Women Leaders Making the Cut


CTO Forum

Technology for Growth and Governance

April | 21 | 2011 | 50 Volume 06 | Issue 17

The important 3Cs for a CIO | The Difference Between Doing IT and Infosec | Value of Innovation

Women Leaders Making the Cut: A few women have broken into the male bastion called CIO. They are role models for a whole new generation of aspiring women IT leaders.

Amrita Gangotra Director – IT, India & South Asia, Bharti Airtel

Thought Leader: Legal Challenges With Cloud Computing

Next Horizon: Parallelised Data Mining Security

I Believe: View IT as a Profit Centre

A 9.9 Media Publication

Annie Mathew CIO, Mother Dairy

Asmita Junnarkar CIO, Voltas




editorial Rahul Neel Mani | rahul.mani@9dot9.in

A Question of Survival Or a question of rising women power

If I’m honest with myself, I have to say I had to postpone writing this opinion thrice in two days. It wasn’t due to lack of ideas. It wasn’t due to lack of courage either. It was simply about finding an apt frame of mind to write something about the growing influence of women in IT leadership. Though still dominated by the masculine gender, the community of CIOs and IT decision makers in India is witnessing a visible trend of rising female influence - clearly challenging the status quo.

editor's pick 24

In the western world, according to a few reports from respectable institutions and organizations, the number of women choosing to enter the IT profession has dropped drastically in the past. In the U.S. the proportion of women in IT has fallen from about 35 percent in 1990 to less than 20 percent recently, while the proportion of women studying computer science at university level has, in some European countries, fallen to as low as 15 percent or even lower.

Boosting Conversions: By deploying a cloud-based CRM, Godrej Properties tagged customers Hot, Warm or Cold, and built a system of follow-ups that boosted its conversion rates across its projects.

Also, I recently read a report by The Chartered Institute for IT Enabling the Information Society (Formerly the British Computer Society) titled ‘Women in IT Scorecard,’ which precisely talks about the diminishing number of women in information technology industry in the Western world. The report says that women are increasingly concentrated in jobs at the low end of the pay scale. In India, the scene seems to be quite the opposite: we are witnessing a significant rise in women IT leadership. And the reason behind this astounding success is partly due to the fact that women CIOs are just as technically knowledgeable to talk about technology and further, because they are naturally wise to align IT with business. I have no hesitation in saying that even though women CIOs and IT leaders in India are low in numbers yet, in some cases, they are outperforming their male counterparts.

We have dedicated this issue of CTO Forum to this rising power of Women in IT. With the noble intention of covering as much ground as possible, we reached out to a large number of women CIOs but unfortunately could not cover them all in time for print. We collectively apologise for it. The women CIOs profiled here are building a great legacy and I am sure it will encourage hundreds of other women, AND men, to think of the same career path. As ever, I will wait for your feedback and opinions.

The Chief Technology Officer Forum

cto forum 21 april 2011



April 11

Cover design by Anil T

Contents

thectoforum.com

Cover Story

Women Leaders Making the Cut: A few women have broken into the male bastion called CIO. They are role models for a whole new generation of aspiring women IT leaders.

Columns

I Believe: View IT as a Profit Centre. CIOs of today have to come up with new revenue streams from the data their company already possesses. By Ajay Satyarthi

View Point: When Did Industry Events Become So Awful? By Steve Duplessie

Features

Tech for Governance: Vendors tough on licences, not solutions. By Kris Barker

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Silverpoint Press Pvt. Ltd. D- 107, MIDC, TTC Industrial Area, Nerul, Navi Mumbai- 400706


www.thectoforum.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Editor-in-chief: Rahul Neel Mani
Executive Editor: Yashvendra Singh
Senior Editor: Harichandan Arakali
Resident Editor (West): Minu Sirsalewala Agarwal
Assistant Editor: Varun Aggarwal

Design
Sr. Creative Director: Jayan K Narayanan
Art Director: Binesh Sreedharan
Associate Art Director: Anil VK
Sr. Visualiser: PC Anoop
Sr. Designers: Prasanth TR, Anil T, Joffy Jose Anoop Verma, NV Baiju, Vinod Shinde & Chander Dange
Designers: Sristi Maurya, Suneesh K, Shigil N & Charu Dwivedi
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

A Question of Answers

Value of Innovation: Alok Ohrie, VP – Systems & Technology Group, IBM India details the roadmap for innovation and how it will help CIOs in achieving greater optimisation levels.

Next Horizons: Parallelised Data Mining Security. PDM could be the future of a range of commercial tools. By K.S. Abhiraj

No Holds Barred: Sudipta K Sen, CEO & MD – SAS Institute, shares reasons for the continued growth and the company’s future road map.

Regulars

Editorial
Enterprise Round-up

Advertisers’ index

Juniper: IFC
Schneider: 05
Ricoh: 07
Riverbed: IBC
Microsoft: BC

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, CIO, Pidilite
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices
Vijay Sethi, VP-IS, Hero Honda
Vishal Salvi, CSO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay
Vijay Mehra, CIO, Cairns Energy

Sales & Marketing
National Manager-Events and Special Projects: Mahantesh Godi (09880436623)
Product Manager: Rachit Kinger (9818860797)
GM South: Vinodh K (09740714817)
Senior Manager Sales (South): Ashish Kumar Singh
GM North: Lalit Arun (09582262959)
GM West: Sachin Mhashilkar (09920348755)
Kolkata: Jayanta Bhattacharya (09331829284)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Production Executive: Vilas Mhatre
Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul Navi Mumbai - 400706. Printed at Silver Point Press Pvt Ltd., A-403, TTC Ind. Area, Near Anthony Motors, Mahape, Navi Mumbai-400701, District Thane. Editor: Anuradha Das Mathur

For any customer queries and assistance please contact help@9dot9.in

This issue of CTO FORUM includes 12 pages of CSO Forum free with the magazine

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.



I Believe

By Ajay Satyarthi Senior GM - IT at Videocon Telecommunications Ltd. The author brings deep domain expertise in the field of telecommunications to his job. He has come up with innovative ways to maximise VAS revenues for the telco.

View IT as a Profit Centre CIOs of today have to come up with new revenue streams from the data their company already possesses.

IT is no longer just an enabler of business, but has come to be a profit centre in its own right. The role of CIOs, and the organisations they lead, is to become a bridge between a company’s business strategy and the enabling technology architecture. Today’s CIO is expected to make innovations real and raise the return on investment of IT to expand business impact.


Current challenge: Providing greater business value at lower costs.

Just planning an innovation is not enough. It needs a foundation that can sustain the dynamically changing business requirements. The CIO is expected to be a visionary, perceptive to promoting a broad technology agenda. On the other hand, the CIO has to take a pragmatic approach to deal with the realities of business. This approach facilitates the productivity of current IT solutions to eke out more time and budget for innovation. Accompanied by an ongoing focus on lower costs and higher efficiency, IT has to produce greater business value.

A ‘Savvy Value Creator’ finds new ways to help customers and the organisation profit from how data is used. The ‘Relentless Cost Cutter’, its counterpart, is focused on managing budgets and processes to eliminate or reduce costs. To contribute the most to an organisation, proven expertise in both business and technical matters is vital. CIOs have to engage with enterprises as collaborative business leaders and drive new business initiatives. The Inspiring IT Manager role occupies centre stage to motivate the IT organisation and deliver superior IT performance.

More than ever, CIOs need to provide an IT architecture that enables effective, cost-efficient management of risk and compliance. To solve multitudinous problems for internal as well as external customers, CIOs need to be multi-disciplinary and business oriented. Perhaps the CIO’s true role should be that of a business innovator and strategy leader. In other words, CIOs are no longer expected to sit at the boardroom table and suggest ways to move other C-seat dreams into reality, but to stand and present new revenue streams from the data the company already possesses.




LETTERS

CTOForum LinkedIn Group

Join close to 700 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

The Cloud is all air and no substance
Do you think cloud is going to die a quick death of SOA or is it going to make big headway into the enterprise? Is it old wine in a new bottle? What does it lack in making a convincing case?

What are the attributes of a good CTO?
What are the prerequisites for a CTO role?

I see the CTO's role as that of a technology leader bridging the gap between the commercial requirements of the enterprise and the technology support of those requirements. An effective CTO should be able to guide the efficient implementation of IT strategy of the business.

It's real and all about today and tomorrow. However, you have to bring it back to a realistic service that gives tangible benefits. There are a great deal of 'cowboy' stories and not many who really understand it.

—Ronald Kunneman, Director at Digitra


http://www.thectoforum.com/content/3gdevices-willattract-morecyber-scamsters

Trust More Important Than Technology Listening to your users can help you gain their trust.

“When we learn to intelligently live by this principle, it gives us a chance to positively affect many people's lives by creating a sort of a chain reaction.”

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.


Harvinder S Rajwant, Vice President, Borderless Networks – Security, Cisco Systems talks to Varun Aggarwal about the increasing threats on the mobile platform, fired up by 3G.

Opinion

Richard Ward, Head of Technical, WIN Plc

Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

CTOF Connect

To read the full story go to:

http://www.thectoforum.com/content/trust-moreimportant-technology

Milind Sawant, Head-IT Infrastructure, Reliance Life Insurance Company Ltd.




Enterprise Round-up

News Inside: Seagate and Samsung Announce Strategic Alignment

Illustration BY Suneesh K

Microsoft Office 365 Public Beta Available in India
People can experience an always-up-to-date cloud service.

Microsoft has announced the public beta of Microsoft Office 365, the company’s cloud productivity service for businesses of all sizes, in India. Office 365 was introduced in limited beta last year, bringing together Microsoft Office, SharePoint Online, Exchange Online and Lync Online in an always-up-to-date cloud service. The public beta, available at http://www.Office365.com, allows millions of people in India and across the world to try Office 365 for the first time. Globally, more than 70 percent of the organisations that signed up for the limited beta were small businesses with fewer than 25 employees.


“The early adoption trends show how well Office 365 resonates with small businesses that want full-featured professional technology, delivered in a way that makes sense for their company by offering them streamlined communication with high availability, comprehensive security and simplified IT management,” said Sanjay Manchanda, Director, Microsoft Business Division. “We encourage businesses to make the best of the Beta opportunity we are launching – and experience the powerful impact of Microsoft Office 365,” Manchanda added.

Data Briefing

35% Of spam in APJ originated from India in 2010 — Symantec


They Said It: Michael Dell

photo BY photos.com

In an interview with Wall Street Journal, Michael Dell accepted that he didn't anticipate the rapid rise of the tablets. "What's also interesting is Apple's great success with the iPhone. Android comes along, even greater success," he said.

Semiconductor Industry Experiences Largest-Ever Increase Revenues rose by more than $70 Billion in 2010.

“If you look at 18 months ago, Android phones were like, 'What is that?' And now there are more Android phones than iPhones. I don't see any reason why the same won't occur with Android tablets.” –Michael Dell, CEO, Dell Inc.

Total worldwide semiconductor revenue reached $299.4 billion in 2010, up $70.7 billion, or 30.9 percent from 2009, the largest dollar increase for the semiconductor industry in any one year, according to Gartner, Inc. However, the industry just fell short of the milestone $300 billion revenue threshold. Gartner said that the top 25 semiconductor suppliers accounted for 69.1 percent of semiconductor industry revenue in 2010, and as a group, memory vendors showed the strongest growth. "The industry-wide upturn was due to the combination of pent-up demand that had built in the wake of the worldwide economic recession, and rebuilding of semiconductor inventories that were significantly depleted during the recession and early recovery," said Peter Middleton, principal analyst at Gartner. "The market began to surge in the second half of 2009, as demand recovery in a variety of market sectors resulted in strong order rates. This continued, almost frantically, during the first half of 2010 as demand soared, prices rose, and we saw lead times expanding significantly."

Quick Byte on security

Susan Combs, Comptroller for the State of Texas, U.S. has announced a massive data leak that resulted in 3.5 million people's social security numbers, names, addresses and in some cases their birth date and drivers license number being exposed.


Illustration BY Shigil N

Turning Point in Asia Pacific IPv4 Exhaustion
IPv4 final stage begins.

The Asia Pacific Network Information Centre (APNIC) has reached the last block of Internet Protocol version 4 (IPv4) addresses in its available pool, activating a major change in regional delegation policy. This is a key turning point in IPv4 exhaustion for the Asia Pacific, as the remaining IPv4 space will be ‘rationed’ to network operators to be used as essential connectivity with next-generation IPv6 addresses. All new and existing APNIC Members who meet the current allocation criteria will be entitled to a maximum delegation of a /22 (1,024 addresses) of IPv4 space.

APNIC Director General Paul Wilson explained the Asia Pacific region is the first to reach the point of being unable to meet IPv4 demand. This is due to the unprecedented fixed and mobile network growth the region is experiencing. “Considering the ongoing demand for IP addresses, this date effectively represents IPv4 exhaustion for many of the current operators in the Asia Pacific region,” Mr Wilson said. “From this day onwards, IPv6 is mandatory for building new Internet networks and services.”

With no way to accurately predict IPv4 demand and the exhaustion date, APNIC instead published daily updates on the status of the IPv4 pool to keep the community fully informed. The implementation of a three-phase management plan would also guarantee absolute fairness in the final stages of IPv4 exhaustion.

Phase One led up to the exhaustion of the IANA global IPv4 pool, which occurred on 4 February 2011. During that time, no changes in allocation policy or procedure were made and allocations were processed as usual, according to demonstrated need.

While Phase Two did not introduce any new policies, APNIC Member Services amended their evaluation and allocation procedures to ensure all requests were dealt with in strict order of receipt and to ensure fair processing.

Phase Three involves a policy change that restricts the amount of IPv4 address space available to each applicant. Agreed on by the Asia Pacific Internet community, the Final /8 Policy conserves the remaining IPv4 address blocks to support the region’s transition to IPv6. Without that block of IPv4 space, new network operators would find it difficult, or impossible, to connect to the Internet, even with large IPv6 address allocations available from APNIC.

