Page 1

Alert_DEC2011.indd 18

11/16/2011 4:55:33 PM

From The Editor

For general and author Sun Tzu, the art of war was of vital importance; a matter

Prepare for War Security has to be built into app and infrastructure design from the ground up.

of life and death; a road either to safety or to ruin. Pertinently, he lived about 2,500 years ago, in the Warring States period of China — a time of ferment and violence. Proper fortifications were critical since they provided proactive security that made the difference between survival and annihilation. Not surprisingly, forts across the world developed along similar lines: to protect inhabitants and repel invaders. Early on, architects had a pretty strong grasp of security issues and realized that multiple defences were required to deal with a siege. So, apart from being located on higher ground and having thick walls and moats, provisions were made to make things as difficult for the enemy to take the fort, like secure positions for archers to fire from. So successful were forts that countries kept building them way into the Second World War. Forts offer vital lessons in today’s infosecurity environment where threat scenarios change dynamically and the motives that drive hackers border more on the criminal than a display of technological savvy. An increasingly mobile The most critical learning is that security workplace means that was seamlessly built into the design from the an enterprise’s security ground up, unlike putting applications or infrastructure in place and then attempting perimeter is now more to cocoon them with a security framework. flexible than ever. It’s also reflective of the fact that security was taken seriously at the highest levels — something that you often have to work on. That’s why a layered approach to security was adopted, with a series of defences designed to restrict or blunt the enemy’s progress. This segregation also helped to create zones of varying criticality, so that assets could be deployed accordingly. Controlling access was vital, and it translated into limited points of entry through narrow paths that exposed the enemy to attack. This also meant striking a balance between allowing merchants and farmers to transact business while putting a check on those with hostile intent. An increasingly mobile workplace means that an enterprise’s security perimeter is now more flexible than ever. Smart security strategies that allow your organization to conduct its business, while keeping the bad guys out is going to make the difference. Human nature hasn’t changed a tad in 3,000 years since we started building forts — intruders still prefer to go after the least secure of structures, the softest of targets. A note of caution though. For all their defence-in-depth, forts couldn’t handle changes in technology and the new threats they created — the advent of cannon and later airpower did them in. Where do you stand on this? Write in and let me know.

Vijay Ramachandran, Editor

Vol/1 | ISSUE/19

Content,Editorial,Colophone.indd3 3

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6

8/16/2006 7:48:46 PM

content AUGUST 15 2006‑ | ‑Vol/1‑ | ‑iSSUe/19


Executive Expectations


VIEW FROm ThE TOp | 34 Ramalinga Raju, chairman of Satyam Computer Services, on CIOs as the change agents of an organization.

P hoto by Sr IVatSa ShandIlya

CIOs have been cutting costs for years — but not seeing those savings coming back to IT. That’s why you have to learn to cut strategically. Feature by galen gruman

Interview by harichandan Arakali

Executive Coach ThE FOLLy OF FIngER-pOInTIng | 20 If individuals don’t accept personal responsibility when things go wrong, their organizations will become dysfunctional.

CoVEr: ImagIng by Jayan K narayan an


Column by Susan Cramm

Integration InTEgRATIOn’S nEW STRATEgy | 42 The integration-layer strategy promises to end all those complaints about IT’s inflexibility, while also reducing costs of converging old concepts with new technologies. Feature by Christopher Koch

more » 

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/1 | ISSUE/19


(cont.) departments Trendlines | 13 Rural Innovation | A Teller in your Village Entrepreneurship | A Boost for Rural Innovation Domestic Trends | Domestic Market to Grow 19% Leadership | Why Change Hurts Simulation | Creatures of a Virtual World Book Review | The Art of Competition By The Numbers | Failing to Heed VOIP's Call Authentication | How Your' Fist' Can Talk

Essential Technology | 56 Open Source | Dirty Code, Licenses and

Open Source By Christopher Lindquist Open Source | Open Source isn’t an If, it’s a When By Bernard Golden

From the Editor | 3 Renounce the Rigid | Security has to be built

into application and infrastructure design from the ground up. By Vijay Ramachandran

Inbox | 12

4 8

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to


Govern promised land |  48 Land doesn't belong to a people until they can buy, sell or mortgage it. But, until 2003, the state of affairs at the Department of Registration and Stamps, Karnataka, made citizens toil for this right. Project Kaveri gave citizens back what was theirs. Here's its story.

2 2

Feature by Gunjan Trivedi & Sunil Shah

Connecting the dots |  52 S.K. Balaraman, DGIP of Karnataka’s crime record bureau, on how its WAN project is connecting — not only every police station in the state — but clues that are bringing the big picture into clearer focus. Interview by Kunal N. Talgeri

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd8 8

Vol/1 | ISSUE/19

8/16/2006 7:48:59 PM

marketing & sales

Manage ment

President N. Bringi Dev

COO Louis D’Mello Editorial Editor Vijay Ramachandran


7th Floor, Vayudooth Chambers

Assistant EditorS Ravi Menon;

15 – 16, Mahatma Gandhi Road

Senior Correspondent Gunjan Trivedi Chief COPY EDITOR Kunal N. Talgeri

COPY EDITOR Sunil Shah www.C IO.IN

Editorial Director-Online R. Giridhar D esign & Production



IDG Media Pvt. Ltd.

Special Correspondent Balaji Narasimhan


Tel : +919880436623

Bureau Head-North Rahul Neel Mani


Mahantesh Godi

Harichandan Arakali

Advertiser Index



Banglore — 560 001



Delhi Nitin Walia Tel : +919811772466


38,39,40,41 IDG Media Pvt. Ltd. 1202, Chirinjeev Towers

Microsoft Gatefold

43, Nehru Place

Creative Director Jayan K Narayanan

Designers Binesh Sreedharan

Vikas Kapoor Anil V.K. Jinan K. Vijayan Unnikrishnan A.V. Sasi Bhaskar Vishwanath Vanjire Sani Mani MM Shanith Anil T PC Anoop

Photography Srivatsa Shandilya

Production T.K. Karunakaran

T.K. Jayadeep Marketing and Sales

General Manager, Sales Naveen Chand Singh brand Manager Alok Anand Marketing Siddharth Singh Bangalore Mahantesh Godi Santosh Malleswara Ashish Kumar Delhi Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B Mumbai Rupesh Sreedharan Nagesh Pai; Swatantra Tiwari Japan Tomoko Fujikawa USA Larry Arthur; Jo Ben-Atar

Singapore Michael Mullaney UK Shane Hannam

New Delhi — 110 019





Mumbai Swatantra Tiwari Tel : +919819804659 IDG Media Pvt. Ltd.





208, 2nd Floor “Madhava” Bandra – Kurla Complex Bandra (E) Mumbai – 400 051



6, 7

Tomoko Fujikawa Tel : +81 3 5800 4851

USA Larry Arthur Tel : +1 4 15 243 4141

Singapore Michael Mullaney Tel : +65 6345 8383 UK Shane Hannam Tel : +44 1784 210210

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India


A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd10 10

Vol/1 | ISSUE/19

8/16/2006 7:49:00 PM

reader feedback

Interoperability in e-governance I have been an ardent reader of CIO and am particularly happy that its editorial team has taken keen interest in e-governance and decided to dedicate a section to address e-governance eco-system issues. In every issue, CIO has covered one personality involved in the e-governance domain, including J. Satyanarayana of National Institute for Smart Government and Dr M.N. Vidyashankar of Bangalore Development Authority. Now that the magazine has taken the first step of kindling the readers’ interest by introducing to us the people involved in the e-governance vertical, I recommend that CIO addresses issues associated with the e-governance industry. One of the key areas of immediate relevance in the e-governance domain in our country is establishing and adopting standards in developing and implementing e-governance solutions. Take any e-governance project in India, and you will observe that it is done differently and independently by specific states, departments or organizations. They are executed with the immediate vision of providing a service to citizens. However, none of the solution developers and very few government organizations have taken the issues of interoperability of the information that is collected. None of the solutions today are based on standards, and this will result in tremendous inefficiency due 12

Inbox.indd 12

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

to interoperability between the many solutions currently underway. The National e-Governance Plan (NeGP) recently mandated the establishment of e-governance standards under the direction of National Informatics Centre (NIC). There are six major working groups addressing standardization issues in the areas of e-governance solution architecture, metadata, local language, security, networking and government process management. I feel that the e-governance standardization process is an extremely crucial exercise where government, industry, academia and consultants need to get involved actively. I foresee an opportunity, in which CIO can introduce an e-governance forum where standardization issues are addressed regularly, which will help CIOs in government and business understand the issues involving critical information with more clarity and motivate them to get involved in the process. Our country needs this at this hour! Dr Shankara PraSaD, CEO, INKROMA e-Gov solutions, and member, National e-Gov Standards Committee.

The IT-Business Balance I have been reading your magazine with interest for the last year. What I like most is that its articles are very close to the ground realities. This is an approach that anyone who has been deeply part of a project will appreciate. What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to Letters may be edited for length or clarity.


“The day is not far when business leaders will be expected to have spent time driving the IT initiatives of companies.” A recent article, (The New Game Plan, July 1, 2006) is a good example. Forwardlooking companies all over the world today have CIOs who are close to the business strategists of their companies. It is expected that they understand the business and become part of the senior management team to drive the organization towards its goals. Tecumseh (a manufacturing company) is one such example. I was a hardcore shop-floor man when I was asked to head IT. My KPI was to improve the organizational productivity and improve cost structure. Today, I am the global head for the company for business processes. I have to reengineer the processes to be ‘simple, common and global’. The day is not far when business leaders will be expected to have spent time driving the IT initiatives of companies. r ravI Global Director - Business Process Tecumseh Products

It is a pleasure to read CIO. The interview with K.V. Kamath was great. Congratulations for a good piece of work. I look forward to forthcoming issues. I have also been attending some of CIO's events, which I have observed focus on very contemporary issues. neeraj kumar GM-IT, NABARD

Vol/1 | ISSUE/19






a Teller in your village


ICICI Bank and IIT Madras’s TeNet Group are ready to take the aTM a where none has gone before, and at one-tenth the cost. I N N o v a T I o N Rural banking might take on a more sophisticated turn if a low-cost ATM being pilot tested by ICICI Bank and Vortex India, a Chennai-based startup company, leads to actual deployment in villages. “The idea was to build an ATM that can work in areas where the regular ATM wasn’t viable,” says Vortex’s managing director L. Kannan. Called ‘‘grama (village) teller’, this ATM is designed to be a virtual bank in areas where a bank has no other presence. The ATM is being pilot-tested in two locations — on campus at TeNet and at ICICI’s main branch in Chennai, says Kannan. “Real deployment will happen anytime now,” he says.

Grama teller comes in two forms: a dispenser that can be plugged into an existing Internet kiosk or a stand-alone ATM, the latter costing only a tenth of the commercially available ATMs one sees in cities, says Kannan. “An add-on is that

apart from the key pad and a debit card, we have provided biometric identification,” he says. The idea is that people in remote villages could be vulnerable to theft of their debit cards and ATM pin numbers.

Continued on Page 14

A Boost for Rural Innovation Microsoft India and the International Development Research Centre (IDRC) floated a rural innovation fund recently to further Redmond’s localization initiative in India by developing applications customized to rural communities. The initiative will begin with a seed of Rs 90 lakh. It will focus on telemedicine, education and agriculture, which are areas of maximum interest to rural communities, according to Ravi Venkatesan, chairman, Microsoft India. The fund was announced at the July meeting of the M.S. Swaminathan-led Mission 2007, which brings together government agencies, business and industry, academic institutions and civil society organizations committed to bridging the rural-urban divide. Speaking at the Mission 2007 meeting, Swaminathan said, “I am confident that this fund will create an entire network of rural IT entrepreneurs who will develop local software specific to the needs ENTREPRENEURSHIP

VOl/1 | ISSu E/19

Trendlines.indd 13

of rural communities. It will lead to an entrepreneurship revolution in rural India, and will help retain educated youth in villages.” Over the next six months, the program committee of the Project Saksham fund is expected to choose from various applications. Project Saksham aims to set up connected PC kiosks in at least 200,000 villages by 2010, and also foster a parallel empowerment program to develop women as kiosk entrepreneurs. Microsoft has already piloted 300 kiosks across six states involving about 4,000 users to understand the key requirements of the rural kiosk model. Its partner in the rural fund, IDRC, has also been a supporter of projects for social development and innovation. It has funded ICT initiatives such as the International Open Source Network, whose activities revolve around Free and Open Source Software applications. — By Ravi Menon

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 1:21:29 PM


Domestic IT Market to



T R E N d S The Indian domestic market has wriggled of the IT spending squeeze of 2002 and 2003 and has, since 2004, experienced a strong growth trajectory. International technology market research firm IDC says it will grow at a 19 percent PEG (price to earnings to growth) in calendar year 2006. If its prediction pans out, the Indian domestic market will be Asia’s fastest growing domestic market surpassing a 14 percent growth PEG for the Philippines and 12 percent for China by end-2006. Since 2004, Indian IT services companies have increased their focus on the domestic market. While it still has a small base, it is growing at almost 100 percent annually, says IDC. There is evidence of this focus: last year, large vendors collectively bagged over 100 contracts from the SMB market and saw revenues from that segment grow significantly, observed IDC. While releasing IDC’s Top Ten ICT Market Predictions for 2006, IDC India country manager Kapil Dev Singh also announced that mobility, convergence and infrastructure management would be key underlying themes for the growing outsourcing wave witnessed by the Indian IT software and services industry. He also observed that further consolidation and realignment in the industry will be built around the growth of dynamic IT applications and the proliferation of digital devices among enterprises. “With broadband prices falling, IT now has increasing relevance to smaller enterprises. Even as PC adoption rises, we will see increasing integration of IT with business in the enterprise,” said Singh. In 2006, IDC predicts that these markets will grow: WLAN equipment (94 percent) Application lifecycle management software (32 percent) Security software (29 ( percent) Content applications (24 ( percent) Systems management software (20 ( percent) Data management software (20 percent)


