ETM ENTERPRISE TECHNOLOGY MANAGEMENT
| THE INDEPENDENT RESOURCE FOR IT EXECUTIVES Adriaan Bloem C M S Wa t c h Derek Brink A b e rd e e n G r o u p Ju l i e C r a i g + S c o t t C r a w f o r d Enterprise Management A ssociates Mar tin Kuppinger KuppingerCole
Stay safe from harm Guidance on Security, BI and ITSM
ETM ■ CONTENTS PAGE
Contents and contributors page 7 Editor
8 Industry snapshot 9 Professional profile 82
Events and features
looking in the rear-view mirror 10 Stop
DAN LAHL (SYBASE) joins ETM’S ALI KLAVER to talk about how Sybase IQ addresses business challenges, and why it’s important to get out in front of the competition and predict what will happen in the future.
14 Shared purpose
In an economy still very much in recovery mode, the difference between success and failure often comes down to pure speed. It’s towards solving these kinds of issues that business process management was created. ETM’S ALI KLAVER talks to BPM expert MALCOLM ROSS (APPIAN) about choosing the right one. r
Step up to the BI 18 revolution
CLIVE LONGBOTTOM (QUOCIRCA) explains that even though business intelligence is highly regarded by CIOs, it’s not being utilized half as well as it should be—if at all. So when will business see the need?
Analytics—Fuel for growth
BRUCE ARMSTRONG (KICKFIRE) talks to ETM’S ALI KLAVER about the critical role of analytics in successful organizations and how smart data warehousing and business intelligence are the way forward.
26 IT IQ
Organizations are experiencing a growth in the amount of data they generate, and an accompanying demand for making sense of that data in real time. Among the many IT challenges in today’s business world, DAN LAHL (SYBASE) tells ETM’S ALI KLAVER how Sybase IQ is succeeding.
28 Searching for Agility
JULIE CRAIG (ENTERPRISE MANAGEMENT ASSOCIATES) moderates a dynamic discussion on application lifecycle management with the expert opinions of GILES DAVIES (MICROSOFT), BRIAN ZEICHICK (COLLABNET) and TIM JOYCE (SERENA SOFTWARE).
your business at its best? 36 Isperference
DETLEF KAMPS (ARCPLAN) talks to ETM’S ALI KLAVER about the trends arcplan is seeing from successful companies linking key corporate performance data with operational performance.
40 Have you got Insight?
In an economy that is highly competitive for buyer attention, is it possible to capture and hold the customers you want? JOSE SANTA ANA (OMNITURE) says that it’s easy to drive business transformation through multi-channel, customer-centric analytics.
CONTENTS PAGE ■ ETM
Contents 3D, VIRTUALIZATION AND CLOUD COMPUTING
In perfect alignment
The unwired enterprise
Finding, implementing and then working with a CMS can be one of the most difficult tasks for an organization. ADRIAAN BLOEM (CMS WATCH) says that there isn’t one perfect CMS—instead, it’s all about catering to individual needs.
In an increasingly mobile and flexible world, is it possible to keep hold of the things that matter most to your company—and in a consistent manner? IAN THAIN (SYBASE) talks to ETM’S ALI KLAVER about their Unwired Enterprise and touches on competitive advantage, opportunity, security and risk, and the steps for future success.
It’s your business... in 3D
With 3D the hottest thing in entertainment at the moment, attention is turning to how it works in the business sphere. ETM’s ALI KLAVER interviews GARTH COLEMAN (3DVIA) about his work developing 3D and 3DVIA Composer, and how it’s become a real cost-saver and market leader.
computing for skeptics 54 Cloud
The opinion on cloud computing is divided, and while it can deliver significant economic benefits, it’s not for every organization. PAUL BURNS (NEOVISE) sets the record straight for companies considering this approach to delivering IT.
SECURITY AND GRC
58 Simplifying IAM
Looking for one identity and access management solution that reduces cost, strengthens security, improves productivity and addresses compliance requirements? JOE SKOCICH (IBM TIVOLI) talks to ETM’S ALI KLAVER about his take on identity and access management and how IBM can help you.
back on cybercrime 62 Fighting
The threat of cybercrime is a risk most organizations deal with on a daily basis, but is there anything we can do about it? ED ROWLEY (M86 SECURITY) tells ETM’S ALI KLAVER that it is possible to stay safe, and within your budget.
and IT security— Where is the link? 66 GRC GRC is an essential element of your IT strategy, but how does it work with security? MARTIN KUPPINGER (KUPPINGERCOLE) tells us that they work hand-in-hand, and that a GRC view helps in optimizing investments in IT security.
70 Safety first
SAFEND’S EDY ALMER talks about a fully integrated, single server, single agent data protection solution and shows ETM’S ALI KLAVER why they are the leaders in endpoint data protection.
74 SIEM—Spiralling out
DEREK BRINK (ABERDEEN GROUP) moderates a panel discussion on security information and event management and addresses the main issues in the market with the help of TOM TURNER (Q1 LABS), PAUL STAMP (RSA, THE SECURITY DIVISION OF EMC) and RICK CACCIA (ARCSIGHT).
What Good is ‘Zig’ Data If They’ve Already ‘Zagged’? Do you have a solution to keep up with the ebb and flow of your customers’ behavior as they interact with you across multiple channels?
Omniture, An Adobe company, offers Omniture Insight™: a solution that analyzes large volumes of rapidly-changing data in real time, and complements any operational reporting or BI tool you may already have by providing deep customer behavioral analysis.
Use Omniture Insight to: » Bring together online, clickstream and offline transactional data for multi-channel analytics » Generate instant responses from billions of records for rapid data discovery » Navigate from high-level trends to the most granular transactions without pre-aggregation » Uncover patterns and trends in customer behavior with leading-edge visualization
For more information on Omniture Insight, or any of the other solutions in the Omniture® Online Marketing Suite™, visit omniture.com/omnitureinsight © Copyright 1996-2010. Adobe Systems Incorporated. All rights reserved. Omniture® is a registered trademark of Adobe Systems Incorporated in the United States, Japan, & European Community. Adobe, the Adobe logo, and the Omniture logo, are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Editor’s Page n ETM Contributors
Fo u n d e r / P u b l i s h e r Amir Nikaein Managing Editor A l i K l av e r Ar t Director Ariel Liu A ssoicate Designer Michael Chan He a d o f D i g i t a l A l f o n s o Mu n o z Fi n a n c e D i r e c t o r M i c h a e l Ng u y e n Po d c a s t / S o u n d E d i t o r Mark Kendrick A ssociate Editors M a r y Wr i g h t Ann Read
Stay safe from harm As always, innovation is the cornerstone of all information technology—including those developments created to do harm. It’s how fast these new developments can be implemented that is key to business success or failure. In an environment that is in a constant state of action and change, how is it possible to manage your business processes in a secure and cost-effective way? We have a number of industry experts in this issue of ETM dedicated to answering this question. Adriaan Bloem from CMS Watch says that there is no “perfect” CMS—instead you have to choose elements that are exactly suited to your own business, and in that way you’ll be fast, efficient and on budget (see page 42). Paul Burns from Neovise jumpstarts a discussion on “Cloud computing for sceptics” (page 54) and Martin Kuppinger from KuppingerCole searches for the link between GRC and IT security (page 66). During the production of this issue we’ve also uploaded a plethora of podcasts on subjects ranging from a great panel discussion on SIEM (page 74) to how a company has linked key corporate performance data with operational performance (with arcplan, on page 36). Check out www.globaletm.com for more information on our other exclusive and panel podcasts. One of the most dynamic discussions I’ve had the pleasure of hosting is our panel podcast on application lifecycle management moderated by Julie Craig from Enterprise Management Associates (EMA), with input from CollabNet, Microsoft and Serena Software (you’ll find it on page 28). Hopefully in this issue of ETM you’ll find the answers and solutions to at least some of the challenges facing IT professionals today. Thank you for reading, and if you would like to contribute to any future issues of ETM, please feel free to contact us at www.globaletm.com or via email at firstname.lastname@example.org
Ali Klaver Managing Editor
Account Executives Jo e M i r a n d a Sandino Suresh Marketing Executive Michael Le Contributors Adriaan Bloem A naly st C M S Wa t c h Pa u l B u r n s P r e s i d e n t a n d Fo u n d e r Ne o v i s e Mar tin Kuppinger S e n i o r Pa r t n e r a n d Fo u n d e r K u p p i n g e r C o l e + Pa r t n e r Clive Longbottom Ser v ice Director, Business Process Facilitation Quorcirca How to contact the editor
We welcome your letters, questions, comments, complaints, and compliments. Please send them to Informed Market Intelligence, marked to the Editor, Studio F7, Battersea Studios, 80 Silverthorne Road, London, SW8 3HE or email email@example.com
All submissions for editorial consideration should be emailed to firstname.lastname@example.org
For reprints of articles published in ETM magazine, contact email@example.com All material copyright Informed Market Intelligence This publication may not be reproduced or transmitted in any form in whole or part without the written express consent of the publisher.
Enterprise Technology Management is published by Informed Market Intelligence
Headquarters Informed Market Intelligence (IMI)
IMI Ltd, Battersea Studios, 80 Silverthorne Road London, SW8 3HE, United Kingdom
+44 207 148 4444 Tokyo 1602 Itabashi View Tower, 1-53-12 Itabashi Itabashi-Ku173-0004, Japan Dubai (UAE) 4th Floor, Office No: 510, Building No.2 (CNN Building), Dubai Media City, Dubai
EtM n industrY nEWs
Industry snapshot The great debate
Since the last issue of ETM we have introduced a poll facility on gloabletm.com. The results have been surprising:
of you think Wikipedia is a reliable source of information.
of you would pay for a service that let Google know the details of who has Googled you, but dependant on cost.
of you are worried about putting sensitive information online, both business and personal, while say that they never share their information on any website. www.gloabletm.com
The Google/China row continues from censorship to China-based hacking exploits. China are still looking to tone down the Google controversy and censor all information both in print and online. Washington has asked for explanations for the cyber attack during which the email account of human rights activists was violated. Google has threatened to pull out of China entirely if cases of piracy and the censorship imposed by law continue.
Gartner acquisition Two of ETM’s valued media and research partners have joined ranks. Gartner announced last year that it had acquired Burton Group for approximately $56 million in cash. The acquisition is expected to expand Gartner’s product and service oﬀerings and increase its IT research market opportunity. The combination is also expected to drive operational eﬃciencies and cost savings. Gene Hall, Gartner’s chief executive oﬃcer says: “Burton Group is a great strategic fit for Gartner and should enable us to oﬀer a more complete solution to every level and functional expert within an IT organization.” www.gartner.com
The collapse of communication services in Haiti following the earthquake has attached a new importance to the use of social networking sites. Twitter was used as a prime channel for communications, while Facebook aided with updates and the creation of lists of those missing The full and immediate impact of the disaster was broadcast around the world in record time which helped aid and military agencies get to those most in need.
The newest Apple gadget has been released and, although there are undoubtedly improvements to be made, it’s still a big hit. iPad will work with almost all of the apps designed for the iPhone, plus, the iWork productivity applications—Keynote, Pages and Numbers—have been redesigned for iPad. Included is Safari, Mail, Photos, Video, youtube, iPod, iTunes, iBooks, Maps and more. www.apple.com/ipad
On another Google note, the internet giant has launched their own social networking site: Buzz, a hopeful competitor for the likes of Facebook and Twitter. Although in its early days, adoption is high. Buzz let’s users share messages, video and images while also allowing you to connect to the sites that you usually use, such as Twitter and Flickr—not Facebook though. www.google.com/buzz
PC users have been targeted by hackers using an Internet Explorer exploit allegedly used to break into Google’s corporate network. That news after warnings by the information security agencies of the French and German governments, which recommended that IE users switch to an alternate browser such as Firefox, Chrome, Safari or Opera, until Microsoft fixed the flaw. Although the vulnerability has since been patched, there has been widespread doubt, particularly on social networking sites, declaring that patching or even updating to IE8 will not solve the inherent problem.
PAUL BURNS ■ PROFESSIONAL PROFILE
Meet: Paul Burns President and Founder, Neovise
eovise is an IT industry analyst fi rm that uniquely adds business perspective to technology. Paul has nearly 25 years experience in the soft ware industry, driving strategy for enterprise soft ware solutions through product management, competitive analysis and business planning. He has held a series of leadership positions in marketing and R&D, and spent two years as Research Director/Senior Analyst immediately prior to founding Neovise. He earned both B.S. in Computer Science and M.B.A. degrees from Colorado State University. He shares his story so far with ETM: HOW DID YOU START OUT IN THE IT INDUSTRY?
Right after college I had the pleasure of helping implement the TCP/IP protocol stack on HP 3000 mini computers. We were writing code from scratch in basic text editors and using the draft protocol standards documents from the Internet Engineering Task force as our guide. HOW DID YOU END UP WHERE YOU ARE TODAY?
After working on code for many years, I managed software development teams and also spent time in technical marketing and product management. I became interested in the business side of technology and completed an MBA degree to get my mind around that. I also spent a couple years as an IT industry analyst covering the IT management market. Just last year I founded Neovise, an IT industry analyst firm that covers cloud computing. WHAT IS THE MOST REWARDING EXPERIENCE YOU’VE HAD?
Launching and growing Neovise has to be my most rewarding professional experience so far. It lets me bring together skills from all of my past roles and also serves as a creative outlet. WHAT DO YOUR COLLEAGUES SAY ABOUT YOU? WHAT ARE YOUR STRENGTHS?
Most of them initially see me as the quiet, serious, hardworking type. Once they get to know me they see a risk taker with a sense of humor. In terms of strengths, those seem to come from combining both technical and business perspectives. That really comes out in my research and writing. IF YOU COULD CHANGE ONE THING ABOUT YOUR JOB, WHAT WOULD IT BE?
I would like to see my clients in person more often. So much gets done on the phone and through email, but nothing can fully replace that personal interaction. CAN YOU TELL US A CASE STUDY THAT HIGHLIGHTS WHAT NEOVISE CAN DO?
One of the more common starting points for our vendor and service provider customers is to commission a Neovise Perspective Report. These are just a few pages and are used by our clients to educate their own prospective customers. These reports typically introduce an IT challenge, discuss solutions, and then offer our own perspective on offerings from the vendor or service provider. We also offer research, advisory services, speaking, in-depth white papers and other services. HOW DO YOU SEE THE FUTURE OF CLOUD COMPUTING?
I view cloud computing as including infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Each of those service models is separately driving significant change in IT—together they are creating the next major step in the evolution of IT. As developers increasingly use PaaS to build web-enabled software, more SaaS and IaaS deployments will naturally follow. I expect PaaS to be a real competitive control point for cloud computing. HOW DO YOU STAY UP-TO-DATE PROFESSIONALLY?
I regularly brief with vendors and service providers in the cloud computing space, so I end up with a broad perspective of both capabilities and needs. I also do as much reading and research as I can to keep up with continual change.
FACT FILE • • •
Launched on 1st May, 2009 Focus: cloud computing and IT management Services include: research, advisory services, positioning reports and analysis, webinars, podcasts, and vendor and product selection support Member of IT Service Management Forum Writer for ETM.
If people want more information about you, where can they go? They can take a look at www.neovise.com which includes my blog, profiles on more than 50 cloud computing players, and more information on Neovise.
HEAD TO HEAD ■ BUSINESS INTELLIGENCE
Stop looking in the rear-view mirror DAN LAHL (SYBASE) joins ETM’S ALI KLAVER again to talk about how Sybase IQ addresses business challenges, and why it’s important to get out in front of the competition and predict what will happen in the future. http://www.GlobalETM.com
BUSINESS INTELLIGENCE ■ HEAD TO HEAD
AK: DAN, THANKS FOR JOINING US TODAY. LET ME JUMP STRAIGHT INTO THE FIRST QUESTION—WHAT DO YOU THINK ARE THE MAJOR BUSINESS CHALLENGES THAT ANALYTICS ADDRESSES?
That’s a great question Ali, and I think as transactional systems have been quite fully built out most customers and most businesses today are really looking towards building out their analytics, their decisionmaking capabilities, and their data warehousing capabilities. This means that they can not only report on what has happened in the past and understand what’s going on today, but actually make predictions into the future on what new products, new services and new customers they can go after. So in large answer to this question, I think that the transactional systems have solved the business operational piece, but now businesses and people are looking at what they’re going to do to predict future success for their company. And that’s why analytics is so important today. AK: AT ETM WE FIND THAT A LOT OF COMPANIES HAVE SO MUCH DATA, AND THEY REALLY NEED TO DRIVE DOWN AND ANALYZE EXACTLY WHAT IT IS THAT MEANS. THEY ALSO NEED TO PINPOINT, FOR THEIR OWN BUSINESS STRATEGY, EXACTLY WHAT THEIR CUSTOMERS ARE LOOKING AT. SO HOW DOES SYBASE IQ ADD PRECISION AND VALUE TO DATA DRIVEN INITIATIVES?
You know, it’s interesting—I was having dinner with a customer in Las Vegas just two nights ago. They’re a large casino, and one of the diners got up from the table early from dinner saying that he had to go to bed in order to get up early to analyze today’s information, and tomorrow’s information, early in the morning because data never sleeps. What he was talking about was actually taking the massive amounts of data that most businesses are tracking, and turning that into information. He is then turning that information into better decisions. If you look at what that casino was aiming for, and what companies like Playphone in Europe is doing, it’s that their marketing folks, their executives and their operational people are attempting to better plan, execute and fine tune their marketing campaigns so that they can get the best return on their marketing spend for the mobile offers that they’re going to give their customers. What Playphone saw was that they were able to get a finer level of detail to actually understand their customers better, their interests, their preferences and their behaviours, so they could get almost one-to-one targeted campaigns for their mobile phone users. They were only able to complete this task running Sybase IQ, because it does enable fine grained analysis of large amounts of data. So it was a great success story that Playphone was able to talk about, and we’ve actually got that
“We see many more customers looking at this area that we call advanced or predictive analytics.”
success story up on our website. IQ really powers that system and they’re doing great with it, winning new customers, and becoming better and more efficient at the marketing campaigns that they’re running. AK: THANKS DAN, THAT’S A GREAT EXAMPLE, AND IT REALLY HIGHLIGHTS HOW IMPORTANT FLEXIBILITY IS AS WELL. HOW DOES SYBASE IQ WORK WITH NEW DEVELOPMENTS? HOW DOES IT HELP BUSINESSES EXPAND INTO NEW MARKETS AND NEW PRODUCT AND SERVICE OFFERINGS?
Well Ali, that’s a critical place where analytics is today. Historically, analytics has been kind of rear-view mirror focussed, if
FACT FILE_ Sybase
> Sybase has a rich 25-year history as a technology leader, starting from its creation in 1984 by Mark Hoffman and Bob Epstein in California. > Sybase has consistently created technology that enables the Unwired Enterprise by delivering enterprise and mobile infrastructure, development, and integration software solutions.
> Sybase products range from database to government solutions. > Database management software: Best-fit infrastructure for managing data within multiple distributed environments and for a variety of purposes. > Business continuity software: Reduces the cost of remote data recovery while reducing business risk and ensuring data integrity. > Business intelligence and analytics software:
Delivers high-performance enterprise analytics and business intelligence without blowing the budget or abandoning investments in technology and knowledge resources. > Mobile commerce: Delivers mobile services from mobile messaging interoperability to mobile content delivery and mobile commerce services. > Government solutions: Select information technology, management and mobile solutions for government agencies. > Healthcare solutions: Provides the healthcare industry with timely and secure access to vital medical information.
HEAD TO HEAD ■ BUSINESS INTELLIGENCE
mirror problems, but they actually were “Sybase then able to take a look towards the predictive aspect of the business. IQ actually comTo go back to the reporting piece—they were able to get their presses the amount KPI’s much more quickly, and they of data that needs to were able to reduce the time spent their existing reports by be stored, and actually toupcreate to 88 or 90%. They saved a lot in storage as well, so that’s a great saves you money in story. The really cool thing is that disk and compute they were actually able to add a new storage.” product line that was web-based to
you will. And now customers and businesses are really trying to figure out how they can take analytics and apply them to make better predictions—get out in front of the headlights, if you will? We have customers taking the information that they have tracked for months, years or maybe decades about their customers and their customer buying patterns, then comparing that with just-in-time data. They’re actually looking at how they can create new services, new products and new product mixes to go after new and different customers, or to get a larger share of the customer wallets. We see many more customers looking at this area that we call advanced or predictive analytics. One such company using IQ is a company called Health Trans. They were on an Oraclebased system and were really not able to get past the reporting problems they had—they were having trouble just doing that rear-view mirror work. They implemented Sybase IQ and it not only allowed them to quickly address the reporting problems they had, their rear-view
their customers. So they actually went to their customers, surveyed what they needed, analyzed that through IQ, and then came up with a new product that is web-based. Now their customers are actually doing some of their own analytics online with IQ under the covers. So it’s a great success story. Health Trans didn’t know that they would actually add this new product line to their business, but they were able to do that with Sybase IQ.
AK: THANKS DAN, THAT’S ANOTHER GREAT CASE STUDY. IT REALLY SOUNDS LIKE SYBASE IQ CAN NAIL DOWN THOSE SOMETIMES QUITE SPECIFIC REQUIREMENTS OF ANY BUSINESS. NOW I WANT TO TOUCH ON COST, BECAUSE I THINK IT’S STILL QUITE AN IMPORTANT CONCERN FOR MOST BUSINESSES, SO HOW DOES SYBASE IQ HELP BUSINESSES MANAGE COST?
I guess the silver bullet for many customers is that they would like to do all this stuff, but many times they go to vendors and it just costs a ton of money to implement systems that are going to help them in managing and
predicting their business, turning information into real data assets, and then into better decision making. That’s one place where, again, Sybase IQ really shines. To the business person it looks like just another database that goes in under the covers. But to the business, or to the DBA or the IT infrastructure people, it’s actually a way that saves money. Traditional data warehouses actually bloat out the amount of information that is being stored and analyzed because they have to do a lot of work to organize the database for analytics. Sybase IQ actually compresses the amount of data that needs to be stored, and actually saves you money in disk and compute storage. Again, the business may not see this directly, but they’ll see that in maybe chargeback costs, the costs are less. So it saves on disk storage, it saves in compute, it saves in a DBA’s time as well. In fact, we find in many of our customers that there is a 4-1 reduction in the amount of DBA resources needed to keep the analytics infrastructure up and running. A good example of that is Experian Integrated Marketing in the UK. They run a 3000-person call centre in the UK directly supporting BSkyB. In their implementation they were able to reduce the actual storage costs by about 69-70%. For them, it has become a green initiative, and instead of bloating out the size of the data warehouse they were actually able to save money on the disk footprint, as well as using commodity Linux servers so they didn’t need to buy any expensive propriety hardware. And just to finish that success story, they’re actually supporting 3000 users in real-time, and taking real-time data to their call servers to better service the BSkyB customers. So that is another great story that is not only a business success, but also a cost success as well.
Dan Lahl SENIOR DIRECTOR OF PRODUCT MARKETING Sybase Inc.
Dan Lahl has been with Sybase since 1995 and in high tech for over 30 years with extensive experience in data management, data warehousing and analytics. While at Sybase Dan has also led emerging technology areas for Sybase, including Data Federation, Data Integration, GRID and Cloud Computing. Dan is currently leading the team that is growing the enterprise software business for Sybase in the areas of data management, data movement, analytics, capital markets and development tools. Dan has a Business Administration degree from the Haas School at U.C. Berkeley and a Masters of Divinity from Trinity Evangelical Divinity School.
Source: Butler Group
ANY USER, ANY QUERY, ANY TIME.
ANY QUESTIONS? Look to Sybase IQ for all your answers. Unlimited headroom for data and users, incremental scalability to grow and adapt, the freedom to leverage standard hardware and operating system, and the flexibility to choose your reporting and analytics tools. Add the strategic advantage of faster, more accurate answers to complex queries, unbounded reporting, deep-dive data mining, and predictive analytics. Now you have insight-driven perspective into risks, opportunities, and rewards—high-performance business analytics proven in over 3,100 unique installations at 1,700+ companies. It takes a smarter analytics platform to power the new business reality. It takes Sybase IQ.
www.sybase.com/bi Copyright © 2009 Sybase, Inc. All rights reserved. Sybase and the Sybase logo are trademarks of Sybase, Inc. ® indicates registration in the United States of America. All products and company names are trademarks of their respective companies.
ASK THE EXPERT ■ BUSINESS PROCESS MANAGEMENT
n an economy still very much in recovery mode, the difference between success and failure often comes down to pure speed—how fast can you resolve company issues? How quickly can you remove waste from your supply chain? How rapidly can you lower costs? It’s towards solving these kinds of issues that business process management was created. ETM’S ALI KLAVER talks to BPM expert MALCOLM ROSS (APPIAN) about choosing the right one. AK: MALCOLM, WHAT ARE SOME OF THE COMMON BUSINESS CHALLENGES THAT BPM IS DESIGNED TO MOST EFFECTIVELY MITIGATE?
BPM is still emerging into mainstream technology for adoption by IT to solve business process management issues, as well as by the business side to more effectively manage their daily processes. The very first thing you should ask yourself is: “What is the status of the work that is in other peoples’ hands?” It really gets down to process visibility, predictability and reliability of your corporate processes. Business process management is designed to solve this challenge around process visibility, as well as control business processes through four main abilities. First, integrating all systems into one holistic process view. When I say systems, I don’t just mean your IT environments—I mean your departments and the people who participate in your process and removing
the stove pipes that often exist inside them. Second, empowering business users to capture process documentation—and empowering IT to turn that documentation rapidly into automated applications. Third, enforcement of business rules to ensure that processes, once encoded, are performed in a very reliable and professional manner so you don’t have one-off exceptions and single customer service reps doing actions outside of the corporate rules and regulations that you want to enforce on all your business processes. Fourth and finally—capturing detailed measurements and statistics on all different aspects of a business process—how long did something sit in someone’s inbox before they processed it, where is the current status of this request and so on. These are some of the things that BPM tries to solve for you to gain better control over your business processes.
BUSINESS PROCESS MANAGEMENT ■ ASK THE EXPERT
AK: BPM, BY ITS NATURE, IS A VERY PERVASIVE SOLUTION— WHAT ARE THE SPECIFIC BENEFITS FOR DIFFERENT CONSTITUENCIES IN THE TYPICAL ORGANIZATION?
