Slim Trim and Efficient

CTO Forum

Technology for Growth and Governance

November | 07 | 2012 | 50 Volume 08 | Issue 06

A 9.9 Media Publication

CIOs are shifting from a distributed IT setup to a centralised model leading to more efficient data centres. Page 22

I Believe: Risks of Password Based Authentication, Page 4

Best of Breed: Rethink your Next Critical Security project, Page 18

Tech for governance: Cleansing the Internet of Terrorism, Page 36

Research - Used For Good and Evil | BYOD or Rogue IT?




editorial yashvendra singh | yashvendra.singh@9dot9.in

Long Live the Data Centre

Despite cloud computing, on-premise data centres will stay relevant. CIOs have to transform them into smart and efficient entities

Since the onset of cloud computing, questions have been raised on the existence of the classic data centre. However, we feel all the talk about the “death of the data centre” is greatly exaggerated. Considerable concerns relating to compliance, control and security will ensure that the on-premise data centre stays central and relevant to an enterprise’s business and IT policy. At least during our lifetime. CIOs should, therefore, stop worrying about the data centre going the way of the Dodo, and focus on increasing its efficiency.

There is a lot already happening to enable CIOs in enhancing the performance of their data centres. To provide more computing power in lesser area, smaller and faster processors are being developed. Cutting edge software is being developed to take care of the ever increasing loads of data. Innovative solutions are getting built to tackle the perennial problem of burgeoning power bills. CIOs are already implementing state-of-the-art IT to improve performance and reduce sprawl of their data centres.

Going forward into 2013, several of the emerging technologies aimed at ramping up the efficiency of data centres will go mainstream. Some technologies that are already being deployed could turn into best practices next year. Virtualisation, for instance, promises to reduce operational costs while improving the energy efficiency. Its adoption is bound to increase in the coming year. Similarly, environmental concerns will force corporates to address one of the biggest concerns – curbing the burgeoning energy needs of their data centres, thereby cutting down on carbon emissions. Some of the corporates are already working on it. Apple, for instance, intends to power its 500,000 square feet data centre in North Carolina entirely through solar power. The company is already in the process of setting up a 100 acre solar farm and also intends to deploy hydrogen fuel cells.

Acknowledging the fact that the data centre will stay relevant in the times to come, we have dedicated this issue’s cover story to it. The story throws more light on how CIOs are transforming their data centres into lean, mean and efficient IT infrastructure. We look forward to your feedback.

Editor’s pick (page 22): Slim, Trim & Efficient. CIOs are shifting from a distributed IT setup to a centralised model leading to more efficient data centres

The Chief Technology Officer Forum

cto forum 07 November 2012



Contents: November 2012

thectoforum.com

Cover Story

22 | Slim, Trim & Efficient: CIOs are shifting from a distributed IT setup to a centralised model leading to more efficient data centres

Columns

4 | I believe: Risks of Password Based Authentication. By Rakesh Thatha

52 | View point: Research - Used For Good and Evil. The 5 Hour Energy Findings! By Steve Duplessie


Features

18 | Best of breed: Rethink your Next Critical Security project. Take the investments already made and implement them to their full potential

36 | Tech for governance: Cleansing the Internet of Terrorism. A look at a few of the most controversial elements of the CleanIT project

42 | Next horizons: BYOD or Rogue IT? If IT managers are embracing BYOD are they as accepting of Rogue IT in the office?

A Question of Answers

14 | Mark Kay, Senior VP, SI and Alliances, Hitachi Data System, discusses trends in outsourcing and Hitachi’s future plans around them

Regulars

01 | Editorial
06 | Letters
08 | Enterprise Round-up

Advertisers’ index

Microsoft FC | CTRLs 5 | Symantec 7 | Airtel 11 | SAS Institute 13 | IBM (Future of IT) 17 | Datacard IBC | IBM BC

Cover design: Raj Verma

Please Recycle This Magazine And Remove Inserts Before Recycling

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Assistant Editor: Varun Aggarwal & Akhilesh Shukla

Design
Sr. Creative Director: Jayan K Narayanan
Sr. Art Director: Anil VK
Associate Art Directors: Atul Deshmukh & Anil T
Sr. Visualisers: Manav Sachdev & Shokeen Saifi
Visualiser: NV Baiju
Sr. Designers: Raj Kishore Verma, Shigil Narayanan Suneesh K & Haridas Balan
Designers: Charu Dwivedi, Peterson PJ Midhun Mohan & Pradeep G Nain

Marcom
Associate Art Director: Prasanth Ramakrishnan
Designer: Rahul Babu

Studio
Chief Photographer: Subhojit Paul
Sr. Photographer: Jiten Gandhi

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Jigyasa Kishore (+91 98107 70298)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Office No. B201-B202, Arjun Centre B Wing, Station Road, Govandi (East), Mumbai-400088. Printed at Tara Art Printers Pvt Ltd., A-46-47, Sector-5, NOIDA (U.P.) 201301
Editor: Anuradha Das Mathur
For any customer queries and assistance please contact

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.



I Believe

By Rakesh Thatha, Co-Founder and CTO at ArrayShield. The author is a security expert and the creator of the patent protected ArrayShield IDAS two factor authentication system.

Risks of Password Based Authentication

Enterprises need to switch to a stronger authentication system that secures against various hacking attacks

Current challenge: moving towards a stronger authentication solution that provides higher levels of security

Password based authentication is one of the most popular approaches to authenticate a user in various enterprise applications. But password based authentication systems have many problems, and using passwords as the authentication mechanism for enterprise applications is not completely secure. Considering all the risks associated with password based authentication systems, there is a strong need for enterprises to switch to a stronger authentication system which provides security against the various hacking attacks and which is also more convenient and easier for the end user of the system.

Challenges with Password based Authentication:

1. Easy passwords can be cracked
The end user’s behavior, such as choosing passwords that are easy to remember, introduces the majority of the password weaknesses. For a hacker, these passwords can easily be cracked or guessed. Surveys show that frequent passwords are the word ‘password’, personal names of family members, names of pets, and dictionary words.

2. Remembering Multiple Passwords
The more passwords a person has to remember, the lower the chance of remembering any specific password. Having multiple passwords also increases the chance of interference among similar passwords. This is especially true for systems that are not used frequently.

3. Problems with passwords that need to be continuously changed
Computer systems require frequent password changes, to make the system robust against various attacks. Users must think of new passwords that conform to all of the organisation’s requirements but that are also easy to remember. System-enforced password policies, however, cannot guarantee password secrecy.

Considering all the above, there is a growing trend among many enterprises globally to move to a stronger authentication solution which provides a high level of security without compromising the user’s convenience.




Letters

Cover Story: Blending the Cloud

Hybrid clouds present a perfect blend of private and public clouds. It is time CIOs looked at this great opportunity and redefined their organisation


Gartner defines Hybrid cloud computing as the combination of external public cloud computing services and internal resources (either a private cloud or traditional infrastructure, operations and applications) in a coordinated fashion to assemble a particular solution. Hybrid cloud computing implies significant integration or coordination between the internal and external environments at the data, process, management or security layers. Going by this definition, there are hardly any companies around the world that are leveraging this concept in the true sense and it is for a reason. While most enterprises are gearing towards some or the other form of cloud, there are many basic building blocks of hybrid cloud that are yet to be put in place. There are many challenges that lay ahead in the widespread adoption of hybrid clouds and security is just one of them. As the underlying cloud technologies mature and confidence is built on public clouds, hybrid clouds present a compelling case for most enterprises. But they need to be geared up before they are forced to jump to this concept.


By Varun Aggarwal Design by Shokeen Saifi | Imaging by Anil T & Peterson PJ


CTOForum LinkedIn Group

Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Virtual CTO/CIO: A long term IT partner for your business growth

This is a model that SMBs are slowly waking up to. While their IT head can chip away with his day-to-day activities, an external help (a part time CIO) can give their IT a proper direction and can review performance to ensure the company's objectives are met.

—Balasubramanian S R, Business & IT Consultant

Are CTOs more interested in satisfying the CFO & Board rather than the consumer?

If CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.

If we’re not engaged in a cyber war, we cannot win or lose

Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

www.thectoforum.com/content/timeripe-intelligentnetworks

Fact from fiction in the shadow of Tallinn Manual

By piggybacking on past successes, infosec manager can point to actual return on investment on security. To read the full story go to: http://www.thectoforum.com/content/informationsecurity-investment-too-little-or-too-high-4

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.


Mahesh Gupta, VP, Borderless Networks, Cisco India talks to Varun Aggarwal about the need for networks to become intelligent

Opinion

Arun Gupta, CIO, Cipla

CTOF Connect

Prabhakar Deshpande, Product Evangelist, Seclore Technologies



Enterprise Round-up

Feature Inside: Cloud Usage Grows 25% Y-o-Y in India, Pg 10

Imaging by Shigil Narayanan

Microsoft Launches Windows 8 in India

Windows comes alive with a range of apps and hardware options

Microsoft has announced the availability of Windows 8 for its customers in India and around the world. Consumers and businesses worldwide can experience all that Windows 8 has to offer: a new UI, a wide range of apps with the grand opening of the Windows Store, available on a variety of Windows 8 certified PCs and tablets.

Windows 8 PCs and tablets will be available in India from 14 OEM partners - Acer, Asus, Dell, Fujitsu, HCL, Hewlett Packard, Lenovo, RP Infosystems, Sai Info System, Samsung, Sony, Toshiba, Wipro and Zenith Computers on a variety of form factors - from tablets and hybrids to laptops and ultrabooks, on both touch and non-touch devices. In India, over 250 Windows 8 enabled devices, including 23 completely new SKUs of Windows 8 PCs are available across 100 cities and more than 2500 retail stores.

"With the launch of Windows 8, Microsoft is unveiling a reimagined Windows to the world," said Bhaskar Pramanik, Chairman, Microsoft India. "Whether you want a tablet or a PC, whether you want to consume or create, whether you want to work or play Windows 8 delivers a personalised experience that fits your unique style and needs."

Data Briefing: 1.6 Bn smart mobile devices to be bought in 2016 —Source: Gartner


They Said It: Steve Ballmer

Steve Ballmer, speaking at a meeting for software developers at Microsoft's headquarters near Seattle, said hundreds of millions of Windows systems would be sold over the next year, and the company was seeing strong interest from business users.

photo BY photos.com

“We're seeing preliminary demand well above where we were with Windows 7, which is gratifying” —Steve Ballmer, CEO, Microsoft

4.4 Mn IT Jobs to Support Big Data by 2015

But there is not enough talent in the industry

Worldwide IT spending is forecast to surpass $3.7 trillion in 2013, a 3.8 percent increase from 2012 projected spending of $3.6 trillion, but it’s the outlook for big data that is creating much excitement, according to Gartner, Inc.

