Security 2020

CTO Forum
Technology for Growth and Governance
December 07, 2011 | 50 | Volume 07 | Issue 08

Building Storage that Lasts | Building an IT Business Office | IT Productivity Destroyers

I Believe: IT Nirvana for Top-Line Growth | Page 04
Next Horizon: Texting More Effective in a Disaster | Page 44
Cover Story: CIOs need to chart out a clear IT security strategy for the coming decade | Page 28
A Question of Answers: Education is Key to Mitigate Risks | Page 16

A 9.9 Media Publication


© 2011 Juniper Networks, Inc.

The new network means business: Game-changing technologies that lower latency, require far fewer devices and decrease power consumption by more than half. It’s why Codonis chose QFabric™ to help transform their data centers, and why companies everywhere are thinking about the future in a whole new way. Learn more at juniper.net/thenewnetwork

“You can virtualize your network, you can build one physical underlying network. The capacity is there, the tools are there…That’s the solution that Juniper’s putting forward.”
Andrew Bach, SVP, Network Services, NYSE Euronext

Inbound Response Management: Priya Sharma, 1800 209 3062, 022 - 67083830, Juniper@dnbindia.in


Editorial | Yashvendra Singh | yashvendra.singh@9dot9.in

Offence or defence? As the threat landscape turns more virulent, CIOs need to take a call whether they want to be defensive or go on the offensive

For technology leaders tasked with ensuring the security of their enterprise, the latest Intelligence Report from Symantec is not very good news. According to their estimates, daily targeted attacks have increased four-fold – the greatest increase over a 12-month period ever recorded by the security vendor! The continuous evolution of security threats has ensured that this area remains a critical business priority for CIOs.

Once again, the changing threat landscape promises to change the rules of the game. The emergence of consumerisation of IT and cyber terrorism are compelling CIOs to re-look at their security strategies. In some corporates there is an office of a CSO to complement the function of a CIO in addressing security issues. In such enterprises, the two need to build camaraderie by working towards the common goal of achieving maximum business efficiency without rendering the enterprise vulnerable to any threat – internal or external. Unfortunately, while the number of CIOs in the country runs into thousands, CSOs number in hundreds. So, in the scores of enterprises that still don’t have a CSO office, the onus of security lies on the CIO. With security experts predicting 2012 to be even more virulent than 2011 (there are fears the next year could well see the successor of the notorious Stuxnet), the going will only get tougher. You are the custodian of your enterprise’s most vital asset – information. Protecting data, whether it is in use, in transit or at rest, must get your mindshare on priority. This issue’s cover story will help you in deciphering the emerging trends in enterprise security and the evolving role of the security function in the organisation. I recently met a CIO who took me through his detailed security framework: how he understood the risks, analysed the impact of security breaches vis-à-vis risks, and eventually implemented a security strategy that aligned with the business. Given the unpredictable nature of the enemy, I would love to hear your approach to tackling threats in your organisation. We would share it with your peers, since our effort is to spread the benefits of ‘collective wisdom’. Tell us whether you believe this is the time for offence or defence.

Editor’s pick | Page 28: Security 2020. CIOs need to clearly chart out a strategy for their IT infrastructure security for the next decade.

The Chief Technology Officer Forum

cto forum 07 December 2011


December 11 | Cover design by PC Anoop

Contents
thectoforum.com

Cover Story
28 | Security 2020: With the growing number of threats and increasing sophistication of the same, CIOs need to clearly chart out a strategy for their IT infrastructure security for the next decade.

Columns
04 | I Believe: IT Nirvana for Top-Line Growth. For achieving IT nirvana, CIOs need to manage the two sources of value – growth oriented and leverage oriented. By Randy Spratt
64 | View Point: Why Startups Die. The Second Child. By Steve Duplessie

Features
60 | Tech for Governance: The Next Revision of ISO 27001. By Dejan Kosutic

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Tara Art Printers Pvt ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301


www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha | Printer & Publisher: Kanak Ghosh | Publishing Director: Anuradha Das Mathur
Editorial: Executive Editor: Yashvendra Singh | Senior Editor: Harichandan Arakali | Assistant Editor: Varun Aggarwal | Assistant Editor: Ankush Sohoni
Design: Sr Creative Director: Jayan K Narayanan | Art Director: Anil VK | Associate Art Director: PC Anoop | Visualisers: Prasanth TR, Anil T & Shokeen Saifi | Sr Designers: Sristi Maurya, NV Baiju & Chander Dange | Designers: Suneesh K, Shigil N, Charu Dwivedi, Raj Verma, Prince Antony, Binu MP & Peterson | Chief Photographer: Subhojit Paul | Photographer: Jiten Gandhi

A Question of Answers
16 | Educate to Mitigate Risks: Vijay Mhaskar, Vice President, Information Management Group, Symantec shares his insights into the growing risks attached to social media.

Best of Breed
20 | IT Productivity Destroyers: A VC’s views on the causes of inefficiency in the IT organisation. By Marc J. Schiller

Next Horizons
44 | Texting for Disaster Recovery: Texting could and should play a major role in your DR planning. By Pam Baker

Regulars
01 | Editorial
10 | Enterprise Round-up

Advertisers’ Index
Juniper IFC, 41, 53 | Schneider 5 | Sigmabyte 6, 7 | Seagate 9 | SAS 13 | Tata Communications 15 | Trend Micro 27 | Check Point 45 | Nokia IBC | IBM BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Advisory Panel: Anil Garg, CIO, Dabur | David Briskman, CIO, Ranbaxy | Mani Mulki, CIO, Pidilite | Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo | Raghu Raman, CEO, National Intelligence Grid, Govt. of India | S R Mallela, Former CTO, AFL | Santrupt Misra, Director, Aditya Birla Group | Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices | Vijay Sethi, VP-IS, Hero Honda | Vishal Salvi, CSO, HDFC Bank | Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay | Vijay Mehra, CIO, Cairns Energy
Sales & Marketing: National Manager-Events and Special Projects: Mahantesh Godi (09880436623) | Product Manager: Rachit Kinger (9818860797) | GM South: Vinodh K (09740714817) | Senior Manager Sales (South): Ashish Kumar Singh | GM North: Lalit Arun (09582262959) | GM West: Sachin Mhashilkar (09920348755) | Kolkata: Jayanta Bhattacharya (09331829284)
Production & Logistics: Sr. GM. Operations: Shivshankar M Hiremath | Manager Operations: Rakesh Upadhyay | Asst. Manager - Logistics: Vijay Menon | Executive Logistics: Nilesh Shiravadekar | Production Executive: Vilas Mhatre | Logistics: MP Singh & Mohd. Ansari
Office Address: Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301. Editor: Anuradha Das Mathur. For any customer queries and assistance please contact help@9dot9.in


I Believe

IT Nirvana for Top-Line Growth: For achieving IT nirvana, CIOs need to manage the two sources of value – growth oriented and leverage oriented

By Randy Spratt, CIO and CTO, McKesson Corporation. The author is responsible for the global applications that serve the entire corporation and for the overall IT strategy and information security for the company.

There are two sources of value that a CIO must bear in mind, one is growth oriented, and the other is leverage oriented. These can be at odds. It is important for a CIO to successfully manage this paradox. On the one hand, you need to innovate and be agile to serve the strategies of the business. On the other hand, you have a lot of activities that are commodity driven, and if you are not competitive with other entities that can provide those services, then you will be at a competitive disadvantage as a company. In my mind, business Nirvana is top-line growth. This suggests business-driven IT activity, and a high degree of IT agility. The businesses will want and expect new devices, new capabilities, new applications, new tools to reach and delight their customers. They are looking for social networking, iPad apps, smartphone apps, and linking into cloud-based services to reach their markets and deliver innovative products and services. IT nirvana is making everything efficient, secure, leveraging economies of scale. In this scenario, IT controls things to a greater extent. In many organisations, there is a pendulum that swings between these two scenarios, between Business Nirvana and IT Nirvana, never quite reaching either side before the momentum shifts in the other direction every three to five years. An innovative CIO focuses almost exclusively on enabling the business vision, and, for a time, achieves tremendous things for the organisation. In the process, he creates a shadow infrastructure and buys products at sub-optimal purchasing power. Projects fall behind, costs accelerate, and the desired agility is not attained. A cost conscious CIO spends a lot of time cleaning up the infrastructure, and cutting staff. He de-emphasises innovative, top-line growth opportunities in favor of more efficient operations, greater buying power and more reliable operations through solid IT processes.

Current challenge: creating a balance between the strategies of business and activities that are commodity driven

This opinion was first published in CIO Insight. For more stories, please visit www.cioinsight.com.


The strategic bridge between your data centre and your business? You. Only StruxureWare for Data Centres enables a healthy, business-driven data centre.

Tap in to the health of your data centre: As an IT or data centre manager, you know that doing your job well means saving your company both time and money. Today, there finally is a way for you to be completely tapped in to the overall health of your data centre. StruxureWare™ for Data Centres gives you visibility across your entire data centre infrastructure so you can make informed decisions — not arbitrary ones — about your infrastructure. For example, you can plan proactively for needed capacity and streamline workflow management to improve your business agility and availability. In fact, now more than ever, infrastructure decisions are business decisions.

Now, make informed decisions about your infrastructure:
> Plan proactively for needed capacity.
> Blueprint data centre expansions and consolidations.
> Streamline workflow management of your IT physical infrastructure to improve your business agility and availability.
> Make changes knowing how they will affect your business.
> Visualize change/capacity scenarios to improve your bottom line.
> View your current and historic PUE/DCiE and energy costs of subsystems to make intelligent energy management decisions.

An always available, efficient data centre: What’s more, StruxureWare for Data Centres communicates in real time with the leading virtualization platforms: VMware vSphere™ and Microsoft® System Centre Virtual Machine Manager. The software’s built-in automated response capabilities ensure that virtual loads always have healthy host environments. With your VMs on healthy hosts, you can focus on running your data centre more efficiently. The software also gives insight into PUE/DCiE trending over time, enabling you to make intelligent energy management decisions. With StruxureWare for Data Centres’ planning and reporting capabilities, who’s the company hero now? You are!

APC by Schneider Electric™ is the pioneer of modular data centre infrastructure and innovative cooling technology. Its products and solutions, including InfraStruxure™, are an integral part of the Schneider Electric™ IT portfolio.

White Paper 107: How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Costs. Tap the business value of your data centre! Learn how in our management software white paper. Visit www.SEreply.com, Key Code 11499p. Toll Free 1800 4254 877/272

©2011 Schneider Electric. All Rights Reserved. Schneider Electric, InfraStruxure, StruxureWare, and APC are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. All other trademarks are property of their respective owners. 998-4108_IN-GB. Schneider Electric India Pvt Ltd, 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase II, Gurgaon - 122 002, Haryana, India, Phone: +91 124 3940 400, Fax: +91 124 4222 036


Advertorial | Sigma-Byte

Sigma-Byte: Celebrating 20 Years of Bringing Value to Customers

Photo, from left: Dr. Ispran Kandasamy, VP, Enterprise Sales, APAC, CommScope; Mr. Ketan Kothari, MD, Sigma-Byte; and Mr. Stephan Kowal, VP, Global Partner Organization, CommScope.

Sigma-Byte, a provider of network cabling, audiovisual solutions and safety and security solutions, recently celebrated 20 years of bringing value to its customers. To celebrate this momentous occasion with their long-standing partner CommScope, Sigma-Byte hosted a gala event at the Hyatt Regency Hotel in Mumbai. The event brought together various partners, customers and beneficiaries of Sigma-Byte – those who hold a special place with the company. The celebration was kicked off with a performance by Aman and Ayaan Ali Khan, who along with Gino Banks, entertained the attendees. The event also featured Bharat Dabholkar, famous for his advertising work with Amul and various productions. The high profile event was hosted by Diana Hayden, Former Miss World, and featured speeches from Sigma-Byte and CommScope executives detailing their future plans. CommScope and Sigma-Byte have had a longstanding relationship in bringing solutions with great value to their customers and both hope to continue to bring their efforts to them.

In an interview with ITNEXT, Ketan Kothari, MD, Sigma-Byte; Dr. Ispran Kandasamy, vice president, Enterprise Sales, Asia-Pacific, CommScope; and Stephan Kowal, vice president, Global Partners, CommScope took a few minutes and spoke about the future and how they plan to take their services to the next level for their customers.

As one of the key integrators/partners of CommScope’s solutions, what are some of the challenges that you face today from the customers?

Ketan Kothari: Customers require connectivity that is foolproof. In India, the tendency is to get the solution at L1 (i.e., the best price possible). Obviously the best solutions and services are not available at the lowest price. Customers acknowledge the need for products and services that are better than what is available in the market; however, there is always a tendency to lean towards the most competitively priced solution, which is not necessarily the best. Another challenge we see is there is a lot of misinformation on what products and services are available in the market. In India, there is no guiding agency that recommends solutions or sets standards. It makes it difficult to convince customers towards a particular solution being better than another. If there is no government or regulatory agency setting standardization guidelines, then things are very challenging for us.

How can you move beyond these challenges?

Dr. Ispran Kandasamy: CommScope is a global entity and leader from a technology perspective in this entire marketplace. We help set many of the global standards. So we try our best to educate our customers. We try to create awareness with respect to global standards. That’s important to do at this point of time.

Ketan Kothari: The challenge in India is that because things are state driven, you know, when the centre says something the state more or less opposes it. This makes it even more difficult to help in building standardization into our practice.

Dr. Ispran Kandasamy: I think Ketan’s point regarding the establishment of a standardization process is important. At the rate that India is growing, infrastructure build is going to become uncontrollable without standards and the problems will erupt when customers are looking to scale up.

Stephan Kowal: There is also a human safety perspective that comes into place. In the United States and European Union, there are safety guidelines and ratings for cables. The government said that you need to use cables that do not burn or produce smoke. What you do not see is that there is no consistency in what should or shouldn’t be used. So when people use the most economical solution it may not be the safest solution. We actually have partners who are educating customers about standards and how investment in our cables can help from a safety and quality standpoint. These are things that need to be taken care of immediately.

Dr. Ispran Kandasamy: We try and educate our customers. We work actively with our partners to accomplish this; however, the challenge becomes when the customer is in a competitive environment and their competition does not have the same standards requirements. Competitors implement low-cost solutions all to save the customer money. This becomes an issue where you can rapidly lose market share.

Describe some of the trends you are seeing in the connectivity space.

Stephan Kowal: We are trying to find people who do not necessarily buy or sell our solutions but have a lot of influence over our solutions. What I see is the networks are becoming more of a central backbone for communications—having increased security of the network including heating, ventilation, access controls as well as controlling lighting. There is a movement towards lighting itself by using a low voltage system. Companies like Cisco are putting energy management policies into the networks. So CommScope has teamed up with Cisco to include these energy management policies into network infrastructures by helping them design in-building intelligent networks. It is our responsibility to go out into the industry and partner with companies that are creating disruptive technologies and, at the same time, work with our partners to ensure that solutions customers want can be implemented.

Dr. Ispran Kandasamy: We are also seeing the penetration of fiber into networks. Bandwidth and the distance data needs to travel today is pushing technology to move into more of a fiber-dominant space. So the issue in a fiber-intensive network is the quality of the installation associated with that goes up. It is so important that we have high-quality partners like Sigma-Byte with us where they can make a big difference in shaping how customers adopt technology.

Sigma-Byte has been in the business for 20 years now. So what is next?

Ketan Kothari: We want to build on the credibility we have built over the last 20 years and the skills we have developed and go into the next phase. The market is converging towards IP and our partnership with CommScope will assist us with obtaining a larger piece of the solution building business. We are expecting a lot of excitement in the coming future, especially given the nature of the amount of work that needs to be done on the standardization front. We are also always looking to acquire new customers. All I can say is it’s only going to get better from this point on.


Letters

CTOForum LinkedIn Group: Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Open Source vs Proprietary Software: Practically, how many of you feel open-source free software is a better solution than any proprietary software?


The CTOs: more interested in satisfying the CFO & Board rather than the consumer?

I see the CTO is aligned to the CFO and the Board, in that order; the CTO will also have to be good at resume writing, as he will not last too long. But then the question arises, is the CFO aligned to the consumer? If he is not, then even he may be in hot water sooner or later.

I would rather mention that your call should depend on the criticality of the application to serve the enterprise business requirement, as an open-source application can have security breaches and lack of support in a worst-case scenario.

—Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

CTOF Connect

Building Storage that Lasts: Storage has always been the backbone of information. Roberto Basilio, VP, Storage Platforms & Product Management, Hitachi Data Systems talks about Hitachi’s plans for this market.
http://www.thectoforum.com/content/building-storagelasts

Supporting Business Through ‘Syntelovation’: Syntel has instituted a programme that rewards innovative solutions. “We enable our clients’ IT team to support THEIR business.” Muralidharan Ramachandran, CIO, Syntel Inc. To read the full story go to:
http://www.thectoforum.com/content/supportingbusiness-through-%E2%80%98syntelovation

Opinion: Arun Gupta, Group CIO, Shoppers’ Stop

Write to us: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com



Enterprise Round-up

Inside: Salesforce.com Claims Big Leap in Social Marketing, Pg 12

Illustrations by Shigil N

Cloud to be 51% of Data Centre Workloads by 2014: Global cloud computing traffic to reach 1.6 zettabytes by 2015

In the inaugural Cisco Global Cloud Index (2010 – 2015) issued recently, Cisco estimates global cloud computing traffic will grow 12-fold from 130 exabytes to reach a total of 1.6 zettabytes annually by 2015, a 66 percent compound annual growth rate (CAGR). Cloud is the fastest growing component of data center traffic, which itself will grow 4-fold at a 33 percent CAGR to reach 4.8 zettabytes annually by 2015. Cloud is also estimated today to be 11 percent of data center traffic, growing to more than 33 percent of the total by 2015.

The vast majority of the data center traffic is not caused by end users but by the data centers and clouds themselves undertaking activities that are largely non-transparent to end users – like backup and replication. By 2015, 76 percent of data center traffic will remain within the data center itself as workloads migrate between various virtual machines and background tasks take place. 17 percent of the total traffic leaves the data center to be delivered to the end user, while an additional 7 percent of total traffic is generated between data centers through activities such as cloud-bursting, data replication and updates.

Data Briefing: 80% – Cloud services prices will include an energy surcharge by 2015


They Said It: Steve Wozniak

“It doesn't matter if you don't make any money. Because you don't have any money to begin with. Steve Jobs and I did not have any money to begin with.” — Steve Wozniak, Co-founder, Apple

Steve Wozniak, the maker of the Apple II computer which brought about a worldwide computer revolution, was in Bangalore recently to speak to a bunch of young entrepreneurs and achievers of the Young Presidents Organisation who wanted to hear the story of the most-loved technology brand in the world: Apple.

Researcher Unearths ‘Scary’ Code on Cell: Hidden software logs and reports usage details to carrier

According to a report on HuffingtonPost.com, in a 17-minute video posted on YouTube, Trevor Eckhart shows how the software – known as Carrier IQ – logs every text message, Google search and phone number typed on a wide variety of smartphones, including HTC, Blackberry, Nokia and others. The application, which is labeled on Eckhart’s HTC smartphone as "HTC IQ Agent," also logs the URL of websites searched on the phone, even if the user intends to encrypt that data using a URL that begins with "HTTPS," Eckhart said. "Why is this not opt-in and why is it so hard to fully remove?" Eckhart wrote at the end of the video. In a post about Carrier IQ on his website, Eckhart called the software a "rootkit." Eckhart's video is the latest in a series of exchanges between him and the company. Earlier this month, Carrier IQ sent a cease and desist letter to Eckhart claiming he violated copyright law by publishing Carrier IQ training manuals online. But after the Electronic Frontier Foundation, a digital rights group, came to Eckhart’s defense, the company backed off its legal threats. The Electronic Frontier Foundation said the software that Eckhart has publicised "raises substantial privacy concerns" about software that "many consumers don’t know about."

Quick Byte on Financial

ITC Infotech has launched a new package called OptSustain. Touted as India’s first such indigenously developed product, it has been purpose-built with the aim of simplifying the process of sustainability management across the globe.


Illustration by Shigil N

Salesforce.com Claims Big Leap in Social Marketing: New tool can turn brand conversations into useful customer engagement

Salesforce.com has unveiled the Radian6 Social Marketing Cloud, which extends the social enterprise to marketing with new features in social monitoring, insights, engagement, workflow and websites. Together these innovations, claims Salesforce.com, will let companies turn millions of social conversations about their products, brand and industry into dynamic engagements that strengthen customer relationships. The Radian6 Social Marketing Cloud allows marketers to adapt to the new world of social marketing through these five key pillars:

Social Monitoring: Managing Millions of Social Conversations - Radian6’s technology enables companies to monitor on a social scale by capturing 150 million sources of social media conversations across the web including Facebook, Twitter, YouTube, LinkedIn, blogs, online communities and more. Also, Radian6 now supports a total of 17 languages, with the addition of Turkish and Polish.

Social Insights: Leveraging Social Media Intelligence - The massive volume of social media conversations generated by consumers can be overwhelming to an organisation, but overlooking a tweet from a prospective customer could result in loss of sales. New Radian6 Social Insights provide intelligent dashboards and sophisticated analytics to filter through the noise, identify relevant conversations and perform marketing campaign analysis. Now including third-party providers such as Klout, OpenAmplify and OpenCalais, Social Insights provides an additional level of information like demographics, influence, geolocation, sentiment and topic categorisation to conversations. This level of intelligence allows marketers to understand the impact of a campaign and have the flexibility to respond to customer sentiment and reaction in real-time.

Social Engagement: Connecting with Customers and Prospects - The Radian6 Social Engagement Console now enables companies to engage with customers directly where the conversation is taking place -- whether on Twitter, Facebook or other social channels. The Social Engagement Console also brings in third-party data to provide a comprehensive view of social conversations. New add-ons include the ability to see Trending Topics from Twitter, Bit.ly statistics to determine the reach of shared links and more. In addition, Radian6 is now natively integrated with Salesforce, across the full suite of Salesforce apps and platform.

Social Workflow: Delivering Millions of Social Conversations Across the Enterprise - With the launch of Radian6 Social Hub companies will be able to organise massive amounts of social media conversations by applying sophisticated analysis and rules. These action streams can automatically route relevant social content for quick engagement and response. In addition, Social Hub now populates social customer profiles, helping marketers create relevant campaigns based on what the consumer likes.

Social Websites: Empowering Marketers to Move at the Speed of Social - Siteforce empowers marketing organisations to move at the speed of social and quickly and easily build socially rich websites to engage with customers and prospects. Using a powerful drag and drop studio, marketers can build, edit and publish pixel perfect websites, without any help from IT. Siteforce uses a powerful and flexible content management system, allowing companies to better engage with customers and prospects by adding social features like Twitter streams, Facebook likes and more.

Global Tracker: Dip in outsourcing players’ revenues. By 2015, low-cost cloud services will cannibalise up to 15 percent of top outsourcing players’ revenue. Source: Gartner



E nte rpri se Round -up

Illustration by shigil N

BI in India to reach $81 mn in 2012 Demand drivers include consumerisation of BI

The market for business intelligence (BI) software in India is forecast to reach revenue of $81.5 million in 2012 a 15.6 percent increase over 2011, according to Gartner, Inc. Worldwide BI software market revenue is forecast to grow 8.7 percent to reach approximately $12.7 billion in 2012. Gartner analysts said the market for BI platforms will remain one of the fastest growing software markets despite expectations of an economic slowdown. Organisations continue to turn to BI as a vital tool for smarter, more agile and efficient business, and

they are increasing their current usage scenario from just an information delivery mechanism. "The BI market has remained strong because the dominant vendors continue to put BI, analytics and performance management at the centre of their messaging, while end-user organisations largely continue their BI projects, hoping that resulting transparency and insight will enable them to cut costs and improve productivity and agility down the line," said Bhavish Sood, research director at Gartner. "It's a sign of the strategic importance of BI that investment remains strong." Among the sub segments, BI platforms is still expected to be the largest in pure revenue terms, while CPM suites are expected to grow the highest. Adoption deadlines of IFRS and XBRL –Extensible Reporting Language will further drive demand for CPM suites in India. Decision making in India historically has been based on either "gut feelings" or on the business experience of managers. BI will allow enterprises to make more fact-based decisions. BI promotes revenue growth and faster innovation through shorter product and service life cycles and the ability to find where value is being created in the business. "The demand side of the BI platform market in early 2011 was defined by an intensified struggle between business users' need for ease of use and flexibility on the one hand, and IT's need for standards and control on the other," said Sood. "With ‘ease of use’ now surpassing ‘functionality’ for the first time as the dominant BI platform buying criterion, vocal and influential business users are increasingly driving BI purchasing decisions, most often choosing easier to use data discovery tools over traditional BI platforms — with or without IT's consent," he said.

Fact ticker

Things IT leaders should watch out for in 2012: social media and mobile are likely security targets

Web security provider Websense has come up with its cyber security predictions list for the year 2012. Here are the seven things IT leaders need to watch out for in the year ahead:

1. Social media identity may prove more valuable to cybercriminals than credit cards. Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends.

2. The primary blended attack method used in the most advanced attacks will be to go through your social media "friends," mobile devices and through the cloud. We've already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you. People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.

cto forum 07 december 2011

The Chief Technology Officer Forum

Jaxtr SMS

Sabeer Bhatia's new venture, JaxtrSMS, aims to release short messaging from the clutches of closed groups. Can he do a Hotmail to SMS? Going by the promise in the Hotmail co-founder's press announcement, he well could. After all, it's been a long time since Sabeer's last successful venture, the ubiquitous free email service Hotmail, was bought by Microsoft (1998). And this time, the new venture could just click on the simplicity and power of the idea, unlike others such as Arzoo and Live Documents.

Called Jaxtr Inc., the new venture is founded by Sabeer Bhatia and Yogesh Patel. The firm has launched JaxtrSMS, a cross-platform, open texting application to send an SMS to anyone in the world for free. JaxtrSMS is claimed to be unique in that a mobile user can send a text SMS to any mobile phone in the world without requiring the receiver to have the JaxtrSMS application installed on their phone. This “open” facet of JaxtrSMS, claims the release, distinguishes it from other free mobile messaging applications where messages can only be sent within a closed network to people who also have the same app installed. JaxtrSMS retains the number of the user and no new number is required while signing up for the JaxtrSMS service.



A Question of Answers

Vijay Mhaskar

Educate to Mitigate Risks

Vijay Mhaskar | VP, IMG, Symantec

Making the most of social media: Mhaskar gives insights into best practices for companies to leverage social media

Vijay Mhaskar, Vice President, Information Management Group, Symantec, in a conversation with Varun Aggarwal shares his insights into the growing risks attached to social media, and suggests measures to mitigate them.

Social media threats are on the rise. In such a scenario, how should enterprises build a social media strategy?

We do see a growing trend wherein companies are adopting social media applications to improve collaboration between employees and partners and to build better relationships with customers. Information is the most valuable asset to Indian enterprises. However, it is also the most vulnerable asset, since a data breach can impact an organisation negatively.

Today’s organisations need to manage risk proactively, protecting not just the infrastructure that data resides in, but also the information itself. Enterprises require a holistic information security and management strategy, which is risk-based and policy-driven, information-centric and operationalised across a well-managed infrastructure. Enterprises need solutions that can help them develop and enforce policies, manage systems efficiently, protect information and identities and protect the infrastructure.

Some of the best practices that companies can follow include:

- Begin with a formal and well-understood policy for employees’ use of public sites like popular social networking portals
- Monitor managed and unmanaged endpoints, on or off the network
- Notify employees when they try to send confidential data outside of the company
- Like all corporate communications, define how to use social media and train employees regarding appropriate content to post
- Identify and understand legal or regulatory requirements specific to your industry, and implement policies to address regulations that call for retention of social media content
- Consider deploying an archiving solution that enables the automatic capture and retention of social media content, especially if your industry is highly regulated
- Implement a data loss prevention solution to provide another layer of protection to prevent confidential and proprietary information from bleeding out of the company onto social networks

Enterprises should have a sustainable programme that allows them to measurably reduce the risk of a data breach, demonstrate regulatory compliance and safeguard customer privacy, brand equity and intellectual property. With social networking growing exponentially, enterprises need to consider both the risks and opportunities presented by this phenomenon. The good news is that tools exist to help organisations gain the real business benefit from these sites. In order to secure this new age, Symantec has been assembling a set of solutions that bring together identity and device security, information protection, context and relevance and the benefits from leveraging the cloud: the critical enablers of confidence in a connected world.

What are the various threats that you've observed over the use of social media?

We recently commissioned a survey to gauge the impact of corporates using social networking sites: the Symantec 2011 Social Media Protection Flash Poll. The findings clearly indicate a growing trend amongst enterprises engaging in social media and falling victim to various related incidents that may result in serious consequences, from reputation loss to loss of confidential information. In particular, we would like to focus on the top three social media incidents the typical enterprise experienced over the last year:

- Employees sharing too much information in public forums (46 percent)
- The loss or exposure of confidential information (41 percent)
- Increased exposure to litigation (37 percent)

Technology has a role to play here, with solutions that can protect and archive the information, making it recoverable in case of any regulatory or compliance need. Information protection will need to go beyond just the current set-up to integrate the new medium and automate the process to ensure better access controls. It’s more important than ever for companies to have controls in place to capture social information to comply with open records requests, industry regulations such as the supervision requirements and the eventuality of an eDiscovery request.

How can organisations safeguard their confidential data and reputation while allowing access to social media?

Like all corporate communications, organisations must define how to use social media and train employees regarding appropriate content to post. Organisations must identify and understand legal or regulatory requirements specific to your industry, and implement policies to address regulations that call for retention of social media content. Organisations must consider deploying an archiving solution that enables the automatic capture and retention of social media content, especially if your industry is highly regulated. Keeping this in mind, Symantec Enterprise Vault 10, the new version of our email and content archiving software, now features data loss prevention technology. Another new feature is the ability to archive all social media interactions for compliance and eDiscovery purposes. This prevents data getting leaked outside organisations.

Things I believe in

- Define how to use social media and train employees regarding appropriate content to post
- Consider deploying an archiving solution that enables the automatic capture and retention of social media content
- Implement a data loss prevention solution
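The three controls Mhaskar keeps returning to (warn employees when confidential data is about to leave the company, capture and retain outbound social media content, and a data loss prevention layer that blocks the worst cases) can be shown working together on a small outbound-post check. This is an added example written for this page, not Symantec's or Enterprise Vault's code; the confidentiality markers, the internal project names, the ACC-nnnnnnnn customer account format and the sample posts are all constructed for the demonstration.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed policy for a hypothetical company. Real DLP products ship far richer
# content classifiers; this keeps the three possible decisions easy to follow.
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "DO NOT DISTRIBUTE")
PROJECT_CODENAMES = ("project falcon", "orion launch")  # hypothetical internal names
STRUCTURED_PATTERNS = {
    # ACC-12345678 is a constructed customer account-number format
    "customer_account": re.compile(r"\bACC-\d{8}\b"),
    # 16-digit payment card number, with or without separators
    "payment_card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}


def classify_post(text: str) -> dict:
    """Decide what to do with an outbound social media post.

    "block"  : structured sensitive data or an explicit confidentiality marker
    "notify" : an internal project name; the employee is warned before it leaves
    "allow"  : nothing matched
    """
    reasons = []
    upper = text.upper()
    for marker in CONFIDENTIAL_MARKERS:
        if marker in upper:
            reasons.append(f"marker:{marker}")
    for name, pattern in STRUCTURED_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"pattern:{name}")
    if reasons:
        return {"decision": "block", "reasons": reasons}
    lower = text.lower()
    hits = [f"codename:{c}" for c in PROJECT_CODENAMES if c in lower]
    if hits:
        return {"decision": "notify", "reasons": hits}
    return {"decision": "allow", "reasons": []}


def archive_record(user: str, channel: str, text: str, verdict: dict) -> dict:
    """Retention record: who posted what, where, and what the policy did.
    The content hash lets a later eDiscovery review check the record was not altered."""
    return {
        "user": user,
        "channel": channel,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "content_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "content": text,
        "decision": verdict["decision"],
        "reasons": verdict["reasons"],
    }


def employee_notice(verdict: dict) -> str:
    """Text shown to the employee; empty when the post is simply allowed."""
    detail = ", ".join(verdict["reasons"])
    if verdict["decision"] == "block":
        return f"Post blocked: it appears to contain confidential data ({detail})."
    if verdict["decision"] == "notify":
        return f"Warning: this post mentions an internal project ({detail}). Confirm it is approved for public release."
    return ""


def process_outbound(posts):
    """Run every (user, channel, text) triple through classification and archiving."""
    records = []
    for user, channel, text in posts:
        verdict = classify_post(text)
        records.append(archive_record(user, channel, text, verdict))
    return records


# Constructed sample traffic
SAMPLE_POSTS = [
    ("asha", "twitter", "Great to be at the Mumbai customer meet-up this week!"),
    ("rahul", "linkedin", "Heads up: the Project Falcon demo is on Friday"),
    ("neha", "facebook", "Customer ACC-12345678 called again about the same bug, sigh"),
    ("vikram", "twitter", "CONFIDENTIAL: 2012 roadmap attached, feedback welcome"),
]

if __name__ == "__main__":
    for rec in process_outbound(SAMPLE_POSTS):
        print(json.dumps(rec, indent=2))
        print(employee_notice(rec) or "(allowed silently)")
```

Every post is archived whatever the decision, which is the point of the retention requirement: the record of what an employee tried to post, and what the control did about it, is what an open-records request or an eDiscovery review will ask for. The "notify" tier exists because a project name is not proof of a leak; the employee gets the chance to stop, while account numbers and explicit markers are stopped outright.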



Best of Breed

Illustration by PC Anoop

Features inside:
IT Productivity Destroyers, page 22
Building an IT Business Office, page 25

Data briefing: 50% of email users will rely primarily on a browser or mobile instead of a desktop by 2016

Why You Deserve to Be Demoted

There are three very real and current challenges that are the big reasons for demoting the CIO

By Marc J. Schiller

It doesn’t take a genius to figure out that when a group of people (say, CIOs for example) are constantly talking about their role and the future of their role, it’s likely they are in trouble—whether they want to admit it or not. Judging from what’s been appearing online and in print over the past 24 months, it seems like we have a really big problem brewing.

Don’t believe me? Try it yourself. Do a search on “the role of the CIO.” Look at the results for the last 90 days and see what comes up. Article after interview after white paper all talking about the big and important changes afoot for CIOs. To be sure, every executive examines their role and scope of responsibilities from time to time -- that’s natural. But if you look at the volume of material being written about and discussed on the role of the CIO, it seems that CIOs are obsessed with this issue. That’s especially clear if you do a similar search on “the role of the CFO,” or even “the role of the CEO.”

The folly of conventional wisdom

Now comes the interesting or, some might say, the exasperating part. When you read these articles, white papers and interviews, there isn’t really a meaningful exchange of ideas around specific issues. They all just seem to say almost exactly the same boring and unbearably obvious thing. It goes something like this: The world is changing. Business is going faster than ever before. You can’t just be a technologist. You have to be a real business partner. You have to drive revenue. And when you do, everything will be great.

Recently, it’s gotten even worse. Here is a direct quote from the closing lines of the just-published CA white paper entitled “The Role of the CIO--Becoming the Boss”: “… the penny is dropping in boardrooms around the world; cloud computing is driving change and CIOs are well placed to capitalise [sic] on market conditions and offer their expertise to the organisation [sic] at a leadership level...CIOs must maximise [sic] their muscle as the technology visionary within their business and help the boardroom to emerge stronger in the future.”

“Maximise their muscle?” What sort of fantasyland do these people live in? “The penny is dropping?” Gimme a break. More like a bowling ball.

Beyond the sheer silliness of lines like these, this stuff drives me nuts for several reasons: It’s beyond simplistic and obvious. Of course the world is changing. Of course you have to be close to the business. Of course you have to seek out revenue-enhancing solutions. That’s been standard operating procedure for CIOs for years already. The flowery, esoteric, you’ll-be-the-CEO-someday ideas are nothing more than feelgood journalism. It promotes a completely unrealistic expectation for 95 percent of CIOs. Heck, research shows that less than 40 percent of CIOs even report to the CEO today.

The biggest problem I have with this kind of material is that it fails to address what’s really going on. These articles and white papers talk about how things ought to be and they describe the roles they believe CIOs would like to play. They don’t address head-on the real challenges of the CIO today. In place of facing up to the very immediate and real threats to the CIO, they jump to future visioning. As if to say, when you act like this, everything will be fine. So before I say a single word about the role of the CIO, I want to take a moment and put out there what’s really going on, what’s really driving so much of the role searching for CIOs today. Unless we clearly see the true nature of the challenges, no solution will work. It will simply be disconnected from reality.

Meet the big three

For lack of a better term, and for dramatic effect, I’ll call the very real and current challenges the three big reasons for demoting the CIO. They are:

1. Today’s business managers are tech-savvy. They have grown up with technology, they understand it and they want to make their own technology decisions. They do not need a CIO slowing things down and making it more complicated. And don’t bother offering yourself as a “consultant” to the business. If they want a consultant, they will hire one with the specific expertise they need. After all, such consultants are a dime a dozen.

2. IT is ubiquitous and no longer offers a strategic advantage. It has become a commodity that can be purchased on-demand and in the cloud.

3. What can’t be bought in the cloud can be bought from an outsourced vendor. From desktop support to payroll processing and on to nearly every business process, there are plenty of competent outsourcers out there to get the job done.

Given these three obvious realities, what are really the roles and the value-add of the IT group generally, and the CIO specifically? Now that, my friends, is a serious challenge. And that is what is going through the minds of business managers all over the world.

A real dialogue to address the challenges

In place of attempting to give you a 30-second version on the “new” role of the CIO, I’d like to open a dialogue. I’d like to present just one idea that I believe will be helpful to IT leaders in both forming a sense of their role today and into the future. Most importantly, I’ll present and test that one idea against the big three reasons to demote the CIO to see how it stands up. You get to be the judge.

Returning to a very basic premise

The real importance of the CIO role comes from the focus on information. It’s not a trivial point. In fact, when you think of the role of the CIO as being first and foremost about managing, securing, enhancing, and leveraging the organisation’s information assets, the three big arguments for demotion are easily countered. Here’s how:

1. Today’s Business Managers are Tech-Savvy: That’s both a blessing and a curse. It’s a blessing because a lot of the silly, handholding activities required of IT in the past can be ditched. It’s a blessing because it makes technology-based discussions easier. But it’s also a curse, because business managers are still business managers, and so they should be. They are impatient and want to get things done quickly. They don’t have the time or the inclination to work through all of the nitty-gritty details that are required to ensure that the systems they are putting in place do, in fact, collect and integrate data with other corporate resources. They don’t have the time or the expertise to evaluate the information integration and interface requirements a particular system may create. And they certainly don’t want to be on the hook for all of the data security and regulatory compliance issues that are growing by the day. The beauty is, when you really lay out the information angle for a tech-savvy colleague, they usually get it. What’s more, this understanding will often lead to support and compliance around issues like data governance and standards. When that happens, it’s magic. Because now you share a common destiny regarding the integrity of, and the access to, your organisation’s most important asset: its information.

2. IT No Longer Offers Strategic Advantage: Completely true. And that’s the most important reason to have a CIO. To make sure that IT investments are made with this fact clearly in mind. The CIO needs to be there to remind everyone that the technology, per se, offers no operating advantage. To merit IT investment dollars, an application must be implemented in such a way as to confer unique value. With all the hype about ERP, CRM, the Cloud, whatever, it’s easy for the business to believe that a purchase from a vendor is all that is required. The CIO is there to remind the business of the very hard work it takes to implement a real solution and to derive meaningful information from it. It’s the CIO, with his or her process and information perspective, who is uniquely positioned to articulate the metrics of value relative to any technology-enabled project, which, today, is nearly everything.

3. Everything is Being Outsourced: If properly managing and extracting value from information assets that are fully under your control is hard, it’s 10 times harder when an outsourcer or cloud-based solution provider is involved. The challenges of information security, management, governance, integrity, integration, and meaning increase dramatically. Without a CIO (and his team) to focus on these issues, who will do it? Certainly not the functional outsourcer: It’s way out of scope for them. The business? Of course not. They don’t have any of the necessary skills or knowledge. It’s the critical role of IT.

Data briefing (80%): cloud services will include a global energy surcharge by 2015

The opening salvo

This is far from the last word on the role of the CIO. In fact, it’s only meant to be the opening salvo. But it’s an important one. It’s important because it directly answers the questions that are driving some to think about demoting the CIO (including many CIOs themselves). It’s important because it is rooted in what organisations really need. And finally, it’s important because it builds on what CIOs can and should be doing for their organisations; today, and into the future.

— Marc J. Schiller, author of “The 11 Secrets of Highly Influential IT Leaders,” is a speaker and a strategic facilitator. This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com

IT Productivity Destroyers

VC's views on the causes of inefficiency in the IT organisation

By Marc J. Schiller

This article series is for the IT leaders, managers and professionals who seriously want to shake things up, for themselves and their organisations. It’s meant for IT leaders, managers, and professionals who know in their gut that there is always a better way to do things and who are eager to learn and apply it. So, if you consider yourself a member of this group, stick with me. Because this series is going to show you how to:

1. Gain an extra work day for yourself without working an extra minute, and
2. Increase your team’s productivity and work satisfaction by 20 percent, 30 percent or more.

Sound ambitious? Think I’m kidding? Well, I’m dead serious. So, let’s get started.


Illustration by Shigil N

The hierarchy of organisational time-wasting activities

Organisations are inherently inefficient. It’s just the way of the world. IT professionals complain about the inefficiencies that impact personal productivity and cut into personal time. Managers become frustrated by the slow progress of their team members. As an external consultant, I often get the “pleasure” of hearing these complaints from both sides of the management divide. Where it gets interesting is when you ask IT professionals and managers to identify and rank the causes of inefficiency and time wasting. Overall there are three big categories. They are presented below in order of time-wasting rank and degree of impact, from mild to severe.

1. Personal time wasting: This covers items like spending too much time on Twitter, LinkedIn, Facebook, web surfing, news reading, and so on—all under the guise that it really does relate to your job. Not surprisingly, pointing to this category is a favorite of managers. Although, with the appearance of many CIOs on Twitter, it’s starting to be a problem at the leadership level as well. Degree of organisational impact: mild.

2. Misguided efforts and energy: This category refers to all those activities that some IT managers feel are very important but, in reality, have little value except in the most limited instances. The big culprits in this category are: email proliferation (too many cc’s, too many thank you’s, using email like chat instead of actually speaking with someone); global standards initiatives; vendor briefings to “stay on top of things”; department reorganisations that produce unclear org models and even more esoteric and meaningless titles for the same people; telling stories of the days when you changed vacuum tubes and picked the bugs out of the punch cards. Degree of organisational impact: moderate.

3. Productivity destroyers: These are the activities that are described not with a roll of the eyes, but with a furrowed brow and a shaking head of disapproval. What makes this category stand out in particular isn’t the fact that it has massive impact on the individual and the organisation (which it does) but rather that there is nearly 100 percent agreement between managers and professionals on the biggest culprit. And the winner is: MEETINGS! Yup. Almost everyone (at least in the IT world) believes that the biggest personal and organisational productivity destroyer is the abundance of meetings they have to attend. Degree of organisational impact: severe.

Here we have an essential business activity that nearly everyone in IT feels is a major drain on productivity and progress. For years I ignored this observation. I chalked up complaints about people doing email during meetings to bad etiquette. Statements about poor planning and agenda management, I figured, were about political rivalry or attributable to the fact that they were unfairly comparing my highly prepared workshops and seminars (which have to sparkle with sexy, multimedia presentations, studies, and data so that I can get paid) to the rest of their “normal” work day.

A few years ago I landed a venture capital (VC) firm as a client and I got a huge wake-up call. All of a sudden, I was in close contact with a different industry with a different mindset and different business practices. The biggest difference between the worlds of VCs and IT? Their attitude towards, and handling of, meetings. For a VC, meetings (with entrepreneurs, investors, analysts, bankers, etc.) are a core competency. They don’t have to deliver systems or provide tech support. What they have to do is find, process, oversee and sell companies. And that takes a ton of meetings. Meeting inefficiency isn’t just a productivity killer, it has the potential to destroy the firm. They know this and live it deep in their bones. (At least the guys that I worked for did.) The very best illustration I have of this is the seven-minute triage meeting.

The seven-minute triage meeting

Ask any entrepreneur how much time they would like to pitch their company to the VC. They are likely to say 60 minutes to 90 minutes. They are eager to cover all the ins and outs of their company and why it will be a winning investment. Now, look at things from the perspective of the VC, who needs to meet with lots of entrepreneurs in order to find the one or two they are going to back. The particular firm I worked with funded about one out of every 150 companies that pitched them—two or three new investments per year. Using their numbers, that would require meeting with about 450 entrepreneurs. And if every one of them were given 90 minutes, it would result in 675 hours of initial pitch meeting time. Their solution? The seven-minute triage meeting. Once a week, several hours were set aside to meet with entrepreneurs. Each entrepreneur was told they had seven minutes to give their pitch to the partners and to answer one or two key questions. Their thinking was pretty simple. If the entrepreneur couldn’t make a convincing case for the value proposition of the company in seven minutes, there wasn’t much point going any further. The sole purpose for the meeting was to determine whether or not the company merited a closer look. Super focused. Super disciplined.

It didn’t stop there

The seven-minute pitch is just one example. This discipline around fixed meeting times extended to a number of other common business processes where they had figured out the appropriate scope and time boundaries for the meeting to keep it focused and to direct follow-up activity. A personal example. One of my first assignments was to present an overview of the competitive landscape for one of their portfolio companies. I had in mind a detailed analysis and presentation. However, I was told that at this stage all that they wanted was a 20-minute overview of the players with their key strengths and weaknesses. It focused me. It saved me time. And, it saved them money. I was hooked. When I first encountered this approach, I figured it would produce a lot of stress and resentment as people (myself included) were forced to fit into a tight time slot. In fact, I observed nearly the exact opposite response. In place of stress, the highly focused agenda, framework and time constraint produced a sense of calm. People were very clear on what the meeting was about and what they needed to do—before, during and after the meeting. Not only were the attendees well prepared, but there were few complaints about all the meetings.

It’s not just a time box

When I first shared my experience with my IT clients and told them that I wanted to implement a similar sort of system for IT, they thought I was crazy. Their immediate response: How could they possibly do anything in seven minutes? It’s a natural response, but it completely misses the point about what it is that makes the seven-minute triage meeting (or others like it) work. It’s not just a time box. It’s a defined business process expressed in a set of goals, executed in an agenda, and contained within an appropriate time frame. My IT clients were hearing, “have short meetings.” But what I was trying to say was, “get your meetings into a tight, well-focused framework, like those VC guys do, and your meetings will be productive and brief.”

The essential point and the big question

After a bit of trial and error, a winning approach emerged. It’s founded on one very basic idea with which nearly every IT professional and manager can agree: Meetings with very focused goals and objectives, controlled by the right agenda, have the potential to be wrapped in a tight time frame. The only remaining question: How to realise that potential across IT without creating some wacky meeting definition project?

Is that it?

No, of course not. But since good articles, like good meetings, need to live within strict parameters, that’s exactly where I will pick up later this week with Part II. In the meantime, consider how you might apply the VC approach to your meeting schedule. You’ll be shocked at what you will uncover on your own.

Data briefing (10%): per year growth of financial impact of cybercrime through 2016

— Marc J. Schiller, author of “The 11 Secrets of Highly Influential IT Leaders,” is a speaker, strategic facilitator, and an advisor on the implementation of influential analytics. He splits his time between the front lines of client work and evangelising to IT leaders and professionals about what it takes to achieve influence, respect and career success. Download a free excerpt of his book at http://11secretsforitleaders.com. This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com


Building an IT Business Office

To bridge the gap between business and IT, financial firms are building an IT business office

By Bob Reinhold

Illustration by Shigil N

The challenge of demonstrating the business value gained from IT spending has been an issue for as long as there has been IT. This is particularly a challenge for financial services firms as they strive to respond to emerging regulatory requirements and drive a growth agenda in the current cost-constrained environment. But these challenges are not unique to financial services. Improving the ability to measure and communicate the business value of IT is critical for any organisation in this challenging economic and regulatory environment.

One of the greatest pitfalls in linking spend to value is the common communications gap between the business and IT. IT professionals have developed a robust set of metrics designed to drive the management of IT; unfortunately, expressions like “four nines of availability” and the maintenance of “DASD utilisation below 75 percent” are often meaningless to, say, the head of the wealth management business. According to David Reilly, Technology Infrastructure executive and Chief Technology Officer at Bank of America, “there is a big difference between management information and management reporting — the metrics you use to measure yourself and run the business of IT are not necessarily the same things the business will use to judge your success.”

To bridge this gap, a growing number of financial firms are building an IT business office. This function aids in managing IT value delivery by packaging and measuring IT services in business terms and improving the ability of the business to collaborate with IT to manage technology investments. It’s a model that can work for any enterprise. The goal of this function is to increase transparency and accountability, both for IT and the business and, ultimately, to deliver the maximum value out of technology to meet the needs of the business. IT business offices take different forms depending on the organisation. Regardless of whether there is a formal entity called the “IT business office,” or a rather informal adoption of business-aligned management and communication practices, we have found that two foundational elements are necessary to achieve the desired results.

Agreement on value components

A critical requirement for successful alignment is to get IT and the business to agree on a common definition of what is valuable to the business. Pascal Boillat, CIO of Fannie Mae, introduced the concept of an IT business office when he joined the government-sponsored entity and immediately focused on creating a common set of goals between business and technology. By agreeing on goals and standards of measurement, the “business gains transparency into IT and is empowered to make more informed decisions. The collaboration raises accountability on both sides,” he says. Bank of America’s Reilly emphasises the importance of having the business take ownership of values and measurement: “You have to hold yourself accountable to what the business cares about; while this may be difficult, it is the business impact that matters.”

cto forum 07 december 2011

25


BEST OF BREED

management

Two kinds of value should be defined:

1. Transformative value. This is a change from the current environment to a desired future state. This type of value is often associated with significant strategic initiatives, such as implementing a new financial system. To keep focused on the strategic objective, the IT business office should ensure that business stakeholders and IT share a vision of the ultimate business outcome to be achieved through the effort, as well as value to be achieved over the course of the initiative. Transformative value can also be associated with more general, cultural or environmental changes, such as reducing complexity in the applications architecture or adopting a more mature set of IT processes. In both cases, IT is charged with moving the organisation along a path; progress on the path should be visible and measured by definable business outcomes.

2. Operational value. This, essentially, is the effective delivery of IT. Typically, it is defined and measured by IT’s ability to meet appropriate service levels. But it is important for “effective” to be defined in the language of the business. For example, translating the phrase “four nines of system availability” to “one hour of unavailability per year” may be clear language for a business executive, but still more information may be needed to understand its significance. In this case, an outage occurring as a series of events during peak trading hours will have a significantly greater impact than a single outage occurring overnight. According to Bank of America’s Reilly, “What business executives really care about is reducing or eliminating the number of incidents that impact their business.” To that end, Reilly advocates measuring the number and duration of business-affecting incidents, and holds himself and his team accountable to the business stakeholders’ definition of impact.
As important as defining goals is defining how they will be measured and reported — specifically the processes, roles and responsibilities for IT business office functions. Whether you have established a formal business office or are simply introducing business office practices into your organisation, you must define the organisational structure that will be established to capture and report on the metrics that demonstrate IT value delivery.
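Reilly’s point above, that one availability figure can hide very different business impact, worked through as an added example (not code from the article, Bank of America or Fannie Mae): the peak trading window and both outage sets are constructed, and the scorecard reports business-affecting incidents and peak-hour minutes lost alongside the raw availability percentage.

```python
"""Operational value in business terms: two outage histories with identical
raw availability but very different business impact.

Added example, not code from the article. The peak trading window, the
weekday rule and both outage sets are constructed for illustration; the
metrics follow the article's suggestion of counting business-affecting
incidents and their duration rather than quoting 'nines'.
"""
from datetime import datetime, time, timedelta

MINUTES_PER_YEAR = 365 * 24 * 60
PEAK_START = time(9, 15)   # constructed: start of peak trading hours
PEAK_END = time(15, 30)    # constructed: end of peak trading hours


def peak_minutes(start: datetime, end: datetime) -> int:
    """Minutes of the interval [start, end) that fall on a weekday inside the
    peak trading window. Stepping minute by minute keeps day and weekend
    boundaries correct without special cases."""
    count = 0
    t = start
    while t < end:
        if t.weekday() < 5 and PEAK_START <= t.time() < PEAK_END:
            count += 1
        t += timedelta(minutes=1)
    return count


def scorecard(outages):
    """Build the business-facing scorecard for a year's outages.

    outages: list of (start, end) datetime pairs.
    Returns the IT-style availability figure next to the business-style
    incident metrics so the two can be compared side by side."""
    total = sum(int((end - start).total_seconds() // 60) for start, end in outages)
    peak = [peak_minutes(start, end) for start, end in outages]
    return {
        "incidents": len(outages),
        "outage_minutes": total,
        "availability_pct": round(100.0 * (1 - total / MINUTES_PER_YEAR), 4),
        "business_impacting_incidents": sum(1 for m in peak if m > 0),
        "peak_minutes_lost": sum(peak),
    }


def _dt(day, hh, mm):
    """Constructed helper: a datetime in December 2011 (4 Dec 2011 is a Sunday)."""
    return datetime(2011, 12, day, hh, mm)


# Constructed outage set A: one 60-minute outage, Sunday 02:00-03:00.
OVERNIGHT = [(_dt(4, 2, 0), _dt(4, 3, 0))]

# Constructed outage set B: four 15-minute outages, all in weekday peak hours.
# Same 60 minutes per year, so the same "nines", but four business-affecting incidents.
PEAK_SPREAD = [
    (_dt(5, 10, 0), _dt(5, 10, 15)),
    (_dt(6, 11, 0), _dt(6, 11, 15)),
    (_dt(7, 13, 0), _dt(7, 13, 15)),
    (_dt(8, 14, 0), _dt(8, 14, 15)),
]

if __name__ == "__main__":
    for name, outages in (("overnight", OVERNIGHT), ("peak spread", PEAK_SPREAD)):
        print(name, scorecard(outages))
```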


It is important to be pragmatic in this effort. The business office function will fail if it requires a large bureaucracy or expensive custom reporting. In some cases, close proxies may need to be used for metrics that are difficult to capture and quantify. For example, let’s say your goal is to increase the adoption of an improved systems-development lifecycle process. It would be hard to measure the adoption directly, other than by observing the actions of a large team of people. However, you can measure the indicators of success, such as the number of emergency bug fixes, which would be reduced if team members follow a rigorous development process.

It can be a challenge to gather information and produce reports on a regular basis without incurring major repeated costs or business interruptions. Efficiency, repeatability, and speed to implementation are important to Fannie Mae’s Boillat: “We found we lacked the infrastructure we needed to automate gathering the metrics, so we had to start off with fairly basic measurements,” he says. “The lesson here is not to wait for the perfect reporting systems. Start with what you can and make it an iterative process.”

It’s best to automate as much of the reporting process as possible. Means of automation would include direct reporting from financial systems or creating purpose-built data stores to capture relevant IT business operations data. Similarly, automating workflows with business process management tools will enhance the efficiency and effectiveness of the process.

Some organisations apply the IT business office concept to individual business units or functional areas. When this approach is taken, experience has shown there is an advantage gained from establishing common measures that all business units report. Establishing a common set of scorecards and measurement approaches across business units streamlines the convergence process and ultimately lowers the cost of the overall implementation.

Successful implementation of an IT business office function will result in enhanced transparency, improved trust, joint accountability and, ultimately, alignment between IT and the business. “Our primary objective in starting the IT business office was to help us apply the same disciplines to technology that you take for granted in running a business: establishing goals and measuring progress against them with a strong focus on the financials,” says Fannie Mae’s Boillat. “The end result has been far greater transparency for the businesses [than was previously possible], giving them the opportunity to direct and really own their IT spend.”

The business office helps firms understand the levers available to business decision-makers to provide a degree of control over IT cost allocations. Since IT is one of the biggest costs at many institutions, this can be a significant gain for firms. The benefits extend beyond the walls of the organisation. An IT business office can enable improved communication with regulators, the board of directors and internal and external auditors. Firms can take a holistic, centralised look at the IT risk management function in response to business objectives, regulatory requirements and board directives, and demonstrate the maturity and reliability of IT processes to regulators, auditors and other stakeholders.
— Bob Reinhold is a Principal in the Financial Services Office of Ernst & Young LLP. The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP. — This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com


TREND MICRO IS #1 IN SERVER SECURITY, WORLDWIDE PHYSICAL OR VIRTUAL*

PHYSICAL. VIRTUAL. CLOUD. BRIDGE YOUR DATACENTER TRANSFORMATION SECURELY WITH TREND MICRO

As datacenters transform from physical to virtual, and eventually into the cloud, gaps in datacenter security widen. As virtual machines overtake physical hosts and sensitive data moves into the cloud, your datacenter perimeter blurs and the complexity of security increases. Turn to Trend Micro, the leader in server security, to bridge your datacenter transformation - higher consolidation, better manageability, faster performance, and plainly more secure. The result is a true business advantage.

Learn more at trendmicro.com/cloud-security For more information, visit us at www.trendmicro.co.in Call: 1800 103 6778 Email: sales.in@trendmicro.com Delhi: 91-11-42699000 Mumbai: 91-22-26573023 Bangalore: 91-80-40965068 *Sourced from: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC



Security

COVER STORY

With the growing number of threats and their increasing sophistication, CIOs need to chart out a clear strategy for their IT infrastructure security in the coming decade.

Illustration BY PC Anoop

By Varun Aggarwal

There has been a sea change in the security landscape in the year 2011. For the first time, threats such as Distributed Denial of Service attacks, considered a highly sophisticated attack vector, were executed using open source tools. Hacktivism, or the use of hacking as a means of showing protest, became commonplace this year. Hacktivism groups such as Anonymous and LulzSec emerged, threatening governments, corporates and anyone who they thought was not doing the right thing. The threat of cyber war loomed large, giving governments sleepless nights. Iran built its first cyber command to fend off cyber attacks. Israel similarly built a Cybernetics taskforce, while the US announced its strategy to retaliate against hostile acts in cyberspace with military might. With their acceptance increasing in enterprises, and the concept of Bring Your Own Device to work (BYOD) catching on, mobile devices were on the receiving end of security breaches. The first couple of months of 2011 saw the largest number of malware samples in the history of the mobile platform. Amidst this changing security scenario, CTO Forum looked at some of these threats and came up with strategies that enterprises could adopt to mitigate them.

INSIDE

30 The Cyber Defence Team | 32 Going the Consumer Way | 34 Security Priorities 2020 | 36 Consumerisation of IT | 38 Evolving Role of Security | 40 CFO's View On Security



The Cyber Defence Team

New threats and new measures to counter them call for a reorganisation of IT security teams so that they can focus on defending the organisation from targeted attacks.

It is only ten years since most enterprises established separate security teams to address vulnerabilities and deploy and maintain patches and virus signature updates as well as configure and maintain firewalls. To ensure that policies were created and enforced most organisations also created the position of Chief Information Security Officer (CISO) who enacted those policies and became responsible for ensuring that the organisation was in compliance with standards and regulations. The rise of targeted attacks must be met by similar organisational enhancements. The terminology and titles are not important but the roles and responsibilities described here are required to mount an effective cyber defence.

It is interesting to note that the Cheong Wa Dae (Korean President’s “Blue House”) has instituted a special Cyber Defence Team in reaction to concerted attacks on the computers of the G20 Summit Committee in Seoul. “Since June, the government has been running a special cyber defence team to prevent attacks against major private and public computer networks.” — The Chosunilbo

Countering targeted attacks calls for new measures. One of those measures is creation of specialised teams that are not bogged down in the day to day tasks of blocking viruses and cleaning up machines. Here is my proposal for such an organisation.

Team Lead: Cyber Defence Commander

The title may evoke a too martial image. Perhaps cyber defence team lead, or director of cyber defence, will be a better fit. But the idea of one-throat-to-choke in establishing a leadership role is an effective way to motivate a team and its leadership with the seriousness of its task. They must be instilled with the idea that they are targeted, under attack daily, and engaged in a battle to protect the organisation from a malicious adversary.


Richard Stiennon, Chief Research Analyst, IT-Harvest and author of Surviving Cyberwar shares insights into some of the new threats faced by enterprises and suggests new measures to counter them

The cyber defence team replaces the traditional computer emergency response team (CERT) and will probably incorporate most of the same people. The cyber defence commander is responsible for establishing the cyber defence team, assigning and directing roles, making sure the correct tools and defences are deployed, putting in place controls and audit processes, and reporting to upper management on the results of those processes, and audits. The cyber defence commander would also be the primary point of contact for communicating to law enforcement and intelligence agencies when the inevitable situation arises that requires outside help or communication. A large organisation with divisions spread around the globe or separate large business units may well have cyber defence teams deployed in each division with their own leaders who report up to the cyber defence commander. (Call them lieutenants if you must but I am not going to take the military command structure that far.)

The cyber defence team should have three primary roles: an outward looking role, an operational role, and an inward looking role. Each of those roles is described next.

“The cyber defence team should have an outward looking role, an operational role, and an inward looking role” —Richard Stiennon, Research Analyst, IT-Harvest and author of Surviving Cyberwar

Cyber defence analysts are the intelligence gatherers. They study the threatscape with an eye towards emerging threats to the organisation. Most organisations assume that because they have so many people in IT security that someone is looking out for the latest attack methodologies or tools, and even keeping tabs on the various groups that engage in cyber attacks. Unfortunately the operational aspects of IT security are too consuming to allow this type of outward looking focus. IT security practitioners are very inquisitive and attempt to keep up with the huge volume of information available to them at conferences, from vendors, and in the news. But their activities are ad-hoc and mostly voluntary. Would TJX have succumbed to an attack that entered through a WiFi access point in a store in Minneapolis if they had had someone staying abreast of the news who would have seen the exact same methodologies used against a Lowe’s store in Southfield, Michigan four years before? A team of cyber analysts working at a mining or oil and gas exploration company would have been alert to the news that the three largest such firms in the US (Marathon Oil, ExxonMobil, and ConocoPhillips) were compromised in 2008. They would have had contacts within the community who would have given them a heads up. They would then have seen the 2009 attacks against BHP Billiton, Rio Tinto and Fortescue Metals Group, the major natural resources companies in Australia, and analysed those attacks for similarities. They would have raised a red flag that their own organisation could be targeted as well and increased the vigilance of the internal teams.

[Figure: growth in targeted attacks from January 2011 to November 2011]

Cyber defence analysts assume the role played by counter intelligence agents inside most governments. They gain an understanding of the attackers and their tradecraft and advise those responsible for defending against them. As members of a cyber defence team these analysts will be responsible for:

1. Understanding the state of the art in attack methodologies. They should research and understand the successful and attempted attacks against similar organisations. They do this through monitoring news reports, security research reports from the vendors including McAfee Labs, Verisign’s iDefense team, Verizon’s Threat Report, F-Secure’s Mikko Hypponen, Symantec’s threat report, Sourcefire’s VRT, Fortinet Research, Infowar Monitor, IBM X-Force, as well as independent researchers such as Dancho Danchev, Brian Krebs, Nart Villeneuve, and dozens of others.

2. Getting to know potential attackers and monitoring their activity. Is the organisation a target for industrial espionage from competitors or state sponsored spies? Could a particular fanatic group, be it PETA, Greenpeace, Islamic Jihad, or a religious faction, be targeting the enterprise?

3. Monitoring known attack sources and distributing the IP addresses of those sources internally for purposes of blocking and alerting.

4. Communicating the threat level to the rest of the cyber defence team.

5. Assisting in evaluating technology for internal deployment.

A valuable methodology for the research is being developed by the Infowar Monitor team working at the University of Toronto. They dub their methodology “fusion research”, a combination of technical analysis, contextual understanding, and field investigations. Translating this into the activities within an organisation would mean working with their peers to discover methodologies being used successfully against them, and the tools and defences they deploy. It would also mean having an understanding of the industry they are in and the value of their information assets to various potential adversaries. Banks, long the target of cyber crime, and casinos, with vast experience fighting insider threats, have had this type of interaction with their peers for years. It is time for manufacturers, nonprofits, universities, state and local governments to do the same.

The second role within the cyber defence team is the operational role. Members of the cyber defence operations team must:

1. Select and deploy network and host based tools to monitor activity, alert on unusual activity, block attacks, and assist in removing infections that have made it through all of the cyber defences.

2. Interact with the rest of IT operations to ensure that infections are quickly snuffed out and cleaned up.

3. Engage in forensics activities to perform post mortems on successful attacks, gather evidence, and improve future operations.

The members of the internal cyber defence team supplement the rest of IT operations. They are not responsible for the daily updating of servers and desktops or the distribution of AV signatures or maintaining firewalls. Their job is to discover and mitigate attacks as they occur. This is a 24x7x365 job. A primary responder must be identified for each evening, weekend, and holiday shift. They must be able to receive alerts, quickly gain access to the monitoring system, and take defensive action when an attack occurs.

The third component of the cyber defence group is the Red Team. They look inward. They scan the network for holes in the defences and new vulnerabilities. They engage in attack and penetration exercises to test defences. They evaluate new IT projects to ensure that authentication, authorisation, and defences are included in the initial design all the way through to deployment.

Each of these three roles has special tools that they should use to accomplish their duties. The cyber analysts make use of knowledge management tools to categorise and create linkages between disparate data sources. An internal wiki can serve as the basis of communication with the other members of the team. A sophisticated tool from Palantir Technologies can help them track sources of attacks, record data, remember IP addresses and malicious domains, and even keep track of the identities, affiliations, and methods associated with particular groups or individuals. The cyber defence operations team will use advanced packet capture, network behavior monitoring, application monitoring, and endpoint protection tools. Netwitness provides the best tool for capturing network traffic and applying filters that contain knowledge of attack sources, and other cross correlation capabilities. By deploying a network flow monitoring solution from Arbor Networks they can see changes in traffic patterns that are indicative of an attack. Guidance Software, known for its forensics tool kits, has a cyber defence product that leverages the end point protection of HBGary to identify and remediate infections. FireEye is a network gateway defence against zero hour malware and blocks attempts to communicate with command and control servers operated by attackers.
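The hand-off from the analysts to the operations team described above (known attack-source addresses distributed internally for blocking and alerting), shown as an added example that is not code from the article or from IT-Harvest: the indicator feed, the log format and the log lines are constructed (TEST-NET addresses), and the “reason” strings stand in for whichever report the analysts cite for each indicator.

```python
"""Run a constructed firewall log against the analysts' list of known attack
sources and produce the alerts the operations team would act on.

Added example; not code from the article. Indicators, log format and log
lines are all constructed (RFC 5737 TEST-NET addresses); the 'reason' text is
a placeholder for the analysts' source citation.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator feed: network or single host -> where it came from.
# A bare host address is treated as a /32 by compile_indicators().
KNOWN_ATTACK_SOURCES = {
    "203.0.113.0/24": "placeholder: vendor threat report",
    "198.51.100.7": "placeholder: indicator shared by an industry peer",
}

# Constructed firewall log lines in a simple key=value layout.
SAMPLE_LOG = """\
2011-12-05T09:58:12 src=203.0.113.45 dst=10.0.0.5 dport=443 action=ALLOW
2011-12-05T09:58:40 src=192.0.2.10 dst=10.0.0.5 dport=443 action=ALLOW
2011-12-05T10:02:11 src=198.51.100.7 dst=10.0.0.9 dport=22 action=DENY
2011-12-05T10:03:05 src=203.0.113.200 dst=10.0.0.5 dport=80 action=ALLOW
2011-12-05T10:04:30 src=not-an-ip dst=10.0.0.5 dport=80 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def compile_indicators(feed):
    """Parse the feed once into network objects so matching is a containment test."""
    return [(ipaddress.ip_network(entry, strict=False), reason)
            for entry, reason in feed.items()]


def match_source(src, indicators):
    """Return (indicator, reason) if src falls inside a known attack source, else None.
    A malformed source field is skipped rather than allowed to crash the monitor."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    for net, reason in indicators:
        if addr in net:
            return str(net), reason
    return None


def scan_log(text, feed=KNOWN_ATTACK_SOURCES):
    """Check every parseable log line against the indicators.

    Returns (alerts, summary): alerts is a list of dicts ready for the
    on-call responder, summary counts hits per indicator for the analysts'
    feedback loop. Traffic the firewall ALLOWED from a known source is the
    urgent case; a DENY confirms the block worked and is logged as info."""
    indicators = compile_indicators(feed)
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = match_source(m["src"], indicators)
        if hit is None:
            continue
        alerts.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": m["dport"],
            "action": m["action"], "indicator": hit[0], "reason": hit[1],
            "priority": "high" if m["action"] == "ALLOW" else "info",
        })
    summary = Counter(a["indicator"] for a in alerts)
    return alerts, summary


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert["priority"], alert["ts"], alert["src"], "->", alert["dst"],
              alert["action"], "matched", alert["indicator"], f"({alert['reason']})")
    print("hits per indicator:", dict(counts))
```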

The cyber defence Red Team makes use of many open source tools to act as surrogate attackers. Nessus can be used for scanning for vulnerabilities; it is open source and the basis of several commercial products, most notably Tenable’s. Vulnerability scanning is also a function of regular IT operations, so it is important that the Red Team use a different set of tools than those used by operations. Core Impact is the most advanced commercial attack and penetration tool.

The organisation and duties of the Cyber Defence Team arise from the new threat of targeted attacks. There is a fundamental difference between defending against random attacks from viruses, worms, and botnets and defending against targeted attacks. When the viruses and worms are written to specifically infect an enterprise’s systems and gain control of internal processes, communications, and data, traditional tools are ineffective and traditional organisations are at a loss. By assigning responsibility to a core team of cyber defence specialists the enterprise can begin to address its vulnerability to targeted attacks.

Going the Consumer Way

Consumerisation is leading to the third wave — “use the good things out”, i.e. finding ways to use the good things (information assets, data etc.) outside the organisation perimeter in a secure form to enhance its value

By Sameer Shelke

Consumerisation of Information Technology or the Enterprise (adoption of cloud services, social networking and mobile devices) is being experienced by all of us; the extent and time of adoption is the only variable. Many ask the question: is consumerisation applicable only to a B2C environment? Is it relevant in a B2B ecosystem? The perennial question: would organisations adopt CSM (cloud, social & mobile) for serious business systems?


The B2B world needs to adopt CSM in a phased and controlled manner using the following steps:

1. Use IAAS or PAAS cloud services, so that applications and data are “controlled”
2. Define standard builds and approved mobile devices under controlled environments, e.g. virtualisation
3. Only allow communication applications on mobile devices
4. Restrict social media usage to specific departments

Basically we are seeing CSM creeping into the enterprises because of the business benefits it offers and user demands. The main reason for this is that behind every B2B there is a “C”. The “C”, the consumer, is using CSM models in personal life and is demanding the same services in work life. Maybe it’s a new definition of work life balance. Today’s senior and mid level management in organisations are at varied levels of maturity in using CSM. Tomorrow’s leaders are growing up today using CSM; they get smartphones and social networking accounts before their driving licence. So the influence of “C” on the enterprise would only grow.

What does this do to enterprise security, the strategy and the control posture of organisations to manage information risk? Since the enterprise is transforming, so should enterprise security. Today enterprise security strategies are built around “information assets”. We estimate the value of the asset, its exposure probability and define the controls. The first wave of security used the concept “keep the bad things out” (firewalls, IDS, IPS); the second wave added “keep the good things in” (DLP, DRM). Consumerisation is leading to the third wave, “use the good things out”, i.e. find ways to use the good things (information assets, data etc.) outside the organisation perimeter (internet) in a secure form to enhance its value. The first two waves were one dimensional; the focus was information assets. The third wave adds the dimension of use or openness, driven by the consumer. The focus changes to the user / consumer and the risks from information usage in the open world, which is outside the organisation perimeter.

As an example, organisations now need to identify, assess and control the risks arising from their information which is on the internet in social media sites, blogs, micro blogging sites etc. This uncontrolled information could have serious business impact, simple examples being product pricing information, reviews, support credentials etc. Another dimension would be risks to information from people, who are considered the weakest link in security. The combination of the weakest link and uncontrolled information would test even the most mature security postures. In relation to people risks, social engineering, which is commonly defined as the art of manipulating people, is a major risk area for control postures to focus on. The recent increase in phishing attacks shows this trend. RSA research reported that phishing attacks reached an all time high of 38,970 in September 2011 alone. Spear phishing attacks like the one used in the publicised RSA attack demonstrate the focus hackers are giving to the weakest link.

A combination of consumerisation and people risk increases the risk to levels we haven’t seen before. Taking the phishing example again, phishing attacks on consumers using CSM are more effective than traditional web or enterprise scenarios because:

1. It’s difficult to spot phishing emails on smaller, compact mobile device screens
2. Gesture usage on smartphones: sometimes we click links we don’t mean to
3. We use mobiles on the move, which might make phishing emails difficult to spot
4. Mobile devices are used by kids; we never know what they would click
5. Social networking is used to connect to unknown people, so the risk of phishing increases
6. Frequent changes in social networking or cloud service configurations are expected, hence those become good phishing email subjects etc.

Organisations now need to develop their enterprise risk management strategies to address this new world and the third wave of “using good things out”. The third wave adds on to the first two, hence the organisation’s control posture would become more varied and complex, which is an issue to manage in itself. Consumerisation is here, consumerisation of enterprise security is following and we need to prepare ourselves for it. The ostrich syndrome (i.e. denying or refusing to acknowledge something that is blatantly obvious, as if your head were in the sand like an ostrich) is something we as risk managers can’t afford.

“Consumerisation is here, Consumerisation of enterprise security is following and we need to prepare ourselves for it” —Sameer Shelke, Co-founder, Chief Operating Officer & Chief Technology Officer, Aujas Networks



Security Priorities 2020

The security landscape is fast changing and in order to keep ahead of the bad guys, organisations need to be geared up to address some of the key security challenges that they would have to face going forward

Consumerisation of IT

“The proliferation of tablets and smartphones will make it tough to ensure that the security infrastructure remains capable of protecting the organisation from new vulnerabilities.” —Satish Warrier, CISO, Godrej Industries

Application Security

“Understanding that security needs to move from the perimeter to internal, we need to evaluate the security of applications within the enterprise.” —Murli Nambiar, Group CISO and CTO, Reliance Capital

Cyber War

“As a Nation, we need to prepare extensively to protect our National Critical Information Infrastructure from targeted cyber attacks as rogue nations are increasingly using cyber warfare to cripple their enemy countries.” —Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance

Targeted Attacks

“The combination of new vulnerabilities and more specific targeted attacks will lead to continued growth in bottom-line financial impact due to successful cyber attacks.” —Sharad Sadadekar, AVP - IS and IT Governance, HDFC Life

Privacy

“With the amendment of the IT Act and increased compliance requirements from foreign business partners, Information Privacy is a key priority for organisations. Considerable work needs to be done in every organisation in achieving Information Privacy compliance.” —Sunil Varkey, CISO, Idea Cellular

IT Governance

“There is a rapid expansion of the Enterprise Ecosystem where external partners are increasing, which requires even greater emphasis on third party/vendor security governance, through disciplined analysis and actionable risk management.” —Pankaj Aggarwal, CISO, Aircel


Consumerisation of IT

The introduction of social media and mobile in the enterprise brings along not just productivity gains but also their own set of risks. Enterprises therefore need to build a strategy to mitigate these risks

By Varun Aggarwal

Employees are increasingly using their own devices for business – a trend known as the consumerisation of IT. The rate at which employees are bringing in their own devices to work is quite alarming. Employers don’t seem to know how many or what consumer technologies are in use in their workplace. Workers report using consumer devices at twice the rate employers reported, according to research IDC recently conducted on IT consumerisation trends on behalf of Unisys. According to the report, workers are dissatisfied with the level of support IT provides for consumer technologies. Employees think their employers are more permissive of the use of consumer technologies than the employers actually are. Most workers, 67 percent, say they can access non-work-related websites, but only 44 percent of employers say their employees can access non-work-related sites. Meanwhile, 52 percent of workers say they can store personal data on the company network, but only 37 percent of employers say this is the case. With consumerisation of IT becoming a reality, CIOs need to find ways to allow this transition in a safe and secure manner so that sensitive data is not compromised in order to provide convenience for employees.

Building a case

While there is an increasing demand from employees to open up social media in the enterprise and allow for BYOD, enterprises do not see the lack of this as a deterrent to attracting talent. “Normally before joining the organisation, employees do not ask for things such as social media access in the organisation or allowing personal devices to work etc. However, once the employee joins the organisation, he starts to compare it with their previous organisation and tends to demand access to social media for better productivity,” opines Satish Warrier, CISO, Godrej Industries. Therefore, even while you’re able to attract talent without consumerisation of IT being a part of your organisation culture, retaining and motivating talent could be challenging.

“BYOD is not just about bringing a personal device into the enterprise network. The employee sees this as an incentive because he can access his email and enterprise applications on that device while at the same time he can access his personal data and play games etc on the same device. BYOD is also about identifying the critical applications that the enterprise wants to activate on the user device and thereby improve employee productivity,” opines Pankaj Agrawal, CISO, Aircel. For example, if the sales force gets access to some of the enterprise applications on the move, it can greatly enhance their productivity.

Most CIOs agree that we cannot stop these technologies from entering the organisation because of the concept of employee wellbeing at work. These technologies are said to reduce the stress level of people and hence increase productivity. “The new concept from world over is the reduction of emailing. According to a statistic, only 20 percent of emails are actually useful. Therefore, employees need to use social media and chat for most of their communication. The pressure especially would come from MNCs operating in India to enable such policies,” opines Murli Menon, CISO, Atos.
On the flip side, the management may also see consumerisation of IT as an additional cost because in order to enable the technology, you need to set up controls using new tools that cost money. The need for the concept varies drastically between industry verticals and therefore, in order to get a management buy-in for the same, CIOs need to engage with the business. CIOs need to clearly articulate the productivity benefits of consumerisation of IT. A combination of solutions needs to be deployed to successfully enable BYOD in an organisation. You need a security solution to protect the end point and combine it with a virtualisation solution to isolate and protect the enterprise data residing on the device.

“Once an employee joins the organisation, he tends to demand access to social media for better productivity” —Satish Warrier, CISO, Godrej Industries

Security

Cover Story

Preparing the infrastructure

Allowing social networking and the bring-your-own-device concept in the enterprise exposes the enterprise to a wide variety of risks. For one, the enterprise data is now residing on a device that is not owned by the company. “When you look at BYOD as a concept, you need to look at a solution that can actually provide a secure shell for the users to work in—whether he comes from a mobile device, a laptop, or working from a business center. You need to ensure that when he connects to the enterprise, to access his emails or any other enterprise applications, you restrict him to a shell so that he cannot take anything outside that environment,” suggests Murli Nambiar, Group CISO & CTO, Reliance Capital. Felix Mohan, Group CISO, Bharti Airtel, warns, “The fundamental concern with BYOD is how do you extend the control of the enterprise over its owned corporate data which now resides on a personal device.” “This doesn’t happen with most solutions because all solutions available in the market are basically MDMs which control but do not provide containers. The only way to control BYOD is to create a virtual container within which the enterprise data remains secure. No data can go out from the container to the personal environment of the device and nothing from the personal environment can enter that container,” he suggests. This is similar to the traditional workstation environment, where, in order to access enterprise data on a laptop, enterprises installed a VMware virtual environment on the laptop to create a secure environment. Similar security for the mobile can be provided through an app-related container.

Data Classification

In order to successfully implement consumerisation of IT, organisations first need to identify classified information within the organisation. You need to define what needs to be protected, what enterprise data can be downloaded on the end point and what shouldn’t be downloaded. Moreover, data classification has to be linked to the best technology and process available. One also needs to define the level of granularity you want. For example, you can either focus on just the structured data or go deeper and look at unstructured data in the form of files, emails etc. Classification should be broad-based to start with and then, depending on your needs, you can gradually move towards granular levels.


“When you look at BYOD, you need to look at a solution that can provide a secure shell for the users to work in” —Murli Nambiar, Group CISO & CTO, Reliance Capital

Conclusion

Consumerisation of IT is not just about deploying a technology; it is a shift in the enterprise culture. CIOs therefore need to build an entire ecosystem around it, and as the concept matures, the tools and technology available to enable it effectively will also let organisations put more critical applications on the mobile to further increase productivity. Until the tools reach that maturity level, organisations should refrain from allowing sensitive applications on the mobile. Finally, a combination of solutions needs to be deployed to successfully enable BYOD in an organisation. You need a security solution to protect the end point and combine it with a virtualisation solution to isolate and protect the enterprise data residing on the device.



Evolving Role of Security

The security function is constantly evolving, similar to the IT function 10 years back. As security issues become real for enterprises, the role of a CISO is becoming strategic

By Varun Aggarwal

The growing awareness around information security can be sensed by watching Sachin Tendulkar talking about the importance of security in an advertisement. Some banks have also started advertising about the effects of phishing and how users need to be aware of them. Even the end user today talks about data security without being a geek. What has driven all this is a spate of high-profile attacks in just the last 6-9 months. While industrial or national espionage with the use of IT was thought of as something futuristic, recent events have proved that these threats have manifested into real risks for organisations. Even from a national security perspective, attacks on private enterprises can wreak havoc, considering 80 percent of national infrastructure is in the hands of private entities.

The evolution in the awareness about information security has also brought to the forefront the role of the security function in the organisation, or the role of a Chief Information Security Officer. How is his role going to be defined going forward and what should he do in order to become strategic for the organisation?

According to Felix Mohan, Group CISO for Bharti Airtel, every leader needs the qualities of collaboration, communication and convincing, and a CISO should work on certain principles to make their role strategic. “The CISO’s role is to maintain and manage an information risk program such that information assets are reasonably protected. However, information assets are not the only assets that a company has. There are tangible and intangible assets. Brand and reputation also need to be protected. Financial assets need to be protected by preventing fraud. The CISO’s role needs to evolve into the role of a CSO. The more you enlarge your role, the more you make your presence felt in the organisation,” he suggests.

The second vector is agility and business intelligence. What role does a CISO play in order to make the company more agile and to have more business intelligence? “The CISO needs to embark on intelligence-based security. Intelligence-based security would help the CISO fend off Advanced Persistent Threats. To embark on this journey, the CISO needs to become a planner. Like Peter Drucker said, the work of a manager is 80 percent planning, 10 percent replanning and the rest of the 10 percent in coordinating to make sure those plans are implemented. Less than 25 percent of a CISO’s time is spent on even looking at a plan. That should substantially increase. And in order to plan better, he needs to get threat intelligence, intelligence on business to understand new lines of business etc. CISOs also need to know the reference of intelligence,” Mohan says.

Gartner predicted 10 years ago that consumerisation of IT would be a big issue, yet not many CISOs are geared up to enable it in a secure manner.

“The more you enlarge your role, the more you make your presence felt in the organisation” —Felix Mohan, Group CISO, Bharti Airtel

CISO to CRO

The next step is to move from security to risk management. The work of the board of directors is to manage risks. Theoretically, the more risks you take, the more money you make. And as organisations are under tremendous pressure to make more money, they are taking more risks. “It is important for the CISO to articulate, in a business-understandable language, the impact of these residual risks associated with information risks. When you communicate this to the management in an effective manner, they start looking up to you with a lot of respect,” Mohan explains. Take for example if an employee’s mobile phone gets lost. That is a physical risk, but it may contain corporate data, making it an IT risk. That data loss may result in a loss of reputation for the organisation, making it a reputational risk, and finally, based on that loss in reputation, the company’s stocks may plunge, making it a credit risk. CISOs need to assimilate all these risks and evolve into the role of enterprise risk manager. In order to become strategic, CISOs need to become Chief Risk Officer by gaining knowledge about finance and business. “More than 50 percent of our interactions should be with business. As more and more things are getting online, security is becoming an important thing. CISOs can suggest extremely consumer-centric strategies to business and become more strategic,” says KS Narayanan, Head - Information Risk Management, ING Vysya Bank Ltd.

“People at various levels can be strategic. The CIO, for example, can take a strategic decision on whether to build a CRM application in-house or outsource it. Similarly a CISO can take a strategic decision on whether to hire a partner for the core security team or build an internal security team and build competence for them. He can take a decision on whether he should manually handle compliance or invest in an automated GRC solution,” opines Pankaj Agrawal, CISO, Aircel. “There is a strategic component to the CISO’s role. It is up to the CISO how much he wants to contribute to that strategic component,” adds Murli Menon, CISO, Atos. The good news is that the CISO community in India is working together, keeping competition aside, so that there is no need to reinvent the wheel.

CISO as a Compliance officer

Next is the CISO’s role in compliance. Previously, compliance was all policy based. Then came government-based regulations leading to regulatory compliance. There is a third kind of compliance that we’ll be evolving to, and that is customer-centric compliance. Customer centricity is the prime need for the CISO. The entire business is now becoming customer centric, and CISOs can play an important role in becoming customer centric. The more you start looking at the pain points of the end customer in terms of trust and security, the higher are the chances of retaining that customer. The CISO can help in building that trust. Finally, the CISO needs to bring in innovation. While CISOs can look at bringing innovation in terms of cost and productivity, the real innovation is in working with vendors. Vendors are not just for hiring. We need to co-create with vendors. You need to look at how you can create security solutions together with the vendors. Similarly, you need to co-create with the customers. You need to ask the customers what challenges they are facing.

Conclusion

For a lot of businesses, like online, security is highly strategic. The security issue is real and threats are now getting manifested into actual risks. CISOs need to start working on their hygiene and assume that they are under attack. It should be a given that the investment that goes into protection is less than the value of the asset that we are protecting. Also, the security measures would not be the same for every organisation and may vary dramatically between industry verticals.

—varun.aggarwal@9dot9.in

“People can be strategic at various levels in an organisation. A CISO can take strategic decisions as a CIO does” —Pankaj Agrawal, CISO, Aircel




CFO’s View On Security


Mahendra Negi, CFO, Trend Micro, in an interaction with Varun Aggarwal, shares his view on how a CFO views the role of IT and security in an organisation.

Being a CFO yourself, how do you prioritise security budget requests sent to you by the CIO or the CISO?

In today’s business environment, information has become key to success for any business. That’s why information security has become extremely critical and it has also become one of the top priorities for organisations. Whenever I receive a request from the CIO or the CISO, I analyse the criticality of the request and its implication on the business and then prioritise accordingly. However, as an organisation our endeavour has been to keep the information highly secured as we consider that as the lifeline of our business.

How do you see cloud from both a security as well as a financial perspective? How can CIOs communicate the need and benefits of cloud to a CFO?

Cloud computing means far-reaching changes to the information and telecommunications industry, as cloud computing promises users and providers significant cost reductions and new business models. I believe a technology platform change takes place when the new platform provides both a) better usability, and b) better price performance. Cloud computing delivers this, and that is why in the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, companies are increasingly realising that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But usability usually comes at the cost of security, thus as we use the cloud more and more, we expose more and more data to security risk. However, as the cloud services ecosystem grows, specialised companies will address the security issue.


I believe it is important for today’s CIOs to bring an entirely new set of skills. Today’s CIO will continue to require an understanding of infrastructure and architecture, but he needs to bring in a business understanding of finance, marketing, operations, HR and the other functions. It is important for the CIOs to understand and explain the same to the management by embracing new services that make their companies competitive, while mitigating risks and allowing for small-scale failures in the pursuit of long-term success. In fact, management is looking at having strategic value in a world where cloud computing is a given for future competitiveness.

How do you perceive information risk in your overall enterprise risk management strategy for your organisation?

Enterprise risk management strategy is critical for our organisation. We have a very strong enterprise risk management strategy in place and I am confident about the confidentiality of our information. We also have a dedicated team which monitors the company’s security posture 24/7, and a prioritisation methodology which enables us to address critical security risks very quickly. So while risk can never be completely eliminated, we have a better risk management strategy than most companies.

What do you consider more important: risk mitigation or risk management? How should a CIO/CISO look at risk?

Risk management is an expansive term, which may include the mitigation of risk. Mitigation techniques aim at reducing the impact that a risk will create if it occurs. The CIO/CISO should understand the risk and its impact on the company’s mission and effectiveness. Seeking justification on budgetary impacts is also an important consideration.



The Annual CSO Survey 2011

The CSO Survey is an annual survey carried out by 9.9 Media amongst Chief Information Security Officers / Heads of Information Security as well as CXOs in Indian organisations to understand the challenges and perceptions faced by the CSO community. In this third edition of the survey, we have gleaned some interesting inputs and insights.

We began this survey by checking how many organisations had a dedicated CISO or Head of Information Security. An interesting and significant change observed over 2010 was that the percentage of organisations having a dedicated CISO has gone up from 38 percent in 2010 to 78.3 percent in 2011. This reflects the growing importance of Information Security & Risk Management in organisations. In those organisations where there is no dedicated CISO, the responsibility usually falls on the CIO (72 percent of the cases).

Often, reporting structures within organisations can have a significant impact on the role. So we decided to find out how this has been in India and what the CISOs think of their reporting structures. It was observed that a significant 55 percent report to the CIO or CTO. Interestingly, however, only 58 percent of respondents think that the above reporting structure is in the best interests of the organisation. The others think that they should be reporting either to the CEO (31 percent), the Board of Directors (25 percent) or the Risk Committee (25 percent).

Next we looked at how the Information Security function is viewed by the organisation. In response to the question, “Does senior management view your role as strategic and critical and not as a cost overhead?” about 48 percent of respondents were skeptical. However, what was heartening to note was that 76 percent of organisations had a governance structure in place to specifically deal with Information Security & Risk Management issues. Amongst the key challenges faced by CISOs, managing business risks was rated the highest (54 percent), followed by managing multiple compliance requirements (44 percent).

Who do you report to within the organisation?

CEO: 3.4%
COO: 6.9%
CIO / CTO: 55.2%
CFO: 10.3%
Other: 24.2%




Challenges faced by CISOs

Investigating security incidents: 35%
Detecting security incidents: 41%
Managing business risks: 54%
Staffing the security team: 41%
Prioritising security investments: 26%
Tight budgets: 27%
Managing multiple compliance requirements: 44%

What activities take up a large chunk of a CISO’s time?

Vendor Management: 21%
End user related issues: 29%
Team development / management: 24%
Management reporting: 20%
New initiatives: 38%
Operational / administrative tasks: 32%
Defining security strategy and roadmaps: 20%
Compliance management and reporting: 16%
Interaction with business stakeholders: 42%
Security incidents: 8%

Given the plethora of responsibilities on the CISO’s shoulders, we wanted to understand what activities take up a large chunk of a CISO’s time. Among the key activities taking up the CISO’s time, respondents rated “Interaction with business stakeholders” (42 percent) and “New initiatives” (38 percent) as the leading time-consuming activities. CISOs today work in a domain that changes by the minute, and hence keeping up with developments in this field is critical. So how do CISOs manage to keep up? Given the expertise and deep knowledge required for this role, along with the requisite maturity and leadership skills, it is of little surprise that most CISOs have spent considerable time in this domain and/or related domains.



Next Horizons

Features Inside: 6 Tips for Better Mobile Security Pg 47

Texting for Disaster Recovery

Texting could and should play a major role in your disaster recovery (DR) planning

By Pam Baker

In nearly every case, texting on mobile phones works even when voice calls are impossible. It stands to reason, then, that texting could and should play a major role in your disaster recovery (DR) planning. “The very first responders usually are average citizens, who happen to be on the scene of where a disaster is unfolding,” said Lee McKnight, professor at the School of Information Studies (iSchool) at Syracuse University. “For CIOs, those first responders may well be your own employees, helping their community and helping your business.” McKnight, like many others, finds SMS (texting) to be such a critical feature in successful recovery efforts that he’s working on ways to make it even better for emergency use. Specifically, he is working on the iDAWG (Intelligent Distributed Augmented Wireless Gateway), a device that can share SMS messages, photos, voice and data across any device, operating on any frequency, to aid in disaster recovery, even when cell towers are down or jammed with traffic.




S.O.S. for SMS

Critics might question why anything else is needed when the current cell phone provider-based SMS seems to be working beautifully. The answer almost always circles around to a need for SMS that may be less vulnerable to traditional provider quirks. Blackberry, for example, recently suffered widespread service disruption across Europe, the Middle East and Africa on a disaster-free day due to a glitch in a data center. Vodafone Egypt was quick to tell its customers that the problem was all on Blackberry's side of the equation, in a rather indignant defense of its own reputation. The phone carrier didn’t add that such an outage could affect any carrier and any SMS service data center at any time. For the most part, companies are aware of current SMS frailties and are actively seeking other means of augmenting or leveraging it. For example, itrezzo's BlackBerry PIN sync solution was developed at the request of The Department of Veterans Affairs in direct response to 9/11. itrezzo's customers (Department of Justice, FCC, U.S. Army Corps of Engineers, The Carlyle Group, City of Berkeley, St. Jude Hospital, Shell, Hogan Lovells, HBO, and CNN among others) count on the company’s unified contact management (UCM) solution using both SMS and Blackberry PIN-to-PIN blasts to see them through. For eight years, itrezzo UCM has deployed servers behind the firewalls of these companies and government agencies. But it’s important to recognize that even this service, like other services used today, still relies on servers and data centers. Such are the rigors of keeping clouds aloft and earthly communications plugged in: datacenters are at the root of everything, SMS included, and datacenters can and do fail. Nonetheless, SMS is the best we have at the moment and it works reasonably well in disaster zones. So how can it best be harnessed for use in enterprise disaster recovery efforts?

Behind the lines of fire (and hurricanes)

The secret to successfully recovering from a disaster is and always will be in the availability of resources far behind the front lines of the event. Certainly, a strong DR server back-up plan should be in place with regular updates and testing to ensure all is ready and functional. But SMS can be helpful here too in triggering the recovery from the backup centers or other offices. “In a situation where data loss has had a filter effect across geographically segregated offices, a quick fix solution may be easily sent via SMS to a contact on the other end for quick resolution,” said Abhik Mitra, product manager in Data Recovery at Kroll Ontrack.

For all practical purposes, it is wise to plan for anything in the line of the disaster to be damaged or lost. The problem, of course, is you never quite know where the front line will be in the next disaster, so the question of where to put the back-up datacenters always remains difficult. The question of how to send messages to employees also becomes a vexing planning exercise. “The challenge then becomes how does one communicate information to thousands of possible employees in a company setting? After all, one does rely on these very IT systems to communicate mass messages,” said Mitra. The most obvious answer to that is SMS, since the majority of phones in the market today enable text messaging. “However, SMS should be used to augment an existing disaster recovery plan, not serve as a substitute for one,” warned Dave Sobel, CEO of Evolve Technologies. “You don’t want an actual disaster to be the first attempt at measuring the success of SMS communication,” said Sobel. “Another thing to keep in mind is how responses are handled; if anyone replies to a text message, someone needs to be on the receiving end to ensure all messages are received.”

Pros and cons

Even so, for DR purposes, SMS trumps just about all other options as one of the easiest and cheapest emergency communication systems. But that doesn’t mean you can sit back and relax and let the phone carriers handle all the disaster preparations. You’ve still got some planning to do. London-based Anthony Vigneron, IT Leader at Clifford Chance, an international law firm, provided this list of pros and cons to consider while deciding where, when and how to integrate SMS in your DR planning:

Pros:
SMS does not depend on your internal IT systems, which may have failed.
SMS messages are more likely to be read and not caught in spam or junk filters.
SMS does not require use of expensive smartphones. When planning for DR scenarios, personal-liable or corporate-liable phones can be used for this service, allowing greater reach.

Cons:
SMS should be part of an emergency communication plan but not the only method: SMS message delivery is not guaranteed and can be delayed.
SMS traffic takes lower priority than voice services by carriers.
In certain extreme national security scenarios, it is possible for the authorities to take over all services and stop delivery of SMS traffic.
Due to its service design as store and forward, SMS is inherently poorly secured and should not be used to communicate sensitive information. It can also be subject to spoofing, which could cause staff to react when it is not necessary.

— A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, and Internet News.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


Management

6 Tips for Better Mobile Security

Here are some tips for managing mobile security in a better way

By Eric Geier

The more you do on your mobile device, the more you should be concerned about its security. This is especially true if you use it for work. Keep in mind, if your device is configured with your employer’s email or messaging server, they may already be implementing some of the security tips we’re going to discuss.

Tip No. 1 - Choose a mobile OS that supports encryption, oh, and use it: If you are truly concerned about the security of your mobile phone or device you should use a mobile operating system (OS) and device that supports hardware-based encryption, such as Apple’s iOS or RIM’s BlackBerry, for both internal and external storage. This means the data stored on it is protected even from the most advanced hacker. Without encryption it’s possible that someone could recover the data on the device even without your lock pin or password.

Full device encry

Motorola Mobility's business-oriented smartphones offer encryption capabilities on Android 2.3. Android 3.x includes an API to help developers offer encryption on tablets, which some currently implement. And in the next year, we should see Android 4.x tablets and smartphones support encryption. WhisperCore is a third-party encryption solution you may want to also keep your eye on. Beta versions are currently available for Nexus S and Nexus One.

Tip No. 2 - Set a lock pin or password: Enabling a password, whether it’s called a pin, passcode, or passphrase, is the first line of defense in protecting your privacy and security. It helps prevent others from picking up your phone or device and snooping around if it becomes lost, stolen, or just left unattended. It’s also usually required if encryption is enabled on the device. If encryption isn’t supported by the OS you should still definitely require yourself to set a password. Though your data can possibly be recovered by determined individuals without them knowing the password, you’ll at least protect it from the casual snoopers.

Tip No. 3 - Enable auto-wiping of data: Most mobile OSes support automatic wiping of the device’s data after a certain number of incorrect password attempts. This is great if encryption isn’t supported by the device, but it can actually be just as beneficial for encrypted devices, because giving others unlimited guesses at your password makes it much more possible that they could get it right, and once that happens the data is decrypted. Auto-wiping is natively supported by iOS, Windows Phone 7, and BlackBerry. Android requires the use of a third-party app, such as Autowipe or a security app as in the last tip. Just remember to keep all your data regularly backed up and use a solution that lets you restore the data to a new device in case you can’t find the one you wiped.

Tip No. 4 - Set up remote tracking and management: Before your phone or device gets misplaced or stolen you ought to set up a


remote tracking and management solution. Most let you see the device’s GPS location on a map, send audible alerts to help you find it, and display a visual message to tell others how to return it. They typically also let you remotely lock and/or wipe it before someone else gets their hands on it. For iOS 4.2 or later, Apple provides a free service. For earlier iOS versions there’s the MobileMe service from Apple at $99 a year after the 60 day free trial. For Android you have to use a third-party app, such as the security apps mentioned in the last tip. For Windows Phone 7 Microsoft provides the free Windows Live for Mobile service. For BlackBerry, RIM provides the free BlackBerry Protect service.

Tip No. 5 - Limit Wi-Fi hotspot usage: When you use public Wi-Fi hotspots that aren’t encrypted, all your Internet traffic is transmitted through the air and can be easily intercepted. The most important sites and services, such as banking websites, usually implement their own (HTTPS/SSL) encryption that protects their individual traffic. But most email providers and many social networking sites don’t; thus eavesdroppers can likely capture their passwords and traffic. On the other hand most 3G, 4G, and other cellular data connections are usually encrypted by the carriers. Plus eavesdropping on these types of connections isn’t as popular. Therefore, when you’re out and about you should try to use the data connection rather than unsecured Wi-Fi hotspots. If you insist on using Wi-Fi hotspots, use those that provide enterprise encryption and 802.1X authentication, such as from T-Mobile and iBahn. Alternatively, consider using a VPN connection to secure your traffic from local eavesdroppers.

472% increase in Android malware samples since July 2011

Tip No. 6 - Use an antivirus or security app: Viruses, malware, and hacking on mobile devices aren’t a huge issue now but they are becoming more of an issue. You should consider installing a security app to help prevent infections and intrusions. Most AV solutions also offer additional features, such as remote wiping, backup and locating. AVG and NetQin provide free security apps for Android. LookOut offers free apps for Android, BlackBerry and Windows Mobile. Some paid options include McAfee WaveSecure, Kaspersky Mobile Security and Trend Micro Mobile Security.

— Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security. He is also a freelance tech writer—become a Twitter follower or use the RSS Feed to keep up with his writings.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


d ata c e n t r e S e c u r i t y

ctof custom series

Remodeling the Data Centre

illustration by shigil n

While data centre spending is on the rise, the next five years could see forces emerging that promise to shrink space requirements

Worldwide data centre hardware spending is projected to reach $98.9 billion in 2011, up 12.7 percent from 2010 spending of $87.8 billion, according to Gartner, Inc. Data centre hardware spending is forecast to total $106.4 billion in 2012, and surpass $126.2 billion in 2015. Data centre hardware spending includes servers, storage and enterprise data centre networking equipment.

"Worldwide data centre hardware spending will finally reach and surpass 2008 levels," said Jon Hardcastle, research director at Gartner. "Growth in emerging regions — particularly Brazil, Russia, India and China (the BRIC countries) — is balanced by continued weakness relative to pre-downturn levels in Japan and Western Europe. Storage is the main driver for growth. Although only a quarter of data centre hardware spending is on storage, almost half of the growth in spending will be from the storage market."

The very largest size category of data centres (those with more than 500 racks of equipment) will increase its share of spending from 20 percent in 2010 to 26 percent in 2015, driven by the cloud and the shift from internal data centre provision to external. In 2010, 2 percent of data centres contained 52 percent of total data centre floorspace and accounted for 63 percent of data centre hardware spending. In 2015, 2 percent of data centres will contain 60 percent of data centre floorspace and account for 71 percent of data centre hardware spending.

"Traditional in-house enterprise data centres are under attack from three sides. Firstly, virtualization technologies are helping companies to utilize their infrastructure more effectively, inhibiting overall system growth. Secondly, data centres are getting more efficient, leading to higher system deployment densities and inhibiting demand for floor space. Thirdly, the move to consolidated third-party data centres is reducing the overall number of midsized data centres. Meanwhile, the largest data centre class is, of course, benefitting from the rise of cloud computing," Hardcastle said.

Gartner also highlights four forces that will have a significant impact on data centres during the next five years. These forces will result in shrinking data centres by 2018, and space requirements could be only 40 percent of what they are today, claims Gartner. The primary factors impacting data centres in a significant way during the next five years include: smarter designs, energy efficiency pressures (or green IT), the realities of high-density environments, and the potential of cloud computing.

"In the world of IT, everything has cascade effects, and in data centres the traditional methods of design no longer work without understanding the outside forces that will have an impact on data centre costs, size and longevity," said David Cappuccio, Managing VP and Chief of Research for Infrastructure at Gartner. "However, these very forces can actually work in your favor, providing the means to apply innovative designs, reduce capital costs and operating costs, increase long term scale, and keep up with the business."

Gartner recommends that data centre managers who are trying to determine how to optimally design and plan for the leading-edge data centre of the future focus on the following four factors:

The Chief Technology Officer Forum

cto forum 07 December 2011

49

Smarter Designs
Traditional methods of designing data centres were created during the mainframe era, and, because of their high costs, many mainframes were targeted for average performance in the mid-90 percent range during production time slots. As a result, there was minimal variation in operating temperature or power consumption over long periods of time. Today's data centres place many different demands on mechanical/electrical systems, depending on workload mix, function and age of equipment. New designs take this into account by adding different density zones for different workload types. A high-density zone might employ directed cold air, or even in-rack cooling, to support very high density workloads with minimal disruption to, or impact on, the rest of the floor. Secondary zones would support steady-state applications that consume a consistent amount of power and produce manageable heat loads, while low-density zones would be designed to support low-power equipment (perhaps telecom and storage).

Green Pressures
Most data centre managers paid little attention to the "greening of IT" unless they were pressured into it by senior management or the public. However, as awareness has increased, there has been a constant uptick in the attention paid to energy consumption in data centres, and new data centre managers take a hard look at energy efficiency in both design and execution. The development and marketing of power utilization efficiency (PUE) by the Green Grid continues to gain ground in the market, and many new data centres are being developed with specific PUE targets in mind, both for the energy-efficiency advantages and for the public relations impact.

Conquering Density
With smarter designs and green pressures, data centre managers and designers have begun to focus on the compute density in their environments. Most data centres are woefully underutilized from a space perspective. The physical floor space may be nearing capacity, but in many cases the actual compute space within racks and servers is very poorly used, with average rack densities approaching just 60 percent worldwide. Newer designs focus on this issue and are developed to allow optimal rack density, often approaching 85 to 90 percent on average, thus increasing the compute-per-square-foot ratio dramatically. The advent of private cloud environments and resource pooling will provide methods to enhance vertical scalability, while at the same time improving the productivity-per-kilowatt ratio.

Cloud Computing
Data centre managers are beginning to consider the possibility of shifting nonessential workloads to a cloud provider, freeing up much-needed floor space, power and cooling, which can then be focused on more-critical production workloads, and extending the useful life of the data centre. Shifting workloads is not new; many companies use colocation facilities as an overflow mechanism. The difference is that, with colocation, the compute resource is still owned and managed by the application owner. With offloading services to the cloud, ownership and management of IT assets is shifted to the provider, essentially outsourcing the service to someone else. As this practice increases in popularity, the landscape for what remains of the corporate data centre will change significantly. Only core business functions — those that differentiate a business from its competition, or are truly mission-critical — will remain in the primary data centre. All other non-critical services will eventually migrate to external providers, having the long-term effect of shrinking physical data centre requirements. Gartner predicts that by 2018, data centre space requirements will be only 40 percent of what they are today. The focus of these data centres will be on core business services, and, as those services continue to demand more IT resources, the shrinking size of servers and storage (and telecom equipment) will more than offset that growth.



Food for Thought or Snack Gone Bad?

Vendors should refrain from using titillating titles around data centres to attract the audience

In the recent past, I attended a few seminars conducted by large IT solution providers with a tantalising subject line, “How to achieve business agility” (or something on similar lines). CIOs obviously turned up in large numbers—only to realise the old adage that if it’s too good to be true, it probably is. Almost all the organisers wanted to focus on how to improve data centre efficiency, utilisation, management and agility in provisioning new servers. According to all of them (without exception), the delay in provisioning a new server can lead to compromises in business agility, thereby adversely impacting outcomes. Each vendor’s formula for success revolved around their solution for virtualisation and (or) management tools, which allow quicker provisioning of virtual machines—allowing the IT organisation to bring up a new application within hours, as compared to the days it took when physical servers were in vogue.

I find this unpalatable, as it presupposes that everyone in the IT organisation is only focusing on the infrastructure, with no communication with the team members who create or buy applications. The assumption is that the two factions are not on the same page on timelines, which results in delay. Agreed, virtual machines can be provisioned quicker than physical machines—CIOs will also agree with this, but that’s only part of the story. If not governed by policy, virtualisation can also lead to innumerable virtual machines (with limited or no use), thereby blocking resources and creating inefficiency. Virtualisation continues to remain at the periphery of deployment, with core and large package providers yet to certify their applications on virtual servers. Typically, IT organisations are more organised in nature, with visibility of planned deployments and requirements for licences or hardware. Dependencies are well known, and irrespective of the physical or virtual environment that the enterprise may prefer, this is rarely a cause of delay.

So has the data centre become the cause of business angst? Well, I’ve never heard of such a scenario! Coming back to the event under discussion, presenters attempted to justify their stance by stating that their global research data had indeed given them such insights. Talk about assumptions! Vendors should refrain from such titillating titles to attract the audience. Vendors end up with the realisation that most participants badly want to leave. The CIOs stay back only out of sheer decency and respect. As a result, vendors run the risk of alienating their key customers by continuing this play of words.

—By Arun Gupta, Group CIO, Shoppers Stop


Prevent Disaster in the Data Centre

Environmental issues need to be addressed to ensure availability. Today, when IT systems fail, it is the business that stops. By George Spafford

illustration by anil t

There are many reasons to create segregated physical locations for servers and other critical infrastructure equipment. First, access is controlled, thus limiting security threats. Second, the controlled access limits human error arising from accidents and “curiosity.” Third, the concentration allows for efficient oversight and administration. Fourth, and the focus of this article, the relative consolidation of assets enables a controlled environment to better manage the risks associated with air-conditioning, fire and flooding.

Air-Conditioning/System Cooling
Today’s IT systems generate a tremendous amount of heat and need dedicated air-conditioning systems to be properly cooled. Some years ago, I was involved with a small server room that didn’t have a dedicated AC unit, but did have a dedicated duct. It worked great during the week, when people were present to cause the AC unit to run, because the thermostat wasn’t in the server room. On weekends, the office area would cool off quickly and the AC would shut down while the server room baked. We knew something odd was going on when RAID drives and other components started failing far too often. The climax came when a Dell-hosted clustered SQL Server system announced at the console that it had reached a critical internal temperature and was shutting down immediately to protect itself. This made several production departments grind to a complete halt. The first step was to put in a temperature probe with an IP address that could be SNMP-polled every few minutes. The data was logged and trended graphically, and the resulting report to senior management, complete with graphics, got a dedicated AC unit approved as capital expenditure and installed in record time.

A second benefit of air-conditioning relates to filtered air. Manufacturing environments are often very dusty places. Systems with cooling fans that either draw or push air through a cabinet to cool it actually wind up coating all components with dust over time in uncontrolled environments. Depending on the thickness and type of dust, overheating and/or short circuits can happen. Air-conditioning feeds to data centres should have the dust removed and ensure that humidity is at proper levels.
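The logging-and-trending step from the server-room anecdote above, as an added example that is not code from the article or its author: it assumes the SNMP poller has already written one "timestamp celsius" line per sample, uses constructed readings covering one weekend, and the two thresholds are assumptions rather than figures from the text.

```python
"""Trend analysis for polled server-room temperature readings.

Added example, not code from the original article. The article describes an
IP-addressable temperature probe that was SNMP-polled every few minutes, with
the data logged and trended to show management that the room overheated when
the office AC stopped running on weekends. This script assumes the poller has
already appended readings to a plain log ("ISO-timestamp celsius"); the SNMP
polling itself is out of scope. The readings below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions for this demo, not values from the article.
WARN_C = 27.0      # upper end of a typical recommended inlet-air range
CRITICAL_C = 35.0  # level at which servers may shut themselves down

# Constructed sample log: readings every few hours, Fri 2 Dec to Mon 5 Dec 2011.
# Weekday daytime readings are fine; the room heats up once the office empties.
SAMPLE_LOG = """\
2011-12-02T09:00 21.5
2011-12-02T13:00 22.0
2011-12-02T17:00 22.4
2011-12-02T21:00 24.8
2011-12-03T01:00 27.9
2011-12-03T09:00 30.5
2011-12-03T17:00 33.1
2011-12-04T01:00 34.2
2011-12-04T09:00 35.6
2011-12-04T17:00 36.0
2011-12-05T01:00 31.3
2011-12-05T09:00 23.0
2011-12-05T13:00 21.9
"""


def parse_log(text):
    """Parse 'timestamp celsius' lines into (datetime, float) tuples.

    Malformed lines (a probe returning garbage, a truncated write) are
    skipped rather than aborting the whole report."""
    readings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M")
            readings.append((ts, float(parts[1])))
        except ValueError:
            continue
    return readings


def summarize(readings):
    """Bucket readings into weekday/weekend and compute min/avg/max per bucket.

    This is the comparison that exposed the unattended-weekend pattern."""
    buckets = defaultdict(list)
    for ts, temp in readings:
        key = "weekend" if ts.weekday() >= 5 else "weekday"
        buckets[key].append(temp)
    return {
        k: {"min": min(v), "avg": round(sum(v) / len(v), 1),
            "max": max(v), "samples": len(v)}
        for k, v in buckets.items()
    }


def excursions(readings, warn=WARN_C, critical=CRITICAL_C):
    """Return contiguous periods at or above the warning threshold, each with
    its peak temperature and whether the critical level was reached."""
    periods = []
    current = None
    for ts, temp in readings:  # readings are assumed to be in time order
        if temp >= warn:
            if current is None:
                current = {"start": ts, "end": ts, "peak": temp}
            else:
                current["end"] = ts
                current["peak"] = max(current["peak"], temp)
        elif current is not None:
            periods.append(current)
            current = None
    if current is not None:
        periods.append(current)
    for p in periods:
        p["critical"] = p["peak"] >= critical
    return periods


def report(text):
    """Build the summary and excursion list from a raw log text."""
    readings = parse_log(text)
    return {"summary": summarize(readings), "excursions": excursions(readings)}


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    for bucket, s in r["summary"].items():
        print(f"{bucket:8} n={s['samples']:2} min={s['min']} "
              f"avg={s['avg']} max={s['max']}")
    for p in r["excursions"]:
        level = "CRITICAL" if p["critical"] else "warning"
        print(f"{level}: {p['start']:%a %H:%M} to {p['end']:%a %H:%M}, "
              f"peak {p['peak']} C")
```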

When planning for cooling systems in a data centre, take power failure into consideration. Frequently, groups plan to keep the equipment and lights on, but overlook cooling. In the event of power failure, air-conditioning (or whatever the cooling system is) may very well be needed to protect sensitive electronics.

Conditioned Power
IT systems need stable, reliable power. It is not cost-effective to buy dozens of good UPSes. It is more economical to buy several good systems that can protect dozens, if not hundreds, of devices than to buy one-off power fixes. First, lightning strikes need to be dealt with. Second, fluctuations in voltage, harmonics, EMI/RFI and other problems need to be removed. Third, in the event of an outage, there must be a solution that allows the systems to stay online long enough for a controlled shutdown, and this may mean UPSes or a mixture of UPSes and generators. These types of solutions are very economical when applied to a large collection of systems, but less so when applied to fewer and fewer systems. Moreover, all these systems need maintenance, and the fewer the better. Monitoring and swapping batteries in a handful of enterprise UPSes is better than trying to keep track of dozens of small UPSes spread all over. In the end, business needs and associated risks must drive the solution and the investment.

Fire Management
The best way to deal with a fire in a data centre is when it is just starting. There are fire detection systems so sensitive that they can detect the increase in particulates and temperature as a group of people moves through a data centre. These sensors go far beyond traditional smoke detectors and can send alerts via the network as well as by backup means. Such systems can be deployed in a controlled environment like a data centre with much success. The whole idea is to detect a problem and react while the fire is still manageable, before it becomes significant. By layering early detection with a corrective control, namely suppression, the risks of damage from fire can be further mitigated. Take the time to investigate fire suppression technologies that can put out fires without damaging electronics or leaving particulates. Using the threat of fire as an example, always think about how to compensate in layers. How can the risk be prevented? How can it be detected early, when the impact is minimal? Most times, a layered approach is more effective than any single method.

Water
For some data centres, flooding is a very real concern. In dedicated data centres, it is possible to elevate equipment, re-route water pipes, disconnect water sprinklers and use alternative fire suppression systems, and so on, all aimed at reducing the risk of damage due to water in a particular location.

Summary
Environmental issues need to be addressed to ensure availability. The mixture of elements to consider depends on the data centre, geographic location and so on. Some systems must be located relatively near the user community and need to be protected regardless. In all cases, a balance must be struck between costs, risks and benefits. In the end, it’s all about meeting the needs of the business. Today, when IT systems fail for whatever reason, it’s not just old-fashioned report printing that stops — it is the business that stops.

— George Spafford is an IT consultant and a long-time IT professional. He focuses on compliance, management and process improvement.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

4 Risks of Data Centre Consolidation

While the benefits of consolidating the data centre are clear, corporates have not been too vigilant in protecting it. By Robert Ciampa

Over the past several years, organisations large and small have initiated or continued data centre consolidation projects. Unlike some other IT initiatives, the benefits from this exercise are clear and well-documented, and include both economic and operational advantages. The reality remains that the data centre frequently contains an organisation’s most important asset: information. Given the prodigious efforts to collect and provide access to this corporate resource, have we been equally vigilant in protecting it? Unfortunately not. Too often, a re-engineering effort quickly follows a consolidation project because the operational benefits are negated by amplified vulnerabilities, which include information risk, asset risk, access risk and audit risk. Since the economic benefits of consolidation are so evident, organisations frequently rush to implementation while not fully dealing with the risk factors.



illustration by anil t

Fortunately, a holistic approach exists that not only mitigates these key challenges, but also allows information leaders to overcome some of the political challenges that permeate their consolidation efforts. First, we must explore some fundamental concepts. From an information viewpoint, we’ve seen astronomical growth in storage capacity, leading to the rise of information lifecycle management, which represents how information is managed, moved and viewed. We’ve followed this with a dramatic increase in our transaction processing capability. Finally, we’ve made it easy to provide information beyond our corporate borders to our customers and business partners. In essence, we’ve become a high-performance, information-dependent machine. Does that make us more vulnerable? Absolutely. If that’s the case, what are the risk factors? The media has been awash with coverage of information breaches, illegal access, lost tapes, etc. Information, as we’ve articulated, has value—even in the wrong hands. Exacerbating all this is compliance. Depending on your markets, you may be subject to a variety of regulatory constraints on the information you harbor. Also consider the financial risk factor. If the malcontents and the regulators don’t get you, the market certainly will, even at the hint of a breach. So, let’s consider each of the risk factors in turn, and then address mitigation.

Risk Factor 1: Information Risk
Data centre consolidation represents an incredible concentration of information on an infrastructure that’s highly accessible. Remember that not all data is created equal, with some being much more sensitive than others. However, because the economics of the new data centre are so compelling, there is now a much broader variety of data within it.

Risk Factor 2: Asset Risk
Which assets contain the sensitive information? Great question, especially when we mix in server virtualisation and storage area networks (SANs). The benefits of the aforementioned technologies are great, but it remains a challenge for most organisations to identify the assets which contain some of the critical information we highlighted in Risk Factor 1. This is a major compliance challenge, as identification of critical assets is just as important as identifying the data they contain.

Risk Factor 3: Access Risk
Once we have a base understanding of the critical information and assets within our new data centre, how do we control access? Organisations often have a vast array not only of authentication techniques, but also of authorisation methods. Depending on their information, different assets might require different access methods, which may in turn be incongruous with other technologies in place. To overcome access challenges, numerous technologies are thrown at the problem. These include but are not limited to router access controls, virtual LANs, firewalls, single sign-on (SSO), intrusion detection, etc. Whether the information is distributed, concentrated, or virtualised, getting the policy in place for managing access remains a challenge.

Risk Factor 4: Audit Risk
Aggravating these challenges are the ever-increasing audit requirements. It doesn’t matter whether you’re a privately held entity not controlled by the Sarbanes-Oxley Act, or if you just have sensitive information: you’re going to have to prove that you have the requisite controls in place and that they’re working. Even within a consolidated data centre, collecting this information is difficult, especially since audit information may have to be correlated with other information outside the data centre. Activating specific auditing functionality within point products might not only result in large log files and trigger a number of events, but may in fact impact operational and transactional performance as well. This, of course, runs counter to some of the justification for consolidating the data centre in the first place. These risk factors aren’t going away. Outsourcing is not a cure-all either, as service providers are also dealing with these challenges. Though technology is evolving to address these issues, it does not preclude the need for cross-functional planning and a candid assessment of requirements.

—Robert Ciampa is VP, marketing and business strategy at Trusted Network Technologies, a provider of identity audit and access control solutions.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


You, Your Data and Its Data Centre

Among the primary keys to effective IT support is understanding how your data is being preserved, provisioned and presented. By Christopher Burgess

I don't give a lot of thought as to where my data sits, as long as it is available to me. I know that if I'm storing it on my hard drive, I'm also backing it up to my secondary and tertiary devices. But if I'm storing or backing it up to a third-party environment, be it via my online document storage service or that used by my company (such as a centralised location), I make assumptions about the service being available and accessible, as well as having sufficient storage space for my data. When any of these conditions aren't present, then I call for help. It stands to reason that if you're creating video content, you're using more storage space than if you're creating written documents, and your space will fill more quickly. If the storage devices are approaching 90 percent full, you know it is time to increase storage capacity. Do you have the same visibility into your work environment? So what are the information technology (IT) professionals thinking about with respect to you and your data? For that answer, I visited the third installment of Cisco's Connected World Report, which identifies those areas that are top of mind for the IT pros.

The number one issue is security, followed by uptime and performance. I was pleased to read how global IT departments are looking to create smarter data centers with the ability to deploy and deliver applications quickly with the elasticity to dynamically meet our demands. The IT pros from all 13 countries represented in the report were also integrating virtualisation as a key strategy to achieve the aforementioned goals, along with flexibility, reduction in costs, and ecological impact, that is, to be more green. Indeed, the IT prognosticators predicted 45 percent of all production environment data centers would be virtualised in three years. With our data and applications resident and available from virtualised data centers, it stands to reason why security is the number-one concern. The report notes the following as primary keys to effective IT support: Understanding how applications and their data behave in your dynamic virtualised environment; how your data is being preserved, identification of what training and education will be necessary to allow both you and your IT/Infosec departments to keep pace with technology.


I agree: Just like we read and learn as individuals, those departments that support us must allocate a portion of their professional day to learning. The report notes that IT professionals who have the most robust cross-training and collaboration capabilities will also enjoy the greatest number of professional opportunities. But like our personal infrastructure, the budgeted monies of the professional infrastructure must be stretched to meet identified (and unidentified) requirements, and thus I was pleased to read that approximately 70 percent of the IT budgets within the 13 countries identified are increasing year-over-year. This increase will be a real necessity given the ubiquitous use of video by the end user (that would be you and me), of whom 50 percent expect video to eventually be their primary mode of communication. In sum, we are creating content — be it data, audio or video — and we are using an ever-increasing number of applications. At home, whether we realise it or not, we are creating our own data centers, whether within those hard drives on our desks or via online service providers. At work, we rely on others to do the heavy lifting and to create robust virtualised work environments. So what can you, as the individual, do to help your own business environment? When the IT pros show up at your desk asking you to identify, forecast or project your needs, work with them. They are attempting to get ahead of your requirements. You see, in the end, it all boils down to you, your data, and the data center supporting you.

— Christopher Burgess is a senior security advisor to the chief security officer of Cisco.

— This article is printed with prior permission from Infosec Island. For more features and opinions on information security and risk management, please refer to Infosec Island.



NO HOLDS BARRED


“Storage is IT’s backbone”

Storage has always been the backbone of information. In an interview with Ankush Sohoni, Roberto Basilio, VP, Storage Platforms & Product Management, Hitachi Data Systems, talks about Hitachi’s plans for this market


Could you talk about Virtualisation 2.0 and Hitachi’s role in enabling it?

Clearly virtualisation is a tool that brings ease of management. With IT having to manage an ever-increasing amount of data, clearly you need to have ease of management, reporting and provisioning. As we need more and more access to information, we need an easy way to provide a medium to store the information. This is the key. Management is what is required. Currently there is a disconnect between what business needs - which is how can I reach more customers - and the ability of the IT infrastructure to deliver. So virtualisation becomes a tool to gain agility. IT budgets are not increasing and living within the means of these budgets is challenging. CIOs need to be lean and do more with less, but we have a running joke at Hitachi, of whether one should do more with less until you do everything with nothing. But jokes apart, this is the current landscape within enterprises today.

What are some of the challenges enterprises are facing in adopting storage virtualisation?

Clearly the challenge is to gain confidence in the technology. Nobody even knew what VMware was ten years ago. I didn’t even know where they were based. Confidence in the technology started to come when they became a part of EMC and started to have successes of their own through some large early adopters. These early adopters can afford to have an additional platform to play with. I found that the users here are still the ones who can’t afford to experiment. They are looking for ways to have references so as to start virtualising. The adoption curve is bound to be slow as compared to the rest of the world. The curve here starts two to three years later. However, this is something that everyone will have to adopt because you can’t afford to waste resources. You cannot have underutilised resources today. It’s important that we understand that the tools are there, the infrastructure is real and it works. People can now believe that they can adopt these things with confidence.

Could you detail the new technology you’re introducing as part of the Virtualisation 2.0 roadmap?

Today we are looking at bringing in the concept of merging high-end infrastructure with affordable and flexible form factors. We want to give the same tools to every single enterprise in spite of size and budget. We want to enable enterprises by giving them the ability to implement an architecture that can take them along their growth path. We want to give them tools to deal with their growth. Enterprises in India are in a high growth phase. Growing business volumes and transaction sizes require that enterprises scale dynamically without taxing the infrastructure. What we are delivering very shortly is the ability to dynamically migrate data from one platform to another. As platforms become less useful, enterprises may need to go to the next step. You need to be able to create the links that will help enterprises transition from one technology to the next. This is the kind of value we are looking to create for our customers. Today we are used to large-capacity provisional disk drives. It’s no news that SSDs are becoming more relevant, but they don’t solve the problem. If you do not have enough bandwidth in the system then you cannot take advantage. Also you have to put technology close to the applications.

What are some of the storage trends you are seeing with respect to Indian enterprises?

There is a major need to be able to retrieve information independently of the application. You may be in one country and you happen to be travelling to another one; you need access to information. There must be a way to disjoint information from the application that created it and make it available to another one. Let me take an example. India is going through UID. Part of this initiative is to create information that you will need to last the test of time. The children of your children may need access to this information. So the question is how do we create that information and retrieve it through the cycle of time. It’s really about finding ways to disconnect them from the medium. The more information we create, the more the need to search and retrieve that information in the most efficient manner possible.

Could you share some best practices that can help our readers achieve storage excellence?

Clearly it’s hard to speak generally. The first thing that any CIO needs to do is understand their problem and their needs. These are key. Storage is at the end of the link in the IT process and forms the backbone. Clearly you cannot start from there, but technology is something you will need. Data needs to be stored efficiently in a way that can be utilised even decades after its creation. The main idea is to be able to create legacy that can be utilised. This dictates that storage infrastructure needs to be robust and efficient.

The Chief Technology Officer Forum

DOSSIER
Company: Hitachi Data Systems
Established: 1989
Headquarters: Santa Clara, California
Services: Information Storage Hardware, Information Storage Software, IT consulting and services
Network: Over 5300 employees in more than 100 countries

cto forum 07 december 2011



TECH FOR GOVERNANCE

Security

5 POINTS

- ISO 27002 lists all of the 133 controls in ISO 27001, with detailed explanation of best practices for their implementation
- ISO 27002 will remain a code of practice for implementation of security controls
- ISO 27001 will remain the only certifiable standard in the ISO 27k series

Illustration by Prince Antony

"This alignment will be the biggest job that's ahead of you. In the transition period you will have plenty of refreshed best practices to choose from."

The Next Revision of ISO 27001

It's been six years since the last revision of ISO/IEC 27002 (in 2005). Much has changed in information security since then, and this standard definitely needs some "facelifting".

By Dejan Kosutic


Since ISO 27002 is closely tied to ISO 27001, this revision has to be done simultaneously for both standards, and is expected to happen in the latter half of 2012 or during 2013.

ISO 27001 and ISO 27002

What these two standards have in common are the 133 controls. They are offered as a kind of catalogue in Annex A of ISO 27001, with the idea that appropriate controls are selected based on the risk assessment. ISO 27002 lists all of these 133 controls again, but offers detailed explanation of best practices for their implementation. For a detailed explanation of the differences between ISO 27001 and ISO 27002, read ISO 27001 vs ISO 27002. This relationship between the two standards is why ISO 27002 changed its name in 2007: it was previously called ISO/IEC 17799, but its name was changed to ISO/IEC 27002, making it part of the ISO 27k series. This most important link between ISO 27001 and ISO 27002, the identical structure of ISO 27001 Annex A and the ISO 27002 controls, will most likely still be included in the new revisions of both standards. However, the way it is structured and the individual controls will most probably change.

Expected Changes

It is impossible to predict all the changes in ISO 27002 because the final draft hasn't been written yet. However, the most likely changes can be judged by hearing what ISO 27001 experts have to say. Here is a summary of suggestions from the ISO 27k Forum, the leading expert forum about ISO 27001/ISO 27002:

- Accountability – definition of what it means in relation to human resources management
- Authentication, identity management, identity theft – they need a better description because of their criticality for web-based services
- Cloud computing – this model is becoming more and more dominant in real life, but hasn't been covered in the standard
- Database security – the technical aspects haven't been systematically laid down in the existing revision
- Ethics and trust – an important concept not covered at all in the existing revision
- Fraud, phishing, hacking, social engineering – these particular types of threats are gaining more and more importance, but aren't covered systematically in the existing revision
- Governance of information – this concept is very important for the organisational aspect of information security and is not covered in the current revision
- IT auditing – needs to focus more on computer auditing
- Privacy – needs to go broader than existing data protection and legal compliance, especially because of cloud computing
- Resilience – this concept is completely missing in the existing revision
- Security testing, application testing, vulnerability assessments, pen tests etc. – these are essentially missing in the current revision

As Gary Hinson from the ISO27k Forum argues, several of these issues are already covered, but they were not given sufficient emphasis in the current revision of the standard: key terms widely used today are either completely missing or are only vaguely alluded to.

Also, the new ISO 27002 will refer more to other standards that define certain areas in more detail. For instance, Section 14, Business Continuity Management, will refer to ISO 22301 and ISO/IEC 27031.

All these changes mean not only that some of the controls will change or will be added, but also that the structure of the standard will change: instead of the existing 11 sections of Annex A / ISO 27002, some new sections will probably have to be created, and others merged. And these structural issues are probably the toughest ones, since the body in charge of the revision will need to ensure compatibility with the existing revision. This is why we have no idea at the moment what these structural changes will look like.

ISO 27002 Certification?

Many people still ask me whether it is possible to get certified against ISO 27002. The situation with the new revision will stay the same: currently it is not possible, nor will it be possible, to get an ISO 27002 certificate because, unlike ISO 27001, this is not a management standard. This means ISO 27002 will remain a code of practice for implementation of security controls. It will not define the management system, e.g. the documentation management, internal audit, management review, corrective and preventive actions, risk management, etc.; all these remain in the domain of ISO 27001. Therefore, ISO 27001 will remain the only certifiable standard in the ISO 27k series.

Implications for the ISMS

If you already have your Information Security Management System implemented, you don't have to worry too much: no matter which changes the new revision brings, you will have enough time to implement them. Once the revisions are published, you will need to align the structure of your controls in the Statement of Applicability with the new Annex A in the revised ISO 27001. And although the structure won't change too much, this alignment will be the biggest job that's ahead of you.

And this is where the new ISO 27002 will bring the most value: in the transition period you will have plenty of refreshed best practices to choose from. And since ISO 27002 is quite detailed, and you still have the freedom to choose only the appropriate material for your organisation, it will definitely help you make such a transition easier.

-- This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

85% of Fortune 500 organisations will fail to effectively exploit big data by 2015
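The Statement of Applicability alignment described under Implications for the ISMS above, where old controls are carried over to a restructured Annex A in which some controls are merged, some dropped and some added, can be done mechanically for the bookkeeping part and flagged for human review where a decision is genuinely new. The following is an added example, not code from the article, from Infosec Island or from ISO; the control identifiers (A.x.y.z and N.x.y.z), the sample SoA and the old-to-new mapping are constructed placeholders and not the real ISO/IEC 27001 controls or the real mapping between revisions.

```python
"""Align an existing Statement of Applicability (SoA) with a restructured
Annex A.  Added worked example: the control ids, the sample SoA and the
old->new mapping are constructed placeholders, not real ISO/IEC 27001 data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str
    sources: List[str] = field(default_factory=list)  # old ids folded into this entry
    review_needed: bool = False  # a human must re-decide this control


# Constructed sample of an existing SoA, keyed by placeholder old Annex A ids.
OLD_SOA: Dict[str, SoaEntry] = {
    "A.5.1.1": SoaEntry("A.5.1.1", True, "Security policy approved by management"),
    "A.5.1.2": SoaEntry("A.5.1.2", True, "Policy reviewed annually"),
    "A.10.4.1": SoaEntry("A.10.4.1", True, "Endpoint anti-malware deployed"),
    "A.10.4.2": SoaEntry("A.10.4.2", False, "No mobile code permitted on the estate"),
    "A.10.9.3": SoaEntry("A.10.9.3", True, "Integrity checks on published content"),
    "A.14.1.1": SoaEntry("A.14.1.1", True, "BCM process in place"),
}

# Constructed old->new mapping.  Two old ids pointing at one new id model a
# merge; None models a control dropped by the revision.
OLD_TO_NEW: Dict[str, Optional[str]] = {
    "A.5.1.1": "N.5.1.1",
    "A.5.1.2": "N.5.1.1",     # merged: same decision on both sides
    "A.10.4.1": "N.12.2.1",
    "A.10.4.2": "N.12.2.1",   # merged: conflicting decisions -> review
    "A.10.9.3": None,         # dropped
    "A.14.1.1": "N.17.1.1",
}

# Constructed new Annex A.  N.14.2.8 stands for a control added by the
# revision (e.g. the security testing the article says is missing today).
NEW_ANNEX_A: List[str] = ["N.5.1.1", "N.12.2.1", "N.14.2.8", "N.17.1.1"]


def align_soa(old_soa, mapping, new_annex_a):
    """Carry every old decision over to the new structure and flag what a
    human must revisit: merges whose sources disagreed on applicability,
    and controls that are new in the revision (no old decision exists)."""
    new_soa: Dict[str, SoaEntry] = {}
    for old_id, entry in old_soa.items():
        new_id = mapping.get(old_id)
        if new_id is None:
            continue  # dropped control, reported separately by dropped_controls()
        target = new_soa.get(new_id)
        if target is None:
            new_soa[new_id] = SoaEntry(new_id, entry.applicable,
                                       entry.justification, [old_id])
            continue
        # Merge into an existing target: stay applicable if any source was
        # applicable (the conservative choice) and require a rewritten
        # justification when the sources disagreed.
        target.sources.append(old_id)
        target.justification += "; " + entry.justification
        if target.applicable != entry.applicable:
            target.applicable = True
            target.review_needed = True
    for new_id in new_annex_a:
        if new_id not in new_soa:
            new_soa[new_id] = SoaEntry(new_id, False,
                                       "New control: decide from the risk assessment",
                                       [], True)
    # Return in Annex A order so the SoA reads like the new standard; anything
    # the mapping sent to an id outside the new Annex A is kept at the end.
    ordered = {cid: new_soa[cid] for cid in new_annex_a}
    for cid, entry in new_soa.items():
        ordered.setdefault(cid, entry)
    return ordered


def dropped_controls(old_soa, mapping):
    """Old controls with no home in the new structure (coverage to re-check)."""
    return sorted(cid for cid in old_soa if mapping.get(cid) is None)


def controls_needing_review(new_soa):
    return [cid for cid, e in new_soa.items() if e.review_needed]


if __name__ == "__main__":
    aligned = align_soa(OLD_SOA, OLD_TO_NEW, NEW_ANNEX_A)
    for cid, e in aligned.items():
        flag = " REVIEW" if e.review_needed else ""
        print(f"{cid}: applicable={e.applicable} from={e.sources}{flag}")
    print("dropped:", dropped_controls(OLD_SOA, OLD_TO_NEW))
```

The point of the review flag is that a mapping table can move text around but cannot make the risk-based decision the standard requires: a merged control whose sources disagreed, and a control that did not exist before, both need a fresh entry in the risk assessment rather than an inherited justification.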


TECH FOR GOVERNANCE

Software Licencing

Free From Defect Software Licence

The software industry as a whole needs to take on a "we'll stand by our software" attitude

By Keith Mendoza

Illustration by Shigil N

I have been writing open-source software on the side for quite some time now. I've used both the GPL and the Apache licences for my work. The flip-flopping between the licences is mainly caused by my feeling that a particular licence meets my target audience. The one item that bothers me is the "no warranty" clause. I personally think that it's high time that software developers take on the challenge of providing a guarantee that their software will work as designed: that all necessary due diligence has been done to make sure that the software does not contain bugs that could lead to loss of data or a security breach. As storage got cheaper, everyone got reckless and quality basically went down the drain as more development frameworks started providing the proverbial kitchen sink. I've begun work on a JavaScript-based web application framework that I've called Flat8, and I'm going to take the moral high ground by licensing it in a way that basically says "I've done my best to test and secure the software that I'm writing. If a bug/defect is found, I intend to fix it after so many days." Why am I doing this? Because I feel that software developers are capable of doing this; so I'm going to be the first to do it and I hope that others will follow. If I actually pull it off, I hope that others will see that it indeed can be done; if I fail, then I hope that others will learn from my mistake.

This is a question that I would like to pose to the open-source software community in general: assuming that we can ignore the lawyers for a second, what amount of effort would you be willing to put in to produce software that is free of defects in workmanship? How will you go about making sure that your software is indeed free from defects? Here is the list that I came up with:

- A clear list of requirements will be produced, documented, and agreed on. Any assumptions taken will be documented.
- Thorough development documentation will be produced: basically the architecture, detailed design, testing, and source code documentation.
- A complete operating manual will be produced.
- Software is thoroughly tested to make sure that all requirements and assumptions are tested, and the results are published to provide a benchmark for proper operation.
- Secure coding standards will be adhered to, and source code will go through a code scan to make sure that the code is as clean as possible.
- SCM practices will be followed.

These are the conditions that I would put in place to keep the software under warranty:

- The software is not used in a way outside of the given requirements.
- The user followed all user documentation and has referenced the test results to confirm that their input falls within the published parameters.
- The provided unit and functional tests actually passed on the platform where the software is running.

If the software industry as a whole takes on a "we'll stand by our software" attitude, then information security issues will go down significantly. At the end of the day everything from the BIOS, to the kernel, to the services, is software.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


ThoughtLeaders: Krishnakumar Sankaranarayanan

Krishnakumar Sankaranarayanan is a Managing Consultant at PwC India

IT in Pharma R&D

IT plays a vital role all along the pharmaceutical value chain, but nowhere is its role more important than in R&D and sales force productivity improvement

The pharmaceutical industry is facing unprecedented challenges. The impending patent cliff, which could see big pharmaceutical companies lose over $105 billion worth of patented drug sales by 2015, is a cause of great concern. Compounding this impending patent cliff is the increased cost of development of new drugs, and the requirements of regulators for enhanced safety and efficacy monitoring. IT plays a vital role all along the pharmaceutical value chain, but nowhere is the role of IT more important than in research and development and sales force productivity improvement. Information technology has also been used effectively in other areas of the pharmaceutical value chain, like manufacturing and supply chain, with wide-ranging success.

Computer simulations of drug interactions with the human body, i.e. in-silico research, are an accepted process for drug development. Computer simulations help predict how the drug will react with the human body, enabling companies to take an informed go/no-go decision on investing in expensive clinical trials. Regulators the world over are placing increasing emphasis on the safety and clinical efficacy of medicines before granting their approval for market launch. Submission of clinical outcomes from large multicentric clinical trials involving thousands of patients is needed before approval is granted. This lengthy drug development process generates enormous quantities of data which the pharmaceutical companies have to track and preserve for many years. Information technology plays an indispensable role in the generation, encryption and storage of sensitive drug development data. Many Indian information technology companies are functioning as strategic partners to large pharmaceutical companies in the drug development process. Given the vast information generated by artificial genetics, many large pharmaceutical companies are using the power of cloud computing to boost computing capacity. Multiple stakeholders in the personalised medicine ecosystem, vis-à-vis clinical research communities, research-based institutions, investigators, contract research organisations, pharmaceutical companies, providers, patients, labs, and payers, are joining cloud-based disease networks, creating an ever-increasing volume of data. Large pharma companies are using the power of cloud computing for proteomics, statistics, and adaptive clinical trial design.

Pharmaceutical companies employ large sales teams to reach out to physicians to promote their brands. Ensuring that the sales force has adequate information to have a meaningful conversation with the physician is key to improving the productivity of the sales team. Many companies have begun using mobility solutions to achieve this goal. These mobility solutions enable two-way communication between the sales team in the field and the marketing and administrative teams in the regional/zonal offices. The sales representatives can use the devices to file their sales reports, expense statements, requisitions for promotional material, etc. The marketing teams can update the sales representative with new promotional material and additional information on the physician, which helps enhance the quality of the communication and strengthen the relationship between the representative and the physician.



VIEWPOINT

Illustration by Prince Antony

Steve Duplessie | steve.duplessie@esg-global.com

Why Startups Die: The Second Child

This post is less about true startup death and more about companies who have passed their first major hurdle: they have successfully navigated their youth and delivered a real product to a real market. Sometimes, they have been wildly successful with their first product. Then comes the second product, and that shits the bed. If the first product was NOT wildly successful, a failure of the encore can kill your company. Success creates incremental impediments to success v.2. It's hard as hell to develop a product/solution that solves a legitimate problem in an expanding market. It takes skill, clarity, and a heck of a lot of luck. Once a young company does it, however, they almost always screw up their second product. Why? First, because they have been successful, they often take shortcuts the second time that they didn't take the first time. They make ASSUMPTIONS on round two, often lethal assumptions. They assume that because they have a customer that is happy, that customer will buy anything they try to sell them. They assume that because they have a relationship with Chuck the IT minion, they have a relationship with the entire IT department. Just because a storage weenie bought your gizmo does not mean the network guy will have any idea who you are, care, or give you the time of day. Because the backup guy bought your software, you have yet to make the CIO's "must have" vendor list. Stop assuming you matter more than you do. They also believe that because they successfully sold product 1 to some guy way down on the totem pole, that guy will somehow become the most important, relevant person in the IT department universally, and as such be able to command other groups to buy your new shiny toy. They won't. They don't do their homework (market research), they don't test their assumptions. They just build it. First they were tremendously successful selling a new network switch. Then, because of that success, they spend 18 months and 9 million dollars developing the greatest solar navel lint collection device the world has ever seen. Then they bum out because for some unknown reason the world doesn't seem as excited about it as they did.

Product 2 is harder than product 1, I'm sorry to tell you. Product 2 is developed while the world has EXPECTATIONS about you. No one expects you to do anything right on product 1, as the odds are against you and no one knows who you are anyway. By the time product 2 comes around, you've already succeeded to some degree. If anything, you should spend MORE time up front making sure you are building something that someone wants, that solves a legitimate problem, that LEVERAGES the relationships you have built with channels/customers on product 1, etc. Assuming you have your act together here and not doing it is almost a guarantee of a product failure. I estimate that as much as 80 percent of all second products are tremendous disappointments. It may even be higher. By the time you've hit two in a row, you know what it takes. It doesn't mean you won't get cocky and screw up your third or fourth, but if you do, you'll know exactly why. You assumed. When you assume, you make an "ass out of u and me," to steal a line from Felix Unger.

About the author: Steve Duplessie is the Founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve's blog at http://www.thebiggertruth.com



