Page 1

Alert_DEC2011.indd 18

11/17/2011 10:05:30 AM


From The ediTor

What drives a Cio’s agenda? Could his or her personal beliefs set the charter?

How Do You Set Your Agenda? Growth, cost and even personal beliefs can play a part.

Let’s take one question at a time. A recent McKinsey survey of CIOs in North America listed two things uppermost in their minds: migration to service-oriented architecture; and lean data centers. CIOs in India, I suspect, will have a wholly different agenda. SOA is still emerging, especially in India; and even though cheaper data centers are welcome, growth — rather than cost — is a more significant factor in India. Having said that, soaring salary levels — amid a shortage of qualified talent — are beginning to pose significant challenges. Recently, a Silicon Valley startup returned to its roots, citing the high cost of engineers in Bangalore. Riya’s founder, Munjal Shah, believes salaries in India for a top-flight engineer have hit a threshold, beyond which it is no longer attractive for American companies to outsource. This level, according to Shah, is 75 percent of the salary of an engineer in the United States. IT and ITES companies are already Should IT heads in all Indian eyeing lower-cost countries in order to companies have a plan to retain their advantage. While this has been manage labour costs? Or is it ongoing, it is likely to gain momentum. too early to worry over that? TCS, for example, recently opened a center in Mexico and plans to staff it with 5,000 engineers. Should IT heads in all Indian companies have a plan to manage labour costs? Or is it too early to worry over that? Are there more important things on your agenda? The second question I posed at the top is an intriguing one. Should a CIO carry his or her intellectual baggage to work? J.P. Rangaswami, the U.K.-based CIO at BT’s Global Services unit, appears to think so. “I have no problem saying I think it’s part of the job of a firm CIO…to make sure that you don’t create artificial pockets of power based on selfish motives of individuals exploiting information and not sharing it,” he told CIO in an interview you can read on page 48. He also expresses bold views on things such as open source, wiki, and use of e-mail, and writes a blog, ‘Confused of Calcutta’, the place of his birth. An economist, Rangaswami worked as a financial journalist before taking the technology position. During his stint at the investment bank Dresder Kleinwort, Rangaswami won a Best CIO award from a magazine. Clearly, he is accomplished and his views are important. He sure is an unconventional CIO, but is he right?

Bala Murali Krishna Executive Editor balamurali_k@cio.in Vol/2 | ISSUE/15

REAL CIO WORLD | j u n E 1 5 , 2 0 0 7




content JUNE 15 2007‑ | ‑Vol/2‑ | ‑issue/15

2 6 Enterprise Architecture

Executive Expectations

COVER STORy | I.t. on wheels| 26

VIEW FROM THE TOP |  34 N.R.K. Raman, CEO and managing director of i-Flex, believes that IT should stand head to head with business. If business is reviewed every quarter, so should IT.

P hoto by dr loh ia

Maruti Udyog embraced IT right at its inception. Over two decades later, it is embedded in its most critical processes, helping India's leading carmaker stay ahead of rivals, and race towards its goal of producing a million cars annually by 2010.

Cove r: Imagin g by Bin es h Sreedharan

I

Feature by Gunjan Trivedi

Interview by Kanika Goswami

Leadership The Harmonious Leader |  22 The key to becoming a better leader is to align your own values with what’s important to your organization. Column by Tom Murphy

Security THE RISK OF BEING Big Brother? |  38 Are you being asked to monitor employees as they use corporate IT? That’s a slippery slope, as litigation shows. Here’s how to do it right. Feature by Thomas Wailgum

more » 

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Content,Editorial,Colophone.indd2 2

Vol/2 | ISSUE/15

6/11/2007 6:16:55 PM


content

(cont.) dEpArTmEnTS Trendlines | 15 Web services | Bridge to Innovation security | How Safe Are Your Developers? Innovation | GPS Gives Weather Bots a New Ride Wireless | Streetlamps to Light up Network Web Applications | Adobe Takes on .Net, Java security | A Novel Approach Towards Anti-spam By the numbers | Walking the IT Strategy Talk Malware | Hack Contests Bad for Business Corporate security | What Data Breaches Can Do

Essential Technology | 56 IT Management | ITIL Goes Strategic

By Galen Gruman IT strategy | Shouldering Risk

By Christopher Koch

From the Editor | 1 How Do you y set y your Agenda? | Growth, cost and

even personal beliefs can play a part. By Bala Murali Krishna

Inbox | 14

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy It strategically. Go to www.cio.in

c o.in

Govern sTOP. READy. GO. | 52 The Bangalore Traffic Police is using IT to tackle a rampant problem. Feature by Kanika Goswami

