07 November 2009 | Rs.50 the cTo forum
A 9.9 Media Publication
Technology for Growth and Governance
vishal salvi, SVP & CISO, HDFC BANK.
burgess cooper, CISO, Vodafone, India.
Puneet k kohli, CIO, Soma Networks.
rajesh munjal, Head IT, Carzonrent.
Sachin Jain, CIO & CISO Evalueserve.
Beyond our differences
The
Restless
and
The
The new breed of energetic and ambitious minds challenging the status quo and mastering the 'art of possible' p21 Vikram Saxena, Head IT Emani Group.
joybrata mitra, CIO, Daikin India.
atul luthra, Group CIO, PVR Cinemas.
daya prakash, Head IT, LG Electronics India.
volume 05 | Issue 06
best of breed
by invitation
Next Horizons
keeping customers for life p13
it is about utility not technology p18
the seMantic web p37
arvind sood, CTO WNS Global Services.
tech for governance seven sins of security p50
the cto forum
editorial
N
We are the world...
o, I am not going to sing and complete the highly popular 1980’s song by Michael Jackson and Lionel Richie. But, as I pen my thoughts for this issue, I cannot think of a more fitting headline to my editorial. It captures the essence of our somewhat daring cover story on the ‘young and the restless’ – who are so ready to take on the world! In our editorial meetings to plan this issue, we spent time wondering how we would define the limits of this story – what about the young and bright minds we would leave out? Also, how do we simultaneously acknowledge our trend-setting, young-at-heart CIOs who have mentored and shaped these young leaders? And then we decided that we had to begin somewhere... The trend is obvious and the story compelling. It is well-known that leaders are becoming younger and the old order is making way for the new. But who are these individuals? How do they view their own roles? Where are they in their organisational hierarchies? What are they challenged by? What makes them tick? And what do they believe makes them winners? Do they have mentors and role-models? And what next... The opportunity to participate vicariously in their journeys has been fascinating. More so, since each one of the innovative and disruptive minds I wrote to – responded with candour and passion to our never-ending questions. Here are some top-of-the-mind findings:
www.thectoforum.com n
Our ‘young and restless’ brigade is spread across organisations – medium-sized, MNC and large conglomerates Many don’t report directly to the CEO – but are clearly identified as ‘leaders’ and therefore participate as members of the senior management team They see themselves as ‘change agents’ They all respond ‘beyond the call of duty’. And each one has mastered the ‘Art of the Possible’. Last but not the least, the language of business is second nature to this new breed of technology leaders. They almost live The CTO Forum tagline – ‘technology for growth and governance’ i.e a very holistic view of how to leverage technology for maximum impact in their corporations. They display several other favourable traits for moving to the ‘CXO suite’ – they are collaborative with peers and line of business executives, they build formal and informal networks, they balance change with consolidation, and embrace innovation. Inspiring, at the very least... Beyond the cover story, in our effort to bring you more and better, we have established alliances with highlyreputed international organisations. I look forward to your feedback on their contributions in this issue. Please write in with your comments - that’s what keeps us going...! n Rahul Neel Mani rahul.mani@9dot9.in
07 NOVEMBER 2009 | the cto forum |
1
it management
shiva shankar, vice president
& head – it infrastructure & security operations, reliance communications
R
unning the IT operations of a telecom company can be a nightmare, but thanks to processes and tools life becomes a lot more simpler. The business expectations grew manifold until recession shifted the focus towards cost-savings in every aspect of delivery. In all operations, the business has expectations from IT and unless the same is delivered there is no value. Despite the best of technical teams being present, the operations was unable to satisfy business because of issues within the environment where operations and business were not in sync. Various support groups were working in silos. There were no common processes. The cost of operations were high, supplier management was poor. The operations team had no tool to measure their performance till few years ago. Those were the times I started interacting closely with business through the delivery organisation to understand their vision and needs from IT. All their requirements were defined in a measurable Service Level Agreement (SLA). To be more measurable, central ITSM team and a common ITSM tool were formed and deployed. It touched the lives of every employee in the company. As a result, email crossfire reduced. Processes like Service Level Management (SLM), Configuration Management took shape. Trails of training and injection of steroids in the form of process adherence led to operational excellence day-after-day. We also formed a central monitoring team to monitor infrastructure, application layers and also few missioncritical business processes. This helped the support group to be more proactive, thereby improve availability of service and reduce the cost of outage. The whole bunch of IT devices were renamed as CIs and plugged into the CMDB and tracking it from its physical location to the due dates of the Annual Maintenance Contract relieved the pain not just for me as the operations head, but for my CFO as well. On the data centre front, we introduced consolidation and virtualisation of systems that were with high Total Cost of Ownership (TCO). We also consolidated the support of the operations under a central team. This resulted in reducing the FTE count and added to the topline of IT and the organisation. Automation is the mantra stressed in every team meeting.
www.thectoforum.com n
These initiatives gave leverage to in-source support from vendors, thereby reducing the vendor cost. This also helped team to improve the productivity, thereby being able to support more customers without augmenting additional resources. There were too many platforms and technologies, which required many vendors to support them. This diluted the ownership of the vendors and helped them shy away from their responsibilities. To overcome this, multiple small and old apps were migrated into consolidated solutions. Likewise, the OS platform was also regularised to a single UNIX and Windows platform. Currently, I am doing capacity planning to extract more out of the systems. I am also planning to chalk out an operations roadmap for the coming years so as to cope up with the business needs and meet competition. There’s still miles to go, but I am happy about the miles that I crossed with vivid memories. I believe operations is a constant marathon: you need to keep running without losing energy. I believe it’s possible. n
07 NOVEMBER 2009 | the cto forum |
3
i believe
Marathon Man
your comments
www.thectoforum.com
Volume 5Issue 06 07 NOVEMBER 2009
Editorial
Editor: Rahul Neel Mani Consulting Editor: Shubhendu Parth Online Editor: Geetaj Channana Assistant Editor: Gyana Swain Special Correspondent (Mumbai): Vinita Gupta Sr. Correspondent: Charu Khera, Jatinder Singh
Dear Editor, CTO Forum magazine keeps us updated about new technology and business processes. The topics under cover story with the quotes from business leaders are really very useful.
Regards, Umesh Khandelwal General Manager – IT BMW , India
October | 21 | 2009 | Rs.50
A 9.9 Media Publication
Technology for Growth and Governance
MANAGED SERVICES
BOON or BANE? Managed services offer cost benefits and provideflexibility of infrastructure scaling up and down p17
MANAGED SERVICES: BOON OR BANE
Managing Director: Dr Pramath Raj Sinha Printer & Publisher: Kanak Ghosh Publishing Director: Anuradha Das Mathur
Keep up the good work
THE CTO FORUM
Design
Sr. Creative Director: Jayan K Narayanan Art Director: Binesh Sreedharan Associate Art Director: Anil VK Manager Design: Chander Shekhar Sr. Visualisers: PC Anoop, Santosh Kushwaha Sr. Designers: TR Prasanth & Anil T advisory Panel
Ajay Kumar Dhir, CIO, Jindal Stainless Anil Garg, CIO, Dabur David Briskman, CIO, Ranbaxy Mani Mulki, VP-IS, Godrej Industries Manish Gupta, Executive Director and CIO, India Foods & Beverages, PepsiCo Raghu Raman, CEO, MSSG S R Mallela, Former CTO, AFL Santrupt Misra, Director, Aditya Birla Group Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices Vijay Sethi, VP-IS, Hero Honda Vishal Salvi, CSO, HDFC Bank Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay Vijay Mehra, Group CIO, Essar Group
Insightful articles Dear Editor, I like the CTO Forum Magazine because it provides a crisp update on the latest technology happenings. The articles in the magazines are good and relevant to today’s times, and cover the necessary details that I need to know. I look forward to the next edition intently.
volume 05 | Issue 05
sounding board
S P I N E
QUESTION OF ANSWERS Making Sense Of Green p14
BEST OF BREED The new management imperatives p31
advertisers’ index VERIZON . . . . . . . . . . . . . . . . . . . . IFC CIO PASSION . . . . . . . . . . . . . . . . . . 8 IBM . . . . . . . . . . Reverse Gate Fold RARITAN . . . . . . . . . . . . . . . . . . . . 49 SAS . . . . . . . . . . . . . . . . . . . . . . . . IBC CISCO . . . . . . . . . . . . . . . . . . . . . . . BC
Regards, Parminder Singh Sr VP & CIO - Global Jubilant Organosys Ltd, India.
Sales & Marketing
Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath Production Executive: Vilas Mhatre Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh OFFICE ADDRESS
Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House,Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Editor: Anuradha Das Mathur
C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India
Your feedback
VP Sales & Marketing: Naveen Chand Singh National Manager-Events and Special Projects: Mahantesh Godi (09880436623) Product Manager – Rachit Kinger Asst. Brand Manager: Arpita Ganguli Co-ordinator-MIS & Scheduling: Aatish Mohite Bangalore & Chennai: Vinodh K (9740714817) Delhi: Pranav Saran (09312685289) Kolkata: Jayanta Bhattacharya (09331829284) Mumbai: Sachin Mhashilkar (9920348755)
Printed at Silverpoint Press Pvt. Ltd. D 107,TTC Industrial Area, Nerul.Navi Mumbai 400 706
4
| the cto forum | 07 NOVEMBER 2009
n www.thectoforum.com
07.11.2009 21
contents
cover story
& G N S U S O TH E
Y TLE S E
THE
R
the good thing about being young is that you are not experienced enough to know you cannot possibly do the things you are doing .
i believe
Marathon Man 3
shiva shankar vp & head - it , infrastructure & security ops , reliance communications
q &a
Obtaining Security Assurances is a CIO’s Biggest Challenge 10
tom clare sr . director product marketing , secure web gateways
view point
Coming of Age 56
george zakharia on the growing pains of a tightly coupled infrastructure
www.thectoforum.com n
next horizons
CIO 2020 : New Challenges; Newer Possibilities The new CIO will have to totally immerse himself into the tactical business processes as well as strategic relationships....... 35
best of breed
The IT Imperative IT must be seen as a necessary part of business rather than as a necessary evil .......................................................................15
tech for governance
Seven Sins of Security The failure of many security initiatives can be prevented by carefully looking at - and avoiding - the primary sins associated with policy implementations and rollouts . .................................................... 50 cover design : binesh p s
regulars Editorial.........................................................................01 Sounding Board............................................................04 Enterprise Round-Up.....................................................06
07 NOVEMBER 2009 | the cto forum |
5
enterprise round-up
technology and business
Teradata Cloud Extends Architectural Flexibility
T
eradata Corporation has announced that the Teradata Enterprise Analytics Cloud provides Teradata customers architectural flexibility, which will enable them to meet their expanding analytic needs by leveraging cloud computing technologies. Initial offerings include the Teradata Agile Analytics Cloud, Teradata Express on Amazon EC2, and Teradata Express for VMware Player. For the business user, public and private clouds provide flexible, self service for the rapid building of short term analytic data marts, allowing users to pay only for the computing power actually used. More importantly, these cloud solutions offer business users and developers another means of improving decision making with agility and speed. Teradata Agile Analytics Cloud The Teradata Agile Analytics Cloud, Teradata’s entry into private Cloud Computing, is a unique set of products, capabilities and services designed to enable agile analytics in a Teradata private cloud environment. This allows for rapid development and sandboxstyle analytics. Business users can create data marts inside their Teradata system within minutes. This eliminates the need to build separate, costly physical data marts, because the production data can be accessed directly, without data movement or duplication. Built on the proven Teradata Database and platforms, the Teradata Agile Analytics Cloud combines advanced workload management, the new Teradata Elastic Mart Builder tool, and a services methodology to enable business users to rapidly exploit data marts inside their Teradata System. The Teradata Agile Analytics Cloud allows the business user to rapidly analyse data and respond to market opportunities with speed and confidence. This solution helps chief information officers control data mart proliferation, reduce costs for software licenses and servers, and lower training and labor costs. Teradata Express Cloud Offerings The two new Teradata Express cloud offerings are built on Teradata Express, which is a free, non-production version of Teradata Database software intended for developers and evaluation scenarios. The cloud versions of Teradata Express support up to one terabyte of data and are powered by Novell SUSE Linux Enterprise Server 10. Teradata Express on Amazon EC2: Teradata Express on Amazon EC2 is available on the flexible Amazon Elastic
6
| the cto forum | 07 NOVEMBER 2009
Compute Cloud (Amazon EC2). This prepackaged edition is a free developer version of the Teradata Database for use in the scalable, robust Amazon EC2 environment. Customers can quickly launch Teradata Express on Amazon EC2 and begin their collaborative work from any location in the world. Customers benefit from the easy self-service, flexible configurations, and the cost effective Amazon Web Services infrastructure, resulting in faster time to value and the quicker completion of projects. Teradata Express for VMware Player: Teradata Express for VMware Player delivers a fully configured Teradata Database bundled for private cloud analytics. Once VMware software is installed, the Teradata Database can be loaded in minutes, taking advantage of the many features of VMware. For the Teradata Database, VMware is an important stepping stone towards delivering internal private clouds for developers and information technology operations managers. The value for customers will be the easy creation of Teradata test and development environments with a significant reduction in capital costs from server consolidation. n
n www.thectoforum.com
technology and business
E
MC wants you to trust them when it comes to cloud computing data security. The company released a paper via its RSA security division substantiating that enterprises give up some control over data when systems are outsourced to the cloud. EMC’s Eric Baize, who was part of the team overseeing the company’s security strategy that led to the acquisition of RSA in 2006, acknowledges that security has consistently played catch up to disruptive technologies. But not this time. “Whether it’s EMC, Cisco Systems Inc. or Oracle Corp., cloud infrastructure providers want enterprises to build in security early,” he said. “There’s a certain amount of disruption with cloud [computing], but we also believe we need to create a disruption on security thinking and make security a feature of the cloud,” Baize said. Experts have boiled down cloud computing to essentially three areas: Infrastructure as a Service, in which an enterprise’s data centre or certain servers could be hosted outside the company walls, Platform as a Service, in which a company hosts certain business applications beyond its boundaries, and Software as a Service, in which a software suite is contracted out for employee use, such as Salesforce.com’s customer relationship management software. Each of the cloud computing use cases come with their own security challenges for enterprises. The EMC RSA paper, “Identity and Data Protection in the Cloud: Best Practices for Establishing Environments of Trust,” identifies some of the general issues slowing adoption of cloud computing. The federal government is also getting involved to help companies better understand the cloud. The National Institute of Standards and Technology (NIST) has written a publication explaining how cloud computing security can be applied. Enterprises need to demand more from their infrastructure provider, said EMC’s Baize, because boundaries within the cloud are much more fluid. In some cases, companies may share the same hosted space in a data centre. This loss of control over infrastructure and processes can be made up if enterprises make their provider aware of their security policies and the level of control it expects, Baize said. Many of the same physical assets in the company’s internal data centre can be applied to the cloud infrastructure. Firewalls and data leakage prevention appliances can be applied in a virtual environment to monitor and maintain the same level of security. The threat landscape remains the same. The standard defense-in-depth approach of deploying multiple technologies to detect and defend against attacks on sensitive data is essential, said EMC’s Baize. While cloud computing prompts some security concerns, infrastructure providers apply a virtualization layer, which provides additional visibility into how company data is being accessed and used. Compliance is another major challenge for many enterprises. Monitoring capabilities can greatly improve reporting processes for auditing and compliance within the cloud, but companies need to address how the data is reported when selecting a cloud computing vendor, Baize said. Forrester’s Whiteley said most companies are choosing a hybrid approach, maintaining an internal cloud using virtual infrastructure while outsourcing certain processes, such as testing and development. It’s a three-tiered process that begins with building enough virtualization and storage provisioning in-house to develop an internal cloud. Then companies begin to outsource certain processes followed by moving more business-critical workloads into the cloud. n
www.thectoforum.com n
Oracle iReceipts App Available from App Store
T
o help users automate expense reporting for cash transactions, Oracle has introduced the Oracle iReceipts App and integrated it with Oracle’s PeopleSoft Enterprise Expenses. Oracle iReceipts allows employees to capture cash transactions on the iPhone and iPod touch as they occur, then easily submit these transactions to Oracle’s PeopleSoft Enterprise Expenses. Oracle iReceipts allows users to capture receipt images with the iPhone Camera rather than having to deal with several paper receipts. The images are then processed as normal within the PeopleSoft Expenses solution. The app can also automatically tag transactions with a user’s location using location based features. This solution will be available for free from the App Store on iPhone and iPod touch or at www.itunes. com/appstore/ for Oracle customers currently running Oracle’s PeopleSoft Enterprise Expenses Release 9.0 and the soon to be released version 9.1. “The concept of using mobile technology would increase efficiency around expense automation. In theory you could see fewer lost receipts and more timely filing of expense reports,” said John E. Van Decker, Research VP, Gartner. “A solution that helps keep employees organized on the road could lead to greater productivity.” n
07 NOVEMBER 2009 | the cto forum |
7
enterprise round-up
Security Should be a Feature of the Cloud
question of answers
tom clare
Obtaining
Security Assurances is a CIO’s Biggest
Challenge
in an exclusive interview with the cto forum, tom clare, sr. director product marketing, secure web gateways, blue coat systems cautions cios about the
ignorance towards the growing web-based security threats and prescribes simple remedies to prevent from damages. rahul neel mani presents excerpts:
10
| the cto forum | 07 NOVEMBER 2009
n www.thectoforum.com
tom clare
I’ll respond to this question from two perspectives. First, if by ‘classify’ you were referring to how Web filtering solutions categorise and classify different URLs and Web-based IP addresses for blocking and tracking purpose, most Web filtering solutions can block malware, phishing, and spyware related URLs as well as provide filtering of sites that can waste productivity or could create legal or compliance liabilities for the organisation. In a broader sense, Web threats would be the number one threat facing organisations today. As more applications embrace Web 2.0 features, such as SaaS and others, Web-based services become an integral part of an organisation’s operations, and as employees are empowered in ways that enable them to both intentionally and accidentally leak confidential information through the Internet, IT needs to re-evaluate its security measures. With the focus on Web services, enterprises are facing multiple challenges at application security front? What are those challenges that a CIO should be aware of and how shall s/he safeguard the enterprise?