Wilson said the intention is to provide both new and existing Members with a single allocation from the Final /8. As the APNIC region is home to many developing economies, this policy will conserve adequate space for new entrants to the regional and global market. “Economic activity in the Asia Pacific continues to gain momentum. The high rate of new entrants to the Internet industry is still increasing, and under this policy these newcomers will always have access to enough IPv4 address space to begin operations in today’s market,” Mr Wilson said.

A second benefit of the Final /8 Policy is that it provides additional IPv4 address space to facilitate the transition to IPv6. Networks will need to support both IPv6 and IPv4 for many years to ensure their customers do not experience service disruptions. During the past few years leading up to this point, APNIC has been actively involved in the promotion of regional IPv6 deployment, supported by extensive Liaison and Training programs.

APNIC Director General Paul Wilson said IPv6 deployment requires involvement from the broader stakeholder community, including government, commercial, and civil society representatives across the region.

Global Tracker: News Feeds with Malicious Links

In 2010, 65 percent of malicious links in news feeds observed by Symantec used shortened URLs. Of these, 73 percent were clicked 11 times or more.

Source: Symantec Internet Security Threat Report



Imaging BY Suneesh K

Seagate and Samsung Announce Strategic Alignment Samsung to combine hard disk drive operations into Seagate.

Seagate Technology and Samsung Electronics have entered into a definitive agreement under which Seagate and Samsung will significantly expand and strengthen their strategic relationship by further aligning their respective ownership, investments and key technologies. Major elements of the agreement include:

- Samsung combining its hard disk drive (HDD) operations into Seagate
- Extending and enhancing the existing patent cross-license agreement between the companies
- A NAND flash memory supply agreement under which Samsung will provide Seagate with its market-leading semiconductor products for use in Seagate’s enterprise solid state drives (SSDs), solid state hybrid drives and other products
- A disk drive supply agreement under which Seagate will supply disk drives to Samsung for PCs, notebooks and consumer electronics
- Expanded cooperation between the companies to co-develop enterprise storage solutions
- Samsung receiving significant equity ownership in Seagate
- A shareholder agreement under which an executive of Samsung will be nominated to join Seagate’s Board of Directors

The combined value of these transactions and agreements is approximately $1.375 billion USD, which will be paid by Seagate to Samsung in the form of 50 percent stock and 50 percent cash. These transactions and related strategic agreements will enable both companies to better align their current and future product development efforts and roadmaps, accelerate time-to-market for new products and position the companies to better address rapidly evolving opportunities in markets including, but not limited to, mobile computing, cloud computing and solid state storage.

In connection with its strategic alliance with Samsung, Seagate expects also to strengthen its relationship with TDK Corporation/SAE Magnetics (H.K.) Ltd. Together, these transactions and agreements broaden a strategic relationship between Seagate and Samsung that began with a joint development agreement announced in August 2010. The transactions and agreements significantly expand Seagate’s customer access in China and Southeast Asia.

Hype for Media Tablets Slows PC Demand
PC shipments suffer first y-o-y decline in six quarters.

Worldwide PC shipments totalled 84.3 million units in the first quarter of 2011, a 1.1 percent decline from the first quarter of 2010, according to Gartner. Although the first quarter is traditionally a slow one for PC sales, these shipment results indicate potential sluggishness, not just a normal seasonal slowdown. These figures are below Gartner's earlier forecast for 3 percent growth in the first quarter of 2011.

"Weak demand for consumer PCs was the biggest inhibitor of growth," said Mikako Kitagawa, principal analyst at Gartner. "Low prices for consumer PCs, which had long stimulated growth, no longer attracted buyers. Instead, consumers turned their attention to media tablets and other consumer electronics. With the launch of the iPad 2 in February, more consumers either switched to buying an alternative device, or simply held back from buying PCs."

Steady growth in the professional PC sector, driven by the replacement cycle, was a bright spot for the global PC market. Without the professional segment growth, the PC market could have experienced one of the worst declines in its recent history. Replacement sales will generally continue into late 2011 or the start of 2012, with some variations between different regions and market segments.

Fact ticker: CNN Android

CNN has announced that the CNN App for Android Phones is available globally for free on Android Market. The CNN App combines intuitive navigation with an immersive news experience, giving users direct access to CNN’s global resources – from live field reporting to user-generated content and a variety of enterprise interviews and podcasts.

“Android users are extremely discerning, and will accept nothing less than a first-rate app that showcases high quality, world-class content – and enables them to share it,” said Louis Gump, vice president of Mobile at CNN. “We built the CNN App with these desires specifically in mind, and are excited to offer the millions of Android phone users around the world with access to CNN’s global reporting.”

Available on Android powered phones running on platforms 2.1 and above, the CNN App showcases news of the day through text, audio and photos, live and on-demand video, and a direct gateway to CNN iReport, the network’s participatory news community. By clicking on the menu button, users can seamlessly toggle between U.S. and International editions, each of which includes all of the features of the CNN App.



A Question of answers


Stellar Growth: Continued investment in R&D has enabled IBM to come up with cutting edge products


Alok Ohrie | IBM India

Value of Innovation

Year 2010 saw a massive surge in demand for IBM STG’s products. In conversation with Rahul Neel Mani, Alok Ohrie, Director – STG, IBM India/SA details the roadmap for innovation and how it will help CIOs in achieving greater optimisation levels.

IBM vision 2015 for Cloud, Virtualisation and Consolidation is now being rolled out. What will it mean for the end users – existing and prospective?

All of these are clubbed as part of IBM’s larger initiative known as ‘Smarter Planet’. This theme is no more constrained with developing superior technology. It aims at how we can make the life of the masses simpler and make those workers effective in their domain. But purely from the STG’s (Systems and Technology Group) perspective, we are doing it under the umbrella of Smarter Computing. There is a continuous evolution taking place in the computing arena. The workloads have been shaping up differently as opposed to what they were a decade ago. If we take a classical example of a banking organisation, there are thousands of real-time computes every day – be it retail or corporate banking. The other workloads, which we can think of, are business intelligence and analytics. Finally, the business process management is another very important workload. All these workloads have different needs. They operate in different environments. The optimisation of these workloads becomes absolutely critical. That is also the biggest challenge a CIO faces in today’s business environment where he has to manage it all in a cost-effective way.

While this example was for a typical banking organisation, it is true for any industry. A CIO has to not only understand these workloads but also has to define the need for corresponding environment which is optimised and cost-effective. Our optimised systems, on a two-dimensional matrix will have ‘capability’ on the one side and ‘focus’ on the other. This also defines what kinds of skills you need to implement some of these systems. It ranges from very high-end systems requiring a lot of sophisticated skills to an appliance which is just ‘plug and play’. For example you can think of an optimally designed IBM System Z, P or X running a DB2 with Websphere. If you take it down to the next level the involvement of the client is lesser than the earlier scenario and the implementation takes a couple of hours as opposed to days and weeks in the earlier scenario. In the second scenario, mostly there is some fine-tuning required to the available packaged systems. A business analytics system will be an apt example in this category. That’s because the needs of various industries are different and thus there is a scope for fine tuning.

Where do you think are these workload optimisation solutions needed?

We see these requirements from almost all sides - be it data management, security or cloud computing. IBM is researching and producing solutions that address those specific requirements. This is nothing but an evolution of smarter way of computing where the users are looking for optimised, cost-effective solutions which do not compromise on efficiency but do care about the total cost of ownership. Almost all of these solutions work in heterogeneous environments and still give an optimal result for that specific app. But to have the complete infrastructure optimised, we bring in the element of ‘infrastructure design’ which is done in consultation with the client even if he/she is using majority of competitive products and only a few IBM solutions/appliances.

"2010 was a watershed year for IBM's STG worldwide. We grew 11 percent last year, which was the highest in the past decade."

How has STG performed this year?

2010 was a watershed year for IBM’s STG group worldwide. We grew 11 percent during last year and that was the highest in the past one decade. This growth didn’t compromise on profits, which were as good as the growth in the revenue. A lot of this growth came from the new technologies and products launched during this period. There was a tsunami of great products that were launched. Talk about the RISC-UNIX environment, IBM launched Power-7. In the Mainframe domain, we launched Enterprise System-Z platform sometime during the Q3. IBM infused innovation even in X86 platforms which are much commoditised now. IBM was one of the first companies to address the decoupling of memory issues that X86 has and pass on the flexibility to the users. This innovation empowered the users to do the same workflow with half the number of servers. It has provided great benefits in a virtualisation environment.

Did this growth coincide with the hardware refresh plan of the users or were the products so compelling that there was an instant uptake?

It was a result of a combination of products. Yes, CIOs had pulled back their budgets during the time of economic crisis and that resulted in a delayed hardware refresh. But the refresh doesn’t mean that a big chunk of it will come to IBM. That is where the product merits come in the picture. Why would a user invest with us if he doesn’t see any value or relevance? Not only that, I can also guarantee that on ‘price-to-performance’ and TCO parameters, IBM delivers a great value. This value is very compelling and that’s the reason we saw this growth.

Things I Believe in

There is a requirement for workload optimisation solutions from all sides -- security, cloud and data management.
Users will invest in a product only if they see value in it.
Technology innovation relevant for prevailing market conditions has to be brought out quickly.


a lo k o h r i e

But what happens to those who have already invested in IBM products? Don't they ask for a transition plan?

Yes, certainly that is the case with almost all our existing users. No one is ready to give up or give away their old infrastructure without a transition plan. Here, I would like to give you an example. Let’s take the case of Power systems (the RISC-UNIX platform). In case of IBM it is called AIX and it has a 25-year-old legacy. It got enriched with every version – be it functionality, speed etc. For the Power series, we are talking of a roadmap up to 2015. As we speak, IBM can talk about Power 8 and 9 because it is being developed and will live up to its timelines. IBM has lived up to every possible date we have given on the Power systems since 1995. That gives a lot of confidence to the users.

How does IBM decide when to phase out an old product and when to induct a new version?

Any amount of technology innovation that is relevant for the prevailing market conditions needs to be brought in as quickly as possible. For example, India has not yet fully rolled out 3G and the work has already started on 4G. It happened because there is a need for 4G technology in the market. Users need faster, better and smarter systems. Many a time the decision to launch a newer version depends on enabling an efficient environment faster, which is difficult with the existing set of products. I will give you another example here of an IBM product called Watson. Watson is an IBM supercomputer that combines artificial intelligence and sophisticated analytical software for optimal performance. The supercomputer is named for IBM’s founder, Thomas J. Watson. The Watson supercomputer processes at a rate of 80 teraflops (trillion floating-point operations per second). The company has been working on this product for well over four years. This machine, in a contest called ‘Jeopardy’, defeated the best human brains in Q&A sessions this February. This has opened up the eyes of IBM customers as well. This kind of machine could work wonders in different environments including healthcare, investment banking, and insurance sectors. So, I think the world has reached a stage where any kind of technology innovation can immediately find an application.

How does IBM support these innovations?

You will be surprised to know that $3 billion go into R&D for the STG group alone. The result of this R&D spend not only reflects on the products but also on the number of patents IBM gets for itself. For 18 consecutive years IBM is on top of charts for filing patents. Last year alone we filed for 6000 patents. This gives us access to a lot of IP which then develops into products. This results in a huge amount of optimisation for the end users, with which we started our conversation. Look at some of the benchmarks. Power 7 is a case in point. It can beat any competitive product on price-performance ratio. We have done over 2900 migrations worldwide so far this year. Out of this total, nearly 1100 are from Oracle-Sun. We don’t have geography-specific numbers but the numbers in India are impressive too. This has translated into revenue worth $1 billion.


Best of Breed

Features Inside

5 Tips for Managing Data Breach Risk

The 8 Truths of Quality: Clear the air around quality practices.

Marketing the Cloud: Ways to market a disruptive technology.

The Important 3Cs For A CIO

Consumerisation, Cloud and Compliance are collectively reshaping the world of a CIO.

By Ian Gotts, Founder & CEO, Nimbus Partners

In the past, life for a CIO was hard work but not an impossible undertaking. Today, however, things are getting more and more difficult faster and faster. But, for those who love a challenge, the CIO is the best seat in the house. The main challenges CIOs face can be summed up with the 3Cs:

Consumerisation: Every business user is also a consumer so they expect Web 2.0-style apps to be delivered to any and every device including PCs, Macs, iPads or Smartphones just like at home.

Cloud Apps: Enable business users to sidestep IT using something I have been calling the Stealth cloud.

Compliance: An increasingly regulated environment for almost every industry, which covers everything from data security to SOX compliance.

These “3Cs” are causing so many things in the world of the CIO to change. The technology world is going through a paradigm shift, just as it does every 10 years or so, but this time the CIO’s relationship with the business is different. Technology is a critical resource for every company, just as electricity was in the 1930s. Back then they had Electricity Directors. Not so today. How long until the CIO’s role directing the provision of IT resource is defunct for similar reasons?

It has been said that CIO stands for “Career is Over” rather than “Chief Information Officer.” But what should the "I" in CIO stand for:

Chief Innovation Officer - enabling innovation powered by IT inevitably?

Chief Investment Officer - a more commercial and procurement focus than technology focus?

Chief Integration Officer - stitching together third party apps?

Chief Insight Officer - moving from data to information to insights?

It is probably a little piece of all of them. There has been a gentle shift in power over the last few years. Business buyers are taking the driving seat on software purchases with the IT department becoming another name for “IT Purchasing." That trend is accelerating and the CIO has some strongly engrained "techie" prejudices to overcome. Therefore they need to start changing their game now before it is impossible to make the shift with any level of credibility. So the CIO should be spending less time worrying about how to provide IT to the business and more time being the advisor about what benefits the business can glean from technology.