BPM is very pervasive, as you mention, and it touches almost every role in an organization. Think about executives—one of the common struggles that executives have is that they’re thinking in a longer-term view and are setting corporate goals and objectives. But how can they align those goals and objectives with their daily operations? BPM is a great tool that allows you to do high level modelling from that perspective. For example, we want to increase our revenue by 30% this year—how are we going to accomplish that? Maybe we’re going to increase efficiencies in some of our customer service areas, maybe we’re going to increase our sales force and target market areas. It’s about seeing the execution of those objectives inside the daily operations of their business. From a manager’s perspective—it’s process visibility, management of daily work and being able to see in real-time the allocation of tasks across their employees. It’s a much more effective way of collaborating with employees. From an end user perspective, it’s firstly about having access to all the data you need to complete your work at the tip of your fingers. An end user sees a collaborative task list with not only the work that they need to accomplish, but also interactions with other users, discussion threads, access to resources and documentation for help in completing these tasks. Most importantly, these detailed metrics are very valuable to the end user because they can compare their individual performance to the corporation—how quickly have I been working, what’s my average time of hiring a new employee versus another department and so on. Lastly—customers. Your customer is the most common connection point, asking for various information from the status of a request to what is going on in the organization. BPM is a great way to increase the collaboration and visibility of your internal operations with your outside constituents, partners and customers, and getting them involved in this global “business process network environment”.
AK: LET’S FOCUS ON AN IT PERSPECTIVE. HOW IS BPM CHANGING THE WAY IT WORKS WITH THE BUSINESS AND DEVELOPING NEW APPLICATIONS?
BPM is changing the way that IT develops applications, the concept of model-driven design, orchestration and business user empowerment. If you think of the traditional way—what many called a mini waterfall development approach—you’d spend several months or even a year gathering requirements. These would be written inside a Word document, and then you’d starting the coding process and go into a Java or .Net development environment. That development process might take several months or even years in large organizations. Once you’re done coding you go back to the business and deliver an application that meets all the requirements, but in the two years it took to create, the business has changed. The requirements have shifted and you now need to modify the application. What you get is a very long, drawn-out development cycle, a slow pace of IT innovation, and IT falling out of alignment because they’re not tracking with the business as it changes. BPM is a more agile software development approach with modeldriven design, so you’re orchestrating services into holistic applications and building what we call compositions, instead of applications, inside the environment. These compositions are basically designed to be fast-paced, agile and change with the business. You might have a JAD session with the business and, directly inside the modelling tool, in that JAD session, you might actually start composing the application. Next month there’s another JAD session and it’s modified, again and again. The development cycles are very agile and you introduce more features in a timely fashion. Again, it’s increasing the collaboration between business and IT using a common documentation and automation tool.
“Appian is the only environment that has no difference between our SaaS on-demand version and our on-premise offering.”
AK: OF THE BIGGEST PERCEIVED ROADBLOCKS IN IMPLEMENTING BPM SOLUTIONS, WHICH DO YOU THINK ARE REAL ISSUES AND WHICH ARE MISCONCEPTIONS?
One of the biggest misconceptions we deal with is that the BPM environment is just another tool that an IT user can use to build an application. It actually requires a lot of business user involvement in not only defining these business processes, but also managing them daily. It aligns IT better with the entire operation of the organization as well. It’s actually about getting business and IT to collaborate more effectively together in building an application, completing the daily processes and meeting a common goal.
AK: HOW ARE COMPANIES GETTING STARTED IN BPM TODAY?
It’s best to start small in BPM and focus on your process priorities and create what I would call a “process eco-system map” to chart your processes on two different axes—one axis being value to your organization, the other axis being complexity. Value to your organization might consist of things such as; “This process supports a strategic corporate goal”, “this process is a main revenue generating process” or “this process affects a lot of people inside our organization”. Complexity could include; “This process is a high risk area”, “this process is poorly documented” or “this process has a lot of integrations and rules”. Something that also adds to the complexity is the fact that a process touches a lot of people. If you’re introducing a new technology and need to educate people in its use, then this increases the complexity. What you want to focus on as an initial application is a high-value, lowcomplex process. You want it to evolve into the higher complex processes
ASK THE EXPERT ■ BUSINESS PROCESS MANAGEMENT
over time. Creating this process eco-system map is very important as a starting point to understand where your organization can best benefit from BPM technology. BPM has always had an issue in proving direct ROI because we’re often evolving from a state that was undocumented, so we had no real understanding of what the true cost of that process was. Often one of the main benefits of initial installation, or implementation, is that you suddenly gain that visibility into exactly how much that business process cost your organization. AK: I KNOW APPIAN HAS A VERY LARGE AND QUITE IMPRESSIVE CUSTOMER BASE. CAN YOU TELL US ABOUT WHAT SOME OF THESE CUSTOMERS ARE DOING WITH BPM, AND HOW YOU THINK IT’S MAKING THEIR ORGANIZATIONS BETTER?
We have a diverse customer base since the nature of our application is very horizontal. We solve business processes from the federal government and the military here in the US, to small and large enterprises around the world. For example, a global customer we’re very proud of is Enterprise Rent-A-Car. Enterprise Rent-A-Car came to us about five years ago with a key process problem around IT request management. They had initially built a solution using the waterfall development approach on a .Net platform. It affected all 65,000 employees and didn’t work out very well because it couldn’t adapt to change quickly, and they also had over 200 different processes supported by this one application. By using Appian BPM, they’ve been able to model an entirely new system that’s able to adapt quickly to how their processes evolve. They now have a common request online system that allows all 65,000 employees to see the available services in a service catalogue, submit a request to the Enterprise Rent-A-Car headquarters, and see the exact status of all the requests inside the system. They have real-time visibility that they didn’t have in the original application. Based on this success, another division, Group 32, which is among the largest subdivisions of Enterprise Rent-A-Car and does all the rental car management for Southern California, started using Appian BPM to optimize their accounts payable processes. Group 32 has thousands of cars that need to go to body shops to be repaired and then put back into service. This repair process generates a huge amount of accounts payable, invoices and payment transactions between the suppliers providing the repair services. Appian was able to automate these processes and gain visibility through the financial divisions so they could see exactly where they spend, who their most common vendors are, how effective those vendors are in responding to the repair requests, and more effectively reduce the time it takes to get a vehicle repaired, the supplier paid, and the vehicle back out on the street.
“Appian is unique through its ease-of-use and the comprehensiveness of the tool.”
AK: CAN YOU TELL US WHAT IS UNIQUE ABOUT WHAT APPIAN IS BRINGING TO THE BPM MARKET?
Appian is unique through its ease-of-use and the comprehensiveness of the tool. If you look at other BPM vendors, they’re often providing a narrow component of the entire BPM stack. By this I mean other BPM platforms provide a basic user interface such as electronic forms, a basic reporting environment and a process modelling environment. But there is more functionality needed such as content management, role-based dashboards, integration adapters, rules and a shared repository for application components. For example, when you think about automating human processes, then having your enterprise content management system natively integrated is very important. Appian is the only BPM provider that provides all of these components in one integrated suite solution, making your management and maintenance of the environment extremely easy, and your uptime to get the system going extremely fast as well. Another unique thing about Appian is that an entire solution is available as either an on-premise, or a SaaS-based on-demand offering. So, if you’d like to start modelling your processes right now, you can go to www.AppianAnywhere. com and register. We’ll have an account for you in a few minutes so you can begin using BPM. Appian is the only environment that has no difference between our SaaS on-demand version and our on-premise offering. It provides a great amount of flexibility. A lot of customers just want to dip their toe into BPM first—they can come into our SaaS environment, do an evaluation, do a pilot project, and then decide if they would like their IT department to take it in-house and manage it as an on-premise application. That’s no problem—you can transfer any time between the two environments. We’ve even had other customers say that they’ve had to cut back on IT staff and they don’t have the resources to maintain the servers. We can then transfer an on-premise environment to a SaaS-based offering and go back and forth, or have a combination of the two offerings there for one customer. It’s a great way to get quickly started with an entire BPM solution.
Malcolm Ross DIRECTOR OF PRODUCT MANAGEMENT Appian Corporation
Malcolm has been directly involved in the implementation and development of enterprise BPM solutions for over 10 years with a variety of BPM platforms. Prior to his involvement with BPM technologies, Malcolm worked for leading B2B and B2C e-commerce software providers and led numerous technology consulting engagements at Fortune 100 corporations. Malcolm received his BS degree in Computer Science with a minor in Actuarial Mathematics from Florida State University.
ANALYST FEATURE ■ BUSINESS INTELLIGENCE
Step up to the BI revolution CLIVE LONGBOTTOM (QUOCIRCA) explains that even though business intelligence is highly regarded by CIOs, it’s not being utilized half as well as it should be—if at all. So when will business see the need?
usiness intelligence (BI) has been the focus for many technology vendors over the past year or so—to the point where it has possibly been overblown and overhyped.
With the number of pure-play BI vendors shrinking rapidly as the mainstream technology vendors buy them up (for example, Oracle with Hyperion, IBM with Cognos, and SAP with BusinessObjects), you would have thought that the onslaught of information would by now have meant that the market was fully aware of what BI offers, and purchasers would have made up their minds on
which direction to go product-wise. But there seem to be many problems out there in the end-user community, not least of which is understanding what BI really is. Over the past few months, Quocirca has carried out research into perceptions of BI for both Oracle and IBM. The findings have shown that while the mid-market organizations seem to see the need for suitable business intelligence, the larger organizations have yet to fully understand what it means for them. For example, in Figure 1, we see how mid-market organizations in the UK perceive the concept of BI. When we compare this with Figure 2, where Quocirca looked at large organizations around the world, we see a completely different picture. Although
BUSINESS INTELLIGENCE ■ ANALYST FEATURE
the research was couched in slightly different ways, the overall comparison between the two data sets yields some interesting, yet worrying, findings. Whereas a third of the mid-market respondents see BI as providing them with a means of looking backwards and forwards at the performance of the business, with two thirds seeing it as providing forward-looking capabilities, only 30% of large organizations see BI as a strategic tool, with nearly one quarter stating that they do not know what BI is. Note how less than 5% of the mid-market respondents see it as being overly expensive, against 15% of large organizations. For technology vendors in the BI space, much of their messaging has been aimed at the large organizations, where “big ticket” projects are to be found. One reason why Quocirca believes the research in this market provided such a picture is that we were not talking to IT people—we were talking to lines of business people, those who have a responsibility for dealing with data and reporting on it within their business. At the mid-market level, these people will need to talk to IT to gain even basic support for their needs, and the business person will carry out a degree of research themselves into what can be provided to make their job easier. In large organizations, things become more prescriptive and employees get on with doing their jobs, rather than researching means of solving the issues in different ways. Therefore, the focus from the vendors on selling to IT people in large organizations means that the financial reporting people have little influence on what is happening. If IT are essentially unaware of the problems the end users are up against, then they are certainly not going to try and identify exactly what the problem is to add to their own workload of issues to deal with—especially with additional constraints on spending. The basic messaging around BI should be about getting the right information, in the right format, to the right person, at the right time— surely something that it would be difficult for any business person to disagree with? This may be so, but when you look at a lot of the actual messaging that comes out from vendors, it is not quite so straightforward. Some get BI confused with reporting only against formal data held in databases, others get too technical in discussing how their solutions can integrate with enterprise applications via SQL and JDBC. Your average business person doesn’t care about this—they just want to get their job done.
And for many, it is not a case of being able to report against formal data held conveniently in databases. Figures 3 and 4 show how the respective groups responded around spreadsheet use. Again, although the wording of the question and the response mechanisms are slightly different, we can see that there is a tendency in both cases to the perception that spreadsheet use is harmful to the organization. Too many people take the easy option when dealing with their data needs. They aggregate what they need by creating a new spreadsheet, and then use whatever skills they have to manipulate the data and produce graphs for distribution as required. The main problem that this introduces is that the spreadsheet is no longer a “live” document— it is now a snapshot of what has happened and doesn’t reflect what IS happening. Today’s organizations are too dynamic for this approach,
and BI must be able to support reporting against live data and information sources—including spreadsheets and the internet. So what is the real opportunity for BI? Vendors obviously have to create messaging more resonant with end user needs, and they must ensure that they talk to those who will actually be using the tools. BI has to be able to provide results that enable an end user to rapidly uncover information that they would not be able to uncover through other means within a feasible timescale. BI must also be able to embrace the whole audience who need the information created—whether they be employees, contractors/consultants, partners, suppliers or customers, and the pricing has to reflect this. On the whole, today’s BI offerings already do this—but the perception is that they don’t. The key may well be in positioning BI as a central tool for a broader group of people. This
ANALYST FEATURE ■ BUSINESS INTELLIGENCE
may require core pricing structures to be more flexible, enabling more people to become active in manipulating data and information for their businesses. Although “free” seats for readers are now pretty much standard, it may well be that vendors need to provide a more active capability to make BI strategic to the business. For example, the majority of BI tools are aimed at just a few people within an organization. A 1000-employee organization may well have less than 100 full seats of BI in place, and a 100-user organization may have less than five, or even just one. If a vendor were to lower its per seat cost by let’s say 50%, it could take that 100 user base in the large organization to 400 seats—an increase in revenues for the vendor of 200%. Effective BI is more than just “important” in today’s markets. Without it, organizations cannot be fully responsive against their competition and will be making decisions based more on “gut feel” than on reality. The markets are changing, and vendors are having to face up to open source offerings as well as niche players who are bringing novel, far more intuitive approaches to the fore. Quocirca recommends that organizations put pressure on BI vendors to more effectively meet their needs—greater reach at lower cost—and that they then use the BI capabilities to apply greater control over their data assets, and to create a more useful view of probable futures for their organization.
Quocirca’s reports on the Oracle and IBM research are freely downloadable from Quocirca’s site at http://www.quocirca.com/ prep_fuel.htm (IBM) and http://www.quocirca. com/prep_epm1.htm
Clive Longbottom SERVICE DIRECTOR, BUSINESS PROCESS FACILITATION, Quocirca In his position Clive covers the need for companies to understand the core processes in their value chains, and the technologies that should be utilized to facilitate these processes in the most flexible and effective manner. In his remit, Clive covers collaborative tools, workflow, business process discovery and management tools, servicebased architectures and outsourcing, as well as other associated areas such as security, voice/data convergence, and IT asset optimization.
Want to Accelerate Growth? Get GIL. Growth, Innovation and Leadership 2010 is HERE!
Frost & Sullivan’s premier networking event, Growth, Innovation and Leadership (GIL), brings together the best and brightest of visionaries, innovators and leaders to inspire and be inspired.This interactive exchange of fresh ideas, innovative strategies and proven best practices empowers CEO’s and senior executives with the necessary tools to accelerate the growth rate of their companies.
Join us - learn, share, engage, inspire and be inspired. CEO’s and their growth teams frequent GIL to: · · · · · · · · · ·
Focus on driving growth, innovation and leadership Discover fresh and innovative ideas Exploit opportunity in any economic climate Network with cross-industry peers Gain a 360 degree perspective of their industry Learn best-practices in driving growth Benchmark award-winning tools and strategies Actively engage in our global community Advance their ability and career Become innovators, visionaries and leaders
Attend Today! www.gil-global.com/europe Email: firstname.lastname@example.org Tel: +44 (0) 20 7730 3438
Strategic Partner GIL 2010: Europe The Global Community of Growth, Innovation and Leadership 17-19 May 2010 Emirates Satdium, London, UK
ASK THE EXPERT ■ BUSINESS INTELLIGENCE
Fuel for growth
RUCE ARMSTRONG (KICKFIRE) talks to ETM’S ALI KLAVER about the critical role of analytics in successful organizations and how smart data warehousing and business intelligence are the way forward. AK: BRUCE, HOW IMPORTANT IS BUSINESS ANALYTICS IN TODAY’S COMPETITIVE MARKET PLACE?
I would quote a study by Gartner who is one of the industry analysts tracking this space. For the last four years running they’ve created a CIO survey, and the number one priority on a CIOs list of top 10 is business intelligence and data warehousing. I would say that it has been a top priority for a long time, and continues to be. If you take a look at what’s going on in the market today and what businesses need to deal
with, being able to analyze the information that they have available to them on their customer behaviour, their products and their inventories is critical to being able to stay in business and to become leaders. One of our customers in the video advertising space, LiveRail, has seen a great shift in the market to online business. The video advertising space is expected to reach over five billion in just a few years time, so that’s one of the spaces that’s creating a whole new set of data that needs to be analyzed. LiveRail provides not only video advertising services to their big customers like Sony, but
also the video metrics associated with those ads. Who is watching those ads? Are they pausing? Are they skipping through them? It’s critical information for this new channel to get to the end customer. So there’s expected to be over 60% growth in that business in years to come. That’s just one example of how critical analytics has been, and with some of the new data types and channels to get to end customers, just how important it’s going to be in the future as well. AK: THANKS BRUCE, THAT’S A GREAT EXAMPLE. ETM IS SEEING THE SAME
BUSINESS INTELLIGENCE ■ ASK THE EXPERT
SORT OF SYNERGY WITH THAT FOCUS ON DATA WAREHOUSING IN THE FIELD. BUT WHAT DO YOU THINK IS SO DIFFERENT ABOUT TODAY’S COMPETITIVE ENVIRONMENT?
I think especially since the economic downturn last year it seems as if the dust is settling, and it remains to be seen just what the growth is going to be this year in the worldwide economy. It’s all about taking advantage in these peaks and valleys of the economy, and what we’re starting to see is that our customers are beginning to grab market shares as quickly as possible. One of our other customers—Barry Diller’s InterActiveCorp, a large division of IAC which is a multi-billion dollar holding company of web properties—is Mindspark. They became a Kickfire customer last May and have already bought three more systems from us. What they’re doing is essentially aggregating content across their various websites and analyzing the interactions between those websites so they can move traffic between them in a more effective way. They’re essentially locking out their competitive sites that may only have one or a small number of sites. Mindspark has a vast network of websites focussed on different demographics, and the ability to analyze the traffic between those sites gives them a huge advantage and allows them to take market share when it starts to pick up here. AK: THANKS BRUCE, THAT’S ANOTHER GREAT EXAMPLE AND I KNOW OUR AUDIENCE LOVES CASE STUDIES. LET’S SPIRAL OUT INTO A KIND OF FUTUREFOCUS, IF YOU LIKE. CAN YOU TELL ME ABOUT THE CHANGES THAT IT NEEDS TO PROVIDE TIMELY BUSINESS ANALYTICS?
Obviously the technology continues to evolve, and the different channels and distribution models also continue to evolve. You have increasing interest in cloud businesses and you’ve got an increasing use of open source technology. But what hasn’t changed is the need for IT to very rapidly deploy systems at a low cost and high availability. What we’ve done here at Kickfire is package in a data warehouse appliance, using MySQL, the number one open source database, which means that it’s low cost and widely accepted within small and large enterprises.
We have a data warehouse appliance that provides very high performance data warehousing at a fraction of the cost, and because it’s a true appliance with storage and server and software—all completely packaged together and optimized in a single server—we get customers who have been able to deploy a data warehouse appliance in less than a day. That kind of responsiveness is what IT really needs to drive in order to not only meet the business requirements that are constantly changing, but to begin to eat away at that backlog which has frustrated their end user business customers. So, we believe that IT needs to continue to do their job of deploying systems rapidly, costeffectively and reliably, and at Kickfire we’ve tried to help them with that task. AK: YOU’RE RIGHT BRUCE, RAPID DEPLOYMENT AT LOW COST IS ESSENTIAL IN THIS SPHERE, AND ESPECIALLY BECAUSE IT IS SUCH A HIGHLY COMPETITIVE MARKET. CAN YOU TELL US WHAT THE NEW REQUIREMENTS ARE FOR DATA WAREHOUSING AND BUSINESS INTELLIGENCE INFRA STRUCTURE?
Well, the data continues to grow. The ability to rapidly deploy data warehousing in a cost effective way, and then being able to scale the technology up, continues to be very important as the data continues to grow. It’s equally important to meet the new requirements in terms of the types of analytics. The way customers are trying to analyze the data continues to be important, so having a very flexible infrastructure from a BI perspective continues to be vital. What we’ve done at Kickfire is invented the industry’s first SQL chip. We’ve implemented SQL on silicon which allows data to be flowed through our purpose-built co-processor at 100 to 1000 times’ faster performance than general purpose computers. One Kickfire SQL chip is equivalent to over 30 general purpose computers. So rather than having to deploy a massive infrastructure with massive parallel processing and sometimes up to hundreds of general purpose CPU’s, with the Kickfire chip you can greatly reduce the cost, footprint and power consumption required, which then allows companies to scale up in a much more efficient and cost-effective way.
Rather than adding 30 new general purpose CPU’s every time your data grows, you add another single Kickfire SQL chip. We believe this is a huge breakthrough. I started my career at Teradata, I was there for 15 years and I ran the business. We went public and I ran the business for NCR when we were part of NCR. Teradata is the number one data warehouse company in the world, and it is not uncommon for customers to spend millions if not tens of millions of dollars to get high performance data warehousing using general purpose computers, which is what Teradata uses. I’ve learned from that experience and realized that not only do the high end customers demand lower cost, high performance and high reliability solutions, but there’s a whole new segment of the market, especially driven by the web, that requires much lower cost and much lower power consumption. Hence, the breakthrough that Kickfire has provided with the SQL chip enables not only the high end customers to more cost-effectively deploy high performance data warehousing, but also a whole new sector of the market, driven mostly by web-based businesses. AK: I DID A BIT OF RESEARCH EARLIER AND I WAS GOING TO BRING THAT UP MYSELF—THE KICKFIRE SQL CHIP REALLY HIGHLIGHTS THAT SORT OF FLEXIBLE BI INFRA STRUCTURE YOU WERE TALKING ABOUT EARLIER. I’D LIKE TO HAVE A LOOK AT THE CURRENT MARKET IF WE CAN—TELL ME WHICH ENTERPRISES ARE REALLY
“The way customers are trying to analyze the data continues to be important, so having a very flexible infrastructure from a BI perspective continues to be vital.” 23
ASK THE EXPERT ■ BUSINESS INTELLIGENCE
POISED TO WIN IN SUCH A CHANGED MARKET BATTLEGROUND?
We see mostly online and what we’re calling digital-based business—so not only web businesses but as I mentioned before LiveRail and video. We also have customers in the mobile app space, like Nokia and Handmark. Another one of our customers in the social networking area, Mamapedia, is the number one social networking site for mothers. They have over two million mothers online communicating with each other about everything from babysitters and landscaping, to how to raise a child in a home school environment. It’s a very popular site, growing very quickly, and our view is that businesses that are going to succeed are ones that are able to adapt to their changing demographics very quickly. When Mamapedia first started they had a smaller number of mothers online and they were able to keep in touch with their customers through newsletters. All of their business intelligence and analytics was around what exact content should be delivered to which exact mother, associated with their areas of interest. That was very effective, built a very loyal group, and really allowed Mamapedia to grow their business from there because they knew they had the formula right. Their analytics have completely changed as their business model has now shifted to attracting new mothers online, and so they’ve grown very rapidly through search engine optimization and other types of analytics that allow them to draw new mothers in who correlate with their existing mothers online.
This was a big shift in their analytics and it exemplifies what we think is going to be the critical success factor for businesses today and in the future, which is being able to rapidly respond to their customers needs and their changing business models as they grow.
AK: THANKS BRUCE, THAT’S A GREAT EXAMPLE OF RAPID GROWTH THROUGH A SHIFT IN ANALYTICS THAT YOU WERE TALKING ABOUT. FOR OUR FINAL QUESTION, TELL ME IN WHAT OTHER MARKETS ARE YOU SEEING COMPANIES LEVERAGE ANALYTICS FOR SUCCESS?
We’ve been focussed on the digital markets that we’re talking about, but in more traditional spaces we also see continuing growth in business intelligence and analytics. Traditionally financial services has been a large consumer of data warehouse technology—on the retail side they have lots of customers, and on the commercial side lots of transactions, so a lot of data comes at them in financial services. We have recently expanded our sales force to have a specialist in the financial services market based in New York, on Wall Street, to be able to go after that market. Scott Davidson, our district sales manager, has worked at Sybase and at other business intelligence companies, focussed on financial services and especially around Wall Street. Scott is beginning to penetrate the financial services market as they continue to grow in their need for analytics, but also again looking for rapid deployment and cost-effective, highperforming data warehousing.
Bruce Armstrong CHAIRMAN OF THE BOARD AND CEO Kickﬁre Bruce is a database industry veteran with 25 years of technology-specific development, marketing and sales expertise. He began his career at data warehousing giant Teradata Corporation, where he spent 15 years as part of the team that established the company as the leader in the market. Following Teradata, Bruce held the position of Vice President and General Manager of the Server Products Group at Sybase, where he ran the company’s $700 million enterprise database management business. Bruce has a Bachelor’s Degree in Computer Science from the University of California at Berkeley.
“... the number one priority on a CIOs list of top 10 is business intelligence and data warehousing.” We also see two other markets. One is healthcare, and we’ve got a relationship with systems integrators in the healthcare and health services market. A lot of this is coming from the government, essentially mandating new requirements for collecting and analyzing information, and so this is driving up the need for data warehousing technology. We are getting into that market, because it’s highly specialized, through systems integrator partners such as a company called Lancet. Finally, retail companies have also been a big consumer of data warehousing. The famous example of course is Walmart and their use of a data warehousing technology in order to analyze point-of-sale transactions. That need to analyze more and more information, and also to begin analyzing the multi-channel relationship between e-commerce as well as store-front sales, becomes more and more important. We have actually partnered with another systems integrator who is an expert in this space, a company called RSI, to be able to go after the retail market. So in addition to the web businesses, or the digital businesses that I mentioned before, financial services, healthcare and retail continue to be more traditional businesses, but will very quickly expand their use of data warehousing and business intelligence.
HEAD TO HEAD ■ DATA WAREHOUSING
IT IQ O
rganizations are experiencing a growth in the amount of data they generate, and an accompanying demand for making sense of that data in real time. Among the many IT challenges in today’s business world, DAN LAHL (SYBASE) tells ETM’s ALI KLAVER how Sybase IQ is succeeding.
http://www.GlobalETM.com AK: OUR FIRST QUESTION TODAY IS ABOUT CURRENT MARKET TRENDS, SO WHAT DO YOU THINK ARE THE MAJOR TRENDS REALLY DRIVING THE NEED FOR CHANGE IN ANALYTICS AND DATA WAREHOUSING ENVIRONMENTS TODAY?