According to IDC, outsourcing services will take up a larger share of the domestic IT services market — which has been dominated by vanilla-plain services like systems support — and by the end of 2006, will contribute 24 percent to the Indian IT services market. The new trend is being driven by providers offering greater value through total outsourcing services, end-toend solutions and industry-specific customization, said IDC. —By Ravi Menon

The Village

aTM a TM

Continued from Page 13 Thumb prints of people can be scanned and registered on a one-time basis. So, in addition to the PIN number, the ATM will look for the correct thumb print before allowing a person to use it. Vortex developed the computer program for the thumb print recognition in-house, which has helped keep costs low. The dispenser version will cost less than the stand-alone version, for it uses the existing computer and Internet connection of the kiosk. “All we need is a minimum of 35 kbps,” says Kannan. ICICI Bank co-developed the ATM with Vortex by defining standards, pre-pilot testing and so on, he adds. The ATMs took about two years to build, and pilot testing started three months ago. Vortex is funded by Ventureast TeNet Fund, the venture arm of the Telecommunication and Computer Networking Group, ‘a coalition', according to the group’s website — of 14 faculty members from the electrical engineering and computer science & engineering departments of IIT Madras. “Term loans at 45 per cent p.a. (and) working capital at 120 per cent” — these are the terms at which finance is accessible in rural India, home to 450 million people who earn less than Rs 6,750 per year, says Vortex’s website. “So, it is hardly surprising that almost any enterprise under such circumstances is rendered unviable. The dispersed nature of settlements and low value of transactions make it unprofitable for modern banks to extend their services,” it adds. Grama teller, with its ability to recognize soiled notes, and dispense notes of small denomination, using a single denomination cassette, may change some of that. “We have the network to outsource the mass manufacturing of the ATM,” says Kannan. By 2008, Vortex aims to deploy 10,000 units in the villages of India. —By Harichandan Arakali


Trendlines.indd 14

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

VO l/1 | ISSuE/19


WHy cHaNgE HURTS Change hurts. That’s not a metaphorical statement. Change — the hope of all innovative corporate leaders — induces a physiological reaction in the brain that results in stress, discomfort and pain. Scientists have known that for years. The news, according to UCLA research psychiatrist Jeffrey M. Schwartz and leadership guru David Rock, is that humans (and even large, inertia-anguished companies) can combat this physical resistance to change — by focusing attention on certain insights and ideas. When a person’s expectations are challenged, the brain fires a distress signal. But say an employee comes up with a way to cope with a new demand. Then the Aha! — the


moment of insight — creates enough positive energy in the brain to counter the negative feelings about change. If employees are going to embrace change, they need to own it. A leader’s role, according to Rock, is to help facilitate insight across the organization. But that’s not all. Individual brains are shaped by behavior. That means that in the long run, leaders who make a habit out of change can undo the hardwiring that causes brains to fight it. “If you can create in your organization a powerful expectation of change, then you can begin to create a counterbalance to these physiological reactions,” says Schwartz. The Rock and Schwartz approach has implications for time-honored leadership techniques:

Incentives — carrots and sticks — are ineffective at an individual level. Sharing your own solutions and insights with employees has limited influence on their behavior. Constructive criticism tends to focus too heavily on problems. Instead, Rock recommends “constructive creationism”: asking employees how they might develop new, improved habits and how you can help them. “Once you learn these principles, any other way of communicating is annoying,” says Rock. “You can see when you’re fighting the brain instead of harnessing its energy.” — By Samar Farah

Creatures of a

c o M P U T E R S I M U l a T I o N Researchers studying artificial intelligence are creating millions of simulated humans in order to observe how they interact and evolve. These software beings don’t have names, but they do have distinct virtual characteristics, including gender, life expectancy, size and metabolism. Their traits will be passed on as they reproduce, but the beings will also be able to learn and gain new characteristics. So far, thousands of artificial beings have been created in a single computer, but the goal is to create a cluster of computers to host potentially millions of them, says Gusz Eiben, the project leader and a professor at Vrije Universiteit in the Netherlands. The results of the research could be applied to several fields. Sociologists, anthropologists and politicians could use it to simulate reactions to events such as elections. Game developers could use the findings to create more intelligent characters that can learn and adapt. “Giving intelligence to them would make the games more challenging,” says Eiben.

VOl/1 | ISSu E/19

Computers randomly generate the beings, groups of which live in worlds that the researchers create to present them with different challenges. Built-in algorithms allow the beings to create language, work together, and distinguish between friend and foe. Researchers will discover how the beings learn and interact by studying the choices they make. At least at first, the researchers aren’t likely to develop a visualization tool that would allow observers to see figures interacting on a computer screen. Instead, graphs will plot details, like the number of beings, which over time will allow the researchers to follow their activities, including reproduction and death. The project, which began in 2004, is being funded with a $2 million grant from the European Union to five universities.

—By Nancy Gohring REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


Il luSTRaT IO N By aNIl T

Virtual World

Getting the best of your rivals requires understanding what they’re up to. R E v I E W One of the biggest challenges managers face is figuring out what the competition is up to, according to Leonard Fuld, a consultant on competitive intelligence. In his new book, The Secret Language of Competitive Intelligence, Fuld explains how to analyze information about the competition to obtain insight and advantage over rivals. Fuld contends that the information one needs to stay ahead of competitors is


everywhere. Competitors reveal more information now than ever before, through online archives of their annual reports, press releases and PowerPoints detailing company strategy. But while the Web contains lots of intelligence gems, it is also a source of misinformation and confusion. The key to developing insight into one’s rivals is knowing how to use the data you find. Transforming information into intelligence is an art form, says Fuld, involving creativity,

Aligning IT

critical thinking — and prompt action once you’ve obtained a worthwhile insight. One way to turn information into intelligence is by developing scenarios in which you imagine what your company might do in response to its rivals. Fuld provides examples of how companies can use competitive intelligence both offensively and defensively. Google, for example, needs to be prepared for how Microsoft might react to what it does, because now

that Google is a public company, Microsoft and other rivals have greater access to information about its intentions. Finally, he advises, companies need to have more than one strategy for each action they anticipate rivals will take. Using competitive intelligence effectively means more than guessing what your rivals will do; it means being prepared for what they might do. —By Katherine Walsh

technical publications, other companies, academia or the consumer market. “What happens in the beginning is that the people in charge of the process will bring in a lot of ideas themselves that they find in different places,” Cullen observes. “If it goes well, other people will be encouraged and do the same thing.” But in the beginning, the enterprise architects should prime the pump. Promising ideas need to be bounced against potential business uses, he adds. If a company decides to pursue them, then the enterprise architecture group’s role is to deliver the technologies and IT services necessary to execute the ideas. For example, a sales management organization might be alerted to the potential for podcasting as the means for continuous sales training, but it will need a technical infrastructure and the production of training materials to turn the idea into reality. For Cullen, the bottom line is that IT needs to contribute to innovation equally with business leaders. letting the enterprise architects take a leadership role is a first step toward aligning IT with the business innovation process.

with InnovatIon unleashing the innovative power of the IT organization is a goal for many CIOs. But how is it supposed to happen? according to a recent study by Forrester Research, the solution could be to let the enterprise architects play a key role as coordinators and facilitators for a company’s innovation initiatives. The architects are the people within the IT organization who are best suited for the mission, says Forrester analyst alex Cullen, because they have an overall view of the company and are plugged into business strategy. and because they are technology generalists, they are better at seeing — and dealing with — new things than more specialized IT managers. The enterprise architecture group’s role is mainly as a facilitator: to build an innovation team, says Cullen. Participants in the ‘innovation network’ should come from all over the company and include both business and IT people. The team’s role is to behave as a funnel, channeling ideas from a variety of sources, including MaNagEMENT REPoRT


Trendlines.indd 18

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

— By alexandra Heymowska VO l/1 | ISSuE/19


The Art of Competition

The Secret Language of Competitive Intelligence By Leonard M. Fuld Crown Business, 2006, Rs 979.51

'Fist' Talk


How Your Can

a U T H E N T I c a T I o N What’s the best way to ID a DJ? This is a question that John Heaven thought long and hard about three years ago, when his company, Musicrypt, was trying to create a better way for record companies to get their music into the hands of the reviewers and radio stations. In the past, this had been done by mailing thousands of CDs and press kits, but Heaven knew that online distribution would be faster and less expensive. That’s when some little-known research, begun by Allied intelligence services during World War II, saved the day. During the war, the Allies discovered they could track German telegraph operators by identifying each operator’s unique style of typing code, something known as ‘the fist of the sender'. Forty years later, researchers took this discovery to the computer keyboard and found that individuals could also be identified by the rhythm of their typing. The technology for making these identifications eventually landed in the hands of the company BioPassword. After taking about nine samples of an eight- to 16-keystroke password, the company’s software is able to identify the ‘fist’ of the typist about 98 percent of the time. Musicrypt decided to use the software to authenticate anyone who accesses its tunes. Now, BioPassword hopes to make inroads with financial services companies, capitalizing on growing fears of fraud and identity theft, as well as federal guidelines that call for banks to beef up their online authentication techniques by year’s end. The software is being used by a number of smaller regional banks, including Washington State’s CharterBank, San Antonio City Employees Federal Credit Union and the Automotive Federal Credit Union in Ann Arbor, Michigan. Nevertheless, the company has to prove itself as a credible alternative to more established competitors such as RSA Security, says Andrew Jaquith, senior analyst with Yankee Group Research. “I think they’re going to have some challenges getting over the credibility gap,” he says. “But it has the benefit of being simple, and simple is good.” — By Robert McMillan

VOl/1 | ISSu E/19

Trendlines.indd 19

Susan Cramm 


The Folly of Finger-Pointing If individuals don’t accept personal responsibility when things go wrong, their organizations will become dysfunctional and stay dysfunctional.


eople make mistakes. Things fall apart. The only surprising thing about the very common phenomena of faulty leadership and project failure is the disbelief and disappointment that people express when things go wrong, and our eagerness to look outside ourselves when searching for something — or someone — to blame. Responses to a request for stories about IT’s worst practices brought up the oh-so-familiar stories of shortsightedness, finger-pointing, incompetence and just plain meanness, they revealed their own anger and hopelessness — emotions that come from a sense of powerlessness. Consequently, none of the respondents talked about their own mistakes or discussed their own acts of commission or omission that ensured that things would go from bad to worse. The voices in these stories were largely those of the victims. But how many were complicit in their own victimization?

Taking Responsibility Early in my career, I had an abusive boss. At the time, for a variety of reasons, I lacked the courage to report the issue to my seniors and kept quiet. As a consequence, others were abused as well. I made a mistake, and I learned from it. Many years later, when I reported to an abusive CEO, I called him to account. True, I could have been fired, but jobs are easier to find than one’s dignity once lost. What really matters is not what happens to you or around you; what matters is how you respond and what you learn from it. Unfortunately, most people have a difficult time acknowledging their own accountability for the messes they find themselves in. 20

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - The Folly of Finger-P20 20

Vol/1 | ISSUE/19

8/16/2006 11:49:42 AM

Susan Cramm


In one organization, for example, a change agent with a hefty budget and a senior-level mandate quickly created enemies due to her tendency to talk too much and belittle the work of others. While it’s true that she behaved inappropriately, why did the organization have to pull in an external coach to deliver the message in the first place? When she recently said to me, “This organization is so passive-aggressive; people never say what’s on their mind” — sure, she was partly in denial, but she also had a point. Her behavior could not have continued were it not for the fact that those around her were unwilling to step forward and call her on her behavior.

Taking Action The tendency to externalize is never more obvious than when I am playing back 360-degree feedback to a client. My first challenge is to get through the ‘buts’: “but they wanted it done cheaper and faster” or “But they didn’t involve me”. Once those excuses are cleared away, my client is able to identify ways in which he could have improved the situation. Next, to test the client’s understanding of the feedback, I ask him to do three things: write down what he’s heard and learned, commit to future actions, and meet with others to review their insights. Most clients get through the first task, although it usually requires two or three iterations before it’s clear that the words have made it from head to heart. But less than 75 percent of clients make a meaningful commitment to change, and only about 25 percent ever meet with critical stakeholders to secure support. Most people, when faced with setbacks or negative feedback, have a tendency at first to place blame externally. Only those with humility, self-confidence and discipline are able to take the steps necessary to internalize criticism and be accountable. Exploring the good, bad and ugly of one’s impact on others is a humbling process. Translating insights and commitments from thought to action requires the courage to forge more trusting, productive relationships by exposing your vulnerabilities and negotiating changes that will benefit both parties. Stop criticizing and start empathizing. Aspire to become a better leader by, in the words of Jim Collins, “look[ing] in the mirror, not out the window, to apportion responsibility for poor results, never blaming other people, external factors or bad luck.” Leaders understand that when one person changes, everybody changes. And that’s a source of hope in a messy world.