So, against this backdrop, let’s explore how the 3Cs are affecting the world of the CIO in more detail:

Consumerisation

The collective sales and marketing departments of consumer electronics companies around the world are driving up consumer anticipation for the latest technical wizardry with promises that it will change the world, save more time than ever, make you more attractive to the opposite sex and, gulp, have unparalleled battery life!

So what is the issue? These are consumer devices targeting consumers, right?

Hardly.

The line between consumer and business was finally swept away by Apple. Apple has finally managed to penetrate the business by providing devices that are the electronic equivalent to jewelry; items which are highly desirable; that consumers buy with their own money and take to work. Once inside the building, these consumers turned business people demand that IT make their device connect to the corporate network and play well with everything therein.

Business users are consumers and, today, they get a better technology experience at home than at work. A staggering 74 percent of PCs in the workplace are still running Windows XP. But, outside of the workplace, a plethora of PC devices of different shapes and sizes and an even bigger range of smartphones are being launched daily. They vary in form factor and increasingly Macs are being found in briefcases and on desks in more and more industries outside of media and advertising (Apple's traditional stronghold). The consequence for IT departments is at best more expectations management for their end-user customers; at worst an increasing variety of technology to integrate and support. (Based on experience probably a headache-inducing mix of both!)

Cloud

As far back as 2008, when I was presenting at the Microsoft World Partner Conference, Steve Ballmer’s keynote told people to take the cloud seriously. Now we have the public cloud, private cloud, G-cloud, the stealth cloud plus Microsoft has launched a concept called the personal cloud. Where is all that corporate data going when it is synced in these clouds? What data protection or corporate security policies will be broken?

So much has been written about the cloud but mostly from a technical perspective; security, cost savings, virtualisation, plus the long running debate (inside of IT anyway) of “Is it really a cloud app if it is not multi-tenant?”

These are all valuable discussions but if we look from the CIO’s perspective there are wider issues. The CIO is being looked to by the rest of the executive team for advice and guidance on how IT can help improve their operation in terms of information, integration, innovation, investment and insight. The cloud is a key part of that strategy. Not just for cost-saving reasons which are good, or for Green reasons which are laudable, but, because of the opportunities that it opens up; including the ability to liberate non-office-based staff, provide better business continuity and address new markets easily and quickly, all at lower cost.

Recent research by outsourcing advisory company, TPI, shows that only five percent of CIOs have a cloud strategy. An even more worrying number is a further 20 percent said they did not have the resources to even develop one! This is short sighted at best. This is doing the easy stuff; playing with technology and fixing today’s problems, rather than the hard stuff; sitting down with a blank sheet and thinking realistically about the future.

And a huge number of business people are using cloud services oblivious to the security, reputation and compliance risk that they are exposing their organisations to. Most are doing it without the advice, support or authority of the CIO. Hence, we’ve been calling it the Stealth cloud -- an extension of the ever-popular Shadow IT but, like the blood-sucking Vampire it may come to be, one that doesn’t cast a shadow.


Compliance

Every business is being put under significantly more regulatory compliance. And the regulators have teeth with the ability to fine, halt operations or send senior executives to prison. This has focused minds, raised the stakes and released IT budgets.

Why IT? The ability to comply with the plethora of regulatory standards requires sophisticated IT support. At the heart of all regulation is the management of information. The CIO is pivotal to achieving compliance -- at an acceptable cost. And when it goes wrong, if an audit is failed, they are seen as partly to blame.

It’s said that “Compliance is easy." All you have to do is write down what you want people to do, get them to do it and prove that they did it. See the problem?

To achieve compliance you need clearly documented processes which are presented in a way that end-users can understand, rather than BPMN, XPDL, BPEL, on an interface they want to use (Web, tablet or smartphone). It needs to be linked to supporting applications (SAP, Oracle, Salesforce, etc.), documents and policy statements must be held somewhere (Sharepoint, FileNet, Documentum, etc.), and there must be metrics (Excel and BI system, etc. interfaces). Finally, add collaboration and governance over all these artifacts and you have "auditable sustainable improvement."

This user-centric business process management (BPM) is also being called SocialBPM. Some of our clients, such as Carphone Warehouse, call it How2 because that is what it means to their staff.

Could you achieve this using Visio and PowerPoint with some Sharepoint thrown in? No. In exactly the same way that your finance department doesn’t do their accounts using Excel and some clever macros. They use an accounting package. Fortune 500 companies around the world like Nestlé, HSBC, Chevron or Novartis see this approach as complementary to their core applications and critical to maintaining compliance at an acceptable cost. That is why this form of BPM is thriving in industries where compliance is critical such as pharma, banking, insurance, oil and gas.

But for the CIO compliance is far wider than just process management. It touches every information asset: customer data, process information, application configuration, user directory, social media and corporate websites. Much of it is outside the firewall in the cloud or on a person’s personal "device."

So does CIO really stand for Career Is Over? Based on the backdrop of the 3Cs it seems that the role of the CIO today has a limited life. For those on a career path aiming towards CIO this is completely demoralising, which can be summarised as, “You’ve been climbing the corporate ladder only to find it is leaning on the wrong wall."

Thankfully, it is not as bleak as that. There are CIOs making a transition. They are embracing rather than fighting the 3Cs. Employees’ consumer orientated devices like iPads are more likely to be accepted and integrated into the network infrastructure. Cloud computing is being actively baked into IT strategies. And finally compliance is now considered a part of the business operations supported by IT, rather than delegated to the Quality or Risk team.

This shift will not be done tomorrow, but over the next two-to-five years. The smaller the organisation the faster and more dramatic the transition. Yes, the role of the CIO, as manager of the IT department full of developers, service delivery and infrastructure will diminish. As per John Chambers’ recent comments at Gartner Symposium, the CIO will increasingly become a trusted advisor to the business. They will be architects of the IT capability. Managers of third party suppliers requiring commercial and procurement skills. Their role model and career path will be more like a partner at Accenture or PwC rather than through the ranks of IT. This has profound effects on who they see as role models, their career path and aspirations.

Like the addict looking for a way out, the first step of any transformation is admitting you have a problem.

—Ian Gotts, Founder and CEO of Nimbus Partners, is the author of six books including Common Approach, Uncommon Results; Why Killer Products Don’t Sell; and two Thinking of … books on cloud computing. He is a prolific blogger with a rare ability to make the complex seem simple, which makes him a sought-after and entertaining conference speaker. His book, Thinking of ... Offering a cloud Solution? Ask the Smart Questions, articulates the opportunities and the challenges ISVs face in their transition to the cloud.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.


5 Tips for Managing Data Breach Risk

The trend towards outsourcing is making companies more vulnerable. It is time they upped the ante to manage data-related risk.

By L. Elise Dieterich and Ronald Whitworth

Sensitive, personally identifiable information (PII) such as names, account numbers, trading and other financial information are collected and used for virtually every customer and internal corporate function: HR, marketing, sales, customer support, technical support, product development, investor relations, regulatory compliance ... the list goes on. Companies also handle sensitive data related to intellectual property (IP) and trade secrets that must be protected. Because the risks are high, companies should put procedures in place to minimise the likelihood of data breaches and to mitigate the damage if a release occurs. In this article, we identify five steps every business should take to ensure that it is facing and appropriately managing data-related risks.

The trend toward cloud computing, use of third-party application service providers, and outsourcing functions that can include payroll, benefits, marketing and more, multiply the potential vulnerabilities, and up the ante when it comes to managing data-related risk. Recent, high-profile cases illustrate all too vividly the financial, legal, and reputational damage that can occur when sensitive data goes astray. These examples highlight that companies that experience the unauthorised release of sensitive data (accidentally or otherwise) potentially face at least two types of claims: claims by the individuals whose sensitive information has been exposed, and indemnification or damages claims by creditors or other companies that may have incurred losses as a result of the breach. In this area, more than most, an ounce of prevention can truly be worth a pound of cure.

Know what you’ve got - Among the first steps every company should take in evaluating their information security is to catalog every place where the organisation acquires, uses or stores potentially sensitive data. Common data portals include the company website (are there contact, registration, or application forms online); the employment process; and information collected for marketing and sales purposes. Find out who is in charge of each type of information, and who has access to it. Is information shared with outside vendors or other third parties? Determine what physical and technological safeguards are in place to protect sensitive data. Make plans to stop collecting and destroy PII that the company doesn’t actually need.

Know your obligations - To protect employees and consumers, a host of federal and state authorities have implemented an alphabet soup of privacy and data security laws. Depending on the kinds of data your company handles, acts with acronyms such as CAN-SPAM, COPPA, ECPA, FACTA, FCRA, GLBA, or the USA Patriot Act may apply. Private standards may also be applicable by contract. And, of course, both the FTC and state attorneys general have become increasingly aggressive in their enforcement of laws prohibiting “unfair and deceptive trade practices” against companies that say one thing about how they will use information they collect, then do another.

Be aware, also, that it is increasingly common for the government to request information about individuals from companies who have such information in their possession. Not every government request is valid, particularly if the request is not supported by a proper subpoena. Any request should be carefully vetted, as phone companies very publicly learned when they cooperated with government requests for customer information in the post-9/11 period.

Know your partners - If your company handles sensitive data for others, or relies on outside vendors for functions that require the company to share its data, it is crucial to know exactly how each and every vendor agreement addresses privacy, confidentiality, data protection, and responsibility in the event of a breach.

Know whether you’re covered - Faced with a data breach that potentially could result in disclosures of private information, companies may look to their insurance policies for protection from resulting claims, costs, and liabilities. As a result, before a data breach occurs, companies should take steps to ensure that they have the coverage that they need. In particular, companies should conduct an audit of their insurance portfolios to identify potential gaps.

Have a plan - First, an ongoing plan to govern how data is collected, handled, stored, shared, and accessed day-to-day. And, second, a plan to govern how the company will respond if the worst occurs and, despite best efforts, sensitive data is lost or stolen. The first plan will include external privacy and confidentiality policies, and internal policies to ensure data protection. Second, the company should put into place a plan to detect and respond to any unauthorised access to, loss or breach of sensitive data. This plan should address who is responsible in the first instance for being on the lookout for data incidents, including computer hacking; loss of physical files, devices or drives containing sensitive data; and misuse of data by company employees or vendors. The plan also should spell out how, once a breach is detected, the company will respond, from an IT, legal, insurance, and public relations perspective.

While the parameters of responsibility for data protection remain uncertain and in flux, it is crystal clear that the costs and liabilities associated with failing to protect sensitive data are on the rise.

92% of data breaches are caused by hackers and malware attacks

—L. Elise Dieterich is a partner in the Regulated Industries practice in Sullivan and Worcester's Washington, D.C. office, and advises clients on a wide range of matters affected by government regulation. With over two decades in practice, Ms. Dieterich has represented clients in matters involving numerous state public utility commissions and federal agencies including the FCC, FTC, Department of Commerce, Department of Justice, Department of Energy, and EPA, as well as in litigation and mediation.

Ronald Whitworth is an associate in the Privacy & Data Security and Telecommunications Groups in our Washington D.C. office. Mr. Whitworth is a Certified Information Privacy Professional (CIPP), as certified by the International Association of Privacy Professionals (IAPP), and handles a wide variety of state, U.S., and international privacy and data security matters for S&W’s clients.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.

The 8 Truths of Quality

Clear the air around quality practices by busting myths associated with them.

By Donn DiNunno

Quality practices (e.g., quality management, quality assurance, quality control, quality improvement) apply to a broad range of topics and tasks, and this broad scope has created some dangerous myths about applying quality principles and practices. Here are a few misconceptions that should be cleared up to avoid the cost of poor quality:

1 Quality is free - You’ve heard of buying new windows because they “pay for themselves” in energy savings. Well, the windows aren’t free. They may be worthwhile and profitable over the life of the investment, but there is an investment that must be made to reap the rewards. Philip Crosby was right when he said quality is free, but only in a certain sense. The cost of quality is significant – especially poor quality. Quality is free like marriage is free. When you consider the rewards and the costs of going without it, it’s better to have it. Quality practices applied effectively add value to your value chain, but not immediately or always to the bottom line.

2 Quality is qualitative - Speaking of the bottom line, if you don’t have a measurement system in place, you won’t be able to determine where or whether quality practices save money, improve productivity, or avoid costs from waste and rework. Program managers know that they have to balance doing things quickly, inexpensively, and well, but they tend to measure only the cost and schedule -- leaving the wellness of their programs to chance or, at best, to “intangible measures.” The pervasive and embedded nature of quality leads to an unwillingness to measure it out of fear of becoming invasive or too costly. The truth is you can touch and measure the rewards of customer satisfaction and trust, process improvements, waste reduction, productivity enhancements, and gains in system availability and continuity -- due to sound quality management practices. This tangibility comes from having a good definition of quality.

3 The definition of quality is too subjective to be defined to be useful - It’s true that "quality" is a concept that some people aren't comfortable defining. They consider it to be too subjective and different, based on individual perspectives (e.g., process, product, or people). Even when we know what it is, it eludes precision. If we can't define it, it then becomes something that can't be measured or controlled. Whether quality means “meeting stated requirements,” or “satisfying customer expectations,” or “eliminating bugs,” etc., define what quality means for your organisation so it can be continuously measured. Pick a few good indicators of good quality and inspect and expect them to be improved.

4 Do things right the first time. Zero-defects is the way to go - Suppose that you decided you are going to start each day doing the right things right the first time. Do you realise that if you did everything right, you’d probably never even get to work each morning? Between planning the day (and updating the week’s plans), taking care of pre-requisite activities such as cleaning, chores, exercise, family relationships & commitments, conducting necessary fact-finding into weather and traffic, considering food options, gathering resources, coordinating with others’ schedules, etc. you’d probably never get out of bed from the risk management activities and decisions! Face it, to get anything done, we all make compromises on quality. Usually, allowing a few errors, surprises, and lessons is more advantageous than getting that clean audit with no findings and no after-action root cause analysis. However, the opposite extreme is just as dangerous: If you fail to plan, your lessons learned will be from painful and inexcusable failures. Effective quality management comes from finding a balance between these extremes.