Feature TRuTH & COnsEquEnCEs | 44 Into the truths of new research by Wharton professor Maurice Schweitzer. Feature by stephanie Overby

OnE VIsIOnARy’s TAKE | 48 Open Source, open e-mail and environments. J.P. Rangaswami, CIO of British Telecom, shares his views on corporate culture and free exchange of information. Feature by Diann Daniel 

j u n E 1 5 , 2 0 0 7 | REAL CIO WORLD

2 2


ADVISORY BOARD Manage ment

Publisher & editor N. Bringi Dev

COO Louis D’Mello Editorial Editor-IN-CHIEF Vijay Ramachandran

Executive Editor Bala Murali Krishna

Bureau Head - North Sanjay Gupta

Special Correspondents Balaji Narasimhan

Kanika Goswami Senior Correspondent Gunjan Trivedi

Abnash Singh

Advertiser Index Airtel

24A

Group CIO, Mphasis Alaganandan Balaraman Executive VP (IT & Corporate Development), Godfrey

APW

18 & 19

Phillips Alok Kumar

Avaya

4&5

Canon

IBC

Global Head-Internal IT, Tata Consultancy Services Anwer Bagdadi Senior VP & CTO, CFC International India Services

Chief COPY EDITOR Kunal N. Talgeri

SENIOR COPY EDITOR Sunil Shah

Arun Gupta Customer Care Associate & CTO, Shopper’s Stop

Emerson

3

D esign & Production

Creative Director Jayan K Narayanan

Designers Binesh Sreedharan

Vikas Kapoor; Anil V.K. Jinan K. Vijayan; Sani Mani

Arvind Tawde VP & CIO, Mahindra & Mahindra

President & CIO — IT Applications, Reliance Industries

Unnikrishnan A.V. Girish A.V. MM Shanith; Anil T PC Anoop; Jithesh C.C. Suresh Nair, Prasanth T.R

Photography Srivatsa Shandilya

Production T.K. Karunakaran

T.K. Jayadeep

Marketing and Sales P, Intl’ & Special Projects Naveen Chand Singh V VP Sales Sudhir Kamath brand Manager Alok Anand Marketing Siddharth Singh Bangalore Mahantesh Godi Santosh Malleswara Ashish Kumar, Kishore Venkat Delhi Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B; Muneet Pal Singh; Gaurav Mehta Mumbai Parul Singh, Chetan T. Rai, Rishi Kapoor Japan Tomoko Fujikawa USA Larry Arthur; Jo Ben-Atar

Singapore Michael Mullaney UK Shane Hannam

Events General Manager Rupesh Sreedharan Managers Ajay Adhikari, Chetan Acharya Pooja Chhabra

GE

IFC

Lenovo

BC

Ashish K. Chauhan

C. N. Ram Head–IT, HDFC Bank Chinar S. Deshpande

Microsoft

12 & 13

CIO, Pantaloon Retail Dr. Jai Menon

Tyco

9

Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures Manish Choksi Chief-Corporate Strategy & CIO, Asian Paints

Wipro

6&7

M.D. Agrawal CM–IT, Refineries, Bharat Petroleum Corporation Limited Rajeev Shirodkar VP-IT, Raymond Rajesh Uppal Chief GM IT & Distribution, Maruti Udyog Prof. R. T. Krishnan Professor, Corporate Strategy, IIM-Bangalore S. Gopalakrishnan President, CEO and Joint MD, Infosys Technologies Prof. S. Sadagopan Director, IIIT-Bangalore S. R. Balasubramnian Group CIO, ISG NovaSoft Satish Das CSO, Cognizant Technology Solutions Sivarama Krishnan

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited,

10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

Executive Director, PricewaterhouseCoopers Dr. Sridhar Mitta MD & CTO, e4e S.S. Mathur GM–IT, Centre for Railway Information Systems Sunil Mehta

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Sr. VP & Area Systems Director (Central Asia), JWT V. V. R. Babu

10

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Content,Editorial,Colophone.indd10 10

Group CIO, ITC Vol/2 | ISSUE/15

6/11/2007 6:17:06 PM


reader feedback

Work and life are both four-lettered words. It’s a fine balance; it keeps on shifting depending on your priorities. Is there a right mix? The answer varies depending on the time of the day and will never be the same across the CIO community or even for the same person all the time. Arun O. Gupt GuptA Customer care associate & CTO Shoppers Stop