“By 2015, 4.4 million IT jobs globally will be created to support big data, generating 1.9 million IT jobs in the United States,” said Peter Sondergaard, senior vice president at Gartner and global head of Research. “In addition, every big data-related role in the U.S. will create employment for three people outside of IT, so over the next four years a total of 6 million jobs in the U.S. will be generated by the information economy.”

“But there is a challenge. There is not enough talent in the industry. Our public and private education systems are failing us. Therefore, only one-third of the IT jobs will be filled. Data experts will be a scarce, valuable commodity,” Sondergaard said. “IT leaders will need immediate focus on how their organization develops and attracts the skills required. These jobs will be needed to grow your business.”

He said the IT industry is entering the Nexus of Forces, which includes a confluence and integration of cloud, social collaboration, mobile and information.

Quick Byte on growth of Internet in America

A new research from Forrester expects that 2 million new households in the US will be connected to the Internet by the end of 2012 compared to the end of 2009, and that 82% of households will have Internet by 2015.



Cloud Usage Grows 25% Y-o-Y in India

Organisational resistance to change is hindering even faster adoption in India

VMware has announced the findings of its 3rd annual VMware Cloud Index, a commissioned study conducted in 11 Asia Pacific countries by Forrester Consulting and ITR (in Japan). The findings of the survey reveal a surge in cloud usage in India where half the respondents in the country state that they have already adopted cloud solutions or approaches – a 25 percent growth over last year. An additional 30 percent of respondents declared that they are currently planning to deploy cloud solutions within the next 18 months, highlighting the growing cloud opportunity in India. However, 40 percent of respondents state that there is internal resistance to change that is hindering the adoption of cloud, suggesting that faster cloud adoption is possible for Indian organisations if these hindrances can be overcome.

“The survey demonstrates the potential for cloud computing in the country and reflects a double digit rate of adoption,” said T Srinivasan, Managing Director, VMware India and SAARC. “With concerns around data privacy, integration and security limiting the adoption of cloud in India, we continue to work towards enabling organisations with knowledge and resources to raise adoption rates,” Srinivasan added.

The study also reveals that 54 percent of senior IT professionals surveyed in India consider cloud computing as a top business priority. There has also been an improvement in the understanding of cloud computing with 72 percent of respondents claiming a good understanding, compared to 59 percent last year. The knowledge about cloud computing is higher at large organisations (10,000+ employees: 82 percent) compared to small organisations (<500 employees: 63 percent).

In India, while 80 percent of respondents believe that cloud computing will help enable their organisations to reduce IT costs, 82 percent believe that cloud computing will help them optimise their existing IT management and automation capabilities. Data privacy, legacy or “loss of control” (64 percent), integration with existing on-premise systems (62 percent) and security (60 percent) are the top barriers to cloud adoption in India.

“As optimism in the economy rises, businesses in India can once again focus on growth and expansion. This comes at a time when cloud computing is reaching a significant level of maturity and acceptance in India,” added Srinivasan.

In India, 81 percent agree that virtualisation is highly critical to enable cloud computing and 94 percent of respondents have leveraged or are planning to leverage virtualisation in their organisation. Further, 50 percent of the respondents in India state that they are running 50 percent or more of their production applications on a virtualised environment - a growth of 51 percent over last year.

Reflecting the optimism for cloud computing, 62 percent of Indian organisations are increasing their budgets for training internal IT staff to support their cloud initiatives, above a regional average of 55 percent. Beyond internal trainings, 56 percent of organisations in India are actively seeking to hire new staff with cloud expertise. This is critical, as nearly 73 percent of Indian IT professionals believe that failure to improve their cloud-related skills and gain cloud experience will increase their risk of falling behind peers professionally.

Global Tracker: Growth of Smartphones

By 2013, mobile phones will overtake PCs as the most common Web access device worldwide and by 2015 over 80% of the handsets sold in mature markets will be smartphones.

Source: Gartner




Two-Third of Enterprises Will Adopt a MDM Solution

To be used for corporate liable users through 2017

Over the next five years, 65 percent of enterprises will adopt a mobile device management (MDM) solution for their corporate liable users, according to Gartner. With the increased functionality of smartphones, and the increasing popularity of tablets, much of the network traffic and corporate data that was once the primary domain of enterprise PCs is now being shifted to mobile devices.

"Employees are becoming more mobile and looking for ways to still be connected wherever work needs to be done," said Phil Redman, research vice president at Gartner. "The convenience and productivity gains that mobile devices bring are too tempting for most companies and their employees. Securing corporate data on mobile devices is a big challenge, but one that companies must embrace. Enterprises are struggling with how to support and secure this dynamic workforce."

Gartner predicts that through 2017, 90 percent of enterprises will have two or more mobile operating systems to support. In the past year, many companies have moved to Apple's iOS as their main mobile device platform, with others to follow over the next 12 to 18 months. As enterprises continue to offer multiplatform support, and new platforms — such as Windows 8 — continue to emerge, MDM needs will continue to grow.

As one of the fastest-growing enterprise devices in the past 18 months, tablets are a further driving force for enterprises adopting MDM. Most companies and users are supporting the tablet for limited usage, typically for email and personal information management (PIM) functions. However, users are pushing for more enterprise applications to be supported on the tablet, usually through either enterprise or application provider development. As more of these native apps become available, and as remote access technology improves, more enterprise content will be stored on these devices.

"The rapid influx of users bringing their own mobile devices that demand access to corporate resources presents challenges to organisations," said Redman. "However, by implementing a structured support system, IT organisations can shield business information and enforce policies about data movement between the device and the corporate network, while enabling users to adopt the device they deem most appropriate."

Fact ticker

Tech Budgets Becoming IT Budgets

Much of this change is being driven by digitisation

Twelve years ago technology spending outside of IT was 20 percent of total technology spending; it will become almost 90 percent by the end of the decade, according to Gartner, Inc. Much of this change is being driven by the digitisation of companies’ revenue and their services. The Nexus of Forces is leading this transformation. The Nexus is the convergence and mutual reinforcement of social, mobile, cloud and information patterns that drive new business scenarios.

Organisations are digitizing segments of business, such as moving marketing spend from analog to digital, or digitising the research and development budget. Secondly, organizations are digitizing how they service their clients, in order to drive higher client retention. Thirdly, they are turning digitisation into new revenue streams. Gartner analysts said this is resulting in every budget becoming an IT budget.

To address these changes, organisations will create the role of a Chief Digital Officer as part of the business unit leadership, which will become a new seat at the executive table. Gartner predicts that by 2015, 25 percent of organisations will have a Chief Digital Officer.

VMUnify

Mindtree has announced its partnership with Kryptos Networks to enhance its distribution of VMUnify solution across Asia. VMUnify is a cloud platform agnostic solution that enables the setup and delivery of Infrastructure as a service. This partnership will leverage Kryptos’s expertise, scalability and reach in reselling high-end technology solutions in the Asian markets.

Mindtree and Kryptos Networks have introduced the Cloud Service Provider Program (CSPP) to onboard service providers for the VMUnify platform. This global program enables cloud service providers, small or big, to start with a minimal investment and pay for only what is consumed.

As per the exclusive study conducted by Parallels on the SMB markets, the global Infrastructure as a Service (IaaS) market size is expected to grow to $27B in 2015 from today’s $14B. In Asia, the comparative numbers are $7B in 2015 and $2.8B currently. Mindtree’s VMUnify will be targeting the management software segment which is ~ 5% to 10% of the IaaS market size.

The Mindtree VMUnify differentiators include:
Pay as you go licensing
Cloud provisioning across multiple hypervisor families, such as VMware’s vSphere and Microsoft Hyper-V




Mark Kay | Hitachi data system

Enterprise IT Shifts to Service Model

In a conversation with CTO Forum, Mark Kay, Senior VP, System Integrators and Alliances, Hitachi Data System, discusses trends in outsourcing and Hitachi’s future plans around them

Mark Kay: Banking on system integrators for future growth

How is enterprise IT outsourcing changing?

If you look at the trends in the last 24 months, there has been a big wave of IT outsourcing globally. Most of these deals can be classified as ‘first generation outsourcers’ (such as IBM and HP) who are losing contracts to ‘second generation outsourcers’ such as the fast growing newer System Integrators (SI) like Infosys and TCS. There is yet another dramatic change taking place. It is something like what Apple apps did for the consumers. In the enterprise space, customers now don’t have to buy a multimillion dollar software license. There is a lot of pressure on SIs to take more responsibility for the assets. They don’t want to spend on buying software and hardware, they want end-to-end service. Enterprises are moving towards service utility and SIs have to respond to this shift. It is no doubt challenging for SIs as this model is capital intensive and it hits their balance sheet. It also creates risks for them. What happens if the contract changes? This gives Hitachi an opportunity to step up. We have a good balance sheet and deep pockets.

How are you enabling Indian System Integrators to make the most of the opportunity?

Business has grown exponentially over the last 18 months or so. Indian SIs are being aggressive in the market place especially in Europe. Earlier they were US-centric but now they are expanding into Europe. While Europe is in trouble, there is a lot of opportunity coming out as the companies there look at cost cutting and improving efficiencies. On our part, we have given these SIs innovative tools and technologies to compete and differentiate with the older SIs (IBM, HP etc). For instance, when they come across large transformational projects globally, one of the biggest challenges that they encounter is migration. We ease this challenge through our technology. We become a sort of gold standard for data centre migration and consolidation. The financial innovation and modeling that we provide to them helps them structure the deal in a better manner. We try and provide a standardised approach in our relationship with all the SIs globally. These include a mixture of resources and investments. We enable through different ways – traditional education and training and then deploying technology in locations where they can do PoC (Proof of Concept) and have CoE (Centers of Excellence). It is a relationship based on building a core around their capabilities and us developing unique solution offering allowing them to offer services. Besides, Hitachi is very complementary and has no aspirations of doing what they do. It is a maturity model that we are building together. The HP and IBM have legacies they have to live with. Indian SIs can build new competitive models as they are not backed by old models and costing. In addition, we are doing a lot of solution co-development with our partners.

What is your go-to-market strategy with your SIs?

Every SI has a unique strength. We pick and choose a strength that makes common sense for both of us and then take that solution to the market. Hitachi in the last 18 months has been very active in the verticalisation of the market. We have come up with new verticals such as Healthcare, CME (Communication, Media and Entertainment) and are offering unique solutions here. In addition, there is a concerted area in investing in solution centers (there are four across India). Through this we give our partners an avenue to test our solution and garner the much needed confidence. We get double digit percentage revenues from our SIs.