Well, as we say in the United States, that’s the $64,000 question. There are a lot of trends that we see in this analytics space, there’s a high amount of churn and misunderstanding, and a lot of people are trying to come to grips with what’s going on in data warehousing and analytics. Let me outline where we see the trends from an IT perspective. Analytics (and data warehousing) is shifting from a very strategic part of the business where you have just a few super-users that are doing data warehousing analytics. It’s moving down to operational analytics where you have lots of users demanding that data from the organization be turned into information for their decision-making processes. So we see lots of users now demanding the need for data. Second, we see users again demanding ad hoc queries—that means not just standard reports that provide one key performance indicator or KPI, but the ability of the user to drill through so they can get the answer to the next question they want to ask, and the next, and the next, all in a chaining type of series of events. So the need for ad hoc queries is also large. The third is the move from getting a reporting style of analytics to actually moving into predictive analytics—to go from the “rear view mirror” analytics to “in front of the headlights” analytics. We see a lot of people looking to do more deep data mining and using tools to do predictive analytics—that’s also a big trend. The final trend that we see is the absolute explosion of data to be analyzed. It used to be that the vendors would talk about the explosion of data, and now the customers are actually talking about the explosion of data in their enterprise. That has to be analyzed and turned into information, and then has to be really understood so that it can be turned into better decision making. So those are really the four trends that we’re seeing—the demand by more users, the need to do ad hoc query analysis, the look towards predictive analytics versus rear view mirror analytics, and then the absolute explosion of data.
AK: THANKS DAN. THOSE ARE GREAT POINTS AND WE’RE SEEING THE SAME THINGS HERE AT ETM, ESPECIALLY THE EXTREMELY HIGH DEMAND FOR USABLE DATA WHICH IS CERTAINLY A BIG ISSUE. I THINK WITH THESE TYPES OF DEMANDS IT REALLY SPIRALS OUT INTO THINGS LIKE FLEXIBILITY AND EVEN SECURITY. SO WHAT TECHNOLOGIES DO YOU THINK SUPPORT THE NEED FOR GREATER SPEED AND SECURITY OF ANALYTICS ENVIRONMENTS?
If you look at a big high level view of what is trying to handle these trends and to answer them, there are really three basic technologies that do that. The first is the traditional row-based analytical products—like Oracle, SQL Server and (IBM) DB2—and our own product from Sybase called ASE, where you’re actually taking a row-based system and trying to do analytics on top of that. That has proved around those four trends to not be as capable as in years past, so there are what we call specialty analytic servers coming out in the flavour of analytic appliances. What you do is you take the approach of throwing a lot of hardware at the problem, so that you can answer those four trends. The third area is to actually take the database of information that you have and instead of organizing it by row, organize it by column, because at the end of the day what you’re actually doing is analyzing the attributes, which are the columns. The approach that we’ve taken with Sybase IQ is to actually organize that spreadsheet of database information, if you will, into columns versus rows. And the example I like to use is one a couple of days ago—I was in Las Vegas and I bought a latte at the Caesars Palace Hotel, and I paid $4.50 with my Visa card. From a transactional standpoint, the right way to organize that is by row. But if Caesars Palace wants to understand if they’re selling more lattes than mochas or Americanos, and that they should perhaps increase the price of their lattes, they’re actually analyzing the columns, or the attributes of that information, not the rows. So doesn’t it make sense to organize that information by columns versus by rows? That’s the core value proposition of the Sybase IQ product.
DATA WAREHOUSING ■ HEAD TO HEAD
And then we’ve added a number of different things on top of that as well, like the ability to do in-database analytics, and provide security functions for data at rest, data at flight and user-authentication—plus the ability to scale out the environment through adding nodes or adding disk structures to the system. But that’s really the three basic pieces—it’s the row-based, that are kind of falling over, it’s the appliances that are really a brute force approach, and the Sybase IQ approach which is the column-based approach that we think is a more elegant and smarter approach to analytics. AK: THANKS DAN, WHAT A GREAT EXAMPLE ABOUT THE USABILITY OF DATA. I WAS WONDERING, WHAT INNOVATIONS REALLY ADDRESS THE NEED FOR GREATER USER CONTROL OF THE ANALYTICS ANALYTICAL QUERIES?
“... the Sybase IQ approach... is a more elegant and smarter approach to analytics.”
We’ve talked about the trends and if you tie that back to what’s going on with users, ad hoc queries, predictive analytics and with the people who are watching data, we’re finding that more and more people have to do self-service on their analytics. We have a number of customers who are now required to expose their information to an unknown number of people for whatever queries they want to run over the web. That’s 24x7 unknown queries, and to give that kind of requirement to an IT person or a DBA or a CIO will give them nightmares, because in the past it’s been really hard to optimize a data warehouse for that type of environment. Again, Sybase IQ is able to handle that. Take that core value proposition of organizing by column without having to do a lot of work and gyrations on top of your row-based system to optimize for analytics by adding indices, or aggregates or cubes—if you can handle that through just the core structure of the database and the query optimizers that optimized to hand the SQL coming in for analytics, then customers are able to actually provide that to their users. A good example of that is a company called LoanPerformance in San Francisco. They have to do 24x7 operations for their customers who are all over the world. They track mortgages not only in the United States but in other countries as well, and they have to be able to provide full access to their data structures, which is over a couple of terabytes, to any customer that comes in. Every month they have to update their database with more attributes and more columns—did the person pay on time? Did this mortgagee pay the full bill? Did they miss a payment? This is a very complex environment, and they realized they could only expose it to their user community using a technology like Sybase IQ. We think that we’re hitting a sweet spot of the trends, and Sybase IQ is providing not only business value, but letting those DBAs and CIOs sleep at night. AK: IT CERTAINLY SOUNDS LIKE QUITE A COMPREHENSIVE SOLUTION, BUT IT’S ALSO ABLE TO PINPOINT SPECIFIC BUSINESS REQUIREMENTS. HOW CAN BUSINESSES BETTER ADDRESS THEIR NEED FOR MANAGEMENT OF INFORMATION THROUGHOUT ITS LIFECYCLE?
their enterprise data warehouse, or even their data marts for that matter. We actually have customers, either government or non-government, that are actively managing, with IQ, terabytes of data. So in this management of data we’ve added a new option to Sybase IQ that allows you to do information lifecycle management for data warehouses. The advantage is that you can take your most recent data—let’s say your current quarter or your current month’s information—and put that on your most expensive EMC disks, if you will. Then take your data from one month, or one quarter to a year, put that on the slightly slower disks, and then take the information from a year on out and actually put those on very slow disks, because it’s not going to change and it’s really only used for archive purposes. Then you can run queries against all of that information. So within Sybase IQ we call that our VLDB (very large database) or information lifecycle option. We’re seeing a number of customers really excited about that because they can optimize not only for cost, but they can optimize for backup as well. Once you get past a year your data is probably not going to change and you don’t need to back it up as often as the most current data. The second piece that we see is that we’re actually able, through other Sybase products besides Sybase IQ, to load the data in real time. Some customers want to analyze just-in-time information with historical information. We’re able to have some of our customers like BNP Paribas over in France take information in every five minutes and load it, and then analyze it in five-minute increments. It’s pretty amazing what that customer is doing with the management of their information. Finally, we also have the capability to model the data, to change the schemas of the data, going from third normal form to star, or snowflake schema, and you can do that quite easily through other tools that we provide from Sybase like PowerDesigner and other tools. So we’ve spent a lot of time and effort to help our customers in the lifecycle management of their information. Again, we see that as a key part of that fourth trend I outlined at the outset.
In that fourth trend, which is about lots of data that need to be analyzed, we actually see a lot of customers now struggling with handling
Dan Lahl SENIOR DIRECTOR OF PRODUCT MARKETING Sybase Inc.
Dan Lahl has been with Sybase since 1995 and in high tech for over 30 years with extensive experience in data management, data warehousing and analytics. While at Sybase Dan has also led emerging technology areas for Sybase, including Data Federation, Data Integration, GRID and Cloud Computing. Dan is currently leading the team that is growing the enterprise software business for Sybase in the areas of data management, data movement, analytics, capital markets and development tools. Dan has a Business Administration degree from the Haas School at U.C. Berkeley and a Masters of Divinity from Trinity Evangelical Divinity School. 27
EXECUTIVE PANEL ■ APPLICATION LIFECYCLE MANAGEMENT
Searching for Agility JULIE CRA IG (ENTERPRISE MANAGEMENT ASSOCIATES) moderates a dynamic discussion on application lifecycle management with the expert opinions of GILES DAVIES (MICROSOFT), BRIAN ZEICHICK (COLLABNET) and TIM JOYCE (SERENA SOFTWARE). http://www.GlobalETM.com JC: PERHAPS OUR PANEL CAN START BY TELLING US A BIT ABOUT THEMSELVES, THEIR COMPANY AND THEIR ALM SOLUTIONS?
My name is Giles Davies and I work for Microsoft in the UK. In fact, I’m relatively new to Microsoft and joined about 15 months ago but my background is in development and application lifecycle management solutions. I work in a group called the developer and platform evangelism group whose mission is to secure the platform for Microsoft, so that’s around Windows and the other platforms that Microsoft has. Specifically, I work in the development tools team and I’m a tools technology specialist within that team, covering our application lifecycle solution which is primarily Visual Studio and Team Foundation Server.
This is Brian Zeichick. I work at CollabNet as a Product Manager for TeamForge which is our ALM solution for distributed teams. I have experience in scoping and designing features, analysis and goal-directed user-centric design theory. In addition, I also cover web development and standards, including rich internet applications. Founded in 1999, CollabNet is based on open source principles. We are also the company behind Subversion, which is the leading SCM (Software Configuration Management) solution. CollabNet is the ALM platform leader for distributed software teams. Our ALM tool, CollabNet TeamForge, is one of the most open and accessible platforms in the industry. It allows teams to manage the entire software development lifecycle using Agile or any other process methodology.
My name is Tim Joyce. I’m Senior Product Manager for Serena’s flagship—SCCM Solution, Dimension CM. I spend a great deal of my time talking to our customers about their pains and requirements around ALM, both specifically for SCM and the broader ALM space as well. I’ve been working with Serena ALM solutions for about 14 years now, and that’s across a number of different roles including consulting, training, marketing and product management. Serena Software is a global ALM company with around 15,000 customers worldwide. We provide a range of solutions including software change and configuration management, application developments, business process management, and of course project and portfolio management. JC: TO START THINGS OFF, I SEE APPLICATION LIFECYCLE MANAGEMENT AS BASICALLY A FUSION BETWEEN THE TECHNOLOGY SIDE OF THE BUSINESS IN TERMS OF DEVELOPING, DEPLOYING AND MANAGING APPLICATIONS, AND THE BUSINESS FUNCTIONS OF PRIORITIZING, FUNDING AND STAFFING THEM. MY RESEARCH IS SHOWING ME THAT THERE’S A LOT OF APPLICATION DEVELOPMENT HAPPENING IN TODAY’S COMPANIES, AND THAT IN FACT THE FREQUENCY OF COMPANIES REPORTING CUSTOM APPLICATIONS LEADS THOSE REPORTING PACKAGED APPLICATIONS BY A SIGNIFICANT MARGIN. THAT BEING SAID, VIRTUALLY EVERY COMPANY DOING APPLICATION DEVELOPMENT HAS SOME ELEMENT OF APPLICATION GOVERNANCE IN PLACE. FOR EXAMPLE, MOST HAVE A STANDARD DEVELOPMENT ENVIRONMENT, SUCH
APPLICATION LIFECYCLE MANAGEMENT ■ EXECUTIVE PANEL
AS ECLIPSE. MOST ALSO HAVE A STANDARD LIFECYCLE METHODOLOGY AND SOME TYPE OF CODE REPOSITORY AND VERSION CONTROL. WITH THAT INTRODUCTION, THE FIRST QUESTION I’D LIKE TO POSE IS WHY DO THE COMPANIES DEPLOY APPLICATION LIFECYCLE MANAGEMENT SOLUTIONS, AND WHAT ARE SOME OF THE ISSUES THAT ARE ACTUALLY DRIVING THESE DEPLOYMENTS?
One of the ones that I come across frequently is around project transparency and reporting to team leaders, project mangers, senior management and so on. The issue that I’ve come across a few times, particularly around reporting and status of projects, is that it’s really not to have surprises around what’s going on. So, how do we know what the quality of this project is? Are we likely to release on time? Having access to that information, and having confidence in it, is one of the big drivers for us in providing an ALM solution.
They may have a stack of individual products, absolutely. And it’s not so much the functionality within each of those pieces, it’s actually getting the understanding out of that set of products, if you like. JC: ONE THING THAT I’VE NOTICED IS THAT ILLUSTRATIONS ARE ALWAYS MORE INTERESTING THAN DESCRIPTIONS, SO I’D LIKE TO ASK THE PANEL TO TALK ABOUT A SPECIFIC CUSTOMER DEPLOYMENT AND HOW THEY DEPLOYED APPLICATION LIFECYCLE MANAGEMENT. ALSO, WHAT KINDS OF BENEFITS ARE THEY SEEING?
“They’re changing the way they work and I think that’s been very positive for the industry.”
JC: SO THEY HAVE THE PIECES IN PLACE, FOR EXAMPLE ECLIPSE, AND A CODE REPOSITORY AND THAT SORT OF THING, BUT THEY NEED TO BE ABLE TO PULL TOGETHER A BIGGER PICTURE.
My example is of a smallish company, probably in the region of about 150 in development staff, in financial services. We became involved because the company had grown through acquisition and part of the organization was .Net based, in terms of technologies, and part of the organization was Java-based. They got to a point where different teams had different stacks of products and they had a mix of technologies around version control, how to track changes and defects, different build solutions and so on. They wanted to both consolidate and simplify the tools they had and manage the infrastructure in a more efficient way, but also to address the issues around reporting. One of the other challenges we had, which I thought would be
EXECUTIVE PANEL ■ APPLICATION LIFECYCLE MANAGEMENT
interesting to chuck in was, of course, the Java technology base. So from our point of view, the development teams at an IT level had a mixture of Visual Studio and Java. What we did was introduce Team Foundation Server as the single repository that can store all of this information; all of version control, source control data, change management defects, task lists and so on, reporting capabilities and automated build, and open it up to both the Java communities and the .Net communities. We have a partner called Teamprise who offer a really first class Eclipsebased integration into Team Foundation server—who incidentally we acquired in November. We were able to offer the same capabilities to both sets of technologists. I think this is an interesting example of the ALM story—we’re looking at how we can combine all of the information they have, make something meaningful out of it and make it much more open and transparent. We also needed to support their drive towards Agile and the fact that they had different technologies in use.
One of our clients, a large global delivery service, wanted to standardize and centralize software development across its IT arm. The goal was to link various processes within their application development to enable automation and standardize across the multiple internal operating departments. To achieve this goal, the IT arm deployed CollabNet’s ALM solution, TeamForge, to work with its internal home-grown platform. They wanted to integrate their platform across a worldwide system using TeamForge for ALM—basically using it as a software development engine. TeamForge helps them overcome challenges of distributed development, allowing anyone to the core development environment via a web page or through an API. The other nice thing is that they have many other legacy tools that they wanted to continue using, and because we have open APIs, it was very easy for them to integrate TeamForge and multiple existing systems. Choosing CollabNet for ALM gave them valuable results. The platform enabled their teams, through their organization, to collaborate effectively on development processes. In addition it allowed them to improve collaboration between geographically dispersed teams through process standardization. This company was also using automated, tedious manual tasks. The CollabNet platform promoted rapid time-to-market through consistencies of tools and process. It also enabled engineers to get up-to-speed quickly on new projects, or switch projects without having to do additional training, because it was consistent throughout their whole experience. Their now centralized development environment eliminated department-specific systems that tended to create bottlenecks and inefficiencies. The company was also evaluating improving security and backup capabilities. The solution enabled them to simplify compliance processes due to better reporting and traceability. An example of this it their ISO audit. The auditor was able to come in one morning, go into one office, and do the whole ISO audit in half a day by sitting with one development manager and accessing the core development environment. This was a huge improvement over previous audits that took up to a week, with the auditor talking to each department. Teams using any development methodology—Agile, scrum or XP, or even a waterfall, can benefit from the CollabNet ALM platform.
“I’m seeing a bigger picture than just the development side of things that we’ve dealt with for so many years.”
Among the many customers that we have I think one of the great examples is a global leader in banking and insurance, geographically diverse, distributed across Europe, North America and Apac. They’ve got about 200,000 employees and revenue last year was around 90 billion Euros—so it’s a significant organization. This really started off as a release management problem, and in the words of one of the project managers, they had chaos in release management. They had multiple home grown systems, manual procedures that had grown up over the years, and of course there had been quite a lot of acquisition going on so there were a number of different, disparate systems. At the same time they were trying to scale what they did, they were bringing a new part of the business into the process they had, and they found that the current systems they had just didn’t scale to what they wanted to do. They were also very labour intensive and had the very typical, sort of heroic, late night and weekend work habit to try and get releases out of the door on time. They also had a lack of visibility of control, often because of this rather ad hoc and manual procedure, so they really had no way of being absolutely sure that what they deployed was the right stuff and went to the right place. This is a fairly classic situation. They started the implementation off with the thing that was hurting the most which was mainframe release management. They ripped out and replaced most of the numerous home grown solutions and manual procedures they had, replacing it with Serena Dimensions CM which is our software changing configuration management tool. But having done that first phase of the implementation, I think this was where it started to become an ALM solution rather than simply a release management solution. They realized the power of what they had and extended this out to add documentation, scripts and other objects to make this a collaboration platform between not just development, but development and the business. They also outsourced quite a lot of their development and have multiple geographically distributed development sites as well, so their outsourcers now directly access the SCM repository so you can see what they need to do, they can allocate work to outsourcers, and so on.
It’s giving them a single global repository for all of the collaboration, communication and sign off that goes on. They then extended this out beyond the mainframe to distributed environments, moving it out to large numbers of people with around 1000 applications under control at the moment—it’s an ongoing roll-out process. The benefits are vastly improved traceability, visibility and control.
JC: THOSE ARE ALL GREAT STORIES AND IT’S INTERESTING TO HEAR SOME COMMON THEMES. IT SEEMS LIKE THERE’S A LOT OF CHAOS AROUND THE DEVELOPMENT PROCESS— COMPANIES ARE USING MULTIPLE LANGUAGES, MULTIPLE TEAMS AND DISTRIBUTED TEAMS. APPLICATION LIFECYCLE MANAGEMENT PRODUCTS ARE A WAY TO BRING TOGETHER THIS BIG PICTURE AND ADD CLARITY TO WHAT CAN VERY EASILY DETERIORATE INTO QUITE A CHAOTIC AND DIFFICULT PROCESS TO MANAGE. THAT BEING SAID, THERE ARE SOME KEY CHALLENGES
EXECUTIVE PANEL ■ APPLICATION LIFECYCLE MANAGEMENT
THAT I SEE EVOLVING TODAY WHEN I TALK WITH COMPANIES. ONE IS THE EVOLUTION TOWARDS MORE AGILE METHODOLOGIES, AND CLEARLY IT’S STARTING TO LOOK LIKE THIS IS GOING TO BE PRETT Y MUCH THE DE FACTO STANDARD, AT LEAST FOR THE NEAR TERM. WHAT IS THE IMPACT OF AGILE METHODOLOGY ON ALM SOLUTIONS? I KNOW WE’RE STILL IN THE PROCESS OF EVOLVING FROM THE WATERFALL LIFECYCLES OF THE PAST, SO HOW HAS THIS IMPACTED THE SOLUTIONS AND THE CUSTOMERS THAT YOU HAVE IN PLACE?
I think one of the very positive things that Agile has brought to this area is that it’s made a lot of organizations think carefully about what their procedures are, how they do development, and how this fits into the broader ALM space. They’re changing the way they work and I think that’s been very positive for the industry.
I would say that moving to Agile can be a challenge, and it doesn’t occur over night. It requires a shift in mindset for the entire project team, and it can create identity crises for some project members, including product managers and testers, because their whole role is changing. The developer role is also changing. In other, more standard processes such as waterfall they’re more of a peripheral member, whereas with Agile they really become the centre of the workflow.
JC: GREAT POINTS. A FOLLOW-ON QUESTION IS THAT AGILE HAS CERTAINLY MADE AN IMPACT, BUT POSSIBLY AN EVEN BIGGER IMPACT IS THE FLEXIBILITY OF THE KINDS OF DEVELOPMENT TEAMS THAT WE’RE SEEING TODAY. WE’RE SEEING DEDICATED DEVELOPMENT TEAMS WITHIN COMPANIES WHICH ARE WORKING WITH TEAMS ACROSS THE WORLD. SOMEONE HAS TO DECIDE WHICH TEAMS DEVELOP WHICH SOFTWARE MODULE. THERE IS SO MUCH FLEXIBILITY AND CHANGE IN THIS CHURN THAT’S GOING ON THAT I THINK APPLICATION LIFECYCLE MANAGEMENT PRODUCTS CERTAINLY HAVE A KEY ROLE HERE TOO.
Some examples that spring to mind are around flexibility and distribution, so I agree, and I think the challenge is particularly where you have a distributed outsourcing model. For example, it might be that development is taking place in the UK but the testing is being performed from India through a partner or an SI. That’s
I think that working across the globe with different time zones, tools, means of communication and limited means of interacting is a real challenge. It can introduce delays, miscommunication and even morale problems. The real key to making that work is enabling communication through the use of a common toolset and a centralized repository. One of the key values TeamForge brings is that it centralizes management for users, projects, processes and assets—essentially for entire distributed teams. Users can initiate a discussion thread, and then someone in the US the next day can see it and be able to correspond very effectively.
“The age of replication and replicating TJ: A centralized repository is databases is long absolutely key. The age of replication and gone, and I think replicating databases is long gone, and I think another important thing is to be another important agnostic to the process, the platforms and thing is to be agnostic the technologies. These things change quite rapidly to the process, the sometimes and it’s important to have a platforms and the system that you can change, that will react and support new platforms as they come out, and technologies.” will support new methodologies and tools as they
I totally agree with those. The only thing I would add is probably at the tool level. It means that we have to change the tooling to acknowledge the impact of Agile as well. From our point of view, although we’re process agnostic, our own Agile process templates and so on are evolving to make sure they’re fitting what we think people need in terms of the Agile reports, the scrum type reports, and whether we just need to make sure that everything is able to be automated. We’ve also got continuous integration and the reporting and testing that goes alongside that.
a challenge organizationally because the distribution doesn’t fit particularly well with Agile, actually, although most companies are doing both at the same time—most large companies in any case. From a tooling point of view, obviously we have to try and support that and make sure that, again, it reinforces the aspects of application lifecycle management.
come in. JC: I TALKED AT THE BEGINNING OF THE PODCAST ABOUT ALM AS BEING A TOUCH POINT BETWEEN THE TECHNOLOGY OF DEVELOPING APPLICATIONS AND THE BUSINESS SIDE OF GOVERNING AND FUNDING THEM. WITH THAT IN MIND, I’M SEEING A BIGGER PICTURE THAN JUST THE DEVELOPMENT SIDE OF THINGS THAT WE’VE DEALT WITH FOR SO MANY YEARS. FOR EXAMPLE, ITIL TALKS A LOT ABOUT TECHNOLOGY SILOS, BUT I’M ALSO FINDING IN MY APPLICATION MANAGEMENT PRACTICE THAT THERE TEND TO BE TIMEBASED SILOS. IN MANY CASES, COMPANIES HAVE VERY LITTLE COMMUNICATION BETWEEN THE DEVELOPERS AND OTHER PERSONNEL WHO WORK ON PRODUCTS AT DEVELOPMENT TIME, AND THE OPERATIONAL PERSONNEL AND APPLICATION MANAGEMENT TEAMS WHO DEAL WITH THESE APPLICATIONS ONCE THEY GO INTO PRODUCTION. ONE THING THAT I’M FINDING IS THAT SOME OF THE ARTIFACTS THAT SURFACE DURING DEVELOPMENT—THINGS LIKE CLASS NAMES AND CODE MODULE NAMES—CAN BE EXTREMELY VALUABLE IN IDENTIFYING AND MANAGING APPLICATIONS ONCE THEY’RE IN PRODUCTION. IT’S VERY RELEVANT TO IT-RELATED INITIATIVES LIKE CONFIGURATION AND SERVICE LEVEL MANAGEMENT, AND TO RUNTIME APPLICATION MANAGEMENT. I KNOW THIS ISN’T THE KIND OF QUESTION THAT YOU TYPICALLY DISCUSS, BUT WHAT ARE SOME OF THE
EXECUTIVE PANEL ■ APPLICATION LIFECYCLE MANAGEMENT
WAYS THAT VENDORS ARE HELPING TO BRIDGE THIS DEVELOPMENT OPERATIONS GAP? DOES APPLICATION LIFECYCLE MANAGEMENT HAVE A MESSAGE THERE?
I’d say one of the key things is being able to link source code changes to fi xes. When a developer actually checks in a piece of code, the ID that’s associated with that code is then linked to the artifact or work item they’re working on. Later on, if someone else needs to go in and figure out what’s going on, they can look at that artifact ticket and trace it back all the way to the code that actually broke the system. Another key part is continuous build and test for quick responses and patch time. If you have that continually working, then you can see when something does break, link it back to the artifact, and then see the piece of code that broke the system.
I think one of the areas that we’re driving for is to include testers in this whole application of lifecycle management. Obviously they’re there, but they’re probably one of the key silos within the overall development organization. We come to the same point—how can we make sure that the testers know what’s coming—and that could well be through work item association—so we know that the following bugs, requirements and change requests are in this particular build? Then they understand what’s coming, know what to test and progress that through the staging environment with some confidence, having known what’s come out of development, and get rid of that “chucking it over the wall” to the testers aspect. They’re often a sort of bridge-head into the production environment, so it’s got to pass through the levels of testing before it can be released from test environments out into production environments. I agree with the virtualized test environments. One of the big issues we see—I think actually probably exacerbated by the move to Agile from the developers—is that from a testers point of view they’re seeing more and more code drops coming from development teams, and the sheer preparation work required to actually build and provision test environments prior to being able to take on new code drops can become quite daunting. So I think being able to smoothly incorporate the management of those virtual test environments as well can help in that process.
JC: A LOT OF WHAT WE’VE TALKED ABOUT TODAY IS VERY SIMILAR WITH WHAT I’VE HEARD IN TALKS WITH COMPANIES IN THE PROCESS OF DEPLOYING SERVICE ORIENTED ARCHITECTURE—BASICALLY THAT SOA DEPLOYMENTS VERY QUICKLY DEVOLVED INTO VERY CHAOTIC KINDS OF MANAGEMENT PROBLEMS IF THEY WEREN’T GOVERNED FROM THE START. IT SEEMS THAT ONE OF THE KEY VALUES IS THE GOVERNANCE OF JUST CODE, BUT THE WHOLE DEVELOPMENT PROCESS THAT ALM PRODUCTS BRING TO THE TABLE. EVERYONE’S COMMENTS HAVE POINTED TO THAT. AS THE FINAL TOPIC, ONE THING THAT I ALWAYS FIND INTERESTING TO TALK ABOUT IS FUTURES. PERHAPS YOU CAN GIVE US A ROADMAP OF WHAT YOU SEE HAPPENING IN THE ALM MARKET ONE TO FIVE YEARS OUT, AND PERHAPS HOW YOU SEE ALM PRODUCTS EVOLVING?