5 Quality assurance (QA), quality control (QC) and testing are pretty much the same thing - Those who can’t define quality may think that QA, QC and testing mean the same thing. However, these processes refer to specific and separate activities. Quality assurance is a process-oriented set of activities ensuring continuous and consistent improvement (e.g., the planning, monitoring and execution of the quality plan and processes). It is an embedded and preventive action that defines the expectations (e.g., specification and standards development).

Quality Control is a product-oriented set of activities designed to evaluate (measure and control) against pre-defined requirements. QC deals with the measurement, analysis, and reporting of work procedures and associated deliverables. QC verifies that deliverables are of acceptable quality and that they are complete and correct (e.g., internal audits, or pre-production inspections, in-process reviews, or final shipment inventories). Testing is a specific example of a QC activity but it isn’t the same thing. One example is reliability testing that might include testing a sample for mean time to failure (MTTF) or service life. Testing is a component of QC, but there are certainly others. “Testing out” bugs (that should never have been inserted into products or processes) should be considered a last resort to “painting on” quality rather than building it into everyone’s workmanship.

6 Quality is the quality manager’s (or QA group’s) responsibility - Deming said it best: "Quality is everyone's responsibility." Quality management has to be incorporated into the fabric of the organisation. Quality improvement is done best when it is recognised and respected at every level. The gains are lost if there's no buy-in from the top or the bottom. It can be agreed upon that QA/QC activities such as standards development, inspections, etc. are primarily the responsibility of those within the internal QA unit(s) or often the third-party quality provider. However, this does not relinquish responsibility from all others. QA is best achieved when top management recognises, reinforces, and rewards the application of quality principles and practices.

7 Quality is an expense that should be minimised - Quality often gets “shortchanged” when times are tough. When hiring contractors, program managers will insist on SLAs for cost, schedule, and performance measures, but I’ve heard them say that, “qualified employees from a quality certified company will produce quality work." They refuse to insist on or pay for quality practices; they just assume that mature processes, integrated teams, quality practices come automatically with a quality-based company. That’s why they chose that company, but, by choosing to downplay quality, the potential benefits are rarely realised. In fact, even if your assumption that the vendor will provide it is true, by choosing not to grow quality organically into your organisation and to rely on purchasing it, it most likely will leave when the vendor leaves.

8 Work smarter and you will be rewarded - Good quality practices, like an effective network, are really only noticeable when absent. When present they tend to be overlooked and go unrewarded. Everyone praises the individual or team that fixed the major problems during the night to avoid a catastrophe, but few thank those who worked smart enough to avoid the problem in the first place and went home to a good night’s sleep. The rewards for quality practices and individual reliability may have to come from embedded sources -- just as the quality is built from within.

From an organisational view, return on investment from “quality insertion” may not be immediate, but it is real and significant. Reduced risks, reduced rework, and even small investments in quality improvements add up. When organisations incorporate quality into every process within their organisation, the benefits are tangible -- from less turnover to fewer emergency situations to happier customers.

Of course, small fixes aren't going to produce long-term results if permanent changes aren’t made. It’s always easier to measure the cost of putting out a fire than it is to measure the cost of preventing it in the first place, but prevention is much more beneficial in the long run.

With these eight quality misconceptions exposed, quality can be raised to the same importance as cost and schedule management. Understanding the “quality-gates,” the expectations, the indicators (e.g., risks, changes) and what to measure provides an opportunity for everyone to build and leverage the value of quality practices embedded within an organisation.

13.4% growth of business intelligence software market in 2010

—Donn DiNunno is Quality director at EM&I, whose consultants specialise in the areas of strategy, governance and engineering.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.

Marketing the Cloud

What is the best way to market a technology that is disruptive and evolving? Read on to know how.

By Ken Oestreich

Of all the marketing, marketing "The Cloud" has all the makings of a real challenge: The concept is new, the technology is disruptive, buyers are skeptical, hype abounds, and the terminology (just what is "cloud"?) is murky. So, when recently asked how do I "market the cloud" this Blog idea arose.

For me, marketing is far more than making "buzz" in the market. It's about matching seller and buyer: First, ensuring that the seller's product specifically targets one or more needs in the market (and adjusting as-needed), and second, ensuring that the buyers understand the product and its fit-for-their-purpose (and adjusting the buyer segments as-needed).

So, where a nascent concept, confused buyers, and evolving definitions are concerned, I turn to basics of new product introduction: (a) understanding customer problems/opportunities, (b) clearly defining the product/solution, (c) addressing objections, (d) helping customers through the adoption cycle.

Focus on specific issues the cloud addresses, not the Cloud itself: Before I recommend "cloud" as a solution, I ask myself what problems will customers really try to solve? They've heard “cloud” and it likely interested them, but for what reason? Getting to the need point is critical: Is it cost? agility? keeping-up-with-the-Jones’? New business enablement? You have to first ask the business need question, not try to force-feed a solution. Usually the cloud model is compelling on nearly all levels - but the customer first needs to understand - and want to pursue - the opportunity. Good marketers ensure customers self-select into the solution, even if it's an extremely broad one. Also, an exercise I sometimes pursue is to avoid using the term "cloud" altogether during this phase. Instead, I focus on the attributes of cloud computing, and wait to hear whether they resonate with the customer's needs. Sometimes they might not.

Get clear on definitions - and use lots of adjectives: The next question to ask is: What cloud? Too often marketers of the cloud model don't modify the noun Cloud with an adjective like Private/Internal, Public, Hybrid, etc. causing even more confusion. It's alphabet soup. Many buyers usually start by thinking the only cloud is the public cloud. Once buyers are clear about the operational cloud model you're both talking about, you can have a more meaningful marketing action.

Know your buyer's technology maturity, and technology appetite: Different markets, segments and customers will have different technology appetites and be at different technology maturity states. So, as much as vendors want buyers to take a big step and buy all-new stuff, there has to be a spectrum of offerings to fit buyers at different stages of the maturity curve.

Be pragmatic - identify resistance areas and objections: I say pragmatic, because everyone has their own list of objections and concerns. They might be trust/security/governance issues; economic models to justify the investment; the risk of moving to new operational models; dealing with change management (a change in IT will necessarily impact changes in related orgs); the list goes on. Make sure you've listened carefully to all objections, and thought-through responses. I've unfortunately seen wonderful products fail - not because they don't work, but because when it comes to implementation, all of the pot holes and speed bumps haven't been identified and addressed.

Be pragmatic - it's a Journey: Few buyer segments adopt all-new models - especially cloud - in their entirety on day-1. So marketers need to be prescriptive about where to start, what to do when, and how to help buyers with a roadmap that accelerates them down the path. Most cloud buyers (with the exceptions of folks like service providers) make incremental changes to infrastructure – so marketers have to help recommend the incremental changes (and products/services) they’ll need in the coming years.

Educate: Finally, I believe a rising tide lifts all boats. The more the market is educated about cloud computing models - and how to get there - the faster the market will mature. It's our job to help provide education tools, models and success stories. And to draw distinctions between here-and-now vs. futures vs. vision.

The opportunity we have with cloud is also a danger: There is an inordinate amount of hype in the space. So, as we move down the hype cycle, we need to get pragmatic about the value the cloud model offers, the journey customers take to implement, and the opportunities it creates.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.

The Chief Technology Officer Forum

cto forum 21 APRIL 2011



Case Study | Godrej Properties

GPL Plays Tag, Boosts Conversions

Challenge: Using a cloud-based CRM implementation, Godrej Properties Ltd. decided to tag customers Hot, Warm or Cold, and built a system of follow-ups that boosted its conversion rates across its projects.

Established in 1990, Godrej Properties Limited (GPL) claims to bring the Godrej Group philosophy of innovation and excellence to the real estate industry. GPL is listed on the Bombay Stock Exchange (BSE) and The National Stock Exchange (NSE). The company has received several recognitions for its processes and performance which include the ‘Best Business Practices’ award for two consecutive years (2009 & 2010) and the ‘Corporate Governance of the Year, 2008’ award from Accommodation Times. GPL has also featured as the #1 ranked real estate developer for two consecutive years (2009 and 2010) in the ‘India’s Best Companies to Work For’ survey, conducted by ‘The Economic Times’ and ‘The Great Place To Work Institute’. GPL has been featured for five consecutive years as one of “India’s Top 10 Builders” by Construction World magazine. An important contributing factor that enabled this success was the intelligent use of IT to achieve simple, incremental, but far-reaching goals that boosted the company’s profits and endeared it to customers for its efforts at superior customer service.

GPL’s objectives and challenges

GPL aspires to be among India’s top three real estate companies while continuing to be the most trusted name in the industry. GPL has completed several landmark projects and is currently developing projects in 11 cities across India. Throughout its operations, the company aims to deliver superior value to all stakeholders through extraordinary and imaginative spaces created out of deep customer focus and insight. In reaching out to a customer base that aspires to purchase property from a reputed builder, the company needed to address some key areas from an IT perspective, such as:

1. Building a robust follow-up system
2. Tracking the effectiveness of a campaign
3. Consolidation and assignment of leads
4. Unifying Sales and Post-Sales processes across sites
5. Building a strong customer feedback mechanism
6. Tracking customer complaints & turn-around time.

COMPANY DASHBOARD
Company: Godrej Properties Ltd
Established: 1990
Headquarters: Mumbai
Total projects: In 11 cities across India
Future projects: Development of 83 million square feet across the country

Shailesh Joshi, Head of IT for Godrej Industries, implemented CRM based on cloud computing. It resulted in important innovations within Godrej Properties' IT.

The solution

“We decided to implement Salesforce CRM which is based on the cloud computing model and saves us server and related costs,” says Shailesh Joshi, Head of IT for Godrej Industries Ltd., who also heads IT at Godrej Properties. The project has had a direct impact on the Marketing and Sales departments at GPL and on Customer Service.

Important innovations: Among the main innovations that Joshi and his team built into the project are:

Follow up methodology: They made provision for a lead to be tagged ‘Hot,’ ‘Warm’ or ‘Cold.’ “This rating is mandatory. In case a lead is marked Hot or Warm, it becomes mandatory to enter a follow-up date and time for the lead,” Joshi said. This automatically creates a task in the system and reminds the lead owner to follow up on that lead. Supervisors get a daily report about their team regarding follow-ups done and pending tasks, if any.

Customer centricity: This module tracks customer complaints throughout their lifetime. The complaint can be registered through mail, phone call, walk-ins or the customer portal. In each case, a unique ID is generated for the complaint. The entire life cycle of the case is then tracked and the case is resolved through assignments and escalations. Work progress on the case is also visible to the customer through the portal. Moreover, the customer is updated on the case status, closure date and comments through email and SMS as and when the status is changed. The customer’s feedback is captured through SMS, email or phone and a case is closed only after this feedback is captured.

Business impact

The return on the investment for the fully deployed project was anticipated as quickly as within six months to a year from deployment. Among the processes that the project impacted are the following:

Lead management: With an end-to-end system in place, GPL can track the entire lead life-cycle. They can segregate customer leads and rate them according to their interest in various properties. GPL also built in flexibility to pass on leads from one user to another. Hence, if a customer walked in at the Mumbai office for a property in Kolkata, the Mumbai user can assign this lead to a user in Kolkata with his comments.

More awareness about customer behavior: With special comment and drop-down boxes that become mandatory in case of certain scenarios, GPL was able to capture customer requirements and feedback more effectively. “We were also able to track reasons why leads did not convert and consolidate this information and learnings for forthcoming projects,” Joshi says.

Campaign management & turnover: GPL advertises across several mediums and hence Joshi’s team customized the system such that every lead can be tagged to a campaign, be it newspaper, electronic media, exhibition or hoarding. This helped the Marketing team track the success of their campaigns in terms of revenue generation vis-à-vis investment. The new CRM-based tracking system also helped GPL tackle the issue of handling bulk leads.

Project launches: Recently, GPL successfully launched a large township project and this gave a good platform to test this software. “The software handled the rigours of the launch well. Sales personnel across regions could access the system, check the flat status and complete the booking process on-line immediately,” concludes Joshi.


Cover Story | Leadership

Women Leaders Making the Cut

A few women have broken into the male bastion called CIO. They are role models for a whole new generation of aspiring women IT leaders. By Yashvendra Singh

Vandana Avantsa, CIO, Motherson Sumi Systems
Annie Mathew, CIO, Mother Dairy
Amrita Gangotra, Director – IT, India & South Asia, Bharti Airtel
Neena Pahuja, CIO, Max Healthcare
Asmita Junnarkar, CIO, Voltas
Reena Malhotra, Deputy General Manager (IT), MTNL
Puneet Kaur Kohli, CIO, Marvel Group

Imaging by PC Anoop

To boost team productivity, a large number of organisations today want to bridge gender diversity at all levels. They have realised women have those extra qualities that men lack. Women by nature are team players and possess the strength of getting into details to solve problems. They have more patience, and can take higher levels of stress, irrespective of whether it is home or workplace. Women bring in that required focus and commitment to finish the job on time. The reason for this could be that they have another job to be done at home.

Attributes such as self belief and a fighter attitude are common for both males and females to succeed in any sphere of life. However, for women, unflinching support from the family is of utmost importance to make it big in life. There is a saying that behind every successful man there is a woman. Likewise, behind every successful woman, there is a complete family.

Professions with odd working hours have always deterred women from taking them up. In the field of IT, there are a sizeable number of women in the applications development and support space but few in the area of network infrastructure. The running around and late nights associated with network management come across as a big deterrent for women. For a woman CIO to be competent, she needs to have a complete knowledge of application, infrastructure and security. Till now, infrastructure had been a grey area for women. Going ahead, this scenario could change with improvements in areas of social networking, video conferencing and remote management. There are tools that enable one to remotely manage the network without being present in office.

