
CTO Forum

Technology for Growth and Governance

September | 21 | 2011 | Rs.50 Volume 07 | Issue 03

I Believe: Boost Business, Wow Customers: Automate | Page 04

Viewpoint: Treat The Cause Not The Symptom | Page 44

No Holds Barred: 3D Heat Map Cuts Cooling Costs | Page 36

Security and the Cloud | Knowledge Management | How to Curb Licensing Costs

Forging a Symbiotic Relationship: The CIO and the vendor need to understand each other's goals for a mutually beneficial relationship | Page 22

A 9.9 Media Publication


Scale up from 10 kW to 2 MW as fast as your business needs it

Now, align your back-up power to your business strategy through scalable, modular back-up power and power distribution

The Symmetra PX 100 fits anywhere, with no rear access required. It is scalable up to 2 MW, giving you more power in a smaller footprint.

Right-sized, modular power – the key to virtualizing with true efficiency! If you haven’t already virtualized your servers, you’re probably seriously considering it. What you may not know about virtualization is this: modular power is critical to maximizing the gains made through virtualization. Otherwise, overabundant power simply negates the efficiency advances you’ve made. Now, combined with our new three-phase modular power distribution unit (PDU), the modular power you know from the APC by Schneider Electric™ acclaimed line of three-phase Symmetra™ PX UPS units is more flexible than ever. The new modular PDU lets you go up to 2 MW quickly in a modular, scalable fashion. Only APC by Schneider Electric gives you this means to scale up or down at the speed of business itself. What’s more, our modular power configures in parallel up to 2 MW, for enterprises with consolidated servers that are growing on a larger scale. In addition, the parallel-capable PX now can support system-level redundancy if you need it.

The PDU – modular power’s newest frontier Our truly modular PDU technology holds the key to enabling you to quickly align IT capabilities to your business needs — literally in a snap! With the plug-in modular PDU, you don’t need to schedule outages as the modules can be added easily without system interruption at any time of the day. And you no longer have to predict your future power circuit needs. In fact, you can add circuits as fast as you add the power modules themselves. That’s right-sized scalability and flexibility!

Modular PDU

• High-density power in a fraction of the floor space
• Up to 277 kW in a 1/2 rack footprint
• Built-in advanced alarms and notification

Distribution module

• Plugs directly into RPP and PDU products
• Hot-swappable and safe
• Available in single and three-phase

Scale up or down as your business demands

Scaling up or down no longer means powering down or attempting to forecast future use. So now you ensure that your IT is truly in line with your ever-changing business strategy.

A Scalable, Reconfigurable, and Efficient Data Centre Power Distribution Architecture (White Paper 129)

Executive summary

There is much confusion in the marketplace about the different types of UPS systems and their characteristics. Each of these UPS types is defined, practical applications of each are discussed, and advantages and disadvantages are listed. With this information, an educated decision can be made as to the appropriate UPS topology for a given need.

Contents: Introduction; UPS types; Summary of UPS types; Use of UPS types in the industry; Conclusion; Resources

Download a FREE copy of APC White Paper #129, ‘A Scalable, Reconfigurable, and Efficient Data Centre Power Distribution Architecture’!

Visit www.apc.com/promo Key Code 96132t Toll Free 1800 4254 877/272 ©2011 Schneider Electric. All Rights Reserved. Schneider Electric, APC, Symmetra, and InfraStruxure are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. Schneider Electric India Pvt. Ltd., 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase 2, Gurgaon - 122 002 Toll free 1800 180 1707 or 1800 103 0011 • 998-1762_D_IN


editorial Pramath Raj sinha | pramath.sinha@9dot9.in

Love thy vendor!

There has to be a certain level of transparency between an organisation and its IT vendor.

I remember an interesting lawsuit filed in 1998 in the US. FoxMeyer, ranked as the fourth largest drug distributor in the country, sued Andersen Consulting for a whopping $500 million! The charges: FoxMeyer alleged the consulting major’s high-priced and slipshod SAP installation led to its bankruptcy and eventual liquidation. While I can’t recall the fate of the lawsuit, a strong takeaway from the legal tangle was that one has to be very careful, first while zeroing in on a vendor, and then subsequently in managing the relationship. A false step can lead to your company’s collapse.

Although this holds good for every function, it is all the more critical when it comes to choosing IT vendors. Selecting a vendor to run a college canteen or deciding on a vendor to supply stationery may not be that tough. Demand patterns here are fairly predictable and changes slow. Choosing the right IT vendor is a different ball game altogether. Technology obsolescence is rapid, as are business dynamics. A CIO has to be ready with an IT infrastructure that is quick to adapt and align to any such change.

So, you can love your vendors, you can hate them, but you simply can’t ignore them. In fact, the real exercise of managing your vendor starts once you have signed on the dotted line. From that point, the vendor becomes a partner and the partnership becomes an extension of your organisation into that of your vendor. There has to be a certain level of transparency between an organisation and its IT vendor. As one example, the former should share its growth plans while the latter should provide access to its product development road map.

In this issue’s cover story, we cover how one can forge a long-term and mutually-beneficial relationship with one’s vendor, as this can make all the difference to your business in terms of speedier go-to-market, operational efficiencies, and increased focus on core activities. Some of you are already going that extra mile in striking the right rapport with your vendors. There are CIOs who annually meet offsite with their vendors to review their IT plans. After all, no amount of vendor management solutions and processes can substitute the ‘human touch.’

It is said, “choose your friends with care, and stick to them!” I would say choose your vendors with care and stick to them. So, when was the last time you took your vendor out for lunch?

Editor’s pick (Page 22): Forging a Symbiotic Relationship. The key to smooth vendor management lies in the CIO and the vendor understanding each other's goals for a symbiotic relationship.

The Chief Technology Officer Forum

cto forum 21 september 2011



SEPTEMBER 11 thectoforum.com

Cover Design by PC Anoop

Contents

Cover Story

22 | Forging a Symbiotic Relationship: The CIO and the vendor need to understand each other's goals for a mutually beneficial relationship

Columns

04 | I Believe: Boost Business, Wow Customers: Automate. Automation helps make customer the king. By D Ramakrishnan

44 | Viewpoint: Treat The Cause Not The Symptom. Virtualise Your Data. By Steve Duplessie

Features

Please Recycle This Magazine And Remove Inserts Before Recycling


Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Silverpoint Press Pvt. Ltd. D- 107, MIDC, TTC Industrial Area, Nerul, Navi Mumbai- 400706


38 | Tech for Governance How to curb Licensing Costs By Pam Baker


www.thectoforum.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Senior Editor: Harichandan Arakali
Assistant Editor: Varun Aggarwal
Assistant Editor: Ankush Sohoni

Design
Sr. Creative Director: Jayan K Narayanan
Art Director: Anil VK
Associate Art Director: PC Anoop
Visualisers: Prasanth TR, Anil T & Shokeen Saifi
Sr Designers: Joffy Jose, NV Baiju Chander Dange & Sristi Maurya
Designers: Suneesh K, Shigil N, Charu Dwivedi Raj Verma, Prince Antony & Binu MP
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

No Holds Barred

36 | 3D Heat Map Cuts Cooling Costs: As organisations struggle with staggering power bills of data centres, G Dharanibalan, Vice President, IBM, India/South Asia, talks about how IBM helps CIOs cut their energy and cooling bills with technological aids

31 | Next Horizons: Security and the Cloud. Cloud really looks to revolutionise information technology. By Geoff Webb

12 | Best of Breed: Knowledge Management. People, processes, structure and culture are the core components of a winning KMP

Regulars

01 | Editorial
08 | Enterprise Round-up

Advertisers’ index

Schneider: IFC
Riverbed: IBC
IBM: BC

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

advisory Panel Anil Garg, CIO, Dabur David Briskman, CIO, Ranbaxy Mani Mulki, CIO, Pidilite Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo Raghu Raman, CEO, National Intelligence Grid, Govt. of India S R Mallela, Former CTO, AFL Santrupt Misra, Director, Aditya Birla Group Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices Vijay Sethi, VP-IS, Hero Honda Vishal Salvi, CSO, HDFC Bank Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay Vijay Mehra, CIO, Cairns Energy Sales & Marketing National Manager-Events and Special Projects: Mahantesh Godi (09880436623) Product Manager: Rachit Kinger (9818860797) GM South: Vinodh K (09740714817) Senior Manager Sales (South): Ashish Kumar Singh GM North: Lalit Arun (09582262959) GM West: Sachin Mhashilkar (09920348755) Kolkata: Jayanta Bhattacharya (09331829284) Production & Logistics Sr. GM. Operations: Shivshankar M Hiremath Manager Operations: Rakesh upadhyay Asst. Manager - Logistics: Vijay Menon Executive Logistics: Nilesh Shiravadekar Production Executive: Vilas Mhatre Logistics: MP Singh & Mohd. Ansari OFFICE ADDRESS Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul Navi Mumbai - 400706. Printed at Tara Art Printers Pvt ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301 Editor: Anuradha Das Mathur For any customer queries and assistance please contact help@9dot9.in This issue of CTO FORUM includes 12 pages of CSO Forum free with the magazine


The author brings more than 15 years of industry experience to his role

Photo by S Radhakrishna

I Believe

By D Ramakrishnan Head, Core Banking, ING Vysya Bank Ltd.

Boost Business, Wow Customers: Automate

Automation helps make customer the king, as it turns interactions upfront and personal, efficient and pleasant

Current challenge: To help sustain operational excellence in implementing the bank's long-term core-banking strategy

From a customer perspective, automation matters a lot. One must necessarily make customer interaction with the organisation convenient, efficient and a pleasant experience, be it via a mobile phone, a Web-based interface, a kiosk, personal interaction, or any other channel.

Automation can play a strong role here, and is a critical component in improving business in most organisations. This is for three reasons: First, customer centricity, where we look to provide that 'wow' factor and the customer gets something useful and convenient. Second, automation frees up skilled full-time employees from routine work so that they can focus on innovation. Finally, automation enables efficient processes.

Next, in any automation strategy, an organisation must determine its own appetite for both the automation itself and any risk that might arise out of automating certain processes. The reverse is also an attraction of automation, in that one can eliminate the risk attached to manually handling certain business processes by automating those processes, from a technology point of view. An organisation's maturity in terms of technology adoption is an influencing factor in how far it might be willing to go to automate anything.

The current practice in most corporations is to increase automation — not to reduce FTEs but for the three reasons I mentioned earlier. For example, as part of an initiative called 'Customer First,' we automated a few customer-facing processes to a very encouraging response. One of them is chequebook re-ordering. When a threshold number of cheque leaves are spent (processed in the system) by a customer, it triggers an automated re-order of the chequebook. We also automated 'Insta PIN' and 'Insta Card' where, if you lose your PIN or your card, you just walk up to your nearest branch with any valid identification proof as per records, and get it instantaneously. The PIN or Card is activated within 24 hours. Thus, automation helps us differentiate and distinguish ourselves from our competitors in the eyes of our customers.




LETTERS

CTOForum LinkedIn Group

Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Open Source vs Proprietary SOFTWARE

Practically how many of you feel OpenSource Free software are best solutions than any proprietor software's?

I would rather mention that your call should depend on the criticality of the application to serve the enterprise business requirement, as opensource application can have security breaches and lack of support in a worst-case scenario.

—Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

Are CTOs more interested in satisfying the CFO & Board rather than the consumer?

The CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.


http://www.thectoforum.com/content/%E2%80%9Cthereare-5-million-decoyaccounts%E2%80%9D

Future lies in Open Collaborative Spaces

Open-Concept spaces are efficient and cost effective and it certainly encourages collaboration. “In the coming months and years, you're going to see more and more companies and their employees opting to work in open collaborative spaces.” To read the full story go to:

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

Ajay Goel, Managing Director, India and SAARC, Symantec talks to Varun Aggarwal about embedded security, hacktivism and the impact of regulations in India.

Opinion

Arun Gupta, Group CIO, Shoppers' Stop

CTOF Connect

Paul Martine CIO and Corporate VP of Operations, Citrix Systems

http://www.thectoforum.com/content/futureoffice-environments-will-be-dominated-opencollaborative-spaces-0


Enterprise Round-up

Feature Inside: Gmail Now a Viable Alternative to Microsoft Exchange Pg 10

Illustration by Shigil N

Intel Joins Hands with Google for Ultrabook

Outlines plans for computing and smartphone businesses

Intel Corporation has announced a new effort with Google that aims to accelerate Intel’s business in smartphones. The company also revealed that Intel’s engineers are working on a new class of platform power management for Ultrabooks that will aid in the delivery of always-on-always-connected computing. Intel’s President and CEO, Paul Otellini, made the announcements during the opening keynote of the Intel Developer Forum in San Francisco.

“Computing is in a constant state of evolution,” said Otellini. “Intel is innovating and working with our partners to deliver computing experiences that are more mobile, secure and seamless.”

Addressing a major corporate goal of growing Intel’s business in adjacent computing market segments, Otellini discussed the company’s recent efforts to accelerate its smartphone business and showcased a form factor reference design based on Intel Atom processor, and running the Android platform. He predicted that Ultrabook systems will provide the most satisfying and complete computing experience. The company is working with industry partners to deliver mainstream-priced products beginning this holiday season for this new category of lighter, sleeker compute companions.

Data Briefing: $114 billion, cost of global cybercrime


They Said It: Paul Otellini

Paul Otellini, President and CEO, Intel outlined the company’s plans to enable and optimise future releases of the Android platform for Intel’s family of low power Atom processors. The joint effort is designed to speed time-to-market of Intel technology-based smartphones running the Android platform.

“Our collaboration with Google will bring a powerful new capability to market that helps accelerate industry innovation, adoption and choice” — Paul Otellini, President and CEO, Intel Corporation

Dell Acquires Force10 Networks

Force10 R&D team in Chennai to be ramped up

As Dell finalised its acquisition of Force10 Networks, a player in high-performance data centre networking, it announced that Force10 Networks’ Chennai R&D team will be significantly ramped up over the next 12 months to play a critical part for Dell’s networking business. Force10’s products and technology will greatly complement Dell’s existing Enterprise data center solutions.

Force10’s Chennai Innovation Centre houses about 265 engineers working on core/switch product development, including software development and testing for Force10’s multiple product lines and multi-protocol label switching (MPLS). Some of the most recent Force10 products (such as TOR4810 solution for low latency and 10G aggregation and Z9000 distributed core solution) were all developed at the Chennai Centre.

The Force10 acquisition is Dell’s latest investment to broaden its networking portfolio to deliver its Virtual Network Services Infrastructure. Dell expects the transaction to be accretive to earnings in the second half of 2012. It will hire several hundred team members in engineering, sales and marketing, and services jobs at the Dell Silicon Valley as well as Chennai R&D Centres. Dell has taken significant steps over the past three years to expand its presence as a complete solutions provider.

Illustrations by Shigil N

Quick Byte on Mobility

The Telecom Subscription Data for July 2011 released by TRAI indicates that growth in the mobile sector has slowed down. The total wireless subscriber base increased from 851.70 mn in June 2011 to 858.37 mn in July 2011, registering a growth of only 0.78 per cent.


Illustration by Shigil N

Gmail Now a Viable Alternative to Microsoft Exchange

Cloud email to capture 20 per cent market by 2016

After being in the market for five years, Google's enterprise Gmail is building momentum with commercial organisations with more than 5,000 seats, and it now presents a viable alternative to Microsoft Exchange Online and other cloud email services, according to Gartner, Inc.

"The road to its enterprise enlightenment has been long and bumpy, but Gmail should now be considered a mainstream cloud email supplier," said Matthew Cain, research Vice President at Gartner. "While Gmail's enterprise email market share currently hovers around 1 per cent, it has close to half of the market for enterprise cloud email. While cloud email is still in its infancy, at 3 per cent to 4 per cent of the overall enterprise email market, we expect it to be a growth industry, reaching 20 per cent of the market by year-end 2016, and 55 per cent by year-end 2020."

Cain said that, other than Microsoft Exchange, Google Gmail is the only email system that has prospered in the enterprise space over the past several years. Other enterprise email providers — Novell GroupWise and IBM Lotus Notes/Domino — have lost market momentum, Cisco closed its cloud email effort and VMware's Zimbra is only now refocusing on the enterprise space.

Google's journey to enterprise enlightenment, however, is not complete. Google focuses on capabilities that will have the broadest market uptake. Large organisations with complex email requirements, such as financial institutions, report that Google is resistant to feature requests that would be applicable to only a small segment of its customers. Banks, for example, may require surveillance capabilities that Google is unlikely to build into Gmail given the limited appeal.

While Google is good at taking direction and input on front-end features, it is more resistant to the back-end feature requests that are important to larger enterprises. Large system integrators and enterprises report that Google's lack of transparency in areas such as continuity, security and compliance can thwart deeper relationships.

"Email is not a commodity, and cloud email is still maturing," Cain said. "We believe that, for most organisations, performing one more on-premises upgrade, which will take an organisation through 2014, is the most prudent approach. A less-risky approach to cloud email is via a hybrid deployment, where some mailboxes live in the cloud and some are located on premises. This hybrid model plays to Microsoft's strengths given its vast dominance of the on-premises email market."

"The intense competition between Microsoft and Google will make both vendors stronger and enable them to apply cloud expertise to other enterprise cloud endeavors," Cain said. "The rivalry will make it difficult for other suppliers to compete directly in the cloud email and collaboration space."

Global Tracker: Malware Activity in August

Fake antivirus loader W32/FraudLoad.OR accounted for 58 percent of the new malware activity tracked in August. Source: Fortinet

Infographics by Charu Dwivedi


Illustration by photos.com

CSC Acquires Software Testing Firm, AppLabs

Strengthens apps development and management business

CSC has acquired AppLabs Technologies Private Limited, a pure-play software testing and quality management service provider. The acquisition vaults CSC into a leadership role in providing application testing services in the high growth discrete testing market, supporting the company’s multi-year strategic growth plan.

AppLabs brings a strong portfolio of emerging technologies, proprietary methodologies and tools, and a specialised sales force to CSC which significantly enhances CSC’s capabilities in application testing services as well as shortening time-to-market. AppLabs complements CSC’s expertise in Financial Services, Healthcare, Manufacturing, Chemical, Energy and Natural Resources and Technology and Consumer verticals. Financial terms of the deal were not disclosed.

“Application Services continue to play an increasingly important role as companies adopt new technologies and cloud-based services to improve the quality and performance and reduce the total cost of ownership of IT services,” said Michael W Laphen, Chairman, President and Chief Executive Officer, CSC. “Acquiring AppLabs represents CSC’s continued commitment to our intense focus on growing the company’s applications development and management business as well as extending superior testing services to our clients and prospects.”

“AppLabs will strengthen CSC's portfolio of services that are offered to its customers,” said Sashi Reddi, AppLabs founder and CEO. “AppLabs customers will benefit from the geographic reach and breadth of services that CSC has to offer so that we can finally become truly global partners to our key customers. The 2,500 employees of AppLabs are delighted to be a part of the CSC family.”

According to research firm IDC, the independent testing and validation services market is growing faster than the IT services market and is forecasted for strong growth of 21 per cent compound annual growth rate (CAGR) through 2013.

Fact ticker

Samsung’s counter claim against Apple in Australia

Samsung, Apple slugfest continues

According to the new media statement released by Samsung Electronics Co, the company has filed a counter claim against Apple Inc. with the Federal Court of Australia, New South Wales Registry, on September 16. The claim says that Apple infringed seven Australian patents owned by Samsung. These patents, related to wireless communications standards, are being used in Apple's iPhone 3G, iPhone 3GS, iPhone 4 and iPad 2 products.

This latest move comes after Samsung last month delayed the launch of its latest Galaxy tablet computer in Australia over a global patent dispute with Apple. Samsung also states that the patents that Apple relied on in its claims against Samsung in relation to the Galaxy Tab 10.1 were invalid and should be revoked by the court. This is not the first time that Samsung is counter suing Apple. Apple is yet to comment on the development.

Samsung and Apple have been locked in a battle over smartphones and tablets patents since April as Apple seeks to rein in the growth of Google's Android phones by taking direct aim at the biggest Android vendor, Samsung. Apple, which has conquered the high end of the phone market with its iPhone, has argued that Samsung had infringed on its patents.

SUSE for SAP

SUSE has announced, as part of its ongoing partnership with SAP AG, that SUSE Linux Enterprise Server has been selected for use with SAP HANA.

“Our partnerships with SAP and IBM have enabled thousands of customers to gain from the exciting benefits SUSE Linux has to offer, including decreased operating costs and improved performance,” said Michael Miller, Vice President of Global Marketing and Alliances, SUSE. “SUSE Linux Enterprise Server has been recognised by both SAP and IBM as the operating system for use with SAP HANA based on its technical capabilities and ease-of-use. With SAP, IBM and our ecosystem of alliance partners, we look forward to the ongoing upward trend of customer success as they continue to see the value of implementing Linux within their IT environments.”

SUSE Linux Enterprise Server is the Linux operating system selected by SAP as the supported environment for running SAP NetWeaver Business Warehouse Accelerator software, the SAP NetWeaver Enterprise Search application and the enterprise agent in the SAP StreamWork application. It is now the supported offering for use with SAP HANA, based on its ability to help organisations integrate, secure and manage information assets to reduce complexity and cost.


Best of Breed

Features Inside: Seven Security Threats CIOs Need to Counter Pg 15

Knowledge Management

People, processes, structure and culture are the core components of a winning KMP

Illustration by Joffy Jose

Many organisations leap into a knowledge management (KM) solution (document management, data mining, blogging, community forums, and the like) without first considering the purpose or objectives they wish to fulfill or how the organisation will adopt and follow best practices for managing its knowledge assets long term.

Terminology and Concepts

While Knowledge Management (KM) as a discipline is relatively young, having started in the 70s, KM terminology, models, and best practices are still being established and adopted. I've listed the more widely accepted terms and concepts below. They should provide some awareness and basic principles upon which to build your organisation's KMP.

KM best practices specify different types of knowledge. The types most often referenced are tacit knowledge and explicit knowledge. Tacit knowledge represents internalised knowledge that an individual may not be consciously aware of, such as how he or she accomplishes particular tasks. Explicit knowledge represents knowledge that the individual holds consciously in mental focus, in a form that's easily communicated to others.

In 1995, Nonaka and Takeuchi introduced the Socialisation-Externalisation-Combination-Internalisation (SECI) model in their book The Knowledge Creating Company, wherein tacit knowledge is extracted to become explicit knowledge, and explicit knowledge is re-internalised into tacit knowledge. It demonstrates a continual evolution of knowledge through socialisation, externalisation, combination, and internalisation.

In 2007, the IT Infrastructure Library v3 (ITIL v3) introduced a KM process including definitions for data, information, knowledge, and wisdom. Data is a set of discrete facts about events. Information comes from providing context to data. Knowledge is composed of tacit experiences, ideas, insights, values and judgments of individuals as well as the analysis of information and data. And wisdom gives the ultimate discernment of the material, and the application and contextual awareness to provide a strong, common sense judgment.

The Data-Information-Knowledge-Wisdom (DIKW) structure demonstrates phases of increased context and understanding and how data is transformed into information, then knowledge, and finally wisdom.

A Data-Information-Knowledge-Wisdom (DIKW) structure demonstrates phases of increased context and understanding and how data is transformed into information, then knowledge, and finally wisdom

ITIL v3 also refers to a Service Knowledge Management System (SKMS) as a set of tools and databases used to manage knowledge and information. While ITIL's application of KM is primarily focussed on the development, delivery, support, and improvement of IT services, the architecture of the SKMS has relevance from a business perspective. Understanding this architecture — how data and information is stored, related, and integrated (data and integration layers) and how people will want to access and utilise the information (knowledge processing and presentation layers) — is the first step in addressing the technology needs of a knowledge management system (KMS) solution.

As mentioned at the beginning of this article, a successful KMP will consider more than just technology. The core components of KM include people, processes, technology, structure, and culture. People represents how you increase the ability of individuals within the organisation to influence others with their knowledge. Processes involves how you establish best practices and governance for the efficient and accurate identification, management, and dissemination of knowledge. Technology addresses how you choose, configure, and utilise tools and automation to enable KM. Structure implies how you transform organisational structures to facilitate and encourage cross-discipline awareness and expertise. And culture embodies how you establish and cultivate a knowledge-sharing, knowledge-driven culture. The eight-phase approach explained below addresses all areas of the KM framework.

CIOs say aligning IT with business would be their top priority for 2012

The Eight Phases of KM

Implementing a KMP is no easy feat. You will encounter many challenges along the way including many of the following:

• Inability to recognise or articulate knowledge; turning tacit knowledge into explicit knowledge
• Geographical distance and/or language barriers in an international company
• Limitations of Information and Communication technologies
• Loosely defined areas of expertise
• Internal conflicts: professional territoriality
• Lack of incentives or performance management goals
• Poor training or mentoring programmes
• Cultural barriers: this is how we've always done it

Phase 1: Establish programme objectives — Before selecting a tool, defining a process, developing workflows you must envision and articulate the end state. Different organisations may have different reasons for implementing a KMP, but in order to establish the appropriate programme objectives, identify and document the business problems that need resolution and the business drivers that will provide momentum and justification for the endeav-

66%

our. Provide both short-term and long-term objectives that address the business problems and support the business drivers.  Short term objectives should seek to provide validation that the programme is on the right path while long-term objectives will help to create and communicate the big picture to the stakeholders. Phase 2: Prepare for change — KM is more than just an application of technology.  It involves cultural changes in the way employees perceive and share knowledge they develop or possess. One common cultural hurdle to increasing the sharing of knowledge is that companies primarily reward individual performance.  This practice promotes a 'knowledge is power' behaviour that contradicts the desired knowledgesharing and knowledge-driven culture end-state. Successfully implementing a new KMP may require changes within the organisation's norms and shared values that some people might resist or even attempt to quash.  To minimise the negative impact, it's wise to follow an established approach such as John Kotter's eight-step change process, which will be covered in more detail in part II of this series. Phase 3: Define high-level process — To facilitate the effective management of your organisation's knowledge assets, you must begin to layout a high-level KM process.  The process can be progressively developed with detailed procedures and work instructions throughout phases 4, 5, and 6, but must be finalised and approved prior to "Phase 7: Implement Knowledge Management Programme." Organisations that overlook or loosely define the KM process will not realise the full potential of their KM objectives.  There The Chief Technology Officer Forum


are a number of KM best practices, all of which comprise similar activities. In general, these activities include knowledge strategy, creation, identification, classification, capture, validation, transfer, maintenance, archival, measurement, and reporting.

Phase 4: Determine and prioritise technology needs — Depending on the programme objectives established in Phase 1 and the process controls and criteria defined in Phase 3, you can begin to determine and prioritise your KM technology needs. The diagram shown here reflects the main technologies that can compose a KMS. With such a variety of KM solutions, it is imperative to understand the cost and benefit of each type of technology and the primary technology providers in the marketplace.

Phase 5: Assess current-state — Now that you've established your programme objectives to solve your business problem (Phase 1), prepared for change to address cultural issues (Phase 2), defined a high-level process to enable the effective management of your knowledge assets (Phase 3), and determined and prioritised your technology needs that will enhance and automate KM related activities (Phase 4), you are in a position to assess the current-state of KM within your organisation. The KM assessment should cover all five core KM components: people, processes, technology, structure, and culture. A typical assessment should provide an overview of the assessment, the gaps between current- and desired-states, and the recommendations for attenuating identified gaps. The recommendations will become the foundation for the roadmap in Phase 6.

Phase 6: Build implementation roadmap — With the current-state assessment in hand, it is time to build the implementation roadmap. But before going too far, you'll need to reconfirm senior leadership's support and commitment as well as the funding to implement and maintain the KMP. Without these prerequisites, your efforts will be futile. Having solid evidence of your organisation’s shortcomings, via the assessment, should certainly drive the urgency rate up. Having a strategy on how to overcome the shortcomings will be critical in gaining leadership's support and getting the funding you will need. This strategy can be presented as a roadmap of related projects, each addressing specific gaps identified by the assessment. The roadmap can span months and years and group projects into phases as well as illustrate key milestones and dependencies. A decent roadmap will yield some short term wins in the first phase of projects, which will bolster support for subsequent phases. As time progresses, continue to review and evolve the roadmap based upon the changing economic conditions and business drivers. You will undoubtedly gain additional insight through the lessons learned from earlier projects that can be applied to future projects as well.

Phase 7: Implementation — Implementing a KMP and maturing the overall effectiveness of your organisation will require significant personnel resources and funding. Be prepared for the long haul, but at the same time, ensure that incremental advances are made and publicised. As long as there are recognised benefits, especially in light of ongoing successes, there should be little resistance to continued KM investments. With that said, it's time for the rubber to meet the road. You know what the objectives are, you've properly mitigated all cultural issues, you've got the processes and technologies that will enable and launch your KMP, and you know what the gaps are and have a roadmap to tell you how to address them. As you advance through each phase of the roadmap, make sure you are realising your short term wins. Without them, your programme will surely lose its momentum and the support of key stakeholders.

Phase 8: Measure and improve programme — How will you know if your KM investments are working? You will need a way of measuring your actual effectiveness and comparing that to anticipated results. If possible, establish some baseline measurements in order to capture the before shot of the organisation’s performance prior to implementing the KMP. Then, after implementation, trend and compare the new after results to the before results to see how performance has improved. Don’t be disillusioned if the delta is not as large as you would have anticipated. It will take time for the organisation to become proficient with the new processes and improvements. Over time, the results should follow suit. When deciding upon the appropriate metrics to measure your organisation’s progress, establish a balanced scorecard that provides metrics in the areas of performance, quality, compliance, and value. The key point behind establishing a KM balanced scorecard is that it provides valuable insight into what's working and what's not. You can then take the necessary actions to mitigate compliance, performance, quality, and value gaps, thus improving overall efficacy of the KMP.

Implementing a complete KM takes time and money, however, the results can be impressive and risks can be minimised by taking a phased approach that gives beneficial returns at each step.  Most organisations that have made this kind of investment in knowledge management realise tangible results quickly. They add to their top and bottom lines through faster cycle times, enhanced efficiency, better decision making and greater use of tested solutions across the enterprise.

— This article has been reprinted with permission from CIO Update. @ http://www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


Security

Seven Security Threats CIOs Need to Counter

CIOs must build data and systems protection with real-time compliance for optimum security

As our personal and professional lives become more intertwined, the amount of digital data stored and accessed by companies, their employees and staff is staggering. From banking records to medical information, personal identifiers and business transaction histories, a treasure trove of sensitive information is a tempting target to cybercrooks. Moreover, the dramatic increase in cybersecurity attacks in the past few months has shaken consumer confidence. It has also caused the security industry as a whole to re-evaluate the effectiveness of the present methods used to protect data and systems.

CIOs that build security programs using only formal security compliance frameworks are quickly finding this approach dated, exposing their company to risk. Of course, standards are foundational in the effort to keep businesses compliant with industry specific regulatory restrictions. However, therein lies a dangerous notion that the standardised approach alone will keep an organisation secure against today's ever-evolving threats. Here is what CIOs can do to avoid seven real threats to corporate security:

1. Focus on security threats rather than security compliance alone: There is little value in putting an alarm on the front door of your home to meet the compliance requirements of your insurance policy if the back door is left open. This is the problem with focusing on standards-based security programs alone — you are often building a program to specifically meet the letter of the standard and the auditors. This can lead to security gaps, in particular too little focus directed toward protecting against threats such as cybercrime. CIOs need to do a 180 and start building the next generation cybersecurity controls to protect against these threats.

2. Use data-centric controls not location-centric controls: Data use is distributed and, as such, the controls that protect this data must also be distributed. Too often, security controls focus on location alone to protect the perimeter of the building. However, as telecommuting becomes the norm and workers access sensitive data from mobile devices and laptops, considerable data can exist outside the office walls. Because of this, data protection must be data-centric rather than location-centric. It must follow the data out of the building to protect it no matter where it resides.

3. Social network awareness versus lockdown: Open access to social networking sites is often viewed as taboo by IT and security departments while staff is in the office. Their concern is primarily based on the fear that staff will expose sensitive company data through the use of these sites. The black-and-white approach is to block office access even though IT is well aware that staff will still access social sites from their corporate laptop at home. Rather than applying the wet-blanket approach of no access, another approach is permitting controlled access — balancing security needs by making users aware of the risks, and how they can protect against potential threats. This can help create a more tech and risk savvy employee who is better equipped to protect the company’s data and assets against threats independently whether they are inside or outside of the office.

4. Reorganise traditional security teams: Agile development (software development methodologies that are based on iterative development) is shaped through collaboration among cross-functional teams. Many companies have moved to agile software development, which enables product delivery cycles to occur every two weeks instead of quarterly, semi-annual, or annual release cycles. This reduces delivery time directly, however, it also results in less time to complete a security risk evaluation of the changes. Therefore, security programs designed to examine long release cycles can struggle when presented with the much shorter agile development cycles. For example, if a company is completing a two week delivery release, and has 10 engineering teams in agile that each release 10 features per software release, then 100 product changes will be delivered every two weeks. This volume of feature changes demands thorough risk evaluation and unless the security teams can move at the same speed as or faster than the development teams, then security will quickly fall behind. When this happens, business risk grows. Security teams must reduce their risk evaluation times as a solution, or the release rate must decrease. Businesses typically will not slow down to facilitate a slower moving risk management evaluation process. As a result, security teams that don’t move to agile security may find that they are not able to meet current business needs.

5. Engage employees in interactive security awareness: The practice of security departments corralling jaded staff into mandatory training programmes this year to rehash last year’s security tips is inefficient, dated, and counterproductive. Instead, security teams should actively engage staff as part of their day to day interactions. This can include more interactive and frequent security awareness exchanges in the form of ongoing security Lunch & Learns, security Brown-Bags, security posters, quizzes, newsletters, weekly messages, and other opportunities to meaningfully engage staff and increase awareness of modern risks.

6. Focus on application security: Far too much focus is placed on the mistaken belief that applications are protected by the network firewall. This blind trust can result in insufficient application security controls being implemented to protect company applications. Additionally, modern applications are increasingly internet facing, and open and feature rich application program interfaces (API) have become the norm. As a result, the attack surface of the application has greatly increased just as the level of protection provided by a network firewall has greatly decreased. If these network firewalls cannot independently provide the level of protection needed against an application compromise, then what will? This is where the application itself becomes the key security layer. This involves building application security controls into all phases of the application development, as well as secure code training, and in-depth penetration testing.

7. Monitor security in real-time: Many security standards require companies to complete security monitoring on a pre-defined interval, including quarterly account audits or bi-annual firewall reviews. But hackers don’t work on pre-defined schedules. If a company is only utilising regularly scheduled security audits to detect problems, it could take days, weeks, or even months for a security incident to be detected in the next round of security audits. Security programs must provide real-time security monitoring to detect and react quickly to threats to the business.

When corporate security is at risk the entire company is at risk. Small, medium and large companies all face similar security challenges, thus the desire to implement security standards. But CIOs must navigate their companies outside of security standards and focus on protecting their data and systems with real-time compliance to achieve optimum corporate security.

80% online adults in India have been a victim of cybercrime

—Niall Browne is the CISO & VP of Information Security at LiveOps where he is responsible for defining and managing the enterprise security, audit, risk and IT regulatory compliance programs. LiveOps offers two solutions for enterprises: Contact Center in the Cloud, a SaaS technology platform for managing global contact centers, and Workforce in the Cloud, an on-demand workforce with over 20,000 independent agents.

—Niall is currently Chair of the BITS Shared Assessments Cloud committee, and vice-chair of the steering committee. Niall is also on the steering committee of Cloud Security Alliance (CSA) Controls Matrix, and a member of the steering committee for the Common Assurance Maturity Model (CAMM). As a Service provider he has also led IT Security assessments including PCI-DSS level-1, ISO 27002, SysTrust, SAS-70 Type II, BITS Agreed Upon Procedures (AUP) and FFIEC examinations. In 2004, Niall was the lead security architect for the European Union (EU) Presidency.

— This article has been reprinted with permission from CIO Update. @ http://www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.



Case Study | Essar

BPMS Integrates Cross Enterprise Technologies

Challenge: Each subsidiary had its unique set of processes, requirements and business demands. Things like process re-alignment to suit business benefit were becoming difficult to implement. Cordys BPM gave Essar a platform where it had a blank canvas to restructure their processes.

By Ankush Sohoni

Enterprises today are not short of technology under any circumstance, however, managing these technologies and utilising them effectively can be a challenge. Today the need is to optimise and to ensure full utilisation. However, many technologies within enterprises end up being in silos and don’t end up talking to each other effectively. This makes a CIO's job difficult to perform. Business process management has emerged as a key to solving the CIO's dilemma, and allows enterprises to optimise, utilise and build their infrastructure out in an organised manner. Cordys is one such company whose main line of business is giving enterprises the flexibility they desire in terms of process mapping, definition and management. In an attempt to understand how BPM can play a crucial role in helping to optimise enterprise technology, we spoke to Milind Joshi, Sr. VP - IT Services, Essar Information Technology Ltd, about the company’s decision to use Cordys to map their business processes and optimise their enterprise architecture.


The need

“It has been two years since we started initiating our conversations with Cordys and started working on different applications,” says Joshi. Essar is a conglomerate of about 250 – 300 companies and eight verticals - steel, oil, power, telecom, and so on. Each of these companies has a different style of operations and different processes. Until now in the Indian scenario, there has been a thick line between the manner of operation of technology and business people. Technology people primarily looked at pure play technology implementations, whereas business was involved in core business. There was no intersection of interests, which is not really the best way to implement technology for the benefit of the business. According to Joshi, there was always an issue as to who should own a project. Business would define the transactions through technology, but they were at a distance, and IT was moving in an independent direction.


COMPANY DASHBOARD

Company: Essar Information Technology Ltd.
Lineage: Part of the Essar Group, with turnover of over $20 Billion, and multiple industry footprints.
Business: The ESSAR group has a presence in multiple industry verticals like Steel, Oil, Power, Ports, shipping, construction, logistics, Telecom, BPO and retail.
Services: Loans, Mutual Funds, Equity Broking & Wealth Advisory.
Brand Equity: Essar Power is one of the lowest-cost power producers in India as well as the second largest in the private sector. The group is also the second largest private port operator in India.

Milind Joshi, Sr. VP - IT Services, Essar Information Technology Ltd says that BPM helped the company bring business and IT closer, greatly enhancing productivity.

“In the last one year, there has been a huge amount of confluence between business and technology. Business is also understanding technology application and they are demanding more from IT. Today we are in a situation where the adoption of BPM as a tool would be more welcome as compared to what it was earlier. Fortunately for us Cordys BPM has been a mainstay enterprise application as far as implementation and automation are concerned. In our case, business requirements are really driving technology utilisation, and since we have such a diverse set of companies, the challenge primarily lay in the fact that each company had its unique set of processes, requirements and business demands. Things like process re-alignment to suit business benefit were becoming difficult to implement. This is where Cordys BPM scored. It gave us a platform where we had a blank canvas to restructure our processes,” explains Joshi.

Joshi summarises the solution as a great tool which allowed Essar to define process and create a model that is understandable both from a business and IT perspective; have more power in handling the integration aspects of various applications; and be more agile and react to change without much difficulty.

Technology-driven process vs process-driven technology

“I feel it’s a bit of both. The way in which the Cordys decision was taken was based on optimisation. So it was not just silo-ed applications that we needed to integrate; but we wanted to redefine the way they talk to each other. When you want to optimise processes that is the time when one will find a need to integrate between diff applications based on the process instance flows. So optimisation is the basic need. In this scenario Cordys style applications can give great ROI. I think it’s a technology that is a business enabler. It is more of a business solution. It gives us a lot of flexibility and agility,” mentions Joshi.

Real time agility and flexibility

Joshi’s use of BPM has been in terms of bringing together silo-ed applications and getting them to talk to each other. Going by the size of the company, processes tend to get complicated. Therefore redefining these processes ends up being a mammoth task. Citing an example, Joshi explains, “In terms of smaller applications of the solution, a typical problem that many of our users faced is remembering their SAP password. In case a user forgets this password it has to be reset, and the process of resetting requires interdependencies and a string of approvals.”

This is a good example of a simple thing which requires a workflow or process combined. The cycle time required is very small, because the user cannot sit idle and must receive the password as early as possible. In this scenario, earlier the user would have to wait for hours to get the password reset. Now this happens in a matter of minutes and is a huge benefit in terms of productivity and reduced irritation at a personal level. Also, supporting this process on a large scale of ‘n’ employees can have a huge cost associated with it. This is where Cordys helped Essar immensely.

A company like Essar, with its sub-companies, features a lot of servicing within the company itself. In this scenario, billing and accounts are to be managed between internal companies. “At the end of every month we needed to produce a consolidated accounts status for the group which is 300 companies globally. This was a nightmare. The biggest problem was that we need to net off the intercompany transactions. For example, if shipping bills a certain amount for transporting steel, this is revenue for shipping, but the steel division has paid for it. So intercompany transactions is a very difficult area to net off and get an overall group wise balance sheet. So it became critical to account for this in a timely and correct manner,” explains Joshi.

Every company in the group may have a different transaction system - Tally, SAP, and so on. Getting these systems to talk to each other was a mammoth and time consuming affair; consolidated reports took a large amount of time. “What we did was we converted from the sources, all the inputs and we used BPM to make sure that the mapping becomes automated. Today instead of looking at 100 elements, automated mapping takes care of 90 and only 10 remain for manual analysis. The overall workload of mapping comes down significantly. This helps us cut down on time utilised and removes the scope for errors.”

Going forward

Going into the needs of the process becomes the key for optimising the business and optimising the processes. That’s what Essar is trying to do. “Cordys has helped us utilise our resources in a way we never really imagined. Being a large conglomerate there is still a lot of work to be done, and with Cordys to help us, we know we will reach the high point of process efficiency very soon.”


Cover Story | Vendor Management

Forging a Symbiotic Relationship

The CIO and the vendor need to understand each other's goals for a mutually beneficial relationship.

CIOs today utilise multiple vendors for various technology needs – both in-house and outsourced. With multiple contracts floating around and multiple points of contact for various aspects of IT architecture, CIOs need to find ways to identify long standing players who can ensure success, growth and profitability. Every situation has its benefits, challenges and intricacies – so does dealing with multiple vendors. However, things are not as simple as they seem, and many a time CIOs find themselves stuck in deep issues if they do not handle their contracts with care.

Although most vendors, SPs and SIs, have detailed metrics on system performance and troubleshooting, it is extremely important to make them a part of the key goals of the organisation – from a delivery standpoint. In addition to this, keeping track of monitoring tools and understanding what part of the agreements needs to change also should be provisioned for.

One might even ask why managing vendors becomes tricky. However, most analysts believe that CIOs who choose to sign a deal and then expect things to take care of themselves are sadly mistaken. Careful evaluation of contracts and hard negotiations on deliverables are the key to building long standing relationships with your vendors.

Today enterprises are becoming more transparent with their key technology partners. The growing need to mutually understand each other’s goal is the future of a vendor-consumer relationship. This kind of symbiosis has its fruits, and if done right, can have immense benefits.

INSIDE
The Road to Vendor Management
“Trust, Transparency are the Key Issues”
Vendor Management: Becoming a Partner



COVE R S TO RY

V e n d o r M a n ag e m e n t

The Road to A CIO should not look at a vendor as just the provider of IT. Rather, he should view the vendor as a strategic partner in his organisation By Ankush sohoni

M

ost enterprises today are entering into contracts and deals with multiple vendors for varied systems, which are effectively contributing to the information architecture of the enterprise. Dealing with multiple vendors has its own set of concerns, and CIOs today need to focus on building partnerships with these vendors to ensure success and sustainability. The question is, how are CIOs today really doing this? Today CIOs are becoming more transparent with their vendors. Sharing plans over goals to be achieved over the next few quarters with vendors is not unheard of. Many enterprises today are also looking at strategising with key vendors to drive goals like growth, increasing market share, expanding services and so on. One of the answers to this scenario is by a change in mindset. The conventional mindset dictates that the vendor is a provider – of infrastructure, applications, security, network and so on. However, the mindset that CIOs need to inculcate today is to see how they can make the vendor a partner in their organisation.

Aligning IT with business “One of the most crucial thought processes to adopt when dealing with a vendor is to align IT with business and look at business goals.

24

cto forum 21 september 2011

The Chief Technology Officer Forum

Although SPs do a pretty good job of monitoring metrics of performance, it is important for the CIO to measure the outcome. That’s where the customer satisfaction comes in,” Benoy C S, Dy Director, ICT, Frost & Sullivan, South Asia Middle East, says. Since the CIO is looking at a vendor as a business partner, the vendor needs to be accountable when business goals are not satisfied. This way, the vendor is personally vested into the project at the organisation level, and helps in eliminating issues that may have otherwise cropped up. “Please ensure that you understand the organisation structure of the vendor and have escalation chain set up to the top. Things will go wrong; it is important to know who to escalate to when needed,” indicates Sankarson Banerjee, CIO, India Infoline. G N Nagaraj, Ex-CIO, Religare, shares some of his views on best pratices that CIOs can follow. According to him, “Depending on the scale and complexity of one's IT landscape, it is recommended to have a fixed number of strategic partners who will contribute to the bottom line; bring in thought leadership in the relevant domain; and give you scope and space to experiment, and prototype to deliver innovation.” He further explains that the above mentioned structure works fine if there is a governance mechanism that is diligently followed and regularly reviewed for its applicability with the passage of time and space. “Depending on the scale and complexity of the IT landscape, it is also recommended that a joint architectural board with representation from business strategy folks and a steering committee with representation from CXO layer needs to be in place,” adds Nagaraj. Joshi believes that proper definition of roles and responsibilities, upfront and regular review of performance can be the operating model. “The space has to and will evolve as it has a lot of promise to


“In all multi-vendor environments, the biggest issue is the determination of responsibility. While the situation can be helped with a clear RACI matrix, it still leaves some areas for disputes” Milind Joshi, Sr. VP - IT Services, Essar Information Technology Ltd

photo by Jiten Gandhi

deliver predictable efficiencies without compromising on effectiveness. The models will evolve taking more and more areas. The revenue models will move towards variable basis from a fixed cost basis although it may start there. IT applications service support, for example, will move from a people oriented time and material based model to variable model based on tickets. Final model could be based on concurrent user based revenue model where customers will pay based on number of users alone,” explains Joshi.

Choosing your Vendor:

Look at overall capabilities of the vendor rather than specific skill match. Skills can be built and bought. Inherent capabilities and institutionalised knowledge cannot be. The matching culture is extremely important. The best of the vendors may not work for you if they are not culturally aligned with your company.

One needs to keep in mind the following points before signing on the dotted line with the vendor. Create a proper contract and RACI matrix. The mechanism of measuring performance has to be objective and acceptable to all. Consider security and legal aspects and the fine print before entering into contracts. The RACI and baselining of the SLAs need to be a part of the contract and not left to the interpretation of either party. The definition of incident closure and resolution, and the responsibilities in that respect, need to be clearly defined, especially in multi-vendor situations.

The managed services scenario

Banerjee, CIO, India Infoline, has multiple vendors that contribute to the architecture at India Infoline. “Being bound by agreements, services are more rigid than when they are internal. Sometimes, we are forced to move rapidly in unplanned ways because of business pressures — this is more difficult with an outsource contract. Change requests have to be negotiated, and that takes some time,” he explains. These are some of the things that you might want to reconsider when dealing with your vendor.

On the other hand, Nagaraj avers, “One needs to retain some people with domain and landscape familiarity to own and manage the managed services design principles. SLAs can be delivered only if both the managed service provider and consumer strike a sustainable model of collaboration and co-ownership.” “Managing your services, and vendors becomes increasingly difficult when one approaches it with a ‘fill it - shut it- forget it’ attitude,” he says. He further explains that right through the life cycle of the contract, the collaboration and co-ownership traits from the consumer need to be as strong a virtue as those of the service providers. The technology obsolescence risk is minimised quite a bit in this kind of scenario.

“The consumers need to limit themselves to the outcome, the objectives and the agreed predefined success criteria while collaborating with the service providers to manage the changing business landscape implications on the managed services during the contract lifetime,” mentions Nagaraj.

There are a set of issues that can crop up if the matter is not handled with the utmost care and concern. “Typically in a multi-vendor landscape you tend to have different systems that do have a need to work. Handshake between such systems is generally provided by technologies such as ESBs, ETLs and middleware; which are managed by a different set of vendor


partners and SI partners. Such an environment needs strong architectural skills, project and program management competencies and ability to manage end user expectations and set achievable outcomes as targets,” says Nagaraj.

“There is always the business pressure to deliver which is typically around timelines and there is the peer pressure to excel by delivering esoteric outcomes with a WOW factor. These need to be balanced to deliver goals and objectives that are realistic, achievable. Ability to deal with shifting goal posts with the discipline of strong programme management and sound processes is key to staying alive. Taking a little risk to deliver a WOW factor in the backdrop of expectations and perceptions is the key to success,” he explains.

It all boils down to expectation setting, the rigour and discipline of following mature yet flexible processes to manage the shifting goalpost scenario. In addition to technical and managerial skills, interpersonal skills around influencing various stakeholders, while aligning yourself and your teams to business objectives and reining in the stakeholders' expectations and perceptions, play a huge role. “This is a huge challenge as most technology folks lack a competency or two in this space.”

“One needs to have a thorough understanding of one’s own business and the dynamics around key groups within the organisation.

No two sets of people are born equal and this needs to be factored in as standardisation of processes is being attempted,” explains Nagaraj. According to him, there is a need for a strong change management process that addresses:

1. Expectations
2. Training
3. Facilitating for the learning curve on the job during transition
4. Reward achievement around successful adoption
5. Senior management patronage and support

Nagaraj explains that the success with which the organisation manages employee behaviour during their learning curve will define the success of a managed services deal. The new processes, when adopted, will create scenarios where there could be operations failure, process breakdown, business services outages and helpdesk services on a different model with new TATs. While one needs to work in collaboration with managed services partners to fix these instead of pointing a finger at them, one needs to manage the business users in their learning curve. The job becomes difficult as one needs to collaborate, show an element of kid-glove treatment and yet hold all stakeholders accountable. This is possible if the technology teams, managed service partners, and business teams collaborate to structure themselves to manage these issues. In some scenarios, divide and conquer works while in some scenarios a central command and control structure works. Success will finally be delivered if there is an adequate amount of pre-planning, collaborative exception management mechanisms and the ability to not stray away from the pre-planned path.

According to Banerjee, “It is important in contract negotiations to have your own data up to date and recently verified. Companies rarely keep the full details of their infrastructure current — and negotiating on the basis of obsolete information can lead to a lot of heartache; secondly, exit clauses and reversal in case of termination must be negotiated upfront. Things do go wrong sometimes in relationships, and when it does, the parties should be able to part amicably.”

Who is responsible?

“Ensure that you understand the vendor's organisation structure and have escalation chain set up to the top” Sankarson Banerjee CIO, India Infoline.


“In all multi-vendor environments, the biggest issue is the determination of responsibility. While the situation can be helped with a clear RACI matrix, it still leaves some areas for disputes. The problem is to apply the RACI in day-to-day operational situations. Typically the services providers have to work in tandem to achieve the final outcomes. What helps is to make one larger vendor accountable for the outcome rather than every individual. One of the disadvantages is also lot of time wasted on gathering data for the RACI and SLAs for intervendor processes,” explains Milind Joshi, Sr VP, Essar.

There is an inherent contradiction in the multi-vendor scenario — the very vendors who are competing against each other are expected to work collaboratively to achieve an optimised level of efficiency for business. “I will compare this with a formula one team, where each team has two drivers and while they both are expected to win points for their teams, they themselves are competing fiercely to win the races and make their positions safe within the team,” he says. Dealing with this kind of inconsistency also makes life not so easy for the CIO.



are the key issues” Biswajeet Mahapatra, Research Director, Gartner spoke to Ankush Sohoni about the various ways to manage one’s technology vendors and partnerships

How does one ensure long standing relationships with their vendors? Once one has the metrics to justify a job well done, how can CIOs forge partnerships with these vendors to ensure sustainability, success and profitability?

The enterprise IT landscape has predominantly been composed of mixed technologies from a variety of vendors. Today, in the age of managed services, these technologies are either managed from a remote location or they are delivered through data networks. In all of this, the role of a CIO has become more of someone who brings in technology partnerships that can help in boosting the organisation’s core competency. However, managing these partnerships is what can become quite a challenge in some cases and CIOs need to be careful and make sure all areas are covered. Vendor relationship is a two way street wherein trust and transparency are key issues. In spite of a well-defined contract, clear SLAs and Metrics, relationships may or may not prosper, based on the treatment which is given to the relationship. We are not saying that one needs to open up everything to the vendor but be very clear on


“CIOs need to make sure that the vendor they are dealing with ensures an inter-operable environment” Biswajeet Mahapatra Research Director, Gartner

what you value the most: quality, support, performance, on-time delivery and also how far would a vendor go to solve your problem. In short vendor relationship management in a cloud environment is as important as in any other normal environment but in this case the relationship will surely define how the company would adopt the entire cloud environment.

Could you outline some best practices that one could follow as far as contract management is concerned?

When CIOs are looking to opt for a vendor who is going to be more of a partner than anything else, they need to be careful as far as their contracts are concerned. Contract management is one of those games where the CIO needs to get into the minutest of details to avoid potential problems later. One is not recommended to take things for granted; every last detail needs to be taken care of. Some best practices that can be put in place have been listed below.

To begin with, CIOs need to make sure that the vendor they are dealing with ensures an inter-operable environment. In fact this should be assured. It is extremely important to understand that the service provider does not do anything with his infrastructure or application, that can cause problems with my current setup. To compound all this, vendors can have this terrible habit of auto-upgrades, and maintenance patches that are continuously being sent over the delivery channel. The CIO needs to ensure, that at no point of time will there be upgrades or maintenance without their knowledge or prior approval.

The technology market is full of mergers and acquisitions, with buy outs being fairly commonplace. In such a scenario, where does that leave you as a customer? Who is it that you can go to in case something goes wrong? This is where it becomes important to define clauses which can safeguard customers (the CIOs) when a service provider is taken over or merged or buys out any other similar service provider.

CIOs must ensure that when the going gets tough that they have an exit clause in place to make things sail smoothly. Exit clauses are the most critical ones which need a lot of care when negotiating for a contract with a vendor. These clauses determine how the CIO can find his way out of a deal gone sour. Now there could be a number of


reasons for this — performance not matching up to projected standards, or non-efficiency of the system — the reasons being many. In addition to the above mentioned exit clauses, penalty and safety clauses are also important and must be defined. Penalties and safety clauses have to be worked out in minute details when a breach of contract takes place. The CIO needs to go to the extent of including a valid and precise definition of the nature of breach; what they need to safeguard against; what part of the process the breach is detected at and so on. This can definitely be a useful ally, when performance levels are dropping, or SLAs are not being followed.

One aspect that CIOs must look at is ensuring the validity of the contract in terms of data privacy and disclosure. CIOs today, need to ensure this. Clauses which define availability, performance and other details including penalties and fall back mechanisms should also be very clearly defined.

What are some of the key trends that you are looking at in this space?

CIOs should be looking to adopt international standards and follow practices available globally. We get so busy with operations and we forget the benefits of these standards (ISO, COBIT, and so on). The underlying objective is to streamline processes, reduce redundancy and so on. Whether you are moving into virtual, cloud or hybrid, adopt those best practices and standards. It is easier for you to move onto a new platform. Apart from that, as discussed above, contractual prudence is extremely important. Managed Service Provider deals and Cloud deals feature an increased focus on contract management. Although contract management among CIOs has matured as a practice, there is always room for improvement.

Currently if you look at the industry, they are talking about server consolidation, virtualization, and reduction of cost, standardization or so on. If someone is on the virtualization journey it's probably for cost savings or to reduce CAPEX. CIOs today are trying to find out the most optimum way of doing this. The key question they often ask is, “Should we start with process or technology?” and so on. So clearly, one has to start with their corporate goals. CIOs today need to be in tune to the business requirement, because that is monumental to consider while trying to succeed.


Vendor Management

Customers need to take matters into their own hands to improve the strategic nature of their vendor relationships

By Anne Zink

The old adage really is true. The more things change, the more they stay the same. In 1997, my company conducted a series of interviews with CIOs in Global 500 companies. The goal was to find out how IT vendors could improve their relationships with their most important customers. The top 3 findings were: Invest in understanding our business, not just our infrastructure; Build relationships outside of IT; and Include us in your strategy/product roadmap discussions.

We repeated that research, expanding it to include Fortune 1000 companies. The findings were the same today also. What’s interesting is when we share them with vendors they practically groan in frustration. “We would be more than happy to comply with the first two; ‘they’ (the clients) won’t let us.” Clearly, something was amiss, so we dug deeper. The first thing we discovered is vendors, with very few exceptions,


don’t feel comfortable moving outside of the CIO’s department. Vendors are concerned their day-to-day contacts will feel they are going around them and undermining their authority. Our research found plenty of evidence backing up the concern. The second challenge is that, even if they felt empowered to move outside of IT, most weren’t sure where to go. In the Global 100, senior executives cultivated cross company relationships, but that practice was fairly limited. It’s simply not scalable. There are only so many senior executives to go around. The third challenge is that the average account executive has very little expertise or understanding of the world outside of IT. Most were hired for their technical expertise. They tend to be ‘geeks’ hired to communicate with other geeks. Take them outside of their IT comfort zone and they are severely handicapped.

It feels like this should be an easy challenge to solve. After all, both parties want the same thing so we dug some more. This time we searched for companies who feel good about their vendor relationships. We found 50. They were spread out across multiple segments. Due to this wide distribution, the numbers are not statistically significant. They employed a variety of solutions to the challenges we uncovered. Every corporate culture is unique. What works in one, may not be the best solution for another. Therefore we are calling these solutions, ‘leading’ practices.

Getting to Know Us Sessions: This practice was found mostly in Fortune 1000 companies. The CIO sponsored several informal sessions that would introduce internal stakeholders to key vendors. The sessions required careful planning to minimise any vendor conflict as well as ensure the appropriate stakeholders were present. Internal departments also took some convincing, but ultimately found the sessions valuable. The number one advantage to the CIO was that departments now felt heard.

RFI/RFP Briefing Sessions: This practice was found in Fortune & Global 500 companies. When an RFI/RFP was ready for release, they conducted Web conferences to review the goals of the project and its expected impact on each stakeholder group. These sessions tended to be outbound only. In a few instances there were anonymous question boards, but the real focus was giving vendors first-hand insight into the needs and expectations of the ultimate end user.

Vendor Participation on Virtual Teams: This practice was found in companies of all sizes. However, vendor participation was limited


to a few of the most strategic vendors. The teams were typically addressing very specific projects. However, we did find half a dozen companies where vendors were considered an extension of the IT department and participated in all appropriate meetings.

These activities address the first two findings, but what of the third: Gaining insight into and contributing to a vendor’s long-term development strategies? This is the most frustrating challenge for the CIOs we interviewed. Most did not understand vendors’ reluctance to share their visions. We heard, in almost every conversation, “They want us to invest in building a business process around their solution yet they won’t tell us their five-year plan. We get marketing fluff, at best.”

We only found five customers out of the 50 who participated in this research who felt they had a solution to this challenge. All five were Global 250 customers. In every case, they created leverage by engaging the entire executive team. These companies insisted on annual briefings by the executive leadership of their top 20 vendors. If vendors were unwilling to comply, they were phased out and eventually replaced. Needless to say, most vendors complied. We found three additional companies, classified as Fortune 1000, which were able to convince their top vendors to share their analyst briefings. In these instances, the Analyst Relations Team either visited the customer or conducted a web briefing.

The focus of this article is how customers took matters into their own hands to improve the strategic nature of their vendor relationships. Vendors are not idly standing by. Many are aggressively retooling their account management teams, investing in customer advisory boards and engaging customers in strategy discussions. It is clear, from our research, there is work yet to do. We hope these leading practices inspire more customers to take the initiative and invite their most important vendors to participate more fully in their business. After all, the ultimate goal is to move beyond the transactional buying relationship to a true partnership.

—Anne Zink is founder of AZtech Strategies, which is dedicated to developing multi-channel strategies based on customer expectations, channel input, and industry expertise.

— This article has been reprinted with permission from CIO Update. @ http://www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


NEXT HORIZONS

Features Inside

Can Cloud Really Replace Outsourcing?

Security and the Cloud

Illustration by Suneesh k

A New Enterprise Paradigm?

A growing storm of enterprise apps is blowing in winds of change bringing with it new provisioning models

By Pam Baker

Rikke Helms, Managing Director of the Global Telecom division and Vice President of the EMEA region for Antenna Software said, “We'll see a move away from the 'build' to the 'buy' mentality, as many enterprises move away from custom to packaged applications.” CIOs will soon be buying apps the same way they buy MP3s now: from an app store.

"The parallels between music and cloud computing are eerily similar when it comes to format (mp3 vs OVF), enabler (mp3 player vs. virtualisation), and the delivery system (network vs cloud)," pointed out Pat O'Day, co-founder and CTO of BlueLock, a provider of cloud hosting and managed IT services. Such immediacy in deployment and ease of use on the cheap is simply too compelling for enterprises to ignore.

App Stores Abound

"The idea of an enterprise class app store is starting to take hold," said CloudSoft CEO, Duncan Johnston Watts. "Like cloud adoption itself though, the likelihood is that large companies will start by trying to pool applications internally using this model, i.e. create private app stores." Watts cites the UK G-Cloud initiative, which includes an app store aimed at


pooling applications across government departments, as a prime example. The US Government has also launched their Apps.gov, a GSA-operated website that government agencies can use to buy and deploy cloud computing applications.

External enterprise app stores, ranging from the McAfee's to the Korea Telecom's (KT) of the world, mostly address the mobile sphere. For example, Korea Telecom has developed a service called KT Enterprise Mobility Platform (KEMP) for enterprise apps. KEMP offers a range of enterprise mobility packages, from a fully-hosted service, with apps supplied on-demand over a multi-tenanted or dedicated single server to an on-premise offering with Antenna Mobility Platform (AMP) located behind the corporate firewall, and even a remote cloud-based offering.

"The latter will operate as a 'switch in the cloud' allowing enterprises to virtually provision and control apps while enjoying the scalability and cost-savings of a hosted solution," said Helms.

Interestingly, KEMP allows the same app to be propagated over disparate operating systems — be it Android, BlackBerry, iPhone, iPad, Windows Mobile or Windows laptop. However, there are already several enterprise app stores that offer both mobile and desktop apps, such as GetApp.com, Force.com, Intuit Marketplace, IBM's Smart Market, and Google's Apps Marketplace with more sure to come.

"While it might not be in full operation in 2011, we will see the emergence of cloud stores," said O'Day. Harnessing disparate data sources will entail complex integration, requiring information to be pulled from systems inside and outside the enterprise using a variety of protocols such as XML/HTTP, SOAP, JMS, RMI, JDBC, text file, etc. Therefore, some coding work is still required but not at the levels programmers previously enjoyed.

"The two primary sources for software will be purchased applications with best practice processes and offshore development for efficiency when purchased applications do not exist," said Jim Venglarik, US General Manager for Bleum, a US owned and China-based applications development outsourcer. "The programmer function does not go away; however, he/she is employed by a provider or living in a low-cost country."

13% SMBs back up their data in virtualised environments

Selling the sizzle

Realising that the mammoth enterprise software deals and the endless license fees are gone forever, some leading technology vendors turned a savvy-eye towards leveraging consumerism in the enterprise space and coupled that with a brand-new agility play: piecemeal app sales.

"When it comes time to buy, the cloud is forcing application vendors, both old and new, to embrace a more flexible architecture so smaller components can be procured and mashed with others," explained Mike Jones, agile evangelist at OutSystems. He says this will exert pressure for standardised interfaces and will "challenge any vendor who offers their apps using a proprietary approach." In addition, many organisations will want the flexibility to run the application in the cloud or on premise.

By reinventing their sales packaging, vendors aim to emerge from the recession as aggressively agile and dominant players. "But with everyone focusing on making cuts and putting out fires, it is easy to overlook the larger strategic shift in how enterprise technology is used, sold and paid for," said Zvi Guterman, CEO of CloudShare.

The promise enterprises are seeking is the "ultimate notion of disposable apps" said Jones. "IT can empower individual business units to address their specific needs for tactical applications; freeing central IT from having to be involved in every project but assuring a standard infrastructure," said Jones. "As


these tactical apps become more enterprise critical then it will be much easier for corporate IT to take ownership without having to rewrite them like many situations today — a much more efficient overall approach to IT."

Security vendors, such as McAfee, are offering enterprise app stores to leverage the need presented by other enterprise app stores. "The power of mash-ups has spurred the evolution of more sophisticated security and access control features to keep the corporate enterprise protected when deploying this new generation of applications," explained Paul Gardner, Associate Director at Xantus Consulting.

Cloud, platform-as-a-service (PaaS) and software-as-a-service (SaaS) make it easier than ever to develop new apps and extensions (or mash-ups) to existing applications. "So, indeed, the catalogue of applications will explode," said Alex Heneveld, CTO of CloudSoft.

All told, the shift to enterprise app stores is already underway. "Software needs more scrutiny than content, of course, for reasons including security, functionality, and licensing terms — and that won't change — but the degree to which standards will lower that barrier means that the music-store or app-store model is one for CIOs to watch," said Heneveld.

—A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).

— This article has been reprinted with permission from CIO Update. @ http://www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


Can Cloud Really Replace Outsourcing?

Given the current momentum behind the cloud, its impact on offshore outsourcing is unavoidable

By Pam Baker

Sadagopan Singam, VP of Cloud Computing at HCL Technologies, a leading offshore IT and software development company said, “In the 'cloud era,' division between service lines will collapse, building a new outsourcing model, which is anything but conventional.” He said, “Cloud computing will help shift the focus to delivery of business services rather than delivery of IT solutions. In the process, this will enable new service definitions, service lines and business models for both the customer and service provider.”

Just hype?

Despite all the hype, the cloud era is not yet here. Indeed, there is some concern that some things carrying a cloud label are not cloud at all. In a recent survey by audit and tax advisory giant KPMG, both sourcing advisors and third-party service providers were polled on the maturity of cloud offerings on the market today. The “advisors were of the opinion that what is being taken to market under the cloud marketing banner is for the most part repackaged legacy offerings.” Those same third party providers, however, ranked their own infrastructure as a service (IaaS) and software as a service (SaaS) offerings as high in both quality and quantity.

Further, advisors in the survey voiced concern over the total cost of ownership (TCO) of cloud resources. “There is little reliable data on the total cost of ownership of cloud resources,” said one advisor quoted in the survey results. “Yes, the initial capital expense is lower, but are access fees and other installs going to be higher or lower than conventional licenses? I don't think we are far enough into the cycle to have good, verifiable data on TCO.”

Illustration by shigil n

Skills

There's a dearth of skills needed to fully execute cloud services, as well. The KPMG survey found that, on a scale of one to five with five being 'very skilled', advisors gave only a score of 2.39 to end-users for understanding how the cloud works. Providers gave the end-users only a slightly higher score of 2.73. And those were the highest scores cloud end-users received. At the very bottom of the rankings,


according to both the advisors and the providers polled were end-users' skills relating to both sourcing and managing cloud computing initiatives.

That's not to say that traditional offshore outsourcing is a sure win in the contest. “Not only is the cloud more labour efficient than traditional IT delivery, the technology makes more efficient use of non-labour IT resources, as well, and allows for delivery and management of applications in new ways,” said Mike Eaton, CEO and founder of Los Angeles-based Cloudworks. “So when customers consider some of the risks and difficulties of offshoring, such as process realignment and, in some cases, quality, cloud computing may very well be an appealing alternative.”

10% enterprise emails would be based on cloud model by 2014

Offshore outsourcers are fully aware of the difficulties CIOs cite with the traditional outsourcing model. They are also highly sensitive to the changes brewing in the cloud and are seeking ways to make their operations weather resistant. In essence, most are looking to build new cloud-centric outsourcing models using a blended model.

“We are observing that business process as a service (BPaaS) is adding new sophistication to existing outsourcing traditional back office functions,” said Singam. “This brings in enhanced cost efficiencies and is attractive to the customer.”

Whether or not any given enterprise decides to go with the cloud, offshore outsourcing or some blend of the two depends entirely on the enterprise's specific needs and the tasks at hand.

“The impact of the cloud on the outsourcing industry depends on the definition of outsourcing,” explained Paul Liu, CIO at the global IT services provider Freeborders. "If outsourcing is defined as resources doing application development and maintenance, then cloud computing is not really a game changer. The real paradigm shift is in infrastructure as a service, which is shifting a company's systems, storage, and databases to the cloud. But new architectures will need to be created that take into account the challenges of security, compliance, and accessibility requirements.”

In the end, said Liu, “we will see a continuous movement of services to the cloud as traditional IT environments come to the end of their lifecycle.”

—A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).

— This article has been reprinted with permission from CIO Update. @ http://www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

Security and the Cloud

Cloud really looks to revolutionise information technology. But revolutions are often bloody affairs

By Geoff Webb

At the end of Charles Dickens’ tale of post-revolutionary France, Sydney Carton sacrifices himself in order to preserve the life of a man he considers more worthy. It’s a noble act, immortalised by his final words: “It is a far, far better thing that I do now, than I have ever done.” Of course, he has the advantage of being able to foresee the future benefits of his sacrifice. He is impelled, in fact, by the certainty that his short-term suffering will be repaid many times over in the next life, and indeed this one.

Sadly, the rest of us don’t have that option. In a recent Vanity Fair article on the nature of advanced persistent threats (APT), Michael Joseph Gross recounts a discussion between an embattled CIO and his CFO discussing their vulnerability to attack:

“What’s the worst that can happen if we don’t fix any of these?” the CFO asked.

“We have large exposure,” answered the CIO.

“We could potentially be attacked ... ”

“No, no, no. What is the financial impact if we don’t do any of these?"

“We’re not regulated or audited, so there won’t be any fines," said the CIO.

The CFO answered: “You get no budget,” and the topic was closed.

Now you could certainly argue the fault here lay with the CIO for not adequately presenting the long term risk to the company of a serious breach. Or, that the CFO should be more aware of the fact that corporate responsibility should extend beyond just short term regulatory costs. But, finger pointing aside, this does present an illuminating insight into the way that businesses of all kinds look at the costs, and benefits, of security. After all, security processes are always a trade off, and security spend is, and should be, based on solid cost-benefit analysis.

What concerns me, though, are the implications this has for cloud security. After all, organisations on the whole tend to favour short term pain avoidance, and ignore long term security goals that map poorly to hard numbers and specific costs. So as the pressure to realise the cost savings from cloud services ratchets up (and it surely will continue to do so for some time) then the importance of ensuring the security of cloud services will diminish, lost in the cloud feeding frenzy.

Yet, the move to cloud represents an opportunity to rethink security for information and services. In fact, it demands it. But, to get it right — to reset all the mistakes of the past and start out on a sound footing — requires time and planning and breathing room for the security folks. And this is running out.

Sooner or later, that almost primal urge of the corporate organism to maximise profit and avoid immediate pain will overcome caution and the wholesale adoption of cloud computing will happen. Perhaps it already is. One thing is certain though: it will happen whether the security industry is ready or not.

Cloud, unlike so many previous overhyped technologies, really does look like it will revolutionise the way individuals and businesses utilise information technology. But there is an important lesson that we should not forget about revolutions: they are often bloody affairs, and rarely enjoyed by those that must live through them.

This revolution may be much the same. While pundits and business planners alike are chanting in the streets about liberty and the freedom to utilise any services, anywhere, the gutters may quickly run red if things in the cloud turn sour.

Imaging by Suneesh k

If the short term pain of regulatory compliance and the cost of handling breaches begin to take a bite out of the much-vaunted cloud cost savings, then security practitioners will once again be asked to paper over the cracks and make the best of the poor planning and hasty decisions that have already become de-facto standards.

And so, as Dickens wrote at the opening of that very same novel: “It was the best of times; it was the worst of times … ”

—Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others.

—This article has been reprinted with permission from CIO Update @ http://www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.



No Holds Barred

3D heat map cuts cooling costs

As organisations struggle with staggering power bills of data centres, G Dharanibalan, Vice President, Offering Management & Development, Global Technology Services, IBM, India/South Asia, talks to Varun Aggarwal on how IBM helps CIOs cut their energy and cooling bills with technological aids.

What percentage of a data centre budget is spent on power and cooling? How much of this can be reduced using the latest technologies?

Bulk of the non-IT operational spend of data centre is towards energy bills. More than half of the energy consumption of data centres is consumed by power and cooling components. Cooling consumes the largest share of this budget. With the available technologies 30 to 40 per cent reduction in electrical consumption is possible today. In order to achieve such savings, merely changing technologies is not sufficient. All components have a range of operating conditions within which they are most efficient. The efficient 'Operation' of these advanced components is equally important in achieving the savings, forcing the need for both one-time baseline definitions of cooling inefficiencies inside an operating data centre followed by remedial and real-time monitoring of energy.

Enterprises in India have started gaining a good understanding of their infrastructure capacity with regard to power, cooling and space. IBM has a research developed asset that is offered as services to clients in the form of Mobile Measurement Technology (MMT). IBM MMT asset-based services (consulting and implementation) can help develop a real time 3D heat map of the complete data centre floor space. As a data centre analytics-based service, it includes:
- Rack inlet hotspot identification
- Improve data centre airflow
- Calculate cooling unit utilisation
- Generate 'what if' scenarios

To date, IBM has been able to identify potential average energy savings of up to 12 per cent of IT power costs and up to 23 per cent of cooling power costs for data centres ranging from 3,000 to 85,000 sq ft, benefits of which can be achieved in 6-12 months, yielding a potential 100 per cent return on investment after one year.

Please describe Mobile Measurement Technology and its benefits.

Mobile Measurement Technology (MMT) is an IBM patented initiative developed by IBM Research. It is a three dimensional (3D) technology that depicts temperature distribution of data centres. It helps businesses understand the thermal profile of their existing data centre. MMT results are used to identify, diagnose and fix trouble spots and energy inefficiencies. With the help of MMT, IBM has been able to save an average of 12 per cent energy and 23 per cent of cooling power costs for data centres ranging from 3,000 to 85,000 sq ft.

One of the major challenges with existing data centres is that of high power density owing to extremely dense equipment. How can such data centres be made efficient in terms of power and heat management?

IBM, through its ‘Project Big Green’ initiative, has been mobilising the company’s resources to dramatically increase the level of energy efficiency in IT. This initiative was taken to help IBM clients reduce the consumption of energy within their data centres, thereby transforming the world’s business and public technology infrastructures into 'green' data centres. IBM innovation like Rear Door Heat Exchanger (RDHx) is one of the most energy efficient cooling products for high density IT racks. It is the best product in the IT industry for handling both the issues mentioned simultaneously (i.e. solve the high density problem while ensuring high efficiency of the cooling system). It can handle heat density up to 15000 watts per rack or 50,000 Btu of heat without any supplemental cooling. Moreover, IBM data centre services also have several reference cases of customer green data centre implementation wherein design was chosen using analytics tools for arriving at best TCO for a given targeted PUE (power usage effectiveness).


For instance, a company with a data centre of 2,000 sq mt could spend up to $150-$250 mn of facility operating costs over its 10 to 20 year useful life to run a data centre with up to 70 per cent of the costs being used for energy costs. If it uses efficient power, cooling, security, and monitoring capabilities, they can save enough to cover two times the capital costs to build the data centre. Such approach helps establish a facility that runs efficiently with the requisite flexibility to be accommodative of new technology and the operational reliability required to meet business objectives. Also, having MMT 1.5 deployment along with DCIMM (data centre integrated monitoring and management) dashboard can help focus on green throughout the operation life of the data centre.

Does one need to rip and replace the existing data centre in order to take advantage of green technologies?

Data Centre infrastructure is capital intensive. Hence, it’s not always practical to rip and replace the infrastructure components like power and cooling equipment. Although greener technologies available in new products is always tempting, but we first need to put in place the best practices for operating procedures, as operating equipment within their efficiency zone is important to derive maximum benefits from new technology. We can see that the efficiency benefits of older technologies too have not always been realised, due to incorrect operation of them. Thus, there is always a scope for efficiency improvement, even with older components. Thus, a good way to begin on the green path is to start with implementing operating procedures and capacity management to derive efficiency from existing components. The documented savings of this first step can make it easier to get budget sanctions for replacing some components with more green technology.


DOSSIER
Company: IBM
Established: 1911
Founder: Thomas J. Watson
Divisions: Hardware, Financing Services, Software
Revenues: $99.87 Billion in 2010
Employees: 4,26,751 in 2010



Tech for Governance

How to curb Licensing Costs

Licensing is one of the most dreaded billing experiences for a CIO. He needs to bring it under control

By Pam Baker

Illustration by Prince Antony

5 POINTS
- Calculate licensing costs beyond attractive discounts
- Look into ELO and other means of tracking licence use
- Seek out software vendors that have the technology in place to enforce the licensing terms
- Freshen and update your software licensing policies
- Strengthen your provisioning capabilities

Because of the continuous ebb and flow of business today, software licensing is just one of those things in IT that never seems to get under control. Cloud, outsourcing, the comings and goings of employees leaves IT managers in an expensive bind when it comes time to pony up and pay the tab for overages they didn't know they even had.

"One of the most commonly dreaded billing experiences for enterprise CIOs is the 'true-up'," said Chris Holland, VP of the Cloud Services division at SafeNet, an information security and data protection company. "This is a bill for all over-usage, generally unintentional, of a software product or service over a defined period of time."

In other words, the true-up translates to pay-up for licensing and related sins. The amount can be staggering but even if it isn't, the bill is still a budget-buster since it's unlikely anyone penciled it in.

"This cost is typically not budgeted for, and will more often than not cause major heartburn for everyone involved; from the sales rep delivering the bad news to the IT representative that receives the bill, and the CIO that has to pay it," explained Holland.

Perhaps the most frustrating thing about the entire situation is that nobody wins. Not even the software publisher who may see a temporary uptick in revenue but is also likely to lose a customer over it in the long run.

Counting heads and losing seats

A number of things contribute to the runaway licensing costs. For one thing, few negotiators within any given company truly understand the complexity of software licensing contracts. Nor do they have a good understanding of how many licences the company actually needs. This leads to excessive licensing.

"The assumption is that the same staff members who needed it last year need it this year as well," explained Vickie Flores, VP of Information Services at Magma Design Automation. Downsizing is amazingly common these days, which can lead to over-licensing if past or planned job reductions are not figured in. Other, less obvious changes in the ranks, should be considered.

"From my experience, there is at least 3 per cent of the staff who do not need access because someone else in their department is doing a majority of the work and passing information directly to them. They no longer require the use of the system on a daily basis," said Flores.

In other cases, employees assume they are adequately covered under existing licensing contracts. IT tends to assume that, too.

"In the past, software vendors have put the responsibility of licence tracking and optimisation on the end user; many of whom don't have the time or technology in place to manage the thousands of entitlements they have floating around their organisation and who generally assume that some measure of control is built into their purchase that prevents over use," said Holland.

"As many CIOs have discovered, most software vendors offer a variety of flexible licensing models, but have no way to enforce them. This leaves the door open to significant overuse and a big bill at the end of the year."

Spin-ups and flame-outs

One of the newest sources for excessive and unexpected licensing costs is in the unauthorised spin ups of virtual machines (VM). Unfortunately, it is fairly common for users to spin up VMs and use trial software only to arrive at IT's door later, in a full panic, trying to get a last minute licence before all the work is lost to the end of the trial period.

But that's not the only licensing problem enterprises run into with virtualisation. For example, software licence agreements often do not recognise partitioning as a method of isolating application instances. This is a mathematical disaster waiting to happen because it could mean that the software publisher will charge your company for every CPU on the server rather than for the CPUs you are actually isolating the application to.

To illustrate: If the application cost is $47,000 per CPU, then IT will likely assume that the licensing costs for four partitioned CPUs would be $188,000. However, if the software publisher actually charges for all CPUs on the server (let's say a 24-way server in this case), this would total more than $1.1 mn. It's not hard to see how that huge difference between the bill expected and the bill received can affect the company.

Add to this the number of abandoned projects and virtual machines floating around 'out there' somewhere in the data centre. These may have licences that are paid for but lie unused. A 2010 IDC survey found that over half of enterprise applications are underutilised, with anywhere from 25 per cent to over 75 per cent of licences paid for but unused.

25-75% of licences are paid for but unused (IDC Survey, 2010)

The flipside of abandoned projects and machines is the advent of unauthorised software copies that can ruin a company if ever discovered in an audit. A 2010 Gartner survey found that software vendor audits are increasing in frequency. Almost two out of three of companies surveyed had been audited by at least one software vendor in the past 12 months. Gartner does this survey annually and in 2009 the number audited was 54 percent; in the prior three years it was between 30 per cent and 35 per cent. The vendors listed as carrying out the highest number of audits were IBM (41%), Adobe (40%), Microsoft (35%) and Oracle (19%).

66% companies carried out software audits by a software vendor in 2010

"Penalties for use of unauthorised software can far exceed the cost of the software," warned Peter Beruk, senior Director of Compliance Marketing for the Business Software Alliance (BSA), the leading global advocate for the software industry with policy, legal and/or educational programmes in 80 countries. "This is not a traffic ticket."

What to do

"CIOs in particular have a unique challenge," said Beruk. "Managing software assets is not the same as managing other business assets, though it can oftentimes be even more important."

In answer to this widespread and perplexing problem, BSA has created an online training programme, billed as the first ISO-aligned software asset management course, called SAM Advantage. The training can even lead to certification in software management, specifically a Certified in Standards Based SAM professional.

But for those that need some immediate guidelines on reining in runaway licensing costs, this to-do list provides a good start:

1) Calculate licensing costs beyond attractive discounts: Discounts can cost you money rather than save you money if you are locked in to a set number of seats – even if you have to downsize, outsource or move to the cloud. Take everything in consideration before you agree to any price and look for maximum flexibility in the contract.

2) Look into Enterprise Licensing Optimisation (ELO) and other means of tracking licence use. You need to know what's happening in regards to licensing enterprise-wide (and don't forget to track licensing in virtualised machines, too).

3) Seek out software vendors that have the technology in place to enforce the licensing terms: If you agree to pay for up to 25 users the vendor needs to be able to warn you before you exceed that number of users; enabling you to either deny additional users or add more entitlements.

4) Freshen and update your software licensing policies: Many companies are still using old policies. Make sure everyone company-wide knows of the issues and how to properly contain them.

5) Strengthen your provisioning capabilities: This way users can get what they need, when they need it but IT can identify and rapidly decommission unused or underused assets as needed.

— A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times.

—This article has been reprinted with permission from CIO Update @ www.cioupdate.com. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

Edge of Responsibility in Mobile Applications

The fundamental question when it comes to fraud is how do you define, transfer and communicate responsibility to the customer?

By Rafal Los

If you work in banking, you've probably already had several of these discussions with your risk or fraud teams over the years. At what point does the responsibility of the vendor (you) stop, and the responsibility of the customer begin? This is a particularly difficult question when things like banking fraud come up, because we know through tough experience that even out-of-band PIN codes are relatively meaningless when the malware is living in your browser or on your computer and manipulating your transactions.


There are companies like Bank of America which offer, free of charge, mind you, protective technologies from their business partners (Bank of America page here: https://www.bankofamerica.com/privacy/Control.do?body=privacysecur_sec_solutions) but typically they come with no warranties, little support, and are probably buried deep in the site somewhere. Here's the fundamental question though... Where does your organisation transfer responsibility to the customer? More importantly, how do you define and communicate that?


As more and more functionality is moved to a browser or mobile device that isn't under the vendor or enterprise's control, we have to start to draw very clear lines between what I'm responsible for as the supplier of a service, and what you're responsible for as a consumer. This carries over nicely into the Cloud Computing world, but today I want to address this from an application security perspective.

Think about when you write software, and specifications around input and output (data handling) and authentication/authorisation are discussed as requirements. For many years developers have been told not to trust anything not coming from their system... But what if their system (say, a backend web service) is communicating with a mobile platform (say, an application on an iPhone or Android or... whatever)? Logically the same rules apply right? Depends on who you ask apparently.

To see it slightly differently, an application that uses some home-built code on a mobile platform to authenticate a user can do it the easy way (verify the identity on the end client) or do it the hard way (verify the identity with multiple client <> server transactions). Given the speed at which apps are expected to perform, it's easier to either cache or simply write the routine on the client side and then trust it. The perils of this are obvious if you're a security professional, and even to some developers, yet many applications are found trusting the platform they're installed on simply because developers don't know how easy these platforms are to tamper with.

So at what point does liability for misuse transfer from vendor to user? When you develop your applications for the mobile market, do you consider these types of issues? Do you clearly spell out the limitations of liability that are human readable, and help the user protect themselves, or do you hope that the user's machine isn't one of the vast numbers of compromised and trojaned hosts? More importantly even ... how do you deal with hostile hosts like this?

How does a developer write a piece of code to maintain functionality in a hostile environment like a mobile platform? There is a clear shift that must happen in trust – a shift over to security over functionality... but how does one accomplish that in today's business climate? Are there quick tips for making as few mistakes as possible?

- Use built-in cryptographic functionality whenever possible. Generally the crypto functions that are on the mobile platform or remote system are better than what you can build yourself
- Require step-validation for each critical transaction with a nonce to ensure that not only is each transaction the intended transaction but that it actually comes from the user, using your application as intended
- Assume zero trust in the system – whether it's a desktop browser, a kiosk computer, or a mobile phone/tablet, this is the only way to ensure that you've accounted for all the failure modes
- Use the mobile device or browser only as a presentation layer rather than attempting to do any business logic on the remote device; this ensures that critical business logic is done on the server side where you can monitor/inspect it
- Use the appropriate level of security for data in motion – if you're sending credentials or critical data to web services it may be a good idea to use more than simple RESTful services, but a news feed may be just fine to send over a JSON request

In the end, it is critical to let your customers know where your responsibility ends, and to understand this yourself too. One of the most dangerous things an organisation can do is try to push that perimeter too far, and to protect every client... this can get not only incredibly costly, but also incredibly difficult to defend in court! Ensure your developers, program managers and security staff know your line of responsibility and communicate with your customers.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Illustration by Shigil N
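The step-validation, zero-trust and presentation-layer tips from the article above can be sketched on the server side as follows. This is an added example, not code from the article: the `TransferService` class, the account identifiers, the limit and the 120-second lifetime are assumptions, and the nonce and HMAC come from Python's built-in `secrets` and `hmac` modules.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to the client
NONCE_TTL_SECONDS = 120                # assumed confirmation window
DAILY_LIMIT_CENTS = 500_000            # assumed business rule, enforced on the server only


def binding_tag(session_id, nonce, to_account, amount_cents):
    """HMAC that ties one nonce to one session and one exact set of details."""
    message = json.dumps([session_id, nonce, to_account, amount_cents]).encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).digest()


class TransferService:
    """Hypothetical backend: the client only displays and submits, never decides."""

    def __init__(self):
        self._pending = {}   # nonce -> (tag, expires_at)
        self.ledger = []     # transfers that were actually executed

    def begin_transfer(self, session_id, to_account, amount_cents, now=None):
        """Step 1: validate the request on the server and issue a single-use nonce."""
        now = time.time() if now is None else now
        if type(amount_cents) is not int or not 0 < amount_cents <= DAILY_LIMIT_CENTS:
            raise ValueError("amount rejected by server-side rule")
        nonce = secrets.token_urlsafe(32)
        tag = binding_tag(session_id, nonce, to_account, amount_cents)
        self._pending[nonce] = (tag, now + NONCE_TTL_SECONDS)
        return nonce

    def confirm_transfer(self, session_id, nonce, to_account, amount_cents, now=None):
        """Step 2: execute only if the nonce is fresh and the details are unchanged."""
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)   # single use: gone after first presentation
        if entry is None:
            return "rejected: unknown or already used nonce"
        tag, expires_at = entry
        if now > expires_at:
            return "rejected: nonce expired"
        resubmitted = binding_tag(session_id, nonce, to_account, amount_cents)
        if not hmac.compare_digest(tag, resubmitted):
            return "rejected: details or session do not match step 1"
        self.ledger.append((session_id, to_account, amount_cents))
        return "executed"


def demo():
    """Run one honest flow and four failure modes against constructed inputs."""
    svc = TransferService()
    t0 = 1_000_000.0          # constructed clock value so the run is deterministic
    results = {}

    nonce = svc.begin_transfer("sess-A", "ACCT-1001", 25_000, now=t0)
    results["honest"] = svc.confirm_transfer("sess-A", nonce, "ACCT-1001", 25_000, now=t0 + 5)
    results["replay"] = svc.confirm_transfer("sess-A", nonce, "ACCT-1001", 25_000, now=t0 + 6)

    nonce = svc.begin_transfer("sess-A", "ACCT-1001", 25_000, now=t0)
    results["tampered"] = svc.confirm_transfer("sess-A", nonce, "ACCT-9999", 25_000, now=t0 + 5)

    nonce = svc.begin_transfer("sess-A", "ACCT-1001", 25_000, now=t0)
    results["other_session"] = svc.confirm_transfer("sess-B", nonce, "ACCT-1001", 25_000, now=t0 + 5)

    nonce = svc.begin_transfer("sess-A", "ACCT-1001", 25_000, now=t0)
    results["expired"] = svc.confirm_transfer("sess-A", nonce, "ACCT-1001", 25_000, now=t0 + 121)

    results["ledger"] = list(svc.ledger)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Only the honest flow reaches the ledger; every rejection also consumes the nonce, so a failed confirmation has to restart from step 1.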


Simple Network Security Monitoring Tools

A Linux distro could well be the solution for your network security problems

By Dan Dieterle

If you want a robust, cost effective and easy-to-use Intrusion Detection System (IDS) and Network Security  Monitoring (NSM) platform, look no further than 'Security Onion'.

Security Onion:

“Security Onion is a Linux distro that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.”

What is great about Security Onion is that it takes all the guess work out of setting up an effective IDS and takes the output of intrusion attempts and displays the critical ones in a nice user interface called Sguil. You can install Security Onion to a new machine, or just run it as a live CD to check it out.

Running Security Onion with two network cards installed and matching it to a Dualcomm port mirroring device provides a cheap but powerful monitoring system. When two network cards are installed with Security Onion, one is configured as a monitoring only sensor and the other is configured to connect to your internal LAN. Simply connect the Dualcomm port mirroring device inline with whatever traffic you want to monitor. Then connect your sensor line from Security Onion to the mirrored port and you can analyse all your network traffic live.

Another cool feature of Security Onion is that it keeps a copy of all of your network traffic stored in a daily log file. Now if all the tools that are included in Security Onion are just not enough for you, you can take the raw daily captures directly from Security Onion and analyse them in Netwitness Investigator.

Netwitness Investigator:

“NetWitness® Investigator is the interactive threat analysis application of the NetWitness enterprise network monitoring platform. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free form contextual analysis of raw network data captured and reconstructed by the NetWitness enterprise security platform.”

Simply navigate to the NSM directory on your Security Onion installation, then to the sensor directory, then to the NIC used for monitoring, and finally the daily logs directory. Then choose a log file. The files cap out at 128 MB by default and then another file is created with an incremented number in the file name. A sample file name would be 'snort.log.1315337092'. Next copy that file off to a flash drive and import it directly into your Windows system running NetWitness Investigator.

Investigator then parses the information and gives you an amazing view of the packets captured. At the top, the program lists any threats that it detects as warnings. It also breaks the data down into easily navigable headings like Service Type, Source & Destination Country, City and IP address. You can also search the entire data collected for phone numbers, credit cards, hacker terms, or location. Finally, Investigator supports Google Earth to view packet travel and location data.

Security Onion & Netwitness Investigator, a powerful threat detection combination.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.
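When the daily logs directory holds many capture files, the "choose a log file" step above comes down to finding the files that cover the time of interest. The following added example (not part of the article or of Security Onion) does that from the file names alone, on the assumption that the number after `snort.log.` is the Unix time at which the file was opened; apart from the sample name quoted in the article, the listing is constructed.

```python
import re
import struct
from datetime import datetime, timezone

# Name pattern taken from the sample on the page: snort.log.<number>.
# Assumption: the number is the Unix time at which the capture file was opened.
CAPTURE_NAME = re.compile(r"^snort\.log\.(\d+)$")

# Magic numbers of the classic pcap file header (microsecond and nanosecond variants).
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def capture_start(name):
    """Return the epoch second encoded in a capture file name, or None."""
    match = CAPTURE_NAME.match(name)
    return int(match.group(1)) if match else None


def to_epoch(utc_text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return epoch seconds."""
    parsed = datetime.strptime(utc_text, "%Y-%m-%d %H:%M:%S")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def files_covering(names, window_start, window_end):
    """Pick the capture files whose packets can fall inside [window_start, window_end].

    A file is taken to cover the time from its own start until the next file
    was opened; the newest file is treated as still open. If the sensor was
    stopped in between, this over-selects rather than misses a file.
    """
    starts = sorted((capture_start(n), n) for n in names if capture_start(n) is not None)
    selected = []
    for index, (begin, name) in enumerate(starts):
        end = starts[index + 1][0] if index + 1 < len(starts) else None
        if begin <= window_end and (end is None or end > window_start):
            selected.append(name)
    return selected


def looks_like_pcap(first_bytes):
    """Check the 4-byte magic number in either byte order before importing a file."""
    if len(first_bytes) < 4:
        return False
    little = struct.unpack("<I", first_bytes[:4])[0]
    big = struct.unpack(">I", first_bytes[:4])[0]
    return little in PCAP_MAGICS or big in PCAP_MAGICS


# Constructed directory listing: only the first name appears in the article.
SAMPLE_LISTING = [
    "snort.log.1315337092",
    "snort.log.1315339500",
    "snort.log.1315342000",
    "snort.log",            # no timestamp suffix: ignored
    "notes.txt",            # unrelated file: ignored
]

if __name__ == "__main__":
    start = to_epoch("2011-09-06 20:00:00")
    end = to_epoch("2011-09-06 20:10:00")
    for name in files_covering(SAMPLE_LISTING, start, end):
        opened = datetime.fromtimestamp(capture_start(name), tz=timezone.utc)
        print(name, "opened", opened.isoformat())
```

A window that crosses midnight needs the listings of both daily directories passed in together.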


Amit Haralalka

Hide time | BOOK REVIEW

“If your intentions are noble..., people go out of their way to be of help.”

A Cup of Inspiration

The Fresh Brew documents real-life accounts of IIM Lucknow alumni who dared to dream differently.

Amit Haralalka’s story could easily be one of the 25 in his book. While pursuing his MBA at the Indian Institute of Management (IIM), Lucknow, he came across a post on the alumni threads. It called for a book on their community that would inspire others to do what their peers had accomplished. Haralalka agreed; he had been feeling the current of innate fearlessness in ‘New India’ and was toying with the means to capture this power and extend its reach. A book was the perfect way to do so. “Given my background in blogging and my experience as an entrepreneur, this was something that caught my attention,” Haralalka says.

Then Haralalka’s fellow student Amitabh Thakur posted a blog in support of the book idea. Thakur was no ordinary student. A BTech from IIT, Kanpur, he was a serving officer of the elite Indian Police Service (IPS), and on study leave to complete his MBA at IIM, Lucknow. They joined hands.

From software entrepreneurs to a Bollywood playback singer to a documentary filmmaker to a certified FIFA coach, the authors decided to capture a large canvas of professionals — none of a traditional mindset. “We wanted a book that could relate to as many people as possible, with something for every dream. The individuals featured are different, their dreams are different, but they all share a similar spirit, a strong sense of belief in themselves and the ability to carry on no matter what.”

Why 25 stories? The number was derived when Haralalka and Thakur realised that to hold a reader’s interest each story must not exceed 15 pages or else it would end up as a novel. And so a typical 250 to 300 page book would have approximately 25 stories. The number also matched the authors’ desire to profile a large number of interests to connect to a wider set of aspirations.

While both authors met with many other challenges along the way, they also found a lot of support. The biggest encouragement came halfway through the journey. Haralalka sent a handwritten request to former President Dr APJ Abdul Kalam, to write the book’s foreword—a request personally endorsed by Dr Devi Singh, the director of IIM Lucknow. “Given the iconic stature Dr Kalam commands, we were overjoyed when he consented. When I opened the e-mail from his office, there was a foreword attached with his signature — a moment I can never forget in my life. He has inspired me ever since I read his book, Wings of Fire.”

Although the authors first thought their reader was an aspiring entrepreneur, they soon realised their audience also included mainstream professionals looking to branch out and grow their own roots. “In fact, after reading one of the stories in The Fresh Brew, a software professional quit his job and made his dream of opening a pre-school a reality.”

As for the author, he has just joined the workforce but will continue to explore his potential as a communicator, both written and oral, for the benefit of society. “My next venture will be a non-fiction book again. This is a genre that I understand, have experience in, and is one that truly excites me.”

ABOUT THE REVIEWER

Rakhi Agarwal has been a journalist for 14 years, and has worked with Femina and DNA, Mumbai. She is currently working as a freelancer.



DO YOU WANT TO BE FOUND?

JURY Mr. Debabrata Gupta COO USV Limited

Dr. Armin Bruck Managing Director Siemens Ltd, India

Mr. Anirban Ghosh VP – Strategic Planning & Business Development Mahindra and Mahindra

Dr. Arup Basu COO (Chemicals) India Tata Chemicals Ltd

Mr. Rakesh Makhija President, Asia SKF Group

Mr. P J Swamy Managing Director Varroc Elastomers Pvt Ltd

Mr. Kumar Kandaswami Senior Director Deloitte Touche Tohmatsu India Pvt Ltd

Mr. Arnab Banerjee Executive Director Operations CEAT Ltd

Mr. Jayaram Sridharan President, World Class Manufacturing Aditya Birla Management Corporation

NOMINATIONS OPEN TILL OCTOBER 31ST. APPLY/ NOMINATE NOW!!! For further information please email at maulshree.tewari@9dot9.in or call +91 9717597903 For partnership opportunities please email at nabjeet.ganguli@9dot9.in or call +91 9820060094


MANUFACTURING LEADERSHIP

AWARDS & CONCLAVE 2011 Honouring the Top 100 Manufacturing Professionals in India Manufacturing Leaders are truly the master of all trades, dealing with multiple, complex, interlinked issues through the daily course of their jobs. However, there are hardly any platforms that publically recognize and honour these inspiring individuals. Manufacturing Leadership Awards 2011 is a cross-sector platform to recognize these Leaders of today and tomorrow, and to share their stories with the broader manufacturing community

HIGHLIGHTS 100 awardees 10 award categories Eminent jury panel Open nomination process (including self nomination) Day-long, exclusive conference for winners to enable knowledge sharing Sharing of awardee stories via a special publication, distributed to top 1,000 manufacturing companies

WHY PARTICIPATE Get recognized as a star, by Leaders of the industry Join an exclusive club of achievers Learn from successful peers in an exclusive knowledge forum Share your company's success story

ITC Grand Maratha, Mumbai | December 14, 2011

WHO CAN APPLY Senior-level manufacturing executives (with 10+ years of experience in leading teams) Leaders of projects implemented at a manufacturing facility in India Leaders of achievements accomplished on or after April 1, 2010; and currently operational

AWARD CATEGORIES Manufacturing Strategy and Management Manufacturing Innovation and Design World-Class Manufacturing and Operational Excellence Manufacturing Collaboration and Partnership Manufacturing IT and Automation

Manufacturing Safety and Risk Management Green and Sustainable Manufacturing Energy Efficiency in Manufacturing Manufacturing Supply Chain Management People & Skill Management in Manufacturing

* All entries submitted should be independently verifiable * Multiple entries are permitted for any individual * Applicants can be domiciled anywhere or be citizens of any country

visit http://www.industry20.com/MLA100-2011


VIEWPOINT Steve Duplessie | steve.duplessie@esg-global.com

Treat The Cause Not The Symptom

Virtualise Your Data

In IT we LOVE to treat the symptom of our ills, never the cause. We buy infrastructure to support data. Storage doesn’t support applications. It houses and delivers data to those applications. Servers do execute applications, but only once that application has been fed the data it requires. Networks let us share the results of an application done chewing on its data – or act as a transport to get the requisite data from where it is, to where it is needed.

Virtual infrastructure is cool – but it’s not the real issue. It’s treating the symptom and not the cause of our IT issues. If we had no data to worry about, we’d have no infrastructure issues to deal with. Virtual or physical, it wouldn’t matter. The cause of all of our ills is data. Lots and lots of data. Lots and lots of the EXACT SAME data. Get rid of the data, get rid of the headache. How? Virtualise it.

In simple terms, virtualisation allows one physical thing to appear to be many logical things. This is true whether we’re talking about a server or a data set. The fundamental value proposition of virtualisation is that ONE is easier to deal with than MANY. It’s as simple as that.

The bottom line is that there are two types of data in our organisations: PRODUCTION data and COPIES of PRODUCTION data. We take copies of production data, then take copies of those copies, and we use them in all of our other business functions within IT. We use them for protection. We use them for Business Intelligence. We use them for Business Sustaining. We use them for Business Execution (CRM, Marketing). Each one of those business functions has its OWN SILO of infrastructure (virtual or real) with its OWN storage housing its own copies of the exact same data!!! Each has its own processes, specialists, and outrageously redundant expenses. All in support of a different ‘application’ using the exact same data. Smells wrong, doesn’t it? I’m not saying that you shouldn’t perform these business functions.

On the contrary, I’m saying you should enable yourself to do even MORE of these types of intelligent business functions. What I am suggesting is that you might consider the implications of treating your COPIED production data silos a bit more intelligently. I’m not going to give you the answers here – as you are smarter than I am – but I want you to think about how you could gain efficiencies across the board if you used the concept of a ‘single system of record’ for your copied data. I’m not even talking about your production world – leave that alone. Just imagine what could happen if there were one single ‘master’ repository for production copied data – that fed everything else – virtually. You could have one way of snapping data, instead of 87. You could have one way of protecting data. One way of accessing data. One single data ‘silo’ for infrastructure, and so on. The possibilities are endless.

About the author: Steve Duplessie is the Founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com


Run applications up to 50x faster.

What IT performance can be. With WAN optimization solutions from Riverbed®, you can increase application performance up to 50 times faster over the WAN, delivering LAN-like performance just about anywhere — from remote offices to the data center to the cloud. Learn more at riverbed.com/50x For any queries, please contact marketingindia@riverbed.com

© 2011 Riverbed Technology. All rights reserved.



Forging a Symbiotic Partnership