Many companies have had minimal exposure to Web threats until recently simply because their users lacked more than minimal Web access. All of their applications have been internal, many employees did not need even use the Internet other than, indirectly, through email. But over the last year, online services have finally matured to the point where they can offer competitive features and capabilities at an affordable level. Many job roles require increasingly greater Web access. And with the added benefits to the enterprise of an application that can grow or shrink without the need to consider things like equipment investments, server room space, etc. interest in such services is growing rapidly. However, CIOs should pay more attention to the security infrastructure and procedures of the service provider. If data about employees, customers, or company secrets become compromised, few countries, industries or companies will accept a CIO defense of “It was the providers’ job”. What are the ways of improving Web Application security? How can an enterprise create a roadmap on threats and countermeasures?
Introducing a new application should involve sufficient ‘user education’. This is another area where companies often take shortcuts. But the vast majority of security breaches involve a mistake by a user. Part of the reason for ‘education’ is to make sure the users understand the power of what they have been provided and to help them think through all of the potential for abuse and the consequences. For example, a story earlier this year related how a US Senator, traveling with the President of the US, sent out an update on his Twitter feed that said “Landing in Bagdad” innocently violating the security of the President’s travel plans in what is obviously
www.thectoforum.com n
one of the most dangerous places he could be. Too many of these technologies are being adopted without really thinking it through. All the users know is that it is ‘cool’, and they need one to be seen as ‘technology savvy’ so they do it. Also, some of the risks come when different solutions ‘interact’. For example, some browsers can ‘remember’ login information, so a user doesn’t have to type it in every time. Anyone in that office can walk up to their PC and access that new application. Or what if their laptop is stolen? Overall, for any company providing increasing Web access for employees needs to update its security plans. The importance of patching cannot be understated. Continued use of firewall and antivirus solutions is critical. Application platforms such as blogs, wikis, and other social networks are in vogue in the enterprises. What kind of security breaches are possible using these platforms?
There are two main areas of risk with most of these technologies: Data leakage prevention – Most of these tools are designed to create a ‘casual’ atmosphere, which may cause users to get careless. Things they wouldn’t say to just any customer visiting their office may find themselves posted on Twitter. Malicious links – Till date, the malware threat primarily spreads by finding ways to embed links to malware content in legitimate sites. A full Secure Web Gateway strategy needs to encompass technologies to block these malicious links. CIOs/CISOs need to consider more complete Secure Web Gateway strategies, including security for their mobile clients. As noted before, firewalls and AV alone are simply insufficient particularly for a mobile client which may become infected remotely and, literally, ‘walk a threat right around the firewall.’ Proliferation of highly-portable computing platforms, such as “netbooks” and Web-enabled mobile phones is a trend with a threat element. What could be the security concerns and how can a CIO be proactive in protecting his company?
As noted above, Web filtering needs to be distributed and managed on the end-point which operates outside of the gateway. Particularly when you keep in mind that many infections are designed to spread in multiple ways. Once they get onto an under-protected mobile perhaps at an airport or hotel, they may spread from that one system to other when they reconnect to the network leveraging peer-to-peer or network worm technologies, or even USB drives. (Conficker is one such example.) However Smartphones are not yet the malware threat, people fear. Traditional ‘risk analysis’ says you need to balance ‘what’ can happen with ‘how likely’ something is to happen. Is it possible for malware to penetrate your Smartphone? Probably! Is it likely that anyone would try? Not very! Mainly because there are easier targets. n Rahul.mani@9dot9.in
07 NOVEMBER 2009 | the cto forum |
11
question of answers
How will you classify the web-based threats? How do they impact enterprises?
best of breed
system hardening
A Process
Checklist for
System
Hardening
most administrators and security officers are well aware of the necessity of system hardening for corporate systems
H
by bozidar spirovski
ardening is a process of securing a system by reducing its vulnerability surface. By the nature of operation, the more functions a system performs, the larger the vulnerability surface. Since most systems are dedicated to one or two functions, reduction of possible attack is done by the removal of unrelated software, user accounts or services that are not required by the planned system functions. System hardening is a vendor specific process, since different system vendors install different elements in the default install process. However, all system hardening ef for ts follow a generic process. So here is a checklist and diagram by which you can perform your hardening activities. Perform initial system install - stick the DVD in and go through the motions. Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on your usage, you should remove software that is not required. Disable or remove unnecessary usernames and passwords - most systems come with a lot of predefined user accounts for all kinds of purposes - from remote support
12
| the cto forum | 07 NOVEMBER 2009
to dedicated user accounts for specific services. Remove all remote and support accounts, and all accounts related to services, which are not to be used. For all used accounts, always change the default passwords. Disable or remove unnecessary services - remove all services which are not to be used in production. You can always disable them, but if you have the choice to remove them altogether, just do it. This will prevent the possible errors of someone activating the disabled service further down the line. Apply patches - after clearing the mess of the default install, apply security and functionality patches for everything that is left in the system - especially the target services. Run Nessus Scan - update your Nessus scanner and let her rip. Perform a full scan including dangerous scans. Do the scan without any firewalls on the path of the scan. Read through the results, there will always be some discoveries, so you need to analyse them. If no vulnerabilities are discovered, use system - after the analysis of the results, if there is nothing significant discovered, congratulations! you have a hardened system ready for use. n Bozidar Spirovski of Information Security Short Takes is an Information Security Expert
n www.thectoforum.com
customer experience
where does your company stand on the scale of experience-based differentiation?
by bruce temkin
I
’m thrilled to announce that we just published a new Forrester report called The Customer Experience Journey. This is the culmination of several months of research where I looked into how companies progress towards Experience-Based Differentiation (EBD), the blueprint for customer experience excellence. In this report, I defined five stages of EBD maturity: Some other highlights from the report: Here’s a little bit of what goes on in each of the 5 stages: Stage 1 (Interested): In the first level of EBD maturity, organisations begin to believe that customer experience is an
Five Stages Of Experience-Based Differentiation Maturity Stage 5 (Embedded):
CxP is in the fabric of the company, not separately discussed Stage 4 (Engaged):
CxP is one of the core tenets of the firm’s strategy Stage 3 (Committed):
CxP is critical and execs are actively involed Stage 2 (Invested):
CxP is very important and formalized programs emerge Stage 1 (interested):
Customer experience (CxP) is important, but receives little funding
www.thectoforum.com n
important part of their business. They start undertaking a number of different efforts without making any major investments, attempting to get control on the current situation. There’s a flurry of uncoordinated activity and no real leadership for customer experience activities. Stage 2 (Invested): Companies enter into the second level of EBD maturity after they recognise that customer experience is worthy of a significant investment; in both capital and key personnel. So the approach to customer experience becomes more organised with an intensified focus on fixing problems. We start to see centralised customer experience groups and more formalised voice of the customer programs. Stage 3 (Committed): In the third level of EBD maturity, firms are embracing customer experience because they understand the specific impact it has on growth and profitability. The effort is no longer isolated to a few groups as customer experience becomes a major transformational effort across the organization. Instead of just trying to fix problems, the focus turns to redesigning processes. Stage 4 (Engaged): When companies enter into the fourth level of EBD maturity, customer experience is a key component of everything they do. Instead of re-engineering processes, the focus turns to designing break-through experiences and solidifying the culture. There’s significant emphasis on employee engagement and companies become much less dependent on a centralised customer experience group. Stage 5 (Embedded): At the highest level of EBD maturity, which can take companies several years to achieve,
07 NOVEMBER 2009 | the cto forum |
13
best of breed
Winning Customers & Keeping Them For Life
best of breed
customer experience
Infuse Emotion Into Experience Design The Web is becoming an increasingly important channel for companies, yet online experiences leave a lot to be desired. Our research shows that most sites have poor usability and they don’t reinforce key brand attributes. That’s why I worked with Ron Rogowski (the primary author) on a research report that created a concept called Emotional Experience Design, which we define as: creating interactions that engage users by catering to their emotional needs.
customers, their sites must cater to these deeper customer needs. n Develop a coherent personality. Websites can feel sterile — devoid of a brand’s human characteristics, which are often apparent in other channels. But firms need their online experiences to do even more than just reinforce their brands; the experiences should enrich them. How? By developing a coherent, consistent personality that customers can easily
Emotional Experience Design is quite different from today’s functional design: To apply Emotional Experience Design, firms must: n Address customers’ real goals. People may come to a website to get service or buy a product, but that’s typically not the beginning or culmination of their journey. The mother of a newborn with stomach problems isn’t going to a site for information about medication; she’s looking for a way to bring comfort to her baby — and maybe get a little relief for herself. If firms want to engage
Functional design
Emotional Experience Design
User research
User’s needs for the site visit
User’s context for coming to the site
Sales model
Store-shelf metaphor that allows users to compare details of multiple offerings
Solution-selling metaphor in which products and solutions are introduced based on user need
Multichanned experience
Siloed: no coordination when users move from one channel to another
Blended: Interactions across channels are designed and orchestrasted for users
Branding
Design elements layered on top of the Web experience
Interactions and design reinforce key brand attributes
Personality
None: site appears like collection fo content and functionality
Clear: site demonstrates consistent and recognizable traits
Interation Design
Sratic: text pages that refresh throgh point-and-click actions
Dynamic: tactile experiences that blend in multimedia elements
customer experience is deeply ingrained throughout the organisation. Just about every employee feels ownership for maintaining the culture. The executive team no longer focuses on change, but views itself as keeper of the customer-centric culture, which is viewed as a critical asset. Based on results from 287 companies that took our Experience-Based Differentiation self-assessment, we estimate that 37 percent of firms have not yet reached the first stage of maturity and 41 percent are in the first two stages. Only 4 percent are in the 5th stage. I outlined 8 major activities that these customer experience groups work on including customer insight management, customer experience measurement, employee communications, and culture and training. I also looked at customer-centric DNA, which we define as: a strong, shared set of beliefs that guides how customers are treated. It turns out that customer-centric DNA starts to show up in Stage 3 of maturity (Committed) and becomes fully developed in Stage 5 (Embedded). I also uncovered a set of behaviours that make up customer-centric DNA, which I call the 6 C’s of customer-
14
recognise throughout all interactions. n Engage a mix of senses. Over reliance on text and imagery makes many sites indistinguishable from competitors. Interestingly, most people can’t remember the content of Intel’s commercials, but they can easily imitate the Intel sound. While web experiences don’t allow users to taste or smell objects, they can and absolutely should engage users’ senses of sight, hearing, and even touch.
| the cto forum | 07 NOVEMBER 2009
centric DNA: n Clear beliefs n Compelling stories n Consistent trade-offs n Collective celebrations n Constant communications n Commitment to employees The bottom line: Get ready for a multi-year customer experience journey. n
The bottom line: It’s time to make emotional connections online. Bruce Temkin is Vice President and Principal Analyst at Forrester Research and focuses on Customer Experience. Temkin’s blog ‘Customer Experience Matters’ can be viewed using the URL (http://experiencematters.wordpress.com/). The content of this article is not related in any way to Forrester Research
n www.thectoforum.com
it - business alignment
best of breed
The IT Imperative maximising business results through effective it leadership by andrew barker
T
he purpose of the Information Technology (IT) department in any organisation is to facilitate the business objectives of that organisation through the use of people, process and tools in a secure and deterministic fashion. I do not consider IT as a group that is just there to provide support functions. This is most commonly indicated by statements such as the following: “IT needs to remember that it is here to serve the business.” I see that mindset as debilitating. It paints a picture that is neither accurate nor useful. This IT versus business debate is a silly, time-wasting dichotomy. When I say that IT is supposed to facilitate business objectives, I mean that it is a key driver of growth in business. Not only does IT have great potential to add value, but it can be a business differentiator (not just by being
www.thectoforum.com n
there, as almost everyone uses technology these days.) Ultimately, IT is the engine that makes business run. If IT is only playing a servile role in an organisation, then the business is not going to achieve its best possible performance, and it’s probably wasting a whole lot of money as well. IT must be seen as a part of the business – and a necessary part at that – rather than a necessary evil. Technology management is not just critical to most businesses today, but it constitutes a significant part of their budgets. Additionally, it touches clients, partners and suppliers. In order to reap the maximum effect of the investment, technology needs to be managed carefully. So does the technology team. If the technology team is not brought on board with new initiatives early enough in the process of establishing direction and goals at the corporate level, then IT will
07 NOVEMBER 2009 | the cto forum |
15
best of breed
it - business alignment always seem out of step with the business, and technology solutions will never fully address the needs of the business. What IT Should Focus On Once an organisation has established its corporate goals, it is then possible for IT to establish what it will be focusing on. In other words, the IT team can effectively do its job as it understands what the business is trying to accomplish. This cannot be an independent discussion by the business and by IT. With corporate goals firmly established, here are some broad categories of issues that IT needs to focus on:
IT must be seen as a part of the business – and a necessary part at that – rather than a necessary evil.