Work-life Balance I read the editorial (Are You Working Tonight?, May 15, 2007) with some interest. The question you pose: How is the CIO’s role strategic if he’s in office at 8:30 AM and leaves at 2:30 AM, month after month? I know many CEOs and CFOs who are in the same boat. Does it mean that the strategic content of their role diminishes? You defined the symptom, not the root cause. In a world that is moving faster day by day, the demands on time are ever-increasing. Over the last seven-odd years, I have consciously shut my laptop everyday at 6:30 PM and have spent a handful of weekends at the workplace. Does it mean that work stops at 6:30 PM everyday? No, it indicates that work can be delegated and sometimes taken offline. Sometimes I prefer to take something home and work in solitude without the usual interruptions that manifest in an office environment. Organizations today demand outcomes and do not measure activity or time spent. Quite a few CIOs are unable to delegate accountability. Governance is still alien to evolving organizations and stress is a function of whether you can depend on your team and the business users. While I have not seen too many burnouts, quite a few have a feeling of frustration and insecurity. Mobile e-mail devices add to the connected nature of the job which could potentially keep you running 24x7. 14

Inbox.indd 14

j u n E 1 5 , 2 0 0 7 | REAL CIO WORLD

The matter that you write about (Are You Working Tonight?, May 15, 2007) is very serious, both for the CIO and the organization. The reasons, of course, are completely different. For the organization, it represents a confusion of roles — it needs to ask itself the question: do we need a CIO or a super IT project manager?’ If the answer is a CIO, then some serious role clarification is called for. The CIO needs to focus on business issues. Can it be done? Of course, it can. There are any number of people who don’t clock the overtime. CIOs can keep handling an increasing number of projects as they rise but will soon you reach the absolute limit. Another way is to hand work over to others, let them grow into your role and chart out a new one for yourself; this requires moving into unfamiliar territory. The hardest part of climbing a ladder is the realization that to reach higher, you have to step off the rung you are standing on. The organization benefits by a higher throughput of projects that can be sustained, as well as a more robust service delivery. What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.

editor@c o.in

Let others grow into your role and chart out a new one. The hardest part of climbing a ladder is realizing that to reach higher, you have to step off the rung you are standing on. If technology is truly critical to business, the CIO is responsible for educating management and getting adequate resources — in-house or outsourced. From an individual’s point of view, it is even more important to give this matter thought. The phrase work-life balance is an admission of a zero-sum game. To me, it represents a failure of imagination. In life there are only priorities and we owe it to everyone to take responsibility for sequencing those priorities. An overstressed CIO is a liability to both his or her family and the organization. My own views on the topic were substantially shaped by my first boss and Stephen Covey. The former pointed out that if I couldn’t get work done in an eighthour day, I was either over-committed or incompetent. The latter pointed out that the compass should over-rule the clock; what you choose to do is more important than hitting the schedule. That was in his book First Things First First, which I bought not having heard of Stephen Covey and simply on the basis of the title — it describes my state of mind at that time. AlAGAnAndAn BAlArAmAn Executive VP (IT & corporate development) Godfrey Phillips

Vol/2 | ISSUE/15


new

*

hot

*

unexpected

Bridge to Innovation While an enterprise can specify its terms and conditions, the IP of the idea remains with the original owner. Thereafter, the two parties can work within the mutually agreed-upon terms and conditions. For compensation, companies can announce a reward, with which the idea could become the property of the company, or the company could offer a licensing/royalty agreement if the innovator holds a patent. The site has received a good response, claims Aujla. “Currently, the site is being used by innovators to showcase their products,” he adds. For example, a Flexi PDA posted by Daniel Alexander has catapulted the innovator into the big league when it got him featured in Engadget and Gizmodo, among the most popular gadget blogs in the world. “Other innovators have also been contacted informally by interested buyers/ manufacturers through the site’s private messenger. We think that the corporate-innovator collaboration will take off once registered corporations are listed on the site,” says Aujla. May the best idea win! – Kanika Goswami

Illustrat ion by an i l t

W E B S E R V I C E S Is your enterprise caught in a debate on outsourcing innovation or keeping it inhouse? Here’s a middle path: a portal where enterprises can meet independent innovators. The portal is called ideawicket.com and it seeks to connect innovators with those in need of ideas. “Corporations can be active or passive participants on the website. They can choose to enlist themselves on Ideawicket, providing users with the option of sharing designs, innovations and ideas with the companies,” says Amar Aujla, head of the Delhi-based startup that took off in February this year. The portal has a precedent in OpenAd.net, which links freelance copywriters with the requirements of, say, ad agencies. Similarly, Ideawicket is free for innovators, but charges organizations for posting innovation requirements. The ‘companies module’, where corporations can register to post their needs, browse innovations and contact innovators, will be launched soon, says Aujla. For now, innovations can be posted under various heads, including automotive business services, creative works, industrial Internet, and so on.