While the next generation of women CIO aspirants could find the going easy with these new developments, there has been a generation of women CIOs that has done the tough act of balancing home and office, broken the glass ceiling, overcome all odds, and emerged triumphant. In the following pages, you will come across women CIOs who took the path less traveled and excelled in their endeavours.


Leadership Lesson
Collaborate and network well. Always be eager to learn and keep an open mind so that you can imbibe more. Learn from your mistakes. It will help you in moving to the next level.
Amrita Gangotra, Director – IT, India & South Asia, Bharti Airtel

Career Track
1988-1989: Research Officer, Allen Bradley
1989-1991: Sr. System Manager, HCL
1991-2000: Sr. Project Manager, Nestle India
2000-2002: CIO, HCL Comnet
2002-Present: CIO (India & S. Asia) Bharti Airtel

Amrita Gangotra | Bharti Airtel

Evolving New Revenue Streams

Amrita Gangotra has been successful in aligning IT with the interests of the company. By leveraging IT, she has opened up additional revenue streams for the company.

Photos by Subhojit Paul

Amrita Gangotra, Director – IT, India & South Asia, Bharti Airtel, has what it takes to be a CIO and leader. With her perfect combination of over two decades of technology experience and keen business acumen, Gangotra is able to bring an alignment between IT and business. “It was not just technology that excited me. I was also interested in knowing the business value that was derived from the technology,” she says. Gangotra’s exposure to different industries (FMCG, telecom and IT) has helped her a lot in understanding the evolution of technology and business.

At Bharti Airtel, she has been instrumental in harnessing IT to provide additional revenue streams for the telco. “The telecom industry is going through a transition. The traditional telco organisation that was predominantly focused on voice (landline, mobile, and MPLS) is now trying to get additional revenues from data,” says Gangotra. “The new streams of revenue, including m-commerce and 3G, which we are trying to develop, have lots of elements of technology in them.”

Under Gangotra’s leadership, Bharti Airtel became the first operator in the country to launch the app store. “We had a different model as compared to the device vendors. So, while Apple and Blackberry had apps specifically for their devices, ours could be downloaded by anyone. As we don’t deal with devices in India, we had to overcome the challenge of managing it across devices, and linking it with the billing and charging system,” she says.

Launched in 2010, today, Airtel claims its app store is the world’s biggest operator-owned app store. Since its launch, there have been more than 40 million downloads from the app store out of which 32 percent were paid apps. Gangotra has developed solutions for the media industry that enabled digital distribution, and had functionalities related to advertisements. She has also come up with cloud solutions for SMBs, thereby opening up new channels of revenue for Bharti. “Creating solutions for evolving new revenue streams is challenging,” she says. “Also developing and deploying a new solution calls for a series of tough decisions. One needs to create a business case and do a lot of brainstorming with the CXOs to get them on board.”

During her journey to becoming the CIO, Gangotra has been fortunate to receive unstinted support from her colleagues and family. “Every career has its ups and downs but overall the journey has been pretty much rewarding. I have been very lucky to have supportive bosses and family. I have never had any problems being a woman,” avers Gangotra.

On future plans, she says, “The challenge for a telco like us is to grow the revenues from voice. However, scalability and technology architecture are insensitive to price erosion. I have to do what I have to do. Going forward, the additional revenue streams would need a lot of support from the IT team.” Although not sure, Gangotra says she could look at turning into an entrepreneur in future.



Annie Mathew | Mother Dairy

Pioneering Effort

Annie Mathew’s decision to deploy SAP in Mother Dairy was ground-breaking. The results mirrored the decision.

Photo by Subhojit Paul

For Annie Mathew, it was a chance decision to get into IT. Armed with a degree in chemical engineering from Nagpur University, little did she know that a not-so-well-thought-out career move would leave her hooked onto IT for life. “It was by chance that I got into IT. Petrochemical major NOCIL (National Organic Chemical Industries Ltd), a JV between Mafatlal Group and Shell, was looking for chemical engineers to manage their IT. Fresh out of college, and with the IT sector evolving at that time, I decided to give it a shot,” says Mathew. The rest, as they say, is history. Before Mathew realised, she had developed a passion for IT. From Project Leader, Systems at NOCIL to becoming the CIO of Mother Dairy, the journey for Mathew has been “full of learning.”

So did Mathew ever feel constrained in her professional growth because of her being a woman? After all, it is rare to find a woman in a leadership role in such a technical field as IT. “No, I don’t feel gender is significant in the journey to becoming a CIO. I feel the challenge is more on the personal front. For a woman in the IT field, it is tough balancing kids, husband and work,” she says. With her better half being in a transferable job (he is in the Air Force and gets posted out every 3-4 years) problems were compounded for Mathew. “I remember taking my two-year-old son, after his day care, with me to office and keeping him there till 9-10 pm. After becoming a CIO, I have to be extra sensitive towards women in my team,” reminisces Mathew.

While it’s tough to do the balancing act, women bring their own value adds to the table. “When one struggles for something, it becomes more valuable. This is the reason why women are 100 percent committed to their jobs as compared to men,” believes Mathew. This sense of commitment went a long way when Mathew encountered the biggest challenge in her career: implementation of SAP at Mother Dairy. Not only was the project challenging, it also involved Mathew taking some of her toughest career decisions.

Before she joined Mother Dairy, the company had deployed Navision and legacy applications. “The toughest decision was to swap it with SAP. There were a lot of SAP failure stories doing the rounds at that time. The stakes were high as we were going to be the first company in the dairy industry anywhere in the world to deploy SAP across all business processes,” she says. “We could not find a comparable case study in the dairy industry worldwide. We had to ensure that the organisation was ready for such a big change as we were going to be the trailblazers in this area,” recalls Mathew.

For Mathew, convincing the management to go for SAP was the smaller challenge. The bigger challenge was convincing the users who were in their comfort zones with the legacy systems. While 50 percent of this has to be mandate driven, Mathew had to take care of the huge change management exercise. “We went live in 2008. Building the momentum and convincing the users to transition to the new system needed that extra effort. There was top-down support from the Board in ensuring that the mandate was clearly articulated and mandated. A highly responsive core team ensured the users were trained multiple times and supported throughout,” she says.

Soon, the result was there for all to see. Annual closing, which used to take four-five months, is expected to close within two months. From collecting thousands of cheques a day, they are now able to directly debit money from their customers’ accounts. The company's ability to forecast business results has improved significantly.

Going ahead, Mathew says, “We plan to roll out HR/Pay-roll on SAP. We are already through with GPS integration that has enabled us to keep track of mileage and routing of our vehicles. MOSS deployment is helping us build a cohesive organisation.” “In future, I see myself continuing to make a difference, evaluating and harnessing new trends such as cloud, virtualisation and social media, and making IT an effective business enabler,” says Mathew. She certainly intends to stay hooked to IT.


Leadership Lesson
It is very important to plan your career in the right way. Whenever you feel stagnated, move on.
Annie Mathew, CIO, Mother Dairy

Career Track
1988-1997: Project Leader - Systems, NOCIL
1997-1999: Manager - Systems, Bharat Shell
2005-Present: Mother Dairy


Leadership Lesson
No leader can succeed alone. You need to have a strong team backing you, which would not only comprise your subordinates but also your peers and seniors. It is important to win the hearts of people and create a team that helps you and your organisation to succeed.
Asmita Junnarkar, CIO, Voltas

Career Watch
2008-Present: CIO, Voltas Ltd.
1995-2008: Delivery Centre Head - Gujarat, Tata Consultancy Services
1983-1984: Programmer, Hinditron Consultancy

Asmita Junnarkar | Voltas

Leader For All Seasons

Asmita Junnarkar, CIO, Voltas has worn many hats in her career including that of an entrepreneur. She has emerged a winner in each role.

Photo by Jiten Gandhi

While some people are bad at facing challenges and some are good at it, there are others for whom challenges are the greatest motivators in life. Asmita Junnarkar is a typical career woman busy juggling multiple hats of a wife, a mother, a daughter, a CIO; she has also been a consultant, an entrepreneur and a lot more.

A science graduate and an MBA in Operations Management from SP Jain College, Mumbai, Junnarkar started her career as a Programmer at Hinditron Consultancy in 1983, working on Mainframe systems at the time. Later Junnarkar had to move to Ahmedabad where she decided to start her own IT company—Applications Software Group, from home. However, while everything was going great with her own venture, Junnarkar always wanted to work with a large IT consultancy firm and when TCS opened its first office in Ahmedabad in 1995, she decided to make the switch. While heading the TCS Gujarat Delivery Centre operations for three years, Junnarkar implemented an innovative service delivery model of shared support services for a global customer base. In 2008, she joined Voltas as a CIO, switching the sides of the table again.

However, achieving all this wasn’t easy for Junnarkar as she had to travel across the world for work while working with TCS. Maintaining the right balance between work and family was the biggest challenge for her, which she evidently succeeded in doing. “Women need to make a conscious effort to maintain this balance. I personally do not access mails over the weekends and even during weekdays, when I’m at home. I attend to only urgent mails,” Junnarkar opines.

One of the biggest projects initiated by Junnarkar in Voltas was creating a virtual server farm. “At Voltas, we were running independent servers for each application. As business was growing, we needed to expand the capacity of these servers to meet demand. However, each of the applications had peak loads at different times of the year and it wasn’t prudent to buy servers to meet peak demand of each of the applications. Additionally, there were regular demands for new servers for all those new applications that we were deploying. We took this opportunity to propose a virtual server farm by pooling in budgets of all new servers and old server upgrades,” Junnarkar explained. By deploying a virtual server farm, Voltas was able to improve its server utilisation from the previous 40-45 percent to over 70-75 percent now. Apart from an increase in utilisation level by close to 30 percent, the company has been able to save on other attributes including power, cooling and real estate.

Junnarkar was also behind an ambitious project to make its overall global operations IFRS compliant. To achieve this, Junnarkar proposed to upgrade the existing SAP to ECC 6 version, and shift the company’s international operations in UAE, Qatar and Singapore from stand-alone applications to an integrated single instance SAP for the entire organisation. The biggest challenge to do this was that there were no examples to follow. “We couldn’t find even a single example of IFRS compliance at transactional level in India. So we decided to build one,” Junnarkar recalls. “Apart from the solutioning challenge, it was a major Program Management challenge too. I had to personally supervise all projects, DC & DR hardware upgrade, SAP Technical Upgrade, SAP Overseas Implementation, SAP Functional Upgrade and SAP IFRS configuration,” she says. Voltas completed the IFRS Compliance initiative on time and within budget. This, as per Junnarkar, is her biggest achievement in Voltas.

In the next round of her career, Junnarkar aspires to go back to being an entrepreneur. However, this time it won’t be IT, she says. “I think I’ve already achieved what I had to achieve in this domain. Now, I need something challenging otherwise it won’t be of much interest to me.”

—By Varun Aggarwal


Leadership Lesson
Take decisions and own them. Don’t go in for products that demand upfront expenditure. Optimally use your internal workforce and make small investments.
Reena Malhotra, Deputy General Manager (IT), MTNL

Career Track
1993-Present: Deputy General Manager (IT), MTNL (On deputation from Department of Telecom)

Reena Malhotra | MTNL

Overcoming Odds

Reena Malhotra took on the arduous task of overhauling MTNL’s legacy systems. In the process, she built a solid reputation for herself.

Photos by Subhojit Paul

The first time Reena Malhotra, Deputy General Manager (IT), MTNL, approached the top management with a draft on the telco’s spam policy, she was in for a surprise. Instead of debating its approval, the management looked up the dictionary to find the meaning of spam. Not finding the word in the dictionary, they rubbished the draft. “Today everyone knows about spam but a decade back, hardly anyone knew about it. However, being an ISP, we had to formulate a strategy on spam otherwise we would have been blacklisted in the international market. It took a while to convince the management on the importance of having such a policy in place,” says Malhotra, going down memory lane.

This was just one of the challenges Malhotra had to encounter in her professional journey to reach where she is today. There were times when being a woman posed problems for her. “Being a woman, there were apprehensions. People would doubt whether I would be able to deliver or not. Leading your team members in a male dominated country like India is tough. It is even tougher in a government set up where the average age is 45 years,” says Malhotra, who has an engineering degree in electronics from Jodhpur and a post graduate qualification in computer science from IIT, Delhi.

Malhotra, however, has the habit of overcoming the odds. Despite hailing from Rajasthan, a state where education for girls is not a priority, she completed her studies in engineering and IT. There were few (even fewer in Rajasthan) women who opted for these streams back then. It came naturally for her to overcome whatever odds came her professional way. “The biggest challenge for me in MTNL was related to processes. Being a traditional government organisation, everything was manual in MTNL. A major chunk of the huge workforce of operators and linesmen (40,000-50,000) was non-productive. There was stiff resistance from employees against deployment of IT as it would have made them accountable, and measured their productivity,” she says.

All CRM activities at that time in the state-owned telco were manual. Customer care and contact centers were either not there or even if they were present, they maintained manual reporting logs. Malhotra eventually convinced the management that if they had to compete and survive in the telecom industry, there was no other option but to leverage the power of IT. “We deployed applications and systems, and integrated the various legacy applications. We then motivated the employees to use the new system. The new system helped in data consistency so that the same information was available end-to-end,” she says.

The CRM deployed by Malhotra has today expanded like anything from a functionality, applications, and subscribers’ perspective. “If you look at what it was handling at that time and what it is handling today, there is a vast difference. Applications and subscribers have grown 10 times. There were 1.5 million subscribers when I joined 12 years back. Today, all put together, there would be 10 million subscribers,” says Malhotra.