Business Enablement and Process Improvement n Services Delivery n Capacity Planning n Information Security and Risk Management n Disaster Recovery and Business Continuity n Technology Roadmap Development n Business Innovation The specifics of each category depend on the inherent nature of each business as well as goals that the corporation has set for its business. The business can only effectively tell IT what to focus on if it sets clear business goals, and allows IT to be part of that discussion at some level. IT can only successfully drive the business, if technology is respected for its understanding of the business, and if it has been involved in the formation of the business goals. Any IT organisation which tries to drive the business, where the business sees IT as a service function, is heading for a disaster. Likewise, if IT sits back in a reactive mode, and simply serves the business whatever the business wants in the name of flexibility, then both IT and the business will fail, because it is not fair to ask people who do not understand the ramifications of complex technical decisions to make them without being given guidance. IT must work with the other business units in a collaborative way, making sure to provide guidance and options, and being willing to serve the needs of the organisation. The business on a whole must understand and appreciate the value of IT to their organisation, and recognise that IT possesses skills and information that are essential to attain organisational goals and complete its mission in a cost-effective fashion. By engaging in an us versus them mindset with regards to IT and other business units, the organisation will squander its investments in people and technology, and find itself behind the curve with customers and competitors. It takes strong leadership – all across the business, including IT – to navigate these potentially treacherous waters and come out victorious.
16
Working Smarter, Not Harder Not only is it important that the entire organisation be working together, but it is vital that they work together intelligently. Yes, working hard is important. In fact, it is vital. Working harder, however, should be minimised, as it is counterproductive. It can be done in emergencies, and for a limited time, but it is not a sustainable strategy. Over time, it leads to more breakdowns in execution and more, costly mistakes. The goal, then, is to work hard, but smart. Working smarter is achieved by... ...properly evaluating what needs to be accomplished before just jumping in with both feet. ...effectively communicating with all parties (staff, colleagues, clients, partners and management) about the goals, objectives and progress of the work already underway. ...delegating some level of decision making to workers, so that creativity can be employed within the bounds of reason. ...setting aside some time for formal staff training, and creating a culture that continuously evaluates projects to learn what worked, what didn’t, and how to create or improve business processes. ...recognising that it always costs less to do a thing right the first time, versus doing it the fastest way possible repeatedly. ...properly aligning incentives with accomplishments. An engine that is operating optimally, is neither idling nor spending a great deal of time in the dangerous red zone. Not only does such an engine generate significant value, but it will last a long time as well. By working together, and doing so intelligently, the organisation can maximise its business results, obtain competitive advantage over its competitors, and achieve true innovation. It takes strong IT leadership and good communication throughout the enterprise to not only manage the technology challenges of an organisation, but to help the business understand and take advantage of the capabilities of IT. United we stand, divided we fall. n
| the cto forum | 07 NOVEMBER 2009
Andrew S. Baker is currently working as CIO of ARGI, US. He is a business-savvy leader of high-performance technology teams, with hands-on expertise in designing, deploying and maintaining secure, mission-critical computing environments for small to mid-sized organisations across such verticals as Financial Services, Media & Entertainment, Internet and Publishing. Andrew can be followed at http:// home.asbzone.com
n www.thectoforum.com
low - cost computing
best of breed
The Path to
Low Cost
Computing how netbooks could change enterprise computing
T
here seems to be a great surge in new devices that will soon impact enterprise computing from small businesses to the Fortune 100. One of these technologies is Netbooks, the small, low-cost computers aimed at consumer web-browsing and email. All these machines ship with and run Windows XP quite happily, which is still de rigueur enterprise standard. However, I was rather surprised to find they were exceptionally in sync with Windows 7 and the latest office suite. It’s obvious that most corporate users do 95 percent of their computing work in exactly these types of applications, and a machine that can run an office suite, access the web and corporate ERP or CRM systems and do it cheaply is pretty compelling. I think the Netbook is going to precipitate a change in corporate computing already seen at the consumer level. Rather than shifting to a pure ‘dumb terminal’ model suggested in the past where everything runs ‘in the cloud,’ I think we’re going to see a hybrid of cloud computing and virtualisation, creating a smart terminal of sorts. Despite more than a decade of pundits proclaiming the end of client server computing, I don’t think we’ll see a return to pure dumb terminal computing. Google and its ilk want us to believe we should do everything from email to word processing through a web browser and “in the cloud,” but at an enterprise level, a disconnected model is still very compelling. I still want to wade through my inbox and crank out a document or two in places where there’s no connectivity, so we’re still going to need a local office suite. However, shifting the “heavy hitters” like CRM, ERP
by patrick gray
and modeling to the cloud makes perfect sense. Where Netbooks and virtualisation enter the picture is disconnecting a user’s computing environment from the hardware. Today, an average user has a personal and business laptop, and perhaps a couple of desktops or Netbooks at home, combined with a smart phone. They change computing devices based on mood, use and travel itinerary. With Netbooks, hardware becomes a cheap commodity, and I think we’ll soon see virtualisation technology squarely targeting the enterprise end-user. Imagine that my work computing environment is a virtual machine that I can use on a shared desktop in the office or my personal Netbook when I’m on the road. The company provides the computing environment and cloud or hosted application, and the user runs it on whatever hardware they see fit, swapping environments and hardware as needed. The company gets out of the business of providing, provisioning and managing end-user hardware, and the user accesses work and personal computing environments on the device they choose, when they choose it. While the Netbook certainly is not critical to this transition, I believe small, cheap and capable hardware is going to get enterprises thinking about how they actually deploy and use computing at the user level. n
Small, cheap and capable hardware is going to get enterprises thinking about how they actually deploy and use computing at the user level.
www.thectoforum.com n
Patrick Gray is the founder and President of Prevoyance Group. A recently rehabilitated tech nerd, Patrick possesses the unique ability to comfortably talk shop with the folks in the server room, and also navigate the boardroom with ease. Prevoyance is French for “foresight”. Patrick can be followed at http://itbswatch.com.
07 NOVEMBER 2009 | the cto forum |
17
by invitation
utility model
IT is About Utility Not Technology for consistent growth it is better to organise the it department so as to put more emphasis on information than on technology
by mike scheuerman
I
T managers have always worried more about the mine if the business is running the way they expect. ‘speeds and feeds’ and less about how the equipment Business intelligence provides the controls that keep the under their control provides support and value to ship of business afloat. the people who use that equipment to do their jobs. The challenge in implementing this model is developing Infrastructure management is necessary, but not sufficient a true-cost model of the current IT services so a reasonto provide executives with daily information that they able comparison of costs and goals can be achieved. Today, would need to make critical decisions. the cost of IT is calculated largely on personnel and capiA better approach to consistent growth is to organtal costs. In truth, the opportunity costs of not providing ise the IT department in such a way that the emphamore effective utilisation of people in the business is unacsis on information is more than that of technology. counted for. The cost of not being able to determine the To that end, the new face of IT becomes the business state of the business in a more timely way is also left out analyst and project manager. The onus of infrastructure of the equation. And the cost of decisions being made with management falls on vendors and incomplete information is missed. someone in IT will have the role Most business managers never of vendor relationship managethink about the technology they ment. Managing SLAs becomes use every day. They are concerned the primary goal for this group. about the cost and how tech is not Within the business analysis meeting their demands. function, there are three major These are real concer ns. If components: project management, management can think about IT as business unit expertise, and busia utility they will begin to see that ness intelligence. Project managetrying to keep the IT infrastructure ment provides the methodology running is like buying and mainfor getting things done timely and taining your own power plant. You cost-effectively. Business unit experwouldn’t do that because you can’t tise is used to provide knowledgeable justify the cost. IT should be viewed individuals who understand busithe same way. n Today, the cost of IT is ness processes within a particular Mike Scheuerman is an independdepartment. Since this group falls calculated largely on ent consultant with over 30 years within the overall business analysis personnel and capital costs. experience in strategic business planfunction, they can also provide the cross-functional view that is missIn truth, the opportunity ning and implementation. His experience from the computer room to the ing in so many projects. costs of not providing boardroom provides a broad specThe third component of busimore effective utilisation trum view of how technology can ness analysis is that of business be integrated with and contributes intelligence. This group holds the of people in the business is significantly to business strategy. key performance indicators (KPIs). unaccounted for. Mike can be reached at These KPIs make up the dashboard mike@scheuerman.org. every manager uses daily to deter-
18
| the cto forum | 07 NOVEMBER 2009
n www.thectoforum.com
cloud computing
by invitation
Costs of
cios and their it departments need to pick holes in the spiel hurled by cloud computing service providers to have a clear picture of the complete costs.
by chris curran
D
uring a time when businesses are counting their pennies, every conceivable cost needs to be factored into forecasting models. Hidden expenses are never a welcome surprise, but they are particularly unwanted now. Cloud service providers can try to make the costs seem clear cut. However, CIOs and other IT professionals should know that $100 per user per year is only the beginning of the budget. When making a massive technology transition and managing a new system, the costs associated with people, processes, and architecture are equally important to consider. The mystery is how much
www.thectoforum.com n
07 NOVEMBER 2009 | the cto forum |
19
by invitation
cloud computing these costs amount to in the unfamiliar realm of cloud computing. To help uncover the hidden costs of cloud computing, answer the following four key questions: What are the viable paths to move (or replace) legacy applications into the cloud? What architectural changes are required to integrate cloud and non-cloud applications? How should we change our technology and operations processes to take advantage of different procurement, provisioning, and management models? How will a private cloud—built for the sole use of one enterprise—give us more flexibility than current hosting or public cloud models? What are the cost trade-offs?
1 2 3 4
Cloud service providers can try to make the costs seem clear cut. However, CIOs and other IT professionals should know that $100 per user per year is only the beginning of the budget. When making a massive technology transition and managing a new system, the costs associated with people, processes, and architecture are equally important to consider. The mystery is how much these costs amount to in the unfamiliar realm of cloud computing. Answters to these questions will change the mindset from leveraging cloud-based applications to managing complex systems, which will help to reveal the true costs of making the switch. When the focus of the conversation shifts to systems, it prompts other questions that will sharpen the picture: How do we make sure all of the customers in Salesforce. com are synchronised with those in our customer management application, our billing application, and our six product systems? Should we add custom application logic into Salesforce.com to validate customer
1 2
20
| the cto forum | 07 NOVEMBER 2009
and company information against our master list? Or should we do it externally and integrate the resulting systems and processes? What kinds of skills and other organisational considerations should we make for the IT staff that support our customer systems? Many companies across industries are still working on getting beyond the usage costs for cloud computing to understand the complete costs of migrating, implementing, integrating, training, and redesigning the surrounding and supporting people, processes, and architecture. In fact, three examples from companies that we are working with demonstrate how different details can lead to the same conclusion: uncertainty about the hidden costs of cloud computing. A managed IT services vendor is interested in moving some of its in-house help desk applications into the cloud for its clients, but the company is taking its time before moving past market surveillance. An industrial products company is evaluating new technologies and approaches, but the company is also taking a measured approach to see where the chips fall. A financial services company that deals in very small and extremely high-speed transactions is not yet convinced that any of the cloud computing service providers can provide the processing horsepower within their service-level agreements and security requirements that would be necessary for the investment to pay off. In these three examples, not knowing the potential hidden costs of cloud computing has stalled the decision making process. So as cloud service providers roll out their spiel, ironically, CIOs and their IT departments need to pick holes to have a clear picture of the overall bottom line. Remember: it’s deceptively easy to get burned on a cloudy day, if you’re not protected. n
3
Chris Curran is Diamond Management & Technology Consultants’ chief technology officer and managing partner of the firm’s technology practice. He writes the CIO Dashboard blog at www.ciodashboard.com, and can be reached at Chris.Curran@diamondconsultants.com or @cbcurran on Twitter.
n www.thectoforum.com
young cio s
& g n s u s o Pg.24
h li ko w o r k s . k et a Net ne Pu , Som O Pg.23 CI
n Ja i h i nC I S O c Sa , & rve. C I O luese Eva
Pg.25
e y e l Th t s e R
i alv ls O a h S v i sP & C I N K . SV F C BA HD
ja l u n nrent. m o h arz j es r a d IT, C a e H
Pg.29
peria. oo s c ne, Ind s e g afo bu rO, Vod CIS g.28
P
Pg.27 d oo l d s Glob a n i S arv , W N Pg.26 CTOvices. Ser
e na a x roup. S m ani G ra Vi k d IT Em Hea
sh ka ra p a g.32 G dayd IT, L s India. P a He tronic Elec
Pg.31 a itr a m dia. t a b r in In Pg.30 joy , Daik O I C
www.thectoforum.com n
07 NOVEMBER 2009 | the cto forum |
21
cover story
a hr lut l O atu up C I mas. GroR Cine PV
young cio s
The good thing about being young is that you are not experienced enough to know you cannot possibly do the things you are doing. n
By Rahul Neel Mani & Sana Khan
C
IOs focusing on the business first and looking to leverage technology to help their firm’s move in the right direction is quite a norm now. Having worked with this community for over 10 years, I strongly feel the impact of new-generation CIOs on the role of information technology in business. Although I have seen CIOs of all ages and backgrounds the best ones are those who identify with their business. In the environment where the expectations of the C-suite executives from their CIOs are skyrocketing, the young brigade has left a remarkable impression to reserve their berths in the boardrooms. The keys revolve around understanding the business needs, constantly wearing the hat of an innovator, being an able change agent and creating solid brand equity for the IT. We’d all acknowledge that the success company only when we embed IT business partners directly to business units and that’s job well done by these young CIOs. In no way this story belittles the contributions made by the older CIOs but it should be our endeavour to change tracks at times and look for those who are challenging the status quo.