How Safe Are your Developers? S E C U R I T Y How solidly does your development staff write its code? How can you judge the security skills of a potential developer you’d like to hire? A new testing process could help: amid growing Internet crime enabled in part by faulty programming, the SANS Institute will introduce a series of four exams for developers to test how well they can craft secure code. The exams will cover C/C++, Java/ J2SE, Perl/PHP and .Net/ASP, according to SANS, which runs a computer security training institute. A pilot exam program will start in August in Washington, D.C., and the

Vol/2 | ISSUE/15

Trendlines.indd 15

program will be extended worldwide by year’s end. The exams can identify gaps in a programmer’s training, then eventually enable developers to gain GIAC (Global Information Assurance Certification) Secure Software Programmer status through the GIAC program, part of SANS. The program arose from grassroots need: The IT industry has told SANS it doesn’t know how well its programmers write secure code, says Steven Crofts, director of vendor and media programs at SANS. “This is the first large-scale attempt to validate

if the people inside an organization know what they are doing,” Crofts says. According to Johannes Ullrich, chief technical officer of the Internet Storm Center, a part of SANS that monitors security vulnerabilities and the Internet’s health, Web applications, such as those used for e-commerce, are one area where programmers often need added training on the security implications of some programming language features.

– Jeremy Kirk

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

15

(Continued on Page 20) 6/11/2007

5:32:01 PM


tren d lines

GPS Gives

Weather Bots a New Ride

– By C.G. Lynch 16

Trendlines.indd 16

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Streetlamps to

Light Up Network

Researchers at Harvard University and BBN Technologies have designed an intriguing wireless network capable of reporting real-time sensor data across the entire city of Cambridge in Massachusetts. Scientists will initially use the CitySense network to monitor urban weather and pollution. The network could eventually provide better public wireless Internet access. The system solves a constraint on previous wireless networks — battery life — by mounting each node on a municipal streetlamp, where it draws power from city electricity. Researchers plan to install 100 sensors on streetlamps throughout Cambridge by 2011, using a grant from the National Science Foundation. Each node will include an embedded PC running the Linux OS, an 802.11 Wi-Fi interface and weather sensors, says Matt Welsh, assistant professor of computer science at Harvard. For the sensors, the streetlamp approach opens up a new range of uses — for example, performing long-term experiments like realtime environmental monitoring, correlating micro-climates with population health or tracking the spread of biochemical agents, according to BBN. A large challenge was how to design a network that allows remote nodes to communicate with the central servers at Harvard and BBN. CitySense will do that by letting each node form a mesh with its neighbors, exchanging data through multiple-hop links. This strategy allows a node to download software or upload sensor data to a distant server hub using a small radio with only a 1-kilometer range, Welsh says. People have built such networks on smaller scales before, but for private purposes, or to provide wireless Internet links in towns such as Madison, Wisconsin, and Champaign, Illinois, Welsh says. In contrast, CitySense will let academic researchers worldwide log on to the project website and submit their own research programs to run on the network. WIRELESS

Il lustratio n by MM S hanith

I N N O V A T I O N Warren Jackson, an engineering graduate student at the University of Pennsylvania, never cared all that much about the weather. Yet, when he scanned news reports about how the National Weather Service and independent researchers collected weather data, some facts didn’t make sense. For a long time, the weather service has collected most of its information using weather balloons that carry a device to measure items like pressure, wind and humidity. When the balloon reaches about 100,000 feet and pressure causes it to pop, the device falls and lands a substantial distance from its launch point. The National Weather Service and researchers sometimes look for the Rs 8,400 devices, but of the 80,000 sent up annually, they chalk up many as lost. Convinced there had to be a better way, Jackson began last summer designing a GPS-equipped robot that launches a parachute after the balloon pops, and brings the device back down to Earth, landing it at a pre-determined location set by the researchers. The parachute will be easily maneuverable. “It’s like a skydiver’s parachute,” Jackson says. The idea has so much promise that Penn’s Weiss Tech House — a university organization that encourages students to innovate and bring their ideas to market — awarded Jackson and some fellow graduate engineering students first prize in its third annual PennVention Contest, giving them Rs 2.1 lakh to further develop the idea. Jackson’s team and nine other finalists also got access to expert advice on prototyping, legal matters and branding. In its work to support young inventors, Weiss Tech House enjoys the support of faculty from across the university (including the Wharton School, and the law and engineering schools) and more than 100 industry leaders. Judges for the PennVention contest include the director of vendor relations for QVC. In three years, Weiss Tech House has helped students launch 14 businesses, including First Flavor and Humanistic Robotics. As for Jackson’s invention, he and his partners will do testing this summer before creating a production model and courting buyers.