I suppose the obvious answer is that I see them actually broadening, so there are quite a few roles that we cover collectively at the moment. For example, as we move more into integrations with production. It’s about system management solutions and how we have a flow-through from the development side of the shop through into production and operations. I would anticipate another growing area to be closer to the end users and perhaps business analysts—how they can also input into this
Julie Craig - Moderator
RESEARCH DIRECTOR, APPLICATION MANAGEMENT
TECHNICAL SPECIALIST, DEVELOPER AND PLATFORM EVANGELISM
Enterprise Management Associates (EMA)
At EMA, Julie’s focus areas are Best Practices, Application Management, Software Development, Service Oriented Architecture (SOA), and Software as a Service (SaaS). Julie has over 20 years of deep and broad experience in software engineering, IT infrastructure engineering and enterprise management. As a former IT senior engineer, she developed enterprise management solutions and deployed multiple packaged system, application and performance management products. Julie’s IT experience includes working with Enterprise Systems Group and the former JD Edwards & Company, now part of Oracle.
When we talk about automating the path to production you really shouldn’t have these “throwing over the wall” processes where you have different groups using different tools and not collaborating well. This really should be part of the same process—even if it’s not actually the same tool—the information flows through so that the other people in test, QA, production support and IT support can access the same information in the same repository. From development, all of those valuable relationships of source code to change documents, and then linking through to the objects that get deployed, mean that this information captured in development is then available to everybody else in the organization.
Giles Davies works in the Developer and Platform Evangelism Group in Microsoft UK as a technical specialist covering development tools, specializing in the full Application Lifecycle Management tooling of Team Foundation Server and Visual Studio. Giles started his development career with Microsoft technologies in the days of client/server applications before becoming an early adopter for Java, working with CORBA and subsequently J2EE. He has also worked in the Java space for a number of organizations including Borland and IBM Rational.
APPLICATION LIFECYCLE MANAGEMENT ■ EXECUTIVE PANEL
process and get more information back. We’re starting at the core around developers, testers, project managers and so on, and I see this expanding out in all directions to encompass these other slightly more peripheral aspects.
One thing that’s really going to change is how the planning aspect of ALM solutions handle things. We’ve been talking about allowing for process agnostic methods and I think that is key so you can set a plan and have it be—whether waterfall, Agile, scrum—all on the same system. Another part is being able to see the metrics of that plan at any level so that someone at C-level, for example, could zero in and see how their different project teams are doing. In the same vein, better collaboration and communication across distributed teams will also continue to grow in the ALM space.
In the short term, I think requirements management is getting much bigger play in this area. It’s often been considered as limited to the embedded space, but I see a lot of companies adopting much more formal requirements management processes and wanting those hooked more closely into the development process as well. As we get further out, and as the other panellists have said, the likelihood is that we’ll broaden what ALM means and it will spread out way beyond where it traditionally is now. This means that one single solution won’t be able to do everything. It will then be important to have a platform that will integrate closely with other tools so you’ll be able to plug in other tools that we currently don’t think of as being part of the ALM space. JC: FROM THE PERSPECTIVE OF MANAGING APPLICATIONS ONCE THEY GET INTO PRODUCTION, IT WILL BE GREAT TO SEE SOME OF THAT INTEGRATION HAPPENING BECAUSE THE OTHER THING THAT I’M SEEING FROM MY PERSPECTIVE IS THAT COMPANIES ARE STARTING TO VIEW APPLICATIONS AND DATA AS VERY VALUABLE BUSINESS ASSETS. THE APPLICATIONS THAT ARE PRODUCED DURING DEVELOPMENT ARE THE GIFT THAT KEEPS ON GIVING—IN TERMS OF VALUE OR AGGRAVATION AND COST WHEN IT GETS TO PRODUCTION TIME. SO THE BETTER THE PROCESS FOR
DEVELOPING APPLICATIONS, THE MORE COST-EFFICIENT IT’S GOING TO BE TO MANAGE THEM ONCE THEY GET INTO PRODUCTION. I’D LIKE TO GIVE EACH PANELLIST A MINUTE OR TWO TO MAKE ANY CLOSING REMARKS OR TOUCH ON WHATEVER WE MIGHT HAVE MISSED.
I think we’re certainly seeing an increased move towards application lifecycle management, and more and more organizations are recognizing that they don’t just have version control or bug tracking or whatever, but actually trying to bring this together. We’re also becoming more all-embracing—certainly from a perception point of view. We don’t require that the development teams are on an entire Microsoft stack of technologies and tools and I think that’s reality, and that’s what our tools are there to support. So I think we’re moving towards having accessible API’s, supporting the broader teams, and providing good solutions for teams out there.
We’re seeing increasing support of heterogeneous environments, methodologies and technologies. Agile is definitely on the rise, but some groups will still be using waterfall and other processes, so we need a process-agnostic platform or tool that allows for that. Using an integrated suite of different tools located in one integrated repository is also very important, as is having a culture of collaboration within ALM tools, especially for distributed teams. Visibility is also needed around the entire development process, at any level.
I think it’s been an interesting time recently where the choice of what tools organizations buy for development has really been driven by developers—this has been the case for the last few years. This is changing a little bit and I think senior management are starting to understand Agile better and what’s needed, and I think that those decisions are moving up the stack a little bit. The really interesting thing is how we as vendors are going to manage the needs of the traditional development team with the needs of the much bigger ALM scope that I think we referred to a few times on this panel. This is quite a challenge for vendors, and quite a challenge for organizations as well.
Tim Joyce SENIOR PRODUCT MANAGER
Brian Zeichick SENIOR PRODUCT MANAGER
Tim Joyce has been involved with Dimensions and other Serena Application Lifecycle Management (ALM) solutions in various roles for the last 14 years. In this time he has managed and implemented Serena ALM solutions in both large and small organizations across the world. Tim has experience of ALM across numerous industry sectors and methodologies. He is currently a Senior Product Manager responsible for Dimensions CM and as such is a certified Agile Scrum Master and Product Owner.
Brian joined CollabNet in 2008 and is an expert in goal-directed and user-centric design theory. Brian’s current projects include competitive analysis of ALM and Agile tools, scoping and designing features for upcoming CollabNet TeamForge releases, and evaluating forward-looking technologies. He has extensive experience in web development and standards, including rich internet application design and development using Flash and Actionscript. Brian’s professional experience includes work as a Senior Interaction Designer at Merced Systems, Ariba and QuadraMed.
HEAD TO HEAD ■ CORPORATE AND OPERATIONAL PERFORMANCE
Is your business performance at its best? DETLEF KA MPS (ARCPLAN) talks to ETM’S ALI KLAVER about the trends arcplan is seeing from successful companies linking key corporate performance data with operational performance.
CORPORATE AND OPERATIONAL PERFORMANCE ■ HEAD TO HEAD
K: DETLEF, FOR THOSE IN OUR AUDIENCE NOT ENTIRELY FAMILIAR WITH WHAT ARCPLAN CAN DO, COULD YOU RUN THROUGH THE HISTORY OF THE COMPANY AND THE SOLUTIONS YOU PROVIDE?
: Thank you, Ali. arcplan is an established independent business intelligence solutions provider. We have been serving organizations for more than 15 years and now have over 2500 customers. Our entire portfolio is designed to put decision-making in the hands of different users around the organization. AK: CAN YOU BRIEFLY TOUCH ON ARCPLAN’S OFFERINGS AND TELL US ABOUT THE MAIN BENEFITS?
: arcplan Enterprise is our flagship product for measuring and reporting on operations. arcplan Excel Analytics puts ad-hoc reporting into the hands of the power excel users—and we see so many of them in today’s organizations. Then we have arcplan Edge, a flexible budgeting, planning and forecasting tool to manage all your planning requirements. Regardless of the solution or combination of solutions you choose, our products are all designed around a common goal—making organizations perform better. AK: I LIKE YOUR LAST POINT—MAKING ORGANIZATIONS PERFORM BETTER. I’M SURE EVERY ORGANIZATION IS LOOKING AT WAYS TO IMPROVE. LET’S LOOK AT COST FOR A MOMENT, BECAUSE A LOT OF COMPANIES ARE STILL CAUTIOUS WITH THEIR BUDGETS AND ARE ACTIVELY UTILIZING THE TECHNOLOGIES THEY ALREADY HAVE IN PLACE TO GET THE JOB DONE INSTEAD OF LOOKING AT THE NEXT LEVEL. HOW DOES ARCPLAN TRANSLATE INTO COSTSAVING AND REALIZING TOTAL COST OF OWNERSHIP?
: We see this quite often among our customers as well. arcplan is about reducing cost and total cost of ownership. The cost savings come in so many ways. By making better decisions on operational information we’ve had customers report significant savings by improving their internal processes. In actual fact, we had one customer utilize arcplan to develop a supplier quality dashboard and, by having real-time access to the quality of their suppliers during the purchasing process, they reported a cost saving of about $250,000 per annum. That has saved millions for the organization over the last few years. The other form of cost saving we see quite often relates to the time saved in accessing key information for the company. Consolidating spreadsheets and output reports as a manual and lengthy process should be a thing of the past. arcplan enables customers to save time on reporting and, ultimately, the bigger savings come from realizing information faster and being empowered to make those business decisions that are right for the company.
“Arcplan is about reducing cost and total cost of ownership.”
AK: NOW LET’S GET DOWN TO SPECIFICS. CAN YOU GIVE US A GOOD CASE STUDY THAT HIGHLIGHTS THE SUCCESSES YOU’VE SEEN IN YOUR CUSTOMERS TO DATE?
FACT FILE • • • • • •
Founded in 1993, arcplan has more than 2500 customers and 300,000 users worldwide. Headquartered in Düsseldorf, Germany, with US headquarters in Philadelphia. arcplan delivers its solutions through a global direct sales force and a network of more than 130 partners in over 30 countries. According to The BI Survey, arcplan’s clients’ rate #1 in terms of project success. They are also the leading third-party BI vendor for SAP BW, Oracle/Hyperion and IBM/TM1. Interactive performance management applications have been deployed at arcplan customers such as Daimler, Graham Packaging, HCA, Thai Airways, InterSky, UBS, EMC and Bayer. arcplan is most often deployed to improve management process such as budgeting, planning and forecasting; financial controlling; consolidation and reporting; quality management; inventory management and supply chain management, with proven bottom line benefits.
HEAD TO HEAD ■ CORPORATE AND OPERATIONAL PERFORMANCE
: I’ve mentioned the supplier quality example already so let me touch on another case study. This is of a leading provider of integrated food and facilities management services in the US, Canada and Mexico, serving 10 million customers in 6000 locations every day. As you can imagine for them the real-time performance analysis can make or break their business. When they approached us a few years ago they indentified a few challenges. Most important was the ability to do real-time performance and accurate forecasting. This is so critical to their business but they were finding it unachievable. Management had little transparency into information and therefore struggled to understand future performance forecasts. Also, because of the size of the organization, they had a very disparate user base with different familiarity of systems. They turned to arcplan because of our ability to offer a solution that ties into their existing infrastructure and databases, ensuring that additional investments weren’t needed and that our usability would serve their growing users. Today, this customer has realized that traditional budget, planning and forecasting processes don’t need to be in silos, and that looking at the real-time operation in conjunction with corporate performance is key to their business growth. We provided them with a flexible solution that adapted to their business and multiple end-user tools to ensure adoption. While this is one example, we have dozens of success stories with customers who all faced unique challenges but with the common goal of improving performance. Time and again this is where arcplan has helped. AK: IT’S INTERESTING THAT A LOT OF SOLUTION PROVIDERS OUT THERE OFFER A SINGLE TOTAL SOLUTION, AND I THINK ARCPLAN’S POINT OF DIFFERENT IS DEFINITELY YOUR ABILITY TO TIE INTO EXISTING INFRASTRUCTURE. FOR OUR FINAL
“By making better decisions on operational information we’ve had customers report significant savings by improving their internal processes.”
QUESTION, LET’S LOOK TO THE FUTURE. WHAT WILL YOU BE FOCUSSING ON THIS YEAR, AND WHAT DO YOU SEE HAPPENING IN THE FUTURE?
: We are seeing already that BI is no longer a tool used by a small group in the organization asked to generate reports across departments. We live in a world where information is accessible in our everyday life and the same goes for business intelligence. Our portfolio is focussed on addressing the different users in the organization—whether it’s the BI analyst, the planner, or the excel user. With each new release of our products we will be adding even more users to our list. arcplan has seen the industry evolve over the last 15 years and our independence and focus on BI allows us to take steps with our products that we believe will move the industry forward.
“... arcplan has seen the industry evolve over the last 15 years and our independence and focus on BI allows us to take steps with our products that we believe will move the industry forward.” Detlef Kamps CEO, arcplan Before joining arcplan in 2008, Detlef was co-founder (in 1998) and President of RedDot Solutions Corp, the US operations of web content management specialist RedDot. Detlef ensured rapid profitable growth and a loyal, satisfied customer base and conducted the successful sale of the company to Hummingbird, which is now part of Open Text. Prior to RedDot, Detlef served as vice-president of sales and marketing at Spectrum Laboratories Inc., a California-based provider of bioprocessing solutions. At Spectrum, he defined and implemented successful direct sales, marketing and business development strategies. Detlef holds a BA in Economics from the Rheinische Friedrich-Wilhelms University in Bonn (Germany) and an MA in business administration, economics and computer science from the Freie Universität Berlin.
Looking for a better approach to Business Intelligence?
Propel your business forward through informed decisions and complete access to information. Improve Your Business Performance Scorecards & Dashboards – Track key metrics and inform decision makers about ongoing business activity. Financial & Operational Reporting – Review real time and historical data from multiple data sources with an intuitive and engaging user experience. Budgeting, Planning & Forecasting – Combine the power of Excel-based planning with the robust web based analysis of your operations to ensure true performance management.
We make organizations perform better™
With arcplan, you get cost effective business intelligence when and how you need it. arcplan’s complementary approach empowers you to simultaneously analyze information from multiple data sources such as ERP, OLAP, relational databases, and Web services. arcplan users get answers and take action faster because they can skip the costly implementation of a separate, complex analytical data store and get a robust, intuitive user interface. Visit Us at www.arcplan.com
COMPANY PROMOTION ■ BUSINESS INTELLIGENCE AND ANALYTICS
Have you got Insight?
n an economy that is highly competitive for buyer attention, is it possible to capture and hold the customers you want? JOSE SANTA ANA (OMNITURE) says that it’s easy to drive business transformation through multichannel, customer-centric analytics.
ow can companies help ensure success in today’s competitive marketplace? It goes without saying that gaining customer loyalty is at the heart of every company’s prosperity. Yet now more than ever, customers are bombarded with marketing messages from more companies through more channels. They also have a virtually unlimited array of options when buying products, whether shopping online or walking into their favorite stores. Even just one less-than-positive experience can drive a customer to switch to another vendor with a single click or phone call. And just as customers are becoming more fickle, companies face the dire need to maintain and grow their customer base in order to thrive in an increasingly crowded global economy. This means building closer relationships with customers and gaining a better understanding of their needs, gleaning insight from every customer interaction with call centers, online sites, in-store point-of-sale systems, and other channels that connect a business with its customers. Today, company managers and decisionmakers need more than information and knowledge about marketplace trends—those are typically in ample supply. What is now required is in-depth, realtime insight into customers that enables companies to recognize buyer preferences, predict behaviors, and deliver the right products and messages through the right channels— ultimately attracting and retaining loyal, longterm customers.
BI NEEDS TO EVOLVE FROM OPERATIONAL TO BEHAVIORAL ANALYTICS Business intelligence (BI) tools need to evolve to become customer-focused, dynamic and information-rich applications that can offer top executives and business managers alike unprecedented insight into their customers. In the past, these professionals had to rely on BI tools designed largely for operational reporting versus customer behavioral analysis. While the ability to drill down on sales for last month, last quarter, or the past year by region or other variables is essential, it is only part of the solution; decision-makers now also need immediate insight into customer behaviors and preferences. What has long been missing is a way to see the full picture of every customer interaction with a company, and to quickly analyze large volumes of changing customer data from multiple channels. This has been difficult because information about how a customer interacts with a company is typically in different formats and spread among many systems—the web, CRM, financials, point-of-sale systems, call centers, data warehouses, traditional business intelligence tools and other systems. To add to the challenge, the sheer volume and dynamically changing nature of customer data can make it difficult to bring together and analyze information fast enough to make findings actionable. As a result, companies have
struggled to make timely, intelligent business decisions using data that resides throughout their organizations. UNEARTHING VALUABLE CUSTOMER INSIGHT FROM MOUNTAINS OF DATA Recognizing the importance of giving companies comprehensive, multi-channel views of the customer, Omniture delivers Insight software. Omniture Insight is unique in its ability to combine clickstream information about customers’ online interactions with transactional data from offline channels such as point-of-sale (POS) systems, call center interactions, ATMs, kiosks, RFID tags, reservations and other systems. In addition to managing and gathering data across multiple channels, Insight enables organizations to quickly analyze massive volumes of rapidly evolving data in real-time. The dynamic application offers powerful visualization options that allow managers to immediately infer meaning to make quick, smart business decisions. Insight readily accepts data from virtually any source, including data warehouses and business intelligence tools, and allows users to load and analyze structured data without the pre-aggregation typically required for data analysis. The result: executives and managers can leverage Insight to efficiently uncover patterns and trends that lead to meaningful, actionable business decisions.
For a great success story, listen to the globaletm.com podcast featuring Tom Lott (Omniture) and Michael Dugan from Forbes.com.
CHANGE BUSINESS INTELLIGENCE AND ANALYTICS ■ COMPANY PROMOTION
INSIGHT IN ACTION Many businesses have adopted Omniture Insight to help them understand customer behavior patterns to improve acquisition and conversion, and increase loyalty. For instance, Dollar Thrifty needed to analyze online customer behavior and then tie that information to offline data stored in reservation systems. Dollar Thrifty, a global car rental chain with more than 1600 corporate and franchise locations in 70 countries, uses Omniture Insight to better target customers with appropriate offers and minimize the costs associated with “no shows” from customers making reservations online. Integral to achieving these aims is ensuring that the proper audiences receive information about relevant services, helping to match customers directly with their preferred services. Dollar Thrifty uses Omniture SiteCatalyst to bring web data into Omniture Insight, giving managers instant information about customer behavior online. Insight then integrates to identify particular demographics and keep To increase user engagement and all web behavior/reservations with Dollar them online longer has made Dailymotion more registrations, Dailymotion presents Thrifty’s internal data warehouse that contains attractive to advertisers as well. users with relevant content, fine-tuned information on revenue, transactions, upgrades, via a “recommendation” panel. Prior to etc. Insight is then used to identify customer BUILDING A CUSTOMER-CENTRIC implementing Omniture Insight, it was difficult segments with compelling behaviors (such as ENTERPRISE to fully understand how users were no-shows) that cross web, offline, or a For executives and managers relying on interacting with the site. After combination. These segments are business intelligence, it is an exciting time deploying Omniture Insight, then used for targeted offers or thanks to new technologies for driving business Dailymotion could see at a campaigns. “… companies are growth and transformation. Today, with granular level what content This enables Dollar realizing business solutions like Omniture Insight, companies are visitors consume; what Thrifty to easily identify realizing business benefits through customer elements they do and do not customer segments for benefits through insights never before possible. engage with; how much time timely, targeted offers insights never before they spend online, and other For optimizing a business based on a solid or campaigns, basing possible.” understanding of what attracts and motivates critical behaviors. decisions on reliable data and customers, Omniture Insight is a powerful For example, Omniture reducing problems associated solution that delivers proven benefits to Insight provided impressive visibility, with no-shows on reservations companies across an array of industries. such as the ability to compare the behavior made worldwide. At the same time, the of 35- to 40-year-old women in Germany with company uses Insight to optimize paid search the same age and gender in the UK. Armed initiatives, correlating key words and campaigns with this knowledge, the company honed to offline revenue, customer attributes, upgrades its recommendation engine so that users are and other important business data. presented with relevant content, which has in Like Dollar Thrifty, Paris-based turn increased user engagement. The ability Dailymotion is enhancing its business using Omniture Insight. The consumer video site attracts more than 59 million unique visitors Jose Santa Ana each month who upload videos about interests DIRECTOR OF PRODUCT MARKETING and hobbies, eyewitness accounts and more. Omniture Unlike many websites, Dailymotion does not have an e-commerce function. Instead, Jose is Director of Product Marketing at Omniture and has over 10 the company generates revenue from selling years experience working with business intelligence. advertising on its site. The more registered Prior to joining Omniture, Jose was an industry analyst for both members the company has and the longer the IDC and Gartner, where he covered business intelligence and data engagement time, the more attractive the site is warehousing. He has also had stints with Hyperion Solutions (now for potential advertisers. Oracle) and IBM.
ANALYST FEATURE ■ CMS
In perfect alignment F
inding, implementing and then working with a CMS can be one of the most difficult tasks for an organization. ADRIAAN BLOEM (CMS WATCH) says that there isn’t one perfect CMS—instead, it’s all about catering to individual needs.
CMS ■ ANALYST FEATURE
he life span of a web content management implementation is about three years. Of course, that’s an average and there are exceptions, but only moderate deviation. It’s not a very popular thing to say, especially to those about to start a new project. But it shouldn’t be ignored. Many find this surprising because building a website—and implementing a system to manage it—isn’t the most tasking of technical challenges. When I ask a CIO or IT director what his most complex project is the company website rarely comes up. Certainly, publishing content online isn’t exactly a trivial task, but web content management (WCM) systems have been around for some 15 years. There’s plenty of software available to help—in a conservative estimate I would say there are over 1000 systems (CMS) to choose from. So, on the surface, that would seem the logical essence of the problem. With such freedom of choice, how do you select what software to use? Obviously, a previous system must have performed underwhelmingly for it to be replaced on such short notice. The answer, therefore, must be to get a better system. CMS Watch publishes the Web CMS Report, which contains in-depth reviews of 42 different products. As one of the authors of the report, one of the questions I’m most frequently asked is: “What’s the best CMS?” The short answer to that is—it depends. The real answer is another question: “What’s the problem you’re trying to solve?” THE BUSINESS CASE FOR WCM In the mid-to-late ‘90s, website managers were happy simply to see content appear on a website. Websites were managed mostly by hand. Pages were crafted in specialized editors and then transferred to the web server. Webmasters were author, marketer, designer and technical manager. The internal rate of return for a CMS was relatively easy to calculate—using a system that
would allow you to edit content, store it in a database and then automatically publish it from there would save time and, therefore, money. Separating content, design and technology made sense. But if you already have a CMS that purports to do this, such efficiencies are increasingly hard to calculate. Likewise, return on investment benefits (increasing transactions, accelerating time to market) become deltas that are hard to quantify. Now that many enterprises are on their third or fourth CMS, it’s hard to justify another change. It’s been said that the business case for a website is much like that for a telephone system. It’s hard to put a number on it, but in this day and age you just can’t do without. A website—and the CMS to manage it—are simply the cost of doing business. There’s some truth in that. To a public that’s increasingly at home in a digital world, without a website your organization virtually wouldn’t exist. Nevertheless, I will often press the issue and ask: “Why do you even have a website?” Surprisingly few will have a real answer to this question. There are some obvious exceptions (such as e-commerce), but usually it’s quite hard to give a succinct description of the purpose. If you can’t be clear on the goals for your website, how can you possibly achieve them? I’ve seen many project plans and business cases. They’re usually quite thorough and will list many of the advantages of change and improvement. They will often focus on the soft benefits of implementing a new CMS. A new system can put business people in control of your online communications, maintain user experience and brand consistency or improve your agility. These are all compelling reasons, but each has a trade-off. You’ll have to decide which is the most important, and why. Take a hard look at how this would be achieved—without a clear sense of that, it will be impossible to infer
“A CMS shouldn’t just manage the content—it needs to manage the flow of content.”
requirements for a system to support them. Many companies have a mission statement. Perhaps it would be helpful to have a mission statement for the website, as well. Or better still—link the purpose of the website to the goals of the organization. THE CONTENT MANAGEMENT PARADOX As the web keeps innovating at a staggering pace, requirements change—what your site should do is a moving target. For instance, in recent years, there has been growing demand for “social” features (in a Web 2.0 world, a website should allow for usergenerated content, comments and ratings). A redesign will be drawn up, wireframes illustrate the functionality to be added, and a functional design describes how this should work. Of course, this impacts what’s expected from a CMS as well. The website delivery (to the visitor) is a key function (and if your site needs to be interactive, your CMS will also need to be able to manage the interaction). This, of course, is a good reason many implementations have a short lifecycle. When you find the product you were using is no longer fitting the requirements then it’s time to find
For more information, and to access the Web CMS report by CMS Watch, go to: http://www.cmswatch.com/CMS/Report
ANALYST FEATURE ■ CMS
a better match, and due to the ever-changing nature of the web, the CMS producing your site will have to adapt. But there’s an important factor here that’s too often overlooked. The system not only publishes the website to your visitors, it also manages the content coming in from your organization on the back-end. This is illustrated by the confusion the term “user” engenders in a web content management context. Are we talking about visitors to the site or about the webmasters, content managers, web editors and authors, also using the system? This is the content management paradox— the requirements of the one group of users will usually be at odds with the requirements of the other group of users. For example, you can’t simply push out your content to a website that’s organized analogous to the enterprise. This would make little sense to visitors who may not be familiar with your internal structure. But the reverse is true as well—what makes a good website structure may not be logical, or at least not very convenient, to your internal organization. For your internal users, content management is a process—creating, editing, deploying and possibly archiving or deleting (although arguably not enough of either). To them, the ideal content management system is the one that is best suited to support their content management process. There’s one big difference with visitors, however—your employees are forced to work with the system, it’s part of their job. Many of the benefits of a CMS can only be realized in the back-office. An important reason to start a new WCM implementation, whether implicit or explicit, is that the current one isn’t a good fit for the internal organization. And as with any system there’s a danger in trying to reverse this. A CMS won’t be able to enforce a procedure where no defined process is in place. In this paradox, a content management system should mediate between those two sides. It shouldn’t just manage the content—it needs to manage the flow of content. A CMS needs to bridge the gap between IT and users twice, and it needs to match on both sides. If you wonder why web content management projects have a relatively high rate of failure, or why the lifespan of implementations is so short, this is another source of the problem. It’s rare to strike a balance between the conflicting interests and, more often than not, weighting the tradeoffs was never part of the initial project.