It looks as if the new generation CIOs have mastered the ‘Art of Possible’ very well. They may not be magicians but they do know how to juggle things well so that the outcome is a positive business impact. The ten young technology leaders whom we are featuring in this story have all seen quite some life before reaching this stage but it all happened as if they wrote their destiny. None of these 10 CIOs wear just the technology hat. They all have some kind of business roles and they all are taking decisions for their companies. Most of these CIOs are thinking of not only creating agile IT organisations but also agile business conglomerates. These CIOs know how to listen to their business partners and to the energy inside their organisation. They know how fast to move and how much change to introduce so that the businesses can handle it. Sure, some of this comes with experience. However, these technology leaders with good business sense are making the grade regardless of their age and experience. Rajashekhar V. Reddy, Architect at SFS LLC, and Chief Architect at
Neuron World Corporation feels that more than ever before, the young leadership — both as a business executive and information technology (IT) expert - is shaping the destiny of the enterprises. “Most CEOs feel there is a gap in integration of business and technology, hindering customer satisfaction, speed, and flexibility. Closing this gap is critical because of the unprecedented pace and breadth of technological change and its strategic impact on all areas of the business,” says Reddy. These young minds are thinking of employing more intuitive and innovative ways of communicating with their customers. Reddy further adds that the new age CIOs/technology leaders now see themselves as an integral part of the company. “They now participate more actively in the strategy meetings along with other C-level peers,” he feels. In a sense they know how to work in partnership with line of businesses and business owners. This special story is about these energetic, enthusiastic, optimistic and ambitious young minds who are out there to change the rules of the game. n
Know When to Say Yes Good CIOs focus on the business first, and look to leverage technology to help their firm’s move in the right direction. I have been in the business for over 30 years and have been a CIO for over a decade. I have seen CIOs of all ages and backgrounds. The best leaders understand their role. The keys revolve around understanding the business needs of your firm. One of my greatest achievements include embedding IT business partners directly to business units. Additionally, providing training and support to IT business partners is crucial. I have found that using the principles of the Product Development Management Associate (PDMA) to be very useful in this regard.
22
| the cto forum | 07 NOVEMBER 2009
It is of utmost importance to manage the project intake process. This means making sure that you know how to say ‘yes’ to projects and when to execute them well with solid project management techniques and knowhow. Good CIOs know how to listen to their business partners and to the energy inside a firm. You have to know how fast to move and how much change a firm can handle. I think some of this comes with experience; however; CIOs with good business sense will make the grade regardless of their age and experience. — CIO, Red Wing Shoe Company, US
n www.thectoforum.com
young cio s
Puneet Kaur Kohli, 38 CIO Soma Networks
MBA (Information Systems), FMS, Delhi & B Tech (Computers), DCE Certified lead auditor for ISO-27001: 2005 from BSI
Involved at the board level and part of senior management
Feel Challenged, Change the Culture
W
Understanding customers’ pain points before digging out solutions helps in achieving the real purpose of IT.
h e n P u n e e t Ka u r Kohli talks, confidence just oozes out of the words. Working as the global CIO of Soma Networks – a wireless broadband company Kohli has dirtied her hands in tech projects across several industries. Having qualified as a lead auditor for ISO-27001:2005 certification, Kohli believes that a CIO should focus more on the business side than technology. “To my experience, IT, therefore, should create business for the organisation and should enhance the business value,” she states. Kohli is clear in her approach. “Understand the pain points of customers before you dig out solutions. This not only helps in building relationships, but also in achieving the real purpose of IT,” she says.
Ambitious projects
Kohli, in her current role, anticipates a multi-fold growth in the next few quarters. “We are on the verge of implementing a state-of-the-art ERP system to minimise our cost of operating expenses. Though we already have a full-fledged ERP solution for finance, we plan to implement ERP across all functions so that we have the best practices available across Soma worldwide,” she says. Kohli
www.thectoforum.com n
expects to lower the inventory costs and make the whole business more streamlined and transparent. Kohli’s team is also busy working on a migration plan to unified communications.
Key differentiators
Kohli strongly feels the need for ‘behaviour translator’ and place one on every IT team that works closely with individuals on the business side. This position should be able to understand what users really need and to make sure the IT team knows it must deliver solutions for those needs. Secondly, she suggests developing user surveys. “These surveys should not just assess how well the IT organisation meets internal standards (such as the percentage of trouble tickets closed within 24 hours), but also augment the ability of users to meet business goals,” she says.
Outlook for the future
Kohli is very enthusiastic about her future role. “A new era has arrived where, if the businesses ignore the needs of it’s users, they will find their own solutions by bringing more consumer technologies into the workplace, which can lead to anarchy. I feel challenged to change this culture and want to make it business oriented and proactive.” n
07 NOVEMBER 2009 | the cto forum |
23
Atul Luthra, 38
Group CIO, PVR Cinemas Bachelor of Engineering
Not involved at the board-level, but part of senior management team
Think Beyond the Obvious
I
I have visualised a future for the IT department of PVR which is in sync with the future plans of the company at a broad level.
f you’re about to watch a movie at PVR Cinemas, and you’ve the option of booking the ticket through Internet or a kiosk or via facebook, it is the handiwork of this smart new age techie – Atul Luthra, who holds the position of the CIO of PVR Cinemas at the age of 38. Luthra brings to the table rich and varied experience of handling IT in companies like WNS, GFOL and SRIL and a fresh approach to ‘thinking beyond the obvious’. He has successfully implemented some very innovative projects at PVR - for instance, the Customer Relationship Management (CRM) programme. Internally, it helped streamline the online booking process, and at the customer end, it cut down the transfer time in refunding unsuccessful transactions from two days to a couple of hours. Luthra has also utilised the social networking site Facebook for booking tickets, getting customer feedback and creating blog space for PVR.
plug the resulting loss of revenue and ticket sale. This project involved fixing a camera next to the screen to take a photo of the auditorium. An in-built application would count the number of people sitting and compare the same with the number of tickets sold for that particular show to backtrack the unaccounted people,” he says.
Ambitious projects
Luthra has set his eyes on the goal of climbing up the value chain. “I have visualised a future for the IT department of PVR which is in sync with the future plans of the company at a broad level. “I intend to achieve these targets by sub-dividing them into smaller efficient and executable plans and executing them one by one,” he concludes. n
Luthra recalls various innovative projects like ‘CRM’, ‘iCount’, Facebook application that he has implemented in past few years. Out of all, Luthra calls Project ‘iCount’ the most innovative. “It was initiated to control the entry of unauthorised and unaccounted patrons in the cinema hall for any show and
24
| the cto forum | 07 NOVEMBER 2009
Key differentiators
Luthra is a firm believer in outcomebased IT. He has been following a methodology of Problem/Concept/ Idea Solution required Technology. “This has given me invaluable experience and brought laurels for my organisation. I have a vision for the organisation, and using this methodology I come up with small but effective innovative thoughts,” he says. Careful planning and chronological execution of the same has resulted in successful completion of projects.
Outlook for the future
n www.thectoforum.com
young cio s
Sachin Jain, 35
CIO & CISO, Evalueserve Graduate in Science. MBA & diploma for a 3-year course from NIIT. Certified lead auditor/assessor for ISO 27001
Does not sit on the board but part of the senior management team in decision making on IT function
A Reformer of Customer Experience
H
It is important to define the accountability of people who can take end-to-end responsibility of a project.
www.thectoforum.com n
onoured as ‘Young CIO of the Year’ by The CTO Forum in 2009, Sachin Jain, CIO & CISO of KPO major Evaluserve, wears the two hats at all times. Jain believes in the dictum of a CIO being a ‘Chief Innovation Officer’ forever looking at ways to improve efficiency, effective manageability and reduce costs. “I shun the premise of short-term solutions. Rather, I’d go for long-term plans which are scalable,” he says.
Ambitious projects
In sync with this philosophy, he conceptualised the “One Office” project at Evaluserve. Completed in 2008, the project aimed to integrate all offices of Evaluserve within and outside India. The company has already started benefiting from this mammoth exercise. Not only has it improved user feedback, it has also changed people’s mindset. “They think at a global level and not just for their own location,” he says. Sachin finds his “One Office” project to be the one which outperforms others. “We initiated this project to closely integrate all our offices. The idea was to create oneness in the IT platforms across all offices worldwide. I wanted one global IP-based commu-
nication system and a single network and security operation centre for the company. We accomplished this project in first half of 2008 and already see a lot of benefits. The user is in awe with the change. All our fresh enterprise level project gets build on this global platform,” he says.
Key differentiators
Jain says that it is important to build a team with the right people and define the accountability of people who can take end-to-end responsibility of a project or task. “Apart from regular IT work, I push every single member in the team to understand the business and organisational level goals,” he says.
Outlook for the future
Jain feels that is a never ending journey for technology professionals on the path for technical excellence and innovation. “I have heard the CIO being called Chief Innovation officer multiple times. I tend to agree with this term as CIOs have to always look for innovative ideas which can transform the way we run IT and support business. We always need to look for the ways to improve efficiency, reduce cost and manageability. My aim is to ultimately improve user experience,” he concludes. n
07 NOVEMBER 2009 | the cto forum |
25
Arvind Sood, 36 CTO, WNS Global Services, India BA (Hons.) Economics
Not directly involved with the company board but give strategic inputs to senior management
keeping it agile and adaptable
W
I think the big change I have been able to bring to the table is focus on customer satisfaction and delivery.
ho says that IT is the domain of only those who are qualified in technology? Arvind Sood a graduate in Economics defies the norm. Currently working as the Chief Technology Officer, WNS India – a leading BPO - started his career at 19 with the CII where his main responsibilities were managing Internet and automation initiatives for all locations.
Ambitious projects
Sood attempts to simplify the operating environment at WNS and his efforts have resulted in the virtualisation of over 120 client environments for storage and authentication; covering over 18,000 users across 13,000 desktops. In addition, he has been instrumental in centralising the entire organisation’s database systems onto two major central nodes. “Centralising the database systems has reduced the costs by 30 percent and improved our response times for new engagements by 50 percent,” he asserts.
satisfaction and delivery. However, I encourage all my teams to challenge the status quo and continuously reinvent or improve service offerings. This keeps us agile and adaptable and also ensures that people in the organisation continuously get a chance to improve their skill levels,” he feels.
Outlook for the future
The future, according to Sood, looks bright. WNS continues to expand in both geographical and head count terms. There is a new suite of computing innovations that look extremely promising for a growing company like WNS. “Selecting the correct technology stack to support our growth is an interesting challenge that we hope to address in the medium-term,” he concludes. n
Key differentiators
Change is something that Sood strives for. He is never low on energy and has never turned his back on the biggest of challenges. “I think the big change that I have been able to bring to the table is my focus on customer
26
| the cto forum | 07 NOVEMBER 2009
n www.thectoforum.com
young cio s
Rajesh Munjal , 33
Head IT – Carzonrent, Easy Cabs Masters in Computer Applications (MCA)
Part of Core Management Team and involved in all major business decisions and management meetings
customer centricity is key
R
I believe in Plan, Do, Check and Act. I regularly apprise business of the benefits of IT so that business owns the projects.
adio taxis are a norm in India now. If not in all cities, at least in major metros of India, they are available on a call, SMS or through an Internet booking. ‘Easy cabs’ is a popular brand in the country today, and Rajesh Munjal the man behind running this facility, which has drastically improved the customer experience. Starting his carrier using DOS and Unix Servers for sales and distribution functions at all HETL plant and branch offices, Munjal has covered a long distance. “I took the challenge of ensuring that functional users should enter their information on their own and started telling the benefits to them. It was more like user-awareness. To my surprise, it was so successful,” he recalls. Today Munjal manages IT for Carzonrent India (parent company for Easy Cabs) in 13 cities and Radio Taxi operations in Delhi, Bangalore and Hyderabad.
Ambitious projects
While the company has seen many greenfield tech implementations, Munjal recollects two with great pride. First one was design, development and implementation of the CRM software for the rental business, which is operated under Hertz brand. “The CRM is being used at
www.thectoforum.com n
more than 50 locations and provides real-time availability of all cars. We are the first company in India that built this personal ground transportation software,” he claims. The CRM, integrated with payment gateways of Master, VISA and Amex, has been very successful. The customer service level has improved by over 60 percent. Next big one is the ‘Taxi Dispatch System’. The solution was imported from a Singapore-based company. It took them more than a year to customise and implement the solution as per the Indian environment. But the localisation has resulted in huge savings on support costs.
Key differentiators
Munjal believes in ‘PDCA Approach’ which means Plan, Do, Check and Act. “I regularly apprise business of the benefits of IT so that business owns the projects. I strictly follow the customer-centric approach because it is all about a happy customer experience,” he feels.
Outlook for the future
Munjal looks forward to understand ing more about ‘numbers’. “While we are involved in all the processes, understanding business needs and meeting customer expectation has become the real challenge for thinking CIOs,” he concludes. n
07 NOVEMBER 2009 | the cto forum |
27
Burgess Cooper, 35 CISO, Vodafone Essar India BE, MBA (JBIMS), CNE, MCP, CCNA, CISA, CISM, CGEIT
In Limca Book of Records for motor biking across four highest mountain passes in India
Wear the right attitude
B
I want to arm myself with the knowledge of all departments across an organisation to gear up for the role of a CEO.
28
urgess Cooper walks the talk when he says, “Life’s journey is not to arrive at the grave in a well preserved body suit, but rather to skid in sideways, completely worn out screaming - Yeah! What a ride!” Professionally a CISO of Vodafone and personally a PADI-certified scuba diver, Cooper holds a Limca record in his name. He completed motor biking across the four highest mountain passes in India and got himself registered in the ‘Limca Book of Records’. At 35, Cooper has clear goals. “Where on the one hand, I want to arm myself with the knowledge of all departments to gear up for the role of a CEO, I also want to appear for my qualifying exam for a Black belt in Karate,” he reveals. Quite a contrast but munificent by all means! Cooper has been with Vodafone since 2006 and has helped the company achieve the highest coveted certification PCIDSS (Payment Card Industry Data Security Standard) for Mumbai circle. “This makes Vodafone the first telecom company to get certified in India and the first operating company within Group. Currently we are implementing one of corporate India’s biggest audit and awareness programme by conducting IS audits and awareness sessions across 500 vendors,” he says.
| the cto forum | 07 NOVEMBER 2009
Before Vodafone, Cooper climbed through the ranks from a Telecoms Officer to IT Security specialist to AVP IT Security handling the entire gamut of IT Security services for HSBC Bank in India.
Ambitious projects
Cooper recalls the mission of standardisation of IT infrastructure in Vodafone into a single unified hardened configuration (>1000 routers/ switches, > 90 + firewalls), across 23 locations pan-India as his most ambitious and successful implementation. “We have also implemented ISMS and ISO 27001 for the national IT data centres and have helped the company to achieve the much coveted certification PCIDSS for Mumbai circle,” he tells.
Key differentiators
For Cooper, it’s all about the right attitude. “Assertiveness coupled with humble attitude is my approach to things. I owe this ‘attitude’ to the wisdom shared by JRD Tata,” he says.
Outlook for the future
Cooper wants to tow the line of optimism. “It would be my endeavour to obtain in-depth knowledge of various departments of an organisation, to prepare myself to hold a ‘CEO’ position someday,” he concludes. n
n www.thectoforum.com
young cio s
Vishal Salvi, 38
SVP & CISO, HDFC Bank Limited B.E. Computers, MBA Finance and CISM
Provides critical updates to bank’s audit committee, Provides quarterly updates to bank’s Information Security Committee
Kill the challenges point blank
D
My aim is to ensure that security does not become a bottleneck for implementing any new solution.
riving information security in a way that it creates value for various business groups and not just an additional layer of approval chain, is what Vishal Salvi, SVP and CISO of HDFC Bank aspires to deliver. Salvi’s role is to influence key stakeholders across the company, and therefore he feels it is important to first understand the business before developing any information security policy or solution. “You cannot think of any business being transacted without information security in place, and my aim is to ensure that security does not become a bottleneck for the implementation of any new solution in the organisation,” he says. Salvi was a marketing executive in an IT firm before he ventured into the banking sector and became an IT officer in Standard Chartered Group in 1995. Today, in his current position, he ensures successful management of information security.