Reader Q&A Q: People put up with abusive bosses because they fear for their jobs. The problem is, the system produces abusive behavior. How can we change the system? A: Progressive organizations factor 360-degree feedback

into decisions regarding promotion (or lack thereof). Until this practice is standard procedure, abusive bosses will continue to exist, and only those employees who are courageous and secure in their employability will cease being victims. Q: I have been accused of the opposite behavior — of taking everything to heart. What are your thoughts? A: Those who sidestep responsibility are the problem

rather than the solution. But those who try to assume all the responsibility and fix things on their own limit their impact. It’s only by engaging others that lasting change can be made. Business is not a solitary pursuit. Q: If your employees aren’t making mistakes, you’re in trouble; they’re either doing nothing or lying. But how do you protect yourself and your employees from a manager who equates mistakes with incompetence? A: In R&D type efforts, label the work so it’s clear that

the outcome of the effort is to determine feasibility. Build contingency and risk mitigation into your plans so that mistakes aren’t as visible upward. Finally, try to keep your boss focused on the ends by keeping him out of the details — either in the planning of the approach and timing or the review of the status. Q: How can a manager build a culture in which people take responsibility not only for their own performance but for their group’s? A: If you want people to take more responsibility, make

sure they understand the organization’s goals, provide information that illustrates what is and is not working, clarify how work gets done so they know where to go and whom to talk to, push decision-making downward, and reward risk-taking and sharing. CIO

Susan Cramm is founder and president of Valuedance, an executive coaching firm. Send feedback on this column to

Vol/1 | ISSUE/19

Coloumn - The Folly of Finger-P21 21

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 11:49:42 AM

Mike Hugos 

Total Leadership

Why Leaders Fail If you’re heading in the wrong direction, every step you take will be wrong.


hether leaders are born or made, I do not know. What I do know is that if you are a leader, you feel your pulse quicken when you see the opportunity to create order from chaos and rally people to achieve an important goal. In such situations, I find myself so eager to charge in that I’m reminded of the black Labrador retriever my family had when I was in high school. Her name was Bebe. On walks with Bebe all I had to do was lift my arm with a ball in my hand and she’d get so excited she could hardly contain herself. She wanted so much to charge off and retrieve it. Sometimes I would only pretend to throw, but Bebe would race off anyway, looking for whatever she thought I had thrown. It’s good to feel excited when an opportunity arises that calls for your leadership. But I have learned to make sure there really is a stick or a ball out there before I charge. Experience has taught me to look at the factors shaping a situation before I leap in, particularly whether the strategy being employed is right for the goal I am trying to accomplish. For in the service of flawed strategy, even great leadership will fail.

The Eager Leader This lesson became apparent to me some years ago when I was asked by a financial services company to review a high-profile system development project. The company had embarked on a project to re-create a financial reporting system that, at the time, ran only on its own mainframe. The goal was to rebuild the system using new software so that it would run on smaller and less expensive servers. Then the company would add new 22

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - Why Leaders Fail.indd22 22

Vol/1 | ISSUE/19

8/16/2006 11:52:38 AM

Mike Hugos

Total Leadership

features and sell the system to many of its existing customers, as well as new customers. But there were problems. The reporting logic used by the legacy system was not properly documented, so it was hard to re-create it in the new system. Also, the new development software was complex and required plenty of user training. The first release of the new system often ran very slowly. It took 15 to 20 minutes to run some important reports. And customers had questions about the accuracy of some of the report calculations. Those customers who saw the first release made it clear that these problems had to be fixed. After a two-week assessment of the situation, I made my recommendations. I advised that the company organize the project using rigorous project management and that it adopt a more specific set of system development objectives. Working with the development team leaders, I used these objectives to put together a high-level plan showing the tasks, time frames and budgets needed to finish the system. My recommendations also addressed problems the company was having with the development software. This was the first time the software had been used for such a large system. In addition, the company’s development teams were not fully trained. I recommended that the software vendor send its experts to work onsite with the financial services company’s development teams. The senior managers of the company were so pleased that the COO asked me on the spot to lead the project. I felt the adrenaline rush. “Yes!” I thought, “I can whip this project into shape. I’ll show them what a real leader can do.” The company needed to have its system ready to demonstrate at an industry trade show in three months. I charged in to make it happen.

We had regular project meetings and frank discussions. We got issues out into the open, resolved them and moved on. I watched progress like a hawk, and when an activity started to lag behind schedule, I got personally involved. Deadlines were sacred. The teams worked long and hard. Under my leadership, the developers delivered the system on schedule. There were still problems, but experts from the vendor kept tinkering with the code and felt they could fix them. The decision was made to demonstrate the system at the trade show. It worked better than it had before but still failed to generate much enthusiasm. System response times had been improved

It’s good to feel excited when an opportunity arises that calls for your leadership. But experience has taught me to look at the factors shaping a situation before leaping in.

What I did Right I set up a project office and applied a rigorous management process. I re-focused each development team on one of the new objectives and made sure they understood clearly what was expected of them. This eliminated any duplication of work as well as confusion that had been caused by different teams working on the same system features due to poorly defined objectives and lax project management. I facilitated several sessions where the company’s developers and people from the software vendor pointed fingers. I cut through the excuses and double talk on both sides and got them to own up to their faults. I negotiated an arrangement in which the software vendor sent a group of experts out to the company’s office to work alongside the development teams.

Vol/1 | ISSUE/19

Coloumn - Why Leaders Fail.indd23 23

by more than 50 percent, but that meant it still took five to 10 minutes for some reports to run. And customers still questioned the validity of certain report results.

Why Things Went Wrong A few weeks later the project was finally shut down. For months afterward, I asked myself what I had done wrong. Then I realized I had made the same mistake Bebe used to make. Even though she was full of energy, there was no way she could retrieve something that was not there. I had tried to retrieve a project that was not retrievable. My leadership skills were not to blame. The project was bound to fail because the strategy driving it was not viable; scrapping the legacy reporting system in favor of some leading-edge software was a mistake. In my eagerness to start leading, I had failed to acknowledge something we all know: that leading-edge software requires a lot of testing and tweaking. That makes it risky to use for a critical project. If I had this project to do over again, I would build only new features with the new software. Existing features and reports that already worked would stay on the mainframe. Version 1.0 of the new system would be delivered fast and cheap because the only development would be to create new features, not re-create existing ones. That strategy — combined with good leadership — would deliver success. CIO

Mike Hugos is the former CIO of Network Services and the author of two books: Building the Real-Time Enterprise and Essentials of Supply Chain Management. Send feedback about this column to

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 11:52:38 AM


Cover Story | Infrastructure


CIos have been cutting costs for years — and not seeing those savings coming back to It. that’s why you have to learn to cut strategically.

Il lustrat Io n by un n IkrIshn an av


wo years ago, when Richard Toole became CIO at pharmacy service provider PharMerica, he faced two very tough challenges: reduce IT costs and earn the trust of the business. At the time, IT organizations all over the country were facing similar pressures. The US economy was still stumbling after the double blow of 2001's terrorist attacks and the turnof-the-century financial scandals. At PharMerica, the pressure was even greater. The IT organization that Toole inherited had little credibility within the organization, and had even less when it came to driving cost savings itself. "We used to be called the 'helpless desk' when I joined," recalls Toole. Toole knew that unless he changed his department's relationship with the business, IT would always be viewed as a cost center, facing an endless stream of declining budgets dictated by others. He was determined to demonstrate financial discipline by managing IT strategically,

vol/1 | I ssu E/19


correcting inefficiencies to cut costs before he was asked to. That strategy paid off, and the trust Toole earned not only allowed him to determine the cuts and their nature but also permitted him newfound say in where the savings he reaped could be redirected. "I wanted not just to cut costs but also build capacity for the future," he recalls. First, Toole invested in building a help desk system so he could bring the poorly performing outsourced desk back inside the company. That addressed IT's most visible failure. He diverted some resources to creating an architectural team so IT would no longer be managed in silos, reducing redundancy while increasing agility. And he invested in Reader ROI:

Where the savings are Separating the operations budget line from innovation monies Five rules for infrastructure rationalization

increasing business, leadership and developer skills so his staff could deliver better service and applications with an eye toward adopting modern approaches such as service-oriented architecture and Web services. Toole's experience is hardly unique. "In a lot of cases, all the business expects of IT are tactical decisions. It's viewed as an order-taker, a big cost, just data processing," says Dennis Gaughan, research director for IT governance at AMR Research. CIOs have already done a great deal of work cutting costs. But all too often the money they've saved has disappeared into the maw of the business, never to be seen again — at least not by IT. That's why CIOs can't just cut costs; they have to have a strategic plan to cut costs. And they have to leverage that plan to gain or maintain a seat at the organization's strategic table. In that way, the cuts they make can be transformed from a way of slowly bleeding IT to death to a way of adding value to the company. REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


Cover Story | Infrastructure CUT, BUT CUT SMART “A lot of the [IT] cost savings in the last three to four years have been accomplished by shrinking budgets," says Greg Bell, a partner in the information risk management practice at audit, tax and advisory firm KPMG. In most cases, IT cut costs without determining whether those efficiencies increased costs elsewhere, increased business risk or short-circuited a potential strategic initiative for the business. For example, the management team of residential real estate company Crye Leike Group asked CIO Gurtej Sodhi to consider outsourcing the company's call center. Sodhi declined. "My call center is one of the biggest advantages we have over our competition. The potential savings did not justify [outsourcing] it," he says. Sodhi saw the call center as the customer's touchstone to the company, and he wanted to invest in it by taking better advantage of customer intelligence for crossselling and targeted services. That's hard or impossible to do with an external, outsourced call center, he says. "CIOs may find themselves in a hole by not managing [cost cutting]," says James Kaplan, a partner at the consultancy McKinsey & Co. "Fortunately, in the last 18 months, we're seeing more strategic direction from the CIOs on cost cutting." That's because optimism about future growth has turned the businesses' priority from cutting costs across the board to building long-term efficiencies that will permit IT to focus on helping the business grow. "In 2002–2003, there was a need to reduce costs quickly," he says. That period, according to Kaplan, is over.

While CIOs will arrive at different conclusions about what costs to cut and how to make those cuts, there are several universally applicable strategies that Toole and other CIOs have found successful. They include making the IT costs of business technology demands clear to senior management so you're not stuck with supporting unfunded mandates long-term, separating IT operations from innovation initiatives, and making the infrastructure — which Forrester Research says typically consumes 76 percent of IT budgets — both more efficient and less complex. The implementation elements of a successful long-term infrastructure reduction strategy are deceptively simple: standardize as much as possible to reduce complexity; get rid of hardware, data and applications you no longer need; and understand the cost and value of delivering each IT service so you can determine what to outsource, automate or manage at the appropriate level of staff. But while these elements are straightforward, translating them into action can be hard. That's where your department heads and technology experts come in. With a clear strategy in place, they can choose the right solutions. And IT can then focus on delivering what the business really wants and needs, says Alex Cullen, principal analyst for IT management at Forrester Research, "not just be some general corporate overhead target."

KNOW THE VALUE BEFORE YOU CUT To cut costs strategically, you need to understand your actual costs and the value of your various technologies, services and

To cut costs strategically, you need to understand the actual costs and the value of your technologies, services and business deliverables. Else, the cuts may degrade important business processes.


A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD


business deliverables. Otherwise, the cuts you make may degrade important business processes and reduce their value. A good way to clarify these issues is to seek expertise. "Add a finance person to your staff to help you understand your costs and cost drivers," suggests Forrester's Cullen. And be sure to make the costs associated with specific business initiatives clear to the business process owners so that they understand how much you're spending to support them. That can help the CIO team up with other business managers to re-evaluate the service levels they demand or the value of the IT they're using and demanding. Essentially, this approach treats IT as a portfolio of services and resources. "This improves demand management, so the enterprise picks the right things to spend money on," says AMR's Gaughan. "Portfolio management is a good approach for longterm savings," he adds. PharMerica's Toole used this approach, following the accumulated costs of each business application through the accounting ledgers, to figure out what his largest application support costs were and how they were accounted for in both business and IT budgets. (Hardware leases and purchases were his biggest expense, followed by software support and maintenance, then longdistance, local and data communications.) "We then made some attempt to calculate the value these expenses returned to the business," he says. This exercise uncovered significant waste in equipment leasing costs (mostly for old, unused or underused equipment). Not only was Toole able to reduce his leasing costs, he also got some rebates for unused equipment. But he also went further, citing the discovered inefficiencies as reasons to launch a more sweeping IT consolidation effort, getting rid of unnecessary servers, consolidating data and applications onto fewer servers where possible, and reducing special-purpose servers, applications and operating systems. That resulted in both equipment savings and lower labor costs.

Vol/1 | I SSUE/19

8/16/2006 7:47:55 PM

— Kunal N. Talgeri


CIOs must continue to examine and restructure internal operating methods, consider a consulting model approach, and/or acquire technologies that help reduce costs, says N. Nataraj, CIO of Aztecsoft. He identifies some ways to do this: • Remote Infrastructure Management: Indian organizations have good practices to remotely manage customers’ infrastructure. But when it comes to their own infrastructure, they run it in conventional ways by deploying costly resources across the geography, Nataraj points out. That must change. • Application Integration: Many organizations have monolithic applications that have the same purpose. These aren’t integrated, leading to double entries — and even the non-availability of data at the right time. It results in an increase in costs towards people, backups and space. A Web-services implementation or an SOA approach would be better alternatives to streamline processes, he says. Nataraj also reiterates the need to consolidate networks and data centers.

