MANDATE FOR 2013

CTO Forum

Technology for Growth and Governance

December | 07 | 2012 | 50 Volume 08 | Issue 08

I Believe: Expand Innovation for Retaining Customers

7 Best Practices to Get BYOD Right | IT Spending in Telecom to Reach $ 7.1bn in 2020

Best of Breed: Six Ways to Bring Down Your Firm

Next Horizons: Offensive Defence: A Really Bad Idea

A 9.9 Media Publication




Editorial
Yashvendra Singh | yashvendra.singh@9dot9.in

Full Steam Ahead

Expansion and innovation seem to be the mantra for Indian CIOs in 2013

Another new year, another set of predictions. While the global economy seems to be in the doldrums, the Asia Pacific region appears to be the bright spot for IT. As Gartner’s Senior Vice President and Global Head of Research, Peter Sondergaard, said, “As global markets improve in 2013 and resume growth, Asia Pacific remains one of the bright spots of the global IT market, allowing organisations in this region to accelerate competitiveness.”

Spending on information technology (IT) in the Asia Pacific region is forecast to reach $743 billion in the year 2013, an increase of 7.9 percent over 2012, according to market research firm, Gartner. So far in 2012, IT spending in Asia Pacific is on pace to grow 7.6 percent. According to Gartner, in the Asia Pacific region, all five major segments of IT spending are expected to grow in 2013. The devices segment (including PCs, tablets, mobile phones and printers) in Asia Pacific is projected to total $229.7 billion, a 12.3 percent increase from 2012 spending. Data center systems spending is forecast to reach $28.6 billion in 2013, a 9.5 percent increase from 2012. Software spending will total $33.9 billion, up 11.9 percent; IT services spending will reach $91.5 billion, up 7.5 percent, and telecom services is projected to total $359.4 billion, a 4.8 percent increase from 2012.

In this issue’s cover story, we gauged the moods and mandates of top CIOs for 2013. The results were in line with the predictions for the Asia Pacific market. None of the CIOs we spoke to hinted of any budget cuts or consolidation in 2013. They are all set to carry on the bullish fervour into the new year. And helping them in their efforts to compete and innovate would be SMAC (Social, Mobility, Analytics and Cloud) -- the most relevant and top-of-the-mind technologies for CIOs in 2013. By leveraging the mix of these technologies, more and more enterprise technology leaders will increasingly invest their time and energies on digital innovation rather than back office automation. There will be a strong momentum towards digitizing the customer-enterprise boundary. As we usher in the new year, do write to us about your plans for 2013.

Editor’s pick: Mandate For 2013. CIOs discuss their priorities, challenges and opportunities in the new year

The Chief Technology Officer Forum

cto forum 07 December 2012



December 12 Contents

thectoforum.com

Cover Story

Mandate For 2013: CIOs discuss their priorities, challenges and opportunities in the new year

Columns

I Believe: Expand Innovation for Retaining Customers, by Dev Sharma

Viewpoint: Where’s the Money in Enterprise Cloud? By Steve Duplessie


Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301


Cover: SHOKEEN SAIFI TYPOGRAPHY: ANIL VK IMAGING: Peterson PJ

Best of Breed: 6 Ways to Bring Down Your Firm. Success of a firm depends on its employees but the demise of a firm depends on only one employee


www.thectoforum.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Assistant Editor: Varun Aggarwal & Akhilesh Shukla

Design
Sr. Creative Director: Jayan K Narayanan
Sr. Art Director: Anil VK
Associate Art Directors: Atul Deshmukh & Anil T
Sr. Visualisers: Manav Sachdev & Shokeen Saifi
Visualiser: NV Baiju
Sr. Designers: Raj Kishore Verma, Shigil Narayanan Suneesh K & Haridas Balan
Designers: Charu Dwivedi, Peterson PJ Midhun Mohan & Pradeep G Nain

Marcom
Associate Art Director: Prasanth Ramakrishnan
Designer: Rahul Babu

Studio
Chief Photographer: Subhojit Paul
Sr. Photographer: Jiten Gandhi

A Question of Answers: Dhamodaran Ramakrishnan, Director, Smarter Planet Solutions, IBM India/South Asia, talks about how IBM is planning to transform cities in India

Tech for Governance: Improve Your Infosec Risk Management Practice. Fifteen tips for managing infosec risk

Next Horizons: Offensive Defense: A Really Bad Idea. Advocating hacking as a “defense” is just the cherry on top of a shit sundae

Regulars: Editorial | Letters | Enterprise Round-up

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Jigyasa Kishore (+91 98107 70298)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Office No. B201-B202, Arjun Centre B Wing, Station Road, Govandi (East), Mumbai-400088. Printed at Tara Art Printers Pvt Ltd., A-46-47, Sector-5, NOIDA (U.P.) 201301

Editor: Anuradha Das Mathur

For any customer queries and assistance please contact help@9dot9.in



I Believe

By Dev Sharma, Vice President-New Technology and Delivery, Pine Labs

The author has 16 years of experience primarily in building business applications like transaction management, logistics, supply chain, CRM and business consulting.

Expand Innovation for Retaining Customers

Don’t get complacent after creating new technology. To sustain growth, constant review is required

I believe customer needs and retention strategies drive innovation.

I believe to innovate you not only have to listen to what the customer wants but interpret what your customer is asking for. Like Henry Ford was listening to his customers and they were saying that they wanted to have faster horses. They were not asking for cars. That’s how the greatest innovations have happened, through interpretation of the customer’s need. Remember, supply does not create its own demand. It is the demand in the market which determines supply.

I believe the mind-set for technology innovations should be to make things simple but efficient and add value by providing the right information. We at Pine Labs believe that to provide innovative payment technologies and to continue to transform the world into a networked economy you have to ask yourself a few very basic questions. Those questions are, how can you add value in a way that is relevant and useful to users and then become their preferred payment stream to use? And, what can you do more, to make it easy & simple? With various regulations, finding the balance of making payments simple, cost effective yet efficient and, most important, creating an extra value for our clients and their customers is the driving force of all new product offerings at Pine Labs.

I believe innovations based out of economy and user influences are a success. For example, in India there is a new advent of e-commerce but Indian users are generally resistant to make payments online. Offline payments have been the key to the e-commerce websites boom in India. This created a “need” for an innovative and robust offering which packs all the features of a PoS in a compact portable size to facilitate payment acceptance in cash or card at the customer’s door step. As we believe at Pine Labs that a value should be added to innovations, we created a mobile PoS that streamlines product delivery to end-users and not only captures cash and card payments but also supports all the value added features like gift vouchers, loyalty programmes, EMI payments, couponing, promotions etc.

Current challenge: the ability to interpret what your customer is asking for




LETTERS

CTOForum LinkedIn Group

Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Virtual CTO/CIO: A long term IT partner for your business growth

This is a model that SMBs are slowly waking up to. While their IT head can chip away with his day-to-day activities, an external help (a part time CIO) can give their IT a proper direction and can review performance to ensure the company's objectives are met.
—Balasubramanian S R, Business & IT Consultant

Are CTOs more interested in satisfying the CFO & Board rather than the consumer?

CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.
Arun Gupta, CIO, Cipla

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

CTOF Connect

Sundar Ram Gopalakrishnan, VP- Technology, APAC, Oracle Corporation talks about the importance of an integrated security approach

http://www.thectoforum.com/content/%E2%80%9Cpoint-solutionsare-pass%C3%A9%E2%80%9D-0

Opinion: Building Innovation Agenda for CISO Function

How would an innovation agenda for CISO function look like?

With organisations aggressively searching for new ways, out-of-the box solutions and un-orthodox approaches are used to beat the past matrices, benchmarks and performances. To read the full story go to: http://www.thectoforum.com/content/buildinginnovation-agenda-ciso-function-0

Priyank Kothari, Associate Practice Partner GRC, Wipro Consulting Services



Enterprise Round-up

Feature inside: 5 Tips to Mitigate Mobile Apps Risk

7 Best Practices to Get BYOD Right

Here are some key points to keep in mind before pressing the start button

Like many other things in technology today, getting BYOD to work effectively for you is more about adopting the best practices than the tools being used.

1. Policy, policy, policy! Get your BYOD policy in place by thinking holistically and methodically about what would be the best fit for your organisation.
2. Security is paramount, so do a thorough risk analysis before giving in to the temptation of seeing your employees walk in with lots of good-looking iPads or Galaxies.
3. Think people and not necessarily devices. In many cases, IT can think about their BYOD initiatives in how to manage secure access to data and applications in terms of people, not the devices they use.
4. Contractors are generally ideal candidates for BYOD. They are expected to bring their own devices, as it aids independent contractor compliance.
5. Get buy-in from top management. One of the key criteria for the success of a BYOD initiative is the senior management’s commitment and support.
6. Watch your back(end)! It is very important to make sure that the backend infrastructure is ready to take on devices that are running on newer platforms.
7. The more mobile platforms, the merrier.

Data Briefing

3.6% Worldwide growth in server shipment in Q3 of 2012


They Said It: Kapil Sibal

“It is not Sibal’s law. It was passed by Parliament. The law has been misused but don’t forget victims who are abused” — Kapil Sibal, Minister for Communications and Information Technology

Speaking to Hindustan Times, Sibal ruled out the scrapping of the controversial 66A (IT) Act under which two Palghar girls were recently arrested in Maharashtra.

Dell acquires software firm Gale Technologies

Financial details are not disclosed

Computer maker Dell has announced that it has acquired Gale Technologies, a provider of infrastructure automation software. Gale Technologies offers software that can help customers turn discrete compute, network and storage resources into integrated solutions featuring self-service and automation, reported Xinhua. Without disclosing the financial terms of the deal, Dell said it plans to keep Gale Technologies’ employees and will continue to invest in additional engineering and sales capability. Dell also announced that it will use the acquisition to form a new Enterprise Systems and Solutions division to design and deliver integrated enterprise information technology (IT) solutions. Privately-held Gale Technologies was founded in 2008 and is headquartered in Santa Clara in the US state of California. The purchase is the latest indication of the increasing competition among technology giants to create one-stop shop which packages compute, storage, network, software and other components into a single, optimised IT solution for enterprises. Dell’s deal came a day after Cisco announced that it intends to pay $125 million to buy Cloupia, an infrastructure automation software provider similar to Gale Technologies.

Quick Byte on Windows

Since the launch of Windows 8 on October 26, 2012, Windows laptop sales are down by 24 percent, while desktop sales are down by nine percent compared with the same period last year, according to a Reuters report.


5 Tips to Mitigate Mobile Apps Risk

A look at how IT can mitigate the risk of errors and deliver successful mobile applications

By 2013 analysts are expecting mobile app downloads to increase from 30.1 billion in 2011 to 200.0 billion in 2016. Our shopping habits, the way we socialize, find information, consume news and even bank have all been challenged by the mobile internet, with apps being created for just about everything. According to Borland, a Micro Focus company, pressure is being put on departments outside of IT, such as marketing and sales, to develop and deliver mobile apps to meet rising end user demands and expectations. However, these ‘non-developers’ often bypass or cut vital time from critical testing phases in order to hit delivery deadlines or simply because they are unaware of the associated risks.

“If you are building an app that is the window into your business, it’s imperative that it is regularly tested,” said Chris Livesey, Vice President, Application Management and Quality, Borland. “The application may be highly creative and deliver a mind-blowing user interface, but if it’s incomplete, broken or slow it will put off existing and potential customers from returning. No one wants an app or website that falls at the first hurdle.”

Continuing, Livesey said: “Functional and performance testing of native and web-based mobile apps is critical but it doesn’t have to add a huge amount of time to the development process. Automated testing specifically designed for mobile apps is the key. It ensures any potential issues are identified early and can be rectified, minimising the risk of failure that can cost time and money.”

Borland provides five top tips for non-developers delivering mobile apps today:

1. Testing time: fixing time. Often so much work goes into perfecting the application that time set aside for testing is often squeezed down, which is not a good plan. That testing time is the time you set aside to fix the application and perfect its user experience. Testing is not productive - fixing things is.
2. Performance: it’s not all about the app. Most defects occurring in apps are related to the residual-data conditions, connectivity or physical memory conditions of the device. For example, it’s common that a device with lots of free memory will not reproduce a defect found on one with low available memory. Exercising the app through the testing of its functional use cases makes sense, but make sure the physical conditions of the app and device are also included.
3. Work out early what you can afford not to test. Although reliability is obviously very important, testing everything every time you change anything, and on every device, is going to be too painful and time consuming - you shouldn’t even try. If it is transactional, has high traffic, or is your shop window – make sure that works, all the time, on all popular devices. Time spent prioritizing on the goal pages is the best investment you can make.
4. Reusable tests and automation save time and money. Test automation can help, as you are able to record once and replay the test many times, which increases your coverage but not your working hours.
5. Look to your analytics to improve quality. Inspecting a site’s analytics gives a unique insight into what the real usage is, and so gives you a head-start in understanding what really needs to work. Not only that, but analytics will also help you determine how you test the evolving site over time.

Global Tracker: Dip in PC sales

High inflation pushed down sales of desktops and laptops by 5.9 per cent to nearly 2.9 million units in Q3 of 2012. Source: Gartner




GSMA: Mobile penetration in India only 26%

There are about 380 mobile users in the country

Actual mobile phone users in India are around 26 percent of the total population, a study by global telecom body GSM Association (GSMA) has said. GSMA Director General Anne Bouverot said that on average, each user has 2 SIMs and in terms of unique number of subscribers, there are about 380 million actual users, about 26 percent of the total population.

According to the data released by Telecom Regulatory Authority of India for the month of October, out of the total 904.32 million wireless subscribers in the country, 703.92 million were active connections. The teledensity, based on total number of mobile connections, has reached 74.21, according to Trai. Bouverot said that GSMA sees India as the second largest market in the world in terms of mobile connections. “Figure we have in our research is around 906 million connections. These 906 million connections correspond to about 71 percent of the population. But, if you look at unique subscribers, in India we find that on average people have 2.2 SIMs per person,” Bouverot said. The world-wide average SIM (mobile connection) per person is 1.85 which shows that only 45 percent of the world population are actual mobile users. According to GSMA research, by the end of 2012 total mobile connections globally will stand at 6.8 billion. “If I look at worldwide number, the message that I have been passing over past few months is that there is lower mobile penetration than what we thought. Worldwide it's about 45 percent of the population. But in India it's actually even more exacerbated,” she said. According to the study, the total number of mobile subscribers globally will stand at 3.2 billion by end of 2012, growing to 4 billion within the next five years. GSMA has found that global penetration based on total connections is set to exceed 100 percent in 2013. Bouverot said that people in India are very savvy and they will look at offers and promotion.

Fact ticker

Ericsson sues Samsung for patent infringement

The latter is looking into the report

Ericsson, the world's biggest telecom network equipment maker, said on Tuesday it had filed a suit in the United States against Samsung Electronics Co for patent infringement. Sweden's Ericsson said in a statement it had sued after Samsung had not renewed a license to use unspecified technology on the same terms - called the Fair, Reasonable and Non-Discriminatory (FRAND) terms - that competitors have previously accepted. "The dispute concerns both Ericsson's patented technology that is essential to several telecommunications and networking standards used by Samsung's products as well as other of Ericsson's patented inventions that are frequently implemented in wireless and consumer electronics products," it said. A Samsung spokeswoman said the South Korean company, the world's largest cell phone and television maker, was looking into the report and had no immediate comment. An Ericsson spokesman declined to comment on the size of the lawsuit. Ericsson's intellectual property right net revenues amounted to 6.2 billion Swedish crowns in 2011. The complaint is filed in the District Court for the Eastern District of Texas.

Cloud

Sify Technologies Limited, a Managed Enterprise, Network and ICT Service provider in India with growing global delivery capabilities, announced its entry into the HP Cloud Agile Partner Program to build cloud agile solutions. As a CloudAgile partner, Sify will be able to broaden its customized enterprise class cloud services to meet their customer’s needs. Sify’s pay-per-use model for the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) services will now find greater acceptance among the cost-sensitive and performance-focused customers. HP’s converged Infrastructure is powered by the industry leading HP CloudSystem Matrix and allows Sify to reduce the total cost of ownership of customers by provisioning infrastructure and applications across physical and virtual environments with the least turnaround time. Sify will also have access to HP’s network of channel partners, sales and marketing support to help drive uptake of its cloud solutions in India. Packaged software, server, and storage offerings will be through the public cloud model. Commenting on the partnership, Mr. Kamal Nath, CEO, Sify Technologies, said, “In the course of building critical volume in the Data center business, Sify had ensured that our Enterprise clients got the best of both worlds; Technology and Applications.”




Smart Cities India is investing heavily in urban infrastructure


D h a mo da r a n R a m a k r i s h n a n

A Question of answers

Dhamodaran Ramakrishnan | IBM India/South Asia

Transforming cities to be sustainable

In a conversation with CTO Forum, Dhamodaran Ramakrishnan, Director, Smarter Planet Solutions, IBM India/South Asia, talks about how IBM is planning to transform cities in India by providing ‘smarter cities strategy’ What is this Smarter City initiative from IBM? A smarter city is one that uses technology to transform its core systems and optimise the return from largely finite resources. By using resources in a smarter way, it will also boost innovation, a key factor underpinning competitiveness and economic growth. Investment in smarter systems is also a source of sustainable employment. Smart use of technology can go a long way in transforming a city’s core systems. It can help create an efficient transport management system, improve healthcare, energy, public safety, education, transportation, water and develop a robust communication network to connect all businesses, people and systems. With over 2,500

smarter city projects IBM is helping cities around the world transform into sustainable cites. For instance, the City of Rio de Janeiro automated alerts of changes in flood and landslide forecast to reduce reaction times in emergencies. What kind of growth opportunities do you foresee in India? With major growth opportunities ahead, cities in India and other emerging markets are heavily investing in urban infrastructure giving them the potential to leap-frog ahead of others. India is undergoing a massive urban transformation. By 2030, the urban areas will be home to 40 percent of the country’s people – doubling the urban population within a span of 30 years. Every minute

during the next 20 years, 30 Indians will leave rural India for urban areas. At this rate, India will need some 500 new cities in the next two decades. By 2050, it is estimated that urban population will constitute nearly half of the total population in India. India’s growing economy is placing huge demands on critical infrastructure — power, roads, railways, ports, transportation systems, healthcare, water supply and sanitation. Some estimates indicate that while the government has raised its investments in infrastructure, the investment gap remains daunting with an estimated $1 trillion required to meet the country’s resource needs over the next five years. And, some of the key areas of investment will be in smart grid,

The Chief Technology Officer Forum

cto forum 07 December 2012

15


A Question of answers

D h a mo da r a n R a m a k r i s h n a n

water management, transportation, emergency services and city operations. This significant investment in urban infrastructure also represents and opportunity to consider how these systems interact with each other and design them in a smarter, more efficient manner. What kind of challenges the Indian cities face today? As mentioned earlier, India will need some 500 new cities in the next two decades. The smarter they become, the better for humanity. A smarter city is one that uses technology to transform its core systems and optimise the return from largely finite resources. By using resources in a smarter way, it will also boost innovation, a key factor underpinning competitiveness and economic growth. Investment in smarter systems is also a source of sustainable employment. More than half of the people on Earth live in cities, and urban populations are projected to double by mid-century. Smart use of technology can go a long way in transforming a city’s core systems. It can help create an efficient transport management system, improve healthcare facilities and develop a robust communication network to connect all businesses, people and systems. Smart systems can also provide an efficient mechanism to control and manage the use of fast-depleting resources such as water, land and energy. By using finite resources in a smarter way, cities can boost innovation and productivity, thus achieving greater competitiveness. Cities built on smarter systems would be better equipped to survive and prosper in the new environment. How can Indian cities serve as platforms of innovation? As cities grow in both numbers and population, they are taking their place on the world’s center stage, with more economic, political and technological power than


ever before. Economically, they are becoming the hubs of a globally integrated, services-based society. Every city is unique, but their leaders face many similar challenges — most of which call for exceptional creativity and innovation to resolve. Cities are perfect for promoting change, and renewable energies. Cities can serve as innovation platforms, creating clusters of business around green energy. Driving sustainable growth and prosperity through the strategic use of technology recognises the challenges that city leaders face. Proven solutions and new technologies for data management and resource coordination can help transform city systems to make best use of funds and talent. The demands of keeping cities viable for their inhabitants can be less daunting when working with the right tools and innovative ideas. To sail smart towards a brighter future cities need to cultivate a thriving academic and innovative culture, a critical mass of industry-specific skills and learning, vibrant cultural institutions and communities and fluid conduits through which knowledge flows across all these communities. This in turn will lead to evolving cities that possess the right mix of diverse talent and have a powerful source of competitive advantage as they are often difficult to replicate.

Things I Believe In: Cities can serve as innovation platforms, creating clusters of business around green energy. Over 2,500 city projects leverage on IBM to help them transform into 21st century cities. India will need 500 new cities in the next two decades.

What are the various IBM solutions for better outcomes in smarter cities?
We believe in adopting a holistic, collaborative, proactive, engagement-driven approach in evolving smarter cities and enabling citizen-centric services through the use of sophisticated technologies. This includes smarter buildings (schools, hospitals, homes, office and plants and energy, water, waste, emissions management), smarter public safety (emergency response and communications, digital video surveillance, crime analytics), smarter water management (water infrastructure management, resource planning optimisation), smarter government services (social services, citizen and business interaction and case management, visit optimisation), smarter transportation (road user charging, congestion pricing and integrated fare management, traffic prediction), smarter energy management (smart grid, electric vehicles, renewable energy and intelligent utility network communications and security), and smarter cities — operations center (improved services, operations, safety, sustainability, incident management, domain correlation and emergency response, citizen dashboards).

Could you share some real-life example of IBM’s smarter cities initiative?
While there are scores of examples, one such instance in the public safety is IBM helping the city of Chicago to fight crime by digitising their law enforcement practices and deploying smarter video systems. Even testing a system that uses audio sensors to direct cameras to locate gunshots, determine the caliber of gun fired and pinpoint its exact location — long before 9-1-1 is dialed. In the transportation aspect IBM is working with Brisbane, London, Singapore and Stockholm to deploy smarter traffic systems. Many other cities have active bids to do the same. Stockholm has seen approximately 20 percent less traffic, a 12 percent drop in emissions and a reported 40,000 additional daily users of public transportation. When it comes to smart energy IBM leads most of the smart meter deployments globally, building intelligence into utilities to lower costs for customers and better balance the grid. Likewise, Enemalta and Water Services Corporation have partnered with IBM to help Malta become the first country in the world to build a nationwide smart grid and a fully integrated electricity and water system.
Another classic success story is the City Operations Center at the City of Rio, with infrastructure, technology, and processes to manage emergency events as well as day-to-day incidents. Key components include an incident management system and a weather/flood prediction system.


How is IBM enabling this smarter transformation for cities across the world?
Over 2,500 city projects leverage on IBM to help them transform into 21st century cities. Consider this: smart metering in Malta helps citizens pay only for the energy they use. Predictive analytics helped slash Richmond’s crime rate by 40 percent in one year. In Taiwan, 99 percent of smarter trains run on time. Data analytics helped cut crime 35 percent in NYC. In downtown Stockholm smart traffic systems helped reduce gridlock by 20 percent. Amsterdam Airport Schiphol moves 20 million more bags every year with a smarter baggage system. Peak energy loads fell by 15 percent when IBM helped homes in the Pacific Northwest talk straight to the grid. These are all real stories, driven by the power of sophisticated analytics. Underneath this runs a complex pattern of insights leveraging discreet flow of information, anticipating problems, coordinating resources like a cognitive system of a living organism.

For almost two decades IBM has owned the largest number of patents. What is the secret sauce of your innovation leadership?
At IBM, we have over a century old legacy of adding value to business and society as a leading global innovator. IBM’s innovation leadership stems from the company’s long-term commitment to development and bold, exploratory research, and a collaborative approach with ecosystem which fosters cross pollination of ideas. IBM spends approximately $6 billion in R&D annually. Patent leadership is an important element of our high-value business strategy, which is focused on enabling instrumented, interconnected, intelligent infrastructures that can change how systems of all kinds work to support a smarter planet. IBM topped the list of the world’s most inventive companies for 19 consecutive years as our inventors earned a record 6,180 US patents in 2011, more than quadrupling Hewlett-Packard’s issuances and exceeding the combined issuances of Apple, Amazon, Google, EMC, Hewlett-Packard, Microsoft and Oracle/Sun. We are a leader in the open source movement and are engaged with clients around the world to transform their businesses through the application of smart information technologies.

How do you plan to drive your smarter planet agenda in India?
Over the past several years, IBM has been making significant investments in emerging markets including India, Africa and Brazil among others. These investments are paying off as we remain focused on developing smart citizen-centric solutions for specific industries, including government. The goal is to create groundbreaking applications and platforms that would help businesses and industries thrive. Take, for example, the potential of the spoken web. People can create voice sites using a simple telephone, mobile or landline. The user gets a unique phone number which is analogous to a URL and when other users access this voice site they get to hear the content uploaded there. Interestingly, all these voice sites can be interlinked creating a massive network, which can work like the World Wide Web.
We have successfully collaborated with several government bodies in India to drive many citizen-centric projects over the years and will continue to add value to the business, society and the planet.



Best of Breed

Features Inside: CIOs Struggle With Relevance of Business; Innovation: It is All About Culture

illustration by raj verma

6 Ways to Bring Down Your Firm

Success of a firm depends on its employees but the demise of a firm depends on only one employee

By Pete Herzog

So you want to bring down the company where you work? Excellent! I just happened to take ten minutes to write out what I think are some truly great and sneaky ways! Anyone knows that the success of a company depends on its employees, but few know that the utter demise of a company depends on only one employee. That’s right! Thanks to the speed of the electron, you can use the Internet to hastily end your place of employment. The Internet really has changed everything! Let’s not delay and start right now with #6!

6. Use business assets for personal gain. Remember when it was just “another day, another box of pens?” Well today with company phones, company Internet access, and company computing systems, you can fast-forward through what used to be a long, slow, drawn-out process of near-embezzlement (remember, whatever isn’t expressly forbidden in the company policy can’t be punishable by company policy!). Use your corporate e-mail address and password also in your Gmail and Ymail accounts so you don’t forget them, Amazon, eBay, and other shopping sites, as well as any gaming or hobby sites that require a registration or login. And while you’re at it, use your office phone number or mobile number in your contact info because do you really want anyone to bug you while you’re home?! And if you’re a movie or music lover, more than likely you can download the latest torrents much faster at work than at home. The bonus is that if you have a company laptop or tablet, you can load it there straight-away for quick and easy viewing when you need to go off-site for a meeting. Finally, if there are programmes you want to try before you *buy* then it’s not worth cluttering up your home PC with such things. Especially if something goes wrong, you can always wipe out the hard-drive of your work computer and take it back to IT support and tell them it just doesn’t work. The point is that eventually, the right criminal or right competitor or right lawyer will happen across your info and fast-track you to bringing down your place of work from your online activities!

5. Be stubborn. You got enough to do at work to have to learn new things. Do you use a different e-mail client or web browser at home that you’re more familiar with and more comfortable with? Then install it and use it! Same with word processing, video viewing, spreadsheets, and so on. If they expect you to be productive then you should be efficient and there’s no better way than to use what you know best. If they try to install software like anti-malware, automatic patching, “personal” firewall, or any of that crap you don’t have at home because it slows down your system, then there’s no reason to let it stay on your work computers. If it’s locked on there, just search the web for ways to re-boot your computer to wipe out the root or administrative password so you have more control. And the best thing about having the administrator or root account is raw speed. You can do what you need to do without all those user rules eating up CPU cycles. You’ll install the right things that are either unsupportable by the IT staff or will be already malware infested and you’ve left a door open for a cyber-attack!

4. Be selfish. You already know that nobody climbs up the corporate ladder without having to climb over the backs of your colleagues but did you know that the people whose backs get stepped on are the ones who share their information with others?
Businesses try whatever they can to get you to save your files on the corporate LAN and while they say it’s to have a safe back-up the truth is they do this to keep track of how productive you are and to steal your work for their own gain. Yes, your managers only stay your managers by presenting your work as their own. So the best thing to do is to keep it away from those who can hurt you the most. One way to do this is to e-mail your files and any data you need to use for your work to your own personal e-mail account. Or give your stuff strange names and use off-site file-sharing sites and P2P to have out there in the cloud and available for you at home. And none of your colleagues will know what it is by the strange file names if they happen across it. Finally, one sure thing to do is to keep all your files on your USB key and store it at home on your own PC or go to the library or an Internet cafe to work on the files if you need complete privacy. Sure you need to worry that the key might get stolen but only if it’s stolen by a fellow employee who will use it to get ahead on your ideas. One final bit of advice, don’t just stop with your own files; move whatever those other idiots “save” to the corporate LAN too because well, if they don’t have them then they can’t use them to one-up you! So remember, by being selfish you’re making sure that nobody from the office has access to your files or even their files. The bright, unicorny side of the rainbow is that eventually, some enterprising criminal hacker or your company’s competitor may find the files and do the messy work of bringing down your company for you.

3. Be a workaholic! Take on as much as they let you and pull all-nighters at your desk. Grab responsibility like an addict grabs free needles! Screw lunch breaks! Coffee is the fifth food group! The more you do, the more decisions you get to make. Studies show that our willpower is affected by the amount of strain that gets put on it during the day and your willpower is what lets you analyze your decision responses when taking risks. And it’s that willpower that gets in your way from being efficient. With that out of the way, you can take risks that you normally wouldn’t take and who can blame you because you’re so damn busy?! Nobody, that’s who! You think sleep-deprived soldiers who kill their own platoon brothers during moments of intense combat stress get blamed? Of course not! That’s why it’s called FRIENDLY fire. You see, commanders are aware that these things happen when you’re working your hardest to be the most for your company. So nobody can possibly expect that you’re really doing this to bring down your company. It’s that sneaky!

2. Be risk-proof! By adopting a “can’t happen to me” attitude you will gain the adoration of executive management as a hard-edged player who’s not afraid of anything. (Warning though, if you’re female, depending how you approach this they’ll either take assertiveness as bitc*iness or sluttiness but either way they’ll be eating out of your hand.) And while your colleagues are home trying to figure out how to be as cool as you are, you’re breaking corporate rules and flouting policy like a kick-ass TV cop. You want to use your own iPhone instead of the business one because it’s cooler to access corporate e-mail or carry corporate data, then do it! If you want to start using the newest iPad at work to show off a presentation at meetings then do it! If you want to use cool apps you found at the app store to do your work then do it! As a corporate hero I’m sure you’ve embraced the cloud by now in a way that’s so hot you left it face down on the mattress while you smoke a cigarette and adjust your cowboy hat. The fact is there’s no need to excuse “cool!” And if those whiny corporate nerds complain to upper management about your style hurting corporate security, they’ll only get their collective asses handed to them as the directives come down to change policy for executives so they can all be more like you. So while management is at the office trying to be like you, these third-party apps, cloud services, and hardware are leaking confidential info out of the company like blood out of a machete-severed artery.

1. Be curious and impulsive. You may have heard that curiosity killed the cat but really it’s only the dorky ones. The cool cats can be as curious as they want and act on it without a second thought. You get an attachment in an email from somebody you don’t know? Check it out! Is there a new song people are talking about at the water cooler? Then download the whole album. You want to know if you got any new likes to your status update in Facebook? Then check. And while you’re there, if you happen to see a cool game or app that your friends like, why should you be the only one who hasn’t had a chance to try it? You want to see secret corporate files from the bar while you’re out having drinks with a client? Then do it. Use your home computer or i-device or even an airport computer terminal if you have to. Don’t give it a second thought. Nobody can blame you for just being curious. If somebody sent it to you then you should see it. It’s the security team’s job to keep the corporate computers and devices safe, not yours. That’s why they install anti-virus software on your computer that you can’t remove and all that other “auditing” crap so that you can do what you’ve just gotta do. Remember, curiosity is not a crime. It keeps you in-the-know which is both productive and efficient. And while management is patting you on the back for being the shining company star for always being able to be on top of things, they don’t see how you keep leaving the corporate network door open so the rodents can get in. How’s that for sneaky?!

Hopefully this article gave you some ideas on how you can quickly put yourself out of a job using the Internet. If you’re careful and a little lucky, you won’t end up in jail either! At the very least, this article has shown some of you that even doing things that may be considered good for an office is not necessarily good for the security of your firm. For some really good, practical information on how to protect your business from the devices of both careless and superstar employees, check out ISECOM, a non-profit security research organisation.

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please visit Infosec Island.

6% decline in the Indian PC market in Q3 of 2012

CIOs Struggle With Relevance of Business

The successful CIOs of the future are going to need to create and define their own job descriptions

Illustration by photos.com

At the 2012 Chief Information Officer Leadership Forum, CIOs from across the business spectrum debated not only the future role of the CIO, but whether the position would continue to exist. That’s not to say someone doesn’t need to manage IT, it’s just that IT is becoming so embedded as to be indistinguishable from the business process. To make matters even more troubling for CIOs, in the wake of the consumerization of IT and increased reliance on external “Shadow IT” services, business units now regularly do end runs around the IT department, which is making it increasingly difficult for CIOs to stay relevant.

“The role of the CIO is going to vanish in the next few years,” says Yuvi Kochar, chief technology officer for the Washington Post Co. “We really need to change because no one is satisfied with IT; the business is frustrated.”

“The traditional role of the CIO has to go away,” concurs Joseph Spagnoletti, CIO for Campbell Soup Company. “We need to take a more consultative approach.”

However, while everyone agrees there is a chronic need for change, no one seems to agree on just what exact form these changes should take. CIOs have long been criticised for focusing too much on infrastructure rather than on information. Cases are regularly being made for the IT organisation to become the steward of all information across the enterprise.

“The real goal should be to improve the use of information,” says Saad Ayub, CIO of Scholastic, Inc. “You need to understand the difference between demand management and demand creation. That’s why we look for people that have had experience working as a consultant to the business.”

However, not every CIO thinks it’s that simple.

“As soon as the CIO becomes in charge of information, you lose,” says Campbell’s Spagnoletti. “You need to think like an investor in your company, which means focusing more on the business outcome.” That means, says Spagnoletti, spending less time worrying about who controls the data and more time on helping users derive business value from it.

“It’s about being the conductor, not the gatekeeper,” says Spagnoletti. “IT needs to be judged by the business outcome you get, not what you do. Only then are business executives going to treat you like a peer.” Unfortunately, because not enough IT people understand that requirement, too many IT people wind up developing a victim mentality, says Spagnoletti. Worse yet, he says, many IT organizations end up investing in technologies that, from a business perspective, never attain a real return on the initial investment.

In fact, as the CIO role continues to transform, IT leaders may find it easier to find a seat at the executive committee, provided they act like they belong there. That means not focusing on aligning IT to the business, but rather helping define the company’s vision and values.

“The trouble with the concept of aligning IT to the business is that it assumes IT is subservient to the business,” says Nick Colisto, CIO of Hovnanian Enterprises, a nationwide home builder and author of “The CIO Playbook.” According to Colisto, IT leaders need to create a plan that gains them a seat at the executive management table, not the least of which is building business cases that promote the value of IT to the rest of the business. “Don’t look at business executives as customers, see them as equals,” says Colisto.

The goal, says Scholastic’s Ayub, is to reach a point where IT is being used to transform the company’s business model.

In most instances, that means coming up with new products and services that drive revenue. “A lot of the time that means becoming part of the sales team to help explain how those products work,” says Ayub. “The challenge is that there’s no mechanism in place in most organisations to allow that kind of business innovation to occur.”

In the case of Rob Hilliard, CTO for Reader’s Digest, that means spending more time working outside the IT department. “I now spend most of my time working with the marketing department to advance the ideas we came up with in IT,” says Hilliard.

Ultimately, the successful CIOs of the future are going to need to create and define their own job descriptions. The only certainty is that as time goes on that role is becoming increasingly critical to the business, regardless of whether the job is still identified as the CIO’s or not.

—This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.

$12bn global server revenue in Q3 of 2012

The Chief Technology Officer Forum

cto forum 07 December 2012

23



Innovation: It is All About Culture

Much of the focus on innovation is about who should be involved and what the process should look like, but the important factor is organisational culture

By Larry Bonfante


Illustration by anil t

Innovation has become one of the hottest buzzwords in industry. We all recognise the need to find new and creative solutions to challenges as well as creating new offerings to compete in our markets. Much of the focus on innovation is about who should be involved and what the process should look like. While these are important variables, I feel the most important factor is organisational culture.

Many companies that espouse the need for innovation wrongly function under what I refer to as a “culture of blame.” In a difficult economic environment, missteps can be costly. Many employees are afraid of making mistakes for fear of retribution. However, innovation by its nature requires risk taking. You have to try things that haven’t been tried before. The risk for “failure” is high. However, it all depends on how you define failure. Learning from a new approach and being able to leverage these lessons to fine-tune the next iteration is not failure, it’s education! Having the audacity to think outside the proverbial box even if the first effort didn’t hit the mark creates an environment of creativity. Very few inventors get it “right” the first time. You need the time, space and freedom to tinker, modify and improve your approach.

Another major challenge in corporate life today is employees who are not fully engaged. We’ve all seen people who check their souls at the door before they reach work! The key to engagement is not to brainwash people into doing what you want them to do. Rather, it’s finding people’s natural talents and interests and finding ways to allow them to flex those muscles. I also find it painful to watch people who are square pegs being forced to fit into round holes. Engagement is about understanding what makes individuals tick and giving them opportunities to express themselves in the workplace. If you have employees who are naturally good communicators, put them into customer-facing roles. If you have staff members who are brilliant technologists, empower them to architect new solutions.

A fully engaged workforce looks forward to coming to work because they get to do things they enjoy doing and are competent at. If your team isn’t innovating or engaged, maybe it’s not the people. Maybe it’s the culture they’re working in!

—Larry Bonfante is CIO of the United States Tennis Association and founder of CIO Bench Coach, LLC, an executive coaching practice for IT executives. He is also author of Lessons in IT Transformation, published by John Wiley & Sons.

—This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.




Mandate for 2013

By Akhilesh Shukla Design By Shokeen Saifi | Imaging By Peterson PJ

Despite various rating agencies lowering India’s growth forecast for 2013, the fact is that few countries in the world would match India’s growth. Therefore, it doesn’t come as a surprise that Indian CIOs are bullish in their outlook for the next year. Enterprise technology leaders are in the process of chalking out innovative strategies to scale up their existing IT infrastructure and are all set to make the most of new emerging technologies in 2013. According to research firm Ovum, 2013 will be a year of contradictions. CIOs are likely to be rewarded in 2013 if they take extra care in balancing competing requirements.


Adaptability: The Key to Success in 2013

With world markets being sluggish, it will still be a good time to do favourable deals with multinational suppliers. However, increased price consciousness across Asia will benefit CIOs only if they can successfully use technology to deliver on promised outcomes. The year 2013 is likely to be a year of change, and CIOs will need to show they have the right stuff to make these changes happen. This will not be a time for failed projects or budget overruns, says Ovum. Skills shortages are likely to grow across the region as world ICT continues to pick up. Key staff attraction and retention are likely to be important issues for ICT managers in Asia.

According to Ovum, the writing is on the wall for CIO senior executives. Technically-minded CIOs are fast headed for the endangered species list. CIOs will still need to have a practical understanding of all aspects of technology; however, emerging technologies such as cloud computing and BYOD will continue to chip away at IT as a technical service provider. A CIO’s most important attribute in 2013 is likely to be adaptability. CIOs will need to be able to quickly morph from technology evangelist, to business leader, and then back to technology again, without drawing breath.

CIOs are expected to align IT infrastructure with business and marketing strategy. The management is willing to give CIOs a go-ahead to make fresh investment where they find value and a strong return on the investment (RoI). The value could be in the form of a better service experience for internal and external audiences, translating into business. “Organisations continue to make fresh and additional investment where they see value and good return. A CIO has to show the value of the investment to get approvals for fresh budgets,” says Umesh Mehta, Sr. VP & CIO - India at Jubilant Life Sciences. Mehta is expecting an increase of around 20 percent in IT budget for the new year and has some ambitious plans of scaling up IT infrastructure. Jubilant Life Sciences is building a shared services centre in Greater Noida in the next year. The center will provide HR, accounts and administrative services to the three divisions of Jubilant Group.

Research firm Gartner also predicted a similar sentiment. According to it, IT spending in Asia Pacific, including India, is to reach $743 bn in the year 2013, an increase of 7.8 percent over the year 2012. Interestingly, the growth in IT spend in Asia-Pacific is higher than the worldwide growth forecast of 3.8 percent. IT spend will grow in all five major segments including devices, data centers, software, IT services and telecom services. The device segment, including PCs, tablets, mobile phones and printers, is expected to grow by 12.3 percent. Spend on data center systems is expected to grow by 9.5 percent to reach $28.6 billion. Enterprises are expected to spend $33.9 billion on software, up by 11.9 percent from 2012. Similarly, IT and telecom services spending will grow by 7.5 percent and 4.8 percent, respectively, from 2012. Below are the most relevant and top-of-mind technologies for CIOs in 2013.

“Organisations continue to make fresh investment where they see value and good return. A CIO has to show the value of the investment to get approvals for fresh budgets” —Umesh Mehta, CIO, Jubilant Life Sciences Ltd

“We will continue to adopt newer technologies to help our customers. Scaling up cloud computing in the new year is on top of our agenda” —Muralidharan Ramachandran, Chief Information Officer, Syntel

Business Intelligence (BI) and Analytics

One technology that CIOs are really excited about in the new year, and have high up on their priority list, is BI and analytics. Research firm Nucleus predicts that BI adoption will double in the year 2013. Non-expert analytics users and lower-cost options including cloud and software-as-a-service (SaaS) will drive the technology. On the other hand, vendors’ efforts to make BI available to users and broader adoption will act as a catalyst. The primary value that CIOs are looking for from the adoption of BI and analytics is the ability to translate statistical analysis into business decisions. “We are today sitting on huge data loads. The need is to filter these data and translate the information into improving and developing products and services,” says Daya Prakash, CIO, LG Electronics. LG has developed consumer durable products after analysing the information flow on its social media platform.

However, the biggest and foremost challenge in the adoption of BI and analytics tools will be to align them with business strategy and achieve the desired objectives. Enterprises often develop reports or applications on the basis of some interesting findings, but most of the time they do not facilitate business performance. “Predicting consumer behaviour will continue to remain a challenge, despite all the intelligence and flow of information,” laments Prakash.

Mobility

The year 2011-12 saw the availability of information on the mobile platform. In the year 2013, people would like to make transactions and will demand business applications on handheld devices so that they can work while on the move as well. The usability gap between smartphones, laptops and tablets will continue to shrink. Gartner predicts that by the year 2013 mobile phones will overtake PCs as the most common web-access device worldwide. Smartphones will capture 80 percent of the market share by 2015. Media tablets’ shipments will reach around 50 percent of those of laptops.

The mobility trend is driven primarily by employees’ desire to use their choice of handheld devices at the workplace. CIOs, of late, have started recognising that employee satisfaction and retention are the key benefits of BYOD adoption and are building business cases around cost savings rather than productivity gains. No doubt this growing consumerisation of devices and BYOD adoption will force enterprises to support a greater variety of form factors at the workplace and to enable enterprise applications on handheld devices. Consumers, both internal and external, will demand a similar experience and ease of use on these devices. “At Jubilant, we have already started having policies to support approved employee-owned devices. Though support is limited to certain applications, areas and roles within the organisation. In the new year we will adopt BYOD on the large platform and for a bigger set of consumers,” revealed Mehta.

According to Ovum, mobile technologies will become a key enabler but only if they can be made to deliver business value. A 2012 World Bank report pointed to the significant impact mobile is already having in bridging the digital divide in developing nations. Developing countries in Asia will continue to benefit from the relentless march of mobile technologies. In more developed countries, mobile devices have already captured the imagination of managers across all parts of the enterprise. However, it would be a mistake to believe that change begins and ends with the device. Device-focused mobile services will inevitably morph into a new wave of technology-enabled innovation. In earlier times, the desktop PC enabled the disappearance of typing pools and other restrictive work practices. Mobile will be no different. It is unreasonable to expect that the latest generation of mobile technology will be any less disruptive. Indeed, 2013 will see the beginning of a shift away from a simple device focus, and into bigger change agendas aimed at service delivery reform and workplace reform.

Cloud

As cloud offerings mature, CIOs will continue to adopt cloud services for faster expansion and cost saving. But cloud is not just about cost savings. Gartner says that 90 percent of cloud services are still on subscription, not on pay-per-use. CIOs are moving to the cloud as they are attracted by its new capabilities for designing applications and for providing more resilience by making architecture failure a design concept. Further, cloud computing is the carrier of three major IT trends: mobile, social media and Big Data. While mobile is the personal cloud, social media is only possible via cloud, and Big Data is the killer app for the cloud. “We will continue to adopt newer technologies to help our customer. Scaling up cloud computing in the new year is on top of our agenda,” says Muralidharan Ramachandran, Chief Information Officer, Syntel Ltd.

Security of the cloud is still haunting CIOs. The organisations that have adopted cloud are hosting their non-critical business applications on the cloud platform. They do not trust cloud for their critical business applications. They are still running all critical applications from captive data centers. The trend will continue to remain the same. However, adoption will continue to happen in the year 2013.

Social Media

During 2012, enterprise social networking was in the phase of adoption. The industry estimates that around 10 percent of organisations in established IT markets had deployed or subscribed to enterprise social media tools effectively. Adopting social media had become a necessity due to its growing penetration among consumers. Even mobile devices were increasingly being used to access the social networks, extending the use case for such solutions to large audiences. Some organisations, like Tulip Telecom, have developed their own social media platform to reap the benefit. Tulip’s social media platform, Grey Gambit, helped them to communicate effectively with their community and possible clients. At the same time it made them understand the needs of consumers in order to develop and innovate newer products and technologies. Organisations in consumer products and services continue to harness existing social media, including Facebook and Twitter. “Social media has become our eyes and ears. It helps us to get quick feedback on products and services from the market. We get to know the kind of features people are looking for in the products. We have even developed two of our consumer durables products after getting feedback from the social network,” says Prakash.

However, CIOs should not be carried away by the hype surrounding these technologies. They should not blindly follow what their peers are implementing. The need of the hour is to identify the right technology for their enterprise that fits perfectly into their business strategy. “New adoption will not be appreciated, if it does not affect business positively,” concluded Ramachandran.



“Business Intelligence tops the priority list of enterprises”

Biswajeet Mahapatra, Research Director, Gartner, in an interview to Akhilesh Shukla says that CIOs are looking forward to adopting BI, Mobility and Cloud for their enterprises in 2013

Which technologies would be on top of the mind of CIOs in 2013?

As per our survey there are three key technologies, Business Intelligence (BI), Mobility and Cloud, that are on top of the priority list of CIOs for the new year. There was a lot of hype around cloud last year and we saw large-scale adoptions. But for the new year, cloud has moved to number three in the priority list of CIOs. BI tops the implementation chart in enterprises. Management today wants to use the information available with it to improve products and services. Mobility will gain a bigger and better role at the workplace. Transactions and applications would be developed for hand-held devices leading to mobile enablement of lots of services. Consolidation of IT infrastructure will continue to happen and so would migration.

Why do you feel these technologies would be important?

The aim of every business is to make profit. The only way to make profit is to have the right kind of products and the technologies to deliver them. Business Intelligence will help organisations to understand their customers’ mindset, leading to newer innovations and improvement of products and services. BI's significance in improving business has made organisations and CIOs excited about the technology. Similarly, more and more of the workforce is getting mobile these days. People can access information on the phone; now they want to do more on these devices. They will demand more functionality and usability while on the move. We saw a lot of banking applications on phones, as there was a demand to make transactions on the handheld. We expect to see more enterprise applications for the mobile platform in the new year. Even entertainment devices like tablets would be used by enterprises at the workplace. Similar to last year, cloud will continue to be one of the key priorities for enterprises as it helps them to save cost and have fast go-to-market strategies. But the core applications will continue to be hosted at the captive data center. Only non-core applications will be moved to the cloud.

How do you see IT budget for large and medium size enterprises changing in FY 2013-14?

The economic doom is bound to have an impact on the IT budgets of organisations. The budgets will either remain flat or will see a marginal increase. A large part of the IT budget will go into operational expenditure. We will see a relatively small portion of funds used in capital investment for newer projects. CIOs would be under pressure to cut the operational cost. As the election year is round the corner, we would not see any major decision on economic reforms to improve the economic scenario of the country. As a result, the budget will continue to remain the same till the new government formation happens and some major decisions are taken to turn around the economy. However, large enterprises could allocate a handsome budget to the IT department. But they would demand value from the newer investments made and existing ones. We will see handsome investment in BI and Mobility, as most of them see a good value.

What would be the most likely mandate for CIOs in the year 2013? Will they focus on expansion or consolidation?

The key mandate for CIOs would be to consolidate the IT infrastructure and reduce the operational costs. We will continue to see consolidation of physical infrastructure and applications. Big expansions are most likely to happen post 2015. Large enterprises for the last few years had been making large investments in IT infrastructure and IT enabled services; now they will demand value out of it. The CIOs are expected to align IT with the business and marketing strategy of the organisation to create a difference and gain market share. Further, CIOs have to develop the required skill sets in-house as organisations, most likely, will put a tab on new hiring.

What would be the key developments or demands that would drive enterprise IT in new year?

We will see large adoption of IT for enablement of services. Business leaders will expect technology to drive products and services. It would hold the key to improving the user experience and ensuring its round-the-clock availability. CIOs have to ensure real time services, for both internal and external audiences. IT is also expected to deliver information to understand consumer mindset and demand. More analytics will be used before making a decision. In short, IT is expected to increase profitability of enterprises. These things will be possible only through a robust IT infrastructure.

What challenges do you foresee in front of CIOs in 2013? How can they overcome them?

In these tough times a CIO has to manage a number of things with limited budget and resources. Cost will continue to be a challenge, despite a CIO having too many things on his plate. He has to manage vendors and ensure economical implementation of the projects with quality. Consolidation of technologies and applications is also assigned to CIOs to reduce cost and process. No doubt the number of projects will increase in the next year. The first thing a CIO should do is to prioritise things in his enterprise and align the IT strategy with business goals. He should focus on technologies which can help in reducing cost and improving productivity. Choosing the right technology holds the key to success for any project and implementation.

How will the IT adoption in India be different from that in the developed countries?

Developed countries are much ahead of India as far as technology adoption is concerned. Technologies are still in a maturing phase in our country. We will take at least two to three years to catch up with them. Developed countries have large-scale adoption of virtualisation, while India is conservative about it. The rate of adoption of social media is again very high among enterprises in Europe and America. India, on the other hand, is still in the phase of adoption, though the quantum of adoption is on the higher side. Social media will grow in the times to come. Besides, connectivity is still a challenge. Public cloud adoption, on the other hand, is not too high in India. We expect that BI will do equally well in India vis-a-vis the western market. India is catching up with consolidation and virtualisation and the momentum is likely to continue.

Tech Trends: BI, Mobility and Cloud will be the three key technologies for 2013

“In these tough times a CIO has to manage a number of things with limited budget. Cost will continue to be a challenge, despite a CIO having too many things on his plate” —Biswajeet Mahapatra, Research Director, Gartner



Striking the Right Balance

Richard Jones, Managing Director, South Asia, Informatica, says that CIOs and CFOs will be working closer to strike the right balance between where to invest and where to spend

At the rate at which technology changes, it is difficult to predict what will happen two years down the line, let alone in 2020. However, there are some indicators highlighting the direction in which the technology world is moving.

In 2013, businesses – many of whom initially plunged into social media without a business purpose – will take a step back as they are not seeing proportionate results. They will now look at what they actually want out of social media and look at different ways to use it to engage with their customers rather than being careless about it.

The hype and buzz around big data will also slow down. However, it will become more accessible to the masses instead of being dependent on a scarce group of data scientists. In this scenario, data quality will start to matter again.

Data will also become borderless – and it will roam everywhere. Data will be present in different applications, inside and outside firewalls, in social networks and the World Wide Web and in enterprise systems, on mobile devices and in mainframes. Technologies are evolving to wrangle this data no matter where it roams.

Shadow IT governance: cloud applications are often adopted by shadow IT in business functions precisely because they’re so easy to use and business doesn’t want IT to slow them down. But as critical data and business processes are now shifting to cloud, IT must find ways to enforce some governance (e.g. providing centralised cloud-based data integration services to cloud apps) without squashing business agility.

Big data and the infrastructure needed to support it will become more consolidated. In order to expedite time to ‘Big Data Value’, IT will lean towards prepackaged solutions that can be plugged in, loaded with data, and ready to present to business users without the added drain on already overstressed resources.

Organisations and departments will continue to seek alternative cloud-based solutions to address business challenges. With its proven value proposition and undeniable economic benefit, IT will be forced to modify and adapt its security policies and enforcement model to support this shift of data moving off premises.

The industry will see an increased adoption of data governance initiatives as enterprises look beyond just technology to solve data inefficiencies. People and processes will become an integrated major theme in 2013 – giving rise to more templatized frameworks for how to effectively implement data governance.

Organisations will increasingly use B2Bi software to create and deliver new business solutions, not just for cost cutting and increasing process efficiency but to capitalise on new business opportunities. As vendors offer software as a service and platform as a service, integration and B2B partner and data management will be core components of these offerings.

Organisations will continue to prioritize cost cutting and IT operations streamlining initiatives. Even though the promise of big data is driving innovation and inspiring new application development, CIOs and CFOs will be working closer together to strike the right balance between where to invest and where to spend less.

Beyond Tech: Enterprises will look beyond just technology to solve data inefficiencies


NEXT HORIZONS


illustration by manav sachdev

Offensive Defense: A Really Bad Idea

Advocating hacking as “defense” is just the cherry on top of a shit sundae

By Scot Terban

Offense: It’s All the Rage!

My Twitter feed was filled with talk of “Offensive Defense”. What I mean by Offensive Defense is the idea that a company has the right and the legal ability to hack back against those who may have attacked them and/or taken their property such as “IP”. Since the advent of companies like Crowdstrike, there has been a din of chatter and a dearth of common sense on this issue. Personally I have determined that as a rule this is a horrible idea filled with epic hubris that if acted upon by companies out there will eventually lead to much more damage to their business than some IP being stolen. I fear that in the end it will unleash a series of cascading events leading to outright lawlessness and vigilantism on the Internet. So, from the discourse that was had on Twitter with Rafal Los to the continuing speculative and vaporware-like cries by Crowdstrike and its founders to this blog post, I hope to once and for all set forth in no uncertain terms that this is a bad idea. This activity should not be an offering by any company as a service and to even float the idea is an exercise in near charlatan-like behavior. The new snake oil my friends is the idea that it’s ok to hack back against those you “perceive” as having hacked you.

Attribution Much?

Firstly, let’s look at the issues of attribution. I have written about this in the past and thought it was pretty clear. Attribution is never 100 percent and never will be unless you can prove in a court of law someone did something. Yes, that’s right, a court of law, kids. The words you are groping for are “Without reasonable doubt”. If you cannot make your case in court what makes you really think you are clear to hack/attack some infrastructure because you think they did something? It’s just one of the most stupid and extralegal ideas I have ever heard and I have heard some whoppers in my time believe me.

Let me put it to you simply. If there is no legal finding of attribution then there is no attribution other than hearsay. It’s as simple as that. You see, if you can prove it in court then you have hopefully had the benefit of proper forensics and findings. What gets everyone’s goat now is that many of these crimes cannot be taken to court because there is no law perhaps against what was done in some cases. In others, it turns out that due to the nature of computing and sometimes the nature of the poorly configured networks out there in use, that there is no evidence to be had to point to anyone doing anything. This is what really sticks in the craws of those who advocate the hacking back. They feel powerless and think that they are some super secret intelligence unit outside of the purview of the law or the government. (looking at you Crowdstrike) *squint* So, a key factor here is attribution that frankly, many times cannot be held up in court. So instead, let’s get a kangaroo court and just have frontier justice huh?

So what makes you more right than say Anonymous here?

On another level, let’s look at the idea that Anonymous has been and is a “vigilante” organisation. Their attribution has been less than sparkling over the years here as well. What makes your company any less the vigilante or like Anonymous for acting upon suppositions that you have and hacking another company? For that matter, hacking company A while in fact it was company B who did the hacking in the first place using company A’s assets? It’s a false assumption that you are actually getting back at the culprits when you perform these types of operations and in fact, you may be committing crimes by hacking back at the wrong infrastructure in the first place.

Of course there is the idea firstly that hacking in and of itself is a crime right? So if you take part in this, pay for this service, partake at all in it, you have already committed a crime by laws on the books. *blink* Do you really think that you are then holding the moral high ground here? What happens when someone hacks your infrastructure because they thought you had hacked them? What recourse do you have then once crossing that threshold into the dark territory of hacking back? The cry from so many companies of late after being hacked by LulzSec and others really is quite pointless if you start taking up the position of deputising yourselves and others to take the law into your own hands. You are no better than those who attacked you to start and yes, you have no legal leverage at all once you do so. It’s flawed logic if any logic is being used at all here.

Are there any returns on investment here?

Let’s say you have decided to engage hackers or some company of them to hack back against someone you think attacked you. What if anything logically do you hope to gain from this? Your data perhaps? Well, data can be copied numerous times in various places and are you in fact sure you got the only point of exfil from the company to start? If you get the data back how do you know that you are the only ones who have it once it’s been in the open? You don’t, and thus what gain is there? Oh sure maybe you can gain some intel on your attacker, their modus operandi maybe but really what do you get here?

The same goes for hacking back and destroying infrastructure etc. What is there to gain? Once again are you even sure the systems you are attacking are in fact those of the real attacker or just some proxy who has no idea what the hell is going on? Really, what’s the point? Some might say you will gain intelligence on your attacker. Well sure maybe but it’s just as likely there will be nothing of worth there as well so where is the ROI here? You will have been paying hackers to do things for I am sure, a lot of money so really do you win if they get into the systems you want them to? Please consider just what it’s really worth as opposed to what you will lose if things go wrong, and they will, and it all makes the news. Once again, it’s a losing proposition I think….

Alright, we hacked in and we took the data back but look! They have some tasty data here.. Who’s to know that we took it?

Ok, so we hacked back and we got the data back! YAY! But hey, look, while we were looking we also saw this other data.. It belongs to another company and, well, they are a competitor. Let’s just have a look shall we? Now that is a slippery slope huh? Really I think this will happen and it will also be no good. Once again we are on the fast track to bad things and the reality is that it is bound to be something that companies will then justify as “competitive intelligence” ya know, like they do today right? Look at all of the private intelligence firms out there today who not only sweep for bugs in your corporate offices, but also have been known to install them as well in the opposition’s as well. Corporations are now in fact of law “entities or people” according to politics and campaign finance. How is it they aren’t when it comes to spying on other companies or their employees? Just a thought….

How long until we have a pre-emptive strike doctrine for the corporate sector?

This brings me to one of the more scary ideas to come from this whole debacle. All of this really will likely come down to preemptive strikes against other companies or entities because they have heard chatter about an offensive to come. No, I am not being too dark or melodramatic here. This I believe is already taking place within the communities today. Industrial espionage is not only about stealing secrets. It’s also about denying your competition the advantage. In fact there was a story today about how “poor little Coke” was attacked by the nasty China. What does not get told in such stories is that Coke and other megacorps like them also use private intel firms as well to spy on others and perform dirty tricks. So none of them are lily white here but using this argument of hacking back as “defense” only tries to legitimize the whole thing in the network sphere. Mark my words, there will be preemptive attacks if there already haven’t been…

47% was the increase in smartphone sales in Q3 of 2012

False Flags and Merc’s

Lastly, once again I shall trot out the idea of false flags and add the mercenaries angle for the cyberverse. Any companies offering these services (hacking back/Offensive Defense) should be on the lookout as to becoming the unwitting pawns in these games. They should also be aware that not only corporations will use them but also “cutout” corporations as well that are in fact fronts for the CIA and others who want plausible deniability. Think on that… Do you want to be a part of this? Would you like to be on the receiving end of the attacks? Talk about APT and your “militias” huh? It’s all just bad idea after bad idea and will amount to nothing good or fruitful at all.

Final Thoughts

All of this tough talk is just that. It’s trying to sell a service and make people feel empowered but in the end it will only serve to muddy the waters. From the perspectives of ethics and morality to law or just right and wrong, all of this smacks of bravado and hubris. The private companies of the world already have their toes in the pool, but advocating it be done through hacking as “defense” is just the cherry on top of a shit sundae. Everyone just stop. All you offering the services or touting the ideas should just sit back down and shut up. Everyone cries now that the government is encroaching on their rights with regard to privacy and you all want to just push that bar even further out with offensive defense actions? Morons…

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please visit Infosec Island.

IT Spending in Telecom to Reach $7.1bn in 2020 The wireless subscriber market stands at 933.7 million in India and is dominated by Bharti

Z

innov, a leading market expansion and globalisation advisory firm, today released its much awaited study to evaluate the Indian Telecom Market for 2012 in its report, titled, ‘Indian Telecom Market Overview 2012’. The study covers in detail the overall industry growth, key technology trends and government regulations that have shaped the growth of the Indian telecom sector. The released study found that the Indian telecom industry, characterised by a large subscriber base, substantial tele-density but low

36

cto forum 07 December 2012

The Chief Technology Officer Forum

revenues per user (ARPU), has witnessed a three-fold increase in subscribers since 2008. The wireless subscriber market stands at 933.7 million subscribers and is dominated by Bharti while the wireline segment stands at 31.4mn connections dominated by BSNL. The report also highlights new avenues for revenue generation for the telecom companies, like mVAS, cloud and datacenter services which in turn are providing ample opportunities to IT companies. Currently data center market and capacity in India is valued at over $4 billion and is expected to reach at approx. $6 billion by


N E X T H OR I Z O N S

2014; nearly 1/5th of this segment is governed by third party while the rest is captive; Lack of in-house skills, high investments, and long gestation periods pose challenges for captive data centers in India.

Additionally another trend has been noticed by rising focus on MVAS opportunities necessitated by declining share of voice in telecom Average revenue per user (ARPU). Indian MVAS market is expected to move from the traditional SMS based services to Internet based and app based services. Currently valued at over $5 billion Indian MVAS industry is expected to reach well over $6 billion by 2013. Recently emerging MVAS categories are highlighted below:

M-Health: Leading telcos such as Vodafone, Airtel & Aircel are partnering with healthcare companies to deliver m-health services, typical services include provision of locating hospitals, fixing appointments, registration, medical advice, facilitating treatment and blood donation process

M-Governance: Amidst visible traction for M-Governance in India, government has pushed m-governance framework to aid adoption, many Indian states such as Kerala, Gujarat, Bihar, Goa and Andhra Pradesh have initiated m-governance practices primarily through SMS-based platform

M-Education: Major telecom players are enabling mobile platform as a medium to impart education for instance : Aircel and MTS partnering with NGOs for underprivileged children educational initiatives; Reliance communication delivering interactive, real time courses across 105 cities; Airtel imparts education through IVR which includes English speaking courses at basic level

M-Commerce: Telecom carriers increasingly taking interest in m-commerce services as the government aids through reforms such as M- Microfinance, M Retailing and Mobile wallet services. Some of the recent government initiatives include increase mobile payment limit to INR 50,000 by RBI, Creation of Interbank Mobile Payment Service (IMPS), by NPCI along with 6 Nationalized banks and RBI granting Semi-Closed Wallet licenses to telcos

M-Agriculture: These services bridge the information gap between the farmers and market conditions. Key services include commodity prices, local info, weather updates, multiple language support etc. Reliance communication provides its service called Grameen VAS while Airtel has Bahtar Zindagi

M-Infotainment: Almost all leading telecom companies provide information and entertainment related services. Infotainment is the largest contributor to overall MVAS revenue; categories such as Sports, Travel, News Content, Ringtones, Music and Videos are largely covered in the segment

Speaking about the study, Mr. Praveen Bhadada, Director-Market Expansion, Zinnov Management Consulting, said, “This study examines various trends that have shaped adoption of IT across the entire value chain of the telecom vertical. IT spending in the telecom vertical is mature and has grown at a rate of 14.3 percent in FY 12 and has reached $2.4 billion out of which the maximum spending takes place in hardware followed by services and BPOs. Focus on 3G and LTE has forced many telcos to re-look at modernizing their IT systems. Additionally, new avenues for revenue generation for telecom companies like mVAS, cloud and datacenter services are providing ample opportunities to IT companies, with whom service providers are looking at establishing strategic partnerships. Further to this, it is interesting to know that the IT spend in this sector will cross over $7.0 billion by 2020.”

Telecom companies are facing some challenges in IT adoption which includes: Lack of clarity on consumer preferences, uncertain government regulations, predictability of future IT requirements is difficult, falling ARPUs affecting profit margins, management issues in PSUs, high operation costs in remote areas.

Last but not the least and drawing some analysis on

Currently data center market and capacity in India is valued at over $4 billion

122m will be the amount of tablet shipment in 2012


illustration by manav sachdev


the government regulations, the study read that a host of regulatory changes are being sought through the National Telecom Policy – 2012, such as: promoting R&D and manufacturing in the domestic telecom equipment industry; moving towards a unified license regime, through which revenue could take a hit of as much as 5% due to roaming abolition; permitting spectrum pooling, sharing and trading; making additional spectrum available every five years; and framing policies to ensure rapid expansion of cloud services and technologies.

Founded in 2002, Zinnov – meaning Zeal in Innovation – is a leading Globalisation and Market Expansion Advisory firm, with specialization in areas like Global Sourcing, Emerging Markets Expansion, Human Capital Optimisation, Small & Medium Businesses, Innovation, Cloud Computing and Enterprise Mobility. Zinnov provides advice to global leaders in business and technology and works collectively with them to tackle prevailing organisational challenges by analyzing changing dynamics, improving performance, and building institutional capability. The services delivered to its clients through advanced reasoning and analytical techniques provide solutions that help in integrating organizational vision, business definition and processes.

Four Turning Points in Cybersecurity History
Examples of some future headlines if we made big progress toward better security
By Dwayne Melacon

I was just reading an article called, “4 Turning Points in Cybercrime History,” which talks about four breaches that have had significant repercussions in corporate infosec. That got me thinking about the flip side of that coin: what would a future headline look like if we’d made big progress toward better security? Take a look at some of my ideas, then add your own ideas in the comments.

1. Every enterprise adopts robust security configuration management (SCM) practices

In 2014, all enterprises recognised that one of the best ways to prevent breaches was to create secure infrastructure from the outset, after observing the resiliency of early adopters of strong security configuration management during the hail of cyber attacks in 2013. Enterprises adopted reputable standards for secure configurations (many based on the Center For Internet Security’s guidelines), and implemented repeatable practices for creating secure infrastructure (servers, network devices, applications, etc.). This shift dramatically reduced the attack surface of enterprises, greatly increasing the difficulty of achieving a successful attack.

2. Enterprises effective in top-down, risk-based security

Rather than a “peanut butter” security approach that treats all IT infrastructure and data equally, enterprises shifted to a rigorous top-down, risk-based approach to security. This shift, which began in 2014, involves systematically identifying the role and value of each part of the IT “supply chain,” which enables organisations to apply their security resources proportionally based on how each infrastructure element supports their business or (in the case of Governments) their mission.

This risk-based approach has also driven better segmentation of network components, users, data storage, and the improved adoption of layered logical controls. Among other things, this approach has greatly reduced the risk of an attacker gaining access to a “minor” system in the environment and using that foothold as a way to gain access to more important / sensitive systems.

Enterprises also found that this approach enabled them to articulate the value of information security investments much more clearly to non-technical executives and stakeholders in their organisations, which decreased the amount of failed or under-funded security projects.

image by photos.com

3. Enterprises adopt multi-factor user authentication, better password storage practices, and end-user security training

In conjunction with the move to top-down, risk-based security management, enterprises took to heart the fact that many attacks have historically taken advantage of weaknesses in the user community. This drove a move to multi-factor authentication (2 or more of the “something you know, something you have, something you are” triad) which drastically reduced the risk of user credential theft from compromised password database. Additionally, organisations began consistently using salted password hashes when storing passwords, as well as moving to open authentication protocols for user authentication.

This is another area in which the top-down, risk-based security approach has borne fruit, as enterprises have engaged in more rigorous review of user privileges and role-based access, which has helped in “right sizing” user privileges as they relate to mission critical systems and data using the “least privilege” principle of security.

To further secure the human element, most enterprises implemented security training to increase security awareness amongst the user population, making them less susceptible to social engineering, phishing, and other behaviors that enable “attacks of opportunity.” This approach, coupled with refresher courses and knowledge retention tests has been very effective in reducing users as an attack vector.

4. Enterprises use continuous monitoring to reinforce policies, create accountability, and drive cultural change

Continuous monitoring, which has been around for many years, finally became commonplace in 2014 and 2015. Using this approach, enterprises were able to monitor their systems continuously and compare all changes, activities, and data movement to objective policies. This approach enabled them to identify “outliers” early in their processes so they were able to recognise and reduce attack pre-cursors, configuration variance, anomalous user behavior and other issues that previously went unnoticed for months or more.

43% will be the marketshare of android tablets in 2012

Furthermore, this enabled them to increase adherence to policies and practices by creating a “culture of accountability,” in which users and administrators realised they would be found out if they tried to take shortcuts or violate policies, and they began to increasingly do things right the first time, which reduced operational and security variance and increased the overall efficiency and effectiveness of their IT efforts.

These are four examples of what I’d love to see as future “turning points” in cybersecurity history (yes, I know – I’m not wild about the term “cybersecurity” either, but at least people know what you mean when you say it). What about you? What would you add to the list of future turning points? Please leave a comment with your additions to the list.

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please visit Infosec Island.
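Item 3 above names salted password hashes as the storage practice that limits the damage from a compromised password database. The Python below is an added example, not code from the article or its author: it contrasts a bare fast hash with a per-user salted, slow hash; the record layout, function names, work factor and sample accounts are all assumptions made for illustration.

```python
"""Added example: salted vs. unsalted password storage (all names are illustrative)."""
import hashlib
import hmac
import os
from collections import defaultdict

SCHEME = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: a present-day PBKDF2-SHA256 work factor
MAX_ITERATIONS = 5_000_000    # reject absurd stored costs that would burn CPU


def unsalted_record(password):
    """The weak 'before': a bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Derive a slow hash under a fresh random salt; return one storable string."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def _parse(record):
    """Split a stored record into (iterations, salt, derived), or None if malformed."""
    try:
        scheme, cost, salt_hex, derived_hex = record.split("$")
        iterations = int(cost)
        salt, derived = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
    except ValueError:
        return None
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return None
    return iterations, salt, derived


def verify_password(password, record):
    """Recompute with the stored salt and cost; malformed records never verify."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when a record is malformed or was stored with a lower work factor."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def shared_password_groups(table):
    """Users whose stored values are identical: visible to anyone reading the table."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    users = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3", "carol": "correct horse"}
    weak = {u: unsalted_record(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted table reveals shared passwords:", shared_password_groups(weak))
    print("salted table reveals shared passwords:  ", shared_password_groups(strong))
    print("login still works:", verify_password("Tr0ub4dor&3", strong["bob"]))
```

Because the salt and work factor travel inside each record, `needs_rehash` lets a login handler upgrade old records to a higher cost the next time the user authenticates.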


Security Hurdles when Shifting to BYOD
Organisations must consider and take action on three major impacts when moving to a BYOD policy

illustration by shigil narayanan

Seventy percent of respondents in a recent survey by Gartner, Inc. said that they have or are planning to have “bring your own device” (BYOD) policies within the next 12 months to allow employees to use personal mobile devices to connect to enterprise applications. Thirty-three percent of all organisations surveyed currently have BYOD policies in place for mobile devices, such as smartphones and tablets.

“Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” said Dionisio Zumerle, principal research analyst at Gartner. “Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organisation.”

Gartner believes that organisations must consider and take action on three major impacts when moving to a BYOD policy:

Impact 1: The right of users to leverage the capabilities of their personal devices conflicts with enterprise mobile security policies and increases the risk of data leakage and the exploiting of vulnerabilities

Outside the enterprise’s premises, employees may define their own usage policy for personal devices. Users can, therefore, install apps and visit URLs of their choice, whereas enterprises can limit applications and Web access on enterprise-owned devices. Users can also decide the level of protection for their personally owned devices. When enterprise data is allowed on these devices, the risk of leakage increases for the enterprise, not just because of the rise of mobile malware, but also because legitimate but unsupported apps may inadvertently create security risks for the organisation and, most importantly, because of device loss.

Using mobile device management (MDM) software is one way to enforce policy on mobile devices. Users should obtain access to enterprise information only after having accepted an MDM agent on their personal devices, and possibly a URL filtering tool, such as a cloud-based secure web gateway (SWG) service, to safeguard and enforce enterprise policy on Internet traffic. Enterprises should consider using application whitelisting, blacklisting and containerisation, as well as setting up an enterprise app store, or app catalog, for apps that are supported.

Impact 2: User freedom of choice of device and the proliferation of devices with inadequate security make it difficult to properly secure certain devices, as well as keep track of vulnerabilities and updates

Allowing users, rather than the IT department, to select OS and versions of mobile devices opens the door to devices that are inadequate from a security standpoint. An essential security baseline should require enhanced password controls, lock timeout period enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe. The enterprise mobility baseline must also express minimum requirements on hardware — OS versions will not be sufficient.

In alignment with the mobile security policy, network access control policies should be used — for example, to deny access to enterprise resources such as email and apps from devices that cannot support the security baseline. Preventive action should be taken to ban noncompliant devices or create an alert for them by using tools such as MDM software. Nevertheless, excessively limiting the types of allowed devices eliminates the benefits of BYOD for users. There should be no compromise of security for the sake of device variety, but where it is possible to manage and secure a new device model, it should be done. The policies that are enforced will depend on the risk appetite of the organisation and the sensitivity of data allowed to reside on the device.

Impact 3: The user’s ownership of device and data raises privacy concerns and stands in the way of taking corrective action for compromised devices

Most people consider data on their personal devices as their property, and would strongly object to having it manipulated by the organisation without their explicit consent. When shifting from enterprise to user-owned devices, “remote wipe,” which is a fundamental security feature in a mobile security policy, becomes complicated from a legal and cultural point of view. Thus, sufficient attention should be paid to this issue to avoid repercussions. In practice, “selective wipe” is proving to be difficult in ensuring that all business data, and only business data, has been deleted from the device. It is recommended to liaise with the legal department to obtain advice, because there may be legal implications related to device wiping.

Problems may arise if the user refuses a remote wipe. Time is of the essence when performing this task, and asking the user for permission after the compromise, when a remote wipe is considered necessary, will be impacted by message exchange delays that can be critical. It is advisable to obtain the explicit, written consent of users to delete their data in case of compromises, at the time of the user’s initiation to the BYOD programme.
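The three impacts above amount to an admission check: an accepted MDM agent (Impact 1), a baseline covering device settings, OS version and hardware (Impact 2), and written wipe consent collected at enrolment (Impact 3). The Python below is an added example, not Gartner's or any MDM product's code; the field names, thresholds, sample devices and the split between "deny" (device cannot support the baseline) and "alert" (a setting has drifted) are assumptions.

```python
"""Added example: gate BYOD access on MDM enrolment, wipe consent and a baseline."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALERT = "alert"  # device can meet the baseline but a setting has drifted
    DENY = "deny"    # unmanaged, no consent, or cannot support the baseline


@dataclass(frozen=True)
class Baseline:
    # Thresholds are constructed for this example, not taken from the article.
    min_passcode_length: int = 6
    max_lock_timeout_s: int = 300
    max_unlock_retries: int = 10
    min_os: tuple = (("android", (4, 0)), ("ios", (6, 0)))


@dataclass(frozen=True)
class Device:
    owner: str
    platform: str
    os_version: str
    hw_encryption: bool           # hardware requirement: can encrypt storage
    mdm_enrolled: bool            # Impact 1: MDM agent accepted
    wipe_consent: bool            # Impact 3: written consent at enrolment
    encrypted: bool = True
    passcode_length: int = 6
    lock_timeout_s: int = 300     # 0 means auto-lock is off
    unlock_retry_limit: int = 10  # 0 means no limit configured
    remote_wipe: bool = True


def meets_minimum(version_text, minimum):
    """Compare dotted versions numerically; malformed strings never pass."""
    try:
        version = tuple(int(part) for part in version_text.split("."))
    except ValueError:
        return False
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def evaluate(dev, base=Baseline()):
    """Return (Decision, reasons) for one device posture record."""
    blockers, drift = [], []
    if not dev.mdm_enrolled:
        blockers.append("MDM agent not accepted")
    if not dev.wipe_consent:
        blockers.append("no written wipe consent")
    minimum = dict(base.min_os).get(dev.platform.lower())
    if minimum is None:
        blockers.append("platform not supported")
    elif not meets_minimum(dev.os_version, minimum):
        blockers.append("OS version below minimum")
    if not dev.hw_encryption:
        blockers.append("hardware cannot encrypt storage")
    elif not dev.encrypted:
        drift.append("encryption disabled")
    if dev.passcode_length < base.min_passcode_length:
        drift.append("passcode too short")
    if not 0 < dev.lock_timeout_s <= base.max_lock_timeout_s:
        drift.append("lock timeout too long or off")
    if not 0 < dev.unlock_retry_limit <= base.max_unlock_retries:
        drift.append("no lock after retry limit")
    if not dev.remote_wipe:
        drift.append("remote lock/wipe disabled")
    if blockers:
        return Decision.DENY, blockers + drift
    if drift:
        return Decision.ALERT, drift
    return Decision.ALLOW, []


def access_report(fleet):
    """Map each owner to the decision a network access control point would apply."""
    return {dev.owner: evaluate(dev)[0].value for dev in fleet}


# Constructed sample posture records, as an MDM inventory export might list them.
FLEET = [
    Device("asha", "android", "4.1.2", True, True, True),
    Device("ben", "android", "2.3.6", False, True, True),
    Device("chen", "ios", "6.0.1", True, True, True, lock_timeout_s=0),
    Device("dev", "ios", "6.1", True, False, False),
]

if __name__ == "__main__":
    for device in FLEET:
        decision, reasons = evaluate(device)
        print(device.owner, decision.value, "; ".join(reasons))
```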



TECH FOR GOVERNANCE
security

Improve Your Infosec Risk Management Practice
Fifteen Tips for managing infosec risk
By David Spark

Illustration BY SHIGIL NARAYANAN

5 POINTS
- be wary that even though security controls can reduce risk, it may cause the business to act more risky therefore not reducing damages
- you need to understand as a security practitioner what data is important to your board
- what’s important to the board is not necessarily what’s important to the business units
- there are too many security and compliance professionals that don’t understand the data they’re protecting
- information security people get hung up on their own information security risks without realising that the real impact of the other risks is far greater


Just being great at security is no longer the objective. Security’s purpose is to serve the business and help the organisation manage its overall enterprise risk management profile. To learn more about how to actually do this, we interviewed six CSOs/CISOs from varied industries who have actually applied risk-based security management to their business. We asked them for their advice on what we should and shouldn’t do when building a risk-focused security operation. We boiled down their advice to 15 tips to improve your business’ infosec risk management practice.

TIP 01 Realise the need for risk management

For years security vendors have been able to play off the general fears of malware and cyber attacks. They’ve advised that if we just bought this product we’d be more secure. As the scope of protecting data has become more complex, we’ve slowly learned that deploying more security controls alone is not a risk management solution.

“We could spend tons and tons of money and not know if we had improved security at all or if we had done the right things,” said Eric Cowperthwaite, CISO at Providence Health & Services in Seattle. “We needed a better way than just installing all the technology you can buy to figure out what we should be doing in our security programme.”

For Kirk Herath, VP, CPO, Associate General Counsel, Privacy, Technology & Contract Services at Nationwide Mutual Insurance Company, building a risk management practice is a requirement in their heavily regulated industry.

TIP 02 Risk management is what you do beyond basic controls

“There is a basic set of security controls that must exist from an ‘I have done the right things in a due diligence perspective,’” noted Cowperthwaite.

For example, said Cowperthwaite, with physical security you put locks on doors, add alarm systems, and closed circuit TV. Although there isn’t a full consensus on information security of what that basic set of security controls should be, most know to include anti-virus, firewalls, intrusion protection systems, and spam filtering.

“This is not risk management at all. This is equivalent to putting a lock on the door,” said Cowperthwaite.

TIP 03 Assessing your assets is table stakes

“If you don’t know what your crown jewels are you can’t do risk management,” said Cowperthwaite. “If I don’t know what it is that I need to protect on behalf of my organisation I can’t possibly be successful in going beyond foundational due diligence security.”

“You need to understand as a security practitioner what data is important to your board if it gets out and what data is important to just the functionality of the organisation,” said Erin Jacobs, CIO/CSO for UCB, Inc. “Understand how data moves in and out of the organisation.”

After doing a data map, Jacobs learned, “What’s important to the board is not necessarily what’s important to the business units. And what’s important to the business units might be different to what’s important to security teams.”

“There are too many security and compliance professionals that don’t understand the data they’re protecting,” said Jacobs. “It’s hard to consume especially with how frequently people are changing jobs and roles.” For Jacobs, who has been at her job for seven years, she’s still making new discoveries every day.

TIP 04 Find the business’ risk tolerance

“You can write rules that are risk-averse and risk-absolute. We have found that is a recipe for disaster,” said Herath who advised instead that you have discussions with the business about their risk tolerance.

It’s exactly what Jacobs does at UCB, Inc: “We assess the risk appetite of our organisation and the organisations we serve and apply controls around that.”

Be wary that even though security controls can reduce risk, they may cause the business to act in riskier ways, therefore not reducing damages. This phenomenon is a function of risk compensation or the Peltzman effect, introduced by Sam Peltzman, who noticed that safety restrictions on cars, such as seatbelts, don’t reduce fatalities. It just makes people more dangerous drivers, said Andy Ellis, CSO for Akamai.

“People have a set point of risk tolerance. There is so much risk that they will tolerate and every time you take risk away, they accept more,” said Ellis. “At Akamai, infosec grades a product not on how secure it is, but rather on the product manager’s understanding of the product’s risk.”

Information security exists because of the business. “You must always be doing right by the business. Too often security people think their fiduciary duty is to the goddess of security. Your goal is to be the most awesome security person ever, and you must be the security rockstar,” said Ellis. “That is not how you get trusted by business. You get trusted by business is by demonstrating every day that you are trying to make the business succeed.”

TIP 05 Get out of your office and obtain input from the business

Canon manages risk through conversations that are continuous, flowing, and supportive, said Quentyn Taylor, Director of Information Security, Governance and Risk at Canon for Europe, Middle East and Africa (EMEA).

“I want my people out there talking to the business and suggesting ways forward. I don’t want people to end a conversation with, ‘No, you can’t do that.’ I always want it to be a case of ‘That might not be the optimal way. There may be a better way of achieving exactly what you want to achieve,’” said Taylor.

Cowperthwaite’s team at Providence Health and Services has an unskewed crowdsourcing technique to assess their organization’s assets. They connect with the business by issuing an anonymous survey to 125 senior operational officers asking them what they think is the most important information.

“You can’t do risk management if you’re not engaged with what everybody else is doing operationally every day. So get out of your office. Stop fiddling with firewalls and go find out what your business does,” said Cowperthwaite. “You have to have agreement with people that are impacted and have to do the work.”

It is security’s responsibility to become business aware and learn about business operations, said Taylor who advised security professionals to simply look at the organisational chart for team leaders to learn from and ultimately then influence through an inevitable two-way dialogue.

TIP 06 The business must be accountable for infosec risk

Your business’ security department should never accept the risk for a specific issue, warned Roland Cloutier, VP, CSO at ADP Worldwide, who has seen many companies screw this up. The business must accept the risk.

“[When a corporate officer signs a risk acceptance letter] it changes the tone of the conversation. They’re looking for your (security’s) help and they respect that you sat down and partnered with them to deliver the options. And they know you will support them going forward if they run into obstacles specific to that risk or the board has questions,” said Cloutier.

TIP 07 Risk can be determined by regulators

While compliance does not equal security, falling out of compliance can be financially damaging and therefore highly risky.

“We exist because of GLBA (Gramm-Leach-Bliley Act),” admitted Herath of how regulators often manage his risk. “It’s hard in a highly regulated industry to make what academics might think is a perfect risk calculation.”

While Nationwide has had an infosec practice prior to GLBA, Herath confessed that it changed dramatically as a result of this regulation.

Cowperthwaite agrees and points out that HIPAA security rules dictate that his health organization must have access management. It’s not an addressable specification, it’s a requirement. Referring to “TIP 2,” it’s not risk management at all, but rather a basic foundational thing that he has to do.

TIP 08 Risk management changes depending on what’s reasonably possible

Risk-based security management exists because we don’t have an infinite amount of resources. Not only are we looking at assets, but also what our business and its staff can reasonably do. As we evolve the notion of what is reasonable for our business, we need to have conversations between information security and the business so that we design policies for which organizations can adhere.

“What was science fiction ten years ago is considered highly reasonable and therefore expected by regulators and courts today,” said Herath who noted that 12 years ago encryption wasn’t affordable, interoperable, or practical. Today it’s very much all of those things.

“The law doesn’t require us to be absolute, but the law requires us to be reasonable,” said Herath. “It inherently calls out that you have the ability to manage your own risk and your own space based upon the size, scope, scale of your organization.”

24% dip in windows PC sales since launch of windows 8

TIP 09 Manage the unknown risk and measure success based on risk management adoption

“We make risk judgments based on what we’re aware of and what feels really present to us,” said Ellis noting that traditional risk thinking can cause us to make bad awareness decisions.

Ellis highly recommends considering unexpected or even unknown events. He takes this to such an extreme that he actually has meteor strikes and zombie apocalypses built into Akamai’s incident planning – likelihood of these events happening is another matter. (Editor note: Ellis claims the zombie apocalypse incident scheme was in place before Joshua Corman joined Akamai.)

“I want to see my risks go up. I want to know they’re being documented well. I want to know they’re being entered into the platform,” said Cloutier of creating a greater library of “risks he knows.”

Knowing about and managing more risks is a measure of your organisation’s maturity, said Cloutier. To get there, ask yourself these questions: How fast did you identify the risks from the time that they started? How fast did you come to risk resolution (agreement with the business)? How fast did you close that risk? Did you impact the enterprise risk measurement?

TIP 10 Risk management is often about balancing risk and opportunity

“Risk and opportunity are two sides of the same coin,” said Taylor noting that security can sometimes be close-minded saying that we can’t accept that risk. “In some cases you can say, ‘We can accept that risk and that gives us the opportunity and ability to exploit that situation.’”

Risk management is only downside risk. That’s where infosec operates. Conversely, business leaders deal with upside risk every day, noted Cowperthwaite.

TIP 11 Use the KISS (Keep It Simple) Principle

Don’t try to numerically quantify risk-based security management. There’s a belief that risk-based security management can be boiled down to numbers and that you can quantify the risk and compute the annualized loss, said Ellis.

“Well, I expect I could lose this much money. So if I spend this much resources then I can mitigate it by this percentage and that was a good investment,” mimicked Ellis of this common approach. “That belief stems from the fact that there are risk disciplines like that.”

While Ellis thinks this might work for fraud and petty theft, he doesn’t believe it will ever work for general information security because of the qualitative variables.

The desire to quantify is understandable since a lot of risk speakers at conferences are from the financial services area, noted Taylor.

TIP 12 Don’t overstate impact of risk in terms of the business

“Security and risk management professionals have convinced ourselves that our business counterparts just don’t understand what we do. Clearly if they understood, they would agree with us,” laughed Cowperthwaite of this admittedly very dangerous thinking.

“Information security people get hung up on their own information security risks without realising that the real impact of the other risks is far greater,” said Taylor noting that other business-centric risks such as the economic climate and what’s going on with the Euro have stronger continuous impact on the business.

Cowperthwaite boiled it down to very obvious numbers. His health organization is a $12.5 billion business that just made an affiliate agreement with a $3 billion company.

“That’s a $3 billion bet. That’s our biggest risk right now. Cybercrime is not a $3 billion risk,” said Cowperthwaite. Look at the T.J. Maxx breach, that cost them $256 million. It’s bad, but not at the same level as this business risk.

“This is where we have to be conscientious about educating in an honest way about the impact. Don’t try to tell them how big or small the deal is. Just tell them what it is,” said Cowperthwaite.

“With the exception of a data warehouse catastrophe, there is almost no information security risk here at Nationwide that comes anywhere near matching our other enterprise risks around the markets, around natural disasters,” said Herath who admitted a single hurricane can cost them $400 million.

TIP 13 Define your process and make it repeatable and fast

Risk management must be a business process dictated at the corporate level and it has to be a non-option, said Cloutier. At ADP, their risk management process is centralized, clearly defined, consistent, predictable, and fair across all business units.

Similarly, at Nationwide, every application put into production goes through a security certification and accreditation process where it’s given a risk-assessed grade of low, medium, high, or severe, said Herath.

As you’re defining your process, make sure to be speedy, because as Cloutier noted, “The most painful thing about risk assessment is risk assessment itself.”

TIP 14 Get input on how well you’re doing

While Cowperthwaite’s team surveys business leaders on what information they think is important, they also ask how well they think the infosec team is doing to protect it. Answers to that question can greatly change the risk profile, said Cowperthwaite. For example, when they asked how important cybercrime was, it was listed, by importance, in the middle of the pack of 40 issues. But when they asked the business how well they thought they were doing to protect against cybercrime, they didn’t think it was going so well so the issue moved up in importance.

CONCLUSION & TIP 15 Getting better at risk management requires building trust and confidence over time

In order for a security-based risk management strategy to be successful, it is clear that we need to better align our security efforts with the goals of the business. That partnership with our business counterparts is crucial to the success and advancement of our careers.

“Our livelihood depends on trust and confidence,” said Cloutier.

“You have to build up a bank of goodwill and it’s a continuous process,” said Taylor. “You’re all working towards the same goal. You’re all trying to hit the same targets and you’re just trying to help them out and help them achieve those targets.”

And that confidence and trust is built over time and by listening to the needs of the business.

“We have to demonstrate that you can make the business succeed,” noted Ellis.

—This article is printed with prior permission from www.infosecisland.com. For more such features and opinions on information security and risk management, please visit Infosec Island.



VIEWPOINT
Steve Duplessie | steve.duplessie@esg-global.com

Illustration by Haridas Balan

Where’s the Money in Enterprise Cloud?
Stop whining that I’m a pessimist — I’m not!

Moving existing legacy applications to the cloud takes armies of consultants, tons of dough, and an obscene amount of time. In order to see significant MONEY spent to migrate/move existing apps to the cloud (private or public), we must overcome certain obstacles.

Forget consumers, or small business. When we talk large enterprises, where’s the money going? Everybody is “planning” or looking, but where’s the spend?

For new applications—or “green field”—the spend is clearly going to Amazon. I’d guess 90 percent plus.

For old/existing/legacy applications—what’s actually getting deployed, and where? The overwhelming conclusion one must make at this point is nowhere. We’re talking a good game, but who’s doing it in earnest? I’m not seeing it.

Having said that, stop whining that I’m a pessimist—I’m not. I believe that we’ll see a semi-orderly transition to the cloud for existing apps in much the same way you do—things like e-mail are happening, as are file data moves (OFS)—but there is little to no MONEY being spent on it.

So what are the gates? Cost (check), Complexity (check), and Time (check). Sound familiar?

It’s not easy to take even a single-instance, limited interdependent application on a single stack and move it out to the cloud. It’s not cheaper. If anything it’s more expensive. And it’s not easy to plan and accomplish—it takes time, something IT is woefully short of.

Thus, in order to see significant MONEY spent to migrate/move existing applications to the cloud (private or public), we must overcome these obstacles. In order to do that we must (excuse my simple mindedness):

A: Find a way to lower the REAL costs of moving from my own kit in my own data center to a secure instance executing in the cloud. If I have to buy all new stuff to do it, and then pay someone else to manage the stuff, it’s not going to be any cheaper.

B: Find a way to make it simple—I really want to ship an entire SYSTEM (virtual, presumably) that contains everything as is, from where it currently resides, to the cloud. With one button.

C: Do B, and you solve for time. There isn’t any additional time involved.

Sounds simple, ya? But no one’s done it. Moving existing legacy apps to the cloud takes armies of consultants, tons of dough, and an obscene amount of time. That’s why no one is out there talking about how much money they are MAKING on this stuff, only how much they are SPENDING. Big difference.

Added Bonus Consideration I Stole Recently: People dramatically overestimate what will change within two years, and radically underestimate what will change in ten.

About the author: Steve Duplessie is the Founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com