Please throw more light on the Fusion programme for your partners

The Fusion programme has been running for three years and we have expanded it dramatically through this period. One of the prerequisites of the programme is that the SIs have to be global in nature. Out of the 12 SIs in the programme, seven are Indian SIs. The Indian SIs are the fastest growing group in the SIs that we look after. We established this programme because we wanted to acknowledge that SIs require different relationships unlike channel partners. The challenge was not to build a rigid programme where some could fit and others could not. So we came up with a flexible programme that fitted all SIs (some were into managed services and outsourcing, some into consulting and some were into integration). Through this programme, we have the

16

cto forum 07 november 2012

“We have come up with new verticals and are offering unique solutions there”

responsibility to generate revenue for our partners. Conversely, they work to generate revenues for us. Going forward, we will expand the CoE to further ramp up education for them. Do you want to increase the number of SIs? Frankly, no. We want to invest heavy in a handful of partners. It is all about getting the most from existing partners. The number of SIs have remained the same since the last three years. I don’t think we are anticipating a change. However, there will be a significant change in the way we will be supporting them. Presently, about 10-15% of their revenue is from infrastructure projects. This is just the tip of the iceberg. We can do a lot more with them. We haven’t scraped the surface with the Indian SIs. What are your future plans for your partners? Our SIs are going to become even more important for us. They represent our future on multiple fronts. We will use our partnerships to

The Chief Technology Officer Forum

things I Believe in e want to W invest heavy in a handful of partners. e will expand W the CoE to further ramp up education for System Integrators (SI). We try and provide a standardise approach in our relationship with all the SIs.

fulfill the demand of customers of getting end-to-end services. From a strategic point of view, they are extremely important to us. It is a growth engine. We launched healthcare life-science vertical three years ago. We subsequently launched CME and then oil & gas vertical. We are trying to build an ecosystem which has technologies for particular verticals. Seeing the fast growth by our Indian partners, even our parent company Hitachi Ltd is taking interest in Indian SIs. So, we will bring solutions from our other group companies. We are the only partner to the Indian SIs that has the breadth of solutions – whether it is railways, power systems, medical systems. Our group companies have lot of solutions and we can be the anchor to make sure we collaborate with them. Going ahead, globally we see growth coming from financial services vertical as a lot of contracts are getting renewed. Besides, pharma and utilities will also push growth.


Future OF IT

www.itnext.in/futureofit

Creating Agile Enterprise

Illustration: Raj Verma

In a market that is perennially changing, being agile is the only way forward. CIOs today are preparing to meet change head on by focusing on making their businesses more responsive and future-proof.

Without change, there can be no growth. Nowhere is this more clearly visible than in the global IT sector. New technologies are coming up all the time, while existing ones become obsolete in the blink of an eye. Today, mobile technologies, social media and cloud computing are all the rage, and every enterprise is grappling with the need to incorporate them into its offerings. Companies are facing new demands every day. Data volumes are on the rise. Collaboration is gaining in significance. There are new security threats emerging every second. How do you build and sustain a business in an environment which is always in flux? With the changing technology landscape and rapidly evolving customer preferences, a new breed of companies is on the rise: agile enterprises. These companies value responsiveness over red tape, flexibility over rigidity, and are focussed on the big picture rather than the details. They realise that the cost of missed opportunities due to IT not being able to keep up with the business’s needs is far higher than any investment in IT towards making it more agile.

Need for Being Agile

With companies’ e-commerce presence now extending across several countries, incorporating one key change for the end user can often mean months of development work and testing. Companies often end up with disparate apps, platforms and systems which become a drain on their resources. Not only is this true in the case of companies undergoing mergers, but also in growing companies, where IT deployments take place in a disparate way, with each branch or department setting up its own set of processes and technologies in isolation. Pretty soon, the company is operating in silos, data duplication and errors have crept into the system, and transparency is an issue. Maintaining a huge, sprawling setup like this can be a challenge, and can raise expenses needlessly. But an agile business is able to continually re-examine itself to look for better and faster ways of doing things. Take Tulip Telecom, for instance. The company came across such a challenge in the recent past. According to CR Narayanan, CIO, Tulip Telecom, “Our network grew in an inorganic way, and we needed to optimise our costs. We connect to our customers from our Points of Presence (PoPs). We have more than one lakh connects across the country today. When a customer shifts location, the load on the PoP in that location reduces. If this happens, in some cases, it may not be economical to continue that PoP, because the cost of running and the cost of providing the bandwidth may outweigh the revenue.” So how did they deal with this? “To prevent revenue leaks, we are monitoring every PoP. http://www.itnext.in/futureofit/index.php/the-agile-enterprise

More on web

White Paper
Value for Business, Value for Customers
It is important to be agile, which means understanding the business and its pain, and being able to alleviate the pain, promptly and efficiently. http://www.itnext.in/futureofit/index.php/the-agile-enterprise

Opinion
Re-thinking Authentication
By Rakesh Thatha
“Open Sesame!” is a classic example of using an authentication mechanism in the famous tale, Ali Baba and the Forty Thieves. http://www.itnext.in/futureofit/index.php/rethinkingauthentication

Expert View
Games Can Transform Business
By Daniel Burrus
Anyone who has children or who has been around them for a while knows that kids, as well as young adults, are attracted to video games like flies to light. http://www.itnext.in/futureofit/index.php/games-can-transformbusiness



Best of Breed

Feature Inside: Rethinking the Enterprise OS

Data Briefing: 4.4 mn IT jobs globally to support Big Data by 2015

Illustration by Raj Verma

Rethink Your Next Critical Security Project

The next big project should be figuring out how to take the investments you've already made and implement them to their full potential

By Rafal Los

Why do security 'solutions' fail to actually solve the problem that you made the investment of time and resources for? If we're honest with ourselves, we can easily look around the organisation and find several projects that, even though they are implementation-complete, are hardly "complete" as they sit. Too often after a catastrophic failure or security incident, we're predisposed to making hasty purchases to effectively stop the bleeding without considering the full scope of what we're doing. This is one of the reasons the worst time to make a technology investment is during a catastrophe.


Along that thread, let's look at your projects list and resource requests for the next fiscal or calendar year. I bet there's at least one or two new "shiny objects" on there that solve some big new problem the media tells you that you have... and I'm probably committing blasphemy as a vendor by saying this but - do you really need those bright shiny new things? All too often the answer is no, and unfortunately this only gets worse as time ticks by.

So what should your next critical security project be?

If the last few weeks of conversations with CISOs planning their budgets are correct... the next big project should be figuring out how to take the investments you've already made and implement them to their full potential. Getting 'full potential' out of existing investments is something one financial CISO runs an end-of-year program for each year. At the end of each year, this CISO spends a few weeks with his team combing through the many dashboards, boxes and security solutions in his environment to figure out where more use can be squeezed out of existing investment in technology. Unfortunately his team doesn't typically have to work very hard to find those gaps. At the beginning of the following fiscal year, the first few 'critical' projects, aside from business-related tasks, are to close those gaps between what the invested technology can do and what it currently does. This is no easy task, mind you, but it's one that yields a large benefit with minimal new investment.

Here's a list of questions to ask when looking back at existing security projects/solutions to decide whether you should be giving them another look...

1. Have you updated, tweaked, tuned the product in the last quarter?
2. Do you use more than 50 percent of the product/solution's core features?
3. Is the product/solution adequately integrated with other solutions within your security practice?
4. Does the purpose the product/solution served when purchased still exist?
5. Does your team have time to regularly maintain, or get use out of, the product/solution?

Those are just a few of the questions from the list... but they give you a good idea of what to think about. Too many 'security solutions' are often orphaned servers, or blinking boxes in a closet, that no one ever checks on, much less regularly maintains or gets useful intelligence out of. After all, aren't security tools supposed to be some of the most actively used telemetry in your war chest? Security organisations, if you haven't noticed, have a glut of 'stuff' blinking, taking power and space, and altogether being nearly useless in their organisations. Niche products are OK, but that "APT Fighter Pro v2.0" security widget probably needs regular care and maintenance ... oh and you should be getting regular benefits out of it!

Ask yourself how many security dashboards you have at your disposal right now, today. I bet it's at least a half-dozen if you're a reasonable sized company... when you do a dashboard-to-analyst ratio, your dashboards shouldn't outnumber your security analysts... yet I find plenty of places where this is true. You can't tell me you're getting value from those if you can't spend quality time with your tools...

The solution then to your glut of 'solutions'? Consolidate, re-evaluate, and maximise.

Consolidate - Take five niche tools that each do one thing really, really well and consolidate them into a single tool that does all five of those things reasonably well in a single product. This gives you better usability, intelligence, and a much higher likelihood that you'll actually get value.

Re-Evaluate - Sometimes that point tool you needed four years ago to fight some fire or band-aid some poor implementation just isn't necessary anymore or it can be rolled up into another tool or solution. Security teams are no more or less guilty than anyone else in IT or business at this. But it's still a cardinal sin - re-evaluate whether you need that widget at least twice a year... because if it's not helping you it darn well may be hurting you.

Maximise - Spend time with the tools that are your life-lines. As an analyst you should know the capabilities of all your security products and solutions. You should know the capabilities as well as limitations - those aren't the same thing, and know when to keep pushing. A SIEM can just be a dumb logging box, or it can be the one nerve center for your enterprise - it's a matter of understanding capabilities and pushing boundaries!

What will your next priority project be for security?

How about you look inward, and figure out how to maximise last year's investments (or the previous years?) and surprise your management by telling them instead of chasing the new shiny thing you're going to reinvest time in the stuff you already own.

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

1.6 bn smart mobile devices to be bought in 2016


Rethinking the Enterprise OS

Should there be a different OS for the consumer market versus the enterprise market?

By Rafal Los

Image by photos.com

We spend a lot of time in information security worrying about how we're going to secure the endpoint, but whether we're talking about the hipster Mac OS, or Windows, or Android on your mobile handset - the divergence of the security model, in my opinion, is becoming obvious. When Microsoft converged their kernel and made a single version of Windows most people were relieved, especially Microsoft developers and security types. It was now going to be easier to maintain the code base - but was that the right call? Should there be a fundamentally different operating system for the consumer market versus the enterprise market?

Different Strokes

The basis for my question comes from the way that 'security' is thought about and enforced in the two use cases. On the consumer end you don't want to have your grandmother thinking about whether she needs to update her Windows to the latest version fixing the various security bugs and adding new features. You'd rather not have to think about 'security' at all. On the consumer end you want simplicity and less opportunity for the user to "make the wrong security decision". On the enterprise end you absolutely need deeper capability of remote management, policy capabilities, and account separation--things that are pointless on the consumer end unless you're talking about remote malware. Enterprises need to inventory their assets, push applications, push certificates or credentials, tokens and the like. Basically you want the enterprise end to be more highly security-configurable, manageable, and deeply defensible from the central nerve center of your enterprise.

Divergent Models

On the consumer end, you want simple. You want the security-based decisions to be abstracted from the user experience. You want the vendor to set policy and push updates, and want to have security 'behind the curtain' where the user can't opt-out of a Patch Tuesday for the sake of convenience. You want the consumer OS to protect the user, often from themselves. On the enterprise end you want control. You need the ability to set policy for a mass of users, and control the experience, peripheral attachment, and properties of that endpoint. You don't want the user to be able to undo the enterprise controls to circumvent your security posture.

What About BYOD?