Toole's cost and value analysis also led him to stop outsourcing his ‘helpless desk’. He applied the labor savings from the infrastructure consolidation to manage the help desk internally. Although his dollar cost didn't go down, the quality of service went up dramatically. And that showed his company he could both drive fiscal restraint and improve service. Over time, that approach won Toole a separate IT innovation budget — a recognition that IT was not merely a service organization. And that in turn let Toole focus on building the right IT infrastructure (as well as applications and integrations) instead of just squeezing the one he inherited. Other CIOs have benefited from similar cost and value analyses. For example, Crye Leike CIO Sodhi analyzes every IT infrastructure project through three lenses: project cost, the impact on productivity and competitiveness. Like Toole, he found many inefficiencies in the organization he inherited, including 28 percent in excessive costs for telecom circuits and PBXs, 25 percent wastage in server utilization, 30 percent wastage in storage and inefficient distribution of IT staff to regional offices. "My CEO still says that I'm the biggest spend in the company, but he knows it could be a lot worse if we weren't as efficient as possible," Sodhi says. To ensure that his company's cost and value analyses are on target, John Von Stein has created an IT service catalog to benchmark unit costs against peers and research firms' recommendations. The CIO at the financial transaction processor The Options Clearing Corp. works closely with the finance department on this effort. The result: "We have a good handle on the costs," Von Stein says. "And our business partners understand that if you put several straws in the milk shake, it's coming out of the same pool."

SEPARATE OPERATIONS FROM INNOVATION With the costs and values understood, CIOs can separate their operations from their new initiatives. This not only lets the business understand the balance between REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


ImagIn g by unn Ik rIshn an av

Where Can a CIO hope to Prune Costs?

P hotos by srIvatsa shandIlya

Cover Story | Infrastructure

Cover Story | Infrastructure the services it has come to count on and the services it may want to add, but also the longterm implications of making new demands on the infrastructure. "Remember that every project you did the year before goes into maintenance," says Forrester's Cullen. Truly appreciating that cold calculation helps the business team comprehend the long-term implications of technology initiatives, and also helps ensure that the CIO is always on the lookout for efficiencies to make room for those new operational requirements, he says. The average company spends about 76 percent of its IT budget on maintenance, operations and support, Cullen notes, while efficient companies fall between 50 percent and 60 percent. But the separation should not be just about budget lines. The separation also helps CIOs identify which staff and technologies are core to the business and which ones aren't. By definition, innovation is core to the business, but that doesn't mean everything else is not. Within the operations part of IT, the CIO needs to understand which aspects require special skills or focus, and which are routine. This

analysis helps determine both where to target efficiencies and where to invest. Fo r e x a mp l e, m a nu f ac t u r e r ThyssenKrupp Elevator discovered that it could safely outsource mainframe and AS/400 operations to reduce costs, but it could not outsource network management. That's because the mainframe and AS/400 systems management is "fully stable, fairly repetitive and low-volatility," says CIO Jim Miller. But it made more sense to invest in internal network management skills since ThyssenKrupp's 180 or so locations required intimate knowledge of the network connections and relationships among the locations, a level of ongoing focus that Miller concluded an outside vendor could not deliver. Similarly, document-processing equipment manufacturer Böwe Bell & Howell concluded it could outsource desktop support but needed to reallocate some of the IT staff budget to work on its SAP ERP deployment. "We were heavily invested in resources for the infrastructure, which were not lined up to our strategic areas," recalls CIO Ron Ridge.

Properly providing desktop support for the company's 2,000 employees — 1,400 of whom are in the field — would have required a significant investment in help desk management systems, he says, yet what the company really needed was to build on its ERP deployment to help the business team improve productivity and increase revenue. Understanding the operational/innovation separation made the need to change the IT strategy clear. By understanding which functions are strategic, ADP Employer Services CIO Bob Bongiorno has been able to increase the budget for IT staff working on new development efforts by 17 percent from 2005 to 2006, permitting growth from 575 to about 690 people, while keeping his overall budget nearly flat, rising by just Rs 4.5 this year to Rs 522 crore. The extra money for new development efforts came from a variety of sources, including streamlining data center operations and reducing maintenance costs. While such separation is useful for strategic management, there needs to be communication among these two IT

Timing is the Key Cost-cutting becomes pertinent when an enterprise is in sustenance mode, says Abir Basak, head (IT

infrastructure), Aviva Life Insurance India.

“Looking at the stage that we are in — in the lifecycle of our enterprise — there is little scope for cost-cutting,” he says. Aviva’s IT planning cycle, which spans three years and is based on its business roadmap, determines the IT department’s budget. Business applications, believes Basak, is where CIOs come across ad-hoc requirements from internal users. “It is essential for a CIO to analyze and consolidate those requests from an organizational perspective before delivering. It will save him a lot of money,” he says. Aviva’s IT department recently introduced an ‘asset refresh policy’, which relooks at client-end technology every three years. While components like routers and switches are used for as long as five years, client-end technology requires faster replenishment. “Old hardware is always a challenge and requires high maintenance costs. It is an important area of operation for any enterprise because maintenance can eat up a lot of your IT budget,” says Basak.

– Rahul Neel Mani

Cover Story | Infrastructure groups and the business to ensure that each does not go its own way and end up creating an environment where operations prevents innovation or where innovation strains the infrastructure. At the diversified manufacturer United Technologies, CIO John Doucette uses a CIO council to coordinate savings strategies among the company's divisions.



While there are many ways to achieve efficiencies in IT infrastructures, they tend to be variations on one basic approach: reducing complexity. "The key levers are simplifying, standardizing, consolidating and centralizing," says John Balboni, CIO of International Paper, who has cut IT costs by 25 percent over three years even though his company has

been involved in a number of acquisitions during that time. "It needs standard processes to do real consolidation," advises KPMG's Bell. So any infrastructure rationalization needs to start with understanding the underlying business and IT processes, making them efficient, then adjusting the infrastructure to support them. Part of that effort includes rethinking the service levels IT provides to business, says McKinsey's Kaplan. "Do you need 24/7 support for all applications?" he asks. "Do you need disaster recovery for all applications?" Service levels should reflect business criticality, since achieving high service levels adds significant labor and technology costs. "You have to show [business departments] what they can live with — service is really a level of gray," says Khris Hruska, technology director at child-care and education

provider Learning Care Group. Hruska worked with business managers to help them understand what service levels they really needed. Then, he tuned his resources accordingly.


Don’t Keep Multiple Systems One way Balboni has kept costs down is by not keeping acquired companies' IT infrastructures. That allows efficient usage of technology and staff while also ensuring that the business has a unified view of its customers and operations. "You don't want to serve the customer out of two systems," he says. "You have to have the same system," agrees John Williams, CIO at retailer Party America, which has grown from 36 stores to 300 in three years through a series of mergers and acquisitions. During that time, his IT staff only doubled from six to 13, thanks to enforcing the same point-of-sales

Taking the Path to Profits “Why not turn cost-cutting on its head?” asks Atul

Kumar, chief manager (IT), Syndicate Bank.

“Our 400 IT people represent not a cost, but a precious asset, for they come with the kind of domain knowledge that is very valuable in the sector,” says Kumar. “They understand the IT of banking from the inside.” Three months ago, the bank made the leap of imagination to leverage that asset. “We started a subsidiary called SyndBank Services Limited,” and hired a consultancy to help it figure out a go-to-market strategy. “Their report is expected anytime now.” Even in a complex business like profiting from exchange rate arbitrage, “the advantage of using Syndicate Bank’s IT people as against a private company that does not count banking as its business is obvious, isn’t it?” A large multinational bank looking for a local partner with BPO skills would perhaps favor another bank over a pure play BPO, he says.

– Harichandan Arakali

Cover Story | Infrastructure and back-end systems on all the acquired entities. "Every time you have a merger, you're at a crossroads. Do you go with theirs, or do you go with ours?" he says. At Party America, Williams went with his. It wasn't a question of which technology was better — both his Oracle-on-Linux environment and the acquired companies' AS/400 environments could do the job. It was a question of what skills his IT staff had. They knew the Oracle-on-Linux environment. Williams is also reducing the number of broadband providers to his stores to make vendor management and support easier. It's not just companies dealing with mergers and acquisitions that can take advantage of platform reduction. For example, ADP's Bongiorno expects ADP to save Rs 225 crore per year by consolidating 30 data centers into two by 2009. The company had been decentralized, with separate IT operations at each customer center. Centralizing the operations not only will reduce IT staff but also will allow higher utilization of equipment. "The biggest piece has been around getting more clients on a server," says Bongiorno. Doing so reduces labor, licensing and hardware costs.


Routinize the Routine The easiest way to save is to invest fewer resources in repetitive, predictable tasks, since labor is usually the largest cost in any IT organization (typically half the budget, says McKinsey's Kaplan). There are several ways to reduce that labor cost: automation, simplification and outsourcing. Often, companies employ a combination of these tactics. Outsourcing can save money, but not always. "A lot of companies don't know the cost of a service before they outsource it," says AMR's Gaughan, so they don't know if their actual costs have gone up or down. For outsourcing to be effective, "you need to think through the control issues up front so you have the ability to hold them accountable," says Böwe Bell & Howell's Ridge. "You need a higher degree of process management when you offshore," adds Kaplan. CIOs should approach outsourcing in a nuanced way. For example, Böwe Bell

vol/1 | I ssu E/19

Chargeback: and



should you charge business units for operations?


ne way to keep business units from forcing your operational costs to rise is to charge them for their share of those operations. this can rein in ever-increasing requests for technology deployments. For example, at united technologies, t “Everything is in the customer’s budget,” says CIo John doucette. Well, almost everything: of doucette’s approximately rs 900-crore It budget, rs 22.5 crore is considered general corporate overhead. “the businesses have to believe there’s value in what they’re getting. the only way to get that is for them to pay for it,” he says. other CIos think linking operations costs directly to specific deployments or business units is a bad idea. “I’m not a fan of chargebacks,” says Jim miller, CIo at thyssenkrupp Elevator. While business managers can understand why they might be charged for a data line, charging business units a share of basic It infrastructure “gets us into more arguments than its worth”, he says. If you do try to charge business units for their share of operational costs, be prepared to do some tough work, says dennis gaughan, research director for It governance at amr research. not only do you have to determine the costs per activity, you need to calculate its value to the business. “that’s not trivial,” he says. “you you have to earn a level of respect y with the business before you can even begin to do this level of analysis.” Even if you don’t charge back for operations, it does help to have an idea of those rough costs, notes alex Cullen, principal analyst for It management at Forrester research. “add a finance person to your staff to help you understand your costs and cost drivers,” he advises. that strategy works well for learning Company’s CIo John von v stein. “We don’t need to do allocation [to business units] because we have a good handle on the costs,” he says, thanks to a partnership with the finance department. — g.g.

& Howell found it cheaper to outsource desktop support and SAP hosting than to maintain its own staff and IT infrastructure for these tasks. But it manages its telecommunications systems because it doesn't want to take any risks with the customer data that telecom brings in, Ridge notes. ADP has hired cheap staff in India and Brazil to code its applications, while retaining the higher-skill project management and development staff in the United States, says CIO Bongiorno. And ThyssenKrupp saved by outsourcing its mainframe and AS/400 operations, but it also saved by firing its network management outsourcer and bringing those operations back inside the company.

On the technology front, CIOs are often pitched automation systems and virtualization as ways to gain labor efficiencies. Both are new technologies and thus tend to come from startup providers focusing on one aspect of IT, says AMR's Gaughan. At International Paper, "we work a lot on automation," says Mark Snyder, the senior manager for connectivity solutions. But some of that effort has involved developing its own monitoring tools to ensure they map to the company's specific processes. Virtualization technology saves labor by simplifying the provisioning of servers, making it a software operation rather than REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


Cover Story | Infrastructure

Companies often leave old applications running or use older hardware as hand-me-downs for non-critical use, such as archival storage or departmental file servers. That's a mistake, as it just adds more stuff to manage.

a hardware setup task. Virtualization also promises to use more of your existing server resources, reducing the need for additional hardware. It does that by treating the hardware as a pool of computation and storage. So if an application needs just half a server's capacity, the other half can be allocated to another application rather than sitting idle. But because virtualization is a new technology, it requires a more highly skilled staff to manage and can require additional overhead to maintain the load balancing, says Gaughan, adding, "That should decrease over time."


Shift to Cheaper Equipment and Services The rise of standards-based platforms has helped lower technology costs, and CIOs should take advantage of that. That's why, as part of his data center consolidation effort, ADP's Bongiorno is replacing expensive proprietary servers with cheaper standards-based ones. Similarly, when it was time for a technology refresh, ThyssenKrupp replaced its Cisco networking equipment with Adtran hardware because of a significant cost difference. And Crye Leike has shifted from installing dedicated T1 and DS3 data circuits at its new offices (it opens several each month on average) to using cheaper DSL connections secured through virtual private networks, says CIO Sodhi.


Only Pay for What you Use An easy way to save money, says AMR's Gaughan, is to know what you have. "Often, companies have more 32

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD


licenses than they need," he says, because they manage licenses manually and sometimes they lose track. "You won't get your [license] money back, but you might be able to stop paying for maintenance" on those unused licenses, he suggests. PharMerica's Toole even got rebates for some leased equipment after his inventory revealed he was paying for equipment he was not using. There are tools for asset management, but they tend to be fairly manual and lots of IT groups that use them still lose track. Providers include Absolute Software, Alloy Software, IBS, Computer Associates and Novell.

says Scott Everhart, the company's vice president of technology services.