Ambitious projects
In his career of over 15 years, Salvi has done multiple good things to recall. He has earned the reputation of one of India’s finest Infosec professionals and is respected for his domain expertise. But Salvi says that process migration from different countries such as UK, the US and Africa and
www.thectoforum.com n
Middle East and consolidation and standardisation of processes has been his mainstay so far. “Today HDFC is the only BFSI company in India to become the member of ‘Information Security Forum’, which helps in benchmarking banks with global best security practitioners. This is our third year of membership,” he says. He also tells about HDFC being one of the first banks to have a true multi-factor authentication solution.
Key differentiators
Salvi’s role involves a high degree of influencing all stakeholders. “It’s important to first understand the business, its goals, challenges, constraints and problems before developing solutions. I drive information security so as to create value for my business groups,” he says.
Outlook for the future
With the exponential growth in technology, there is a rise in information security challenges. “Some of the Indian companies are now on par with global best practices. The information security market is growing at a faster rate than IT, and this trend will continue for some years. “I want to make my company free from the dangers of cyber crime, which is most critical problem today,” sums up Salvi. n
07 NOVEMBER 2009 | the cto forum |
29
Joybrata Mitra, 45 CIO, Daikin Air-conditioning India (P) Ltd , Science Graduate from Calcutta University, PGDCA from IEC and MBA
[Operation Management] from, IGNOU, Responsible for India IT operation of Daikin Part of top management and takes all IT investment decisions
BALANCING THE ACT
J
To survive, implementation of appropriate technology is a must. Now there is no time or option left to defer it.
oybrata Mitra, CIO of Daikin India – a Japanese Air-conditioning major - is part of the young brigade of CIOs shaping the future of user-centric IT. Managing IT and aligning it with core business goals of world’s second largest air-conditioning company is no small task, which Mitra has been handling extremely well. Mitra got on to this wonderful journey with Vam Organic Chemicals (now known as Jubilant Organosys) 22 years back as a junior programmer. “I worked with Vam Organic for eight years. During my journey from Vam Organic to Daikin, I have worked with some renowned companies of India like ITC and Shriram Pistons & Rings. “A person is known by the company he leaves. All your achievements work as accolades for you in the future. Building upon past experiences and moving with conviction has been the hallmark of my journey,” he says.
achievement. “I always give equal importance to business as well as technology during implementation of applications. I call it a balanced approach,” says Mitra.
Key differentiators
Mitra feels that implementation of right technology and solution is the key differentiator for any CIO. “Technology has and will always drive business. To survive, implementation of appropriate technology and solution is a must. Now there is no time or option left to defer it,” he feels. n
Ambitious projects
Apart from a lot of routine stuff in day-to-day IT, Mitra feels that upgrading from SAP 4.6B to ECC 6.0 version and developing the new SAP module ‘Ukeharai’ to manage inventory at Daikin was his outstanding
30
| the cto forum | 07 NOVEMBER 2009
n www.thectoforum.com
young cio s
Vikram Saxena, 41
Senior General Manager, Head IT Emami Group M.Sc (IT), MBA, IBM Certified Professional on AS400 platform
Interacts with top management for IT Roadmap, business initiatives and IT approvals by presenting to the board/management.
System oriented approach
I
As a CIO, I aspire to become a perfect blend of technologist, change-enabler and business strategist.
t can’t get straighter than this. Vikram Saxena, Head of IT of Emami Group – a conglomerate with diversified interests in FMCG, edible oil, paper, healthcare and real estate - rates his success at 95 percent. Today Saxena is gearing up for a global rollout. He thinks his past experience from a wide variety of industries will help him maintain this success rate in all his future initiatives and rollouts. Starting his career with Eicher, a farm equipment major, as an IT executive, Saxena has held important positions in IT organisations, including that of GM of IT for SAP implementation at Hero Cycles Limited.
Ambitious projects
Saxena has seen many SAP implementations in his past roles. But he recalls that the successful implementation of SAP across all functions at Emami and effectively using in-house capabilities have been the key highlights. ‘The SAP implementation here not only gave me satisfaction, but also a new way of thinking. We went on successfully implementing the secondary sales automation system as well,” recalls Saxena. One project that Saxena wants to underline is ‘Project FIRE’ (Faster Information Retrieval from ERP)
www.thectoforum.com n
- SAP ECC 5.0 stabilisation, 100 percent on-line and sensitisation. “This project was an initiative to address all post implementation issues and make SAP as ‘One System’ for the entire organisation. It gave us speed, efficiency, optimisation – everything that you can count as benefit,” he says. This implementation, Saxena claims, has been rated as one of top 10 in innovation by IBM.
Key differentiators
Saxena believes in working with a more system-oriented approach. “I spend more time on problem definition, analysis and discussion. I ask teams to clearly jot down all the functionalities, including flowchart and project roadmaps, followed by a presentation to all stakeholders. After approval of the stakeholders, we execute the solution,” he says.
Outlook for the future
Saxena wants to have a more systematic approach to business and IT alignment. To sustain his success, he wants to learn all traits of business. “As a CIO, I aspire to become a perfect blend of technologist, changeenabler and business strategist. This helps me build an IT-enabled organisation,” he concludes. n
07 NOVEMBER 2009 | the cto forum |
31
Daya Prakash, 38
Head IT, LG Electronics India MBA – Finance, MCM (Masters in Computer Management)
Part of the senior management; Reporting into CFO and CEO
Work beyond boundaries
F
We have to ensure seamless communication in people and processes through effective use of tools.
or Daya Prakash, Head of IT at LG India, his company’s ‘Blue Ocean’ strategy is cast in stone. The crux of the strategy is focus on innovation. So much so that LG is running a competition globally to incubate innovation. “The evolution and in some cases revolution would continue to happen in the field of IT as it gets adopted in more enterprises. The future belongs to IT,” says Prakash who has covered a long journey in the past 15 years of his professional career. Prakash joined LG India in 2001 as an in-charge of its application division. “Here’s the opportunity to apply my knowledge in making IT a strong enabler of the business process. It took slightly longer, but I was successful,” he recalls.
Ambitious projects
Instead of one, Prakash insists on sharing two major implementations with us. First was a Vendor ERP (platform for supplier collaboration). Through this project LG achieved collaboration with its hundreds of suppliers. “It not only gave us complete online supply chain management, but also great transparency and accuracy of data. This web-based system gave tremendous advantage to the suppliers in operation management,” says Prakash. Second one is GSCP (Global Supply
32
| the cto forum | 07 NOVEMBER 2009
Chain Planning). An automated GSCP system is a supply chain optimisation tool, which works on weekly sales forecast basis. It not only gave us 5 percent improvement in logistics cost, but also 50 percent reduction in defective stocks. And the of number of days of inventory outstanding reduced from 29 to 22.
Key differentiators
Prakash modestly accepts he doesn’t approach things differently. “It is as simple as this: In order to sustain and grow in a business, it is must to focus on “next practices” rather than focusing on “best practices” says Daya citing Prof. C K Prahlad. “A CIO must understand the business and its direction and then apply his knowledge of IT to deliver results and help organisation achieve its goal. One may call it working beyond the boundaries,” adds Prakash.
Outlook for the future
Prakash strives for strategic advantage. The evolution and (in some cases) revolution would continue to happen in the field of IT. “However, we as IT leaders have to take up the challenge of working with business closely, by ensuring seamless communication in people and processes through effective adoption of tools and technologies,” he concludes. n
n www.thectoforum.com
young cio s
Maturity in Practise the young cio should develop a point of view on how business and technology will shape in the future
by alagu balaraman
A
ny young CIO is in an enviable position. We are seeing maturing of a set of technologies and a revival of business optimism. It is a terrific time to be shaping the IT roadmap for an organisation. The IT industry periodically has a batch of technologies that mature around the same time, leading the way for great experiments. This time around, we are seeing mature usage of Web 2.0, multiplicity of devices and operating systems at the presentation end and virtualisation, cloud computing and web services at the back end. We also have a new generation of tech-savvy people entering the workforce. It’s a great time to shape people’s work. What should a young CIO focus on, therefore? Let’s peel the layers off of this problem one by one and see. We’ll start with what all CIOs have to do, then see how it has changed in the current business circumstances. Finally, let’s take a look at what a ‘young’ CIO should do to ride over the present scenario and the future possibilities. Firstly, what are the things all CIOs have to compulsorily do? These are things that just don’t change with time and are table stakes for staying in the game. Top on the list is providing great services – the nuts and bolts of ensuring availability, education, information access and process support. Good times or bad, this has to be done at low cost. So you need to aggressively automate IT management to get routine and repetitive work out of the way; use outsourcing creatively to leverage your team and, of course, ensure good vendor management. Secondly, there is greater uncertainty in the market and planning cycles are shortening. There will be a demand for faster payback and more tangible results. Conversely, this is exactly when a well-planned architecture can make a huge difference in the delivery capabilities of IT. Transitioning into the right architecture that makes sense in the long run and choosing initiatives with quick payback will retain business relevance for the IT organisation. It’s a tricky job, requiring technical and selling skills, but then they didn’t make you CIO to do an easy job. So, this is also the time when greater leadership will be expected from you. Finally, we move to look at what is special for a young CIO in these times. With a combination of technical opportunities and business demands, you will need to think hard
www.thectoforum.com n
“Chart out a roadmap that will enthuse and energise your colleagues and your team.” and long about the shape of things to come. Your thoughts and experiments on technology, architecture and methods of exploiting both will shape your mental model on how to use IT. You can choose to be cautious and play safe. You can choose to develop the skill of taking and managing risks, keeping further up the curve than competition. To do this, the young CIO should develop a point of view on how business and technology will shape the future. Build on that vision and sharpen in it in your mind. Delve deep into frameworks and standards that will dictate your future game plan. Chart out a roadmap that will enthuse and energise your colleagues and your team. The future will be here before you know it. Enjoy it. n Alagu Balaraman is Vice President - Human Resources and Process Architect, Britannia Industries Limited
07 NOVEMBER 2009 | the cto forum |
33
young cio s
Walk the Talk
how budding cios can get extraordinary things done in their organisations
by s. r. balasubramanian
I
t is wonderful to see young minds applying themselves to the position of CIOs and doing rather well. They are energetic, enthusiastic, optimistic and ambitious and deserve all encouragement. They often refuse to follow the beaten track, and try new ways to succeed. While they should be adventurous and positive, a few guidelines in my opinion will lend strength to their endeavour.
Develop Business Acumen
This is easier said than done. This is purely asking our sensory organs to be active, to understand the environment that we operate in and the purpose for which the organisation exists. Just conceptual and theoretical knowledge wouldn’t really help. A CIO can volunteer to visit the markets and meet some customers, or take a round of the shop floor to get a sense of how the work gets done, or spend some time with the stores in-charge to understand the challenge that he faces when managing stocks. Absorb all that is said by the senior management personnel or the CEO – that will give a sense of how business is managed. Once you get closer to understanding the business, IT solutions that you propose will suddenly start making sense to the management.
Take Total Responsibility
Many of us often take work as a task and push matters to the extent we can. Though there is no harm in doing so, this approach stops us from doing that extra bit to transform the environment. For example, when we commission a solution and the user is less than responsive, we shrug our shoulders and say there is nothing more we can do. But if were to assume full responsibility of ensuring that the investment made is fully utilised, we would try different methods to make that happen or escalate the matter suitably and do whatever it takes to ensure usage. By doing so, we would ensure a higher success rate on our assignments, and in return gain the trust of the management.
“A CIO can meet some customers or take a round of the shop floor to understand how business is done.” we want and ask him to submit a proposal. I have always found it useful to explain the problem and then ask the vendor to work out a solution and present to us. I have been surprised many a time when the vendor brought out new dimensions that I would not have thought of. I realised that the vendor knows technology better than I do, and it is best to use their experience and also learn in the process. If there is more than one vendor involved, all of them compete to tell you more about their stuff and also what is wrong with the other solutions. You get educated for free and so why not make use of this opportunity. There could be many such approaches that may help you become more effective, but the above three were on the top of my mind. Once my senior told me that extraordinary means being a little above the ordinary – that was a great piece of advice, for we do not have to do something out of the world to be extraordinary. n
Be Willing to Learn
Yes, we all think we are always open and good at learning though this may not always be true. For instance, we think of a solution based on our understanding of technology and then call a vendor and start telling him the solution
34
| the cto forum | 07 NOVEMBER 2009
S R Balasubramanian, Executive VP, IS and Strategic Planning, Godfrey Philips India, has nearly three decades of working experience in Finance and IT domains.
n www.thectoforum.com
future cio
New Challenges; Newer Possibilities the new cio will have to totally immerse himself into the tactical business processes as well as strategic relationships
W
hen I became the CIO of an organisation 25 years ago, times were different. In those days computers were large monoliths behind glass walls and admired with awe by everyone. Getting the right to enter into those room was a privilege, and if you were allowed to touch and manage them, you were a whizkid. PCs had just about appeared on the scene and were extremely costly for the power they delivered. But owning a PC was a privilege reserved only for the CEOs of rich organisations. Things have come a long way in the intervening period. Today micro processors reside in practically every appliance we use, and thus we can call our washing machines, cars and refrigerators a computerized appliance. Children use their home PCs at age 2-3 to paint or play games, and later to do their homework and chat with their friends across the globe.
The changing role of a CIO Even in corporate life, the role of the CIO has undergone a dramatic change. A quarter century ago, CIOs were responsible for hardware, software, networks, security and everything else connected with computers. Today you have specialists looking after each aspect. Even the interfaces with the business functions have changed substantially. The CXOs of the past namely the CFO, CHRO, CMO, COO or the CEO were not very knowledgeable about how computers could aid the organisation as a whole and consulted the CIO. With the easy access to computers over the last decade, they are often an aware lot. The focus in business has also changed from functions to processes, and therefore process owners have emerged far more powerful roles than the traditional functional bosses. In the recent past, with the tremendous growth of business process outsourcing, IT has now become a commodity. Most large organisations have used external partners to do what the CIO used to do traditionally. With the emergence of
www.thectoforum.com n
by ashok kumar wahi
concepts like the ASP or SaaS as commercially viable ideas, IT will become a pay-as-you-use utility and I can see the role of the CIO change even more. Businesses will then not need the CIO that we have known in the previous millennium at all. He will then emerge as the real custodian of information or knowledge resource of the business. I feel we need to discuss and understand this evolution a little more. With IT becoming a commodity, I expect the SBU heads of a business to decide on purchasing IT services just as they purchase raw materials or fuels or services from suppliers of their choice to ensure that they are in full control of their profitability. This may result in disparate systems landing up in the different SBUs of the same corporation which may be good for the SBUs, but may be a disaster for the corporation as a whole. Most of the older CIOs have seen this ‘islands of information’ phenomenon in the early 1990s and have struggled hard with their CEOs to ensure compatibility and standardisation across the businesses. The magnitude of the new problem is going to be extremely challenging. This is because today every CXO thinks that he can do the CIO’s job and most of them have partial knowledge about computers and computerisation. In this context, the process orientation of the CIO and his emphasis on optimisation of organisation processes will be the driving force for SBU heads to move towards congruency and cohesion.