Thinking about what this means for BYOD - it could be argued that it would be counterproductive to remove enterprise control from a consumer OS because it makes MDM more difficult - but aren't we saying that the endpoint is essentially not the place you want to worry about security in today's modern security landscape? If your enterprise BYOD security policy relies on pushing MDM to your clients, you'll end up with your users doing what I did on my personal iDevice - they'll simply remove access to corporate email rather than have the intrusive, invasive, snooping technology installed on their personal device. You'll have lots of opt-out, or privacy battles. The applications, on the endpoint and backend, the network and user management are what make sense in BYOD rather than the endpoint OS or device.

Recipe for Separation

It makes logical sense to separate out the security models. In the 'consumer' use case we want simplicity. The vast majority of consumer users don't have their own "IT person" at their beck and call, so they need to be spared from having to make those tough decisions they don't understand. When that certificate warning pops up, it shouldn't give you the option to "go to the site anyway"; it should say "This website is not good for you, therefore, you can't go to it" - and end it there. No confusing jargon, no questions asked. On the consumer end of things we want simplicity and the ability to "just use it" without all the complex security overhead the enterprise systems have. Each consumer edition of an OS comes pre-configured with the things that you need to "keep you safe", with simple-to-use interfaces and no-nonsense feedback.

When you're talking enterprise systems, you want central management, and to enable the 'power user' to control their own destiny and tweak controls, configurations and security levels by editing configuration files, making their own choices, etc. You can dump the technical details behind why a certificate error has occurred, and allow the user to continue or quit - knowing they are more likely to have the knowledge to make the choice correctly.

When it all comes down to it, I'm starting to believe having a unified consumer and commercial OS just doesn't make sense. We fundamentally have at least two tiers of users, and we can't continue to do a "one size fits all" solution for them. The big question is... now what?


Cover Story

Slim, trim and efficient

Enterprises are no longer willing to over-provision infrastructure resources. They are consolidating their data centres. CIOs are making a shift from a distributed IT setup to a more efficient and centralised model, leading to consolidation of data centres.

By Akhilesh Shukla
Design By Shokeen Saifi
Imaging By Peterson PJ

In the past few years, the world has witnessed a digital revolution. From paper-based information storage, we have stepped into digital information management. Enterprises are also changing their focus from data to information and analytics for making real-time decisions that impact business strategy and operations for business value. They are focusing and investing more in core functions, capabilities and offerings, and leveraging strategic partners for non-core services to be more effective and competitive. With the evolution of infrastructure consolidation, virtualisation technologies and cloud service offerings, there is a growing tendency to consider data centre operations and management as a non-core function within enterprises. Under the current circumstances of budgetary constraints, it is becoming difficult for a CIO to justify capital investment in expanding, and sustaining the operational expenses of managing, captive data centers. As these offerings are maturing, a CIO’s focus is transitioning from data center management and operations to leveraging technology to provide services that make business operations more effective and efficient.

The U.S. Datacentre 2012-2016 Forecast, a report compiled by IT research firm IDC that provides a census of US data centres by size, sophistication and ownership, says that by 2016 the total number of data centres in the country will decline from the present 2.94 million to 2.89 million. However, the total data center space will grow significantly, from the present 611.4 million square feet to more than 700 million square feet in 2016. The report highlights that service providers, by the end of 2016, will account for more than 25 percent of all the large data center capacity. Virtualisation and server consolidation will result in the decline of physical data centre size and also lead to a decrease in the number of data centres. The shift toward a cloud model for application, platform and infrastructure will eliminate the need for many smaller datacenters.

India is also catching up with the global trend, and most enterprises are no longer willing to over-provision infrastructure resources and are consolidating their data centres. They are making a shift from a distributed IT setup to a more efficient and centralised model, leading to consolidation of data centres into fewer but leaner and more efficient ones. While cloud will lure CIOs, enterprises will still run and manage their critical operations through captive data centers. The Indian IT infrastructure market, comprising servers, storage and networking equipment, will continue to grow and is expected to reach $3.01 billion by 2016, says Gartner. On the other hand, the role of a CIO is changing in an organisation -- transitioning from being a technologist to a business partner to align and influence IT investments to meet business goals.

As a result, a CIO has to ensure high availability of the data centre, plan capacity to ensure optimum use of the data centre, prevent sudden server crashes leading to data loss, ensure recovery of data, and lastly ensure effective cooling of the data centre, all while keeping costs low and keeping pace with the business. “Today businesses are very demanding vis-a-vis IT and infrastructure. Gone are the days when we consider minimal downtime. Business today can no longer afford even a minuscule downtime. Half an hour downtime, which was considered normal a decade ago, today is considered as disaster for an enterprise. Round the clock demand of high availability of IT infrastructure is building a huge pressure on the IT managers,” says M G Raghuraman, Senior Vice President and CIO of MphasiS.

As a result, Data Center Management, in the last few years, has emerged as a big discipline in itself. It involves management of key attributes such as real estate, security, environmental controls, compute and storage capacity, essential services, skilled people support and training, and disaster recovery, to name a few. These key management areas have to be considered in the expansion phase of a growing and competitive business. Multi-national organisations are planning and working on consolidation of data centres for effective management and control. But small and medium businesses (SMBs) are taking a pragmatic approach of relying on strategic partners for such services.

“Worldwide we are using only 10 percent of the data centre space,” says Bhaskar Raj, CIO, FIS Global. He lamented that despite this, IT managers were still adding one data center after another. “Server consolidation is the way forward. Technologies like virtualisation help in utilising the unused processing power of the servers of the data center by adding more applications in the same environment. Consolidation is helping in optimal utilisation of resources and keeping the cost under control,” he says. By consolidating IT infrastructure at FIS's facilities, the company has successfully cut 4 million tons of carbon dioxide emissions and saved around 1200 trees.

Worldwide, including India, technologies like virtualisation and cloud computing services are revolutionising data center dynamics. However, their deployment and adoption are at varied levels of maturity within respective enterprises. “Through automation, IT has effectively and efficiently streamlined the mechanism of provisioning computing capacity based on needs,” says Ashok Sethi, CIO, Sapient. Similarly, cloud computing is a logical maturity and advancement to leverage virtualization capabilities. While effectively managing total cost of ownership, enterprises are leveraging highly configurable offerings/services on a need basis, with committed Service Level Agreements (SLAs) and minimal operational overheads, highlighted Sethi.

Small and Medium Enterprises (SME) are leveraging managed and cloud services including SaaS, PaaS and IaaS. However, these technologies are not very popular among large enterprises that have a huge legacy infrastructure and have already made huge investments. Nonetheless, CIOs looking to expand or set up new data centers are increasingly evaluating service providers focusing on data center infrastructure management, operations and various services. These providers, offering services including Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), ease the load on a CIO and allow him to focus more on business. Besides providing highly trained people, they are leveraging advanced technologies to effectively utilise compute and storage capacity. Of late, following the maturity of these services, CIOs of large enterprises are increasing investments in managed and cloud services for non-core services and gradually reducing investments in captive data centers.

As Sankarson Banerjee, CIO of India Infoline, says, “In India the data center model today is largely renting the physical infrastructure, operated within the country. This model has been serving well in the past. But now CIOs are renting storage space from service providers like Amazon Web Services. No longer he worries about the security, cooling, power supply etc. Even he is not aware of their physical location. Slowly and gradually CIOs have started trusting these service providers, the way we have been trusting our electricity supplier,” he says. And this is the way forward, he quickly added.

However, according to experts, a majority of CIOs still prefer to run critical business applications on their captive data centre. Security and reliability are the key concerns for most of these CIOs. For instance, the training portal of MphasiS and some of its CRM applications are on the cloud platform. The company is also moving new applications to the cloud platform. However, the core applications are still hosted at the captive data center.

Rising energy costs combined with the increasing size, sophistication, and energy density of data centers present new challenges for managers under pressure to continually improve performance and reduce operational expenses. As much as 60 percent of a data center cost is due to power consumption. Similarly, cooling systems account for around 50 percent of the total energy consumed by data centers. It is obvious, therefore, that the optimisation of chiller and conditioner functioning is an essential first step towards improving a data center’s overall energy efficiency. As a result, cost reduction is one of the key sources of inspiration for a CIO to adopt cutting-edge and new data center management technologies. But not everyone agrees. Some are adopting these technologies for increasing efficiency, availability and performance of the infrastructure, especially hassle-free management of the simpler infrastructure. Of late, some adoptions are happening to align the IT infrastructure growth with business growth.

The future definitely belongs to the matured managed services models and cloud services, but that is not going to stop the building of new data centers. Service providers, on the other hand, will certainly see growth in business and they will continue to build data centers for enterprises. Worldwide, cloud is getting popular in countries having a capital crunch. However, in countries like India and China enterprises are still focused on captive data centers. The difference is that the new data centres that are being built are more modular, and flexible to accept new technologies.

Vendors are coming up with cutting-edge technologies to enable CIOs in ramping up the efficiency of their data centres. For instance, a Broadband Bonding Network Appliance has the ability to combine six separate lines into one. The technique, known as bonding, combines the broadband lines into a giant pipe having a download capacity of up to 50Mbit/sec. It is independent of internet access technology. The connection could be through DSL or cable modem or any other broadband technology. Bonding helps to increase the overall throughput, besides acting as a backup mechanism. A Truffle connection keeps running, with the help of the other lines, even if one connection line fails.

“The demand from enterprises has been changing for the last few years vis-a-vis IT infrastructure and data center management. Cloud services are gaining more acceptance. But CIOs are definitely not going to abandon data centers,” says James Young, Technical Director - APAC, CommScope. “They will coexist with managed and cloud services. But the new data centre architecture will be built in a way to run it cheaper and hassle free,” he adds.


COVE R S TO RY

Slim, trim and efficient

Datacenter will not obsolete in a decade

in a discussion with Akhilesh Shukla, Shree Parthasarathy, Senior Director, Deloitte, talks about the importance of efficient management of data centres

Considering the evolution of the ICT industry, digitisation of data, growth of mission-critical applications etc., how important have data centers become for enterprises?

We are living in an information age where data or information is essential for running the day-to-day operations of an organisation. In the last few years, after the rise of information technology, we have seen an explosion of digital data, in both structured and unstructured form. Data has become the intellectual property of organisations; as a result, data storage, management and accessibility have become critical for a CIO. Following this, data centers have gained significant importance in an organisation. A CIO has to ensure round-the-clock availability of data, information and mission-critical applications to the workforce. Security of data is another key concern in front of CIOs. Any breach in data center security or non-availability of the data center means a halt in business and a fall in the reputation of the organisation. Proper data center management holds the key to the success of any business or organisation.

What are the key concerns and challenges in front of a CIO when it comes to data center management?