THE BEST CUTTING ENABLES INNOVATION To reduce costs in a way that supports the business strategy requires aligning IT costs to the value of the services they provide, says Forrester's Cullen. "The solution to the CIO's problem is not something he buys from his vendor," he says. "People and processes are the big issues." The CIO should not expect to retain all the money he saves his organization, but routinely gaining efficiencies "builds credibility with the CFO, COO and the board," says The Options Clearing Corp.'s Von Stein. "So we get more latitude in getting a 'yes.'" At Crye Leike, CIO Sodhi has a seat at the management table, "so I have a say in how we will use some of the savings." By having management trust and continually demonstrating a commitment to efficiency, some CIOs get a discretionary innovation budget. PharMerica's Toole has such a budget, and so does ADP's Bongiorno, who gets to keep any savings beyond a set target. "The only way we're going to get more for IT is for us to find the savings," he says. And that's just fine with him. CIO


Broom that Closet Perhaps the most neglected costsavings opportunity is junking old equipment and software. Companies often leave old applications running or use older hardware as hand-me-downs for non-critical use, such as archival storage or departmental file servers. That's a mistake, as it just adds more stuff to manage, thereby driving up infrastructure and support costs. "Old stuff is evil," says United Technology's Doucette. "Every asset needs to have a set life." An added plus is that getting rid of old stuff makes room for new stuff. For example, The Options Clearing Corp. replaces its Solaris servers every three to five years with new models that have two or three times the previous capacity, typically for the same price. That strategy keeps the number of boxes to manage low, even as processing demands increase,

Galen Gruman is a San Francisco-based freelance writer. Send feedback on this feature to

Vol/1 | I SSUE/19

8/16/2006 7:48:12 PM

Recognizing the

Value of Change How does the top executive of a computer services company view his CIO? When an entire company is geared towards delivering value to the IT departments of customers in sectors such as finance, retail and manufacturing, heads of internal IT must have a head for such businesses.

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.


A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

View from the Top.indd 34

CIO: How do you see global trends affecting your business?


The cost of internal IT in most like-sized computer services firms are roughly the same, says Satyam’s chairman and MD Ramalinga Raju. “The difference will be in the value you extract from it.” CIOs or CTOs must ask their IT managers to “constantly re-invent themselves” to meet the changing needs of both their internal customers and the customers of the company itself.

P hoto by S rivatsa Sh an dilya

BY Harichandan Arakali

Ramalinga Raju: Satyam has built its business by capitalizing on global trends — from less than a million dollars in revenues when it went public in 1992 to well in excess of a billion dollars in the last financial year.


Ramalinga Raju, founder and chairman, Satyam Computer Services, says that as CIOs inevitably become linked closer to business strategy, their role as change agents will expand and they must find a seat in the top management.

Vol/1 | ISSUE/19

8/16/2006 5:03:54 PM

View from the Top

Ramalinga Raju expects I.T. to: To act as a business catalyst To re-invent itself and become more businessoriented Vol/1 | ISSUE/16

View from the Top.indd 35

REAL CIO WORLD | J U LY 1 , 2 0 0 6


8/16/2006 5:03:57 PM

View from the Top

There has been a twenty-fold increase in the global GDP over the last century (from $2 trillion to $41 trillion) and this increase can be attributed primarily to inventions and innovations that have taken place within that century. IT and the virtual delivery of services, in particular, have had a dramatic effect on the manner in which ‘value creation’ happens in this new world order. Perhaps, only disruptive technologies such as biotechnology and nano-technology can rival this in the current century of knowledge. The rate of change is accelerating while cycle times for delivering value are shrinking. IT is acting as a catalyst that transforms businesses. Naturally, we are applying the same technologies, tools and principles in the way we manage our own business as we do in delivering innovative solutions to our customers. Some global trends we are observing are: Accelerated growth in the global GDP (global GDP grew at 3.6 percent between 1990 and 2000, but grew much faster at 7 percent during 2000-2004); The proportion of services in the global economic pie increasing at about one percentage point a year (which is now at 71 per cent of global GDP); Global trade increasing at more than one percentage point a year ( which is now at 54 per cent of global GDP); And, the phenomenal growth of virtual delivery of services riding on the back of IT platform. For example, IT and BPO exports from India are estimated to exceed $60 billion by 2010 starting from a base of about $100 million in 1990 (a growth of more than 600 times). This last one is the most important from our perspective.

What would you like to see improved about IT, both within Satyam and in the industry? The global knowledge and technology base is far ahead of our current ability 36

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

View from the Top.indd 36

“The cost of IT in most organizations is about the same. But it's the value we extract that will determine how competitive we are.” — Ramalinga Raju

to leverage the same. While technologies are changing by the day, mindsets tend towards change by the generation. Change management seems to be at the center stage of every business activity. This is the case particularly when it comes to applications in IT. It is a much larger issue than the industry generally recognizes. It took almost 20 years before established global systems integrators recognized and accepted the value of global sourcing and offshoring, but not before seeing more than half-a-dozen competitors in India grow from almost nothing to market capitalizations of $5 billion to $20 billion. The principle challenge we face within Satyam is coping with high growth rates without compromising on delivering leading-edge solutions to our customers. The networked and distributed leadership environment that we have built thrives

on IT acting as a catalyst. We are constantly encouraging our colleagues in IT to understand and respond to the ever-changing requirements of internal customers, and the competencies we offer to our external customers. The cost of IT in most organizations is about the same. But the value we extract from it will determine how competitive we are.

What should CIOs tell management to boost the success of IT deployments? That they should measure themselves on the business outcomes they produce and not on effort or investment. They should regard every one of the internal processes and support functions as a full-fledged business. IT should provide a competitive edge to the organization by making every support function perform optimally. A lot of value has been accrued to Satyam on account of automating many processes through IT — it is the backbone on which more services are getting delivered virtually. CIOs should encourage their managers to constantly reinvent themselves to make their deployments more business-oriented and successful.

And how should CXOs view IT within their enterprises? CXOs should view IT as an investment that the organization makes to achieve superior returns for its shareholders and increased and enhanced offerings to its customers. Most CXOs are aware that the most important strategic assets of an organization are its soft assets. IT offers a great opportunity for enterprises to integrate these soft assets and capitalize on them. In that sense, IT is the glue, which connects the disparate entities of a company.

Vol/1 | ISSUE/19

8/16/2006 5:03:59 PM

View from the Top

It is also important to realize that the influence of IT goes beyond a company and affects the entire value chain. Though technology gifts us with enormous scope for innovation, we need to be sensitive to the fact that it also introduces standardization and commoditization fairly quickly. Each organization is unique with its own culture, processes and so on. CXOs ought to appreciate this fact and must play to their strengths to derive maximum business value from their IT investments.


Satyam Computer Services Offerings:

Consulting and IT services Sales from operations:

Do you see your CTO as an operations and support person or as a strategic person? Is this changing, and how?

Rs 4,634 crore (March 2006)

Clearly, technology is an important component Staff: of strategy for us, like most 26,511 other global corporations. Operation Spread: The distinction between Over 50 countries operations and strategy is Development getting increasingly blurred. centers: 20 The CTO’s role definitely calls for providing a strategic Customers: 468 companies perspective to our business, (including 149 but ‘operationalizing ’ Should CIOs be Fortune Global 500 strategies using technology and Fortune US 500 early adopters companies) is also a key result area of cutting-edge for our CTO. Our CTO technologies? is also the main change management agent within the There is no right or wrong approach to that decision. I would like organization. The strategic and operational to reiterate that the analysis needs to nature of the role will only be reinforced be at the level of asking what business with the increasing share of infrastructure benefit or competitive advantage the management services, BPO and engineering adoption of cutting-edge technologies design services in our business. can offer. The business value and the risks-rewards associated with choosing Should Indian companies to adopt or not should form the basis of manage their own IT or that decision.

outsource it?

Shouldn’t CIOs be part of top management? The CIO is an important change agent, especially since IT is closely linked to business strategy — and this is a phenomenon which will become more accentuated in times to come. This role calls for greater intimacy between the CIO and top management. CIOs ought to be part of top management. Such a move would allow organizations to make prudent IT decisions, and hence strategy.

Vol/1 | ISSUE/19

View from the Top.indd 37

Competition is forcing companies to continuously ask themselves some very tough questions. Some of these include: how can they continuously improve, how can they add more value, how can they continue to delight their investors and customers alike. If it appears that the answer to these questions lies in outsourcing tasks that aren’t at the heart of their business, then they should certainly do so. Improved service level agreements — more than cost reduction — should be the driving force for outsourcing. Companies

benefit because they manage what is core to their business and are able to manage risk in a smarter fashion. They also develop the competency of working with external vendors. At Satyam, we have very effectively managed to outsource some of our support tasks to a rural BPO initiative called GramIT. This has enabled us to achieve faster and better results. It doubles as a corporate social responsibility initiative by creating employment opportunities for the rural youth.

How should CIOs leverage outsourcing? The rapid growth and expansion of the IT services and BPO market has enabled CIOs to choose from a larger vendor pool than ever before. However, the trend is shifting towards vendor consolidation. This emphasizes on the adoption of lasting partnership models where benefits are accrued simultaneously to either parties. CIOs now realize that outsourcing is not a zero-sum game and hence look out for synergies when they choose partners.

Does Satyam actively pursue projects with large Indian corporates? Indian GDP has grown at a fast pace in the last 15 years and has doubled in this timeframe. The BRIC (Brazil, Russia, India and China) Report predicts that India will be one of the largest global economies in the not-too-distant future. Indian companies have started embracing IT to remain globally competitive. This has opened up a new world of opportunities for companies like Satyam. We are going after such opportunities in a very focused and aggressive manner. It is expected that our growth rate in this market will exceed the company’s overall growth rate. CIO Assistant editor Harichandan Arakali can be reached at

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 5:03:59 PM

Integration’S New Strategy Old concepts and new technologies have recently converged to generate a new strategy to improve IT responsiveness while reducing integration costs. It’s the integration layer, and it may put an end to all those complaints about IT’s slowness and inflexibility. BY CHRISTOPHER KOCH

Feature_New.indd 42

8/16/2006 5:18:29 PM


For years,

whenever Wisconsin state CIO Matt Miszewski tried to discuss systems integration with agency heads, he sensed a fog settling over the room. “You could see it in their eyes,” he says. “They tuned out.” Worse, when the fog cleared, it was replaced with anger. Difficulty with integration, Miszewski could tell they were thinking, was just another IT excuse for slowness, inflexibility and inability to give them what they wanted. And he couldn’t blame them. Technical limitations and time pressures often made integration a haphazard affair. Rushing to meet deadlines, developers cobbled together direct links (point-to-point integration) to share data and business logic among applications. While that kind of integration is quick and relatively simple, over time it has crippled the health and flexibility of most IT architectures by creating a cobweb of hundreds, even thousands, of brittle linkages that have to be torn apart and reassembled every time one of the applications changes. All those links, built over decades, have created a crisis that goes far beyond IT. The rise of the Internet has made businesses completely dependent on IT to add new capabilities. The foundations of those new capabilities often lie buried inside old systems that weren't designed to communicate with one another, let alone over a global network. Adapting those systems to communicate — that is, systems integration — can take so long that entire generations of business opportunities can grow old while IT fiddles with the wiring. Unable to explain the complexity of their problem, CIOs wind up on the defensive, with only the most patient, tech-savvy CEOs able to commiserate.

Vol/1 | ISSUE/19

Feature_New.indd 43

But markets don’t commiserate with anyone. They see only one speed: fast. Unsurprisingly, CEOs’ three primary complaints about IT — that it is too expensive, too slow and too inflexible — all lead back to integration. In short, the business is tired of waiting for IT to catch up with its demands. And so are CIOs.

How the Integration Layer can Untangle the Enterprise All this is hardly news. CIOs have been painfully aware of integration’s costs for years. What they’ve lacked is a unified strategy for dealing with those costs. But recently, some old concepts and some new technologies have converged to generate a new, winning strategy that promises to blow away the cobwebs and radically improve IT’s responsiveness (while also reducing integration costs). It is the integration layer, a virtual stratum in the architecture that is composed of two major pieces: messaging and services. The foundational piece — known as the messaging infrastructure — is like a good executive assistant, translating, routing and monitoring information from different systems without these systems needing to connect directly. Adding, changing or removing a system becomes a matter of modifying a single link, rather than ripping apart connections to all the different systems it may need to communicate with.

Reader ROI:

How messaging and services work together How to get developers to write service components Creating tight IT-business alignment

But while the messaging infrastructure makes connecting systems easier, it doesn’t free business processes from their mainframe prisons, or eliminate redundancies in applications, or provide any impetus to create a useful architecture. Indeed, a good messaging infrastructure can perpetuate the chaos by making it easier to deal with. Of course, not every company has redundant systems and processes. For them, messaging may be enough. But for most companies — especially big ones with dozens of different ERP systems all doing more or less the same things — messaging alone won’t create an effective integration layer. Messaging is an IT solution, not a business solution. It has long lacked a higher purpose, a strategy. Service objects (or just plain ‘services’) is that strategy, and it is the second core piece of the integration layer. The idea behind services is simple: technology should be expressed as a unit of business work—like ‘get credit’, and ‘find customer record’ — rather than as an arcane application such as ERP or CRM. This is an old concept, based on object-oriented programming from the 1980s. Services extract pieces of data and business logic from systems and databases around the company and bundle them together into chunks that are expressed in business terms.

Object Lessons in Services At telecom company Verizon, the service called ‘get CSR’ (get customer service record) is a complex jumble of software actions and data extractions that uses Verizon’s messaging infrastructure to access more than 25 systems in as many as four data centers across the country. Before building the ‘get CSR’ service, Verizon developers wanting to get at that critical lump of data had to build links to all 25 systems — adding REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 5:18:29 PM

Integration their own links on top of the web of links already hanging off the popular systems. But with the ‘get CSR’ service sitting in a central repository on Verizon’s intranet, those developers can now build a single link to the carefully crafted interface that wraps around the service using the Web service standard simple object access protocol (SOAP). Those 25 systems immediately line up and march, sending customer information to the new application and saving developers months, even years, of development time each time the service is used. Though the productivity savings for IT are huge, the strategic implications for Verizon are just as important. Create enough services and you can start to build a map of the business expressed in technology — a service-oriented architecture (SOA). The SOA is the blueprint that guides development of the integration layer and its two major components: messaging infrastructure and services. “When I said we have 18 slightly different versions of ‘credit check’ buried inside different applications in different agencies,” says Miszewski, “the agency heads could understand why having all those different versions was a problem, and they could support creating a single version that everyone could use.”