Changing Tech Landscape Availability of technologies like Service Oriented Architecture (SOA) will be the catalyst that will aid the change in perceptions of the CIO and help achieve the goal of agility without diluting the supremacy of information as the base for all decision making. This visibility of processes is available only to the CEO or the CIO, and will give the legitimacy to the new CIO’s role. This role thus envisages integrity, availability and security of the business information, use of internal or external (more
07 NOVEMBER 2009 | the cto forum |
35
next horizons
CIO 2020
next horizons
future cio often) sources to get it done, standardisation or at least compatibility across businesses to make knowledge available for decision making to all decision makers. The maturing of technologies will add to the role of the CIO, who will now have to process organisational information to discovering trends or patterns in various processes. Over a period of time, this is going to provide each organisation its USP. It will provide the impetus to innovation in the products and services offered by the organisation to its customers and provide real economic value to the society at large. In this role, the CIO will be only next to the CEO in creating thought leadership and driving positive change. While most CXOs think about customer’s needs and often take decisions on gut feel, the Information Age is going to emphasise on knowledge-based decision making.
Tasks of the Future The new CIO will have to multitask using multiple talents and contribute to multiple facets of business. Besides the conventional role, he will be a significant contributor to strategy, globalisation and other Board level decisions. This emerging role of the CIO is also leading to a situation where the CIO does not always coming from the vertical growth in the IT function, but also quite often from other
The new CIO will have to multitask using multiple talents and contribute to multiple facets of business. Besides the conventional role, he will be a significant contributor to strategy, globalisation and other Board level decisions.
36
| the cto forum | 07 NOVEMBER 2009
business functions. Currently, 39 percent of CIOs come from non-technical backgrounds, reports Forrester and that number will only climb. The new CIO is expected more likely to emerge from line roles than staff as in the past. The CIO of the next decade is going to need great selling abilities, team work, good negotiation and an understanding of the big picture. Development of most of these capabilities is dependent on the appropriate culture and environment of the organisation. I can thus see certain organisations not only develop future CIOs for themselves, but also for other organisations driving out their potential CIOs before they mature and become productive. The new CIO thus will be an all-round manager with in-depth knowledge of other functions such as marketing, finance, etc. With the evolution of IT from a back office data processing role to an integral part of each process and activity the role of the new CIO also is facing unprecedented pressure. I see the organisations that use the CIO as the driver of fact-driven business change having a much higher probability of success in the next decade. Businesses in the next decade will need to differentiate themselves from competition on the basis of innovation. Sounds familiar! But this time around the differentiating innovation will not come from the R&D labs but from leveraging integration of IT into all aspects of the businesses. Quite a lot of this will come from simplification or elimination of existing processes and some from designing new processes that integrate dozens of old processes into one. Besides this they will need to involve themselves in making the extended supply chain of the organisation totally IT-enabled. So it means working with the marketing and sales people to create visibility into the customers’ customers and with the purchase teams to create similar visibility into the suppliers’ suppliers. This also applies to other functions like finance to create integration capabilities with the organisation’s bankers, venture capitalists, share holders and so on. The new CIO will have to totally immerse himself into the tactical business processes as well as strategic relationships. n
Ashok Kumar Wahi is Professor of Information Systems at Jaypee Business School. He has spent 30 years in multiple functions including Information Technology, Operations Management, HR, Corporate Planning & Strategy etc. He has had exposure to multinationals like Nestle, Convergys, Dresdner Bank and ICI, Indian business houses like Spice group, NIIT, SRF, Apollo Tyres and Jubilant Organosys, Public sector organisations like BHEL and consulting organisations like A F Ferguson & Co.
n www.thectoforum.com
2.0
web
of Influence this ‘semantic web’ will turn the current document-driven internet into a database-driven internet, where every
information search and every movement online becomes a stored experience by peter bowman
&
aaron friedman
A
s the end of the first decade of the new millennium approaches, Internet developers and strategists are predicting the timing and impact Web 3.0 will have on the digital landscape. Analysts have proven that the Internet is much larger than most people even comprehend - some 500 times larger than all the content indexed on sites like Google and Yahoo. This ‘invisible web’ comprises hidden databases and protected data which are deployed online, but can only be shared on private networks. As with life itself, the Net has a way of evolving progressively and sometimes at great speeds. As the adoption of this technical evolution increases, so will related connectivity, community and a new era of personal empowerment online. The question remains will Web 3.0 and all of its proposed promises become more of a technical milestone or an Internet user expectation? In the 1980s, the world saw the adoption of the PC
www.thectoforum.com n
and desktop computing. This phenomenon of personal computing really took shape in the 1990s with the introduction of the Internet and basic applications which took data from file systems and expanded them into file servers. This period of the Internet introduction era or Web 1.0 was a major time of transition, as many industries were caught off guard in their adoption to a new way of dealing with both communications and business operations. The speculative financial markets in the Y2K years brought with it an investment correction online. The results of the meltdown proved that not everything built online with a business model in mind would find financial success. As the difficult market correction forced a new and more quietly focused period of development online, the power of people online and their social communications began to emerge as a new way to conduct commerce and foster a new level of online community. Web 2.0 has proven that users of the Internet dictate the Web’s progress more than
07 NOVEMBER 2009 | the cto forum |
37
next horizons
Widening Circle
next horizons
web
2.0
business models and money. The growth of social networking and personal publishing has empowered a new era of peer- to-peer sharing – as once static websites have turned rapidly into platforms that engage conversation and commerce. Today, entrepreneurs and online speculators are envisioning what the next generation Internet means as Web 3.0 and Web 4.0 push for their time. The new generation Internet is not so much a replacement of the old, but an extension of what has already been developed to date. As online users become more comfortable with digital and even mobile interaction, the logical, next step Internet will begin to seamlessly understand each user and learn meaning behind both language and user personality. This ‘semantic Web’ will turn the current document-driven Internet into a database-driven Internet, where every information search and online interaction is a learned and stored behavior and experience – one that understands, compounds and even learns about knowledge. This cognitive Internet ultimately will create a platform where information and applications are delivered at the right time and at the right place. With a new, intelligent design in delivering content and community, many thought leaders and institutional online players are discovering how to move to this new generation Internet. The question is will users have to learn how to interact with this new, self-learning Internet or will this intelligent extension simply fall into place as the Web begins to mirror the needs and personality habits of the individual user? Either way, this new, intelligent and thought-driven Internet will quickly move us to a whole new level of information and marketing delivery. There are two major shifts that will occur in the Web 3.0 environment. The first is that the abundance of information today will evolve to more controlled information tomorrow. The second is that any and all user movements and activities online become stored and learned behaviors, which ultimately benefit both the source and the individual. For the source, understanding user needs on an individual basis changes the entire Internet from a delivery mentality of ‘this is what we have’ to a new thoughtplatform of ‘this is what we believe you are looking for.’ For years, the driving force for search and aggregation of user tools has been industry leaders like Google, Yahoo and even newer ventures like BING that are starting to position themselves as next generation engines. To date, these institutional players have been the catalysts to global search content, leaving a ‘vertical hole’ in the semantic
search space. Most of the development around semantic search is stemming at the university, microoriented niche markets and vertical online community levels. It will be the predictive thinkers like WebMD (which Microsoft currently has an ownership stake in); that can deliver a large scale, vertical market site based on a cognitive platform. Experts believe it is the microniche markets that will ultimately serve as the new catalysts to the semantic and cognitive Web. These focused communities have the ability to not only harness their intellectual and market assets quicker, but also to better leverage their development resources with more accuracy. Additionally, vertical market communities can come to market more rapidly with a captive audience. In the end, these smaller initiatives will become the leaders in the next generation “Intelligent Web”. This trend may validate the reasoning why so many of these vertical market sliver sites and channels are currently under development. From a marketing perspective, the semantic web offers exciting value as dynamic communication programs become seamlessly integrated with user search and individual behaviour. Through learned behaviour tracking online, marketing programs can be delivered intelligently to the individual needs supplying the most strategic message at the right time to the right location and in the most compelling media format. One of the greatest challenges in this evolution of the semantic and intelligent web is for already existing sites to determine just how to migrate to this new databasedriven environment. Although a handful of sites are developing semantic engines, most are burdened with the process of even understanding how to migrate their existing platform to the newer cognitive design. For the user, a semantic engine is merely a seamless progression to being understood and being served. Older online users have already been through so many transitions online from E-commerce, site personalisation and even social networking. Younger users seem to have the ‘built-in’ gene code where the latest technology is automatically adopted. The fact is, all users will begin to expect smarter engines as topology and one-dimensional search engines and databases move into the semantic and cognitive space. n Aaron Friedman is a skilled technology leader with over 15 years of experience spanning IT operations and business development, with expertise in developing solutions in the technology sector, for the retail, vendor management, healthcare and financial services industry.
The question is will users have to learn how to interact with this new, self-learning Internet or will this intelligent extension simply fall into place as the Web begins to mirror the habits of the individual user?
38
| the cto forum | 07 NOVEMBER 2009
n www.thectoforum.com
risk management
next horizons
Running the risk-assessment processes typically
expose only the most direct threats facing a company and neglect
indirect ones that can have an equal or greater impact
by eric
lamarre and martin pergler
T
he financial crisis has reminded us that risks gone bad in one part of the economy can set off chain reactions in areas that may seem completely unrelated. In fact, risk managers and other executives fail to anticipate the effects, both negative and positive, of events that occur routinely throughout the business cycle. Their impact can be substantial—often, much more substantial than it seems initially. At first glance, for instance, a thunderstorm in a distant place wouldn’t seem like cause for alarm. Yet in 2000, when a lightning strike from such a storm set off a fire at a microchip plant in New Mexico, it damaged millions of chips slated for use in mobile phones from a number of manufacturers. Some of them quickly shifted their sourcing to different US and Japanese suppliers, but others couldn’t and lost hundreds of millions of dollars in sales. More recently, though few companies felt threatened by severe acute respiratory syndrome (SARS), its combined effects are reported to have decreased the GDPs of East Asian nations by 2 percent in the second quarter of 2003. And in early 2009, the expansion of a European public-transport system temporarily came to a grinding
www.thectoforum.com n
halt when crucial component providers faced unexpected difficulties as a result of credit exposure to ailing North American automotive OEMs. What can companies do to prepare themselves? True, there’s no easy formula for anticipating the way risk cascades through a company or an economy. But we’ve found that executives who systematically examine the way risks propagate across the whole value chain— including competitors, suppliers, distribution channels, and customers—can foresee and prepare for secondorder effects more successfully.
Risk along the value chain Most companies have some sort of process to identify and rank risks, often as part of an enterprise risk-management program. While such processes can be helpful, our experience suggests that they often examine only the most direct risks facing a company and typically neglect indirect ones that can have an equal or even greater impact. Consider, for example, the effect of a 30 percent appreciation in the value of Canadian dollar versus the US dollar in 2007–08 on Canadian manufacturers. These companies did understand the impact of the currency change
07 NOVEMBER 2009 | the cto forum |
39
next horizons
risk management on their products’ cost competitiveness in the US market. Yet a few had thought through how it would influence the buying behaviour of Canadians, 75 percent of whom live within 100 miles of the US border. As they started purchasing big-ticket items (such as cars, motorcycles, and snowmobiles) in the United States, Canadian OEMs had to lower prices in the domestic market. The combined effect of the profit compression in both the United States and Canada did much greater damage to these manufacturers than they had initially anticipated. Hedging programs designed to cover their exposure to the loss of cost competitiveness in the United States utterly failed to protect them from the consumer-driven price squeeze at home. Clearly, companies must look beyond immediate, obvious risks and learn to evaluate after-effects that could destabilise whole value chains, including all direct and indirect business relationships with stakeholders. A thorough analysis of direct threats is always necessary—but never sufficient. Competitors: Often the most important area to investigate is the way risks might change a company’s cost position versus its competitors or substitute products. Companies are particularly vulnerable to this type of risk cascade when their currency exposures, supply bases, or cost structures differ from those of their rivals. In fact, all differences in business models create the potential for a competitive risk exposure, favourable or unfavourable. The point isn’t that a company should imitate its competitors but rather that it should think about the risks it implicitly assumes when its strategy departs from theirs. Consider the impact of fuel price hedging on fares in the highly competitive airline industry. If the airlines covering
What can companies do to prepare themselves? True, there’s no easy formula for anticipating the way risk cascades through a company or an economy. But we’ve found that executives who systematically examine the way risks propagate across the whole value chain—including competitors, suppliers, distribution channels, and customers—can foresee and prepare for second-order effects more successfully.
40
| the cto forum | 07 NOVEMBER 2009
a certain route don’t hedge, changes in fuel costs tend to percolate quickly through to customers—either directly, as higher fares, or indirectly, as fuel surcharges. If all major companies covering that route are fully hedged, however, that would offset changes in fuel prices, so fares probably wouldn’t move. But if some players hedge and others don’t, fuel price increases force the non-hedgers to take a significant hit in margins or market share while the hedgers make windfall profits. Companies must often extend the competitive analysis to substitute products or services, since a change in the market environment can make them either more or less attractive. In our airline example, high fuel prices indirectly heighten the appeal of video-conferencing technologies, which would drive down demand for business travel. Supply chains: Classic cascading effects linked to supply chains include disruptions in the availability of parts or raw materials, changes in the cost structures of suppliers, and shifts in logistics costs. When the price of oil reached $150 a barrel in 2008, for example, many offshore suppliers became substantially less cost competitive in the US market. Consider the case of steel. Since Chinese imports were the marginal price setters in the United States, prices for steel rose 20 percent there, as the cost of shipping it from China rose by nearly $100 a ton. The fact that logistics costs depend significantly on oil prices is hardly surprising, but few companies that buy substantial amounts of steel considered their second-order oil price exposure through the supply chain. Risk analysis far too frequently focused only on direct threats—in this case, the price of steel itself—and oil prices didn’t seem significant, even to companies for which fluctuating costs may well have been one of the biggest risk factors. Distribution channels: Indirect risks can also lurk in distribution channels: typical cascading effects may include an inability to reach end customers changed distribution costs, or even radically redefined business models, such as those recently engendered in the music-recording industry by the rise of broadband Internet access. Likewise, the bankruptcy and liquidation of the major US big-box consumer electronics retailer Circuit City, in 2008, had a cascading impact on the industry. Most directly, electronics manufacturers held some $600 million in unpaid receivables that were suddenly at risk. The bankruptcy also created important indirect risks for these companies, in the form of price pressures and bargain-hunting behaviour as liquidators sold off discounted merchandise right in the middle of the peak Christmas buying season. Customer response: Often, the most complex knock-on effects are the responses from customers, because those responses may be so diverse and so many factors are involved. One typical cascading effect is a shift in buying patterns, as in the case of the Canadians who went shopping in the United States with their stronger currency. Another is changed demand levels, such as the impact of higher fuel prices on the auto market: as the price of gasoline increased in recent years, there was a clear shift from
n www.thectoforum.com
risk management
Effects on a company’s risk profile Risk cascades are particularly useful to help assess the full impact of a major risk on a company’s economics. Exploring how that risk propagates through the value chain can help management think through— imperfectly, of course—what might change fundamentally when some element in the business environment does. To illustrate, let’s examine how the risk posed by new carbon regulations might affect the aluminium industry. Aluminium producers would be directly exposed to such regulations because the electrolysis used to extract aluminium from ore generates carbon. They’re also indirectly exposed to risk from carbon because the suppliers of the electrical power needed for electrolysis generate it too. The carbon footprint can be calculated easily and its economic cost penalty determined by extrapolation from different regulatory scenarios and the underlying carbon price assumptions. This cost penalty would of cour se depend on the carbon efficiency of the production process and the fuel used to generate power (hydropower, for instance, is more carbon efficient than power from coal). In general, large industrial companies believe they are “carbon short” in the financial sense—their profits get squeezed when carbon prices increase. Is that always true? A different story emerges from a closer look at the supply chain, which stiffer carbon regulations would change in many different ways. The cost of key raw materials, such as calcined petroleum coke and caustic soda, would increase, along with logistics costs and therefore geographic premiums. The US Midwest market premium, for example, reflects the cost of delivering a ton of aluminium to the region, where demand vastly exceeds local supply. Not all competitors in the industry would be affected alike: this effect favours smelters located close to the US Midwest, because they could then pocket the higher premium. Some suppliers might even benefit from their geographic position.