Data center structure has become very complex following the explosion of data and the growing dependence of businesses on IT infrastructure. A number of mission-critical business applications are also running in the data centers. Further, a data center has to be agile and scalable to accommodate the changes in the fast-moving competitive business environment. Globalisation and the mobile workforce are also adding to the pressure and complexity on the data center structure. A CIO has to ensure information availability to the workforce sitting within the four walls of the enterprise and has to provide a similar experience to the mobile workforce. Consumerisation of devices has demanded information ease of use on all platforms. Meeting regulatory compliance is another tough challenge looming large in front of CIOs. A large amount of time and resources today are spent on meeting the required compliance. Besides, the attrition rate is high among trained manpower, resulting in a scarcity of trained manpower. All these facts are putting a lot of pressure on data centers and making their management difficult for CIOs.

While procuring a suitable solution for data center management, what are the key things that a CIO needs to keep in mind?

Earlier a CIO had to build a data center from scratch. Today, however, the role of the CIO has matured and he is more into governance, management and meeting the regulatory compliance of the data center. The credit goes to the various data center management models being offered by vendors. These models have, over a period of time, matured and are considered as secure and reliable as any data center hosted within the organisation. However, if a CIO decides to manage the data center himself, then he has to carefully audit the skill sets and technology resources available within. A cost-benefit analysis is a must before choosing any available model that should be helpful in a handsome reduction of the operational cost. Needless to say, the solution has to match the business requirement. It should be agile and scalable enough to keep pace with business growth plans. He has to ensure that the new solution fulfils the required regulatory compliance. I would suggest a CIO first understand his needs and carefully look for the model which suits his enterprise and business requirement.

“A cost benefit analysis is a must before choosing any available model that could be helpful in a handsome reduction of operational cost.” Shree Parthasarathy, Deloitte

How are cloud computing and virtualisation changing data center management dynamics?

Virtualisation and cloud computing could be game-changing technologies for mid-size and small organisations. On the other hand, these technologies give the CIO of a large enterprise an opportunity to consolidate his IT infrastructure and significantly cut the operation cost. The true cost saving is in the adoption of cloud computing. It could help an organisation shorten its go-to-market period. However, despite the benefits, adoption of cloud is not very high among mature enterprises. CIOs of these organisations are a little skeptical of cloud adoption due to security concerns. However, vendors offering cloud are taking handsome care of cloud security. Cloud, on the other hand, gives a handsome opportunity to small and mid-size enterprises looking for cost-effective storage solutions. They do not need to invest in hardware and hire resources to manage the infrastructure. It is scalable and agile, besides the cost benefits. Both the technologies have handsome cost benefits.

As per a report, the data center will become obsolete in the next 7 to 10 years. Under the circumstances, what challenges does it throw in front of a CIO?

I may not agree that the data center will completely become obsolete in seven or ten years. Though slowly and gradually the trend is heading in a similar direction. With the rise of services like cloud computing and managed services, an enterprise no longer needs the physical infrastructure in its facility. It is a huge opportunity for small and medium-size organisations. However, I do not see large enterprises completely moving to a cloud or managed services model in the near future. They might, as the trend suggests, move some of their business applications to the cloud platform. Still, they will not prefer the core business applications on a cloud platform. Going forward, I see the coexistence of both models.



Relocating benefits

Flipkart, India's leading e-commerce giant, has relocated its data center to India to support its fast-paced business. The results were more than expected.

In 2007, Flipkart made a low-profile entry into the then little-popular e-commerce industry in India. The objective was to make books easily available to readers with access to the internet. Today, five years down the line, Flipkart is present across various categories including movies, music, games, mobiles, cameras, computers, healthcare, personal products, home appliances, electronics, stationery, perfumes, toys and counting. The company has more than three million registered users and claims to sell 30,000 items a day. Flipkart's revenue grew phenomenally in the period. From a mere Rs 11.6 crore in FY 2009-10, its revenue jumped to about Rs 50 crore in 2010-11. It reported revenue of over Rs 500 crore by the end of FY 2011-12 and has a target to reach $1 billion (about Rs 5,500 crore) in sales by the end of 2015.

One of the key recipes for the success of the Bengaluru-based company was its ability to provide a memorable online shopping experience to customers. The company has deployed robust information technology tools and solutions to make online shopping a hassle-free and secure affair. A shopper can even track the shipment movement online. “After entering into the e-commerce space we have leveraged technology to gain visibility and run business. We have invested handsomely in information technology to drive our business. It helps our customers at the same time running our business,” said Amod Malviya, Vice President, Engineering, Flipkart. “Our investments in various IT domains are higher than industry standards,” he was quick to add.

In 2010, as traffic on its website grew manifold, the company started looking for an agile and robust data center solution housed in India. The company's data center was located in Canada. The country offered some key benefits to Flipkart, like the low cost of highly reliable electricity supply, cool weather and being less prone to climatic disasters. But due to the location, the web portal had higher latency for people logging in from India. It was not good for Flipkart's business, as most of its customers, around 95 percent, were logging in from India. The data center hosted in Canada had a latency of around 300 milliseconds. The relocation has cut the latency to 30 to 35 milliseconds. Latency holds the key to the online shopping experience. The lower the latency, the better the experience, resulting in higher conversion rates.

Flipkart's IT team was also facing a challenge in communicating with the IT team managing their data center facility in Canada. “The IT team in Canada was good to work with, but communication was a challenge. First, due to the time difference, connecting with the right people at the right time was a challenge and there was hardly any face-to-face interaction, which was required in implementation of ideas,” says Malviya.

Moving the data center was not an easy task for the Flipkart IT team. Being an unconventional domain, the IT infrastructure of an e-commerce company has to be robust and should have bare minimum downtime. For a company like Flipkart, which claims to clock sales of Rs 2.5 crore per day, a few hours of downtime could result in a loss of millions. This is besides the fall in reputation. Adding to the pressure, the traffic load on the IT infrastructure of an e-commerce company is highly unpredictable, unlike that of any traditional organisation. As a result, they need to have an IT backup that could be scaled up very fast.

“The high availability of IT infrastructure and 99.99 percent up-time of the portal resulted in 20 percent jump in conversion” Amod Malviya, VP, Engineering, Flipkart


Besides, Flipkart also wanted the data center architecture to support applications developed in-house. In traditional organisations these applications are developed by third parties. The IT infrastructure also has to be agile to support the innovation and development happening in the new-age company.

By the end of 2010, Flipkart started the process of relocating the data centers to India and partnered with Mumbai-based Netmagic Solutions. “We liked the approach of the Netmagic team. From day one we were interacting with the engineering team instead of the sales person. They suggested solutions after understanding our nature of business and problems associated with it. This was unlike many vendors who always try to sell the product on the basis of industry trends,” highlighted a delighted Amod.

Netmagic provided Flipkart with a bundled service package that included more than 110 dedicated servers with firewall and switches in the datacenter. To avoid any breach of security, as an e-commerce website is prone to hacking attacks, Netmagic has provided Vulnerability Assessment and Penetration Testing (VAPT) services to secure any loopholes. Round-the-clock network monitoring and support service helped Flipkart to get faster resolution of any issue. Further, the Netmagic partnership helped Flipkart to optimise its existing IT infrastructure to support their fast-paced growth platform. Post implementation, Flipkart successfully reduced its Total Cost of Operations (TCO) by amortising the hardware costs over a period of three years.

Post relocation of the data center facility to India, Flipkart has benefited in numerous ways. "The high availability of IT infrastructure and 99.99 percent up-time of the portal ensured a good customer experience resulting in 20 percent jump in conversion," says Malviya. Round-the-clock technical and maintenance support not only ensured faster turnaround time, but also helped Flipkart to remain focused on its core business.

“Since the relocation, we have witnessed a growth of 200 percent QoQ in our business. One of the key reasons for growth is our robust and agile IT infrastructure making the shopping a wonderful experience,” says a delighted Malviya. Flipkart, to ensure business continuity for their scaling-up operations, is looking to add around 100 more servers in the Chennai datacentre. In the event of disaster this datacentre would act as a backup site.



Cutting edge innovations for data center

CTO Forum presents some of the latest innovations happening in the data centre space. These technologies promise to increase the efficiency of the data centre.

1. Smart fiber optics
Intel has developed Light Peak, a fiber-optic cable that will help reduce clutter and speed up transmission. The cable is already being used in laptops and desktops and is now heading to data centres. With a diameter of 3.2mm, the cable is as thin as a USB cable and can be 100 feet long. Light Peak presents interesting possibilities for data centres. While fiber optics connects mainframes at 200Mbit/sec, Light Peak runs data at 10GB/sec. The developers claim that Light Peak eliminates unnecessary ports and delivers data with higher throughput.

2. Submerged liquid cooling
GreenDEF, developed by GR Cooling, has added a new twist to the liquid cooling of data centers. The new coolant is extracted from mineral oil and is nontoxic. It costs less and, unlike water, is not electrically conductive. The coolant moves through the floor and travels up through all the nodes. The company claims that it cuts the cooling cost by 30 to 40 percent vis-a-vis traditional air-cooled systems.

3. Connecting multiple data centers easily
The process of connecting multiple data centers has always been troublesome. Cisco's Overlay Transport Virtualisation (OTV) helps reduce the trouble to a minimum while connecting multiple data centers. It is a transport technology essentially for Layer 2 networking. OTV software updates network switches and connects data centers placed in multiple locations. Cisco claims that OTV does not require redesigning of the network or core services including label switching. It simply overlays onto the network and inherits all the benefits while maintaining the independence of the Layer 2 data centres.

4. Priority-based e-mail storage
Messagemind is a new technology which identifies e-mails that can be safely archived, and at a lower cost. It analyses all of an organisation's communication by tracking the messages which a user reads, deletes or saves. The data centre manager can use these analytics to store e-mail by priority level and reduce the cost of saving it.



NO HOLDS BARRED

Arthur Coviello

“Spend on Detection, Response”

As Executive VP, EMC Corporation, and Chairman, RSA, Arthur Coviello is responsible for RSA's strategy as it delivers EMC's global vision of information-centric security. In a freewheeling discussion with Yashvendra Singh, he talks about the changing security paradigm and its impact on enterprises.

DOSSIER

Company: RSA
Established: 1982
Headquarters: Massachusetts, US
Products: Encryption and network security software
Employees: Approximately 1300


While new security models are coming up, miscreants always seem to be a step ahead. Is it time to revisit the concept of enterprise security?

The threats are alarming but that’s always the case. So, while the threats seem to get more sophisticated, the capabilities to combat the threats are entering into a whole new generation. I feel in the last 10 years, we have made the mistake of thinking we can erect ever higher walls around our infrastructure and feel safe. In fact, we were opening up those walls with web applications, mobile devices and cloud computing. So it is like selling locks to people for their doors but the people are leaving the doors wide open. The need of the hour is to change the model from protecting the parameters to being able to respond once someone gets inside. People think it is a calamity when someone breaches your infrastructure. However, it is a calamity if you fail to recognise that someone has breached your infrastructure. We have an opportunity to put in place a security model that can react timely and respond quickly enough to prevent loss as opposed to trying to build almost perfect systems of prevention. So, we are shifting our focus from perimeter defence to the ability to get contextual information from the controls and analysing it in a big data application.