Toby Redshaw, Motorola’s vice president for corporate IT strategy, architecture and ebusiness, had a similar experience when he told his 80-year-old mother about IT’s central catalog of business services. “When I was done explaining it, she said: ‘Manufacturing broke its work up into pieces 200 years ago. What’s taken you so long?’” When your business has an integration layer containing services, “a change in business policy can be made quickly rather than opening up an application project,” explains Randy Heffner, vice president for Forrester Research. Integration becomes strategic, rather than an afterthought. Integration also becomes a lot cheaper (at least 30 percent cheaper, according to estimates by research company Gartner) and faster too, taking months off development cycles for new projects. Anecdotal evidence pegs the financial and productivity gains much higher. At Motorola, Redshaw says that in some cases, integration costs have been reduced by a factor of 10. Shadman Zafar, Verizon’s senior vice president for architecture and e-services, says that his catalog of services let him skip forming a project team for the development of a phoneline ordering process, because the services necessary to compose the process were already in place. “With point-to-point integration, we

Verizon Senior VP Shadman Zafar: "If developers feel pushed to the wall, they won't opt for the best possible design — just the best design to get the job done."


Feature_New.indd 44

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

would have had a central project team to write the overall integration, and local teams for each of the systems we needed to integrate with. With [the phone-line process], we had a single team that was focused almost entirely on end-to-end testing.” That saves time and resources, and improves the quality of new applications, because testing is no longer the last hurdle of an exhausting application development process; instead, it’s the focus. If you can do all this, CIOs will be waiting for the business to catch up — not the other way around.

The Need For Centralized Management Nothing in IT is simple, including the creation of an integration layer. The goal of the strategy is to minimize redundancy by having as few messaging infrastructures as possible and creating a single repository of services. Therefore, by definition, the integration layer demands centralized IT management. “Absolutely,” says Rick Sweeney, chief architect for Blue Cross and Blue Shield of Massachusetts. “There are probably a million ways to architect an integration layer, but you can’t have a thousand different ways inside your company.” For example, Verizon, though geographically dispersed, has a centralized business and IT model, so there was no conflict over the composition of the integration layer or the SOA strategy behind it. Indeed, the original impetus for Verizon’s strategy was to eliminate the redundancy of systems that resulted from its mergers and acquisitions of other telecom companies such as GTE and Nynex. That wasn’t easy. When Zafar’s team began picking over the remains of those systems in 2001, it combed through every button and drop-down menu in every application — roughly 2,900 in all — looking for shards of software functionality that might be incorporated into a service component. From the thousands of function points they found, the team isolated between 200 and 500 functions that are needed for the more than 90,000 business transactions (such as setting up a new landline account) that Verizon performs. Then, the team looked across the infrastructures and found five to 25 redundant versions of each function. Zafar says that gave

Vol/1 | ISSUE/19

8/16/2006 5:18:31 PM

him all the incentive he needed, and all the proof that Verizon CIO Shaygan Kheradpir and other company executives demanded, to approve the integration layer strategy.

The Trouble with Developers Surprisingly, a services strategy, despite its obvious advantages, may not be all that popular among developers. “Developers want everything to be easy,” says Clint Petty, a director in professional services for software and services vendor CommerceQuest. Services are not easy — at first. Extra work is required to create an interface, the part that describes what the service does in business and technical terms and how other systems access it. Good interfaces are like good friendships: easy on the surface with no hint of the relationship’s history of ups and downs. “A good service knows who it is, can describe itself to others and show who wants to connect to it,” says Jeff Gleason, director of IT strategies for the financial markets group of Transamerica Life Insurance and Annuity. “The essence of service-style integration is that the interface is intelligent and communicative.” Developers writing links to a good interface need only write the basic communication code that accesses it — a programming version of a handshake and a hello — and the service does the rest. The developer doesn’t need to know what the service is composed of, what computer language it is in, or even how it works — only what it does in business terms. But developers need incentives to build those interfaces. “Everybody is focused on getting a new application up and running now,” says Verizon’s Zafar. “And their primary focus is not on how they can continue to add value to other systems. If they feel pushed to the wall, they won’t opt for the best possible design — just the best design to get the job done.” Zafar first created a centralized development methodology and services repository to ensure that services and their interfaces were being developed consistently. He also does architectural reviews at the beginning of a project (to get developers to promise to use existing services and build

Vol/1 | ISSUE/19

Feature_New.indd 45

Integration Evolution The four stages of maturity.



A single, dedicated connection between two applications to exchange information, point-to-point is the traditional (and before the mid-1980s) integration method. It’s quick, easy and inexpensive. But as more connections and applications are added to the infrastructure, point-to-point becomes a cobweb of complexity and cost. If one of the applications in the web changes, all the links to other applications must be rewritten. When CFOs and CEOs complain about IT being slow, inflexible and expensive, they are talking about point-to-point integration.



A third party — usually proprietary middleware — is inserted into the infrastructure to broker and manage communications among applications. Applications link via the messaging infrastructure, rather than to each other, thereby reducing the need to rewrite links when applications change. The messaging infrastructure is often constructed as a central conduit, with applications feeding into it like airline flights into a hub city. But the hub can become a choke point. It usually requires a centralized, dedicated staff of specialists to construct and deconstruct links, robbing developers of the flexibility of point-to-point links. Improvements in middleware and Web services have reduced the need for every message to go through the hub. Using Web services, for example, developers can link applications directly again. But messaging remains a tactical solution to a strategic problem.



A concept that dates back to the development of object-oriented programming in the 1980s, the services strategy has enjoyed a renaissance with improvements in middleware and the arrival of Internet standards and Web services. The idea is simple: technology should be expressed as a chunk of a business process — ‘get credit’, or ‘find customer’, for example — rather than as an arcane application such as ERP. The service is often a composite of different applications and data, all hidden behind a complex interface built to make linking among services easy. By chunking data and business logic together into a piece of a critical business process, chances are that it will be used again and again, reducing development time. Developers regain the flexibility of point-to-point, but this time the links — ideally, constructed using Web services — are standard and can be more easily torn apart and rebuilt. Even better, the services approach comes with an SOA.


Business Configuration

Create enough services in the SOA repository and you can begin to represent the processes of the company in chunks of software. Changing a process no longer requires expensive rewrites of software and tearing apart convoluted integration links; one can combine and recombine services into new applications and workflows, often without the need for much more than mundane communication programming or, possibly, without the need of IT at all. Businesspeople can use a single screen to drag and drop services together into workflows. The integration logic is automatically generated to link the different pieces together. Integration goes from the primary IT inhibitor of business change to an ally. — C.K. REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 5:18:31 PM

Integration On the website where services are stored, Zafar ranks those that get the most reuse and puts the developers’ names beside them. The chances for stardom for individual developers are good, because Verizon also publishes some Web services to external partners. “It’s exactly like the open-source model,” says Zafar. “People take pride in seeing their code being reused by others.” But before developers outside the company will use services — and before business leaders will sign off on their use — they need some guarantees that the work done by others will not bring down their own applications and businesses. (This

new ones during the project) and at the end to see if the developers have met their promises. When Zafar began developing a services catalog (known in Verizon as the 'IT Workbench') in 2001, many did not. “We had to stop some projects,” he recalls. “People learned that they had to reuse the enterprise assets.” As the catalog has grown, more positive reinforcements have come into play. Though the development methodology is heavily centralized, Zafar says he encourages developers to submit refinements and best practices that, if they are good enough, are incorporated into the overall methodology.

How the Integration Layer Works Presentation Layer Applications from any business unit can use services designed to complete common requests, such as ‘look up customer record’.

integr ation layer

Service Layer The interface accesses the service ‘look up customer record’. The service consolidates the different slices of the application to carry out the service function. = Interface = Service

Messaging Layer A messaging layer collects and processes data from systems across the company. = Middleware

DatA Layer Data housed on servers or mainframes in multiple locations becomes easily accessible.


Feature_New.indd 46

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Lookup Customer Record

Lookup Customer Record

Lookup Customer Record

could happen, for example, when a service designed to handle 10,000 transactions a day is added to an application that runs 20,000.) Though a centralized development framework may not always be popular with developers, it certifies that all work is done in roughly the same way and to the same standards. To that, Zafar adds service-level guarantees, including transaction-handling capacity, transaction speed, hours that the service will be available and an agreedon price for using it. “Unless you have a framework for development and service and accounting agreements, no one will trust the service on a mission-critical application,” says Zafar. “This is why SOA is still a toy in many companies today.”

Is an Integration Layer Right for You? Given the potential roadblocks to moving to an SOA, it’s important to evaluate whether it should be a short- or long-term goal. Because a messaging infrastructure is necessary to support grander visions of services and an SOA, most companies begin there. Many may not need to go further. “SOA is being presented as the latest silver bullet,” says B. Lee Jones, CIO of Stratex Networks, a wireless telephone equipment manufacturer. “I still need to be convinced that the ubiquitous interface is something I need to have. I don’t look at it as a downside to have some redundancy in my applications, because my systems ain’t broke.” Jones has reduced integration costs and increased flexibility by using intelligent middleware and minimizing customizations in his packaged applications. Still, he says, “If I had a problem with integration, the promise of SOA is good. I’m willing to be convinced.” Larger organizations can find convincing evidence based on the number of integration cobwebs they have hanging off their major systems. “Count up the number of point-to-point connections to a particular system and you can predict what the most popular service will be,” says Wisconsin’s Miszewski. That’s how he chose his first service pilot. A function sitting inside one of the Department of Transportation’s systems that converts addresses into pinpoints on graphical maps looked like an old mirror in the attic, enveloped in dusty point-to-

Vol/1 | ISSUE/19

8/16/2006 5:18:31 PM

Integration point connections. At first the agency was fearful, concerned about not only the higher transaction loads on the system as it became available as a service but also the loss of ownership of the system itself — typical for organizations new to a services approach. But “once we developed two or three services, they got it,” says Miszewski. “Once you take the fear away, there is only cost savings and productivity improvement in front of them, and adoption becomes much easier.” Though services can save time and effort even when they are only small pieces in applications that are otherwise traditionally developed, the real long-term strategic payback comes when they become the backbone of an important cross-enterprise business process. At Verizon, the orderplacement process — at least the IT part of it — is now composed entirely of services, each representing a particular unit of work in the process. The process begins when the credit verification service qualifies the customer. The address verification service ensures that Verizon can provide telephone service at the customer’s address. Next, the reserve service retrieves and locks a new phone number. The activate line service makes the actual phone line go live. Finally, the start billing service begins the phone usage collection and billing process. (The line test service comes into play if the customer has trouble with the new line.) However, some work still requires people. In the ordering process, those boundaries between automated services and human interventions are often marked by event notifications. For example, if a customer tries to set up a new account but fails because Verizon doesn’t serve that area, Zafar has programmed an event into the system to notify customer service representatives when service becomes available.

The Final Steps Think of events as the referees of the business process. For example, events can be programmed to send an e-mail notification to a customer service representative (“that phone number is not available”) or to kick off a service-based unit of work (“find new phone number”). Like services, events are defined in business rather than technology terms.

Vol/1 | ISSUE/19

Feature_New.indd 47

The Problem With Web Services Can you trust your company’s critical transactions to a medium as unreliable as the Web? Some CIOs dream of kicking out their integration vendors and replacing their messaging infrastructures with free, standard Web services. That would eliminate the usual problems of incompatibility across different platforms, expensive software and vendor lock-in. But limitations still exist in the standards and the transport pipe that Web services use to communicate: the Web, or, more specifically, the HTTP transport protocol. Think about all the times you’ve attempted to access a website or send an email and failed — without any notification or explanation. That’s the problem. Partly because Web services standards have not yet been fully developed to ensure secure, reliable transactions and partly because the Web itself is inherently unreliable, CIOs have to look beyond Web services to guarantee that their service object workflows inside and outside the company will not break down. Vendors are filling the gaps in Web services standards with products that provide a stable messaging infrastructure and manage the services in an integration layer. Though the market is still fragmented into niches, it’s rapidly consolidating. And just as in enterprise software, vendors are assembling expensive integration suites that are not always easy to buy by the chunk — which can make initial investments expensive and difficult to justify. But for the foreseeable future, investments in proprietary middleware are necessary to build a reliable integration layer. — C. K.

If services represent what the business does, events define when those things should be done. Most enterprise business processes today have the smarts of a stump, says David Luckham, electrical engineering research professor emeritus at Stanford University and a pioneer in event-based programming. The true value of serviceoriented processes will be realized only when they can sense and respond to events that matter to the business. This kind of capability could begin to take off by 2007, predicts Gartner analyst Roy Schulte, when standards for what he calls complex event messaging begin to emerge. But the integration layer won’t truly be all grown up until it becomes a business responsibility rather than an IT responsibility. In theory, as the links between services and events become simpler and more descriptive, businesspeople should be able to take over the linking duties themselves by ‘dragging and dropping’ services they

see on a screen in order to create new processes or modify old ones. That model has already been introduced by business process management software vendors, but the packages aren’t yet capable of putting an entire SOA in the hands of businesspeople. When they are, the only remaining barrier to IT-business alignment—the sense among businesspeople that they cannot control their own destinies—will dissolve. It will take time, but the vision is there; and with the rise of Web services standards, CIOs can begin to construct that vision themselves, right now. CIO

Send feedback on this feature to

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


8/16/2006 5:18:31 PM

Govern Main.indd 48

8/16/2006 5:35:11 PM

PRO ROm mIsed

Land BY Gunjan Trivedi & Sunil Shah

Reader ROI:

Simple ways to safeguard a large database How to bring employees on your side in large e-deployments Where to look while plugging security leaks

Vol/1 | I ssu E/19

Govern Main.indd 49


nce a database of sorts, the ink-based thumb marks along the walls of the Department of Registration and Stamps’ offices in Karnataka are conspicuous by their absence today. Soon, few will recall how citizens who visited the department’s sub-registry offices left signs of their ordeal on the walls. All this has become a small part of the department’s legacy, thanks to the success of the Rs 1.2 crore Karnataka Valuation & e-Registration (Kaveri) initiative. If you were a bureaucrat in 2003-04, you wanted a Kaveri, one of the most high-profile e-governance projects in Karnataka. Its impact was tangible because Kaveri sought to make the process of getting government approval for land-related transactions more efficient. It would underline every land deal in Karnataka — buying, selling, leasing, mortgaging — that required the approval of the inspector general of registration (IGR) & commissioner of stamps of Karnataka.