However, I’m careful in calling this a paradox. The back-end and the frontend of a website aren’t a mutually exclusive contradiction. It’s possible to find the right tools to solve the problem, but you have to carefully define it first.
“Without your own coherent scenarios, it’s more than likely that a web content management project will have disappointing results.”
UNDERSTANDING YOUR NEEDS I’ve seen quite a few RFPs sent out to vendors in a CMS selection procedure. These will often take the form of a long questionnaire (one example had over 1200 questions, most of which could be answered with a “yes” or “no”). This kind of procedure is deceivingly safe—the tally of boxes checked can be scored, which means that in the end one CMS will be objectively better than another. In reality, however, it has little bearing on what the system is supposed to achieve and how. This is illustrative of what I’ve described before—while appearing to be thorough, it falls short of understanding what is needed. So how do you create real understanding of your web content management? Scenario analysis can be an effective shortcut. For example, in the Web CMS Report, CMS Watch describes 12 common scenarios that are used to evaluate the fitness of the systems for specific uses. Of course, those scenarios are abstractions and they are theoretic archetypes of what we find organizations typically require. But your organization should be able to describe in much more detail what the process would look like, what it should achieve and how. Without your own coherent scenarios, it’s more than likely that a web content management project will have disappointing results. WEB CONTENT MANAGEMENT IS A PROCESS Content management is a process and the CMS is no more than the system to support it. But this is not just a daily concern. As I’ve mentioned before, the goal of WCM is a moving target. Content is still king and the web revolves around it, but you’ll be faced by increasing demands from users both internally and externally. Though the software still nurtures metaphors like “authoring” and “publishing”, make no mistake—producing a website is unlike writing, designing and printing a book. And yet, subconsciously, that’s still a lingering association.
CMS ■ ANALYST FEATURE
Perhaps that’s why the three-year lifecycle of WCM systems is tacitly accepted. After major effort and investment the site is published—to be overhauled once its cover and pages are too outdated for just a minor new edition. Then the cycle starts again. By contrast, looking at some of the renowned sites on the web, it’s hard to tell when they last had a major redesign. When did eBay rigorously change its look? When was the last time Amazon completely changed its functionality? And yet, if you were to hold them side by side to what they looked like five years ago, you’d see they’re entirely different. The lesson these organizations have learned is to see the web as something in constant flux and to avoid major “big bang” updates that would alienate their users. They have an emphasis on gradual evolution rather than revolution. This is something a content management process should embrace. Keep moving at a steady pace, rather than embarking on marathons every three years
THE BEST CMS So which out of those more than 1000 products is the best CMS? It’s the best system to support your own very specific scenarios, content management process, user and visitor needs and, last but not least, will enable you to have a web presence that aligns with the enterprise goals. This is far from a one-size-fits-all—there is no universally “best” CMS. And what’s more, as with any software tool, it’s no more than a means to an end. What perhaps differentiates web content management systems from other enterprise tools more than anything else is the wealth of choice. In the end, this isn’t about avoiding the three-year cycle by selecting the right product. It’s about creating a thorough understanding of what needs to be accomplished. Only that understanding will allow you to select the right tool for the job. More importantly though, it will allow you to create more value out of web projects.
Adriaan Bloem ANALYST CMS Watch Based in The Netherlands, Adriaan covers web content management, social software and enterprise search technologies. He worked in desktop publishing, web design, and as a network administrator and consultant in the legal field for several years before joining the Faculty of Law. As project manager for the migration of nearly a thousand websites to a new CMS, he evangelized new practices, educated webmasters and kept the technical oversight of the implementation of the infrastructure. Adriaan has been involved in a host of knowledge management and web content management projects for the decade prior to joining CMS Watch, both as a practitioner and as a consultant.
HEAD TO HEAD ■ ENTERPRISE MOBILITY
The Unwired Enterprise
n an increasingly mobile and flexible world, is it possible to keep hold of the things that matter most to your company—and in a consistent manner? IAN THAIN (SYBASE) talks to ETM’S ALI KLAVER about their Unwired Enterprise and touches on competitive advantage, opportunity, security and risk, and the steps for future success. http://www.GlobalETM.com
HEAD TO HEAD ■ ENTERPRISE MOBILITY
AK: IAN, FOR THOSE PEOPLE IN THE AUDIENCE NOT ENTIRELY FAMILIAR WITH SYBASE, CAN YOU GIVE THEM A SHORT HISTORY AND PERHAPS TELL US WHERE SYBASE IS PLACING ITSELF IN THE MARKET TODAY?
Sybase has been around for just over 25 years now. We started in 1984 when Mark Hoffman and Bob Epstein started in Berkley, California, so a lot of people know us as a traditional database company—we created SQL Server with Microsoft. We still have databases, we have ASE, we have replication server technology, and we have data warehousing—so we have ASE, RepServer and IQ. But also, in that last 25 years, we’ve produced design and development tools as well. People will probably know PowerBuilder and we have PowerDesigner. Traditionally, those fields are still carrying on but now we’re into mobile technologies, and Sybase’s vision is to enable the secure movement of business-critical information backwards and forwards from the data center to the mobile workforce. This is what we call the Unwired Enterprise, and that’s what I’m here today to talk about. AK: TWENTY-FIVE YEARS IS DEFINITELY SOME SOLID EXPERIENCE. WHEN YOU’RE TALKING ABOUT ENTERPRISE MOBILITY—I THINK THE JURY IS STILL OUT ON WHETHER A MORE MOBILE WORKFORCE MAKES FOR A MORE COMPETITIVE BUSINESS WORLD. BUT WHAT DO YOU THINK ARE THE MAIN BENEFITS FOR COMPANIES WHO ARE LOOKING TO IMPLEMENT THIS TYPE OF TECHNOLOGY?
Well, I actually think the jury isn’t out anymore. Seven or eight years ago we were persuading people about the benefits of mobility and we had a few innovators that really took the plunge. But now it’s virtually impossible to buy any mobile device—say a Smartphone—that isn’t capable of taking emails and business applications. Plus, users are obviously demanding the mobilization of business data. With proven benefits such as reduced billing cycles, improved field service technician productivity and efficiency, improved customer services, increased first time fix rates and improved information flow—not to mention the cost savings—I think those companies that haven’t put mobility at the front of their technology now risk their enterprise being taken over by competitors. So there are a lot of things that they need to be aware of and implement.
AK: IN MY RESEARCH FOR THIS INTERVIEW I CAME ACROSS SOME REALLY INTERESTING STATISTICS ABOUT SYBASE. YOU HAVE OVER 20,000 ENTERPRISE MOBILITY CUSTOMERS—SO FAR I SHOULD ADD—85 OF WHICH ARE IN THE FORTUNE 100. EVEN FOR A COMPANY SUCH AS SYBASE, WHO HAS BEEN IN THE INDUSTRY FOR 25 YEARS, THAT’S QUITE IMPRESSIVE. I THINK IF ANYTHING IT REALLY SHOWS THAT YOU HAVE A SOLID SOLUTION THAT IS ENTIRELY SECURE. CAN YOU TALK A LITTLE BIT ABOUT WHAT MAKES IT SO SUCCESSFUL AND HOW YOU TACKLE ISSUES LIKE DEVICE MANAGEMENT AND SECURITY?
We’ve obviously got two areas which are the main lynch-pins that companies should be aware of with mobile technology—one is security and one is management. So you have standard security, such as the authentication of users, and we have encryption of data on the device as well as in transit. You‘ve got to remember that these mobile devices actually contain lots of sensitive data and you have to really make sure that they are locked down, just in case they are lost. We also have things like antivirus port locking and technologies such as software inventory, software distribution, asset control and remote control, so that these mobile workers can still be out in the field doing their jobs and your IT guys can sort these problems out. These areas intermix a lot, so in fact, standard security and management go hand-in-hand. AK: IT’S QUITE INTERESTING TO SEE THAT COMPANIES DO FOCUS ON THE SECURITY SIDE A LOT, BUT WHAT IS EQUALLY AS IMPORTANT IS THE MANAGEMENT SIDE. IT’S NOT THAT PEOPLE FORGET ABOUT IT, BUT IT CAN BE HARD TO UNDERSTAND AND IMPLEMENT WHEN YOU HAVE YOUR EYE ON THE SECURITY FRONT LINE. CAN YOU PERHAPS GIVE US SOME EXAMPLES OF HOW SYBASE MOBILITY WORKS, AND WHAT IT HAS ACHIEVED SO FAR?
Well if you go to Sybase.com there are a lot of success stories there, but let’s just pick on a few. One big name that everyone will know is MacDonald’s. MacDonald’s has a lot of operation consultants that go out and check their corporate and other restaurants. They will gather lots of
1. 2. 3. 4. 5. 6.
Proven—34,000 enterprise customers and 91 of the Fortune 100 rely on Sybase.
Experienced—heritage in enterprise software since 1984.
Innovative—148 patents awarded in data management and mobility; 185 patents pending.
Global—4000+ employees in 60 countries.
Financially strong—exceeded $1 billion revenue mark in 2007, followed by 10% growth in 2008. In the 2008 Annual Report, Sybase reported $640 million in cash.
Market leader in data management, analytics, mobile messaging and enterprise mobility: •Leader in Gartner’s Mobile Enterprise Application Platform Magic Quadrant •Leader in Gartner’s Wireless Email Software Market Magic Quadrant •#1 in market share for mobile device management •Leading vendor in mobile middleware •Leading vendor in messaging services.
For more information please go to: www.sybase.com/mobility
HEAD TO HEAD ■ ENTERPRISE MOBILITY
information that used to take many days to process and feed back to the restaurants. Now, with Sybase technology, they can actually maintain and secure the devices used by inspectors, but also capture data straight at the source which takes hours off the internal processes so that those operation consultants can spend more time with each store manager. If we look at the City of Ottawa’s Transit Services Division, they have made their overall system more efficient, reducing the need to purchase two to three buses a year (a saving of $750,000 per bus), plus an ongoing operational saving of $70,000 per bus per year. With a fleet of over 1000 buses, the savings speak for themselves. And then we can take examples such as TVF who, among others, have managed to reduce the number of physical systems being returned to them for updates and repairs by 90%. You can image the cost savings in that alone. And if you look at Airtours, we can see that they cut communication spending by close to 60% due to their mobility implementation. These are just some of the very real-life examples of how Sybase Mobility works.
ALI: THANKS IAN, I’M SURE YOU COULD TALK ALL DAY ABOUT SUCCESSFUL SYBASE CASE STUDIES, BUT THOSE CERTAINLY DO PORTRAY A STRONG ENTERPRISE MOBILITY SOLUTION. NOW THAT OUR AUDIENCE HAS A GOOD GRASP OF THE BASICS OF WHAT YOU PROVIDE, CAN YOU TAKE US THROUGH THE STEPS AN ORGANIZATION WOULD NEED TO TAKE TO ACHIEVE, AND PERHAPS MAINTAIN, A SUCCESSFUL MOBILE WORKING PLATFORM?
What follows are really my main thoughts. Obviously companies will need to take
a strategic approach to ensure that they can really evolve and adapt, because we’re now living in an area of mobility which is moving very fast. They need to take advantage of the opportunities that will happen, but they also need to change as it goes. A great thing in any IT project is the ability to start small and move rapidly—they need to be agile. They need to identify and understand an initial project that is going to give them maximum benefit. They also need to be aware that mobility does not fix broken or badly performing processes. It’s not a magic bullet and things have to work correctly before you then go into the mobilization side. Plus, they need to plan for a heterogeneous approach because we’re living in a day and age now where new devices come out regularly. For example, the iPhone has taken the enterprise and the mobility side by storm, and I think the iPad will follow. BlackBerry is still strong and Windows Mobile is still in there, but they still need to plan for that approach. Something like a mobile enterprise application platform will help and this is something that Sybase has put a lot of time and effort into. And lastly, they need to realize that they probably will become their own mini operator. By that I mean provisioning these devices, managing and securing them, and even de-provisioning devices. AK: THANKS IAN, SOME GREAT POINTS THERE. I LIKE THE FACT THAT YOU BROUGHT UP THE STRATEGIC APPROACH, WHICH AS WE KNOW REALLY HAS TO ALIGN WITH BUSINESS STRATEGY AS WELL. LET’S GO TO OUR FINAL QUESTION, AND I ALWAYS LIKE TO HAVE A LOOK INTO THE FUTURE. WHAT WILL YOU BE FOCUSSING ON THIS YEAR, AND WHERE
DO YOU SEE THE FUTURE OF ENTERPRISE MOBILITY GOING? CONSIDERING THAT NEW TECHNOLOGIES SUCH AS THE IPAD, WHICH YOU MENTIONED, WAS RECENTLY RELEASED, THEY’RE REALLY ALLOWING US TO BE A LOT MORE MOBILE BOTH IN WORK AND PERSONAL LIFE. SO DO YOU THINK THIS HERALDS A NEW AGE FOR TECHNOLOGY AND PERHAPS ENTERPRISE MOBILITY IN PARTICULAR?
Definitely, I think it does. And this is where we’re really looking at it from the Sybase perspective. I’ve mentioned one thing already which is the mobile enterprise application platform. This is a generic term but for us it’s called the Sybase Unwired Platform. We’re able to mobilize any back-end data source, or process, on to any set of devices. So we’re very heterogeneous and we’re very agile. We are currently working with SAP to mobilise SAP processes and systems which we announced in March 2009. And extending our technologies of Afaria, we’re currently focussing on something called management as a service, which is all around managed mobility empowering organizations to secure and manage employees’ mobile devices without having to build, install and maintain their own solutions. The idea is that some of these companies don’t want to or don’t have the capability to manage these devices, but understand what we’ve said about the need for management and security. They would like to use our technology but have that supplied and administered by a third party. So to recap, we’re focussing on managed mobility and SAP along with our management security, and also our Unwired Platform.
Ian Thain SENIOR TECHNICAL EVANGELIST, Sybase Ian is the Sybase Unwired Platform and PocketBuilder Evangelist and works closely with the team in Dublin, California, and Concord, Massachusetts, on new features and demonstrations. In his customer-facing Evangelist role, Ian is very involved with the design, production and testing of Enterprise class Unwired Solutions that have been implemented using Sybase’s Unwired tools for Sybase customers around the globe. In addition, Ian is a dedicated technical expert continually working with Sybase’s key partners and clients to enhance the capabilities of the Unwired solutions that Sybase offers. Ian can also be found on Twitter @ithain and blogging on http://blogs.sybase.com/ithain
when it comes to
enterprise mobility leadership,
see why 85 of the fortune 100 chose sybase for proven enterprise mobility solutions There’s no doubt about it. Sybase is the clear mobility leader. Over 20,000 enterprise customers. More than 1,500 mobility partners worldwide. Top analyst rankings for seven years running. No other company comes anywhere close. So as you’re planning new mobility initiatives, why risk your success by going with an unproven provider? The truth is, for unwiring the enterprise and extending core data, business processes, applications and services to millions of users around the world, there’s really only one choice: Sybase.
Get the proof now at sybase.com/mobility
Copyright © 2009 Sybase, Inc. All rights reserved. Sybase and the Sybase logo are trademarks of Sybase, Inc. ® indicates registration in the United States of America. All products and company names are trademarks of their respective companies.
Tell your story...in 3D
ASK THE EXPERT ■ 3D
ith 3D the hottest thing in entertainment at the moment, attention is turning to how it works in the business sphere. ETM’S ALI KLAVER interviews GARTH COLEMAN (3DVIA) about his work developing 3D and 3DVIA Composer, and how it’s become a real cost-saver and market leader.
http://www.GlobalETM.com AK: CAN YOU GIVE OUR AUDIENCE A BRIEF OVERVIEW OF 3DVIA AND 3D—HOW DOES IT WORK?
It’s important to start with the concept of 3D and it really is everywhere today—it’s not just for the engineers of the world. You’re seeing 3D in games, you’re seeing 3D movies and we live in a 3D world. The promise of 3DVIA, as part of Dassault Systèmes, is really to look at how we can empower new communities of users, outside of engineering, to engage with 3D and how to use 3D to help tell compelling stories.
This is essentially what we call a lifelike experience where we want to be able to tell real stories about real products and how they work in the real world. This concept of lifelike experience provides relevance because you really want people to learn, understand and experience things, and that starts to happen when users begin to demand lifelike experiences and companies begin to adopt 3D-based technology to create them. It helps with the pervasive use of 3D in very effective ways—not just for entertainment, but also to add value to learning and education. What we’re doing with 3DVIA is
3D ■ ASK THE EXPERT
democratizing this use of 3D and helping industries and companies to reach this potential, in other departments, so that they can leverage the 3D data that their engineering departments are creating. This leveraging of 3D helps these other divisions, customers and suppliers to create robust communications that inform them about what their products are doing; how to engage with them; how to explain their products’ main capabilities; the concepts of how to build or service them, get replacement parts and so on. With 3DVIA Composer we have the technology to leverage and share this 3D engineering data by providing a tool for nonengineers to use. We’re making it very accessible for new stakeholders and new communities of business users to take advantage of 3D and providing a way to keep all that information upto-date, so that as engineers make their changes, other users can receive them and update all of their documents, instructions and other technical communications. 3DVIA Composer is about taking what are traditionally very manual and very disconnected processes—different departments, digital photos of real prototypes, manually-created sketches, diagrams, technical illustrations—and replacing that with 3D technology to create those types of assets and keep them up-to-date. Companies become more effective by reusing 3D data in this fashion and they don’t have to change their processes to get immediate savings. Companies then start to evolve their traditional documents and improve them through telling their story in 3D—and that provides more informative, more interactive and more engaging content. The idea here is to not just use 3D for 3D’s sake, but to use 3D to create a powerful story that’s engaging, informative and interactive. We are empowering these groups to create “interactive product experiences.” And that’s really going to change the way businesses work. AK: WHAT ARE THE MAIN BENEFITS FOR BUSINESSES THAT ARE LOOKING TO IMPLEMENT THIS TYPE OF TECHNOLOGY?
First of all, we are still engaged in educating companies about what is possible. We’re really battling the analogue way of thinking—where people are used to traditional processes, or propagating the traditional status quo. We’re helping companies understand how 3D can improve their operations. Once we start to explain that to them and how they can easily reuse 3D by getting new
people working with it and understanding it, you get comparisons to when 3D CAD first came on the scene. Twenty years ago when engineers were using 2D drafting tools, many thought 3D CAD wasn’t needed, and that they could still do everything they needed to do in 2D. Today, if you’re not using 3D for design and helping to manufacture and build all of those design-related elements, you’re not going to be very successful or competitive in revamping and creating new products. So this type of paradigm shift to 3D, which has happened in engineering already, is starting to happen outside of engineering and it is helping to speed up the creation of content for technical communications. Once you start to speed up that creation process, documentation doesn’t become a critical path action. You can ship products on time with complete documentation, and you can start building products sooner because you’ve actually built the assembly documents more quickly, people can understand them more quickly, and they can start building them with a minimal amount of training. You have better instructions if you’re using 3D, you can improve the comprehension, productivity and basically every aspect of how people are interacting with your product across your lifecycle.
“The idea here is to not just use 3D for 3D’s sake, but to use 3D to create a powerful story that’s engaging, informative and interactive.”
AK: I’D LIKE TO TOUCH ON THE BOTTOM LINE BECAUSE I KNOW IT’S STILL A CONCERN FOR MOST BUSINESSES TODAY. HOW IS 3D A COSTSAVER?
I’m glad you asked this question, because this is where the rubber hits the road. Think about technical illustrations which are really the main way a company describes what you need to do with a product. When using 3D to create these illustrations, many companies are telling us that they’re seeing an 80% reduction in the time it takes to create them—more typically it’s a 50% reduction. I had one company tell me that it took three months to do their designs in CAD, and three months or more to build the assembly instructions because they were taking digital photos of 400 parts and then assembling them, taking photos at each step, embedding the photos into a Word document, and annotating them from there—it was a very painful process.
You’d be surprised how many companies do this sort of thing because they have no other way. After giving these non-engineers 3DVIA Composer, they can now build their assembly documentation in weeks instead of months and get that product out the door more quickly. That translates not only into a speed improvement in terms of productivity, but with the 3D technology they can incorporate and rollout changes as much as 90% more quickly than they were able to do with photos and printed documents. Then, when a shop floor worker is actually building these things, an 80% improvement in efficiency, or 50%, or even 20%, are huge improvements. If you start adopting 3D and delivering your instructions and information in 3D, you’ll have more engaging, informative and interactive instructions, and this provides better education which in turn lets people perform their tasks more efficiently. I had one company tell me that by doing things correctly the first time, by brand new users and experienced users alike, they had an overall improvement of 25%. That’s 25% less errors first time around, because they have better instructions. When you repeat this over and over again for the hundreds of workers that are operating with instructions for assembly, service or operation, you have a monumental change and a huge improvement in the costs of your business. AK: CAN YOU GIVE US A CASE STUDY THAT HIGHLIGHTS HOW 3DVIA WORKS AND WHAT IT HAS ACHIEVED SO FAR?
Definitely, and this is very typical of many of the customers that we’ve worked with. I’ll pick one in particular—it’s a company called KaVo and they’re a medical device company based in Germany. They have offices worldwide and have been in the business for 100 years, providing dental equipment. They really pride themselves on excellence of design and the quality they deliver. What they would do is take a CATIA assembly that they were working with in their engineering department and build a traditional engineering drawing from that—time consuming when you’re detailing things out in a 2D world—but the engineering drawing was not really good enough to tell people how to assemble things. So the manufacturing side had to take those 2D engineering drawings and re-work them into illustrations and images to help with the step-by-step assembly processes. These groups didn’t regularly use CATIA—which is really more for engineers to use—and when trying to work in a 2D world it was taking a long time to get things done. When they went from CATIA 3D into 3DVIA Composer, they were able to create all of their instructions in 3D—what they wanted to do, explaining to users what to watch out for, showing where to install components and so on—thereby eliminating the need to build 2D illustrations. The traditional time and effort of manually producing 2D technical documentation has been eliminated and that’s resulted in a 50% improvement for them, because it’s faster to build these things in 3D. They also deliver the instructions in 3D, so they don’t have to deliver manuals and papers—they just have to provide an updated 3D document. What’s really important with this use case, and we get this all the time from our users, is the community that is accepting this instruction has a really favourable adoption. They really love the interactive instructions created by 3DVIA Composer and it’s improved their way of working. User adoption is key for any new technology and our users are very, very impressed and enjoy using the technology—both from authoring content and consuming it. The time reduction comes from actually
building the instructions in 3D, and even though they still need to create technical publications for traditional printed materials, all their work in 3D can be easily published out into various forms of 2D. From an IT involvement and integration viewpoint they have ENOVIA, which is Dassault Systèmes PLM system to manage the product lifecycle and processes. So ENOVIA is delivering data and informing people on the design side, but they also have SAP, which is managing all the change orders and the product lifecycle on the engineering side. 3DVIA Composer is a great way to link the engineering world with the manufacturing world and tie all of this data together so that all the communications, information and instructions are delivered and controlled in a very tight fashion from an IT perspective.
“3DVIA Composer is a great way to link the engineering world with the manufacturing world...”
AK: THAT’S A GREAT EXAMPLE OF 3DVIA COMPOSER AT WORK. NOW LET’S LOOK TO THE FUTURE. WHAT WILL YOU BE FOCUSSING ON THIS YEAR, AND WHERE DO YOU SEE 3D GOING IN THE FUTURE?
On the Composer side, related to what I just referred to with KaVo integrating into their IT environment, we just announced late last year an integration with 3DVIA Composer and ENOVIA SmarTeam. That’s going to simplify work for companies that have SmarTeam and want to take advantage of this technology because it’s much easier now to get started. We’re making sure that 3DVIA Composer can be installed and operational in hours, the training is one or two days, and people are up and running and extremely productive. Hooking it into the IT backend, 3DVIA Composer is fully XML compliant and there are a lot of things you can do. We have automation technologies and while there’s usually some IT effort involved in connecting all these things, IT people love it when they understand our architecture. And by providing an out-of-the-box type of integration, it simplifies that effort. Moving forward in 2010 we’re going to make sure that all of our sales channel partners are
ell your story...in 3
ASK THE EXPERT ■ 3D
capable of deploying this SmarTeam integration, and we’re also continuing to evolve and develop our strategy of PLM 2.0, as it is on the Dassault Systèmes V6 platform. Additionally, 3DVIA Composer is a very customer-orientated product and we continue to get suggestions from customers to improve the user experience. On a broader note and back to 3DVIA in general, 2010 is going to be a very big year for us. We recently surpassed 20,000 3D models on 3DVIA.com. That’s very important because when you want to get communities of new users working with 3D that don’t have access to build 3D, we provide the free tools and models—after all, without content how can you build an experience? So 3DVIA.com is our platform to connect new communities of 3D enthusiasts and you’re going to see some very interesting things happen this year. When you have bigger demand and usage of 3D in the general population, you’re going to have new generations of people coming into businesses that are used to working in 3D. When that happens, there’s going to be a whole set of people that are energized to help operationalize 3D in companies and transform how they operate.
Garth Coleman DIRECTOR, CHANNEL MARKETING, 3DVIA Dassault Systèmes
Garth is the Director of Channel Marketing for 3DVIA at Dassault Systèmes. In this role, he manages all aspects of product marketing for 3DVIA Composer, manages the North American pre-sales support team, and is responsible for maintaining 3DVIA’s market leadership in innovative, interactive 3D applications which demonstrate lifelike experiences. Garth holds a Bachelor of Engineering and Society in mechanical engineering from McMaster University in Hamilton, Ontario, Canada, and an MBA from Babson College in Wellesley, Massachusetts, USA.
“What about putting a gym in the plane?” Laura, age 10. With 3D, your customers are your best designers. Working in 3D lets you integrate your customers’ preferences into your project more easily than ever, even online. Together, you can create, share and experience your ideas - all in 3D. With Dassault Systèmes solutions, your company is empowered by a new, universal language to invent the products of the future. Discover SolidWorks, CATIA, SIMULIA, DELMIA, ENOVIA and 3DVIA at www.3ds.com © Dassault Systèmes 2010. All rights reserved. CATIA, DELMIA, ENOVIA, SIMULIA, SolidWorks and 3D VIA are registered trademarks of Dassault Systèmes or its subsidiaries in the US and/or other countries.