Moreover, in a carbon-constrained, tightly regulated world, aluminium becomes a material of choice to build lighter, more fuel-efficient cars. Since automobile manufacturing is one of the largest end markets for aluminium, carbon regulation could substantially accelerate demand, thus helping to support healthy margins and attractive new development projects. Clearly, a high carbon price would enhance aluminium’s value proposition—positive news for the industry. Finally, carbon regulations would affect not only a particular company, but also its competitors, changing the economics of the business. For commodity industries, the cash cost of marginal producers sets a floor price. In a world where carbon output has a price, the cost structure of different smelters would depend on their carbon intensity (such as the amount of carbon emitted per ton of aluminium produced) and local carbon regulations. It’s possible to show how any regulatory scenario could influence the aluminium cost curve (Exhibit 2). In nearly all the plausible scenarios, the curve steepens and the floor price of aluminium therefore increases. For most industry participants, especially very carbon efficient ones (such as those producing aluminium with hydropower), a meaningful margin expansion could be expected. A simple risk analysis suggested that one of our clients would be carbon short and that its profits would therefore decrease under new carbon regulations. But a more extensive view of the way carbon risk cascades through the industry value chain shows that this company would actually be carbon long: as carbon prices increase, the company benefits economically thanks to its high carbon efficiency, its desirable geographic location (proximity to the US Midwest), and the potential added demand for aluminium. Unknown and unforeseeable risks will always be with us, and not even the best risk assessment approach can identify all of them. Even so, greater insight into the way they might play out can provide a more comprehensive picture of an industry’s competitive dynamics and help shape a better corporate strategy. Thinking about your risk cascades is a concrete approach to gaining that insight. n
Exploring how risk propagates through the value chain can help management think through what might change fundamentally when some element in the business environment does.
www.thectoforum.com n
Eric Lamarre is a director in McKinsey’s Montréal office, where Martin Pergler is a consultant.
07 NOVEMBER 2009 | the cto forum |
41
next horizons
large sport utility vehicles to compact cars, with hybrids rapidly becoming serious contenders. Consider too how the current recession has shrunk the available customer pool in many product categories: demand for durable goods plummeted among consumers holding subprime mortgages as their access to credit shrank, and demand for certain luxury goods fell as even financially stable consumers turned away from conspicuous consumption.
next horizons
disaster recovery
Driving without
a Seat Belt planning for disaster recovery on a shoestring budget
T
ake a look at car variants around you. The first feature to be axed in the lesser variants is security. Features like ABS and airbags are done away with to reduce the price of the vehicle. But, come what may, none of them sacrifice on seatbelts. Shouldn’t that be the case with security and disaster recovery (DR) too? Ignoring the anxiety of security managers, DR budgets have been the first to get the axe in many cases during tough financial times. The security managers are left to manage higher stakes with no budgets at their disposal. Here are some options for managers who are desperately trying to save the seat belts on their networks.
Resource maximisation
by geetaj channana
be bandwidth constraints too. Another problem that can crop up with this approach is the compatibility issues with various server or SAN environments. But, certainly this is one of the options that cannot be ignored.
Focus on people more than machines Your biggest strength lies with the people in your staff. Ensure that they are trained well in disaster management techniques and to think on their feet. In this case you have a minimal plan in place and maximised team dependence. Your team in this case will be provided with a basic plan that they can use to define the problem, isolate it and guide them in the right direction. What it does require is a lot of training and staff planning. Team building exercises are also beneficial.
This is just obvious, revisit your current DR plans. They may have worked well for the time they were framed, but revisiting them may give you access to some excess capacity that can be utilised in other projects now. It may look like putting the running projects at risk, while trying to give cover to the new ones. But careful planning can easily help you share the resources.
Test and retest
Taming the cloud
Finally, it comes down to simple discipline. Though it is important for proper functioning of all systems, it becomes a hygiene factor in difficult times. Even the simplest of plans can fall flat if the people executing them are not focused and driven towards the cause. It is, again, as simple as a seat belt; it will not save you if you do not wear it religiously. n Geetaj Channana is the Editor of Smart Business & Online Editor of The CTO Forum. geetaj.channana@9dot9.in
Doesn’t the cloud crop up on everything that has anything to do with saving costs? There are some pretty significant offerings that are coming up on the cloud for DR. These infrastructures allow companies to replicate their workloads in physical or virtual modes on a highavailability cloud infrastructure in stand-by mode. But the reservations of their application for disaster recovery remain; they are security, risk, integrity and the lack of trust of these services. In some cases it could
42
| the cto forum | 07 NOVEMBER 2009
With minimal plans in place and very little hardware to rely on, your structure and processes are your keys to success. To ensure that they are correct and do not require any tweaking you must test them at the full load by planned outages of the primary system.
Discipline
n www.thectoforum.com
network of the future
mpls networks
MPLS Networks
An Edge Over the Past mpls was once the technology of choice for carriers and service providers but today medium to large enterprises are having a taste of this technology which not only promises network scalability on demand but also keeps the whole network architecture secured.
K
by team cto forum
eeping pace with the maturity of information technology and the ever-changing business scenario, enterprises are keen on adopting dynamic network infrastructure, which gives them scalability and reliability. CIOs today are most concerned to be able to deliver applications with least cost and on demand. Multiprotocol Label Switching (MPLS) is one of those promising technologies that can be very beneficial to enterprises and this article – in a nutshell – outlines the repayment that MPLS will give and also satisfy the craving that enterprise have from their networks going forward.
Trends and issues Trends in global businesses show that businesses are crossing conventional geographical borders. Global corporations now need to link their various sites and branches to create a seamless enterprise. A completely new range of applications - being introduced in the current IT environment - is adding to the sophistication and complexity of the networks. Areas like videoconferencing, social networks and global supply chains are being considered as tools to not only enhance business operations but also bring homogeneity and promptness into the networks. To connect the remote locations and branches of an enterprise, availability of applications in a seamless manner and across ubiquitous systems indicate towards the point where MPLS makes life simpler. Another vital concern of CIOs today is about shielding the business sensitive data in their enterprise networks. And without using technologies like MPLS, most enterprises end up compromising their separate and scattered WAN links,
44
| the cto forum | 07 NOVEMBER 2009
thus increasing the operating costs and hazarding their valuable data. MPLS - as a promising technology – takes care of many of these critical issues in the enterprise network which otherwise takes a lot of the CIO’s time.
High on adoption curve Many of the research reports indicate that the adoption of MPLS-based networks is on the rise. The business drivers that are encouraging enterprises to move to an all-IP environment are not limited to reducing operational expenditures. Interest in IP VPNs is generated by a number of other factors including an inescapable growth in traffic across enterprise networks from applications such as Oracle, SAP SAS to the growth in digital transactions between business and from the growing mobile workforce. Many enterprises are also now exploring the use of MPLSbased converged networks where voice and data use the same transport link replacing traditional switched PSTN and enabling VoIP applications.
Demystifying MPLS MPLS is a technology framework that allows for the introduction of label switching to Layer 2 and Layer 3 of networking protocol. In a traditionally routed IP network, each router takes an independent decision to forward packets based solely on the header mentioned. Every time a packet reaches the router, it has to make a decision on the destination of the packet. Whereas, MPLS gives network operators the desired authority and control over their networks. It can handle packets with particular characteristics. Packets generated from the real-time data like voice or video can also easily be
n www.thectoforum.com
mpls networks
Gartner Magic Quadrant on MPLS-based Global Network Service Providers (2008) Challengers
Business Drivers
Really Beneficial When this technology was introduced, it was primarily embraced by the telecom and network service providers. But today an increasing number of enterprises are deploying MPLS. One of the key reasons why MPLS is making greater inroads into the enterprises is that it separates forwarding mechanisms from the underlying data link service. MPLS technology enables enterprises to protect their investment of existing Frame Relay or ATM equipment while migrating in stages to an all MPLS enabled infrastructure. Since it is a converged network, it eases out the network infrastructure with the convergence of multiple technolo-
Because of the connectivity that MPLS gives, CIOs can reduce the number of hops between network points. This means efficient response time and a remarkable improvement in the performance of any application. www.thectoforum.com n
Orange Business Services BT Global Services Verizon Business
AT & T
T-Systems Cable & Wireless NTT Communications Telefonica
Niche Players
Global Crossing Reliance Globalcom
Visionaries
Completeness of Vision
As of December 2008
Source: Gartner Report, December 2008
Ability to execute
The number one business driver for adopting MPLS technology is the network availability. And not just from a technology perspective but from the perspective of company viability. In the old days, if you added two offices, you saw your bandwidth and your costs jump by an equal percentage. In terms of the total operating budget for a CIO and how it grows as a percentage of revenue, it has to be very controlled growth. With MPLS VPN technology, companies have an option to the have multiple links and circuits. With a single physical network for multiple purposes, CIOs can logically separate these functions and thus guarantee the security for the critical data. Because of the connectivity that MPLS gives, CIOs can reduce the number of hops between network points. This means efficient response time and a remarkable improvement in the performance of any application. These networks have capability to improve disaster recovery capabilities of an enterprise. Enterprise data centres and other key architectures can be connected in multiple redundant ways to the MPLS network. The need for convergence and prioritisation as companies strive to lower their latency is yet another requirement for which enterprises need to evaluate MPLS networks.
Leaders
gies. Enterprises can get rid of multiple, complex overlay networks and are able to transport a lot of applications over the network using voice, video and data. Simplification of the network greatly reduces capital and operating costs. It supports Quality of Service (QoS) and is able to intelligently allocate the needed network bandwidth at the appropriate time.
From Carriers to Enterprises Earlier MPLS was viewed as technology meant for carriers and WAN service providers. Today enterprises are reaping its benefits too. But because enterprise networks are not as complex as the telecom service provider’s networks, only a few features are really applicable. Using MPLS, enterprise users can deploy cost-effective solutions that take care of networking needs - from core to the data centre and from branch offices to remote sites. One of the key differences in how enterprises make use of the MPLS technology vis a vis service providers and WAN service providers is the sheer scale. Carriers’ usage of MPLS is very extensive and supports a huge amount of traffic for services and applications. Whereas enterprises use it at a small scale and for particular needs. But today large enterprises, who have requirements as stringent as a carrier, are betting on MPLS. The aspects such as traffic engineering assist these large global enterprises in ensuring application delivery to different businesses across the geographies. The ability to assign priorities to mission-critical data at the provider edge of the network is often sufficient for the majority of enterprises. n
07 NOVEMBER 2009 | the cto forum |
45
network of the future
mapped to low-latency routes across the network, which is not possible using conservative routing technology. The labels in the new MPLS architecture – in a sense -provide a way to introduce additional information to each packet as compared to the last generation networks.
ctof custom series
green it
Reduce Power, Go Green data centres are renowned as power guzzlers, what is not fairly well known is that through simple power management steps the data centre can not only be lean but also green
by shashwat dc
I
n case, Jai Menon is perturbed by the challenges that confront him; he does well not to betray them. Yet, there is little doubt that the Group CIO at Bharti Airtel, the largest mobile phone operator in India, wears two hats almost in conjunction. While the expanding network and the burgeoning customer base (Airtel crossed 110 million mark a month or so back) compels him to scale at a pace unimaginable. Indeed, with the rapid expansion of computing power especially in the data centre, there has been the associated escalation of the energy usage and costs. “Power consumption in the data centre is a major focus area for any CIO. It constitutes the biggest chunk of opex cost of running a data centre,” admits Menon ..
Virtualize and consolidate Virtualization of software or server can be of immense help as companies can consolidate their infrastructure. In fact, a virtualization device or a software application can track the server space and remap applications to different physical locations as necessary. With virtualization, information can be made location-independent and can be redirected across multiple I/O devices and platforms. While vendors emphasise the need to go virtual, even the CIOs seem to agree about the benefits that accrue from it.
Start with Measure To r e d u c e t h e c o n s u m p t i o n , one needs to know how much is consumed. And this measurement needs to be carried over a period of time, say 3-6 months, so that a pattern can be established on what is the average consumption. While there are quite a few ways in the market to analyse the power consumption pattern, the Power Usage Effectiveness (PUE) is one of the most favoured. Basically speaking, PUE is a ration between the sum of total facility power divided by the IT equipment power. As of now there are no comprehensive data sets that show the true spread of the PUE for data centres though some preliminary work by PTS indicates that many data centres may have a PUE of 3.0 or greater.
46
“Power consumption in the data centre is a major focus area for any CIO. It constitutes the biggest chunk of opex cost of running a data centre,” admits Jai Menon.
| the cto forum | 07 NOVEMBER 2009
The green angle While, power management from a purely economic perspective does make a lot of sense, there is an undeniable ecological angle to it as well. As we move into an era of eco and climate change consciousness, wherein companies in the future will not only be asked to measure their carbon footprint but also reduce it actively, a leaner and meaner data centre would go a long way. The CIOs in the coming days would have another hat to don; a green one. Going by the consummate ease with which Indian CIOs wear many hats (business, technology, administration, etc.), this one should not pose any issue. Like Menon, who by the way is already wearing a green hat, there are scores of leading CIOs playing the role of change agent in India Inc. Green is certainly not perturbing like many other things. n Shashwat.dc@9dot9.in
n www.thectoforum.com
green it
we asked a few leading cios their opinions on the power consumption in their data centres and the steps they have taken to monitor it.