Il lustrat Ion by MM sh anIt h

Until 2003, with the poor efficiency of Karnataka’s Department of Registration and Stamps, citizens chose less-than-legal means to buy, sell or mortgage land. With Project Kaveri, the department have given citizens ownership of their land in the true sense.

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6



Photo by sr IVatsa shandIlya

Investing in Data Security

the value of a property in order to pay less stamp duty — in return for a bribe. People who resorted to such means Much like the e-governance initiatives in other states, did not realize that in the long run, the false valuation Kaveri’s automated gateway has been designed to adversely affected property evaluation. exclude corrupt elements. In the process, the Centre for The C-DAC think-tank wanted to avoid the problem Development of Advanced Computing (C-DAC), which SNAPSHOT designed the software, also built a secure database — an KAVERI of corruption at the level of the data-entry person who also took photographs and thumb impressions. They area of paramount concern. “We haven’t had a security OffERINg: Computerizing stamp decided to lock the fields of a database after the operator lapses in three years,” says C. Krishnappa, IGR & fee processes confirmed the accuracy of the data with the applicant. Commissioner of Stamps (Karnataka), Bangalore. COST Of PROjECT: Only the IGR, or someone he authorizes, would have Says Zia Saquib, executive director, C-DAC (Mumbai): rs 1.2 crore the permission to make changes. “The discretion of the “Most database apps depend on the credibility of database TRANSACTIONS SRO has been removed. I can definitely say that Kaveri administrators. We gave administrators no authority SINCE 2003: has drastically reduced corruption. It still exists, but it’s to change the database. Our idea was simple: make it >18lakh been reduced drastically,” says Krishnappa. transparent, and build confidence among users.” REvENuE (2004-05):rs The Kaveri fillip at the SROs began during the Kaveri’s database has triggers built-in, which prevents 2,253.55 crore tenure of D. Satyamurty, the IGR in 2003. Though changes to the data. The moment an unauthorized DISTRICT OffICES: his predecessors had tried to computerize the system, update is attempted, the application logs the event 27 budget overruns, project delays and unsuccessful with information such as the user’s credentials like Sub-REgISTRAR integration software forced them to shut down the an IP address and a user name. “So, even a technicallyOffICES: initiatives. Satyamurty planned the overhaul under proficient person trying to change the records on the 203 a five-step program, which entailed business process database will trigger an event flag. This will lead to an DEPARTmENT STAff reengineering. To keep from being bogged down by investigation,” explains Saquib. 1,500 the numerous challenges along the way, including In the pre-Kaveri days, several sub-registrar offices staff members’ anxiety about their jobs, he kept two (SROs) led by dishonest officials asked citizens to leave objectives clear: automate the registration process a 100 percent and behind their original documents for further processing. The applicants deliver registered documents quickly. were then called a few weeks later to collect a receipt on plain paper — usually of no legal standing and often with altered identifying information, including plot numbers. Unsurprisingly, citizens who wanted to resell property didn’t possess the original deeds and met Any reengineering would directly affect a department with one of the with anger and frustration. Further, locating the floating sheets of highest citizen-to-government interactions. A failed project on a statepaper, replete with discrepancies of value and property boundaries, wide scale would have been a disaster. became an official nightmare. Fortunately for Satyamurty, C-DAC had created a similar system for The facility also provided enormous scope for the government of Maharashtra called Project Sarita. Customizing corrupt SRO officials to advise citizens to modify that to the environment in Karnataka meant developing a software solution after factoring in a different set of regulations and departmental workflow. In comparison, Sarita had been a simpler facility. “The hard part was creating software that followed the rule book,” says Bhojanaike, headquarter subregistrar at the Gandhinagar SRO in Bangalore. “These rules were made during the British era. They didn’t know we’d introduce computers,” he says. The Kaveri project envisioned an application that could define immovable property, search against its description, evaluate its value, calculate administrative and registration fees, help register relevant documents, and authorize the registered document. The department also introduced biometric devices to enable digital thumb prints. “The technology isn’t rocket science, but its impact at the grassroots levels is huge,” says Saquib. Taking the application to the people meant — C. Krishnappa, IGR & Commissioner implementing it across the 27 District Registrar of Stamps (Karnataka), Bangalore Offices (DROs) and 203 SROs. It was also important

Realty Bites

“The discretion of the SRO has been removed. Kaveri has drastically reduced corruption. It still exists, but it’s been reduced drastically.”

5 0 A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

Govern Main.indd 50

Vol/1 | I ssuE/19

to consolidate data, at the end of the day, with the core systems in the IGR’s office over dial-up connections. The project would work on public-private participation and a Build-Operate-Transfer (BOT) model. The department roped in ECIL (Electronics Corporation of India Limited) and CMS Computers to help implement it across towns and cities in the state. Another challenge was bringing over 1,500 department staffers on board. Krishnappa talks of the initial trepidation in the department. “It was a challenge convincing the staff of the benefits and getting them to understand that this wouldn’t get in their way,” he says. It required a process of ‘delearning’ and taking them into confidence. The problem of convincing employees, Krishnappa stresses, wasn’t as important as persuading citizens that the system was reliable. Part of the problem was that the general public didn’t expect efficiency from a government department. It says something of the size — Zia Saquib, of this problem that three years after the project was Executive director, C-DAC, Pune launched, the department still takes printouts of the certificates on stamp paper. This is despite bar-coded receipts with clear information. “It is a solid legal document. Nobody can mess with it,” says Saquib. The Rs 2-worth 60 percent from 2002-03. The increase in revenue comes despite the stamp paper, Bhojanaike says, is used to retain the familiar appearance reduction of stamp duties on conveyance by 2 percent and registration of documents and reassure applicants. fees by 1 percent, says Saquib. Citizens are getting used to the change. M. Seema, who wanted to The Kaveri experience has prodded the department to keep mortgage her property for a Rs 10-lakh loan, didn’t bat an eyelid when developing hi-tech tools. For instance, the property database of the she was asked to sit in front of a Web camera and use a biometric device Kaveri application, which contains maps of properties and plots across to take her thumb print at an SRO in Bangalore. the state, is largely populated with GIS feeds from a US satellite. The GIS solution deters fraudulent modifications to maps, and allows the exact location and coordinates of a property to be fed into the system, thereby plugging another opening for corrupt elements. The system If Kaveri has managed to take away years of anxiety among citizens, also shows up properties with disputes using historical records it has also made the Department of Registration and Stamps more maintained by the Archeological Survey of India. “Disputed plots efficient — and accountable. Computerizing the system allows the surface even before building starts. This saves people a lot of time, department to update information across the state, a far cry from when effort and money,” says Saquib. they used ledgers to track changes of land prices. Many innovative changes that were not initially part of the project Pre-Kaveri, ‘same-day registration’ was unheard of. “Returning blueprint have been added. The department has broadened its services original documents took years. Now, applicants walk out of SROs to include certificates for marriages, societies, partnership firms, with their documents within a half-hour,” says Saquib. Over 18 lakh personal wills, etcetera. documents have been registered through Kaveri since its launch. For now, the department is focusing on making registration possible The task of searching for documents, the first step of the transaction across jurisdictions. (Currently, land has to be registered at an SRO which used to take days, is now a matter of seconds. “A search for whose jurisdiction it is under.) “A property in Jayanagar (in Bangalore) property information and history used to be an impossible task. should be able to be registered in Yelahanka, says Krishnappa. Now, all you need is a plot number and up comes a clear record of There are also plans to integrate Kaveri’s data with other governing information, including the property owner, seller, date of sale, price, bodies, such as the income tax (I-T). The I-T department can analyze and whether the plot is being disputed,” says Saquib. registration data to figure out the spending trends on immovable With the back-office automated, it is now possible to generate properties of a segment of people and map it to their I-T returns. reports. Today, the officials in charge of DROs and SROs heading into “Kaveri has brought about a remarkable change for citizens. When a meeting with the inspector general of registration carry accurate and my father bought property, he faced a lot of challenges. Today, I do not,” up-to-date information of the day’s transactions. says Saquib. CIO Revolutionizing the way the department works has also made it one of the highest revenue-generating government agencies in Karnataka. Senior correspondent Gunjan Trivedi can be reached at The department’s revenue increased to Rs 2,253.55 crore in 2004-05, up Copy editor Sunil Shah can be reached at sunil

Photo by P hotoCorP

“The technology is not rocket science, but its impact at the grassroots levels is huge.”

The After Effect

Vol/1 | I ssu E/19

Govern Main.indd 51

REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6 5 1

8/16/2006 5:35:23 PM

Connect i the Dots In 1999, the State Crime Record Bureau (SCRB) in Karnataka — which is the repository of all data related to crime in the state — undertook a project to deploy a wide area network (WAN) across the state. S.K. Balaraman, DGIP of the bureau talks of how it entailed connecting 840 police stations, 234 circle offices, 118 sub-divisional police offices, 28 district police offices and the three commissionerates in Bangalore, Hubli-Dharwad and Mysore onto one network. B y K u n a l n . Ta l g e r i


Interview.indd 52

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD


he WAN project demanded a change in day-to-day work processes at police stations across Karnataka, as the personnel would now have to use a computerized interface to report crime. Towards this end, the deployment of the Crime Criminal Information System (CCIS), developed by the National Crime Record Bureau (NCRB), had begun as far back as the 1970s. But having

the infrastructure in place, which has involved an investment of Rs 45 crore, would have been futile unless it was going to be used effectively. Balaraman, who has overseen the process at SCRB since 2000, explains how that particular challenge was met — and why the WAN was seen as a model IT implementation at the 37th All India Police Science Congress in June.

Vol/1 | ISSUE/19

S.K. Balaraman, DGIP of Karnataka’s Crime Record Bureau, talks of how technology is clueing in the force in the fight against crime.

S.K. BALARAMAN: The process began in 1999. We identified three police constables to be trained from each police station across the state, which is a huge number: close to 6,000 personnel from the constabulary. The officers in the district headquarters were more familiar with the IT requirements as these offices had computers. We trained the constables in batches by organizing three-day sessions at the SCRB office and the training center of the Directorate of Information Technology in Bangalore. We also set up training centers at the district police offices (DPO), a railway police office and at the three commissionerates. These had the training accessories and

Vol/1 | ISSUE/19

Interview.indd 53

software installed, apart from a dedicated server and five thin-clients to train 10 persons at a time. How receptive were police personnel to the transition?

It is hard to generalize. For example, we have had cases of inspectors in parts of Karnataka who bring learnings even from their homes to the police station — they see how their children optimize their use of computers and discuss this at police stations. Such personnel have been keen to learn more about technology even after our training programs. The constabulary has also been very happy about the change. We now have to focus on how the midlevel officers adapt, learn and understand computers because that wasn’t part of their police training when they passed out. The

results are positive. In fact, we have now given training institutes like Karnataka Police Academy and police training schools the necessary infrastructure and software, so that computers become a part of the police training program itself. What sparked off the use of computers in police stations in rural areas? How did it start?

Over the years, we have had a wireless wing that also takes care of the teleprinter network to communicate messages from one control room to another. In December 2004, we were asked to start using the e-mail facility. It meant passing on the same messages at lower costs. We began by directing police stations to use the computer to report cases, just as they had been using typewriters. REAL CIO WORLD | A U G U S T 1 5 , 2 0 0 6


the state must have been a mindboggling process. When and how did SCRB begin the IT training program?

ImagIn g by b I nESh SrEEdharan

CIO: Training police personnel across

Photo by Sr IVatSa Sh an dIlya

t ing


8/16/2006 5:38:30 PM

Interview | S.K. Balaraman police stations in the these parts have to make an STD call to their district headquarters to hook onto the intranet. The challenge is how to connect the remote police stations with the taluk headquarters.

Coming to the WAN installation, hasn’t a 62 kbps leased-line link proved insufficient for such a large deployment?

Yes, the need for more bandwidth has gone up. As of now, we have a dial-up network that uses existing telephone lines at the police stations, circle offices and sub-divisional police offices. The network is used by all our control rooms, and to send messages like routine communications and daily police station reports to district headquarters. Most of this data (the average file is rarely more than 300 KB) are sent as text and photo attachments. So, we have problems, say, when we have a photo to be sent to all police stations. Currently, we are experimenting with higher bandwidth on a virtual private network. And we plan to scale it up when we deploy a comprehensive software program,

Tell us more about the CCIS, and how WAN is being used for data transfer?

With WAN, the exchange of information is more efficient.

Inter-district cases can be cracked that much faster.”

which will encompass all arms and functions of the police from law and order to motor transport and finance. This program is being developed by Wipro; it’s too early for me to give details about when it will be implemented. CIO: What were the challenges SCRB faced when it put forth the WAN proposal?

