IT projects communicated via weekly email and an internal portal for anyone to review.

After that, Anderson made sure that the appropriate governance was in place to manage the growing portfolio of initiatives under his purview. When he dug into the IT portfolio of projects, he found that there were too many small projects that did not align well with the company's strategy. He turned this on its head, focusing instead on fewer projects that were directly aligned with the business plans. "This has allowed us to really move the dial on strategic efforts, such as growing our revenues non-linearly with costs and greatly increasing our customer-facing IT efforts," Anderson says.

Lastly, Anderson says that prior to his arrival (and before the last economic downturn), Marquette Group and U.S. Motivation did not manage its spend on infrastructure as well as it should have, leading to ever-increasing costs just to "keep the lights on." Anderson responded by creating a business operations function within IT. This group is responsible for tracking every external IT cost, benchmarking these costs externally, and re-bidding these costs at defined intervals to ensure the company is not paying too much for services. "As a fringe benefit, our business leadership has allowed us to re-invest a portion of these savings into new IT development," says Anderson.

—Peter High is president of Metis Strategy, a boutique IT-strategy consultancy based in Washington, DC. A contributor to CIO Insight, Peter is also the author of World Class IT: Why Businesses Succeed When IT Triumphs, and the moderator of the podcast, The Forum on World Class IT. He can be reached at peter.high@metisstrategy.com.

—This opinion was first published in CIO Insight. For more such stories please visit www.cioinsight.com.

53% of the adults in India have been victims of mobile phone loss or theft

10 Sure Fire Ways to Avoid Success

Bad ideas can be very damaging for a business. Such ideas should be nipped in the bud.

Donn DiNunno

In business as in life, bad ideas are ubiquitous. In life, we often get a chance to grow up, be forgiven, and learn from our mistakes, but bad ideas in business can be devastating and unrecoverable. So, when they begin to take root and start damaging morale, blocking innovation, and destroying value, you must recognize the warning signs before it’s too late and take steps to avoid the damage. You say that you don’t have that many bad ideas; that they come from "others." Then perhaps you should review some of the following common bad ideas and attitudes that can destroy your business:

1. Delegate upward: What is needed is more support from upper management. This attitude is a not so subtle way of delegating upward. Management is about planning and supporting core systems and processes. It does set priorities and maintains order but what is needed is more leadership at all levels. Leadership is about proactive alignment, vision, establishing ways of getting things done -- usually within the direction of upper management -- sometimes in spite of that direction.

2. Hold onto the past: Great companies are built to last. Just like in investing “past performance is NOT a predictor of future success.” Companies that aren’t growing and changing are dying, maybe slowly, but dying for sure. This doesn’t mean that all change is good, but regular re-examination of values and strategies is necessary to keep companies alive.

3. Insert technology: Technology is the solution to streamlining processes, cost-cutting, creating competitive advantage, automating production, avoiding waste, etc. Technology is a means to an end, not the end itself. Streamlining is something that most companies can do much more of, but streamlining won’t help if what you are currently doing isn’t the right thing to be doing. Technology insertion for competitive advantage first requires market research, price benchmarking, and establishing a value proposition that’s good for customers and for the company. Then technology may help deliver that value.

4. Compromise values: There are exceptions to every rule. So it’s okay if a few high-performing individuals are not held to the same level of scrutiny as the rest of the employees. Company values are not “rules” to live by. The rules are based on those values. Rules can be broken, but within the culture and according to the values of the company. Everyone has their own set of values, and maintaining respect for individuality is important. But, when individual values clash with company values, then individuals may have to be separated from the company to maintain corporate integrity.

5. Throw money at problems: People just need to be “incentivised.” Instead of treating people as animals to be coaxed into doing good work, get to know and work with people as individuals, and discover what they value. Build jobs around their core commitments, and pay them for the value they create. Good people are more likely to stick around if you respect their values.

6. Avoid confrontation: Issues with your boss (or peers) should be minimised. Confrontation doesn’t have to be, well, confrontational. Make others aware of your concerns by calmly describing your issues and explaining the consequences of ignoring them. This is a great way of building a reputation for avoiding confrontations. Face it: Other people don’t see the world as you do. Engaging others in a discussion of viewpoints and initiating joint problem solving can be a way of getting others to come up with your ideas as if they were their own. You just might see a little better where their values have shaped their viewpoints too to avoid bad idea No. 4.

7. Rely on the experts: Follow the consultant’s recommendations, or worse, what the current magazine article outlines. Most consultants, books, and articles provide solutions that don’t account for any specifics of your situation or your company. Theory is a good place to start but it’s not practical or tactical. You need help getting from where you are to where you need to go, and both are most probably unique to your circumstances. It’s good to ask the experts, just don’t rely solely on their advice.

8. Tough love is best: Training, quality management, advertising, research and other optional budget areas should be temporarily suspended in tough times. A company is defined by how it deals with tough situations. Almost anyone can manage the good times, but quickly eliminating the feeding mechanisms shows that some company values aren’t held that strongly. In reality, it’s during tough times when “in-reaching” through training and quality programs and out-reaching through advertising and research become most valuable in turning those tough times around.

9. Try, Try, Again: If we just try harder, it will work this time. Redoubling your efforts, now that you have learned your lessons is usually a formula for failure. Working harder and expecting a reward can set you up for false expectations. However, sometimes when you’re faced with a “no way” response, the best approach is to take the thing to a higher level to find “the way.” But, usually, this success involves changing the equation. Just trying the same thing isn’t insanity, but it can waste a lot of emotions and resources. When it’s those sunk costs that keep you holding on, trying to reach that return on your investment, ask yourself what you’d do if you didn’t have those sunk costs? If your answer is different, then the difference is an indication of a better approach. Working smarter is a better idea.

10. Return to your roots: Focus on what made us successful in the first place. Like bad idea No. 2, returning to the past isn’t much better than holding onto it. You’ve heard that, “You can’t go home again.” Without reinventing itself every few years a company will commit to a roadmap that leads to a dead end (just ask Blockbuster). The customer has experienced that value and wants something more. Either you provide it or someone else will!

These ten bad ideas (and more) are probably running rampant in your company and must be identified, evaluated, and replaced with better ideas or the eventual consequences will be the destruction of your business. Better ideas come from values, assessments, individuals, empowerment, research, scenario planning, partnerships, and a willingness to change. If what you are doing hasn’t led you to success then change what you are doing -- before you destroy something good.

—Donn DiNunno is Quality director at EM&I, whose consultants specialize in the areas of strategy, governance and engineering,

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.

21.2% growth of storage revenue in APAC in the year 2010



Business Analytics: Numbers and Nuance

BA tools have moved from being used for specific campaigns to being incorporated into the day-to-day operations of an organisation.

Dennis McCafferty

Illustration by Shigil N

A car-rental giant seeks solutions to get fast, accurate information about customer comments. A health care benefits provider is using IT tools to obtain a complete picture of patient medical histories. And a global nonprofit is deploying the same technologies to ensure that donor contributions are well-spent.

Like many companies, these three organisations are discovering new ways to deploy business intelligence and business analytics tools. By now, using BI/BA is nothing new. What is new, however, is the eagerness of CIOs to seek out an ever-expanding list of capabilities and applications for this kind of technology, and to use them across the enterprise. This interest is fueling considerable demand: Worldwide BI software sales are expected to reach more than $11.3 billion by 2012, up from just over $9.7 billion this year, according to research firm Gartner. New solutions are emerging that allow for improved change-data capture, management and cleansing. And there are more self-service tools to make it easier than ever to access and use the data throughout the enterprise.

For CIOs, however, a frequent and possibly more perplexing challenge goes beyond finding the right technology. The real challenge is in finding and retaining top BI/BA talent. Leveraging BI/BA, after all, doesn’t simply require high-end aptitude for data analysis, reporting and management. It demands a deep understanding of the intended business process, says Steve Cranford, a

director in the advisory practice of PricewaterhouseCoopers, a global professional services firm. “These ‘hybrid’ qualities are usually found in individuals with several years of business knowledge who have emerged from either the business or the technology organisation,” he says. “They also have experience with the BI processes, methodologies and tools that are driving the decision processes of the organisation. Given the drought of top BI talent, these qualities become a ‘perfect storm’ retention challenge as adoption of BI increases in the overall marketplace.” Traditionally, BI/BA tools have been used to target a specific campaign, market segment or other niche. But the current push

is to incorporate BI/BA into the day-to-day operations of an organisation so that it’s routinely applied at all levels. This means that the BI/BA process must be collaborative across the enterprise, says John Lucker, principal at Deloitte Consulting. “CIOs should look for ways to actively participate in the process,” he says. “They must team with business groups to find new ways to do things and new approaches for analysis. They should look for new tools to make things easier or possible, and new external data sets to augment institutional data.” This collaborative approach is already delivering ROI for the Cincinnati Zoo, which implemented a business analytics system tied to its POS.

What CIOs really need are BI/BA solutions that can bring their companies to “next-level” business performance. It’s about more than simply gathering and analysing data. It’s about maximising the value of data throughout the enterprise. CIO Insight recently spoke to three top technology executives at high-profile organisations—Hertz, Capital District Physicians’ Health Plan and the Elizabeth Glaser Pediatric AIDS Foundation—to learn more about what “next-level” BI/BA solutions mean to them. Here are their stories.

Like many car-rental companies, Hertz seeks as much feedback from customers as it can. It wants to know if its vehicles ran well, and whether the fleet was clean and appealing. It encourages customers to indicate whether there were any mechanical problems, and how the sound system fared. And, if a service-counter employee was extra accommodating, the company is interested in these details as well.

Accessing such information in a timely fashion has always been troublesome. There have been thousands of paper surveys mailed to customers, toll-free phone conversations and comments posted on the company’s Web site. “It could take three weeks to gather all the information and have someone aggregate it and try to see if there was a trend there,” says Joe Eckroth, CIO for Hertz, which is based in Park Ridge, N.J. “Then, there was the question of, ‘What the heck do you do with this information?’ By the time you figured it out, the customers had moved on to other things.”

By using Mindshare Technologies and other tools from IBM, Hertz has shifted its BI/BA capabilities into the fast lane. The resulting solution package is mobile-focused, collecting and aggregating massive streams of comment data delivered to the company by customers using smartphones. The solution can distinguish and provide special analytical focus according to specific topic points—Clean or dirty car? Helpful or unhelpful staff? Long or short wait at the counter line?—as well as geographic region.

Local managers now get daily performance feedback. If a customer has a particularly negative experience, managers must address and resolve the problem within the day—no later than a 24-hour period. “That makes a huge impression, when a manager indicates that he wants to help you resolve a situation so quickly,” Eckroth says. “It

makes a great deal of difference when it comes to customer retention.”

Available tools also help Hertz get a sense of whether features such as satellite radio and iPod-friendly sound systems deliver added (and salable) value to the customer. Sentiments being expressed “out there” in the social media universe, such as Twitter feeds, can also be monitored and analyzed. The efforts are paying off: Hertz’s performance on the Net Promoter Score—the industry standard of customer-satisfaction assessment tools—has risen steadily since the company made significant investments in BI/BA. Every monthly score in 2010 has seen a notable improvement over the same period in 2009, and Hertz has approached what amounts to industry best-in-class scores in four out of nine months.

“In our business, it’s all about the customer experience,” Eckroth says. “This technology is allowing us to get a clear and immediate picture. With customers being as fickle as they are with the choices they have, you

need to be ahead of the data, not behind it.”

For patients in upstate New York, the path to improved health care may have been inspired by … Pop-Tarts? Long before BI/BA emerged as an IT industry buzz phrase, Linda Navarra had a “Eureka!” moment that involved the popular snack. “It was 15 years ago,” she recalls. “I was getting targeted ads from Walmart promoting strawberry Pop-Tarts before snowstorms. And I thought, ‘Walmart must know that its customers are going to want to load up on Pop-Tarts before a winter storm. Why are they able to come up with this kind of useful knowledge and, in health care, we don’t?’ What we’re doing is about life and death, after all.”

Now the CIO of the Capital District Physicians’ Health Plan (CDPHP) in Albany, N.Y., Navarra has taken the initiative to deploy BI tools for this very purpose. CDPHP uses BI solutions from HP to take data from financial, claims, clinical and third-party systems to come up with a “total patient picture,” with the intention of providing the best health care possible for its 340,000 members. “We can build this picture around years of medical services, lab results, prescriptions and other information,” Navarra says. “It allows for faster and more accurate assessments on the part of our physicians [than was previously possible].”

When Navarra arrived at the 800-employee CDPHP four years ago, there was no way of tracking a patient’s entire medical history, given how often each patient switched coverage through the years, and how disparate various hospital record-keeping systems could be. HP’s solution allowed CDPHP to build a model that essentially “connects the dots” with respect to the far-flung data. This is far from a completed effort. “We want to see the day when a system will know, for example, when a patient was given a prescription but never went to the pharmacy to pick it up,” says Navarra. “Or when a system will know whether a patient is taking medication as prescribed and, if not, send us an alert so we can let the doctor know. This would allow us to make the appropriate intervention.”

The Washington, D.C.-based Elizabeth Glaser Pediatric AIDS Foundation raises more than $119 million a year from diverse sources, including the Centers for Disease Control and Prevention, Disney, CBS, the



Bill and Melinda Gates Foundation, the U.S. Agency for International Development, the NBA, actor Harrison Ford, IBM and members of the public. Carrying on the work started by Glaser—who passed away from the disease in 1994—the foundation provides health care services for more than 2 million women at 3,700 locations around the world. As with other nonprofits, Glaser employees must provide detailed reports to donors about how funds are used, such as how many people have been tested for HIV and how many are being treated successfully. Traditionally, the process of gathering such massive data on a global scale was a cumbersome, manual one. Workers—some

in remote locations—typed reports into Excel spreadsheets and attempted to e-mail or fax them to centralised locations. Data integrity was often poor. Slow Internet connections, frequent power losses and limited technical know-how further hindered the process. Sometimes, workers resorted to phoning in the latest numbers, which could increase the likelihood of inaccuracy. “The data wasn’t readily available,” says Mark Reilley, director of IT for the foundation. “We didn’t have the policies we needed to designate proper access. We couldn’t be assured of its accuracy. We needed a solution that addressed all of these concerns.” Reilley and his team went with a .Net application from Acumen Solutions to consolidate

and make use of the data. It allows each international site to automate reporting on a Web-based platform. At the headquarters level, the BI/BA solution provides a previously unavailable and valuable perspective on the intricacies of the funding impact. It can cross-track sites and their funding levels with the number of patients being treated. It can tap into the foundation’s travel database and pinpoint which areas have been visited most often, and whether they have made a large impression on the quality of local health care. “It lets us see where the dollars are going,” Reilley says, “and what kind of value we’re getting.”

—This opinion was first published in CIO Insight. For more such stories please visit www.cioinsight.com

Have You Tested Your Strategy Lately?

A few timeless tests can help you kick the tires on your strategy, and kick up the level of strategic dialogue throughout your company.

By Chris Bradley, Martin Hirt, and Sven Smit

Illustration by Shigil N

“What’s the next new thing in strategy?” a senior executive recently asked Phil Rosenzweig, a professor at IMD, in Switzerland. His response was surprising for someone whose career is devoted to advancing the state of the art of strategy: “With all respect, I think that’s the wrong question. There’s always new stuff out there, and most of it’s not very good. Rather than looking for the next musing, it’s probably better to be thorough about what we know is true and make sure we do that well.”

Let’s face it: the basic principles that make for good strategy often get obscured. Sometimes the explanation is a quest for the next new thing—natural in a field that emerged through the steady accumulation of frameworks promising to unlock the secret of competitive advantage. In other cases, the culprit is torrents of data, reams of analysis, and piles of documents that can be more distracting than enlightening.

Ultimately, strategy is a way of thinking, not a procedural exercise or a set of frameworks. To stimulate that thinking and the dialogue that goes along with it, we developed a set of tests aimed at helping executives assess the strength of their strategies. We focused on testing the strategy itself (in other words, the output of the strategy-development process), rather than the frameworks, tools, and approaches that generate strategies, for two reasons. First, companies develop strategy in many different ways, often idiosyncratic to their organisations, people, and markets. Second, many strategies emerge over time rather than from a process of deliberate formulation.

There are some tests on our list, and not all are created equal. The first—“will it beat the market?”—is comprehensive. The remaining disaggregate the picture of a market-beating strategy, though it’s certainly possible for a strategy to succeed without “passing” all of them. This list may sound more complicated than the three Cs or the five forces of strategy. But detailed pressure testing, in our experience, helps pinpoint more precisely where the strategy needs work, while generating a deeper and more fruitful strategic dialogue.

[Exhibit: Have you tested your strategy lately? Number of tests rated as fully consistent with company strategy, percentage of respondents: 3 or fewer, 65; 4-6, 25; 7-8, 10.]

Those conversations matter, but they often are loose and disjointed. We heard that, loud and clear, over the past two years in workshops where we explored our tests with more than 700 senior strategists around the world. Furthermore, a recent McKinsey Quarterly survey of 2,135 executives indicates that few strategies pass more than three of the tests. In contrast, the reflections of a range of current and former strategy practitioners suggest that the tests described here help formalise something that the best strategists do quite intuitively.

The tests of a good strategy are timeless in nature. But the ability to pressure-test a strategy is especially timely now. The financial crisis of 2008 and the recession that followed made some strategies obsolete, revealed weaknesses in others, and forced many companies to confront choices and trade-offs they put off in boom years. At the same time, a shift toward shorter planning cycles and decentralised strategic decision making are increasing the utility of a common set of tests. All this makes today an ideal time to kick the tires on your strategy.

Test 1 Will your strategy beat the market?

All companies operate in markets surrounded by customers, suppliers, competitors, substitutes, and potential entrants, all seeking to advance their own positions. That process, unimpeded, inexorably drives economic surplus—the gap between the return a company earns and its cost of capital—toward zero. For a company to beat the market by capturing and retaining an economic surplus, there must be an imperfection that stops or at least slows the working of the market. An imperfection controlled by a company is a competitive advantage. These are by definition scarce and fleeting because markets drive reversion to mean performance (Exhibit 2). The best companies are emulated by those in the middle of the pack, and the worst exit or undergo significant reform. As each player responds to and learns from the actions of others, best practice becomes commonplace rather than a market-beating strategy. Good strategies emphasise difference—versus your direct competitors, versus potential substitutes, and versus potential entrants.

Market participants play out the drama of competition on a stage beset by randomness. Because the evolution of markets is path dependent—that is, its current state at any one time is the sum product of all previous events, including a great many random ones—the winners of today are often the accidents of history. Consider the development of the U.S. tire industry. At its peak in the mid-1920s, a frenzy of entry had created almost 300 competitors. Yet by the 1940s, four producers controlled more than 70 percent of the market. Those winners happened to make retrospectively lucky choices about location and technology, but at the time it was difficult to tell which companies were truly fit for the evolving environment. The histories of many other industries, from aerospace to information technology, show remarkably similar patterns.

To beat the market, therefore, advantages have to be robust and responsive in the face of onrushing market forces. Few companies, in our experience, ask themselves if they are beating the market—the pressures of “just playing along” seem intense enough. But playing along can feel safer than it is. Weaker contenders win surprisingly often in war when they deploy a divergent strategy, and the same is true in business.

Test 2 Does your strategy tap a true source of advantage? Know your competitive advantage, and you’ve answered the question of why you make money (and vice versa). Competitive advantage stems from two sources of scarcity: positional advantages and special capabilities. Positional advantages are rooted in structurally attractive markets. By definition, such advantages favor incumbents: they create an asymmetry between those inside and those outside high walls. For example, in Australia, two beer makers control 95 percent of


m a n ag e m e n t

B E S T OF B R E E D

the market and enjoy triple the margins of US brewers. This situation has sustained itself for two decades, but it wasn’t always so. Beginning in the 1980s, the Australian industry experienced consolidation. That change in structure was associated with a change in industry conduct (price growth began outstripping general inflation) and a change in industry performance (higher profitability). Understanding the relationship among structure, conduct, and performance is a critical part of the quest for positional advantage. Special capabilities, the second source of competitive advantage, are scarce resources whose possession confers unique benefits.

The most obvious resources, such as drug patents or leases on mineral deposits, we call “privileged, tradable assets”: they can be bought and sold. A second category of special capabilities, “distinctive competencies,” consists of things a company does particularly well, such as innovating or managing stakeholders. These capabilities can be just as powerful in creating advantage but cannot be easily traded.

Too often, companies are cavalier about claiming special capabilities. Such a capability must be critical to a company’s profits and exist in abundance within it while being scarce outside. As such, special capabilities tend to be specific in nature and few in number. Companies often err here by mistaking size for scale advantage or overestimating their ability to leverage capabilities across markets. They infer special capabilities from observed performance, often without considering other explanations (such as luck or positional advantage). Companies should test any claimed capability advantage vigorously before pinning their hopes on it.

When companies bundle together activities that collectively create advantage, it becomes more difficult for competitors to identify and replicate its exact source.

Consider Aldi, the highly successful discount grocery retailer. To deliver its value proposition of lower prices, Aldi has completely redesigned the typical business system of a supermarket: only 1,500 or so products rather than 30,000, the stocking of one own-brand or private label rather than hundreds of national brands, and super-lean replenishment on pallets and trolleys, thus avoiding the expensive task of hand stacking shelves. Given the enormous changes necessary for any supermarket that wishes to copy the total system, it is extremely difficult to mimic Aldi’s value proposition.

Finally, don’t forget to take a dynamic view. What can erode positional advantage? Which special capabilities are becoming vulnerable? There is every reason to believe that competitors will exploit points of vulnerability. Assume, like Lewis Carroll’s Red Queen, that you have to run just to stay in the same place.

Test 3 Is your strategy granular about where to compete?

The need to beat the market begs the question of which market. Research shows that the unit of analysis used in determining strategy (essentially, the degree to which a market is segmented) significantly influences resource allocation and thus the likelihood of success: dividing the same businesses in different ways leads to strikingly different capital allocations.

What is the right level of granularity? Push within reason for the finest possible objective segmentation of the market: think 30 to 50 segments rather than the more typical 5 or so. Too often, by contrast, the business unit as defined by the organisational chart becomes the default for defining markets, reducing from the start the potential scope of strategic thinking.

Defining and understanding these segments correctly is one of the most practical things a company can do to improve its strategy. Management at one large bank attributed fast growth and share gains to measurably superior customer perceptions and satisfaction. Examining the bank’s markets at a more granular level suggested that 90 percent of its outperformance could be attributed to a relatively high exposure to one fast-growing city and to a presence in a fast-growing product segment. This insight helped the bank avoid building its strategy on false assumptions about what was and wasn’t working for the operation as a whole.

In fact, 80 percent of the variance in revenue growth is explained by choices about where to compete, according to research summarised in The Granularity of Growth, leaving only 20 percent explained by choices about how to compete. Unfortunately, this is the exact opposite of the allocation of time and effort in a typical strategy-development process. Companies should be shifting their attention greatly toward the “where” and should strive to outposition competitors by regularly reallocating resources as opportunities shift within and between segments.

Test 4 Does your strategy put you ahead of trends?

The emergence of new trends is the norm. But many strategies place too much weight on the continuation of the status quo because they extrapolate from the past three to five years, a time frame too brief to capture the true violence of market forces. A major innovation or an external shock in regulation, demand, or technology, for example, can drive a rapid, full-scale industry transition. But most trends emerge fairly slowly—so slowly that companies generally fail to respond until a trend hits profits. At this point, it is too late to mount a strategically effective response, let alone shape the change to your advantage. Managers typically delay action, held back by sunk costs, an unwillingness to cannibalise a legacy business, or an attachment to yesterday’s formula for success. The cost of delay is steep: consider the plight of major travel agency chains slow to understand the power of online intermediaries. Conversely, for companies that get ahead of the curve, major market transitions are an opportunity to rethink their commitments in areas ranging from technology to distribution and to tailor their strategies to the new environment. To do so, strategists must take trend analysis seriously. Always look to the edges. How are early adopters and that small cadre of consumers who seem to be ahead of the curve acting? What are small, innovative entrants doing? What technologies under development could change the game?

To see which trends really matter, assess their potential impact on the financial position of your company and articulate the decisions you would make differently if that outcome were certain. For example, don’t just stop at an aging population as a trend—work it through to its conclusion. Which consumer behaviors would change? Which particular product lines would be affected? What would be the precise effect on the P&L? And how does that picture line up with today’s investment priorities?

30% of Indian telecom subscribers to be on 3G by 2015

The Chief Technology Officer Forum

cto forum 21 march 2011

Test 5 Does your strategy rest on privileged insights?

Data today can be cheap, accessible, and easily assembled into detailed analyses that leave executives with the comfortable feeling of possessing an informed strategy. But much of this is noise and most of it is widely available to rivals. Furthermore, routinely analysing readily available data diverts attention from where insight-creating advantage lies: in the weak signals buried in the noise. In the 1990s, when the ability to burn music onto CDs emerged, no one knew how digitisation would play out; MP3s, peer-to-peer file sharing, and streaming Web-based media were not on the horizon. But one corporation with a large record label recognised more rapidly than others that the practical advantage of copyright protection could quickly become diluted if consumers began copying material. Early recognition of that possibility allowed the CEO to sell the business at a multiple based on everyone else’s assumption that the status quo was unthreatened.

Developing proprietary insights isn’t easy. In fact, this is the element of good strategy where most companies stumble. A search for problems can help you get started. Create a short list of questions whose answers would have major implications for the company’s strategy—for example, “What will we regret doing if the development of India hiccups or stalls, and what will we not regret?” In doing so, don’t forget to examine the assumptions, explicit and implicit, behind an established business model. Do they still fit the current environment?

Another key is to collect new data through field observations or research rather than to recycle the same industry reports everyone else uses. Similarly, seeking novel ways to analyse the data can generate powerful new insights. For example, one supermarket chain we know recently rethought its store network strategy on the basis of surprising results from a new clustering algorithm.

Finally, many strategic breakthroughs have their root in a simple but profound customer insight (usually solving an old problem for the customer in a new way). In our experience, companies that go out of their way to experience the world from the customer’s perspective routinely develop better strategies.

[Figure: Markets drive a reversion to mean performance. Performance cohorts based on position in 2001 relative to mean, n = 743. Panels: Return on invested capital (ROIC), %; Ratio of enterprise value to invested capital (EV/IC). Horizontal axis: 2001 to 2009. Series: top quintile, middle quintile, bottom quintile. Source: Standard & Poor’s Compustat; McKinsey]


Test 6 Does your strategy embrace uncertainty?

A central challenge of strategy is that we have to make choices now, but the payoffs occur in a future environment we cannot fully know or control. A critical step in embracing uncertainty is to try to characterise exactly what variety of it you face—a surprisingly rare activity at many companies. Our work over the years has emphasised four levels of uncertainty. Level one offers a reasonably clear view of the future: a range of outcomes tight enough to support a firm decision. At level two, there are a number of identifiable outcomes for which a company should prepare. At level three, the possible outcomes are represented not by a set of points but by a range that can be understood as a probability distribution. Level four features total ambiguity, where even the distribution of outcomes is unknown.



In our experience, companies oscillate between assuming, simplistically, that they are operating at level one (and making bold but unjustified point forecasts) and succumbing to an unnecessarily pessimistic level-four paralysis. In each case, careful analysis of the situation usually redistributes the variables into the middle ground of levels two and three. Rigorously understanding the uncertainty you face starts with listing the variables that would influence a strategic decision and prioritising them according to their impact. Focus early analysis on removing as much uncertainty as you can—by, for example, ruling out impossible outcomes and using the underlying economics at work to highlight outcomes that are either mutually reinforcing or unlikely because they would undermine one another in the market. Then apply tools such as scenario analysis to the remaining, irreducible uncertainty, which should be at the heart of your strategy.

Test 7 Does your strategy balance commitment and flexibility?

Commitment and flexibility exist in inverse proportion to each other: the greater the commitment you make, the less flexibility remains. This tension is one of the core challenges of strategy. Indeed, strategy can be expressed as making the right trade-offs over time between commitment and flexibility. Making such trade-offs effectively requires an understanding of which decisions involve commitment. Inside any large company, hundreds of people make thousands of decisions each year. Only a few are strategic: those that involve commitment through hard-to-reverse investments in long-lasting, company-specific assets. Commitment is the only path to sustainable competitive advantage.

In a world of uncertainty, strategy is about not just where and how to compete but also when. Committing too early can be a leap in the dark. Being too late is also dangerous, either because opportunities are perishable or rivals can seize advantage while your company stands on the sidelines. Flexibility is the essential ingredient that allows companies to make commitments when the risk/return trade-off seems most advantageous.

A market-beating strategy will focus on just a few crucial, high-commitment choices to be made now, while leaving flexibility for other such choices to be made over time. In practice, this approach means building your strategy as a portfolio comprising three things: big bets, or committed positions aimed at gaining significant competitive advantage; no-regrets moves, which will pay off whatever happens; and real options, or actions that involve relatively low costs now but can be elevated to a higher level of commitment as changing conditions warrant. You can build underpriced options into a strategy by, for example, modularising major capital projects or maintaining the flexibility to switch between different inputs.

Test 8 Have you translated your strategy into an action plan?

In implementing any new strategy, it’s imperative to define clearly what you are moving from and where you are moving to with respect to your company’s business model, organisation, and capabilities. Develop a detailed view of the shifts required to make the move, and ensure that processes and mechanisms, for which individual executives must be accountable, are in place to effect the changes. Quite simply, this is an action plan. Everyone needs to know what to do. Be sure that each major “from–to shift” is matched with the energy to make it happen. And since the totality of the change often represents a major organisational transformation, make sure you and your senior team are drawing on the large body of research and experience offering solid advice on change management—a topic beyond the scope of this article!

Finally, don’t forget to make sure your ongoing resource allocation processes are aligned with your strategy. If you want to know what it actually is, look where the best people and the most generous budgets are—and be prepared to change these things significantly. Effort spent aligning the budget with the strategy will pay off many times over.

As we’ve discussed the tests with hundreds of senior executives at many of the world’s largest companies, we’ve come away convinced that a lot of these topics are part of the strategic dialogue in organisations. But we’ve also heard time and again that discussion of such issues is often, as one executive in Japan recently told us, “random, simultaneous, and extremely confusing.” Our hope is that the tests will prove a simple and effective antidote: a means of quickly identifying gaps in executives’ strategic thinking, opening their minds toward new ways of using strategy to create value, and improving the quality of the strategy-development process itself.

—About the Authors: Chris Bradley is a principal in McKinsey’s Sydney office, Martin Hirt is a director in the Taipei office, and Sven Smit is a director in the Amsterdam office. The authors wish to acknowledge the many contributions of McKinsey alumnus Nick Percy, now the head of strategy for BBC Worldwide, to the thinking behind this article.

—This article was originally published in January 2011 in McKinsey Quarterly, www.mckinseyquarterly.com. Copyright (c) 2011 McKinsey & Company. All rights reserved. Reprinted by permission.



Case Study | Mudra Group

Outsourcing Open Source Challenge:

Mudra group takes the open source route to address its operations and accounting functionalities. The web based application is centralised and integrated with all the business processes.

By Minu Sirsalewala Agarwal

The advertising vertical is a niche industry and one does not see much in terms of product and solution offerings for this space. As a result, leading players in this space are left to dabble in technology for themselves and take the home-grown route on most occasions. There are several examples where advertising agencies have developed their own solutions to cater to their needs. One such example is the Mudra Group, which embarked on this journey in 2001 and is now reaping the benefits. With a new brand identity and diversified business units, the group has successfully completed over 30 years in the industry.

Technology continues to play a key role at any organisation in realising its goals. The Mudra group too resorted to technology to achieve increased efficiency, streamline its processes and align its business goals with the delivery systems. mBoss (Mudra Branch Operations Support System), the flagship product of the group, has been at the core of this. mBoss is the operations and accounting business application of the Group that has been developed in-house and continues to be supported by the in-house team.

According to Sebastian Joseph, President Technology & FM, Mudra Group, “mBoss is a comprehensive web-based integrated accounting and operations system covering all the branding and communications offerings—mainline advertising (press & TV), digital media, out-of-home solutions, strategy & design consulting, localisation & pre-media services, content creation, interactive & new media, data driven marketing services, health & lifestyle communication, retail designing & visual merchandising, navigation solutions, promotional marketing, field force management, trade marketing, bottom of the pyramid marketing, sports marketing, integrated events management, youth marketing—making it one of its kind in the advertising vertical. The system is deployed across multiple companies and Strategic Business Units (SBUs) spread across multiple locations.”

The Group earlier had an accounting and operation system in UNIX and Ingres for major locations and a Clipper-based system for smaller branches. The corporate office had a separate accounting system in UNIX. None of these systems could talk to each other. “On a monthly basis, only the header information was brought in from respective locations and merged with the Corporate system. In short, all the systems were running in silos,” expressed Sebastian.

COMPANY DASHBOARD
Company: The Mudra Group
Headquarters: Mumbai, India
Employees: 1,100 employees across 26 offices
Clients: Aircel, Amrutanjan, Amway, Bank of Baroda, Bajaj Allianz Insurance, Castrol, Dabur, Disney, Emirates, Electrolux, Femina, Future Group, Godrej, HBO, Henkel, HP, HPCL, Hindustan Unilever, ITC, Jet Airways to name a few.

Sebastian Joseph, President Technology & FM, Mudra Group Ltd implemented a Mudra Branch Operations Support System for 20 percent of the cost of SAP.

A web-based solution

In 2001 management decided to take a re-look at the existing IT infrastructure. The entire IT landscape was re-drawn keeping in view the future growth agenda. This is when the company decided to go in for an integrated product that could address the business needs. After considerable evaluation of various off-the-shelf products it was decided to take the build route rather than the buy route. Sebastian shared, “The primary reason was lack of product fitment and high level of customisation (around 65%) required for the existing products. The next step was to decide on the overall architecture to be adopted. The first selection was the RDBMS. Ingres was the obvious choice since we were already an Ingres shop. After numerous discussions with the vendor, industry feedback and our own study we were not confident about their Roadmap. Hence we zeroed in on Oracle.”

Next was the Operating System (OS) selection. The users were all sworn UNIX fans. RISC architecture was vanishing. After a lot of deliberation, the choice was narrowed down to LINUX. Having achieved this, the development architecture was narrowed down to Java (J2EE). Crystal Report was the default choice for report development. “However, at that point of time, Crystal did not support LINUX. We found a third party software that allows rendering of Crystal reports on the LINUX platform,” added Sebastian.

The development journey began in mid 2001. The system initially addressed Accounts Receivable, Accounts Payable, General Ledger and MIS on the accounting front. Client Servicing, Press, TV, Outdoor, Studio were covered on the operations front. With the business growth, newer modules such as Radio, Internet, Trade Marketing, Direct Marketing, etc. were added. Sebastian shares, “This is a completely web-based model – anytime anywhere access. Whenever we look at adding any additional physical location to the business, all we need to take care of is only the basic physical infrastructure. There is nothing on the technology front that needs to be additionally set up as one just needs an internet connection to have the new location up and running in a jiffy.”

Challenges faced

Change is a way of life but change is not always welcome. Sebastian opined, “Challenges were plenty. Users knew about 40 percent of what they required. The user requirements received were half baked. IT team had to burn the midnight oil debating on the user inputs and stretch them to create possible scenarios. Since they were not exposed to other systems their thinking was single track. Best practices being followed in the industry vertical were not known.”

In 2001, Java resource was a scarce commodity. So was the case with Open source. On the implementation front, the team faced immense mind-set issues. User acceptance thus became a challenge. One thing that did work in the company's favour was the UI. The earlier system was in character mode whereas the new system had a graphical user interface.

Then came the huge task of migration that was an even bigger challenge. Sebastian expresses, “We had to do extensive hands-on support to the users. The business logic also underwent changes at the time of implementation. We came across business cases that differed from location to location for the same activity.”

The system was developed in-house and proved to be extremely cost effective as the investment was well within 20 percent of a SAP or any other similar implementation for a like to like enterprise. Sebastian opined, “The maintenance cost is also negligible as compared to what a similar enterprise would end up paying as ATS or AMC charges to SAP or other similar solution annually.”

Key benefits

The web-based feature of the solution was the one which truly gave the solution its due credit. According to Sebastian, other benefits included implementation of unified accounting practices, integration of all transactions, effective control, and the flexibility to take care of different business cases, etc. Due to a centralised web-based infrastructure, anywhere anytime access became a reality and security could now be centrally controlled. In terms of resource utilisation also the group witnessed a significant change. There was an efficient utilisation of manpower and computing resources.

General Features

Multi-company support
Multi-division support
Multi-location support
Multi-currency support
Supports all types of clients: full agency, fee based, AOR (Agency on Record)
Multiple media support: print, electronic, digital, studio, production, out-of-home, event management, retail
Facility to import plans in Excel
Facility to create bulk RO / contracts
Supports different formats of contracts
Facility of post changes in contracts
Statutory compliance: TDS, service tax, input, VAT, stamp duty, central sales tax etc.
In-built checking of duplicate supplier invoice
In-built e-payment facility
Adjustment of bills within group clients
Inter-branch transactions
Commission sharing: internal/external
Facility to reverse a wrongly entered document
Push reports: on given intervals
Integration: e-HRMS and time-sheet
User friendly accounting functionalities
Data retrievals and huge MIS reports
On-line user help
Issue tracking tool

Constant upgrades

Since the start of this initiative in 2001, there have been constant feature upgrades. "Apart from tight integration with other business applications, our business has gone through major growth. From a few companies/SBUs it has grown into multiple companies, multiple SBUs, multiple locations, multiple business verticals," Sebastian opines. mBoss caters to both the accounting and operations requirements for the entire Mudra Group across all companies, SBUs, locations and business verticals.

Road ahead

According to Sebastian, “The intention behind implementing a virtual office infrastructure is that employees can work from any geography. The base application platforms that address end-to-end business processes are already in place. The organisation is now constantly building new features and applications on this framework. In terms of management, innovation and support, Sebastian has done things differently. The core team that supports the business application is a five-member team. The entire project management – design, implementation, support and infrastructure management – is done by the core team. The development and testing are carried out through a cost-effective staffing model. 23 outsourced consultants operate out of company premises, managed by the five-member team, thus ensuring effective project management.



Cover Story | Enterprise Storage

The cloud is forming; Virtualisation adoption is rising; and SSD is steadily gaining. Indian CIOs are at the forefront of technology when it comes to managing the data deluge.

ILLUSTRATIONS BY PC ANOOP

It was not too long back when a couple of terabytes were considered big data. Not anymore. Today, information in enterprises runs into tens and hundreds of terabytes. Managing this ever increasing data flow is a tough challenge, more so because of the critical nature of the information. The CIO of an enterprise, thus, has his job cut out. He has to formulate a storage strategy that aligns with his company's growth plans, is flexible and possesses scalability. Read on to know how Indian CIOs are dealing with this data deluge.

Inside
Cloud of Data
Moving Your Data to the Cloud – Sense and Sensibility
What's Hot in Storage
Case Study: Enhancing Operational Efficiency
Making the Right Choice
Interview: “Automated tiering is the future of storage”
Taking a Behind the Scenes Look at Storage TCO

Cloud of Data

Enterprises are increasingly including cloud in their overall strategy of managing the data flow. CIOs across verticals have already taken baby steps towards cloud storage, and it won’t be long before they leapfrog into it.

By Yashvendra Singh

Over the last couple of years, cloud storage has come to be one of the most widely used terms in enterprises. However, it is only now that CIOs have started putting their money where their mouths are. There are enterprises that have now allocated separate budgets for cloud storage. Max New York Life Insurance, for instance, has set aside a budget just for cloud storage. “We are exploring the various possibilities around cloud storage and have a budget also around it,” says Parvinder Singh, Corporate Vice President & Head IT Services, Max New York Life Insurance. “I am all for it (cloud storage). You may call it by any definition, but we are already running a private cloud in my enterprise that has fast provisioning. We have hosted more than 100 applications on the cloud infrastructure and they are performing perfectly. We are slowly maturing the model, and are not far away from moving to public cloud storage,” he says.

Cloud storage could get a big boost in the near future, if a recent report from research firm Ovum is to be believed. According to the report, Clouds Open for Enterprise Storage, a new breed of specialised cloud storage services is emerging that would be able to take care of live data being generated from a customer’s applications.

These storage services would be able to work independent of other cloud services, and claim to be more cost effective compared to the traditional on-premise storage solutions. As Timothy Stammers, Senior Analyst at Ovum, had said in a statement, “Not only do they relieve the burden of storing data on customers' premises, but they also have the multiplying effect of transferring to the cloud provider the responsibility of backing up that data.”

Nandkishor Dhomne, CIO, Manipal Hospitals, believes 2011 would be the year when cloud storage would go mainstream in the enterprise segment. “Cloud storage is going to go mainstream in 2011. Enterprises are migrating their non-critical applications such as email and back office onto the cloud,” says Dhomne, who himself is moving his non-critical data onto the cloud.

Scalability and Efficiency The move towards cloud is logical as it offers elastically scalable storage resources in a metered manner, thereby delivering significant value in efficiency, agility and speed. Proponents of cloud storage can gain encouragement from yet another study, ‘Cloud Computing in India 2010 - End-User Adoption Trends,’ by Springboard Research. According to the report, awareness around cloud computing has shot up significantly among enterprises in India during the last 12 months with an increasing number of enterprises finding it appropriate for their IT infrastructure. The report also found out that those enterprises in India that had adopted cloud, storage ranked amongst the top applications that were moved onto it. “Cloud adoption and awareness have increased rapidly in India, but a large proportion of non-users still have no concrete plans to adopt cloud-based solutions. While this is currently a consistent trend across the Asia Pacific excluding Japan (APEJ) region, it is also changing rapidly and the percentage of Indian organisations planning cloud initiatives is set to increase dramatically”, Michael Barnes, VP, Software Research at Springboard Research has said in the report. “While a focus on reducing hardware infrastructure costs is the most important driver of cloud adoption in India and across APEJ region, the strong focus on scalability on-demand is unique to India-based respondents”, Sanchit Vir Gogia, Associate Research Manager, Software Research at Springboard Research further said. The benefits of freeing up of capital, which can then be deployed in other busi-

“We are exploring various possibilities around cloud storage.” Parvinder Singh

Corporate Vice-President & Head IT Services Max New York LIfe Insurance

“For starters, we are moving our workflow and email access to the cloud.” S C Mittal

Group CTO, IFFCO.

COVE R S TO RY

ness units is creating a strong pull for enterprises towards cloud storage. With an eye on optimising its resources, multi-product electric engineering and electrical goods manufacturing company, Havells, is moving its primary data to the cloud. “I feel cloud is the future. The benefits are huge as we are able to get expert services at minimum price. If used intelligently, it is very beneficial for an enterprise as it helps in optimising resources,” says Vivek Khanna, Vice President, Finance & IT, Havells. “Cloud storage model is moving towards maturity with every passing day. We are going in for Oracle’s salesforce automation tool, Oracle on Demand. We are also moving our primary data outside, and transforming the in-house data center into disaster recovery site,” he adds. Indian Farmers Fertiliser Co-operative Limited (IFFCO) too is aiming to make the most of the opportunity arising from cloud storage. "For starters, we are moving our workflow and email access to the cloud," reveals S C Mittal, Group CTO, IFFCO. For others like Dhomne, migrating to the cloud has several other benefits. “By moving to the cloud, I would do away with the need to have skilled manpower. There would be no hassles of updating patches, and since our company would not be hosting servers, there won’t be issues of manageability,” says Dhomne. While there are CIOs showing faith in cloud storage, there are others who are treading cautiously on account of issues associated with the model. Some bottlenecks that exist in the present cloud storage model include -- relationship problems cropping up between the service provider and the enterprise; what would be the legal contract between an enterprise and the service provider; lack of firm SLA (service level agreement) between the parties; and fool-proof security and confidentiality of the customer data. These are, however, teething troubles common with any new technology. 
At the end of the day, an enterprise has to focus on a technology that adds to its top line and bottom line. From a wait-and-watch mode, large companies have already started moving their storage onto the cloud. A few more proofs of concept would have a domino effect.

cto forum 21 MARCH 2011


Moving Your Data to the Cloud: Sense and Sensibility

Before building an effective data governance strategy for the cloud, a CIO needs to ask and answer 10 crucial questions.
Contributed By: Danny Lieberman

Data governance is a sine qua non to protect your data in the cloud. Data governance is of particular importance for the cloud service delivery model, which is philosophically different from the traditional IT product delivery model. With increasing numbers of low-priced, high-performance SaaS, PaaS and IaaS cloud service offerings, it is vital that organisations start formalising their approach to data governance. Data governance means defining the data ownership, data access controls, data traceability and regulatory compliance, for example PHI (protected health information as defined for HIPAA compliance).

To build an effective data governance strategy for the cloud, start by asking and answering 10 questions – striking the right balance between common sense and data security requirements:

1. What is your most valuable data?
2. How is that data currently stored – file servers, database servers, document management systems?
3. How should that data be maintained and secured?
4. Who should have access to that data?
5. Who really has access to that data?
6. When was the last time you examined your data security/encryption policies?
7. What do your programmers know about data security in the cloud?
8. Who can manipulate your data (include business partners and contractors)?
9. If leaked to unauthorised parties, what would the damage cost the business?
10. In case of a data breach, how long would it take you to detect the data loss event?

A frequent question from clients regarding data governance strategy in the cloud is “what kind of data should be retained in local IT infrastructure?” A stock response is that obviously sensitive data should remain in local storage. But instead, consider the cost/benefit of storing the data in an infrastructure cloud service provider and not disclosing those sensitive data assets to trusted insiders, contractors and business partners. Using a cloud service provider for storing sensitive data may actually reduce the threat surface instead of increasing it and give you more control by centralising and standardising data storage as part of your overall data governance strategy. You can RFP/negotiate robust data security controls in a commercial contract with cloud service providers – something you cannot easily do with employees.

A second frequently asked question regarding data governance in the cloud is “How can we protect our unstructured data from a data breach?” The answer is that it depends on your business and your application software. If anything, the database threat surface is growing rapidly. Telecom/cellular service providers have far more data (CDRs, customer service records etc.) in structured databases than in Office, and with more smart phones, Android tablets and Chrome OS devices this will grow even more. As hospitals move to EMR (electronic medical records), this will also soon be the case in the entire health care system, where almost all sensitive data is stored in structured databases like Oracle, Microsoft SQL Server, MySQL or PostgreSQL.

Then there is the rapidly growing use of MapReduce/JSON database technology used by Facebook and Digg: CouchDB (with 10 million installations) and MongoDB, which connect directly to Web applications. These NoSQL databases may be vulnerable to some of the traditional injection attacks that involve string concatenation. Developers are well-advised to use native APIs for building safe queries and to patch frequently, since the technology is developing rapidly and, with large numbers of eyeballs, vulnerabilities are quickly being discovered and patched.

Note the proactive approach that the Apache Foundation is taking towards CouchDB security, and a recent (Feb 1, 2011) version release for a CouchDB cross-site scripting vulnerability. So, consider these issues when building your data governance strategy for the cloud, and start by asking and answering the 10 key questions for cloud data security.
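The string-concatenation risk and the advice to build queries through native APIs, shown as an added example (not code from the article, CouchDB or MongoDB). It uses a small in-memory stand-in for a JSON document store; `ACCOUNTS`, `find`, the two lookup functions and the hostile input are all constructed for illustration, and the type check goes slightly beyond the text by also rejecting operator objects that arrive in parsed JSON.

```javascript
// Constructed sample documents standing in for a JSON document store.
// No real database or driver is used; find() is a hypothetical stand-in.
const ACCOUNTS = [
  { user: "alice", role: "customer" },
  { user: "bob", role: "customer" },
  { user: "carol", role: "admin" },
];

// Minimal filter matcher for this example: exact match, plus the
// {"$ne": value} operator form used by JSON query languages.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      const ops = Object.keys(cond);
      if (ops.length === 1 && ops[0] === "$ne") return doc[field] !== cond.$ne;
      throw new Error("unsupported operator in filter");
    }
    return doc[field] === cond;
  });
}

function find(filter) {
  return ACCOUNTS.filter((doc) => matches(doc, filter)).map((doc) => doc.user);
}

// UNSAFE: the query is assembled as text and parsed afterwards, so a quote
// in the input can end the string value and add or override filter keys.
function findCustomerUnsafe(name) {
  const queryText = '{"role": "customer", "user": "' + name + '"}';
  return find(JSON.parse(queryText));
}

// SAFER: the filter is built as a data structure, so the input can only ever
// be a value. The type check rejects objects such as {"$ne": ""} that a
// parsed JSON request body could otherwise pass in place of a string.
function findCustomerSafe(name) {
  if (typeof name !== "string") {
    throw new TypeError("user name must be a string");
  }
  return find({ role: "customer", user: name });
}

// Constructed hostile input: closes the string and repeats the "user" key
// with an operator. JSON.parse keeps the last duplicate key, so the parsed
// filter no longer names a single user.
const HOSTILE = '", "user": {"$ne": ""}, "role": "customer';

console.log(findCustomerUnsafe("alice")); // one record, as intended
console.log(findCustomerUnsafe(HOSTILE)); // every customer record
console.log(findCustomerSafe(HOSTILE));   // nothing: treated as a literal name
```
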

—Danny Lieberman is a serial technology innovator and leader. Danny's software security business, Software Associates, provides enterprise information protection to clients in Europe and the Middle East.

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


What’s Hot in Storage

CIOs are turning to state-of-the-art technologies and storage best practices to manage the ever increasing flow of information and data.
By Yashvendra Singh

There has been a phenomenal growth in enterprise data in the last few years. The increase in information is putting pressure on not just an enterprise’s storage infrastructure but also on the human capital required to manage it. According to a recent study by IDC, digital data is clocking a fast year-on-year growth of 60 percent. It is expected to touch 1800 exabytes in 2011, which is a 10-fold increase over the last five years. To keep up with the growing data, there has been a steady growth in external controller based storage. This segment grew by 17.8 percent in 2010, according to industry experts. The growing data, coupled with the fact that it is considered a strategic asset by an enterprise, is posing a serious challenge for a CIO as he is required to put in place a storage strategy that is flexible, scalable and secure. Above all, he has to implement all this and cut costs too. CIOs are, therefore, deploying technologies and implementing best practices to manage their data and information in the best possible manner. Virtualisation and deduplication are some of the technologies that enterprises are increasingly turning towards for simplifying their storage infrastructure.

Storage Virtualisation

Virtualisation of the storage infrastructure is a clear trend that is being carried forward from last year. According to experts, in 2010, enterprises went in for virtualisation but not in a structured way. This year will see them adopting virtualisation in a more structured way. Manipal Hospitals, for instance, is one such organisation that has storage virtualisation high up on its priority list in 2011. The company is witnessing its data growing at 18-22 percent year-on-year. Currently, Manipal Hospitals handles about 30 terabytes of data, which is expected to increase significantly as it is in the process of implementing HIS (Hospital Information System) in 13 other group hospitals. Likewise, IFFCO is implementing Oracle ERP across its five manufacturing plants, and expects its data volumes to grow several fold. “Our primary storage is about 9 terabytes, which is being used by Oracle and Dominos database, while our vital storage is about 4 terabytes. Once we move from the present legacy operations to Oracle ERP, there will be an increase in data. The way out would be to go in for virtualisation,” says S C Mittal, Group CTO, IFFCO.

Multi-national companies with smaller set-ups in India also have virtualisation on their storage roadmap. As Preet Singh Khanna, CIO of commodity trading multinational, Glencore India, says, “We deployed IBM 3400 storage about five months back, and are using it for our storage and archival needs.” Glencore India has a storage requirement of 3 terabytes at present, while the solution is capable of handling 15 terabytes. “However, the pace at which we are growing, it won’t be long before we would need to look at other options. Storage virtualisation helps in optimising resources to the fullest, and we would go for it two years from now,” he says.

Automated Tiering and Deduplication

Automated tiering is set to make big waves in many SANs in enterprises. It is becoming tedious to store data in a flat storage environment. Through automated tiering, enterprises are able to put information on the tier of discs that it needs – more accessed information on the top tier and less frequently accessed information on the lower tier. Those organisations that have already implemented automated tiering are reaping its benefits. “For IFFCO, implementing tiered storage has helped. We have moved vital data to fiber disc, while the archival data has been migrated to the cheaper SATA devices,” says Mittal. “We are now able to pull out important information fast, and data that is not needed has been pushed behind.”

According to analysts, deduplication is gaining traction, and it is expected to become big in the next two years. Ajay Shah, Senior Vice President, IT Applications & Security at Enam, is in the process of implementing deduplication. “We are going in for deduplication, and should be able to complete it over the next three months,” he says. Data deduplication could be in the form of archive storage, virtual tape libraries, disk storage systems, backup systems, and applications like email systems. Deduplication enables more volume of data to be stored on disc or fast access devices. For an enterprise it makes sense as it improves return on investment on systems.

Solid State Disc

There is also a slow but steady movement towards solid state discs. While they may be expensive at the moment, their benefits offset the costs. Large companies looking at high performance and lower chances of data disruption could deploy solid state devices for their storage in 2011. As solid state devices don’t have mechanisms such as spindle and magnet, their seek times are extremely low, thereby making data available fast. Says Nandkishor Dhomne, CIO, Manipal Hospitals, “We are certainly looking at solid state discs. I may have 10 percent of the data that I access frequently put on solid state discs. The initial higher cost will be offset by the reduction in the footprint of the storage box and its power consumption.” As per an IDC Outlook report brought out last year, solid state disc drive shipments are expected to increase 14 percent a year with a CAGR of 54 percent through 2013.

Storage Best Practices

Policy in Place: A CIO needs to make sure he has a policy in place on how to manage the unstructured data. According to an estimate, unstructured data takes up 80 percent of the entire enterprise storage, which is completely uncalled for. He should use technologies such as deduplication and thin provisioning to minimise the unstructured clutter.

Ease of Access: A CIO should be able to categorise the information in such a manner that the most important information is easily and quickly accessible.

Capacity and Regulation: The total capacity requirement within an enterprise should be in sync with the regulatory requirement of the particular sector. A CIO has to deploy a storage solution within that parameter for optimum utilisation.

Go With the Need: A CIO should not buy storage based on the lifecycle of the product. Instead, he should buy according to his need. An ideal situation is to procure for the next six months instead of the next two-three years. Considering the cost of storage declines every quarter, it would not make business sense to buy storage to meet two-three years’ demand.


CASE STUDY | HDFC Bank

Enhancing Operational Efficiency

Experiencing an exponential growth in data, HDFC Bank decided to further ramp up its already virtualised storage infrastructure. The result was an increase in overall operational efficiency.
By Yashvendra Singh

Incorporated in August 1994, HDFC Bank currently has a nationwide network of 1,780 branches and 5,231 ATMs in 833 Indian towns and cities. As the bank expanded and decided to increase its retail customer base, the storage infrastructure came under a lot of pressure. In response, HDFC implemented a multi-tiered storage solution for its business intelligence applications and data warehouse. However, the bank kept up its pace of growth, which resulted in further expansion in the volume and complexity of the bank’s storage needs. The growth in data was stretching the management software and hardware that were initially deployed. The day-to-day operations of the bank were slowing down. There were increased demands on the storage system too, with the need to improve time management processes, extend the life of its existing storage assets, and shorten timelines.

By 2005 it became clear that HDFC needed a more powerful model to handle the multiple terabytes of data being analysed and moved. It decided to go in for Hitachi’s Universal Storage Platform 1100. “The important aspect needed to improve operational efficiencies was to shift the architecture from islands of stranded storage assets to a virtualised tiered storage infrastructure,” says Harish Shetty, Senior Vice President of IT, HDFC Bank. Under a tiered infrastructure, the most important information or data is available for systems that demand the highest availability, which includes the disaster recovery infrastructure. The least critical data, such as nearline data analysis and data for backups, on the other hand, is stored on less expensive storage.

By adopting this multi-tiered approach, HDFC was able to leverage the investment that it had earlier made by deploying the Universal Storage Platform 600. It made the new Universal Storage Platform 1100 the primary Tier 1 platform, with virtualised legacy storage behind it. The bank also added lower cost Tier 3 storage, which is virtualised behind the Universal Storage Platform. In addition, the multi-tiered system simplifies data management. Having a tiered storage strategy lets HDFC move large databases quickly to top tier storage for analysis, and then back to lower tier storage when done. These efficiencies also allow the bank to analyse data more quickly despite its growth, providing more actionable insight to the bank’s management that can help improve revenues, not just cut costs.

“The aim was to basically optimise the requirement for production, testing, and archival of the database, and integrate it into a common storage. This data could then be flexibly used as and when we needed based on the application,” says Shetty. The virtualised infrastructure also allowed HDFC to align application data to the appropriate class of storage, reducing the cost of data storage and extending the life of storage assets. “The advantage accrued was the visibility of the entire storage, and we were able to move from one storage to another based on the need,” says Shetty. “Based on previous approaches, the bank’s IT department expected to spend 33 days to migrate the volumes on the storage systems. With the new technology, the application was brought down for less than an hour,” avers Shetty.

The bank now uses tiered storage manager software’s nondisruptive data mobility capability with regular monthly processes that require data migrations. This has eliminated hours of service disruptions. HDFC is now planning to implement virtualisation and tiered storage at its retail banking arm.

The Goals

Improve Operational Efficiencies. HDFC Bank’s growth meant that its storage systems had to grow and scale in terms of physical capacity.

Simplify Management of Storage Infrastructure. From 2004 to 2007, HDFC’s storage grew from 10TB to over 400TB to support the exponential growth in the retail banking sector. This massive proliferation of data required a new system of management.

Lower Costs Efficiently. Allocating storage helps increase utilisation and cut storage administration costs.

Reduce Migration Time and Complexity. Based on previous approaches, the bank’s IT department expected to spend up to 33 days performing a data migration when migrating data from a legacy storage system to the new platform.

The Results

Operational Efficiencies in Change Management. Change management can be done online without bringing the application down. There is no need for the extensive planning and coordination between the multiple groups. New volumes can be created with required configurations. The application and data can be migrated online.

Simplified Storage Management, Streamlined Migration Process. HDFC Bank avoided both the complexity and time needed for migration by using virtualisation technology and tiered storage manager software. The software did the storage mapping and then moved the data nondisruptively to the new storage.

Extended Life of Storage Assets. The multitier system has ensured that the life of storage assets is enhanced.

Reduced Capital Expenditure. The bank is now able to have low cost storage tiers.

Reduced IT Risks. The implementation has ushered in flexibility, scalability and improved uptime, easing the stresses that rapid growth has visited upon the bank’s data centers.



Making the Right Choice

While Deduplication is an asset for managing data, choosing the right product is not easy.
By David Strom

As the amount of data stored on the networks increases, it also takes more time to make backup copies of this data. This presents problems as the time for these backups lengthens beyond the overnight period. One solution is to eliminate duplicate data that is backed up. How much can you save? A lot. In some cases, there is more than a 10-to-1 savings, meaning that 90 percent of your data is duplicates. Eliminating these redundant files can go a long way towards speeding up the backup process. As the screen shot of Symantec's PureDisk NetBackup shows, more than 95 percent of the data files have been eliminated as a result of the deduplication process, going from a backup of more than 3GB to about 150MB.

Deduplication seems like a simple concept, but picking the right deduplication product isn't. There are dozens of vendors. There are also all sorts of technical wrinkles to understand before making the right purchase of a deduplication product. Here is a checklist and some suggestions as you navigate these waters:

First off, where is the software agent located that controls the deduplication process? Some products put their agents at the source, meaning on each and every server that will be backed up, and others on the actual backup appliance. You need to put it someplace, and depending on your particular set of servers and circumstances, and IT policies, you may prefer one or the other method. Some of the products, like CA's Arcserve Backup, can now work with agents in both locations.

Second, how does the deduplication appliance appear to the backup software app? Some deduplication boxes appear like a network-attached storage device, while others appear like a storage area network drive. Depending on the backup software that you already have, one of these might be more appealing to your situation.

Does the deduplication agent have any granularity with any particular apps or OSs? Some products can examine individual email messages, or database records, or files that have changed on a particular virtual machine instance. As more and more shops make use of virtualisation technology, this factor becomes increasingly important, as the size of the virtual disk images can be enormous, yet they contain mostly the same common files for the operating system and underlying applications. This makes these deduplication products more useful when working with the backup software when the need comes to restore these particular files from inside the virtual images.

Do you need special hardware or does the deduplication function come included as part of the backup software? A number of the usual backup software vendors are moving towards integrating deduplication functionality in their products. For example, enabling data deduplication functionality on both Symantec's NetBackup 7 and Backup Exec 2010 needs only a single check mark in a pop-up box in one of their control menus.

Is deduplication happening during the live stream of backup data or does some post-processing occur? This means that the backup could be first staged to a hard drive designed for this purpose, and then the duplicates are later removed. If the former, do you have enough storage capacity to hold all of your backup files, and can you add more storage as your needs grow?

Finally, how does the deduplication product fit into your overall storage resource management picture? Can you examine file aging reports that show which files haven't been accessed by your users for more than 90 days, for example? Or understand how your storage area networks are using their disk arrays, and perhaps reconfigure them for more optimal usage? These and other analyses are valuable if you want to effectively manage your storage needs.

—Dave Strom is a freelance writer living in St. Louis and the former editor-in-chief of Network Computing magazine, DigitialLanding.com, and Tom's Hardware.com. He has written two books and numerous articles on networking, the Internet, and IT security topics. He can be reached at david@strom.com and his blog can be found at strominator.com.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.


“Automated tiering is the future of storage”

Storage market in India is set for growth as new technologies promise to make storage cheaper and apps perform faster. Aman Munglani, Research Director, Gartner talks to Varun Aggarwal about the new developments.

What is the kind of growth you’re seeing in the storage market in India? What are the key drivers for growth?

The external controller-based disc market in India grew at 17.8 percent in 2010 over 2009 and we expect the growth to continue in 2011 at 16 percent over 2010. The Government vertical would be the biggest driver for growth in the storage market in India in 2011. While the government spending on storage contributes about 8-9 percent of the overall storage spend in India, going forward, we expect its contribution to increase to about 18-20 percent. We also expect to see increased traction in the SMB market that would fuel growth. BFSI and Telecom sectors would continue to drive storage demand, though we expect a slight slowdown in demand from the telecom sector this year.

What would be the key storage technologies for the next two years?

Companies have seriously started looking at technologies that improve efficiency in their storage infrastructure. Therefore, while data deduplication is still at a nascent stage in India, we expect to see good traction for it in the Indian market. Storage virtualisation, on the other hand, would see slower adoption as it is not a one-size-fits-all solution. While it may make sense for some enterprises, it may not be suitable for other enterprises and SMBs. Automated storage tiering will be the most important technology to look forward to in 2011. Though not a new concept, organisations are realising the importance of tiering to improve efficiencies and reduce cost. Allowing organisations to free up human resources from operational issues, automated storage tiering would help them focus on development and innovation. Thus, we expect this technology to have huge adoption in 2011.

What could be the other areas of interest for an enterprise?

Other areas of focus would include newer technologies like Near Line SAS, which gives you fibre channel performance at the cost of SATA. Similarly, people would also want to consider automated SSDs to improve the performance of applications. However, the first step is to have a storage plan. We’ve observed that most organisations don’t even have a storage plan. Organisations need to take some time out and try to understand what kind of applications they are running, what is the kind of disc performance that these applications require, what is the expected growth of the organisation.

What is your view on cloud storage? Do you expect large scale adoption of the same in the near future?

While some organisations are ready to experiment with cloud storage, there are still apprehensions regarding security in the cloud and thus enterprises are taking a cautious approach. Cloud storage looks quite appealing for SMBs on paper but we haven’t seen a major vendor endorsing it in order to reach out to the SMB community and resolve their concerns around the cloud.



Taking a Behind the Scenes Look at Storage TCO

To ensure the storage system has a low TCO, a CIO should know the key measures to be calculated when evaluating the total lifecycle cost of the solution.
By Rob Peglar

In today’s economic environment, it’s critically important to make sure that any data storage system an organisation purchases has an optimally low total cost of ownership (TCO) over its lifetime. Many storage buyers today use capital expenditure (CapEx) as the sole factor for determining the value of a storage purchase. In doing so, they overlook multiple significant operating expenditure (OpEx) cost variables such as:

- Length of warranty period;
- Post-warranty hardware and software maintenance costs;
- Software licensing fees;
- Administration costs;
- Power and cooling costs; and
- Incremental cost of storage growth and the cost of lost business value caused by system downtime.

Further complicating the total cost equation is that these variables impact storage systems differently depending on the vendor. In the end, as David Vellante points out in his Wikibon article Storage CapEx vs. OpEx, OpEx is 64% of TCO, compared to 36% for CapEx. In this article, I will explain several key TCO measures to calculate when evaluating the total lifecycle cost of your storage system. This should remove the complexity surrounding the true cost of storage, help you purchase the best system for your unique environment, and improve your return on investment.

The CapEx Equation CapEx is the easiest cost to determine since it is essentially the storage system’s sticker price. However, it’s important to not make a purchasing decision based on sticker price alone. A purchasing decision needs to take into account the underlying long-term cost variables. To better estimate the cost and manage the impact of CapEx, focus on these four primary strategies: Purchase Only What You Need Now- Purchasing the full amount of capacity needed for the life of a storage system at the point of sale may be simple, but it’s an inefficient use of resources and will decrease the system’s utilization rate. By deferring hardware purchases, you benefit from declining hardware costs over time. Disk drive prices have historically declined 30% year-overyear according to Gordon Moore in his April 1965 article “Cramming More Components onto Integrated Circuits.” ftp://download. intel.com/research/silicon/moorespaper. pdf As a result, purchasing three or even five years of capacity at the point of sale could cost you up to 150% more over a five-year period than adding the capacity each year, only when needed. The legacy view of purchasing storage capacity upfront is that it will be cheaper than making incremental add-on purchases and does not introduce downtime for subsequent installation. But with today’s storage technology, this is less of a concern and certainly not enough to justify such a TCO hit. Reduce TCO with Higher System Utilisation - There is a double benefit to purchasing storage capacity as it is needed.

COVE R S TO RY

“By deferring hardware purchases, you benefit from declining hardware costs over time” Not only does it reduce upfront and overall system purchase cost, but it also lowers OpEx by reducing electricity usage and software licensing fees through higher system utilization. Fewer disk drives means less maintenance, reduced licensing fees, and lower power and cooling requirements. However, you must ensure that you also get the I/O performance you need even as system utilization increases. Few storage systems can provide this benefit and an incorrect choice may force you to accept lower system utilization not for capacity but for performance. That’s because some systems may only have sufficient I/O capacity when writing to or reading from the outermost cylinders of disk platters, a practice known in the industry as “short stroking.” Make sure you get the capacity and the I/O performance you need at full utilisation. You are paying for the system, after all. Take full advantage of it and do not settle for less than optimal utilisation. The up-front cost of storage can also be reduced by implementing a tiered storage strategy. By purchasing storage capacity at a variety of price points you’ll have the flexibility to tailor the system’s capacity to your budget, with more expensive, highperformance storage for transaction processing systems, or value storage for disk backup. Additionally, you may be able to consider systematically turning off your lowest tier of hard disk drives for added power savings through well-controlled methods such as after a backup to disk or writing data to be archived to disk.

Avoid Forced Obsolescence - Every storage system has a useful life and a warranty length, and as with your car, the two are not the same. Many storage vendors encourage you to throw away or turn in a perfectly good system after three years, because they are keen to sell you newer gear even if your current storage system is meeting your needs. Storage vendors move this process along by tilting the annual cost/benefit equation of a new system strongly in their favor after the warranty is up. They do this because, ex-warranty, you are forced to purchase maintenance contracts to keep the system operational. Maintenance fees vary from vendor to vendor, and it’s not uncommon for these fees to be greater than the depreciation expense of a new system. This creates what is known as forced obsolescence. You may be able to avoid added maintenance fees by considering the length of warranty available as you choose your system. A longer warranty brings a system’s sticker price and its useful life into closer alignment.

Control Software Licensing Costs - Software licensing fees also significantly vary by vendor and may be based on the number of storage systems, performance, capacity and features, or a combination thereof. It’s vital that you have a full and complete understanding of a vendor’s software licensing fees up front, over the useful lifetime of the system. Depending on the licensing model used, there may be a dramatic impact on future system costs when it comes time to upgrade. Moreover, software licensing costs may increase whether the system upgrade is designed to boost performance or capacity.

—In part II of this two-part series, Rob will explore OpEx factors affecting TCO. Until then, you can use this handy worksheet to uncover your storage system's TCO.

—This article appears courtesy www.cioupdate.com. To see more such articles regarding IT management best practices, please visit CIOUpdate.com.

The Chief Technology Officer Forum

cto forum 21 MARCH 2011



NEXT HORIZONS

Jeff Vance says: “Some insider attacks are practically proof-of-concept for state sponsored or organised crime sponsored ones.”


Stuxnet and the Future of Malware

Stuxnet is, in part, a sophisticated logic bomb, or a specific type of malware that kicks into higher gear when specified conditions are met. By Jeff Vance

Who was responsible for Stuxnet? This was a question I asked a number of security pros at the 2011 RSA security conference last month in San Francisco. The leading contenders were the obvious ones: the U.S. and Israel. However, a very good case was made (off the record, unfortunately) for a surprising dark horse: China. “Sure, China relies on Iran for oil, and it is an ally of Iran at the U.N., but China doesn’t want a nuclear Iran any more than we do,” my source said. China has proven itself to be proficient at cyber-espionage; most likely responsible for penetrating the U.S. electrical grid, as well as both U.S. defense and intelligence networks, usually via thumb-drive launched malware.

Is the private sector next?

There’s a case to be made that a Fortune 500 company has already been a cyber-espionage victim -- or, more accurately, a Fortune 500 company suffered collateral damage when it was caught up in state repression. That company was Google. The culprit was almost certainly China. The argument could be made that this is an isolated case but it seems the Chinese government’s main target was its own dissidents, and it was just a fortunate side benefit for China that it had also been at odds with Google for some time. Thus, China wasn’t too terribly concerned about covering its tracks, avoiding detection or minimising collateral damage. Warning shots are now a key component of cyber-espionage, it would seem.

Today, the biggest threat to the enterprise is still the insider attack. Those attacks aren’t bankrolled by nations, but how long will it be until a hostile or even shady and opportunistic foreign government notices this opportunity? How long until a bad-actor nation-state or a creative organised-crime network decides to start turning unhappy, underpaid or simply greedy insiders into intelligence assets in the same manner that nations have turned locals into spies for centuries? In fact, some insider attacks are practically proof-of-concept for state sponsored or organised crime sponsored ones. The only missing ingredient is the link between the insider and a larger malicious entity willing to pay.

Logic bombs in everyday life

Stuxnet is, in part, a sophisticated logic bomb, or a specific type of malware that kicks into high gear when specified conditions are met. Logic bombs have long been suspected in several high profile cyber-espionage attacks, including, but not limited to, the Google hack, the penetration into the U.S. electrical grid, some of the attacks that hit Georgia and Estonia during their conflicts with Russia, and U.S.-backed attacks against the Taliban and Serbia. Even for national defense agencies, cyber-espionage is still far more theory than fact. Skeptics have long argued that the threat from cyber-espionage is overblown. “Show me the actual damage,” they say. Or as Rob Rosenberger writes on the security-hype-debunking site myths: "Did a story in the Wall Street Journal say 'Thousands of Georgians feared dead in Russian military cyber-attack?' NO. Did The Register announce “Russian army hackers make Georgian fuel pipelines flow backward”? NO. Did the U.S. Air Force website proclaim “Airmen deploy to Tbilisi to stop Russian military hackers”? NO. Remember this the next time the computer media gets infatuated with the notion of a cyber-war."

Well, Stuxnet has done lots and lots of real-world damage. There’s no body count, nor were Iranian defense systems, say, turning themselves against Tehran Terminator style, but Rosenberger now has some of the evidence that was previously lacking. The signs pointing to something like Stuxnet have been around for a while. With security so often an afterthought, I have a hard time dismissing anyone who wants to get out ahead of the evolving threat landscape for a change. That said, Rosenberger, back in 2008, had a very valid point. A few years later, several high profile attacks that hit the enterprise look to have plenty in common with Stuxnet. Here are some highlights:

2010, Texas Auto Center - A vengeful employee, who had just been laid off, launched an attack from the company’s Webtech Plus software. He used the software, meant to aid with repossessions, to disable customer vehicles, flash lights continuously and cause horns to blare all day long. The dealership was besieged with angry calls and towing requests.

2008, Fannie Mae - A logic bomb from a contract engineer, who had recently been terminated, attempted to delete data on more than 4,000 servers.

2008, Wand Corp. - A laid off tech support employee at this family-owned restaurant technology and management company launched a semi-successful logic bomb attack that crashed 25 computers and cost the company thousands of dollars to clean up.

2006, UBS - A UBS system administrator, angered over his “meager” annual bonus, launched a virus that, had it been successful, would have driven UBS’s stock price into the ground.

Of the incidents listed above, three of them have one thing in common: they were logic bombs. The fourth incident, Texas Auto Center, didn’t even need logic bomb capabilities because the system itself was already pretty much designed to be a logic bomb. The conditions: a disgruntled employee with system access and ill intent. The result: the system does what it was designed to do -- set off car alarms -- but not how or when it was supposed to. All the Texas Auto Center ex-employee needed for that attack were credentials. His were suspended, but as a former admin, he just used someone else’s that he happened to remember. Texas Auto Center was sloppy about its access controls and authentication and paid for it.

For a primer in just how potentially dangerous these sorts of attacks are, check out a November 2009 episode of 60 Minutes, which showed the world how easily a logic bomb could damage or destroy physical machinery. A test attack (called Aurora) hacked into a SCADA system and caused a power generator to self-destruct.

54% second hand phones contain personal data

Logic bombs, insiders, scammers and thieves

The insider attacks above share an important trait with cyber-warfare: the main intent is to disrupt and damage. More troubling are the ones that actually want to steal classified information (or protected IP), or simply learn enough about the target to cause all sorts of problems. The Google penetration falls into that camp, as do earlier Chinese breaches into the U.S. intelligence and defense systems.


The ZeuS and Bugat Trojans, both of which focus on gaining financial data, seek to gather specific data in order to steal. Now, take those sophisticated malware tools (which anyone can buy online for a few thousand dollars, by the way) mix them with disgruntled workers and an outside entity seeking to steal or do harm, and you have a perfect attack storm. Is there any proof that this sort of thing is happening? No. But it's probably just a matter of time before it does.

There are two even more flammable ingredients: mobility and social networks. “Malware used to be binary in nature, taking advantage of a particular vulnerability in a specific system,” said Michael Sutton, VP of Security Research for Zscaler. Now, the software landscape is far more fragmented, with smartphones, tablets and other non-PC platforms complicating the picture, which is inspiring hackers to create more general-purpose malware. “The future of malware, I’d argue, is Web-based worms. Then, it doesn’t matter what device you are on,” Sutton said. “Malware also used to spread by hopping from device to device. The devices had to have the same vulnerabilities, or it didn’t work. Now, malware is starting to target social networks, where it spreads from profile to profile to profile, growing exponentially, in minutes.”

46% rise in malware targeting mobile devices in 2010

Twitter, Facebook and LinkedIn all have numerous security vulnerabilities. For social networking sites, the space is still a land grab and the point is to grow as big as you can as fast as you can. Security is considered a minor nuisance that the sites figure they can clean up later.

“As fascinating as it is to study new threats like Stuxnet, the majority of the threats to business are what they’ve always been,” said Chris Larsen, head of Blue Coat System’s research lab. “Social engineering attacks, especially for fake security products, are still some of the most common and most successful threats.”

Larsen also discussed a particularly devious social engineering attack where the bad guys launched their targeted attack by focusing on a company’s executives. However, instead of targeting the executives themselves, they went after spouses, the logic apparently being that at least one executive would have a poorly secured PC shared with a non-tech savvy spouse. That PC would then be the beachhead into the company.

Hackers tend to be hackers, conventional wisdom goes, because they’re greedy and lazy. Emphasis on lazy. Patient, determined, high-achieving hackers who have even greedier backers? Now that’s really scary.

—Based in Santa Monica, California, Jeff Vance is the founder of www.sandstormmedia.net, a copywriting and content marketing firm. He regularly contributes stories about emerging technologies to this publication and many others. If you have ideas for future stories, contact him at jeff@sandstormmedia.net or visit.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.



NO HOLDS BARRED | Dhruv Singhal

Seeding the Cloud

With cloud emerging as a viable computing model, Oracle wants to make the most of this opportunity. In an interview with Rahul Neel Mani, Oracle India’s Senior Director, Sales Consulting, Dhruv Singhal talks about his company’s plans around cloud computing.

DOSSIER
Company: Oracle
Established: 1977
Founders: Larry Ellison, Bob Miner, Ed Oates
Products: Oracle Database, Oracle Fusion, Middleware, Oracle Applications, Oracle Enterprise Manager, Oracle Financials
Employees: 105,000

What is your definition of cloud computing?

Cloud computing provides on-demand access to a shared pool of computing resources in a self-service, elastically scalable and metered manner, delivering significant advantages in speed, agility and efficiency. Cloud computing has evolved from several trends that have been driving enterprise data centers and service providers over the last several years. These trends include grid computing, virtualisation, SOA shared services and large-scale management automation. Cloud computing builds off these by adding new capabilities such as self-service, dynamic scaling and pay-per-use.

What are the factors fueling growth of cloud computing and what trends can we expect in this space?

Recent surveys show that the top two benefits of cloud computing are speed and cost. Through self-service access to an available pool of computing resources, users can be up and running in minutes instead of weeks or months. Making adjustments to computing capacity is also fast, thanks to an elastic and scalable grid architecture. Since cloud computing is a pay-per-use model, operates at a high scale and is highly automated, the cost and efficiency of cloud computing is very compelling as well. SMBs are expected to adopt public cloud services owing to lower costs involved, while private cloud computing is anticipated to see stronger traction with larger companies, which is not surprising, since many of these organisations already have extensive investments in expansive IT infrastructures.

According to the survey conducted by Unisphere Research among IT and data managers and professionals with the Independent Oracle Users Group (IOUG), private cloud formations are growing in many companies, often outpacing adoption of public cloud services. As per the same survey, companies are packaging and virtualising their own IT assets into cloud-like services to offer across various departments and divisions, and even to outside partners. These ‘private clouds’ offer the same flexibility and incremental cost advantages to end users as public clouds, but with less perceived risk and greater assurances of security and accountability. Furthermore, security issues continue to be a concern with use of public cloud and online application services, making private clouds a more attractive option to enterprises. The survey also highlighted adoption of private cloud solutions for IT workload processing or infrastructure clearly outpaced the use of public platform service providers.

As you said, security is an issue and so is performance. How is Oracle addressing these challenges related to cloud computing?

Oracle is committed to improving cloud security and has been building innovative security solutions which bring industry-leading security functionality and ensure that the cloud environment remains secure for enterprises. Oracle Database provides advanced security products like Database Vault, Audit Vault, Advanced Security Options to ensure security of data. Oracle Identity and Access Management Suite simplifies the management of user identities and security in an enterprise infrastructure that spans a mixture of private and public cloud services.

On the performance side, Oracle remains poised to address the needs for extreme performance and mission-critical computing, so that companies can reap the greatest ROI out of their IT investments. We recently announced two models of Oracle Exalogic Elastic Cloud - Oracle Exalogic Elastic Cloud X2-2 with 64-bit x86 processors and a choice of Oracle Solaris or Oracle Linux, as well as Oracle Exalogic Elastic Cloud T3-1B with SPARC servers running Oracle Solaris. Engineered for large-scale, mission-critical deployments, Oracle Exalogic Elastic Cloud provides the foundation for enterprise-class multi-tenancy or cloud applications and can support thousands of applications with differing security, reliability, and performance requirements. All Oracle Exalogic Elastic Cloud models are engineered hardware and software systems that leverage an InfiniBand-based I/O fabric and solid-state storage with the market-leading Oracle WebLogic Server and other enterprise Java Oracle middleware products, which are assembled, tested and tuned to reduce the time from machine delivery to fully operational for application deployment. Oracle provides complete, integrated and optimised systems which greatly reduce the TCO for the customer. As Oracle provides hardware and software technologies, customers can expect clean and elegant solutions which are more tightly engineered to reduce costs and boost performance.

What is Oracle’s play in the cloud computing space?

Oracle has a comprehensive set of cloud computing offerings that are complete, open and integrated – spanning applications, middleware, database, operating systems, virtualisation, servers, storage, networking and management of the entire stack. These include building and managing private PaaS and IaaS clouds, customer options for running Oracle technology in public clouds or on-premise, and enterprise applications that are deployed on a shared services private cloud as well as a public cloud model via Oracle On Demand.

Oracle is a cloud computing leader that can boast of a number of customer success stories. Oracle helps customers realise the speed, agility and efficiency benefits of cloud computing through an evolutionary approach. Oracle clients can accelerate deployment by leveraging Oracle Exadata Database Machine and Oracle Exalogic Elastic Cloud. Credit Suisse, an international financial services group, built a private, self-service, Java Platform-as-a-Service using Oracle WebLogic, consolidated over 200 applications onto the platform, saved 35 percent in operating costs, reduced 85 percent of their servers, and avoided 44 percent power increase while doubling capacity.

Can you share details on Oracle’s ‘Cloud in a box’ theory?

Today enterprises have an option to choose from various cloud models that have a number of compelling business benefits. However, issues pertaining to security, performance and associated costs overpower


these benefits, making the decision for organizations uncertain. Oracle specifically designed Exalogic Elastic Cloud to provide enterprises with a foundation for secure, mission-critical private cloud capable of virtually unlimited scale, unbeatable performance, and previously unimagined management simplicity. Exalogic is the ideal platform for applications of all types, from small-scale departmental applications to the largest and most demanding ERP and mainframe applications. Oracle Exalogic's extreme performance, massive scale, and hardware-based application isolation make it the ideal platform for consolidating many existing applications on a single platform. It is the world's first and only integrated cloud machine—hardware and software engineered together to provide a "cloud in a box". Exalogic is designed to revolutionize data center consolidation, enabling enterprises to bring together tens, hundreds, or even thousands of disparate, mission-critical, performance-sensitive workloads with maximum reliability, availability, and security.

What is Oracle’s strategy to increase its cloud computing footprint?

Cloud computing is driving a significant part of Oracle’s product development plans – from enterprise applications to middleware, databases, servers and storage devices, as well as cloud management systems. Taken together, these developments are building off Oracle’s grid computing architecture to create an out-of-the-box solution for cloud computing - Oracle PaaS Platform. Oracle’s overall corporate strategy is to provide the industry’s most complete, open and integrated set of products from applications to disk. For cloud computing, Oracle’s strategy is to:

Ensure that cloud computing is fully enterprise grade – Oracle provides enterprise grade technology for high performance, reliability, scalability, availability, security and portability/interoperability (based on standards). Enterprises demand these characteristics before moving important workloads to a public or private cloud.

Support both public and private clouds to give customer choice – Organisations are adopting different deployment models for cloud computing for different applications at different rates of speed, so Oracle supports customers on premise or regardless of the type of cloud they choose.

Develop and enable rich SaaS offering – Oracle offers a very broad portfolio of horizontal and industry applications that are deployed in either a private shared services environment or in a public SaaS model.

What kind of traction has Oracle experienced in the cloud computing space?

Wipro chose Oracle (Oracle Database, Oracle WebLogic Application Server and Oracle Virtual Machine) as the deployment platform for w-SaaS enabled applications. The Oracle Database is used as the backend data store for the platform. The w-SaaS platform leverages the high performance capabilities of the Oracle VM by integrating well with the Oracle VM Server powered private cloud. Amazon collaborated with Oracle to offer their customers options and convenience when deploying enterprise applications on the cloud. Not only can customers build enterprise-grade solutions hosted by Amazon Web Services (AWS) using Oracle Fusion Middleware and Database by Oracle, they can also launch entire enterprise software stacks from Oracle on EC2. In both cases, customers can benefit from the scalability, reliability, and cost-effectiveness of deploying on Amazon’s cloud. In addition, other Public Cloud providers like Savvis are also offering services based on Oracle products.

What is Oracle’s future road map?

Oracle remains poised in the position to address needs for extreme performance and mission-critical computing, so that companies can reap the greatest ROI out of their IT investments. We believe that enterprises will evolve their current IT infrastructure (from standalone, consolidated and optimised) to become more “cloud-like” or “IT-as-a-Service”. “IT-as-a-Service” will see IT departments become better internal service providers to business units and departments. The first step for many customers will be to consolidate onto a shared pool of resources, which could be at the PaaS (middle tier, database tier) or IaaS (VM/Compute tier). We believe that Private PaaS is the natural evolution for enterprise data centers. Oracle’s engineered systems, Exalogic and Exadata, provide the foundation blocks for Private PaaS and are great target platforms for consolidation. This evolution will take time, and will take shape in different ways for each company. Oracle can evolve with the company’s IT infrastructure using compute, storage, network, and software building blocks for flexible, optimised datacenters. Similarly, the same building blocks can be tightly integrated and engineered to work on purpose-built systems like the Oracle Exadata Database Machine X2-8 and Exalogic Elastic Cloud.



Hide time | BOOK REVIEW

Emerging Market Survival Kit

Two Indian-American Harvard professors pen the entrepreneur’s ‘rough guide’ to the world’s promising markets

Author: Tarun Khanna
“Firms should create value where they are”

The world’s large, rapidly-growing emerging markets represent the collective ambitions and aspirations of the people who populate them. In a sense, these markets are not much different in character from the mighty American corporations of the late 19th and early 20th centuries. The markets are lucrative, but doing business in emerging markets isn’t at all easy for multinational companies. Key market-support institutions that are taken for granted in the Western world are either weak, still evolving or entirely missing in most such markets. When these institutions of regulation, governance, facilitation and transaction are missing, there exists what is known as an "institutional void".

In their new book ‘Winning in Emerging Markets: A Roadmap for Strategy and Execution,’ Harvard veterans Tarun Khanna and Krishna Palepu work through the global maze of institutional voids, designing strategies to respond to them. By pinpointing these voids in product, labour, and capital markets, investors and entrepreneurs can succeed by harnessing private sector niches in the institutional infrastructure. These niches come in the form of information analysers and advisors, aggregators and distributors, transaction facilitators, and more.

In their book, Khanna and Palepu identify and plug the institutional voids by asking a few key questions. If a company is planning to enter an emerging market, it must ask itself questions like which institutions in the market are working and which missing; how the void can affect its business model; how it can compete by navigating the voids; and where profit lies in finding opportunities to fill these voids. According to Khanna and Palepu, emerging market institutional voids are a global phenomenon. They, therefore, focus their research worldwide, not just on the BRIC countries of Brazil, Russia, India and China.

For companies that want to enter emerging markets, the book can serve as a sort of rough guide or survival kit. Some of the questions that every such company’s leadership has to eventually ask itself are: whether it should replicate or adapt an existing business model in that market; collaborate with domestic partners or go it alone; navigate around that market’s voids or actively try to fill them; enter the market now or look for opportunities elsewhere; and stay in or exit the market if current strategies are not working.

Peppered with examples from real companies in the real world, the book has ‘field-tested’ advice and knowledge of the emerging markets. So, whether you are an armchair globetrotter or jetsetting CEO, the book is a treasure house of knowledge and wisdom. And even if you are not some master strategist mulling over how to penetrate the Indian sweet-meat market, you should read it. Two exceptionally bright and gifted teachers have spent their entire working lives munching on a book of this calibre.

ABOUT THE REVIEWER

Author of Prey By The Ganges (Wisdom Tree, 2011), Hemant Kumar is a veteran of wire service and television journalism.



VIEWPOINT

Steve Duplessie | steve.duplessie@sbcglobal.net

Big Data: I Was Right Again

What’s Next: Marketing

First, allow me to roll around in self-love for a few minutes. Aster just got acquired by Teradata, and yet again, I told you so. I called Vertica and Aster–way before it was in vogue. I have many posts on said subjects that back up my bravado. Good for me. The first lesson you should learn is that if you are a VC, or a startup, you should pay more attention, you dumb asses. I appear to be in the groove, as it were.

So, Greenplum, Vertica, and Aster are gone. Informatica (public) is still a prime acquisition (big money) candidate (Dell isn’t in the game yet, but will be). And as we speak, any VC with any money left at all–post the great Armageddon of the past decade–is desperately looking to dump it into anyone who can spell “Big”–being able to spell Data is just gravy at this point. Most of these investments will be “lemming” investments with zero chance of any significant outcome, but that’s a different story.

Now the fun starts, at least for me. The reason these companies have been acquired is twofold: First, there is a legitimate need for better tools to be able to help owners of said big data sift through said big data to find stuff that they can make money on. Totally legit. Second, because the other guys made a move first. So, what we have is the classic follow the leader, keeping up with the Joneses mentality at play, and then we will try to sort out the details post facto.

The issue: now that big dogs have acquired the small dogs in this space, the real work must begin. The small dogs all sounded a lot like total geek, niche market plays. Those are not appealing to big dogs. Selling to the “analytics” guy is arguably more niche/geeky than selling to the “storage” guy. At least the storage guy has had ten years or more of being “visible” in the IT organization. The analytics guy is the modern pocket protector-wearing IT dude. (Take no offense–as always, I’m just telling you what those uneducated bastards on the 57th floor think).

So, what’s critical for any of this big data business to make the leap from “geek to chic” (I want credit for that, that’s a good one), is MARKETING. These companies have to establish their broad market appeal (hint: it ain’t about your super spiffy algorithm)–to business buyers, with broad business application. Talk about the overall value of what happens when you find that nugget of gold out of the piles of dung–not how you found it. Little guys–and some big guys–love to talk about algorithms. Algorithms won’t impress the ladies, or ultimately the money players. Algorithms impress fellow geeks–which (sorry again, people) represent a SMALL NICHE MARKET OPPORTUNITY. If you wanna play against Oracle, you bring forth your best-looking assassin, not your smartest scientist.

Now, let’s get out there and do some bad ass marketing, so that I can tell one of you from the other. Otherwise, I’ll get bored and write the whole lot of you off.

About the author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