ANALYST FEATURE ■ CLOUD COMPUTING
Cloud computing for skeptics T
he opinion on cloud computing is divided, and while it can deliver significant economic benefits, it’s not for every organization. PAUL BURNS (NEOVISE) sets the record straight for companies considering this approach to delivering IT.
he National Institute of Standards defines IaaS as follows:
“The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications and possibly limited control of select networking components (e.g. host firewalls). ” For more information on cloud computing, PaaS and SaaS see: http://csrc.nist.gov/groups/ SNS/cloud-computing
CLOUD COMPUTING ■ ANALYST FEATURE
hile cloud computing has come to the forefront of IT industry discussions in the last year or so, not everyone has bought in to the concept. In fact, many IT professionals remain blatantly skeptical. Web searches for “hate cloud computing” and other similar terms reveal many forms of distaste. A comment posted to Twitter expresses the sentiment quite well: “For the record, I hate cloud computing and I think it’s fake.” Even Larry Ellison, fabled CEO of Oracle, has bashed cloud computing by calling it “water vapor.” In direct opposition to the skeptics are the fanatics who suggest cloud computing is the one and only best approach to delivering IT. Some cloud enthusiasts claim that cloud computing provides infinite capacity. Others assert that it is the least expensive approach to IT delivery. Still more conclude that cloud computing is quickly making the traditional IT organization obsolete. For most companies, the truth can be found somewhere between these two extremes. However, since no two IT departments are alike, there is no single best approach to cloud computing. Differences in IT organizations include size and complexity of the managed environment, level of automation, process maturity and more. What works for one company may miss the mark for others. In order to make rational decisions about cloud computing, each IT organization must make its own determination of the value—or lack of value—offered by cloud computing. To do this, IT leaders must first understand how cloud computing is different compared to traditional forms of IT. Three primary cloud computing service models have emerged: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). While each of these approaches have key differences relative to their predecessors in traditional IT, understanding the unique characteristics of IaaS is foundational to the entire notion of cloud computing. This may be a difficult starting point for the most extreme skeptics. After all, their primary battle cry is simply that there are no significant differences offered by cloud computing. Yet without recognition of the fundamental differences, there would be nothing left to discuss.
TECHNOLOGY DIFFERENCES When IaaS is boiled down to its technical essence, resource pooling, multi-tenancy and
elasticity are the remaining elements. Taken together in the context of application resource provisioning, these elements demonstrate how IaaS really is something new and different. Traditionally, each application is assigned a fi xed set of dedicated servers. To ensure high levels of performance during periods of peak demand, more server resources than needed on average are allocated to each application. By regularly over-provisioning in this manner, IT costs become excessive even while resources are underutilized. Through resource pooling, individual servers are brought together in a single logical pool to be shared by multiple applications. The idea is for each application to use only the amount of compute resources it actually needs at any given time. In this way, unused capacity becomes available for all applications to share. Since applications tend to encounter peak demand at different times, the total number of servers reserved for peak usage can be reduced. With a sufficient number of applications sharing a pool, the available excess capacity can be far more than any single application could ever use by itself. Some fanatics refer to this as infinite capacity. Even though this may appear infinite from the perspective of any given application, the resources are not actually infinite. Resource pooling provides the foundation for multi-tenancy. At a high level, multi-tenancy simply means sharing resources by more than one entity. In the context of IaaS, multi-tenancy can have a variety of meanings with subtle distinctions. To simplify, the most common case is used: a public cloud computing environment where IaaS is offered to multiple customers through a shared pool of physical servers that have been virtualized. In this case the shared resource is not just the overall pool, but the individual servers that make up the pool. In other words, multi-tenancy allows applications from separate
customers to run on virtual machines (VM) on the same physical server. This means different companies will share the same physical server. This level of multi-tenancy provides the flexibility to assign workloads to the most under-utilized servers. Elasticity means that the resources consumed by an application can both grow and shrink. Changes in resource consumption are typically driven by changes in demand for the application. The traditional method for handling elasticity is the combination of scaleup and scale down. Scaling-up involves moving an application to a more powerful server, and scaling down involves moving the application to a less powerful server. With IaaS, the predominant form of elasticity is scale-out and scale-in. Scaleout happens when an application utilizes additional servers to increase capacity or maintain performance as demand increases. Scale-in happens when the application releases unneeded servers as demand declines. Applications must be designed and written specifically to take advantage of scale-out and scale-in for elasticity. There are certainly other IT offerings that share some—but not all—of these technical capabilities. Cluster computing, for instance, depends greatly on resource pooling. However, clusters have traditionally been built with a relatively small number of tightly integrated, high performance servers that run one CPU intensive application at a time. Compute clouds, on the other hand, are typically built with larger numbers of loosely integrated, commodity servers in order to run many different types of applications at the same time. In other words, clusters generally lack multitenancy and cluster applications are not typically elastic. It would be incorrect to equate cloud computing to cluster computing. While other forms of computing may share some common technical attributes, IaaS remains fundamentally different. By now, even strong skeptics should understand that cloud computing—and IaaS in particular—really is something new. Of
“… IaaS can deliver strong value and game changing economics when applied appropriately.”
ANALYST FEATURE ■ CLOUD COMPUTING
course, all good skeptics know that being new or different in the world of technology is not always the same as being good or useful. Fortunately, the key differences with IaaS (resource pooling, multi-tenancy and elasticity) also carry with them some additional benefits.
IAAS BENEFITS As with the technology differences, it is most helpful to skeptics if the unique benefits of IaaS can be separated from the more common benefits. This can be challenging since every technology available is ultimately meant to offer some form of advantage. Generic technology benefits often fall into the categories of better, cheaper or faster. All of those are valuable, of course. But how often does a new technology or business model make a sizeable positive impact to the underlying economics of IT? Simply raising this question is sure to put skeptics on the defense. That initial response is reasonable because there have been too many claims in the IT industry where the latest and greatest technology over-promises and underdelivers.
“What works for one company may miss the mark for others.” Take a look at the IT unit cost curve in Figure 1 to see how shared, public IaaS environments begin to change the economics of IT infrastructure delivery. The x-axis represents how many units of IT are delivered in a given scenario. For example, with a virtual server hosting scenario, units of IT represent how many virtual servers are delivered. The y-axis represents the average unit cost for the number of virtual servers given on the x-axis. The blue curve shows a traditional IT environment where unit costs are very high in low-scale environments. It also shows how large scale traditional IT environments result in low unit costs. In other
Diagram 1 - Unit Cost Curve for IT
words, for traditional IT environments, higher scale drives lower costs. Now consider the red curve which represents the cost of obtaining different numbers of virtual servers from a public IaaS provider. In this case, the cost to the IT organization is the price paid to the IaaS provider. Notice that this “curve” is really a flat line where unit costs do not vary based on scale. Whether using one server or 100 servers, the unit cost remains the same from the buyer’s perspective. Also notice that the IaaS provider curve is much lower than the traditional IT curve for small scale environments. This is because fixed costs represent a large portion of total costs when the IT environment is small. On the other hand, the IaaS provider has a huge advantage and can offer a single unit of IT to a small customer for a very low price. This is because the IaaS provider is able to spread its fi xed costs over many customers. Then
Paul Burns PRESIDENT AND FOUNDER Neovise
the provider only has to add a small amount of variable cost (the small additional cost of providing one more unit of IT) and a profit margin to arrive at its selling price.
CONCLUSION Simply put, cloud computing provides new and unique technical capabilities that provide key economic benefits when applied to the right scenarios. Unfortunately, some skeptics have become disenchanted with cloud computing without understanding its potential. This has happened in part due to fanatics making claims that are, at the least, not accurate in all scenarios. Contrary to what some fanatics say, cloud computing is not the one and only best approach to delivering IT. However—through a combination of resource pooling, multi-tenancy and elasticity—IaaS can deliver strong value and game changing economics when applied appropriately.
Neovise is an IT industry analyst firm that uniquely adds business perspective to technology. Paul works closely with executive leaders from vendors and service providers to understand, evaluate and provide input on their solutions. Paul has nearly 25 years experience in the software industry, driving strategy for enterprise software solutions through product management, competitive analysis and business planning. He has held a series of leadership positions in marketing and R&D, and spent two years as Research Director/Senior Analyst at another firm immediately prior to founding Neovise. Paul also writes articles for industry publications and speaks at industry events. He earned both B.S. in Computer Science and M.B.A. degrees from Colorado State University.
What’s New What’s Next see it at INterop
Don’t miss the leaDing business technology event See the full range of IT solutions, learn what’s new and identify technology must-haves for your business. Interop is the only event to give you a comprehensive and unbiased understanding of the latest innovations— including cloud computing, virtualization, security, mobility and data center advances—that will help position your organization for growth.
save 30% or get a Free expo pass Register with priority code CNJXNL01
*30% off discount applies to Flex, 4-Day and Conference Passes. Discount calculated based on the on-site price and not combinable with other offers. Proof of current IT involvement required. Prices after discount applied: Flex: $2,306.50 | 4-Day: $2,026.50 | Conference: $1,606.50
coNFereNce tracks: • application Delivery
• Cloud Computing • Data Center • enterprise 2.0 • Governance, Risk and Compliance • Green it • it security and Risk Management
• Mobile Business • Networking • storage • Video Conferencing • Virtualization • VoiP and Unified Communications
©2010 TechWeb, a division of United Business Media LLC.
HEAD TO HEAD ■ IDENTITY AND ACCESS MANAGEMENT
AK: JOE, FOR THOSE IN OUR AUDIENCE NOT ENTIRELY FAMILIAR WITH IBM’S DEFINITION OF IDENTITY AND ACCESS MANAGEMENT, CAN YOU GIVE THEM YOUR DEFINITION AND PERHAPS ITS IMPORTANCE IN THE MARKET?
most importantly, what they do it to. If an organization doesn’t have a good grasp on identity and access management then they significantly increase the risk of a security breach from those people that have access to their systems.
Identity and access management is really the process of verifying and trusting identities, managing what they can do, when they can do it, where they can do it from, and
AK: I THINK FROM WHAT I’VE SEEN AT ETM A LOT OF PEOPLE STRESS THAT THE MANAGEMENT SIDE IS ONE OF THE MOST IMPORTANT PARTS.
ooking for one identity and access management solution that reduces cost, strengthens security, improves productivity and addresses compliance requirements? JOE SKOCICH (IBM TIVOLI) talks to ETM’S ALI KLAVER about his take on identity and access management and how IBM can help you. WHAT DO YOU THINK ARE THE MOST IMPORTANT ASPECTS OF IDENTITY AND ACCESS MANAGEMENT TODAY? AND WHAT WOULD YOU SUGGEST THAT COMPANIES FOCUS ON WHEN THEY’RE LOOKING AT A NEW SOLUTION?
For the most part, organizations understand the importance of managing identity and access, and most have some idea of
IDENTITY AND ACCESS MANAGEMENT ■ HEAD TO HEAD
who has access to their systems. But today, regulatory compliance is governing many businesses and organizations, and those regulations are creeping more and more into the world of IT security. For example, the payment card industry standard, or PCI as it’s known, is a great example of that. There are very specific IT security requirements in that set of regulations that we know in the industry as the “digital dozen”. Also, many of the money laundering regulations are requiring further background checks on who an organization does business with. So I would say that reporting, and the ability to report based on compliance, is a very important aspect when considering an identity and access management solution. The reporting should not just be on what users have access to, but the identity and access management system needs to report on what users—and privileged users—are doing with that access. Once the governance process is in place to properly manage the identities and access, organizations must then recertify that access on a regular basis. This recertification needs to be out of the box in terms of capabilities, just like one would find in basic provisioning and de-provisioning capabilities. Finally there needs to be a closed-loop capability in the identity and access management solution. What I mean by that is that there must be a constant and automatic reconciliation of the way things are, compared to the way things should be. This prevents the insiders and privileged users from circumventing the policies and procedures that you’ve worked so hard to put in place.
ACCESS MANAGEMENT IS A FORM OF SECURITY, BUT IT ALSO TOUCHES OTHER ASPECTS OF THE BUSINESS ACROSS THE BOARD SUCH AS BUSINESS INTELLIGENCE; GRC; IT SERVICE MANAGEMENT, AND MANY MORE. I’M SURE THIS IS AT LEAST CONFUSING FOR THOSE SMBS OUT THERE WHO ARE JUST STARTING TO LOOK AT IMPLEMENTING RELEVANT TECHNOLOGIES, BUT DO YOU THINK THERE’S AN EASIER WAY TO LOOK AT IT, AND HOW WOULD YOU COUNSEL THEM?
Tivoli Access Manager for Enterprise Single Sign-On: >Reduces password-related helpdesk costs by lowering the number of password reset calls >Strengthens security and meets regulations through stronger passwords and an open authentication device interface with a wide choice of strong authentication factors supported out of the box
First and foremost I think the important thing for SMB organizations to understand is that SMB organizations and large organizations share a common thread. They must adhere to the same regulations, and also have risks of identity and access management. So what SMB customers do in identity and access management is critical to the objectives they have in Governance, Risk and Compliance and IT service management. The solutions that are out there are priced such that very small organizations spend the same in proportion to the large organizations. But where I think the SMB organizations have an advantage is that it’s probably a lot easier and a lot quicker for them to tackle a complete identity and access management deployment because there are generally fewer moving parts to deal with.
>Facilitates compliance with privacy and security regulations by leveraging centralized auditing and reporting capabilities >Improves productivity and simplifies the end-user experience by automating sign-on and using a single password to access all applications >Enables comprehensive session management of kiosk or shared workstations to improve security and user productivity >Enhances security by reducing poor end-user password behaviour
“We have many examples of where user provisioning has reduced the human errors.”
AK: YOU’VE BROUGHT UP SOME REALLY IMPORTANT POINTS, AND PCI IN PARTICULAR CAN BE REALLY TRICKY. I’VE HOSTED QUITE A FEW PODCASTS RECENTLY WHERE PEOPLE TALK ABOUT BEING COMPLIANT AND TICKING ALL OF THOSE BOXES, BUT THEN STAYING COMPLIANT IS A COMPLETELY DIFFERENT MATTER. AND OF COURSE, IDENTITY AND
>Extends IBM Tivoli® Access Manager for e-business’s finegrained authorization and entitlements for web applications by fully addressing single sign-on across all types of applications >Enables end-to-end identity and access management by integrating the centralized identity management functions of IBM Tivoli Identity Manager with Enterprise Single Sign-On and access automation
AK: OF COURSE, THAT’S A GREAT POINT AND IT IS EASIER FOR AN SMB ORGANIZATION TO START OUT AT LEAST. NOW THAT OUR AUDIENCE HAS A PRETT Y GOOD GRA SP OF THE BASICS, CAN YOU TAKE US THROUGH THE STEPS THAT YOU THINK AN ORGANIZATION NEEDS TO ACHIEVE TO MAINTAIN SUCCESSFUL IDENTITY AND ACCESS MANAGEMENT?
>Operating systems supported: Windows. To access a demonstration of Tivoli Access Manager for Enterprise Single Sign-On, go to: www-01.ibm.com/software/ tivoli/library/demos/tamoverview.html?S_CMP=rnav
At the first level, an organization needs to understand which systems are most sensitive and critical to their well being. We’ve seen a
HEAD TO HEAD ■ IDENTITY AND ACCESS MANAGEMENT
number of these “boil the ocean” identity and access management deployments end up going south because it took too long. My advice has always been to start with your basics and the ones that are most sensitive and then add accordingly, after you have a complete identity and access management system in place—one that has exactly the kind of detailed reporting to help you achieve your compliance objectives. The components one would expect to see in a complete identity and access management solution would be user provisioning, single sign-on, federation, web access controls, as well as a security information and event management reporting, or SIEM, tool. Get this in place with your most sensitive applications and then add the others as you go along. That would be my advice.
reduced the human errors. The customers that are using our security information and event management solution have reported a significant reduction of risk because they can easily identify the parameters and the scenarios to look for that put the organization at risk. We’re also hearing about big improvements of service from our customers using our single sign-on and federation capabilities. It’s no secret that if an employee is happy with the systems that they use, that mood is passed on to the customers they serve. Last April IBM made the identity and access management solution much easier and cheaper for customers to put in place. Today, a customer can get one solution from IBM called Identity and Access Assurance, that comes complete with user provisioning, single sign-on, federation, access control and reporting. All of these are available in one package for less than half of what it would cost if a customer went best-ofbreed on these solutions.
“My advice has always been to start with your basics and the ones that are most sensitive...”
AK: THANKS JOE, SOME GOOD POINTS THERE. NOW I THINK IT’S A GOOD IDEA TO GET DOWN TO SPECIFICS. A LOT OF ETM MEMBERS LOVE HEARING ABOUT CASE STUDIES, SO CAN YOU PERHAPS GIVE SOME EXAMPLES OF GOOD IDENTITY AND ACCESS MANAGEMENT AT WORK? HOW DO YOU THINK IBM HAS REALLY CHANGED THE WAY ORGANIZATIONS SEE THIS ASPECT OF SECURITY?
Well first of all, identity and access benefits to the organization should include an improvement in operational efficiency. There should be a reduction of risk, and overall improvement of service. This is what we are seeing from our customers. We have large and small organizations telling us that a single sign-on solution has given them big returns on that investment in a short amount of time. They’re seeing two to three less calls to the helpdesk per year per employee. The savings they see are half of what they pay per employee for the single sign-on solution. We have many examples of where user provisioning has
AK: I LIKE YOUR POINT THAT IF AN EMPLOYEE IS HAPPY WITH THEY SYSTEMS THEY USE IN THE WORKPLACE, THEN THAT IS PASSED ON TO THE CUSTOMER. FOR OUR FINAL QUESTION, LET’S LOOK TO THE FUTURE. TELL ME,
WHAT WILL YOU BE FOCUSSING ON THIS YEAR, AND WHERE DO YOU SEE THE FUTURE OF IDENTITY AND ACCESS MANAGEMENT GOING? CONSIDERING THAT NEW TECHNOLOGIES ARE REALLY ALLOWING US TO BE A LOT MORE MOBILE, BOTH IN WORK AND PERSONAL LIFE, DO YOU THINK THIS HERALDS A NEW AGE FOR TECHNOLOGY?
Well certainly, pervasive computing represents one of the biggest challenges for security professionals. This notion of data anywhere and at any time could become the CIO or CSO’s nightmare. But the improved methods of collaboration also help an organization to operate more efficiently and effectively. Because the data is what the bad guys are after, we must continually improve how data security and identity and access management complement one another. IBM has focussed on making improvements here, with integration between technologies in our Information Management brand and Tivoli’s identity and access management solutions. Unstructured data, data classification and identity management will work hand-in-hand with IBM. Bringing together the intrusion detection and intrusion prevention technologies and web access technologies is another area that we’re focussing on. We’re combining the best of the technologies from the IBM Internet Security Systems and the Tivoli brands so that we create secure connections so users can use whatever device they choose. These are just some of the examples of what we’re doing that are improving how we view security today.
Joe Skocich WORLDWIDE IDENTITY AND COMPLIANCE STRATEGIST, TIVOLI IDENTITY MANAGEMENT AND TIVOLI ACCESS MANAGER FOR ENTERPRISE SINGLE SIGN-ON IBM Tivoli Joe has been providing identity and access management solutions to large complex organizations for the last 12 years. At IBM, he has been tasked with bringing new security technologies to market since 2002. These include those coming by way of acquisitions as well as those developed organically by IBM. He is currently the IBM Tivoli Executive responsible for global sales of Tivoli Identity Management and Tivoli Access Manager for Enterprise Single Sign-On.
INFORMATION SECURITY – ARE YOU BEING SMART ENOUGH?
Working smarter has never been so important and security so crucial when it comes to safeguarding and growing your business. • Smart spending to justify and get value from budgets • Smart optimization of your technology, processes and resources • Smart people – education, training and awareness
Register free* to attend now at:
www.infosec.co.uk Organised by:
CELEBRATING 15 YEARS AT THE HEART OF THE INDUSTRY EUROPE’S NO.1 INFORMATION SECURITY EVENT
27 – 29 April 2010 Earls Court London | UK
ASK THE EXPERT ■ CYBERCRIME
Fighting back on cybercrime T
he threat of cybercrime is a risk most organizations deal with on a daily basis, but is there anything we can do about it? ED ROWLEY (M86 SECURITY) tells ETM’S ALI KLAVER that it is possible to stay safe, and within your budget. http://www.GlobalETM.com
CYBERCRIME ■ ASK THE EXPERT
K: TELL US ABOUT THE STATE OF CYBERCRIME TODAY. WHAT DO YOU THINK MOTIVATES CYBERCRIMINALS?
Let’s start by looking at the state of cybercrime. At last year’s World Economic Forum in Davos, Switzerland, they estimated that online theft cost one trillion US dollars per annum—that’s more than the combined GDP of Australia and New Zealand annually. This has resulted from an increase in online business. The internet has become prevalent in almost all areas of society and business is conducted more and more on the internet and in shorter time. If that’s where the money is, that’s where the criminals appear. The state of online crime has also changed with the technology. We’ve all heard of phishing attacks and hacked websites—this has now moved on to infecting machines with viruses or Trojans that add fields to forms on banking websites on the PC itself rather than on the website. We’ve also seen software-as-a-service emerge and there are criminals hiring out their services as a cloud-based technology for other criminals who don’t have the technological capability, but still want to use the internet to perpetrate crime. In terms of what motivates them—10 to12 years ago the virus writers were a bit like graffiti artists, they were doing it for notoriety. Now, it’s all about the money. There are huge criminal organizations out there that are able to fund an army of very good developers. It’s big business for them and they will follow the money. AK: I’M SURE OUR AUDIENCE WANTS TO HEAR ABOUT A WAY TO STOP IT. ARE FIREWALLS AND ANTI-VIRUS PROGRAMS ENOUGH TO STOP AN ATTACK?
Firewalls and antivirus are an integral part of security. They need to be kept up-to-date but are no longer sufficient in themselves. We’re seeing socially engineered, targeted attacks against individuals or individual organizations. This means the traditional approach of simply relying on firewalls and antivirus is not enough. Consider blended threats for example—an email with a URL in it that links to a malicious website. This email has no attachment for an antivirus engine to scan, nor should the firewall block it because as far as it’s concerned this is just an email. This email will go straight to
the end user, the user will click on the link, be directed to the website, and then become the victim of a drive-by web infection. Similarly, criminals are not always simply concerned with financial transactions. They might be interested in the intellectual property of an organization. Companies need to put in place software or technology that will help them protect their content as it moves around the internet. It’s also important to remember that, above and beyond technology, it’s usually people that are considered the weak point by criminals and are therefore targeted, so it’s very important to educate the end users in an organization. Training people and putting in place a proper security policy that employers can adhere to is vital, and it’s an essential part of a secure network. Organizations should also keep an eye on the news to understand the nature of the changing threat. Criminal organizations are changing their approach to hacking, or scamming people using technology, so it’s always good to be aware of what they’re doing. Also—consider good old patch management. Quite often there are vulnerabilities in operating systems and other products. Organizations need to make sure they get patched because these are exploited very quickly by criminal gangs. AK: CAN YOU RUN US THROUGH THE MAIN BUSINESS RISKS OF CYBERCRIME?
with that—the downtime of the PCs, perhaps overtime paid to IT staff and so on. AK: PROTECTING SENSITIVE DATA IS EVEN MORE IMPORTANT NOW AS BUSINESSES DEPLOY REMOTE WORKING ENVIRONMENTS AND EMPLOYEES ARE BECOMING MORE MOBILE. SO HOW CAN ORGANIZATIONS PROTECT THEMSELVES AND THEIR EMPLOYEES FROM CYBERCRIME ON A MOBILE LEVEL?
As network de-perimitization becomes increasingly common, this is something that businesses have to face. However, there is technology that will allow them to ensure that remote users, small satellite offices or people on the move can be treated in a similar, if not the same, fashion as in-house employees irrespective of where people are. Increased broadband speeds and better VPN technology means that it is now acceptable for many organizations to force their users to connect to a VPN. Additionally, there are a number of cloud-based technologies out there like Finjan Vital Cloud and software-asa-service that can ensure remote users have the same level of protection. Organizations should find themselves in the clear as long as they focus on what I call the “three P’s”; people, protection and
Primarily there’s loss and theft of money. And let’s remember that cybercrime is still crime, and people are still trying to gain pecuniary advantage from perpetrating it. So loss of money is the principle risk. However, loss of information or sensitive data is also key. Imagine you’re Coca Cola for example—if your secret recipe gets leaked, that’s your business down the drain. You want to maintain your sensitive, confidential information, especially if it gives you a competitive edge. An off-shoot is that sensitive data may be subject to industry or legal regulations, such as the Data Protection Act, PCI or HIPAA. You’ve got to secure your content at the risk of a fine. Likewise, if you’re responsible for leaking information, your reputation may suffer. Slightly more obscurely, as cybercrime impacts employees, you might find a hit on staff productivity as they’re trying to work with the effects of cybercrime. Finally, when a virus or security loophole is discovered, there are clean up costs associated
Ed Rowley PRODUCT MANAGER M86 Security Ed has been with M86 Security since April 2007. With over ten years of extensive sales engineering and technical expertise in IT security, Ed plays a pivotal role in Product Management at M86. His main role is to facilitate the inclusion of customer feedback and requirements into the product development roadmap, and he is also the global product manager lead for M86’s email security solution— MailMarshal SMTP. Prior to M86, Ed held technical and sales engineering positions in Sophos, CipherTrust and Secure Computing. 63
ASK THE EXPERT ■ CYBERCRIME
policy. Train the people. Put in place various degrees of protection at different levels—at the desktop, at the gateway and in the cloud where appropriate—and have a straightforward policy that everyone understands and is trained on. AK: LET’S DO A QUICK SEGUE INTO THE CURRENT ECONOMIC CLIMATE, BECAUSE I KNOW IT’S AN IMPORTANT FACTOR. DO YOU THINK BUDGET CUTS WILL RESULT IN COMPROMISED SECURITY, AND WHAT CAN BUSINESSES DO TO MAXIMISE THEIR SECURITY STRATEGY WITHOUT REALLY AFFECTING THE BOTTOM LINE?
One big change we’ve seen is that a large number of companies seem to be outsourcing not just their IT security, but their whole IT department. Also, people have been using cloud-based solutions. Again, they can control their costs and reduce capital expenditure. Cloud-based solutions such as MailMarshal SPE and Finjan Vital Cloud mean that companies can revise how they spend their security budget. Similarly, and this is something I’m a real proponent of, most companies have something like an email gateway that has been brought in for a point solution. I’m really keen for people to realize that these products are capable of doing far more than what companies have ever used them for. A simple reconfiguration, and perhaps reading the manual, will allow companies to maintain a great level of security without spending a single additional penny because they’ve already got a solution in place. Spam is a great example of that. You’ve got
email coming in, and most anti-spam products will be looking at the content of that email, so we’re already doing content analysis. If you’re worried about credit cards or other information leaving an organization, it’s still content within an email, so you can configure these products to look for different types of content, and they’re more than capable of doing that. AK: YOU MENTIONED THE IMPORTANCE OF FINANCIAL ONLINE SECURITY AND I JUST WANT TO TOUCH ON WHETHER YOU THINK ONLINE BANKING IS REALLY SECURE THESE DAYS? WE KNOW CONSUMERS AND SMALL BUSINESSES ARE BEING TARGETED, AND ETM MEMBERS ARE CRYING OUT FOR HELP WITH COMPLIANCE TO VARIOUS REGULATIONS. HOW CAN YOU HELP THOSE PEOPLE AND ORGANIZATIONS CONCERNED ABOUT THEIR ONLINE SECURITY, AND BANKING IN PARTICULAR?