Malhotra doesn’t believe in resting on her laurels. She is ensuring her IT is in tune with the times. “Lots of new services keep on coming. We have to ensure service delivery for CRM billing keep coming. Everyday operators keep coming out with new concepts and one needs to ensure that his systems have those concepts within negligible time,” she says. Malhotra is now in the process of consolidating the different CRMs within MTNL into a single solution. She says, “Nowhere in the world, in a telco, so many services are being brought at the front end at the same billing and CRM platform.”

Malhotra believes that reputation comes with time. She sure has built a reputation for herself. As she herself says, “If things are not moving in the right direction in the company, people now say give it to Reena’s team.”


Leadership Lesson
A tech leader should not just have experience in technology but should also know the working of business. Perseverance and an analytical mind are other desirable attributes.
Vandana Avantsa, CIO, Motherson Sumi Systems

Career Track
1995-1999: Head IT, Willard India
2000-Present: CIO, Motherson Sumi Systems

Vandana Avantsa | Motherson Sumi Systems

Innovative IT

Vandana Avantsa believes in being in the thick of things (read shop floor). Spending quality time there has helped her in developing innovative solutions.

photo by Subhojit Paul

T

alk about deploying IT in the most unlikely of places. Vandana Avantsa, CIO of Motherson Sumi, has been there, done that. The undying passion for her work has taken Avantsa where few CIOs have gone before. Deploying IT infrastructure in open fields in a remote location is certainly not something most CIOs would have done. “As head of IT with Willard India, I was responsible for setting up the IT infrastructure for their upcoming sugar plant in remote Uttar Pradesh. We were virtually setting up IT infrastructure in open fields,” recalls Avantsa, a commerce graduate from Delhi University and an MBA (MIS) from IMT Ghaziabad. This was in 1995 when Avantsa had to develop and implement an integrated application for cane procurement, management weighing system, implementation of stores, inventory, finance and procurement system. That the site was 100 kilometres from Delhi made it challenging, and being a woman only accentuated the challenge for Avantsa. “Being a woman, it came across as a challenge for me. I didn’t want to stay overnight at the site so I traveled 200 kilometers everyday to the site and back to Delhi the same day. It was very taxing as I had to manage both, work and home,” she says. “But in the end it was very rewarding. The team received accolades for the successful and on-time implementation of the project,” she avers. It was not just during her stint in Willard that Avantsa displayed the never-say-die spirit. It was amply visible in Motherson Sumi. “I have always believed that there is not one big challenge in a CIO’s professional journey, there are challenges every day,” she avers. It was her love for taking up challenges that led Avantsa to move from Willard to Motherson Sumi in 1999. Avantsa’s job at the former company had turned monotonous, while the latter was growing at a CAGR of 40 percent. A growing company throws up new challenges at its employees everyday.

There have been times when she had to go the extra mile to convince the management on crucial matters. “Even after Motherson acquiring the British wiring and harness manufacturing company, ASL Systems, the latter was using its own application. It was tough to convince the management to migrate the company on to our own application. They eventually agreed and were happy to see the resulting cost of ownership coming down,” says Avantsa. Who says it’s only the men on the shop floor? Walk into Motherson Sumi’s manufacturing facility and you would find Avantsa there. “I make it a point to spend as much time as possible on the shop floor because the problems are on the floor. One can’t get to know about issues sitting in the office cabin,” she says. This thinking has helped Avantsa to come up with innovative solutions. It was during one of her visits to the shop floor that she noticed precious copper (used in wiring harness) being wasted. She deployed a home-grown software solution that calculated the length of the wire. The software sent out an alert when the end of a coil was nearing, thereby enabling the worker to put another coil before it finished. “A CIO does not have to always buy expensive technology. This cost effective solution helped us in saving 3-4 percent copper for the company,” she recalls. It is a result of such innovations that Motherson Sumi was ranked second in the worldwide audit conducted by the Japanese parent company of its manufacturing facilities worldwide. “Under the automotive audit, every one of the 110 manufacturing facilities is strictly checked. It was a high point in my career when our unit came second in 2005-06,” she says. Avantsa is in the process of deploying ERP BI suit and PLM. The result of her achievements is that today she is a part of the cross functional team and also a part of any improvement project in the company. The Chief Technology Officer Forum


Neena Pahuja | Max Healthcare

Fast Learner

The hunger to learn and a strong grasping power have helped Neena Pahuja in slipping into any technology role with ease.


For Neena Pahuja, CIO, Max Healthcare, the big learning experience came from an unexpected quarter. She was at a Max hospital in Delhi where the IT network had been down for four hours. A patient approached her and lamented he was awaiting his discharge for a long time just because the network was down. That day Pahuja resolved that such an incident would never be repeated. “That day we decided to bring in redundancy into the system, and took a call to deploy VPN so that such an incident was never repeated again,” recalls Pahuja, an IIT Delhi graduate. Joining Max Healthcare was also a learning experience, in the literal sense, for Pahuja. Coming from a different background (she was the Global Head of Digitisation at Genpact), Pahuja had to go through the learning curve.


“In my role as CIO of Max Healthcare, I had to manage the complete infrastructure. It was a challenge for me. However, I had three months before joining Max, and I made the most of this time,” she says. “I took the help of my juniors to get into the groove. One of my juniors gave me 10 lectures on networks and infrastructure so that by the time I joined, I was ready with all the jargon,” she avers.

Today, Pahuja is in the driver’s seat at Max as far as the company’s IT is concerned. She has firmed up the company’s IT roadmap for the future. “I am now working on electronic health records and doing a lot around mobile health applications. Then we plan to do work on informatics so that we are able to analyse clinical data to help patients,” she reveals.

Pahuja has reached the top by setting her priorities right. She was able to strike the right balance between home and office. “There were times I could not travel for long duration on projects, so I opted for projects where I could survive without too much travel. I also took a break for three years and joined PhD when my children were very small. That kept me busy, gave me a value-add, in addition to giving me advantage of having flexi-time for working,” she says. Pahuja, however, never compromised on quality of work. She ensured that she used her office time most effectively to close all meetings and expectations. “Be passionate about what you want to do. It could be a project, or a relation. Your passion will make it succeed. The 24 hours are never enough in a day, but it is important to make use of every one of the 1440 minutes that you have,” she adds.


Puneet Kaur Kohli | Marvel Group

The Hard Taskmaster

At DVB (now BSES), Kohli played daughter, mentor and taskmaster all rolled into one.

During her stint in BSES (earlier Delhi Vidyut Board), Puneet Kaur Kohli had earned herself the nickname of ‘Sheila Dikshit.’ She was a typical hard taskmaster when it came to implementing IT in the entity newly acquired by the Anil Ambani-led Reliance ADAG. “Reliance had acquired Delhi Vidyut Board (DVB), and my mandate was to bring in the same level of IT deployment in the latter as it was in the former. I was the mediator between Reliance and DVB. It was a challenging situation,” says Kohli.

Kohli had shown her mettle in previous assignments also. While at Carrier Aircon, Kohli had convinced the global management to go in for a data archiving project that had a capex of Rs.40,000. It was, however, a different ball game at BSES. For a new CIO, past assignments mean nothing. New challenges need to be met with new solutions. “It was a tough job. The set up in DVB was typical of a government office. There was not a single table or chair, and the employees were not at all ready to accept new technology,” says Kohli, who is now the Group CIO for Marvel Group.

Kohli, who is an MBA (Operation) from FMS, Delhi, not just had to face hostile colleagues within DVB but also hostile customers at times. “Whenever the network was down, people with ‘lathis’ would gather outside the office,” she avers. “While I had to turn into a hard taskmaster with employees at DVB, there were times when I had to get into the role of a daughter and a mentor as well. To minimise trouble to customers, I sent mails directly to the Chairman of TRAI (Telecom Regulatory Authority of India) explaining to him that we could not afford any down times,” she avers. "In the end, I was successful in transforming DVB," she says. In her present role in Marvel Group, Kohli is in the midst of implementing 13 big projects across different verticals.

—yashvendra.singh@9dot9.in



TECH FOR GOVERNANCE

software licencing

Vendors tough on Licenses, not Solutions

While a new ISO tagging standard promises to solve licensing issues, just a handful of publishers have adopted it. By Kris Barker

5 POINTS
- ISO/IEC 19770-2 defines a process for creating a "tag" for each software product released
- Adobe and Symantec are beginning to tag new releases according to the standard
- Some vendors have created their own model for tagging
- ISO tagging will not be a practical solution until most software publishers fully adopt it
- The failure to act on tagging stems from a lack of awareness of the ISO standard



All aboard

In recent years software publishers have stepped up efforts to identify and penalise corporations for the use of unlicensed software. They have also become more aggressive in cases where corporations intended to fully comply with licensing rules, but failed. This is most often the result of IT departments being uncertain of just how many copies of an application are installed and in use or a shaky understanding of complex product use provisions. The challenges associated with identifying precisely what software resides on desktops, coupled with fear of costly audits by software publishers, create an unwinnable challenge for the IT department. Purchase too few licenses: expose yourself to legal risk. Purchase too many: squander your software budget. Neither choice is a win/win.

Eighteen months ago an international standard for software tagging emerged to address this issue and finally bring consistency to application identification. ISO/IEC 19770-2 defines a simple process by which publishers create and install an XML-based "tag" for each software product they release. The data contained within each tag adheres to a documented, standard format that leaves no doubt as to the exact name of the application, the publisher, the version, and the release date. (The next phase of the standard currently under development, 19770-3, will associate software entitlements, or product use rights, with each application, making compliance efforts even more straightforward.)

The promise of ISO/IEC 19770-2 is that IT departments will be able to rely on a single, accurate methodology for generating software inventories and ensuring they have just the right number of licenses -- no more, and certainly no less, than required. But while the standard has been available for some time, few publishers are putting it to use. The vast majority of publishers appear to be unaware of the importance of the standard or are simply choosing to ignore it, but there are exceptions. Adobe and Symantec are beginning to tag new releases according to the standard, and some branches of the U.S. federal government such as the DoD and GSA are moving toward requiring tags in their software procurements. A handful of other publishers have pledged to tag future releases of their software. Alternatively, some vendors have created their own model for tagging their applications. While this may help end users identify software developed by those specific manufacturers, it is far from an industry-wide standard, thus leaving the global problem untouched.


The reality for corporate IT departments is that the ISO tagging standard will not be a practical solution until most, if not all, software publishers fully adopt it. Even if they begin now in earnest, license audits based on tagging alone will provide little value until virtually all installed applications are replaced with newer "tagged" versions. Let’s look at why it is so difficult to ascertain information about installed software. After all, isn't it simply a matter of examining Add/Remove Programs? The answer is no. In fact, there exists no single methodology by which applications can be consistently identified and normalised across all titles and manufacturers; even by automated discovery tools that claim to do exactly this. Software inventory products that examine Add/Remove Programs information (stored in the Windows registry), for example, are notorious for incorrectly counting some applications. This is because registry entries are frequently only present for those applications installed using the Windows Installer. Worse yet, for applications that are present, the registry data doesn't always correlate what's installed with what actually requires a license. This makes responsible licensing decisions virtually impossible. Other methodologies utilised by inventory tools, such as examining the installer (MSI) database or application file headers, provide similarly incomplete or misleading information, leading to equally problematic outcomes. Because of such shortcomings, asset management tools that rely on the above methodologies require varying levels of human intervention by end users to translate presented data into truly reliable information. Some discovery tools, as a way of circumventing these issues, rely on proprietary software catalogs to identify installed programs. 
These databases are generally compiled using multiple identification methodologies, but their contents are manually validated and normalised in such a way that they correspond one-to-one with licensed application titles. But even with the potential for greater accuracy, software catalogs aren't necessarily the perfect solution for all companies, as it's virtually impossible for any database to contain information about every application ever released to the desktop.

Where are the vendors?

There’s no doubt that software identification creates a lot of pain within the enterprise. So why are software publishers not doing more to ease the burden? Let's face it: when it comes to educating the market about software piracy and enforcing compliance among its end users, the industry is aggressive and well organised. But vendors continue to place the burden of verification and proof of compliance squarely on their customers.

Perhaps the failure to act on tagging stems from a lack of awareness of the ISO standard or a lack of conviction that it will solve the problem. Maybe it's due to the inherent difficulty of justifying product enhancements that don't contribute to "marketable functionality," organisational barriers that hinder coordination of efforts across broad product lines, or a perceived lack of demand among end users. Or maybe it's simply easier to capitulate to the "chicken and the egg" paradox. That is, software vendors may not commit to the ISO standard until they see critical mass; yet critical mass won't exist until most vendors are firmly on board.

Whatever the reason, until publishers demonstrate they are committed to labeling their software in a way that allows license analysis and compliance reporting to be turned into reliable, automated routine tasks, IT departments will continue to devote countless resources -- and a great deal of anxiety -- to obtaining accurate views of their license positions.

Meanwhile, CIOs must recognise and appreciate the challenges and risks faced by their IT staffs in evaluating their license positions, and ensure they have both the knowledge and tools needed to limp along until the promise of software tagging is fulfilled.

—Kris Barker is the co-founder and CEO of Express Metrix, a leader in IT asset management solutions. Kris was an early participant in the ISO 19770-2 standards work and continues his involvement by participating in the 19770-3 entitlement standard. Kris is also a professional educator, with more than 10 years of experience teaching higher-education students Web development and software programming skills. An aeronautical engineer by training, Kris has worked in both development and management positions at WRQ (now Attachmate), DEC and Boeing.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.

84% of all spam emails have an embedded URL, which is most likely malicious.

The Difference Between Doing IT and Infosec

Different skill sets are needed for an IT professional and for an information security professional. By Robb Reck

Evidence of people performing accounting has been found as far back as Babylon (circa 4500 BC). We have records of a civil engineer from as long ago as 2630 BC. It’s fair to say that these are mature, well understood professions. The education and training for their practitioners has been thoroughly tested and documented. If you want to become an accountant you take some classes, learn your craft, and prove you’ve learned it by taking the Certified Public Accountant (CPA) exam. If you want to become a civil engineer, you do the same (only take the Professional Engineer exam instead).