You yourself have been a victim of a breach last year. RSA received a lot of bad press and also lost customers. Have you bounced back and how?

I think we bounced back by doing the right thing. It is not the breach but how you respond to the breach that is important. The attack on us proves (and we have very sophisticated systems) that all people are vulnerable. We were able to see the attack in progress. While we were unable to stop it, we were able to go public with the fact and with mitigation steps for our customers. The proof of this is that no customer faced a loss because of this.

As a result, when the dust settled and the bad press disappeared, customers realised that we had actually done the right thing. We offered tokens to some of our customers, which too benefited us as they realised that we would always stand by them.

Everyone wanted to learn what lessons we got from the breach. So we were in great demand for these lessons. Further, from these lessons we developed more capabilities, some of which we have incorporated in an advanced analytics product that will be launched in the next quarter. That we have bounced back is also seen from the fact that our revenue continues to grow nicely and we continue to do well in the market.

Since the attack on RSA, what do CIOs discuss with you?

They mostly want to know what strategy they should adopt. They are interested in two things – threats and the models that they should be using for security going forward. I seldom talk about customers when I interact with CIOs. I show them the bigger picture where security needs to go and I generally get their agreement that my pieces make sense. They say none of the security vendors talk to them like RSA does.

But despite the interest in security, many enterprises still lack a CSO office.

The number of CSOs has increased dramatically. It is the pattern of reporting that is undergoing a change. So, earlier a CSO used to report to the CIO; now he is reporting to the Chief Risk Officer (CRO) who reports to the board. So, the reporting lines are changing. It's not that all organisations in the US are uniformly more mature than those in India. The top organisations in India match up with the top organisations in the US. In terms of percentage there might be more in the US that are mature than in India. It is just a matter of time before more organisations in India also mature. This does not imply that Indian companies are not attacked. They are attacked nearly as much as the companies in the US.

Do you believe in the theory of ‘offence is the best defence’? Should corporates counterattack adversaries?

Should citizens attack criminals before the criminals get a chance to attack them? Should we arm our citizens with guns and weapons so they can shoot the criminals? It is probably not a good idea. The same is true in cyber security. First, so many websites get spooked, there are so many botnets but there are very few companies that carry out a counterattack. Second, doing so is illegal and it is always good to follow the law. But you are not wrong in one sense – we need a better capability to anticipate an attack to better recognise it. So we need to share information such that if ‘A’ gets attacked and is able to see the attack we can use his experience to save ‘B’. The best defence is the thorough understanding of the attack methodologies and information sharing for getting the ability to see the attacks.

But new trends such as cloud and BYOD are further making life tough for CIOs. What is your take on this?

Security people will have to learn and manage what they can’t control. The new model of security has to start with a thorough understanding of risk. Only if you can understand risk can you structure a security regime taking care of BYOD, consumerisation of IT and cloud. The controls you deploy inside and outside your infrastructure have to be more dynamic – be able to react to facts and circumstances and be situationally aware. Data moves based on patterns. You have to keep track of whether this data is going to someone who doesn’t normally use it. Is it leaving the infrastructure and going where it normally doesn’t go? For example, is credit card information being embedded in mail? Credit card information is designed to be processed and stored. We, therefore, have to spot these patterns of abnormalities and react to them quickly enough to prevent a loss from occurring. This is possible only if you have situationally-aware technology.

Still, 80 percent of the security budget of a corporate is spent on prevention solutions, 15 percent on monitoring and only 5 percent on response-related solutions.

This speaks of the problem in security today. A perimeter-based solution is static and is siloed and it relies on stopping things at the perimeter. That is why 80 percent of budgets are around prevention. In today’s day, where infrastructure is so open that breaches are going to be commonplace, the spend has to change towards detection and response. Our argument is that the spend should be a third on each (prevention, monitoring and response).

By moving on to the cloud, aren’t we reducing the burden of security by concentrating on a few service providers rather than thousands of corporates?

If the service provider is really good at security, then you are better off having your information in the cloud. Some people look at all this concentration of information as a single point of failure. That is looking at the glass as half empty. It is important to look at the glass as half full. Now you have a single point of focus where you can adjust your risk programme and focus on making sure that it is protected. However, I don’t see public cloud picking up in the near future. It is going too slow for a host of reasons. The cloud providers need to prove that they can provide security. They have to give SLAs and visibility to their customers that their policies around security are being effectively managed. There is a lot of inertia around applications within the infrastructure that may not lend themselves to cloud. There are also cost implications. You have to incur cost to save cost. Companies may be reluctant to spend money to save money. About 10-11 years back, everyone was disillusioned with the Internet. Today, the Internet is pervasive in our lives. Ten years from now, people would just take the cloud as an article of fact.

The new age security solutions will need new skill sets and there could be a gap in getting skilled resources. What are you doing to bridge this gap?

We would need to turn out more such skilled people from universities and train them. We also need to help smaller companies who can’t develop this expertise on their own. We work with a number of universities in the US by advising on curriculum and hiring people from universities for intern jobs. EMC is putting a curriculum in place. In India too, EMC is working with IITs and regional engineering colleges.

How do you see the CIO, CSO roles evolving in the future?

Their roles are getting more interesting. The CIO who has to worry about his infrastructure doesn’t get enough chance to get strategic. How can information change my business – he doesn’t get a chance to dwell on this subject. The CIO job in future will get more strategic and valuable. Similarly, the same mundane implementation of a firewall and the right settings on the gateway will get built into infrastructure and infrastructure services. The CSO will spend more time in risk assessment and evaluation and more time working with the business partners and CIO to advance the security capabilities with the moves that the business is making around IT.



TECH FOR GOVERNANCE

Security

Cleansing the Internet of Terrorism

A look at a few of the most controversial elements of the CleanIT project

By Jillian C. York and Katitza Rodriguez

Illustration by Peterson PJ

5 POINTS

CleanIT project has developed a set of ‘recommendations’ that will compel Internet companies to act as arbiters of what is “illegal” uses of the Internet

Internet companies under the CleanIT regime would be obligated to store communications containing “terrorist content”

The plan also calls for semi-automated detection of “terrorist content”

The document recommends that judges, public prosecutors and police officers be able to temporarily remove content that is being investigated

Languages that have not been mastered by abuse systems to be banned

A new project aimed at “countering illegal use of the Internet” is making headlines. The project, dubbed CleanIT, is funded by the European Commission (EC) to the tune of more than $400,000 and, it would appear, aims to eradicate the Internet of terrorism. European Digital Rights, a Brussels-based organisation consisting of 32 NGOs throughout Europe, has recently published a leaked draft document from CleanIT. On the project’s website, its stated goal is to reduce the impact of the use of the Internet for “terrorist purposes” but “without affecting our online freedom.” While the goal may seem noble enough, the project actually contains a number of controversial proposals that will compel Internet intermediaries to police the Internet and most certainly will affect our online freedom. Let’s take a look at a few of the most controversial elements of the project.

Privatisation of Law Enforcement

Under the guise of fighting ‘terrorist use of the Internet,’ the “CleanIT project,” led by the Dutch police, has developed a set of ‘detailed recommendations’ that will compel Internet companies to act as arbiters of what is “illegal” or “terrorist” uses of the Internet. Specifically, the proposal suggests that “legislation must make clear Internet companies are obliged to try and detect to a reasonable degree, terrorist use of the infrastructure” and, even more troubling, “can be held responsible for not removing (user generated) content they host/have users posted on their platforms if they do not make reasonable effort in detection.” EFF has always expressed concerns about relying upon intermediaries to police the Internet. As an organisation, we believe in strong legal protections for intermediaries and as such, have often upheld the US’ Communications Decency Act, Section 230 (CDA 230) as a positive example of intermediary protection. While even CDA 230’s protections do not extend to truly criminal activities, the definition of “terrorist” is, in this context, vague enough to raise alarm.

Erosion of Legal Safeguards

The recommendations call for the easy removal of content from the Internet without following “more labour intensive and formal” procedures. They suggest new obligations that would compel Internet companies to hand over all necessary customer information for investigation of “terrorist use of the Internet.” This amounts to a serious erosion of legal safeguards. Under this regime, an online company must assert some vague notion of “terrorist use of the Internet,” and they will have carte blanche to bypass hard-won civil liberties protections. The recommendations also suggest that knowingly providing hyperlinks to a site that hosts “terrorist content” will be defined as illegal. This would negatively impact a number of different actors, from academic researchers to journalists, and is a slap in the face to the principles of free expression and the free flow of knowledge.

Data Retention

Internet companies under the CleanIT regime would not only be allowed, but in fact obligated to store communications containing “terrorist content,” even when it has been removed from their platform, in order to supply the information to law enforcement agencies.

Material Support and Sanctions

The project also offers guidelines to governments, including the recommendation that governments start a “full review of existing national legislation” on reducing terrorist use of the Internet. This includes a reminder of Council Regulation, which prohibits Internet services from being provided to designated terrorist entities such as Al Qaeda. It is worth noting that similar legislation exists in the US and has been widely criticised as criminalising speech in the form of political advocacy. The guidelines spell out how governments should implement filtering systems to block civil servants from any “illegal use of the Internet.” Furthermore, governments’ criteria for purchasing policies and public grants will be tied to Internet companies’ track record for reducing the “terrorist use of the Internet.”

Notice and Take Action

Notice and take action policies allow law enforcement agencies (LEAs) to notify and act against Internet companies, who must remove “offending” content as fast as possible. This obligates LEAs to determine the extent to which content can be considered “offensive.” An LEA must “contextualize content and describe how it breaches national law.” The leaked document contains recommendations that would require LEAs to, in some cases, send notice that access to content must be blocked, followed by notice that the domain registration must be ended. In other cases, sites' security certificates would be downgraded.

Real Identity Policies

Under the CleanIT provisions, all network users, whether in social or professional networks, will be obligated to supply their real identities to service providers, effectively destroying online anonymity, which EFF believes is crucial for protecting the safety and well-being of activists, whistle-blowers, and many others. The Constitutional Court of South Korea found an Internet "real name" policy to be unconstitutional. Under the provisions, companies can even require users to provide proof of their identity, and can store the contact information of users in order to provide it to LEAs in the case of an investigation into potential terrorist use of the Internet. The provisions will even require individuals to utilise a real image of him or herself, destroying decades of Internet culture.


Semi-Automated Detection

The plan also calls for semi-automated detection of “terrorist content.” While content would not automatically be removed, any searches for known terrorist organisations’ names, logos or other related content will be automatically detected. This will certainly inhibit research into anything remotely associated with what law enforcement might deem “terrorist content,” and would seriously hinder normal student inquiry into current events and history! In effect, all searches about terrorism might end up falling into an LEA’s view of terrorist propaganda.