Well, as prime targets, banks are extremely aware of the security issues surrounding online business, so they’re probably more secure than most. The problem really lies with cybercriminals targeting banks’ customers. Good old phishing attacks with links to a fraudulent website have been causing problems for many years. Pharming attacks followed that, where legitimate requests would be directed to a fraudulent website. Similarly, there have been reports of cleaning staff that have been paid to install key loggers onto machines and record information. To be really secure people need to know what to look for. It comes back to training people to understand what a phishing email looks like. It’s hard to believe, but some people still fall victim to lottery scam emails—if it sounds too good to be true, it probably is. From a compliance perspective—PCI, HIPAA and the Data Protection Act— most of it is little more than having in place a basic set of good security practices. Having antivirus, using a firewall, putting in place gateway protection with some content filtering that will search for credit card information, and so on. It’s really straightforward and usually requires a lot less work and investment than people expect. From a banking perspective, businesses and consumers alike should never be afraid to contact their bank. And always remember that a bank
“A simple reconfiguration, and perhaps reading the manual, will allow companies to maintain a great level of security without spending a single additional penny...” 64
will never ask you for your account password by email or phone. Then it’s down to the simple things like making sure your antivirus is up-to-date, understanding what to look for, looking for that padlock in your browser and using gateway products to control traffic. It may well be worth investing in something like that. M86 Security deals with looking at and identifying fraudulent applications or websites as they’re accesse AK: LET’S LOOK TOWARDS THE FUTURE. HOW DO YOU THINK CYBERCRIME CAN BE STOPPED? WHERE DO YOU SEE THE FUTURE OF CYBERCRIME GOING?
When speaking about cybercrime I tend to drop the cyber part of it and just call it crime, because that’s what it is. And as long as people are performing financial transactions on the internet, the cyber criminals will find a way to take their share. That said, it’s encouraging to see police forces responding to the growth in cybercrime. The Association of Chief Police Officers (ACPO) recently put out a statement committing to a more uniform strategy towards combating e-crime in the UK. That’s certainly welcome, but it’s also the problem. From a UK perspective they’re committing to a strategy, but the international nature of cybercrime makes it very difficult for enforcement agencies. Criminals based in China, Russia and North Korea are maybe using zombie PCs dotted around the world in order to perpetrate crime in other countries. It’s difficult to find the criminals, but it’s even more difficult to successfully prosecute them. Until there’s more co-operation between countries, wiping out cybercrime is not going to happen. Recently, we’ve seen the shutting down of some service providers who have been turning a blind eye to cybercriminals, particularly spammers. That’s been quite effective on a short term basis, but they soon bounce back, and spam reached new highs after having a brief hiatus. From an M86 Security perspective, we’ll continue to develop new tools for our customers—behavioural analysis techniques that will identify cross-protocol or blended threat attacks of the type that I mentioned earlier that target both email and web users. And of course our Security Labs will follow the criminals, see what they’re doing, identify new threats and predict what’s going to happen next. We’ve got a very strong Security Labs team based around the world looking at a vast amount of traffic, both web and email, and that’s how we’ll address future problems.
Cybercriminals: Masters of Stealth You can't stop what you don't know is coming.
The new weapon in the cybercriminal's tool kit is a blended threat and it can look like just about anything: • A credit card alert. • An online shopping confirmation email. • A prize notification. • Even a customer service survey from a well known retail store. Blended threats are spam attacks; stealth like and covertly disguised to look like something else — something familiar — until they attack. And when they do, the damage can range from compromised personal or corporate data, to the “recruitment” of computers into a network of bots, to keystroke recording that collects passwords and other information. Prepare for combat and protect your network and data from ambush. What you can’t see can hurt you.
Download the “Fighting back on Cybercrime” podcast today: www.m86security.com/ETM
ANALYST FEATURE ■ GRC AND IT SECURITY
GRC and IT security —where is the link? G
RC is an essential element of your IT strategy, but how does it work with security? MARTIN KUPPINGER (KUPPINGERCOLE) tells us that they work hand-in-hand and that a GRC view helps in optimizing investments in IT security.
GRC AND IT SECURITY ■ ANALYST FEATURE
irtually every organization has an IT security department. Few have clearly defined responsibilities for GRC (Governance, Risk Management and Compliance). But GRC is becoming increasingly important—and GRC approaches might be what help organizations in improving what they’re doing for IT security. GRC became one of the really hot topics in business and IT, especially in larger organizations, over the course of the last few years. However, there is a lot of confusion about the terms associated with GRC. In many organizations, few people have a clear view of what GRC involves and requires, and few organizations have an organizational structure for GRC with clearly defined responsibilities. Of these organizations, many have limited their GRC initiatives either to some aspects like “business only”, “risk only” or “IT only”. Very seldom will you find organizations that have a well-defined GRC strategy and roadmap, covering the organizational as well as the IT aspects of GRC, and supporting an evolution towards an integrated GRC approach including the organizational structures and processes, control frameworks, supporting technology and so on. Despite the current lack in that area, we clearly observe that GRC initiatives are maturing—however slowly. Like with most evolutions, beyond that “top-down” approach where frameworks like COSO and COBIT might be helpful guidelines, GRC also has to be understood at all levels of the organization. “Bottom-up” approaches are thus required using GRC principles and methodologies to improve the daily business in different parts of the organization. One of the most logical starting points for bottom-up GRC approaches is IT security. IT security is still driven mainly from a technical perspective in most organizations. IT security experts are experienced technicians. But IT security is not a green field for technicians— instead it is a required element to support successful businesses. We are convinced that IT security can benefit from a GRC view through better focus and optimized investments.
COMPLIANCE AND IT SECURITY The most obvious link between IT security and the broad field of GRC is the “C” in GRC— compliance. There are many regulations that explicitly or implicitly require specific actions in the field of IT security. While several of the US regulations are more explicit, European
regulations tend to be more implicit, frequently being filled by formal guidelines for auditors or specific practices of auditors. Data protection and privacy laws are good examples of where IT security is in fact driven by regulatory compliance. Access to specific information has to be restricted. And IT security has to take action to ensure that part of regulatory compliance. But does IT security really know how to do that? To some extent, yes, but many employees in IT security departments are acting without explicit knowledge of the regulatory context of their actions. One might argue that this isn’t relevant as long as they are doing their job, and that it is the responsibility of management to ensure that regulatory compliance is met. However, given that compliance is enforced by operative people it appears to be a good idea to strengthen the connection of specific actions in IT security and compliance requirements. Thus, the risk of failure and gaps will be reduced. People know the reason they are doing specific things and usually do a better job than the ones operating without that context.
RISK AND IT SECURITY Compliance is just one (and, from my perspective, minor) element in the relationship between GRC and IT security. Risk is far more important and—usually implicitly—something that has affected IT security since its very beginning. IT security is performed to mitigate risks, nothing else. IT risks are tightly connected to business risks. Every IT risk is associated with a business risk. That might be cost risks for penalties, lost customer relationships, lost data or recovery. It might be performance risks with respect to the time-to-market, when applications aren’t ready in time. Every IT risk can be easily associated to related business risks. That’s particularly true for IT security. On the other hand, not every business
risk is associated with an IT risk. That’s especially true for strategic risk, but also for some operational risks—the traffic jam which leads to a delayed supply of goods, and breaks in production, is at least only very indirectly associated with IT. But for most operational risks, there is an associated IT risk. The risk of abuse in trading on derivatives is directly connected to access controls and SoD rules or, from a risk perspective, the access or authorization risks. The good thing with risk is that there are established methodologies, proven concepts and experienced people at least on the business side. The other good thing is that key concepts of risk management are easy to understand and therefore easier to adopt, for example, for IT and in particular IT security. There are many examples of KPIs or KRIs (key performance/risk indicators) that might be used as a foundation for defining risk controls in IT security. Beyond that it isn’t rocket science to describe IT risks and their relationship to business risks in a structured way. A few days in an intensive workshop should deliver significant results.
FROM IT SECURITY TO INFORMATION SECURITY It might be a good idea to move a step forward and focus on information security. IT— information technology—is about information, and business is interested in information, not in technology. This means that information, not systems, should be in the centre of what is done. Is the information secure, regardless of where it resides? At rest, in transition, in use? Across different systems and even beyond the boundaries of the organization in case information is allowed to leave the (diminishing) perimeter of the organization? In fact, the question is whether information is at risk. And if we look at any regulation, it is about information, not technology. The transition from a technology-centric view towards an information-centric view has to be understood in the context of the broader evolution of
“… focus today should be on using risk as a key concept and building GRC strategies.”
ANALYST FEATURE ■ GRC AND IT SECURITY
IT towards more consistent approaches of information management. In any case, when applying GRC principles it is a good idea to have an information-centric perspective and to define risk as “information risk” instead of “technology risk”. Information is the value for business, and information is at risk.
RISK AS A KEY CONCEPT Actions in IT or information security can be controlled using risk indicators. Risk indicators are metrics that show the level of risk and can be associated with other metrics like the potential business impact—and thus be valued. On the other hand, knowing risks allows you to identify actions (organizational or technical) to mitigate these risks. Based on the costs of these actions and the valued business impact, decisions can be made. The first is always about whether it makes sense to mitigate a risk or not. Some risks are too expensive to mitigate or it is just impossible to mitigate them. In fact, that is the same decision when insuring yourself, but based more on facts (the KRIS, the business impact and so on) and felt risks than in personal life. Probably the best example for the limitation of risk mitigation is life insurance. They don’t mitigate the risk of dying; they only mitigate the impact on family and relatives. Beyond that basic decision the questions are about how to mitigate risk and what risks to mitigate in what order. Risk awareness in information security supports the decision making, starting from IT security strategies down to building the specific project portfolio. A risk ratio is probably the best criteria to decide about your strategy for information and, as the foundation, IT security.
MULTIPLE LAYERS OF GRC A big threat with all approaches that start partially top-down and partially bottom-up is to end up with a consistent solution. There is always the risk of having several incomplete, incompatible approaches at the end of the day. That’s even truer with GRC, where we have somewhat inconsistent technical approaches at several layers. Starting at the top, there is what vendors claim to be “enterprise GRC”, with “enterprise” for “business”. The term “enterprise GRC” is wrong at least for most of these solutions because they cover only some aspects of the entire GRC topic—mainly some business controls with usually pretty limited ability to
support automated IT controls. The latter are not only relevant for IT but for business as well—the most relevant information for the business is held in IT systems. However, most of these systems focus on manual controls which are of somewhat limited value—having a risk attested after the problem occurred isn’t sufficient. The layer below might best be described as CCM (Continuous Controls Monitoring), even while there are several other terms used by vendors. Overall this level of GRC is about business-process and business controls mainly, even while some tools might explicitly support IT controls as well. The layer below are specific GRC tools for specific types of business applications, like the ones focussing on access controls in ERP systems or the growing market of tools for Access Governance. But there are several other tools which aren’t commonly understood as part of the GRC landscape. SIEM (Security Incident and Event Management) and IT Service Management tools (ITSM) are examples of this—tools which support the implementation of specific IT controls. That becomes obvious once you look, for example, at the broad range of controls defined in the COBIT standard. The lowest level consists of specific tools at the system level which, for example, extract specific data for the higher level tools.
When focussing on the relationship of GRC and IT security, the areas of SIEM and Access Governance are of particular interest. While the notion of risk is part of several Access Governance tools, it is widely missing in SIEM tools. However, working on a consistent strategy which, over time, integrates the different layers of GRC tools definitely makes
“IT security is performed to mitigate risks, nothing else.”
sense. Interestingly, there is currently only one vendor who at least started with such integration. The acquisition of Archer by EMC (the RSA division of EMC) will lead to some integration of an Enterprise GRC tool with SIEM solutions, hopefully complemented over time by other elements of the bigger GRC picture.
FOCUS ON RISK, FOCUS ON GRC STRATEGIES From an IT management perspective, focus today should be on using risk as a key concept and building GRC strategies. IT security is something which is much better to manage when looking at it in the context of business risks. One short term impact will be that decisions about IT security investments can be made on a more solid foundation—and tactical investments (like many of the ones currently done in the DLP or Data Leakage Prevention space) might be reduced.
Martin Kuppinger FOUNDER AND SENIOR PARTNER KuppingerCole Martin established KuppingerCole, an independent analyst company, in 2004. As founder and senior partner he provides thought leadership on topics such as Identity and Access Management, Cloud Computing and IT Service Management. Martin is the author of more than 50 IT-related books, as well as being a widely-read columnist and author of technical articles and reviews in some of the most prestigious IT magazines in Germany, Austria and Switzerland. He is also a well-known speaker and moderator at seminars and congresses.
Expect more from your business intelligence dashboards
Our award-winning products integrate visual data exploration and interactive dashboards to make BI analytics fast, easy and fun. Create interactive reporting dashboards with drag and drop ease. + Combine different databases into a single view + Publish interactive dashboards to the web + Link and filter all of the charts simultaneously + Create reporting dashboards based on live data
Tableau is changing the way companies are analyzing and sharing their data. Learn more at www.tableausoftware.com/etm
Copyright ÂŠ 2010 Tableau Software. All rights reserved.
ASK THE EXPERT ■ ENDPOINT DATA PROTECTION
Safety ﬁrst S
AFEND’S EDY ALMER talks about a fully integrated, single server, single agent data protection solution and shows ETM’S ALI KLAVER why they are the leaders in endpoint data protection.
ENDPOINT DATA PROTECTION ■ ASK THE EXPERT
K: EDY, CAN YOU TELL US A LITTLE BIT ABOUT SAFEND’S HISTORY?
Safend is the leader in endpoint data protection. The company was founded in 2003 and we released our first product in 2004, available through retailers globally since 2005. We added Lenovo as a global distributor in 2006, and then we also released the first extensions to our antihardware key logger protection—anti-network bridging. Our first partners joined in 2006. First of all Websense, then Fujitsu BSC in Japan and another large encryption vendor. In 2008 we added additional common criteria certification for EAL2, and released Safend Encryptor and Safend Reporter. This was the year we reached the 1000 customer mark, and in 2009 we reached in our 2000 customer mark. Right now we’re close to 2.5 million installed endpoints. This year we also released Safend Inspector. Today we are 65 people strong, our MD is mostly in Israel, and we have a global presence both in Europe and the US. AK: IT SOUNDS LIKE YOU’VE GOT SOME REALLY STEADY GROWTH THERE WHICH IS FANTASTIC.
logger protection. The second component of the suite is Safend Encryptor. Whereas Safend Protector encrypts the external and removable storage devices, Encryptor enforces encryption on the internal drive. This is primarily used for laptops to ensure that if the laptop is lost the data on it is still protected, so the risk is now limited to the cost of the laptop. Safend Encryptor is different from most other products because it doesn’t require any change in the way the organization works, not for the helpdesk, and not for the end user. Everything is completely transparent while still being very easy to use, and the encryption is industry standard. Our third and newest component of the three, released recently, is Safend Inspector. Safend Inspector basically rounds up our suite and a lot of the data from all aspects on the endpoint. Inspector does data classification—not just decisions based on user, machine and device, but the actual data content. You can stipulate that no customer data is to go out the organization in any way except if it’s sent by email to a known partner, or even to a known distribution inside the organization. This is transferred to a maximum of 100 customers at a time to a USB because a sales person may need it on the road. We’re controlling all of those channels—email, IM and web. We’re controlling transfer to external storage and printers. As a corollary to that, we have Safend Discoverer. Safend Discoverer relies on everything that Inspector knows how to do, but is for data tracking. Inspector controls data being actively transferred or used by an application. Safend Discoverer can scan the entire drive for each and every endpoint in the organization and come back with a map of all the sensitive data. This will allow you to do a very thorough, up-to-date risk assessment without investing a lot of effort. And this will allow you to better decide what steps you need to take to protect your data.
“… we developed all of the components in-house and they’re working AK: CAN YOU RUN US THROUGH THE together, tightly TYPES OF SOLUTIONS YOU PROVIDE AND GIVE SOME EXAMPLES OF HOW integrated.” THEY’VE WORKED FOR YOUR CUSTOMERS?
We’ve been growing very nicely and have been recognized by Deloitte in Israel as the seventh fastest growing company. We’ve grown 1700% in the past five years and we’re doing very well on the European lists as well. Our growth is primarily in the UK and Germany, Italy, France and elsewhere in Europe.
All of our solutions are part of one single product, run by a single management server, with a single endpoint installation. Anything we do is enabled by license only and doesn’t require any additional management beyond initial deployment. Our first product is Safend Protector. Safend Protector is port and device control. It controls which devices can be connected to which computer for which users. The product is very granular and it allows you to have complex policies that would allow the people who need to connect these devices to connect them, while blocking those that don’t from leaking sensitive data. This is a product that instantly gives you a big leap in your level of security because it limits both the number of devices and the number of people/computers that can access sensitive data in the first place. To augment that, we can encrypt the level of storage you are using inside your organization. So not only will it limit the number of devices that are being connected, it can also enforce their being encrypted. Even if you’re transferring sensitive data to a device, you make sure it is either encrypted by us, or pre-encrypted in hardware, and we allow only those devices. The same is true also for encrypted CDs and DVDs. This is a feature that’s very popular with our helpdesk customers who need to distribute test results to their stations. We give them an encrypted CD/DVD that is created on the spot, and even when it leaves the premises and is no longer their responsibility, it’s still protected. In addition, we have wireless control on Protector and hardware key
AK: THAT’S AN AMAZING RANGE OF SOLUTIONS EXTENDING ACROSS A VARIOUS INDUSTRIES, BUT HOW DOES SAFEND COMPARE WITH THE OTHER DATA LEAKAGE SOLUTION PROVIDERS OUT THERE? WHAT WOULD YOU SAY IS THE SAFEND POINT OF DIFFERENCE?
Our main point of difference is the fact that we developed all of the components in-house and they’re working together, tightly integrated. For example, we can define a policy that would say if the removable storage that’s connected to your computer is encrypted, you are allowed to transfer to it—let’s say a hundred records of customer data. If it’s not encrypted, we’ll allow you to transfer one record at most, which would probably be your own or another person’s, and that’s a risk we’re willing to accept. Any other device we do not provide you with as an organization is completely blocked. This kind of integration between the encryption or device control and content inspection is unique to us because we’re the only product that has all those components under one roof and one policy. Our product has been recognized as best-of-breed at point product as well, not just as a whole fleet. Safend Encryptor, for example, won a best-buy from SC Magazine this year, competing against the largest in the business. Safend Protector has been recognized as a leading product both on functionality and ease-of-use, and we expect Inspector to be recognized in a
ASK THE EXPERT ■ ENDPOINT DATA PROTECTION
similar way. For an end user, the ability to quickly deploy Encryptor and Protector so they reduce risk in a short time, and then adding on Inspector without any additional deployment and only fine-tuning the policies in the process, is a unique offering that none of the other players in the industry can mimic.
POINT SECURITY GOING, AND HOW ARE YOU POSITIONING YOURSELF TO HELP PROTECT COMPANIES IN THE FUTURE?
As I said before, when we’re looking at regulations, and the compliance requirements in many vertical industries and for many different governments in the world, the awareness is there. When we started five years ago our toughest problem was to explain why people and organizations needed to solve a problem in the first place. Maybe a laptop will be lost, maybe it won’t. If it is lost, who knows whether the person who stole it is actually interested in the data? They could only be interested in selling the hardware. All of this made it very hard to quantify how important data protection was. I think that we’ve come a very long way in the past five years, and now when we reach out to organizations they understand very well the importance of protecting data. So this is a place where we see a lot of adoption, and the bulk of the curve is now moving into adopting data protection which means they’re not leaking data where they shouldn’t be. Going forward, we have just rounded up all the different components of our suite and we expect 2010 to be an execution year. We will grow even faster than the 60-70% rate we’ve had to date, because this is a year when everything turns together. The product is now fully ready for the market, and we’ve been working with our customers for the past five years and adding those components on request. The requirements are there, the awareness is there, and we’re expecting this market to grow at a tremendous rate. If we’re looking beyond 2010, we’re expecting to continue to add additional components and possibly integrate beyond the endpoint so that we extend our range and make sure we’re protecting the data not just inside the organization; not just with its partners which we can do today; but all the way down to the individual consumer. This is one of the areas where we expect to see additional things coming from Safend.
“… the bulk of the curve is now moving into adopting data AK: SO SAFEND SOLUTIONS protection which means ARE MANAGED BY ONE SYSTEM WHICH ONLY MAKES IT EASIER they’re not leaking data FOR YOUR CUSTOMERS. LET’S BE A BIT MORE SPECIFIC—HOW where they shouldn’t WOULD YOU COUNSEL THOSE COMPANIES LOOKING AT COMPLYbe.” ING TO HIPAA OR SOX REGULATIONS, FOR EXAMPLE, BUT THEY’RE NOT QUITE SURE WHERE TO START? WHAT WOULD BE THE BEST SOLUTION FOR THEM?
There are more than just those regulations today. Protecting customer data, employer data and credit card data is a form of concern across the US, Western Europe and Japan. And it’s now extending beyond that as well. South Africa has a legislation in process as a preparation this summer for the large number of visitors they’re going to get for the World Cup. Australia has some nice legislation going on, and the awareness around personal data is rising everywhere. The number of very high profile cases, such as HMRC and MBTA, went well beyond just security and IT press to global coverage because of the importance and the severity of losing this type of data. So people are using our solutions to comply with PCI and to make sure that credit card data is protected. But they’re also using it for a large number of local, state and federal regulations that have been springing up in response to this threat. The UK’s Data Protection Act has specific directives for local councils called the GSCX (GovernmentConnect). The US has legislation in 46 of the 50 states dictating the protection of customer data, or else you have to step up and tell those customers every time you lose their data. When you look at laptop theft, it’s not a question of accepting the probability that this will happen. This is something that invariably, if you allowed deregulation, happens once a month if not once a week if you’re a very large organization. Similarly, emails sent by mistake to the wrong address, or somebody being over-zealous and taking work home on their removable USB device, are all breaching compliance for various regulations. If you’re encrypting that data, and you’re making reasonable efforts to protect it when compared to your peers in the industry, then you’re considered to be in compliance with them. You don’t have to step up and announce a breach which is a very, very expensive process. Our solution ensures that you don’t have to do that, even if somebody loses a backup tape or laptop, or if someone accidentally tries to send an email with an excel file that has customer data in it. AK: YOU’VE USED SOME VERY SPECIFIC AND DAY-TO-DAY EXAMPLES. I’M SURE A LOT OF OUR CUSTOMERS ARE SEEING AND EXPERIENCING THE SAME THINGS IN THEIR BUSINESS LIVES. FOR OUR FINAL QUESTION, WHERE DOES SAFEND SEE END-
Edy Almer VICE PRESIDENT OF PRODUCT MARKETING Safend Prior to joining Safend, Edy managed the Encryption and Endpoint DLP products in the Endpoint Security Group at Symantec. He managed the memory cards product line at M-Systems prior to its acquisition by Sandisk and previously drove the launch of several flagship projects at Orange, Israel’s fastest growing cellular operator, resulting in 100,000 new 3G customers one year after launch. As the CTO of Partner Future Comm, Edy charted the strategy for potential venture capital recipient companies. He holds a Bachelor’s degree in Electrical Engineering from Technion, and an MBA from Tel Aviv University.
EXECUTIVE PANEL ■ SECURITY INFORMATION AND EVENT MANAGEMENT
SIEM— Spiralling Out
DEREK BRINK (ABERDEEN GROUP) moderates a panel discussion on security information and event management and addresses the main issues in the market with the help of TOM TURNER (Q1 LABS), PAUL STAMP (RSA, THE SECURITY DIVISION OF EMC) and RICK CACCIA (ARCSIGHT) http://www.GlobalETM.com 74
SECURITY INFORMATION AND EVENT MANAGEMENT ■ EXECUTIVE PANEL
DB: I’D LIKE TO BEGIN WITH A QUICK OBSERVATION FROM MY OWN RESEARCH AT ABERDEEN. WE CONDUCT BENCHMARK RESEARCH, AND IN THIS PARTICULAR AREA ABOUT HOW ENTERPRISES ARE LEVERAGING THEIR SECURITY-RELATED LOGS AND INFORMATION IN EVENTS. WHAT WE FOUND WAS THAT ENTERPRISES ARE REALLY DOING THEIR BEST TO ADDRESS THREE THINGS AT A TIME REGARDING THEIR IT INFRASTRUCTURE. THE FIRST THING IS TO ENHANCE THEIR SECURITY. THE SECOND IS TO ACHIEVE AND SUSTAIN REGULATORY COMPLIANCE. AND THE THIRD THING, IF THEY CAN GET TO IT, IS TO TRY AND IMPROVE THE EFFICIENCY AND THE COSTEFFECTIVENESS OF THEIR ONGOING OPERATIONS. SO THERE’S THE SECURITY ELEMENT, THE COMPLIANCE ELEMENT, AND THEN THE OPERATION ELEMENT. ANYONE WHO DOES A QUICK REVIEW OF YOUR RESPECTIVE WEBSITES, GENTLEMEN, WOULD SEE THAT YOUR COMPANIES ARE IN PRETT Y SOLID AGREEMENT WITH THESE USE CASES AND YET, AT THE SAME TIME, I THINK EACH OF YOU HAS A DIFFERENT TAKE AND SEES THE MARKET IN YOUR OWN UNIQUE WAY. AS I INVITE EACH OF YOU TO MAKE SOME INTRODUCTORY REMARKS OF YOUR OWN, PLEASE ALSO INCLUDE YOUR THOUGHTS ABOUT HOW YOUR COMPANY SEES THE EVOLUTION OF USES CASES, THAT IS THESE THREE, PLUS WHAT ELSE? LET’S BEGIN WITH RICK CACCIA FROM ARCSIGHT.
“... you’ve got to be able to aim for what you want your organization to look like.”