Compared to those fields, IT and information security are fresh and brand-new. For many of us practicing now, there was no accepted path for entering the technical fields. We came from all over. We saw the wide-open opportunities that technology provided and we jumped on the bus. Students from business, engineering, history, chemistry, communications, and performing arts (not to mention many who never received any kind of undergraduate education) saw opportunities in IT, picked up some self-directed or on-the-job training, and became part of the IT industry.

This first group of IT pioneers had a lot going for them. They were better innovators than your average group of CPAs, and they were much more willing to take risks than a civil engineer (and if you ever drive over a bridge or through a tunnel, you should be very thankful for this one). This led to great leaps and bounds forward in information technologies. Systems quickly became interconnected, and new functionality started sprouting up everywhere. Our lives moved from a paper calendar to our computers and then to the internet. We stopped writing checks and started paying bills on our computers. Our IT innovators were changing the world.

The same people who gave us world-changing innovations also gave us system crippling vulnerabilities

Unfortunately, while our well-meaning innovators were adding new functionality they were also adding new vulnerabilities. You see, civil engineers are taught early on that they must account for all potential vulnerabilities in their structures. Wind, floods, earthquakes, unexpectedly high usage, all of these possibilities need to be factored into their designs and their risks considered. But our first generation of IT staff had no formal education, and so they continued building new functionality and leaving massive holes. And when these holes were identified they would stick a Band-Aid over them and move to the next innovation, because that’s what paid the bills.

Somewhere along the way (probably around the time that we started trying to do our banking and shopping online) we realized that these vulnerabilities really needed to be addressed. Considering the track record, it obviously couldn’t be the IT departments who had been baking these vulnerabilities into the systems. Thus information security started getting budgets and staff. When these new information security jobs opened up, where did the folks come from? Yup, most of us came directly over from the IT world.

The skills that make for a great IT professional are not the same that make for a great information security professional

The primary issue is that the skills that make for a great IT professional are not the same that make for a great information security professional. IT professionals manage systems, information security professionals manage risk. IT pros spent years learning that when they run into a problem they should make or buy a new technical solution. But information security pros are learning that more technology is almost never the solution to a security problem. The IT mindset is that problems are to be overcome by driving forward, innovating and creating new solutions. But often in information security the correct answer is to go backward, look at what we’ve done, and determine whether we did it right the first time. Instead of sticking on another Band-Aid we should be crafting secure systems from the ground up.

I am certainly not suggesting that IT professionals cannot be successful information security practitioners (if that were the case, I’d be out of a job myself). But some of the attributes that made us good in IT are opposed to those which will help us succeed in information security. We still need to be responsive, analytical, courteous, and solution oriented, but we can no longer afford to value speed over quality (don’t forget, security IS quality), or to focus on technology instead of business.

Risk management is not system administration. You don’t get an error message when things aren’t going right. And there’s no Google search that is going to help you figure out what the problem is. Information risk management requires you to act and think like a business-person. It’s only secondarily that your technical skills will support that mission.

—Cross-posted from Enterprise InfoSec Blog from Robb Reck

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.



NEXT HORIZONS

Parallelised Data Mining Security

PDM could be the future of a range of commercial tools. But before that, security issues need to be addressed. By K.S. Abhiraj

Parallel Data Mining (PDM) is currently attracting much research. Objects involved with ‘Parallel Data Mining' include special types of entities with the ability to migrate from one processor to another, where they can resume / initiate their execution. In this article we consider security issues that need to be addressed before these systems in general, and ‘parallelised systems' in particular, can be a viable solution for a broad range of commercial tools.

In this section we will briefly describe some properties of these systems and more of parallel systems. This is not intended to be a complete description of ‘anything and everything' of the above mentioned topics. We try to focus on issues with possible security implications. When we speak of ‘entities' we mean an ‘object / process / matter / material / data stream' that splashes some kind of independent, self-contained and certain ‘intelligence'. So now I believe I can say "An entity is often assumed to represent another entity, such as an integrated output of a classified cluster or some other organisation or environment on whose behalf it is acting".


No single universal definition of entity exists, but there are certain widely agreed universal characteristics of entities; these include a fluctuating ambiance/environment, autonomy, and elasticity.

Fluctuating Ambiance means that the entity receives tactile input from its environment and that it can perform actions which change the environment in some way.

Autonomy means that an entity is able to act without the direct intervention of other entities (or other objects), and that it has control over its own actions and internal state.

Elasticity can be defined to include the following properties:
- Responsive: Refers to an entity's ability to perceive its environment and respond in a timely fashion to changes that occur in it;
- Pro-active: Entities are able to exhibit opportunistic, goal-driven behavior and take the initiative where appropriate;
- Social: Entities should be able to interact, when appropriate, with other entities and humans in order to solve their own problems (like distributing instructions to various sects, assigning instructions to respective processors with respect to certain considerations etc.) and to help other entities with their activities.

A number of other attributes are sometimes discussed in the context of ‘Augur'. These include but are not limited to:
- Rationale: The assumption that an event will not act in a manner that prevents it from accomplishing its goals and will always attempt to fulfill those goals.
- Candor: The concept that an event will not ‘knowingly' communicate false information.
- Cordiality: An entity cannot have conflicting goals that either force it to transmit false information or to effect actions that cause its goals to be unfulfilled or impeded.
- Mobility: The ability for an agent to move across networks and between different hosts to fulfill its goals.

Platforms or the desired infrastructure provide entities with environments in which they can execute. A platform typically also provides additional services, such as communication facilities, to the entities it is running. In order for entities to be able to form a useful parallelised system where they can communicate and cooperate, certain functionality needs to be provided to the entities. This includes functionality to find other entities or find particular services. This can be implemented as services offered by other processes or services more integrated with the infrastructure itself. Examples of such services include facilitators, mediators, and matchmakers etc.

Security Issues with Parallel Data Mining

In this section we will discuss security issues based on the characteristics described as above:

1. Entity Execution: Naturally entities need to execute somewhere. A host and the immediate environment of an entity are ultimately accountable for the accurate execution and protection of the entity. This leads us to the question of where access control decisions should be performed and enforced. Does the entity contain all necessary logic and information required to decide if an incoming request is authentic (originating from its claimant) and if so, is it authorised (has the right to access the requested information or service)? Or can the agent rely on the platform for access control services? The environment might also need certain protection from the objects that it hosts. An event should, for example, be prevented from launching a denial of service attack through consuming all resources on a processor, thus preventing the host from carrying out other things (such as executing other events scheduled).

2. Fluctuating Ambiance: What the term ‘environment' indicates is that it totally depends on the application and appears almost to be considerably arbitrary with respect to events literature; it can for e.g. be the ‘International Network' viz. Internet or the host on which the entity is executing. An entity is assumed to be ‘conscious' of certain states or events in its environment. Depending on the ‘nature and origin' of this information, its authenticity and availability need to be considered. If an event's ‘environment' is limited to the processor on which it is executing, no specific security measures might be necessary (assuming the host environment is difficult to be spoofed keeping in mind the ‘objective proportional to time' ratio). The situation is however likely to be totally different if the event receives environment information from, or via, the Internet.

3. Autonomy: This property, when combined with other features given to entities, can introduce serious security concerns. If an entity, for e.g., is given authority to perform an objective, it should not be possible for another ‘party' to force the event into committing to something it would not normally commit to. Neither should an event be able to make commitments it cannot fulfill. Hence, issues around delegation need to be considered for ‘entities - events' / instructions. The autonomy property does not necessarily introduce any ‘new' security concerns; this property is held by many existing systems. It is worth mentioning that worms or viruses also hold this property, which enables them to spread efficiently without requiring any (intentional or unintentional) object interaction. The lesson it indicates is that powerful features can also be ‘remixed' and used for malicious purposes if not properly controlled in a controlled environment.

74% of companies admitted to compliance violations via email.

4. Communication Botheration: Of the ‘Elasticity' properties, social behavior is certainly interesting from a security point of view. This means that entities can communicate with other events. Just as an entity's communication with its surroundings / environment needs to be protected, so does its communication with other events. The following security properties should be provided:
- Confidentiality: Affirmation that communicated / proclaimed information is not accessible to unauthorised parties
- Data integrity: Affirmation that communicated / proclaimed information cannot be switched over / shaped / manipulated by unauthorised parties without being detected
- Authentication of origin: Affirmation that communication is originating from its claimant
- Availability: Affirmation that communication reaches its intended recipient in a timely fashion (‘Secure Negotiation' protocols play a HUGE role here)
- Non-repudiation: Affirmation that the originating entity can be held responsible for its communications

It's a fact that "security usually comes at a cost". Additional computing and communication resources are required by most solutions to the previously mentioned secure structured structures functionality. Therefore, security needs to be dynamic. A lot of times it makes sense to protect all communication within a system to the same level, as the actual negotiation of security mechanisms then ‘MAY' be avoided. However, in large-scale parallelised data mining systems, security services and mechanisms need to be adjusted or tweaked to the purpose and nature of the communications of various applications with varying security requirements. Some implementations of varied architectures in the same niche assume that security can be provided transparently by a lower layer, i.e. adding it to data sects while distributing it to varied problems. This approach might be sufficient in closed or more precisely localised systems where the entities can trust each other and the sole concern is external malicious parties.

5. Rationality, Candor, and Cordiality: The meaning (from a security point of view) of these properties seems to be: "Events are well behaved and will never act in a malicious manner." If we make this a bona fide requirement, then the required redundancy for such a system is likely to make the system useless. Affirmation that only information from trusted sources is acted upon and that events (or their initiators) can be held responsible for their actions, as well as monitoring and logging of event behavior, are mechanisms that can help in drafting a system where the implications of malicious events / entities can be minimised.

6. Maneuverability: The use of movable or mobile entities raises a number of security concerns. Entities need protection from other entities and from the hosts on which they execute. Similarly, hosts need to be protected from entities and from other objects / parties (tools getting co-mingled with processes through varied forms of injections and other vulnerable loopholes) that can communicate with the platform. The problems associated with the protection of hosts from malicious code are aptly understood. The problem posed by malicious hosts to entities and the environment seems more complex to solve. Since an entity is under the control of the executing host, the host can in principle do anything to the event and its code. The particular objective of attack vectors that a malicious host can make / apprehend can be summarised as follows:
- Observation of code, data and flow control
- Manipulation of code, data and flow control - including manipulating the route of an entity
- Incorrect execution of code
- Denial of execution - either in part of an event or whole
- Masquerading as a different host
- Eavesdropping and manipulating other event communications

7. Identification and authentication: Identification is not primarily a security issue in itself; however, the means by which an entity is identified are likely to affect the way an entity can be authenticated, i.e. if the labeling environment of an event gets knocked out or uncontrolled, further actions would result the same. For example, an entity could simply be identified by something like a serial number, or its identity could be associated with its origin, owner, capabilities, or privileges. If identities are not permanent, security-related decisions cannot (more precisely should not) be made on the basis of an entity's identity. While an entity's identity is of major importance to certain applications and services, it is not needed in others. In fact, entities are likely to be ideal for providing anonymity to their initiators as they are independent pieces of code, possessing some degree of autonomy, and do not require direct third party interaction.

—The article was first published on www.infosecisland.com. It is reprinted here with prior permission.


DOSSIER Company: SAS Institute India Established: 1976 in USA and 1997 in India Founders: Dr. Jim Goodnight India Head: Sudipta K. Sen Products: World leader in Analytics & Business Intelligence solutions Employees: Globally more than 11000 employees and more than 500 employees in India Key Customers: BEML, SEBI, TTSL, Aarogyasri Healthcare, CBEC, BSES, Reliance Energy, Reliance Communications, NACO, Ministry of Health

Telecom, BFSI drive growth for SAS

Despite the market downturn, SAS Institute continues to witness a double digit growth year-on-year. In conversation with Minu Sirsalewala Agarwal, Sudipta K Sen, CEO & MD – SAS Institute (India) shares the reasons for the continued growth and the company’s future road map.

How has the Business Analytics and Business Intelligence journey been in the last few years, specifically in India?

The journey has been very pleasant in the space of BA/BI. Specifically in India, in the last few years there have been good experiences. We have been following trends that are visible in the matured markets, but in certain areas in India we are leap-frogging. Typically there have been four key factors that are driving the trends in this space. Be it a bank, a financial institution, telecom or retail, for all, managing profitability, managing growth, managing customer expectation and managing share holders are the key factors. All data-rich verticals where there is humungous data being churned are the fastest at the maturity curve. Technology wise, the adoption is at a much matured stage than it was a few years back. For example, a bank would have core banking in place, a CRM system and the likes. Similarly in the telecom space too, the OSs have gone through the maturity curve. This in turn is leading to market dynamics in the BA/BI space.

How have these dynamics impacted the BA/BI market and what are the challenges?

Today the scenario is such that no vertical is limited to just one service. A bank today is no longer engaging in just traditional banking service. It offers a bouquet of services. They are selling insurance, mutual funds, credit cards and a whole lot of other products. This brought in a scenario where the key challenge was the management of data. The data is not sitting in one place but is in multiple locations and in multiple formats. Banks have moved much beyond the product-centric approach to a customer-centric approach, and as you go ahead in the market that’s the way to be. The challenge is to get all the data related to one person under one umbrella. The first challenge is the technological challenge as the data is in different forms in different locations and in different databases. The second even bigger challenge is the quality of the data. After the cleansing, it is put in the mart, then starts the process of analytics and then BI. This is also where predictive analysis is playing an important role. This allows the company to link the products to the profiles and enable specific campaigning to the target audience. Thereby enabling targeted bombing rather than carpet bombing.

What is fuelling the growth?