LEA Access to User Content

The document recommends that, at the European level, browsers or operating systems should develop a reporting button of terrorist use of the Internet, and suggests governments draft legislation to make this reporting button compulsory for browser or operating systems. Also, the document recommends that judges, public prosecutors and police officers be able to temporarily remove content that is being investigated.

Banning Languages

Frighteningly, one matter up for discussion within the CleanIT provisions is the banning of languages that have not been mastered by “abuse specialists or abuse systems.” The current recommendation contained in the document would make the use of such languages “unacceptable and preferably technically impossible.” With more than 200 commonly-used languages and more than 6,000 languages spoken globally, it seems highly unlikely that the abuse specialists or systems will expand beyond a select few. At a time when new initiatives to preserve endangered languages are taking advantage of new technologies, it seems shortsighted and even chauvinistic to consider limiting what languages can be used online.

What Is Terrorism, Anyway?

While the document states that the first reference for determining terrorist content will be UN/EU/national terrorist sanctions list, it seems that the provisions allow for a broader interpretation of “terrorism.” This is incredibly problematic in a multicultural environment; as the old adage goes, “one man’s terrorist is another man’s freedom fighter.” Even a comparison of the US and EU lists of designated terrorist entities shows discrepancies, and the recent controversy in the US around the de-listing of an Iranian group shows how political such decisions can be.

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

65%: CIOs will go for mobile device management

Creation and Administration of a Hotline

A look at the seven essential features to create an effective hotline

By Thomas Fox

For the Astros, it is not this season’s ignominious record of 107 losses, which they achieved with a season ending loss to the Chicago Cubs, but the magic number of 186; which is the number of days until the Astros open the 2013 season and the next time they will be tied for first place in the American League (AL) West Division.

For the compliance practitioner, the same might be asked of your company’s hotline. However apocryphal the story might be, it is too good to pass up, so here we go: in final negotiations with a company to resolve a Foreign Corrupt Practices Act (FCPA) violation, the Department of Justice (DOJ) attorney asked for the phone number of the company’s hotline. Counsel representing the company dutifully provided the number and the DOJ attorney called the hotline only to find it was “not a working number.” Oops.

I thought about the above story in the context of the maxim that not all hotlines are created, or more importantly, administered equally. In an article entitled “Hotline Report Reveals Compliance Concerns” author Karen Kroll looked at the “2012 Corporate Governance and Compliance Hotline Benchmarking Report” and found what she termed “troubling findings”, which are that not only are instances of fraud increasing but that retaliation against whistleblowers is increasing as well. Kroll noted that “despite greater protection for whistleblowers in the Dodd-Frank Act, calls concerning potential retaliation against an employee who has made an inquiry through a hotline increased to 2.9 percent of overall incidents, up from just 2.1 percent in 2010.” But as bad as these figures are, they seem to only presage Kroll’s penultimate conclusion, which is that internal reporting will slowly wither away with the protections offered to whistleblowers under the Dodd-Frank Act and the attendant bounties that can be paid to a whistleblower in the event a violation is uncovered and an enforcement action results in a fine or penalty paid to the US government.

I recently saw a White Paper by Business Controls, Inc., released through Compliance Week, where an un-named author posited that there are seven essential features to create an effective hotline. I found this article to be useful in that it provided information by which a compliance practitioner could quickly review how his or her company might set up a hotline. The seven criteria are as follows.

1. The hotline is developed and maintained externally. The author believes that employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organisation.

2. The hotline supports the collection of detailed information. If information can be gathered and recorded at every point during the complaint life cycle, then compliance officers should have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to uncover trends and hot spots. All report materials should be consolidated in one comprehensive, chronologically organized file, so that you can monitor ongoing progress and make better, more informed decisions.

3. The hotline meets your company’s data retention policies. Retaining data in a manner consistent with your internal data retention policies is important. Make sure your hotline offers a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.

4. The hotline is designed to inspire employee confidence. Kroll’s article discussed above cites the fear of retaliation as strong but also increasing among potential whistleblowers. This can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that “feels safe” can make a huge difference to participation rates.

5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner.

6. The hotline provides inbuilt litigation support and avoidance tools. Ascertain that your hotline is preconfigured to meet the legal requirements for document retention, attorney work product protection procedures, and attorney privilege. Developing these tools in-house can add significantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.

7. The hotline supports direct communication. A hotline should open the lines of communication and give you a direct sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out

If employees don’t know about the hotline, they won’t use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And don’t think of the promotional initiative as a one-time effort. It’s important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees

Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data

Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analysing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system

Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracised or experiencing retaliation, because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As with the management of third party representatives, your real work begins after the contract is signed. You simply cannot set up a hotline without managing it. A fairly administered hotline and investigation protocol is a key component of fair process in your compliance regime. So take a look at your hotline based upon the above concepts. It may be that your magic number needs to change.

62% CIOs are increasing budgets for internal training



NEXT HORIZONS

Feature Inside

The Coming Storm: Forensics in the Cloud
Using Brainware to Store Patient Data

BYOD or Rogue IT?

If IT managers are warming up to and in fact embracing BYOD are they as accepting of Rogue IT in the office?

By Bill Gerneglia

Recent research shows IT management and business leaders are accepting, and in some cases embracing, "bring your own device" (BYOD) in the enterprise. Rogue IT is the name given to the informal, ad hoc software and electronic devices brought by employees into their workplace. If IT managers are warming up to and in fact embracing BYOD are they as accepting of Rogue IT in the office? Is Rogue IT simply an extension of BYOD? Is it cause for headache and concern for the systems, network, and database administrators of companies because of the additional exposure of their networks and databases to enhanced cyber security threats?

Recent research demonstrates some of the quantifiable benefits and complexities associated with allowing employees to use their own mobile devices on their employers' networks. Most organisations are now enabling BYOD in the enterprise. As many as 95% report saying their organisations permit employee-owned devices in some way, shape or form in the workplace. Additionally, the average number of connected devices per knowledge worker is expected to reach 3.3 by 2014. This is up from an average of 2.8 in 2012.

The mobility numbers are staggering and depict the increasingly global consumerisation of IT trend in most organisations. In 2012, the population of the world will reach approximately 7 billion. According to research from mobiThinking, as of January 2012, the number of cellular subscriptions worldwide was approximately 6 billion. The number of cellular mobile broadband subscriptions worldwide was approximately 1.2 billion.

IT managers are balancing security and support concerns with the very real potential to reap significant cost and productivity benefits from the BYOD trend. Research has shown that BYOD is just the gateway to greater business benefits. Over three-fourths (76%) of IT leaders surveyed categorised BYOD as somewhat or extremely positive for their companies, while seeing significant challenges for IT. These findings reinforce that BYOD is no passing fad and is here to stay.

Many IT managers are acknowledging the need for a more holistic approach to managing BYOD. This includes one that is scalable and addresses mobility, security, virtualisation and network policy management, in order to keep management costs in line while simultaneously providing optimal experiences where savings can be realised. CIOs have concluded that mobility needs to extend well beyond BYOD to include the integration of service provider mobility, enterprise mobility, security, collaboration and desktop virtualisation solutions.

OK so what about Rogue IT? It is permeating the organisation through desktops, laptops, and tablets. Rogue IT is viral, unyielding, and for the most part unstoppable. So as the CIO what do you do - embrace it, prepare for it, or try to control and ban it from your organisation?
Consumer oriented cloud-based software such as Evernote or Dropbox in the office are examples of Rogue IT. It is widespread in the organisation as about 43% of businesses report that their employees are using cloud services independently of the IT department. This is according to a recent survey of 500 IT decision makers.

Previously, most enterprise software and hardware decisions were made by the company's CIO and the IT staff beneath that office. Rogue IT changes the traditional IT decision making process, effectively crowdsourcing IT choices to employees. So what does this do to the traditional role of the CIO? What does it mean for the future of IT at many of the largest global enterprises?

For the CIO at the enterprise level there is always room for improvement in IT policies, procedures, and guidelines. CIOs are typically most concerned with security, compliance and back-end compatibility and less with the usability of an application for the employee. This has resulted in less than intuitive operational applications used by the employees which over time make them less productive and less competitive within their industry.

The rapid growth of online, cloud-based SaaS applications permits ordinary workers to bypass IT and make their own software selections. This becomes a real issue for the IT department because there is now a problem with ownership and support for the application.

Who is Responsible for a "Broken" BYOD Device or Rogue IT Anyway?

What happens when your employee's personal laptop or iPad is not operating rationally? Who are they going to call to assist them to troubleshoot? Most likely the employee calls their corporate IT department for tech support. Many of us enjoy complaining about the poor quality of tech and PC support at our organisations. We may think our IT support is a poor performer, until we have to call the retail store where we purchased our mobile phone, or the manufacturer, or worse some 3rd party - because our device is not able to access the corporate email or an important corporate app.

When there is a clear ownership of the device, e.g. corporate owned device is the responsibility of the corporation to support, there is no conflict. But when the corporate email simply "will not work" on an Android device - who should receive the tech support call - the corporate IT help desk? Here is where the finger pointing for support will begin. Should you call your email provider, hardware provider, carrier, or call the corporate IT help desk since you believe you have an established relationship with them? Who ultimately takes responsibility for the support of Rogue IT? How does the CIO budget for BYOD and Rogue IT help desk support?

Making a clear distinction in device support is difficult because if the problem exists with a personal device you really can not expect your IT organisation to support all available mobile devices, or can you? It would be difficult to imagine your corporate IT support staff is competent to handle Apple, Samsung, HTC, Motorola, LG and any other devices each with their own operating system versions, applications, and local carrier issues.

CIOs need to think about these tech support issues when they talk about increased productivity gains. How fast can your corporate support team offer support for a device they own end-to-end, versus having to share responsibility and potentially finger-point with other vendors' support organisations? CIOs often consider the outsourcing route. CIOs relish not having to have fully staffed help desk department that supports cell phone carriers, operating systems, applications, and corporate connectivity issues. This enables the CIO to focus on the important issues that should really matter to your company.

BYOD initiatives and support issues such as these continue to cause headaches for IT departments. Their security mandates grow exponentially as they struggle to prevent corporate data leaks from their private networks onto public clouds. Some of the biggest concerns of IT decision makers dealing with public clouds are the loss of corporate data and control of the location of that data.

In the end, the best SaaS solutions are selected by the peer review process. Employees will beta test and evaluate various application options in the workplace. Eventually, through the selection process the most effective software emerges naturally. The CIO's role in the selection process is reduced to signing off on premium, enterprise-wide editions of the most popular apps.

Once rogue IT becomes accepted by the CIO and the organisation the next step in corporation implementation can take place - integration. The IT department will need to make sure standard corporate applications all work well together and are properly secured so that no corporate data loss can result. The integration process requires the CIO's office to handle the details of collecting and integrating data with other corporate resources as well as assessing data security and regulatory compliance issues. BYOD and Rogue IT offer hope to one day streamline the IT administration aspect of the CIO's role.