A
s the levels of automation and computerization increases and as more and more systems are put, the need for power at data centre increases. We have taken a number of steps to control the utilization of power. First and foremost we built a new state of art data centre where we took care of cooling patterns. Then we worked on server and Vijay Sethi, Hero Honda storage consolidation, we also have used virtualization a lot - around 80% servers today are virtualised. We monitor the power utilization regularly. n
W
P
V
ower consumption in the data centre is a major focus area for any CIO.. In order to monitor it, we have deployed a state of the ar t building management system (BMS). This provides us insights on power consumption versus utilization of servers, leading to decisions around virtualization and consolidation of servJai Menon, Airtel ers. We are actively using the PUE metrics. It’s measured monthly and reported to the senior management. Our latest 30,000 sq ft data centre which serves both internal IT requirements and external customers (large enterprises and SMB) has one of the finest PUE metrics. n
ithout monitoring and measuring, we cannot see how much power is used when and where and how. In this context, while building the new data centre in December 2007, we had given the emphasis towards mitigation with power & energy consumption in data centre The best way to Subbarao Hegde, reduce power consumption is to GMR Group save power consumption on IT equipment. For that, the IT-centric view is useful. n
ery few data centres are designed in a scalable power consumption model. But all of them are designed to accommodate the future growth demands of IT equipments . Due to this there is always an imbalance between power consumption on used capacity and usable capacity. The worry of availability of Capex Joseph Martin, for scaling up the facilities when Hiranandani Group needed in future force also seen as a reason for this. Virtualisation is one of the areas where we had already taken some successful initiates. Our ERP development , testing environment is in a virtualised state. This gives multiple benefits like lower power consumption and lesser heat generation. n
M
anaging cooling requirements in a data centre is definitely the area which has to be closely monitored for better environment management. There are many alternative rack layouts which can support more efficient cooling in a data centre. The new hardware even though closely packed are designed to consume less power. Regular review of hardware so that older servers are replaced with newer servers which may require less space, generate less heat and hence prove to be more cost efficient with more computing power in an overall sense. As connectivity is improving in our country one can examine if feasible to relocate the data centre in place where the average ambient temperature is lower e.g. the cities of Punjab, Himachal or Uttranchal Northerner UP and Bihar etc. Of course one has to also taken into account the availability of trained manpower. In my view relocation of Data centre to such locations would also reduce the overall costs of Data centres due to lower costs of land. n —Bihag lalaji, Ambuja Cements
www.thectoforum.com n
07 NOVEMBER 2009 | the cto forum |
47
ctof custom series
Power Management A View from the Top
ctof custom series
green it
Measuring Power the key to understanding power management in a data centre. by sanjay motwani, regional manager
A
-
s green initiatives begin to take priority for the enterprise simple rule-of-the-thumb measurements will have to be replaced by cold hard facts. It is common for an enterprise to have 25%-30% of their power consumption being taken up by their data centres. But when it is imperative to reduce this number by significant levels, where does one start? Logically speaking, the amount of power reduction that can be expected is a function of how much efficiencies can be derived from current levels and the most widely accepted representation of this is the power usage effectiveness (PUE) ratio. The PUE juxtaposes the amount of power provided to the data centre to the power being used to perform calculations. Simply put, it is a ratio where 1 represents the ideal situation and anything higher means that power is being used to feed non-computational tasks. PUE = Total Facility Power/IT Equipment Power To arrive at the numerator is not very difficult though it can get quite tricky in some cases. If the data centre is a stand-alone structure this is simply the power feed from the utility but in most enterprises this is not the case. A data centre may be the entire floor of a building in which case the reading from a submeter for that floor can be close to accurate, but this reading can be misleading if the datacentre shares its cooling with the entire building.
india and middle east, raritan.
It can get tricky but even in the worst case one simply needs to read of the meter reading from a couple of places to estimate the total power consumption of the datacentre. To arrive at the denominator is quite a challenge. Till recently data centre managers used rule of thumb percentages and applied it to nameplate ratings and as standard industry practice this was ~70%. But we all know that it is quite common for the usage to go beyond 80% at peak levels and below 20% at 2 am in the night To get closer to the number we have to get to the racks. The outlets of the power distribution units (PDUs) can be quite accurate, but depending on kind of PDU installed taking the reading can get quite cumbersome since not all enterprises have moved to intelligent PDUs. Of course the best option is just measure the power at the CPU. Measuring the power consumption is just half the work done. Numerous actions can be taken after we have the PUE equation, but what is really required is constant monitoring. Individual snapshot of power consumption at one point in time is not sufficient. IT devices consume a lot less power at midnight than they do in the morning and may hit peak power consumption at completely unknown day of the week. Measuring and continuous monitoring is key to optimizing the power allocation to datacentres. n
Measuring the power consumption is just half the work done. Numerous actions can be taken after we have the PUE equation, but what is really required is constant monitoring.
48
| the cto forum | 07 NOVEMBER 2009
sanjay.motwani@raritan.com
n www.thectoforum.com
tech for governance
security governance
7
Sins ofSECURITY
50
| the cto forum | 07 NOVEMBER 2009
why security initiatives fail in organisations by gan subramaniam
n www.thectoforum.com
security governance
www.thectoforum.com n
Every policy should have a business basis or justification. A number of templates are available dished out by consultants. It may look like an easy cut-and-paste job to create policies almost instantaneously. But, unless the business needs drive and are the basis for the policies, they shall continue to remain ineffective. There is no point in having policies simply for the sake of having them. Security policies divorced from the business needs serve little purpose. awareness within his organisation. Any organisation comprises different types of people. If I were to categorise them based on their security aptitude and attitude, my list will be like this: Indifferent Ignorant Ill-informed Interested Informed Convinced Committed Supportive Evangelistic It is the duty of the CISO to convert indifferent individuals with less security conviction to security evangelists. None of them will be convinced and get converted overnight. Only an appropriately planned and executed security awareness creation and sustenance campaign can lead to such change. The last sin is not undertaking continuous monitoring and not reporting on the effectiveness of the policy implementation. Security incidents, ranging from very small to substantial/major, do occur on a regular basis. There is a definite need to monitor, track and report on incidents that warrant reporting and pick up lessons from such incidents. Whilst reporting insignificant incidents is a waste of time and resources, not reporting those that need to be, implies that the CISO is the worst sinner. B. Gan Subramaniam is an eminent information security professional in India and can be reached at bgansub@yahoo.com
07 NOVEMBER 2009 | the cto forum |
51
tech for governance
D
espite the mandate to meet regulatory or audit requirements, many times security initiatives, in particular the policies implementation and rollout fail miserably. A simple analysis of such failures tells us about the ‘seven security sins’. Every Chief Information Security Officer (CISO) should understand and appreciate that everything cannot and need not be secured. It is impossible to secure the organisation against all risks. A computer is best secured when it is unplugged and turned off. The only constraint is that it cannot be used in such a situation. Security and usability are two inversely proportional variables. Business managers are bound to take risks, and gain is a function of risk. Informed risk or being risk-aware is an ideal state to be in. Risk is nothing but an anticipated outcome resulting from increased awareness. It is the responsibility of the CISO to advise the business in making risk-based decisions. By being extremely paranoid, security managers may alienate their colleagues running the business. Every policy should have a business basis or justification. A number of templates are available dished out by consultants. It may look like an easy cut-and-paste job to create policies almost instantaneously. But, unless the business needs drive and are the basis for the policies, they shall continue to remain ineffective. There is no point in having policies simply for the sake of having them. Security policies divorced from the business needs serve little purpose. The next sin is that the policies may be completely IT-centric. Security is often viewed as a technology issue, which is completely incorrect. To quote Bruce Schneier, a well know Security Guru, “If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” Many security professionals are infatuated with Firewalls, IDS and Penetration Testing etc. IT-centric solutions may solve part of the issues, but never in full. Security policies that remain static over a period of time automatically turn stale. They are not like ornaments or jewellery to be used occasionally. In the real world, ornaments may sometimes appreciate in value, but security policies do not. Business environment, technology, people and processes undergo regular change over a period of time. The security policies should be able to cope with those changes and be constantly updated to meet the changing business needs. CISOs render a major disservice to their companies by not keeping the policies current and letting them rot is yet another cardinal sin. CISOs must KISS always - Keep It Simple and Straightforward. Complex policies are rarely understood and people will alienate themselves automatically. Even if they are understood, people are unlikely to adhere to them. Implementing complex policies is next to impossible. People who find the policies complex, innovate and invent multiple ways to circumvent them, which defeats the purpose of their creation and existence. A prudent CISO is one who spends a substantial part of his/her budget on creating and raising security
tech for governance
risk management
Lies,
Damn Lies Statistics in Risk Management risk management is totally underplayed in most organisations, and the problem really lies within
by todd zebert
R
isky behaviour of past and outright foolishness are perfect ingredients for risk mismanagement. We’ve all heard Benjamin Disraeli’s quote ‘Lies, damned lies, and statistics’ which implied that statistics can be used to lie persuasively or lend credence to otherwise suspect arguments. With Risk Management getting layered atop statistics, things can really go wrong and provide a false sense of security. Individuals and organisations not only have a tolerance for risk, but also seemingly a tolerance for risk management itself. This tolerance biases our management, limiting the effective application of risk management. This article uses examples primarily from IT Operational and Project Risk Management, but is broadly applicable. It deals primarily with the organisational behavioural failures around Risk Management.
The Common Mismethodology While there are plenty of Risk Management methodologies, this one will suffice. It’s presented in reverse order as it is in the same order that organisations mismanage.
54
| the cto forum | 07 NOVEMBER 2009
1.Implementation of treatments 2.Prioritisation of treatments 3.Identification of risk treatments 4.Determine risk associated with threats 5.Assessment of threats 6.Identification of threats 7. Implementation of treatments Our budget is $85,000 so let’s spend it. How can we treat some of our threats? Actually, we don’t know what treatments would be most effective, but we’ve got to do something. We’ll add an extra signature here, a process there, a database of information here, remove some rights there, and hey I read about this in an industry magazine, so let’s do this other thing. Unfortunately, we’re having trouble getting buy-in from our development managers! Seems Risk Management and Accountability are not in their yearly goals and objectives; only functional point delivery and cost containment are. Anyway, those development guys just throw the product over the wall to the operations department,
n www.thectoforum.com
risk management
5
Prioritisation of treatments
Let’s get something going here even though we haven’t completely tied risks to treatments. Look, ‘treatment C’ should be easy – let’s start with that. What are we going to do ‘Treatment A?’ Could be expensive, let’s table that. Here’s another good idea, ‘Treatment 1’, it’s not on the list, but how could it not help? CXO David has talked to me about ‘Treatment D’; it seems his staff would have to change how they are doing things, so let’s mark that as hold and I’ll circle it and check with him.
4
Identification of risk treatments
Treat first, ask questions later: ‘Risk transfer’, I like the ring of that! If it’s outside my department and budget, it doesn’t exist! ‘Risk retention’ I can live with that, but let’s not really tell anyone. It’s better if they think we’re covered. And it’s free! ‘Risk mitigation’ of our server hangs and faults? Reboot! It’s fast and will keep our metrics high. The root-cause analysis will have to wait until it fails in non-production hours, or Saturday evenings between 11:45pm and midnight. ‘Risk avoidance.’ Well, it’s neither like we can’t do this project nor change the budget or timeline. “I’m going to need you to come in on Saturday [and get those functional points done, but don’t worry about checking for buffer overflow, it’ll be fine]”
3
Determine risk associated with threats
I didn’t have the time to go through the control logs or organisational assets of previous years, but I talked about likelihood of occurrence with the team. Look at this nice chart – it’s ordered and orderly: the threat, the rate of occurrence, the impact, and the risk value and description. Very comforting despite the false precision. It’s math. How can you argue with math? Put it in a PowerPoint and it’s gold.
2
Assessment of threats
Fire! Now what happens? Probably, we’re all on our way to being fired. Time to CYA. Along the way, let’s limit to one resulting problem from any one source issue. Let’s recount ‘war stories’ and see if we find the correlative cause post-hoc. How does one measure ‘we’re out of business?’ Doesn’t matter, we’re going to toss out the outliers anyway. Time to quantify the qualitative.
1
Identification of threats
Look at this Risk Management process! How much is this going to cost me? Can you just go take care of it while we do something useful? After extensive analysis of sources and problems, running various scenarios and
www.thectoforum.com n
With Risk Management getting layered atop statistics, things can really go wrong and provide a false sense of security. Individuals and organisations not only have a tolerance for risk, but also seemingly a tolerance for risk management itself. This tolerance biases our management, limiting the effective application of risk management.
checking best practices, we’ve identified the root risks: 1) We started this project, and 2) We’ve chartered an unyielding Project Triangle. n Todd Zebert is IT Leader with extensive experience, known for realizing business potential through IT. Todd writes blogs actively and you can find him at http://toddzebert.blogspot.com
07 NOVEMBER 2009 | the cto forum |
55
tech for governance
and then latter deal with the operational bugs and data integrity issues. I feel safer.
viewpoint
george zakharia
Coming of Age on the growing pains of a tightly coupled infrastructure
T
he rules of behavior one follows in life depend on the context: there are people who don’t behave as a grownup at work. While it is obvious to everyone, it doesn’t seem to be clear to a few IT managers and CIOs whose organisations are undergoing significant growth. Leniency allowed in an IT infrastructure when organisations are relatively small cannot hold on when companies grow. While coupling of systems is a necessary expedient in small organisations, it is totally unacceptable in the large enterprise. And if rapid growth takes an IT infrastructure from nascent IT to a mature IT in a time too short for adaptation, the growing pains experienced by these IT managers may be quite painful. When an organisation is small, it typically starts off with a financial system and core business applications such as Inventory Control, Customer Sales or Material Management. While these could typically be run as separate applications, a growth-focused company will quickly require that the two aspects of business be integrated: the CEO will want to know at any one point what his financial situation is as opposed to his assets. The IT manager then scuffles in a panic and eventually comes up with an acceptable solution: by the very nature of the request the two independent apps now get to access each other’s databases with the right of update. The business data that needs to be coupled with the financial data is shipped to the financial system and placed in newly created tables. The fact that duplication of information takes form is swept under the carpet. Soon, on top of regular event-driven feeds from the business system, the financial system begins to allow itself to fetch data directly from the core business system to suit its reporting requirements: unquestionably the essence of a tightly-coupled IT infrastructure. Why is an application allowed to play around with its own data, and not data from another application? It basically boils down to data ownership and responsibility. When applications begin to tamper with each other’s data, then the lines of responsibility begin to blur; except if the teams developing one application are very close or the same as those developing the other, which is typically the case in a small organisation. As an organisation begins to grow, other factors come into play: Its number of employees increases and their productivity becomes imperative; competition begins to drive increased customer-facing services; and a Web presence with stringent availability constraints becomes imperative; and so on.
56
| the cto forum | 07 NOVEMBER 2009
Within the IT infrastructure, new applications begin to proliferate and legacy applications begin to grow. Development teams begin to mushroom here and there. All of a sudden the question of data quality and ownership arises: who owns the customer data? The financial system or the core business system? Or both? Or neither? The question of system availability becomes crucial and applications are now assigned owners that have to answer to the CIO but because of rapid growth, the systems are very tightly coupled and when a problem occurs the blame business inevitably begins. A well informed CIO will look ahead and realise that there are ways in which applications can integrate without having to directly access and update each other’s data. As such, the concept of loose coupling begins to make sense to small organisations, and the drivers behind service orientation and asynchronous messaging become clearer. n George Zakharia is the Founder & CEO at CTO4u LLC. He has held positions as CTO at A.P Moller Maersk, Principal Technical Advisor to the Minister at United Nations Development Program, President & CEO at M2C2 Mini Micro Computer Corporation
n www.thectoforum.com