It all starts with the ever increasing data and how to reduce cost. Analytics play a very important role in ‘risk’ and ‘optimisation’. Typical scenarios like loan approvals, the parameters used to weed out fraud cases, inventory optimisation and the array of other similar services use the power of predictive analytics. People are looking at new avenues and areas for analysis.
Verticals which are dealing with humungous data like BFSI, telecom etc are driving the growth for BA & BI. Today businesses are in an extremely dynamic and competitive market where they need to proactively reach out to customers not only for retention but for acquisition also. Here the power of analytics is allowing the business to be agile and correct before it hits a wall.

The IT landscape at most organisations has undergone a change with mobility and penetration of smart devices. What impact is it having on BA & BI?

Earlier we were only on the internet. Today the scenario has changed and everyone is on social media, be it Twitter, Facebook, etc. A personal example that I would like to share is recently my daughter bought a car. Earlier in a typical scenario you would have short listed 3 models, done the test drive and bought the car. But now, my daughter had finalized two models, had a blog, got her reviews and related details on the car and even before we went for the test drive we knew exactly what to expect out of the test drive. We had all the details with us; social media has become extremely important not only for the marketers but many others. From a marketer’s perspective you can do sentiment analysis where you can figure out the brand value, how is it moving, get feedback and check the issues around it, change what is required, correct or fix what is wrong and have a better market presence. Clearly earlier analytics was looked at for own set of data created internally but today not only own set of organised data but also a lot of unorganised, unstructured set of data has come into the play. Unstructured data has to be treated in a substantially different manner and the size of the unstructured data is much larger than the structured data. That’s where a company like SAS plays a very important role as we have the capability to address both the areas.

How have SAS offerings evolved?

If you had come and met me six years back I would have said we have some wonderful technology called data integration, data quality, SAS data, Stats, graphs and mining etc. But progressively we recognize that most clients are looking at that how quickly can they ramp up and that’s why the term leap frogging, how can they leverage IT and not waste time in reinventing the wheel. That’s where SAS came up with industry specific solutions. We have solutions for banking, telecom, retail, manufacturing and a few of these solutions are developed at our R&D facility in Pune.

Which verticals have been contributing to the SAS pie?

Initially 75 percent of our revenue was from banking and finance and one of the reasons for this was that it was one sector where data was readily available and it had a faster adoption curve in terms of technology. Today the BFSI contribution has dipped and the segment's contribution has come to 50 percent, but this is not because the market has come down or there is lesser business but purely the other segments have seen growth and addition.
Telecom has caught on in a big way, 15-20 percent now comes from telecom, and another vertical is government that is seeing an excellent growth. Pharma and clinical research is another vertical of focus and it contributes 7-8 percent to the pie. Some examples in government are Ministry of health where they are doing some good projects on curbing the widespread diseases using SAS solutions. Another example is NACO (National Aids Control Office). They are also using SAS and have gone a step further and have integrated it with the GIS system by which they can know the epicenter and prevent the spread out of the disease. Retail is another vertical which has been seeing increased activity. Recent examples would be Shoppers Stop and in addition web based retailers like makemytrip.com also use SAS solutions. Hence the adoption and usage of analytics is no longer confined to the biggies. People have seen the value and that’s where the next wave is coming from.

Talking about Cloud, it seems to be an offering for every technology, what is its impact on BA & BI?

There are some areas where cloud is here to stay, going ahead software as a service on cloud will play an active role. At SAS we have some offering in the hospitality space where we offer our analytics on a software as a service (SaaS) basis. An example would be optimization of room rates. Room rates vary on number of parameters like location, season etc and is an extremely dynamic scenario, we have a cloud based offering for the same and have signed up with most of the leading hotel chains like Hilton, Sheraton, Shangri-La, Oberoi, Marriott etc. Progressively we will be rolling out to other areas. Trends will be in SME type of organizations who will not have the infrastructure and the capability for the analytics.

What about the organic and inorganic growth, any specific investment plans for India?

If we see any good assets in the market we are agile and open to pick it. In the recent past we had picked three companies and amongst that latest is Assetlink, which fits in very nicely with our customer intelligence portfolio where we do customer campaign management and marketing optimization. This is actually out of cloud, so all your digital assets are sitting out of the cloud. Assetlink is in marketing resource management (MRM). Combining SAS Customer Intelligence offerings with Assetlink's marketing resource management solutions into an integrated marketing management platform will make it easier for marketers to plan, create and optimize marketing programs.

SAS is known to invest around 24 percent of its revenue in R&D. Any plans to take this figure up and increase capacity at the R&D facility in Pune?

For SAS this is the highest investment of the total revenue which is way higher than the industry norms. We continue to invest but no specific revised figures for the same. At the R&D in Pune we continue to improve the product profile and add IP on the top. Few of the Assetlink members also are based in the facility.

How important is India in the SAS growth plans globally?

India is now an independent region from this year. This is a clear reflection of the potential the company sees in the Indian region. There are other markets which are already seeing the maturity curve; there is high future growth that is expected from the Indian region. India has shown a constant double digit growth year on year. I am extremely bullish. Earlier India was known to not be progressive because of the large population but today the million population is what is giving the BA/BI market the much desired impetus.



Thought Leaders
Prashant Mali | prashant.mali@cyberlawconsulting.com

Advocate Prashant Mali is the President - Cyber Law Consulting.

Challenges with Cloud Computing

While cloud offers many benefits, it also brings in legal complexities.

With cybercrime having grown out of infancy, gaining professionalism and proving to be a bold threat to individuals, businesses and institutions of all kinds alike, paradigm shifts in the way we use information technology come as a mixed blessing: cybercriminals do not only gain profit from the same benefits available to regular customers, but are also among the first to detect and exploit loopholes and other side effects of new technologies. In cloud computing, such a paradigm shift is taking place right now. The increasing use and opportunities of cloud computing services hold many challenges for legal practitioners, especially with respect to data protection policies. However, the effects of cloud computing on the law enforcement community can be narrowed down to one essential aspect of criminal investigations: the acquisition of evidence. While there are some beneficial developments, the loss of location is likely to cripple cybercrime investigations at a very early stage.

The loss of location

Data in the clouds is constantly shifted from one server to the next, moving within or across different countries at any time. Also, data in the clouds might be mirrored for security and availability reasons, and therefore could be found in multiple locations within a country or in several separate countries. Due to this and to cached versions of data, not even the cloud computing provider might know where the sought-after data is exactly located. Thus, one could say that location as a constant applicable to all tangible objects and having been applied to intangible data objects ever since the Internet became popular as well, has ceased to function under the conditions of cloud computing. Location, however, is of prime importance to deduce the applicable jurisdiction in order for law enforcement authorities to gain access to a certain object other than publicly accessible information, such as text on a web page, especially if coercive powers are needed to retrieve the object. This comes as a consequence to the international legal principle of territorial sovereignty which sets forth that no state may enforce its jurisdiction within the territory of another sovereign state. Since the location of data often cannot be determined at a given time nor predicted for a given time in the future by law enforcement authorities, the determination of jurisdiction concerning data in the clouds would be based on coincidence; and utilising the help of cloud computing providers before determining data location could lead to forum shopping. Both outcomes hardly fit the needs of the rule of law in criminal proceedings. In finding viable solutions for investigations in the clouds, it might therefore prove fruitful to think beyond the principle of territoriality.

Benefits for investigation

In spite of the confusion concerning location and jurisdiction outlined above, the rise of cloud computing also creates beneficial effects for law enforcement authorities that should not be left unconsidered: Since cloud computing applications allow for a greater flexibility in workflows of all kinds, many individuals as well as cybercriminals embrace the opportunities that services like Google Mail and Google Docs, Dropbox or Evernote are offering. Hence, information that without cloud computing services might have been stored on easy to conceal media such as tiny memory cards or flash drives in all kinds of unsuspicious hardware such as navigation devices:

--required physical access to obtain for future use as evidence;
--never been created in the first place

is likely to be created, stored and found within the clouds and thus easily accessible at a technical level. Provisions for the extended search and seizure of computer data on connected systems such as Section 80 of The Information Technology Act, 2000 as amended by The Information Technology (Amendment) Act, 2008 may enter any public place and search and arrest without warrant any person who is reasonably suspected of having committed or of committing or of being about to commit any offence under the above said Act.

How to deal with the loss of location

So far it has been shown that location is not a factor to which legal strings can be attached when dealing with data in the clouds. Simply not being able to access vital evidence due to uncertainty about the applicable jurisdiction is not an option, however, since the states’ mandate and obligation to prosecute crimes in cyberspace is of the utmost importance not only to victims, but also to stakeholders at a private and institutional level within national as well as international contexts. Therefore, different approaches need to be evaluated. Have a closer look at existing options as well as models in comparable legal fields and try to develop a different approach beyond the principle of territoriality.

Access using CrPC Sections

As already mentioned, the information in a network environment need not be stored at the same site. The data could reside at a remote location even in a different country. Therefore, it may be important to find out the storage location and take action accordingly. In case storage of data is suspected to be located outside the country, it may be necessary to alert the Interpol and take necessary follow up steps to issue letters rogatory under the provisions of Section 166 A CrPC.

Additional conditions and safeguards

As much as the power of disposal approach brings feasibility for law enforcement authorities, it is suited to infringe upon the rights of suspects and/or third parties: it might, for example, not seem appropriate to enable law enforcement authorities to look into an Evernote or Dropbox account and thus to read intimate thoughts of someone against whom charges have been pressed due to an alleged defamation or political speech. Also, data stored in the cloud usually can be classified as content data; the contents of telecommunicative actions, however, receive special fundamental protection in many countries. Logging on to a Google Mail account, for example, would infringe the right to privacy provided by Article 21 of The Constitution of India and also right to telecommunication secrecy provided in Germany by Article 10 paragraph 1 of the German Constitution. If done in a covert manner instead of openly, such an infringement usually requires a court order or permission from Home Secretary beforehand. Government of India can invoke Section 69 of The IT Act, 2000 for interception or monitoring or decryption of any information through any computer resource. This section is violative of Article 21 of Indian constitution as mentioned above. In order to alleviate the possible effects on fundamental rights, additional conditions and safeguards should be considered. Such conditions and safeguards could be

--limiting the scope of application to cases with yet to be defined exigent circumstances, including those where it is believed evidence will be destroyed if not seized;
--stipulating the requirement for a judicial order;
--stipulating notification obligations, both notifying the account holder and the provider, possibly with restrictions for cases in which the outcome of an investigation might be endangered;
--stipulating obligations to mark the data that has been obtained, accompanied by scheduled deletion obligations.

Conclusion

The rise of cloud computing provides cybercriminals as well as law enforcement authorities with new opportunities. The downturn for the law enforcement community, however, comes with the loss of location caused by cloud computing technology. Since the principle of territoriality requires location as a prime legal connecting factor for investigatory measures in criminal procedure, a new legal instrument is to be found in order to prosecute cybercriminals and obtain digital evidence in the clouds. Furthermore, traditional concepts of jurisdiction usually resort to criteria which are not applicable to the digital world. Therefore, a new legal instrument would have to regard location as irrelevant and serve as manageable parameter with respect to both the legal world and the world of information technology. Such a regulation might be built upon the legal connecting factor of (formal) power of disposal.


VIEWPOINT
Steve Duplessie | steve.duplessie@sbcglobal.net

Illustration by Shigil N

When Did Industry Events Become So Awful?

IT pros-targeted events should be just for them.

I’ve always been on the vendor/marketing/sales side of life historically, so growing up in this industry, events have always been a way of life. A vendor uses an event in hopes of reaching an audience of potential buyers–in order to push their agenda. I have no problem at all with that. Perhaps I’m naive, but didn’t it seem like the reason you could get potential buyers to attend an event was that there was something in it for them? Something other than free booze and tee-shirts, that is. Didn’t it seem like people used to go to industry events because they could learn something that would help them in their job? That could help their company? The VMUG and VMworld events are examples of things done right: users go because they NEED to learn things, and vendors go because that’s where the users go. That is the circle of event life as it should be: vendors aren’t pushing their story as “content” for users–users seek out vendors they want to talk to. That sure seems like a more civilised way to do things.

I say all of this because ESG is holding our first ever event (www.esgahead.com). I was naive in thinking that creating an event specifically for IT pros by IT pros with a day jammed with education for IT pros on IT (virtualization, specifically) issues, would somehow keep consultants, headhunters, vendor sales reps, etc. from attempting to crash the party. How wrong I have been. Make no mistake, I like consultants, headhunters, and god knows I like sales guys – but for the love of god, this is not for you! Even the sponsors of our event don’t get to pitch–which they are fine with, because they understand that the entire point of all of this is to HELP the poor IT folk get more advanced in their virtualisation efforts. If the user gets smarter and does more–it creates opportunities those vendors wouldn’t get otherwise. Our objective is to help them get unstuck. Our sponsors are smart enough to realise that this is also their objective. Thus, they don’t mind not being able to stand on stage and give an overt infomercial. They realise that if the intent is pure and they are a positive member of this tight agenda in this tight community of like-minded people, they will have the opportunity they seek–eventually.

About the author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

I don’t see how a headhunter or a consultant looking for leads helps anyone at this event advance their virtualisation efforts. There are plenty of vendor networking events–and they are great. So go to those! So, my friends, even if I had an empty chair (which, thankfully, I don’t), I wouldn’t let you in. It doesn’t mean I don’t love and respect you–it just means that for the same reason it is inappropriate for me to demand to be allowed into a Girl Scout Troop meeting (without my kid involved), this is the wrong event for you. All we would accomplish is to make those who belong there uncomfortable with our presence. And for you vendor sales folk, well, I’m afraid you are just shit out of luck. We are trying to create a safe haven for IT folk to share, learn, and advance–not a battle ground to be accosted and pestered. Call me naive, but that is our quest. Will we succeed? I don’t know, but we sure as hell are going to give it our best shot. Once the huge offers of dough start rolling in, I may change my tone–but for now, leave us to our mission!