I think these use cases make a lot of sense, and we certainly see them in the customer base. First, I think security is definitely a big concern and that’s both in traditional network security scenarios, hackers, worms and so on, and also in new scenarios such as data breaches from fraud, bots, social engineering, and theft from malicious insiders. Second, it’s hard to separate security and compliance—they’re two sides of the same coin. You can improve security to comply with regulations protecting data and transactions, and then in turn by demonstrating compliance, you’ve likely taken steps to improve your data security. We definitely see that these are linked and have created products to help customers. Finally, one thing we hear from customers very often is that the threat and the risk landscape is growing faster than our department, head count and budget. Given that the only way to keep up is to dramatically improve operational efficiency, as you indicate in your survey, the only way to do that is automation. We see a world of new security threats piling on top of old ones, new regulations piling on top of old regulations, and customers looking to manage that with a set of products to automate security, data protection, user monitoring, risk management and compliance reporting. We believe that security is one area where it pays to have the very best, and it’s basically pointless to have anything other than the best. So if you can’t see and manage a risk, what’s the point of spending the money? From ArcSight’s perspective, we focus therefore only on threat and risk monitoring in its different forms.
expanding the use cases, I feel like customers are getting savvier about what they want and need from their solutions in each of these places. If you think about achieving security, achieving compliance and improving efficiency—they’re goals, and they’re enabled by a set of processes that you’re putting in place. I think customers are coming to the conclusion that these goals are made more efficient by technology, and SIEM is just one of those. So there are three things to look at. First, I think people are coming to the conclusion that SIEM is a fact-base for these sets of processes. Any of the programmes they have in place around enhancing security, compliance or efficiency should be able to exist without SIEM. Second, they’re starting to see that SIEM needs to be fed by other elements of the IT infrastructure, but those elements need to be fed as well. Whether that be IT service management—EMC has a product, there’s Peregrine, and BMC Remedy—whether it be compliance management— RSA just made an acquisition of Archer in this field—or whether it just be internal ticketing systems for those processes that can be dealt with within the small confines of the team. We’re really looking to see if SIEM is able to feed those other processes. Third is that people are beginning to need the ability to incorporate content that is relevant to addressing the needs of each of those use cases. For example, on the security side, we work very closely with our AntiFraud Command Centre in Herzliya, Israel. We also work closely with other parts of EMC, for example VMware, around the operational and security aspects of virtualization, and in Ionix with the wider aspects of IT service management. I think rather than looking at widening those use cases, it’s more a case of a concentration on the process aspect of them that we’re seeing as the real change.
I think those three use cases are certainly bang on. But rather than
DB: THANK YOU PAUL, AND IN BOTH CASES WE’VE HEARD THE EXAMPLE OF FRAUD WHICH IS SOMETHING THAT WE’RE HEARING NOW THAT PERHAPS WE DIDN’T HEAR 12 TO 24 MONTHS AGO.
Yes, I think the three buckets have been accurately identified here—security, compliance and operational efficiency. I also think there’s an evolution in those very big buckets. If you look at security, we see across our customer base much greater sensitivity and concern about being a “target of choice” as opposed to previously being a “target of opportunity”. That’s exactly the fraud use case—the ability to monitor the activities of your users or consultants. We have a large retail chain whose problem statement was that they had a very large consultant group that they wanted to be able to monitor. They were concerned about being a target of choice. Now, I think this point has probably already been made, but there’s a growing understanding by all customers that compliance can’t just be solved by logging and reporting in and of itself. Compliance is very tightly twinned to security, and there are very concrete examples of this such as in the energy and utility market where the NERC standard demands greater sophistication around the ability to discover assets on your network and profile, and to be able to monitor the protocols that are traversing the network. Utility and energy companies facing the NERC requirements are equally concerned about their role as part of the critical infrastructure as they are about meeting an auditor’s requirements.
EXECUTIVE PANEL ■ SECURITY INFORMATION AND EVENT MANAGEMENT
Operational efficiency used to be neatly bucket-ized as something a mid-market company would care about. Large companies demand intelligence, complexity and flexibility, and in the past have been prepared to sacrifice efficient operations in order to get the first two. But the reality is that the largest organizations in the world need operationally efficient security operations, and now demand technologies that are efficient to implement. To give another customer example, we have a large auditing and consulting firm whose services arm will go out and do implementations and recommend first generation SIEM technologies because of all the highdollar services associated with them. But that consulting company and their worldwide SOC for incident management uses our technology, because their requirement is to be able to do worldwide incident response without adding additional head counts. So those are the buckets, and I think we see the evolution of use cases in those as customers become more concerned about being a target of choice than a target of opportunity, and they demand an efficient response.
diverse logging sources into a security intelligence platform. It isn’t just the ability to integrate, they also need as much of this automated as possible. For example, we have a retail customer who’s got 50,000 devices going into our product. The need to be able to recognize and start to normalize those sources automatically is pretty critical because manual associations wouldn’t satisfy them. The second part is broader surveillance data, because that’s really what enables being able to satisfy some of these more discriminatory use cases. In addition to logs and host data, we see customers increasingly asking for: intelligent use of their vulnerability information from their vulnerability scanners; visibility into the network and its behavior, and what applications are doing in areas of the network that lack security devices to provide visibility or have hosts that they are unable to log from. Add onto that third party intelligence feeds—the collective security intelligence that exists out there—whether it’s geographical information about IP address ranges, lists of black IP’s or other threatening subnets, should become part of pre-built content that’s of value to a lot of our customers. Think of how someone monitors a 911 network or a 4G wireless cell phone network—it’s a combination of a variety of things; knowledge of the individual; hosts within that network; the control towers; the servers and call managers that enable that infrastructure to run; the ability to bring in the security telemetry that protects that network, and also the network information itself about how hosts within the network are behaving. We spend a lot of time making sure that we do the traditional logging well for customers because that will always be one of the core values of a SIEM technology to the customer. But then we need to address how we can supplement that with much broader surveillance to provide a more intelligent response to these use cases we talked about earlier.
“There is actually an analogy here between the business intelligence market and what we would call the security intelligence market.”
DB: IN SOME WAYS WE’VE TALKED ABOUT EVOLUTION IN ALL THREE BUCKETS—THERE’S EVOLUTION IN SECURITY IN TERMS OF RISK AND THREATS, AND FRAUD CAME UP IN EACH ONE OF YOUR COMMENTS. THEN THERE IS THE CONSTANT CHANGE IN THE REGULATORY LANDSCAPE AND THE NEED, I GUESS PARTLY DRIVEN BY COST MEASURES AND THE ECONOMY, TO GET MORE VALUE OUT OF THESE RESOURCES THAT WE HAVE IN LIMITED QUANTITIES. SO THE EFFICIENCY ASPECT CAME THROUGH LOUD AND CLEAR. MY SECOND QUESTION IS ABOUT THE LIFECYCLE ASPECT OF INFORMATION AND EVENT MANAGEMENT. IT’S TRADITIONAL TO USE A KIND OF LIFECYCLE MODEL TO DESCRIBE THESE THINGS FROM CRADLE TO GRAVE, AND IN THIS CASE IT GOES FROM THE INITIAL IDENTIFICATION AND INTEGRATION OF DIFFERENT DATA SOURCES—THE FEEDING OF THE SIEM THAT I THINK PAUL MENTIONED—TO THE MANAGEMENT OF THE COLLECTED DATA, AND FINALLY THE INTERPRETATION. I THINK WE’RE ALL AGREED ON THE MOST IMPORTANT THING WHICH IS TAKING SOME KIND OF ACTION ON THE IMPORTANT DATA, LEARNING, REPORTING, PRIORITIZING, AND FEEDING THE OTHER SYSTEMS IN THE ENTERPRISE. SO MY FIRST QUESTION WAS REALLY ABOUT TAKING ACTION USE CASES, AND I WANT TO ASK ABOUT HOW WELL YOU ALL APPROACH THE IDENTIFICATION, INTEGRATION AND THE SOURCES OF THE DATA THAT YOU MIGHT DIFFERENTIATE YOUR OFFERINGS BY. TOM, COULD WE BEGIN WITH YOU FROM Q1 LABS FOR THE FIRST COMMENT?
I think that in order to be able to satisfy those use cases we must all be very good at the integration of a customer’s data sources, which change all the time. I normally break it into two main areas of focus. The first part is the more traditional log sources, and there is a constant need to respond to customers who want to be able to integrate new and
I think Tom’s point about things changing is a good one. And I think that because of it, identification and integration are two great ways of looking at the problem. In practice, identification comes in phases and what we’ve seen is that in the first phase the customers know what kind of data sources they want to pull in, and then it’s really just a matter of having the connectors for these sources. If they do—great, let’s get moving. Then you do the project and the customer can do their basic monitoring and everyone is happy. The bigger problems start to arise in the follow-on phases—the customers monitoring their Cisco firewalls, their Linux servers and their Windows desktops. Then management says OK, phase two, now we want to pull in our customer order processing apps. We want to pull in the DLP logs from Symantec or McAfee—different vendors than you maybe bought the SIEM from. We want to pull in the badge reader logs into the data centre, we want to pull in users from oracle identity management, and now suddenly you’ve got a different set of feeds, not quite in the mainstream, and then you’ve got an integration problem. We believe that the ability to collect from those follow-on rings, the second, third and fourth rings of data sources, without requiring vendor engineering to get involved, is a key differentiator. One of the biggest complaints we hear when we replace a competitor’s product is: “The other guys quoted me four to six weeks and they needed
EXECUTIVE PANEL ■ SECURITY INFORMATION AND EVENT MANAGEMENT
engineering to get involved to get the next three data connectors built.” The way we look at it from an ArcSight perspective is that we don’t know what the hot security device is going to be in a year, but we know you’re probably going to want to monitor it. And so as you’re looking at these problems you better pick an architecture that lets you pull in these new sources easily. I think sometimes the inability to look at that causes customers to trip up down the road.
When you talk about identification you’ve really got to see that knowledge is key. Common infrastructure, as Rick said, are the second and third layer of things that you want to incorporate into your SIEM. You also need knowledge of your own organization and the ability to adapt what you’ve got, or to create new things that are specific to your organization. I think it’s absolutely true that you do need to be able to customize this to the organization’s requirements, but it’s still key to have that inbuilt knowledge. One thing that we believe is that there’s been far too much reverse engineering in this space so far. That was fine when there were dozens of things that you needed to monitor, but now there are many hundreds of different event sources that we need to monitor. We as an industry do need to keep up with that—we can’t expect the customer to have to do it themselves and to deal with it when those different infrastructure components change. That’s why we’ve been putting in place a partner project which is akin to the RSA Secured programme which really is the big differentiator in the token market. It’s not so much that our tokens are better than anybody else’s, but the real differentiator is what our tokens work with. We’ve got to put in place a much more sustainable programme; from being able to talk to these different people that you’re going to collect information from, and to be able to make sure that when they update we’re right with them, we’re in lockstep with them, and we’re not ages behind. And that’s difficult to do. The second thing is that customers still need a lot of guidance—and not just in navigating the product, pulling in information and interpreting it—but guidance on what they actually need to look for. They need relevant, timely content.
Derek Brink - Moderator VICE PRESIDENT AND RESEARCH FELLOW, IT SECURITY Aberdeen Group
Derek joined Aberdeen Group as a senior high-tech executive experienced in strategy development and execution, corporate/ business development and product management/product marketing. Prior to Aberdeen, Derek’s industry experience includes postions with RSA (now a division of EMC), Gradient Technologies (new Entegrity) and Transarc (a subsidiary of IBM). Derek earned an MBA with honors from the Harvard Business School and a BS in Applied Mathematics with highest honors from the Rochester Institute of Technology. 78
We’ve got a research team that’s based out in Herzliya, Israel, that’s part of our Anti-Fraud Command Centre that I was talking about earlier, who are involved on the front line of security research, and are then being able to feed us rules, watchlists, mappings between vulnerabilities, and different things they’re seeing on their network. We’re able to feed those into rules that are able to be put into our product. So, it’s first of all being able to get in that information and being able to interpret it, but also being able to give the customer that guidance as to what to actually look for. And I think that’s really where we think differentiation is going to occur going forward. DB: ONE OF THE CORNERSTONES OF THE BENCHMARKING STYLE OF RESEARCH THAT ABERDEEN USES IS THAT WE’VE LOOKED NOT ONLY AT THE TECHNOLOGIES, BUT AT THE STRATEGIES AND THE CAPABILITIES THAT COMPANIES HAVE TO HAVE IN PLACE TO HELP THEM BE SUCCESSFUL. WE’VE ALL HEARD IT SAID A HUNDRED TIMES—PEOPLE, PROCESS AND TECHNOLOGY—AND THAT’S WHAT I’M TALKING ABOUT HERE. EVERY STUDY I DO I CAN SHOW YOU TWO DIFFERENT USERS OF THE SAME SOLUTION FROM THE SAME VENDOR, AND ONE OF THOSE WILL BE AMONG THE LEADING PERFORMERS, AND ANOTHER ONE WILL BE AMONG THE LAGGARDS. SO MY THIRD QUESTION IS REALLY ABOUT THIS VERY IMPORTANT ISSUE OF NON-TECHNOLOGY CAPABILITIES AND SUCCESS FACTORS, IF YOU WILL, THAT YOU WOULD IDENTIFY FOR OUR LISTENERS—ESPECIALLY THE THINGS THAT THEY MIGHT WANT TO HAVE IN PLACE EVEN BEFORE THEY GET INTO THE TECHNOLOGY PURCHASE DECISION WITH YOUR COMPANIES. LET’S PUT THIS ONE FIRST TO PAUL STAMP FROM RSA.
When you talk about people, process and technology, I think there’s a big reason why technology is last in that little triumvirate. First of all, from a people perspective, you need to know where you want your programme to be and where you want your roles and goals to be.
VICE PRESIDENT OF PRODUCT MARKETING ArcSight
Rick Caccia is a vice president in the products group at ArcSight, a leader in the SIEM industry with clients in all aspects of the federal and state government. Rick has spent over fifteen years designing, implementing and managing security and identity infrastructure software. Earlier in his career, Rick led product management at Oblix, an identity management leader, and was later Senior Director of Product Management at Oracle. Prior to ArcSight, he led product management for the Messaging and Web Security business unit at Symantec.
SECURITY INFORMATION AND EVENT MANAGEMENT ■ EXECUTIVE PANEL
It’s unlikely that you’re ever going to be able to get there before you start making the technology decisions, but you’ve got to be able to aim for what you want your organization to look like. An executive sponsor would be nice, but you realize that that’s not necessarily going to always be the case. When you’ve got this “roles and goals” kind of approach in place then you’re able to staff this appropriately, whether it’s to be able to put the right resources to maintain the infrastructure—some products have more moving parts than others— there’s a certain amount of effort involved there. There’s a kind of business rule maintenance; the ports, event sources, and rule sets that are more SIEM-specific, but as you put a SIEM in place you are going to spot more policy violations and threats that are inherent in your infrastructure, so you have to be able to staff towards those. But in order to do that you need the right set of skeleton processes defined around your threat management—what do we do when Microsoft issues a new bulletin with 1500 critical security vulnerabilities? What do we do when we spot something on our network that we really don’t like to see? What do we do when the auditor finds something that they don’t like? What do we do when we’ve created these reports out of our systems and we need to distribute them to the different people to get them reviewed and alerted? As we said, you should be able to take your SIEM out of the equation. Your SIEM is just simply the fact base that feeds those processes. But you have to have at least an idea of what those processes are going to be before you really put your technology in place. If you have those roles and goals sorted out, if you have those processes put in place, then I think you should be set to go to put in the right technology.
I actually don’t disagree with anything that Paul just brought up. If you think about the things that should go into the preference and awareness stage before a customer starts to go out and think about buying a product, I think Paul has highlighted the process part of it very interestingly. This is a big enough market now where being able to talk to people in your industry, with the challenge you have, should be an important part of your diligence. Those of you that have been in technology long enough
know that vendors have become very good at running very tight proof of concepts that don’t always meet the true goal of your project. A protection against this is the information that can be found from the trusted parties you already rely on—your reseller partners, analyst firms, even on LinkedIn. That’s a key thing that I think people should do more of. One thing that perhaps Paul didn’t touch on was that ultimately you’ve got to have agreement between the people who evaluate the product, and those who end up being the eventual users. I often see that as a disconnect in customer scenarios where the evaluation team isn’t actually going to be the operational team for the SIEM, and that’s some upfront work that can be done before you even start to think about vendors. There’s also the diligence that goes into looking at a solution, beyond needing to run an evaluation as you would use the product in your network, which is ensuring that your manufacturer of choice supports you. What is the professional services engagement going to look like? What do other users say about the support capability of the vendor in question? These are all the things that ultimately can help as upfront work to lead to a much more satisfactory choice. Ultimately there is the time to value. Once you embark on a SIEM project your head is up above the fox-hole in terms of making the project successful. I think that’s very good upfront work you can do that’s not even tied to vendor selection in any way, shape or form.
I think the success factor question is an easy one. I think the biggest success factor is understanding what you want to do, when you want to do it, and then having a clear plan to get there. I know that sounds a bit like a truism, and kind of hokey, but you’d be surprised how often we encounter new customers who either try to do everything at once, with no good idea of how to use the data they’re integrating, or else they just want to do some monitoring, and then they can’t show a lot of value to management. So I think the point is to understand where your big impact comes from. Maybe the first step is to make sure you can detect bots, if you’re a bank. Maybe the second step is monitoring your admins to protect your confidential data. Perhaps then your third step needs feeds from badge readers or video cameras if you’re in a different industry.
SENIOR MANAGER OF PRODUCT MARKETING, INFORMATION AND EVENT MANAGEMENT GROUP RSA, The Security Division of EMC
Paul is responsible for reinforcing RSA’s position as a market leader in the Security Information and Event Management space. Paul has been active in the information security industry for the past 11 years and is regularly featured in the media. Prior to joining RSA, Paul was Principal Analyst for Forrester Research, covering security information and event management and data security, and a security architect with Unisys Corporation. Paul holds an MA (Oxon) in Mathematics from Oxford University.
SENIOR VICE PRESIDENT MARKETING AND CHANNELS Q1 Labs
As Senior Vice President of Marketing and Channels, Tom is responsible for all product management efforts, demandgeneration programs and channel marketing initiatives at Q1 Labs. Prior to joining Q1 Labs he served as director of marketing for endpoint security at Cisco Systems where he helped elevate the company to number two in the host-based, IDS/IDP market. Tom holds a Bachelor’s degree in English and Spanish from the University of Newcastle-Upon-Tyne, United Kingdom. 79
EXECUTIVE PANEL ■ SECURITY INFORMATION AND EVENT MANAGEMENT
So you figure out what you want to protect, then which types of rules help you do the detection you need, which data sources are needed to feed those rules, and then you figure out if you do it all at once or in phases, and if it is in phases, what is in each phase. And this isn’t rocket science. ArcSight did over $150 million in SIEM sales last year, and we have most of the Fortune 500 as customers. And nearly half of our new revenue each quarter comes from existing customers buying more. We learned in that process that helping those customers make the most of what they’ve spent and how to get more and more leverage from what they’ve already bought is the key to success. And I think as Tom and Paul also mentioned, you don’t just dump a bunch of technology on someone and say: “Go figure it out, good luck to you”. DB: I AGREE WITH THE COMMENTS THAT YOU ALL MADE, AND WE FIND THAT IT’S VERY CRITICAL FOR THE ULTIMATE SUCCESS OF THESE PROJECTS TO DO THE KIND OF THINGS THAT YOU’RE TALKING ABOUT. WE’VE COME TO THE LAST CHANCE FOR THE PANELLISTS TO MAKE SOME BRIEF CLOSING REMARKS. I’D JUST LIKE TO ASK YOU TO TALK ABOUT WHAT YOU SEE FOR THE SECURITY INFORMATION AND EVENT MANAGEMENT MARKET GOING FORWARD IN THE NEXT 12 TO 24 MONTHS. LET’S BEGIN WITH RICK CACCIA FROM ARCSIGHT.
We see two trends happening. First, I think log management will expand and be seen as an enterprise-wide function, and you’re going to see log architectures span the whole organization, not just in security, another one in IT, and so forth. We think log management will be seen as a fundamental piece of enterprise architecture. Second, the basic user cases that were done five years ago will remain, but the big steps now are being taken around expanded scenarios— privileges of monitoring, data privacy and protection, fraud detection—I think we all mentioned fraud detection. New cutting-edge malware detection, catching new zero-day attacks and so forth are also there. I think customers will figure out how risky these areas really are and they’re going to demand new solutions to address them, so we expect SIEM to be seen as something broader, something along the lines of enterprise level risk and threat management, and not just network security.
This is a vibrant market. It’s growing fast and it represents a demand that customers have to hit those three big buckets we talked about at the beginning. Certainly we as a company have added over 500 customers last year using our product. I think where SIEM goes from a technology or a solutions standpoint is that it is more than just network security monitoring—ultimately it’s an aggregation platform for intelligence. There is actually an analogy here between the business intelligence market and what we would call the security intelligence market. The change in the threat landscape, and the increasing requirement from a much broader set of customers to get intelligence, integration and automation (which honestly used to be the preserve of the top 500 companies in the world), are going to drive that convergence. We think that SIEM’s have always done a good job at responding postincident, and now SIEM’s will start to look at what can be done prior to the incident. So there is definitely a convergence between event monitoring and incidence response and risk management that will be occurring in the market.
Whereas I don’t disagree with Rick and Tom, I think there are a
couple of things that need to happen before we really get to the much more expanded use cases. First of all, the existing data that we’re collecting has to be able to integrate into our strategic processes more effectively first. We have to incorporate the business relevance of the information that we’re collecting. That’s less of a technology problem, but an easier way to be able to map the reports you need to run and why, what the regulations are, the policies, and the business objectives that are impacted by running the report. In order to make those determinations, the algorithms, the fields, and so on already exist within the products—it’s just that there needs to be much more of a closed loop process. For example, from a risk perspective, being able to incorporate the results of your business continuity planning process, or to be able to feed your compliance management processes more effectively. I think that that’s where we need to go right now, so then we can start to get the appropriate investment to make these technology purchases to take us to that next level. One of the big reasons why we went into the GRC marketplace is to help us to do that—to really take the manual process management of the stuff that our products spit out, to actually make them relevant to the business, rather than just trying to spit out more.
Next-Generation SIEM Solution www.Q1Labs.com 890 Winter Street | Suite 230 | Waltham, MA 02451 USA | 781-250-5800
EVENTS AND FEATURES ■ 2010
Events and features 2010
ETM is focusing on: BI, GRC and Security IRM UK DATA GOVERNANCE CONFERENCE EUROPE 2010 DATES:19 – 21 April 2010 LOCATION: London, UK URL: http://www.irmuk.co.uk/dg2010
GARTNER ENTERPRISE ARCHITECTURE SUMMIT DATES: 17 – 18 May 2010 LOCATON: London, UK URL: www.gartner.com/it/page.jsp?id=1219217
eCOMM AMERICA 2010 DATES:19 – 21 April 2010 LOCATION: Burlingame, CA URL: http://america.ecomm.ec/2010
MIT SLOAN CIO SYMPOSIUM DATE:19 May 2010 LOCATON: Cambridge, MA URL: www.mitcio.com
RFID WORLD ASIA 2010 DATES: 19 – 23 April 2010 LOCATION: Singapore URL: www.terrapinn.com/2010/rfid
GARTNER SOURCING SUMMIT DATES: 30 May – 1 June 2010 LOCATON: Tokyo, Japan URL: www.gartner.com/it/page.jsp?id=1267919
TELECOM WORLD CONGRESS 2010 DATES: 20 – 22 April 2010 LOCATION: Amsterdam, Netherlands URL: www.terrapinn.com/2010/twc
GARTNER PPM AND IT GOVERNANCE SUMMIT DATES: 7 – 9 June 2010 LOCATON: Orlando, FL URL: www.gartner.com/it/page.jsp?id=1216519
INTEROP LAS VEGAS DATES: 25 – 29 April 2010 LOCATION: Las Vegas, USA URL: http://www.interop.com/lasvegas FRONT END OF INNOVATION CONFERENCE (FEI 2010) DATES: 3 – 5 May 2010 LOCATION: Boston, MA URL: www.iirusa.com/feiusa BIO INTERNATIONAL CONVENTION DATES: 3 – 6 May 2010 LOCATION: Chicago, IL URL: www.convention.bio.org TDWI WORLD CONFERENCE DATES: 9 – 14 May 2010 LOCATION: Chicago, IL URL: www.tdwi.org/Education/Conferences/ index.aspx UX Lx: USER EXPERIENCE CONFERENCE DATES: 12 – 14 May 2010 LOCATON: Lisbon, Portugal URL: www.ux-lx.com/speakers.html
INTEROP TOKYO DATES: 7 – 11 June 2010 LOCATON: Tokyo, Japan URL: www.interop.com GARTNER OUTSOURCING SUMMIT 2010 LATIN AMERICA DATES: 8 – 9 June 2010 LOCATON: Sao Paulo, Brazil URL: www.gartner.com/it/page.jsp?id=1188515 GARNTER SOA AND APPLICATION DEVELOPMENT AND INTEGRATION SUMMIT DATES: 14 – 15 June 2010 LOCATON: London, UK URL: www.gartner.com/it/page.jsp?id=1128412 GARTNER IT INFRASTRUCTURE, OPERATIONS AND MANAGEMENT SUMMIT DATES: 14 – 16 June 2010 LOCATON: Orlando, FL URL: www.gartner.com/it/page.jsp?id=1219216
CODE GENERATION CONFERENCE 2010 DATES: 16 – 18 June 2010 LOCATON: Cambridge, UK URL: www.codegeneration.net/cg2010 ENTERPRISE ARCHITECTURE CONFERENCE EUROPE (EAC 2010) DATES: 16 – 18 June 2010 LOCATON: London, UK URL: www.irmuk.co.uk/eac2010 GARTNER SECURITY AND RISK MANAGEMENT SUMMIT DATES: 21 – 23 June 2010 LOCATON: Washington, DC URL: www.gartner.com/it/page.jsp?id=1180650 2ND ANNUAL CLOUD COMPUTING WORLD FORUM DATES: 29 June– 1 July 2010 LOCATON: : London, UK URL: www.cloudwf.com GARTNER APPLICATION AND ARCHITECTURE SUMMIT DATES: 12 – 13 July 2010 LOCATON: Tokyo, Japan URL: www.gartner.com/it/page.jsp?id=1267916 GARTNER BUSINESS INTELLIGENCE AND INFORMATION MANAGEMENT SUMMIT DATE: 14 July 2010 LOCATON: Tokyo, Japan URL: www.gartner.com/it/page.jsp?id=1267917 TDWI WORLD CONFERENCE DATES: 15 – 20 August 2010 LOCATON: San Diego, CA URL: www.tdwi.org/Education/Conferences/ index.aspx
Interested in contributing? If you’re an analyst, consultant or an independent and would like to contribute a vendor-neutral piece to future issues of ETM, please contact the managing editor: Ali Klaver: email@example.com.