According to Fortune, today some of the best crowdsourced IT solutions are social media based. Social media, used by an estimated 1.43 billion people worldwide, has only recently been discovered to be an invaluable workplace tool. Employees can evaluate and introduce new social tools that connect businesses and clients and increase internal productivity. Rogue IT and crowdsourced software decisions permit employees to voice an opinion in choosing intuitive, user-friendly software that can increase their productivity and allow the CIO to focus their attention on more strategic business oriented initiatives.

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

80% of handsets sold in 2015 will be smartphones by 2015

The Coming Storm: Forensics in the Cloud

Computer forensics relies on having physical access to systems, providing examiners with the ability to acquire and interact with hardware

By Ken Westin

Cloud computing has increased productivity and decreased IT costs. However, there is a black lining to this particular cloud, as the benefits come at the price of giving up control, visibility and tracking data provenance. Computer forensics traditionally relies on having physical access to systems, providing examiners with the ability to acquire and interact with hardware such as disks and memory. For example, extracting data from magnetic drives has been a core of computer forensics where examiners establish chain of custody, create a forensically sound image of a drive, and interact with it in a non-volatile state. Mobile devices also store the bulk of their data not on the device itself, but in the Cloud, making data retrieval difficult without a court order and involvement of other parties.

In the Cloud, where we do not have access to the physical hardware and resources are shared, traditional computer forensic techniques are not easily implemented. When a file is deleted the mapping to that file is destroyed instantly and the space can then be overwritten, and this can happen rapidly. If an image itself is shut down it disappears, unless put in a suspended mode where you are still charged for it. Backups of data and images can be made, but given the variables we would need to be able to have snapshots of specific instances in time.

In many cases, unless we are running a private cloud on dedicated servers we control, we may not even know where our data is stored. Cloud data can be stored across multiple data centers around the country, even around the world. Backtracking a piece of data through its lifecycle can be difficult if not impossible. How do you submit a court order to a Cloud provider for forensically sound data, possibly for a crime that happened weeks or months prior? Does your Cloud provider have services to assist with investigations, or even collect the right data to assist you when things go wrong?

It appears that the industry is still struggling with how to deal with these issues, let alone develop standards. In many respects we have opened Pandora’s Box as the benefits of Cloud computing cannot be ignored. In some cases we may not have a choice but to use the Cloud as some tools and applications will only be available utilising it.

What can be done to provide more information and control? Most in the industry look to the importance of logging both onsite within your organisations, as well as with service providers providing more tools to help log critical changes that may be useful in an investigation, identifying breaches proactively.

Data that should be tracked on-site:
Technical controls to monitor systems and networks under an organisation's control
Ensuring proper collection of log files including access logs, firewalls, usage logs, code deployments, content changes (CMS) and others, particularly those that involve passing data to your Cloud instances.

Data that should be collected by providers:
Technical controls to monitor systems allocated to customers such as logs of transactions, access and others that customers can easily access
Option for automatic backups of data and images the client can access and control
Additional technical controls to monitor all systems and networks that support the cloud services including firewalls, load balancers, security appliances, access logs and other data that could be useful in an investigation

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Brainware to store patient data

A seductive notion that will eventually be the way we all store our medical and personal data

By Ken Westin

There is a great deal of talk about how big data is going to revolutionize healthcare. There is also a great deal of discussion in the healthcare and security compliance communities about protecting patient privacy. Here I have discussed in detail why data privacy crusaders are their own worst enemies and why the US would be better off with a national id number and standard vendor-neutral interfaces like HL7 for exchanging patient data between providers and ensuring patient privacy.

“In a world where data is the coin of the realm, and transmissions are guarded by no better sentinels than man-made codes and corruptible devices, there is no such thing as a secret.” Dr. Kio Masada, “The enemy among Us”.

This Alien Shore, by C.S. Friedman, is a space opera that tells the story of a girl called Jamisia. Jamisia has an extremely advanced biological brainware system (brainware is data storage and processing hardware that is implanted into the brain at a young age). She (like everyone else in the novel) interfaces external networks to her brainware using a headset which provides a Brain-Computer Interface.

We need to empower patients to drive their own healthcare, with an emphasis on preventing rather than curing illness, and with support from the right information and technologies. By adopting this new mind set, pharma companies will find it increasingly easier to decide how to capture, collate and analyse data. The company will also position itself strongly to identify and design market-leading products and services for a patient-centric world.

It seems clear that if pharmaceutical companies can access the right data from patients, then they can design and develop and manufacture better products. This is good for patient health but possibly problematic for current regulation and gatekeepers of patient privacy. However, as Dr. Kio Masada correctly notes, there is no such thing as patient privacy once big commercial ventures like large pharmas get involved.

A patient-centric world

To help counter these trends, medical providers, governments and financing entities in the U.S. and a number of other countries are applying patient-centric approaches to healthcare. Patient-centric does not imply a fixed set of guidelines; rather it is a fluid and still-evolving definition characterized by practices that benefit patients: ensuring that they receive the best treatment, at a reasonable cost, while putting into place strategies that will help individuals avoid becoming sick in the first place.

Cardiovascular disease (CVD) remains the leading cause of death in the US. Therapeutic lifestyle change (TLC) is an effective intervention to reduce the risk of CVD. In developing a patient-centric electronic health record (PC-EHR), our project aims to build an evidence-based support system to facilitate patient-provider interaction, foster cooperative chronic disease management, and promote adherence to TLC guidelines by both providers and patients.

There are 4 dimensions to patient data:

1. Data security. We have to give some credit to the healthcare providers with all their HIPAA compliance requirements, security professionals, systems, policies and procedures and awareness training that they know and try to protect data. Yet – with all their resources, it seems that the average HCP cannot reliably prevent data loss, so we know that awareness of the importance of data security is not sufficient. Putting it differently, if I cannot convince my children to protect their data online how can I reasonably expect awareness to be a sufficient countermeasure for HCPs?

2. Data quality. The quality of data that is used in the clinical decision making process should be rated against standards of evidenced based medicine. Introspective data, data culled on Google by the patient are important but cannot be the primary source for the data used by a clinician to make a decision. This is why doctors went to medical school and with all due respect to involving patients in the decision process and reinforcing a strong and positive patient-doctor relationship, it is incorrect to predicate medicine on user-generated content.

3. Data ownership. One can definitely argue that patients already “own” the data and that this data ownership is already provided for by law in most countries in the Western world. If this is the case, then since a patient owns his data, patient privacy should be an issue of consent and access granted by the patient. In a patient-centric world, the patient would have complete control of her data.

4. Data accessibility. Data accessibility means that any patient or empowered caregiver should be able to access patient data using a common and well known key, such as a national ID number. The fact that the US for libertarian reasons continues to object to national ID does not change the fact that the rest of the world has found this a useful and economically effective way of accessing data. In a patient-centric world, the patient would always have access to their data.

Although I don’t believe in technology silver bullets for the problems of mankind, brainware and headsets that provide an interface to external networks is an extremely seductive notion that will eventually be the way we all store our medical and personal data.

Imagine a hypothetical patient, aged 75 with Parkinson’s disease. Our patient has developed CHF (congestive heart failure) and has been admitted to hospital after collapsing at home. Today, the patient would be admitted and wait 1-2 hours (at least) to see a cardiologist, probably a resident with 1 hour of sleep the past 72 hours who would then spend another 30-45 minutes interviewing the patient and reverse engineering her condition. The patient and caregiver might or might not provide accurate information regarding the drugs she is taking and in particular where she is holding on her Dopicar regime.

Now imagine that the patient has implanted brainware. The patient also has a headset with a BCI (Brain-Computer Interface) that can interface with a hospital network. The brainware has a Careseeker module which administers her Dopicar and keeps track of falls, dizziness, heart rate and other vital signs. Using the headset, the patient jacks into the hospital network and her symptoms and history are presented immediately. Patient privacy is a non-issue since the data is interfaced with a trusted computing interface at the hospital and people are not involved.

The access is on a consensual basis and once consent is given, care can be provided far faster than with the current system where a patient may die just waiting to see a cardiologist.

Not so far in the future – it seems that brainware, headsets and Careseeker modules will be the best way to satisfy the requirements for all 4 aspects of data: patient data privacy, patient data quality, patient data ownership and patient data accessibility.

The impact of brainware and patient data that is truly owned by the patient will be huge. It will probably impact the doctor-patient relationship, freeing the data from data collection and enabling the doctor to focus quickly and more effectively on the best therapeutic plan.

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


VIEWPOINT Steve Duplessie | steve.duplessie@esg-global.com

illustration BY photos.com

Research - Used For Good and Evil The 5 Hour Energy Amazing Findings!

Good research can make a legitimate decision/argument compelling, but even questionable research can make you buy something.

Anyone paying attention to the absurdity of the US presidential candidates’ claims has seen exactly what I’m talking about. Research can be manipulated to say anything about anything. Most research, as is the case in politics, is used in an attempt to defend or prove a position (or decision in business) that has already been made. You can always find some numbers to say something that defends the dipshit statement you just made.

I’ve long advocated using legitimate data to guide decision making, but I’m also a realist. Agree with ESG data, you’ll use it to say “I told you so!” to the world. Disagree and you’ll either ignore it, or tell everyone that we must have been smoking some crack when we came up with those numbers!

The power of research used to sell something is inarguable. It’s often stunningly senseless—but tremendously effective. Case in point: 5 Hour Energy (www.5hourenergy.com) has a commercial out now that begins with a sharply dressed, business-looking woman sitting on a desk, next to a stack of thousands of sheets of paper. She states that 5 Hour Energy “asked over 3,000 medical doctors to review 5 Hour Energy, and the results were amazing.” Between the lines: Asked them what??? Here’s the amazing part: “Over 73 percent of those who reviewed 5 Hour Energy said they would recommend a low calorie energy supplement for their healthy patients who take an energy supplement.”

Wow. Read that again. Over 73 percent of those who reviewed 5 Hour Energy... how many was that exactly? Four or 2,600? ...said they would recommend a low calorie energy supplement for their healthy patients who take an energy supplement... WOW!!! That’s the money shot! No one said they would recommend 5 Hour Energy—only that if their patient was already taking an energy supplement, they should take a diet version. 27 percent apparently disagreed and felt a higher calorie version of energy drink would be a better idea. Who the hell are these nitwit doctors?

My point is the entire “research” is completely and totally useless. It says nothing. Nothing at all. Yet as my dad used to tell me, “It’s not what you say, it’s how you say it.” I have no idea how many people actually see this commercial and think, wow, there is serious medical research behind this product and go buy it, but I’m sure it’s a lot.

“Nine out of 10 dentists surveyed whose patients chew gum, recommend chewing sugarless gum.” No shit. The other guy is the only one honest enough to realise his business is predicated on the dopes who chew sugared gum and drink gallons of straight Coke. Good research can make a legitimate decision/argument compelling, but even bullshit research can make you buy something.

About the author: Steve Duplessie is the Founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