Our objective was to put a computer in each police station because it would help us in ensuring total connectivity. The idea was welcomed by the state technical advisory panel, and we got funding support from the modernization committee: a modernizationof-police grant from the Centre. From 2000 onwards, the investment in phases has been 54

Interview.indd 54

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

about Rs 45 crore. Implementation began in 2003. Each police station already had a phone. And the starting point was to connect all district headquarters between themselves. The infrastructure we put in place then was enough for transfer of small files. By then, each police station also had the NCRB’s Crime Criminal Information System (CCIS) software to register cases and the collation-collection of crime data. (The computerization program in Karnataka had started as far back as the 1970s.) We also started giving hardware in phases, before investing in training of personnel. Today, last-mile connectivity is our big challenge — we want to connect police stations in the most remote areas. Some

We have about 95 lakh records in the state’s servers on the back of Crime Criminal Information System. With the WAN, each district can now access and have its own records — we have a store-and-forward system, whereby the cases are recorded in the respective police station, and then forwarded. All records are registered on computers first, instead of being handwritten or typed. In the long run, we can access this data and also ensure that it’s not tampered. This data typically consists of (FIRs) first information reports, crime details forms, arrest/court surrender forms, charge sheet forms, court disposal forms, etcetera. To what extent are the benefits of technology visible?

Recently, all newspapers in Bangalore carried the photo of a wanted criminal. That picture had been digitally created by the SCRB’s portrait building system based on the inputs of the victim. It’s possible to do something like this at every police station throughout the state. And with the WAN in place, it’s easier to transmit such information with more efficiency and to more police stations at limited costs. Inter-district cases can be cracked that much faster. It has also made record verification possible across the entire state. We can also scan important documents to ensure they are not tampered with. CIO

Chief copy editor Kunal N. Talgeri can be reached at

Vol/1 | ISSUE/19

8/16/2006 5:38:42 PM


technology The intricacies of free and open-source software licenses require an honest conversation between you and your legal department.


Essentisl Tec.indd 56

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

From Inception to Implementation — I.T. That Matters

Dirty Code, Licenses and Open Source BY CHRISTOPHER LINDQUIST OPEN SOURCE | Karen Copenhaver, a partner at law firm Choate, Hall & Stewart, tells a story about running a seminar for a large company. The goal of the seminar was to make it clear that software developers had a responsibility to abide by their company’s guidelines surrounding the use of open-source, free and other third-party code. Copenhaver thought it went well. Then the development group’s manager came up to her and said, “You know, these fellows can’t get everything they need to get done every day, and worry about all of this stuff.” The manager’s words lie at the core of an issue that affects countless development departments around the globe. Faced with shrunken budgets, tight deadlines, the fear of jobs being shipped off to the lowest bidder and expanding demands for ever-more-complicated software, programmers are tempted to grab bits, pieces and even large bites of code from various third-party sources in order to get things done more quickly. The consequences of this (to be kind) borrowing can be anodyne; that is, no one ever notices the code, the product ships (either externally or internally),

Vol/1 | ISSUE/19

8/16/2006 5:44:51 PM

essential technology

and life goes on. Or the consequences can be catastrophic. Dirty code, according to intellectual property lawyers, has led to expensive delays during many mergers and acquisitions. And thanks to the efforts of a single programmer — Linux kernel contributor Harald Welte — at least 100 companies have been forced either to remove or release as open-source various pieces of GPL code that they borrowed without properly complying with the license. It doesn’t have to be this way. Companies can avoid problems resulting from the use of open-source code. Legal experts we spoke with offered numerous tips and tactics for maintaining the flexibility necessary to take advantage of this important tool in the software developer’s box while limiting the risk.

Assume You’ll Get Caught Copy some code, change the variables, tweak the white space... Who’ll ever know? Perhaps at one time, there wasn’t much chance that anyone would identify code that had been illicitly lifted from someone else’s

service, ProtexIP/OnDemand, has been downloaded by hundreds of companies and has been used in more than 140 merger and acquisition due diligence transactions totaling an estimated Rs 40,500 crore, according to the company. Searches for suspicious code are becoming de rigueur during the due diligence surrounding mergers and acquisitions. The culture surrounding open-source and free software has had an impact as well. Whistle-blowers have outed their employers over open-source code misuse. Some GPL violations have also been called to the attention of the world by interested users who notice suspiciously familiar behavior in commercial products. (For instance, network hardware maker Linksys, soon after its 2003 purchase by Cisco, was famously inspired to release the firmware to its WRT54G router when motivated users uncovered that pieces of the firmware were based on Linux.) Dedicated GPL defender Welte, who owns copyrights on pieces of the Linux firewall code, has used that copyright to encourage (or, through suits brought in German courts,

At least 100 companies have been forced either to remove — or release as open source — various pieces of GPL code that they borrowed without properly complying with the license. work. But times have changed. Sourcecode compliance tools from the likes of Black Duck and Palamida, which can scan millions of lines of code and compare them with huge databases of known software, allow companies to locate (and locate pretty quickly) previously created code — even if variable names and white space have been modified by the borrower. Black Duck’s client list has grown more than 300 percent during the past year and now includes 11 Fortune 500/Global 500 companies. Its hosted code assessment 58

Essentisl Tec.indd 58

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

force) more than 100 companies either to remove infringing code or release their corporate source code to the public. The companies involved range from smaller firms to corporate giants, such as Asus, Belkin, Fujitsu Siemens and others. Welte’s plans to create a non-profit organization in Germany to aggressively pursue such copyright infringement may help accelerate his efforts. “In our view, it is necessary to raise public awareness and to make cases public,” says Welte. But, he insists, “this is not a witch hunt or some kind of religious

Know Your (Open) Sources Just because a piece of code a developer downloaded off SourceForge says it is released under the Mozilla Public License doesn’t mean that all code wasn’t itself stolen from someplace else. In the Linksys router case, for instance, Linksys reportedly bought chips from Broadcom, which in turn received firmware from overseas third parties. This made it difficult to clearly define what Linksys should have known about its code. For that reason, experts say it’s worth trying to get the code you use from trusted sources. The people behind larger, more public opensource and free software projects often claim to be very careful about who they let contribute code and how thorough they are in determining the origins of that code. Some companies that deal in open-source code — including Red Hat and Hewlett-Packard — offer indemnification programs that could help protect your company, should the code you’re using be found to infringe on someone else’s intellectual property rights. — C.L

battle. It’s just making corporate users play by the rules when they have, for whatever reason, overlooked them.” Even given all this, the odds that you’ll get caught may still be slim. However, as open-source software finds its way into ever-more-critical systems inside your company, the risk to your company if you are caught has increased dramatically.

Talk to the Lawyers W  hat unusual patent provisions exist in the Mozilla Public License? H  ow far does the GPL go to protect derivative works? Heck, what is a derivative work?

Vol/1 | ISSUE/19

8/16/2006 5:44:51 PM

essential technology

Like it or not, attorneys — not developers — are in the best position to answer questions like these, particularly as they pertain to your business or to your approach to using open-source software. Getting your legal department involved early is the best way to ensure against running into problems in the future. The key is to make it clear up front that open source is a critical piece of your development plans, so that the legal folks will take that into account. It might seem easier to simply avoid the hard questions, but doing so only increases your risk. “It really is incumbent on CIOs and other IT managers to understand that this is a real issue,” warns Mark Radcliffe, a partner at DLA Piper Rudnick Gray Cary and chairman of a committee working to develop GPL 3. Just because you bring in the lawyers, however, doesn’t mean you’ll get decisive

on a simple prohibition,” says Radcliffe. “That’s not realistic.” Instead, he says, companies must establish rules. In his experience, those rules can vary dramatically. He knows of one “major Silicon Valley company”, for instance, that has a development agreement that refers to open source as ‘infectious software’. Others, he says, have developed entirely separate due diligence processes for dealing with open source during acquisitions. And he knows of one company that uses open source internally but prohibits it in products that it makes available to customers. The key is to give developers rules for when and how to integrate external code of any type into their projects. “What is very clear,” says Radcliffe, “is that if the people who are actually doing the coding

Developers need to be made aware of the consequences of not following the rules — not just for the company, but for themselves too. answers to all your licensing questions. Open-source case law isn’t a well-trodden path. “It would be easier to advise clients if there was more case law in the area,” admits Ira Heffan, an associate at Goodwin Procter who in 1997 wrote a law review article that argued that the GNU General Public License was enforceable. He notes, however, that there have been efforts to reach some consensus on open-source matters, including a so-called moot court held in early 2006 at the University of Washington that produced legal briefs and helped establish dialogues with some federal circuit judges on various open-source matters.

Create Ground Rules While meeting with your legal representation, it also will pay to establish some ground rules for opensource use. “Some people used to rely 60

Essentisl Tec.indd 60

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

don’t have direction and some type of enforcement mechanism, they’re going to pull whatever they can off the Internet whenever they can.”

Investigate Your Code While a few years ago a claim of ‘we didn’t know about this open-source stuff’ might have carried some weight in court or with a potential (and now unpleasantly surprised) merger partner, that’s no longer the case. Open-source products are mainstream now, not esoteric, and the responsible use of code has become a given. Consequently, legal experts say that it’s important for companies to have a process in place for carrying out investigations into the provenance of their code. Choate’s Copenhaver, who is also a counsel for Black Duck, says that companies should establish a schedule for

senior executives to be briefed on issues and possible remediation at a set time after the investigation is complete. The goal, she says, is to keep the company from feeling a need to react to incomplete findings. The process also should involve regular meetings with developers who are found to be using free or open-source code without properly following licenses, she says. These developers need to be made aware of the consequences of not following the rules — not just for the company, but for themselves too. “Anyone who’s had the experience of having just finished something only to have to take it all apart and re-QA it” will not want to repeat the experience, says Copenhaver. And to keep developers from feeling the need to grab code on the sly, management needs to help them. “The problem with the fellow who says, ‘These guys can’t get their job done and worry about all this,’ is that he hasn’t built a structure to support the developers so they can get their questions answered quickly,” says Copenhaver. Getting those answers, she asserts, will be a matter of building trust between the development and legal staffs. “What we really want to get to is an honest conversation. If what you’re saying is, ‘Just say no, we don’t use any of this [opensource] stuff,’ what you’re really saying is, ‘Don’t ask, don’t tell’. What you need to be saying instead is, ‘We can get an enormous amount of leverage and competitive advantage by making the best use possible of these available resources. But [we need to do] it fully understanding what our compliance obligations are’.” CIO

Endline: Send feedback on this feature to

Vol/1 | ISSUE/19

8/16/2006 5:44:51 PM


essential technology

Open Source isn’t an If, it’s a When Don't throw your hands up. Open source is here to stay and you ought to roll with it. Many of the open-source oppositions you have need re-looking into. BY BERNARD GOLDEN

| I had the opportunity to speak to many attendees at the Catalyst Conference recently (see the first part of my take on the conference in the July 15 issue). As I mentioned in that column, they work at large, mainstream companies: Pfizer, Hartford Insurance, and Cargill, to name just a few. Time and again, when I shared with them my involvement with open-source software, I got the exact same response: “I


doesn’t provide the same level of inadequate support that proprietary vendors deliver! I think the concern about open-source support is more a reflection of not having any experience with it. Certainly some aspects of it are different than the traditional support relationships organizations are used to. However, different is not the same as worse. (In fact, it was the quality of community support that first opened

They provide ‘one throat to choke’ for those who prefer that kind of arrangement. Finally you have the option of supporting yourself, since you have access to the source code of the product. While this probably isn’t a realistic option for most organizations — given their desire to focus on implementing, not creating software — it is available. In any case, it provides a fallback for companies that isn’t possible with traditional proprietary

The concern over open-source support is more a reflection of not having any experience with it. Some aspects are different from traditional support, but different is not worse. understand open source is good, but we need one throat to choke.” It’s striking that they all used the identical phrase — it’s almost like they’re programmed to respond with this objection. For them, there’s an assumption that open source can’t provide support equivalent to what they get from their proprietary vendors. One thing is clear, just from their phraseology: the expected relationship with a vendor is adversarial. When I’d ask people I was speaking with about how good their vendor support actually is, I mostly got grimaces. It’s obvious there’s a lot of dissatisfaction with the typical customer/ supplier interaction. So, the comment about wanting one throat to choke is ironic — people are complaining that open source 62

ET-Pundit.indd 62

A U G U S T 1 5 , 2 0 0 6 | REAL CIO WORLD

my eyes to the potential of open source; perhaps I can describe that situation in a future column). Certainly any organization should at least explore the issue of open source with some real world experience rather than just assuming it is inadequate. Some things to keep in mind: Community support (that is, support from other product users as well as the development team, delivered via email lists and forums) must work pretty well, considering how many organizations rely on it. Why not assess it instead of rejecting it out of hand? If you still feel that community support won’t work for you, many open-source products have one or more companies that offer commercial support arrangements.

software. I’ve lived through the “oh, yes, that bug is fixed — it’s in the next version.” Translation: mandatory upgrade if you want your problem solved. Worse, of course, is, “that’s a bug, but we aren’t planning to address it in the near future.” Admit it — you’ve lived through this kind of thing as well. My belief is that using open source isn’t an if, it’s a when. It’s fascinating to hear these objections to using open source; one can’t help but get a sense of Fin de Siecle (end of century) for the established software order. CIO (To be concluded) Bernard Golden is CEO of Navica, an open-source consultancy, and the author of Succeeding with

Open Source (Addision-Wesley, 2004). Send feedback to this column to

Vo l/1 | ISSUE/19

8/16/2006 12:06:04 PM

August 15 2006  

Technology, Business, Leadership

Read more
Read more
Similar to
Popular now
Just for you