– By Ben Ames Vol/2 | ISSUE/15

6/11/2007 5:32:03 PM


TRENdLINES

Adobe Takes on .Net,Java A P P L I CAT I O N S Adobe Systems has unveiled Apollo, an intriguing new runtime code project: it gives users an alternative for building Web-based applications that can also run on the desktop independent of a browser. Apollo lets rich Internet applications run offline, and it could threaten the popularity of programming platforms such as Java and Microsoft’s .Net, Adobe says. Apollo, like flash Player, is a runtime applet, but one in which applications built using standard Internet development technologies (such as HTMl, flash and Ajax) can run without a live Internet connection. WEB

Adobe seems to be taking a run at Microsoft, which has been ramping up its strategy to give developers tools to build Web apps. Microsoft has been trying to tie those applications to its Windows desktop oS and development environment. Adobe released an alpha version of Apollo on its Adobe labs site in March; developers can download this and a software development kit for free. look for a full release later this year, says Kevin lynch, senior vP and chief software l architect for Adobe. one example of Apollo in action: Consultancy EffectiveUI used Apollo to

build a desktop application for ebay that lets ebay’s auction site run on the desktop without being connected to the Internet or accessed through a browser. Notably, Web applications built with Apollo will automatically update to the Web any information that a user has added to the application while offline. As soon as the user reconnects to the Internet, the update proceeds, with no extra action required by the user.

– by Elizabeth Montalbano

S E C U R I T Y You know those pesky but necessary CAPTCHA boxes whose squiggly letters and digits you need to retype to make use of certain parts of sites such as Yahoo, Wikipedia and PayPal? A computer scientist from Carnegie Mellon is looking to replace many of those boxes with anti-spam boxes of his own for the purpose of helping to digitize and make searchable the text from books and other printed materials. To boot, the system could help companies better secure their Web sites. The idea is somewhat along the lines of projects like the famous SETI@Home grid supercomputer project for detecting signs of extra-terrestrial life from deep space. Organizers of SETI@ Home convinced computer users all over the world to allow their computers’ CPU cycles to be used to process information for the ET hunt when the systems weren’t otherwise being used. But in the case of Luis von Ahn’s project, he and his team are convincing organizations to replace the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) security boxes on their Web sites with what the assistant professor of computer science calls reCAPTCHA boxes. Instead of requiring visitors to retype random numbers and letters, they would retype text that otherwise is difficult for the optical character recognition systems to decipher when being used to digitize books and other printed materials. The translated text would then go toward the digitization of the printed material on behalf of the Internet Archive project.

vol/2 | ISSUE/15

Trendlines.indd 17

“I think it’s a brilliant idea — using the Internet to correct OCR mistakes,” said Brewster Kahle, director of the Internet Archive. “This is why having open collections in the public domain is important. People are working together to build a good, open system.” Von Ahn says it is estimated that people solve six crore-plus CAPTCHAs a day, amounting to 150,000 or more man hours of work that can be put to use for the digitization effort. His team is working with Intel to offer a Web-based service enabling Webmasters to adopt reCAPTCHAs to secure their sites. – By Team Network World

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

IllUST rATIoN by MM S HAN ITH

A Novel Approach To To ow ward ardss Ant Ant nti-sspam

17

6/11/2007 5:32:05 PM


BY MARgARET LOChER

boa o rds should Wa oa W lk the

TRENdLINES

I.T. STRATEgy ytalk

Are your board of directors spending enough time talking to you? I s there something you can do? | Corporate boards think IT’s importance has increased over the past few years — but they need to start taking action to prove it, says new research from Deloitte. Only 11 percent of boards discuss IT at every meeting according to Deloitte’s study, “The Board and Information Technology Strategies.” Twenty-two percent of the 455 respondents, all directors of companies with revenue of $1 billion (Rs 4,200 crore) or more, said that they blame IT strategy for the companies’ inability to achieve its goals. But they don’t plan to work toward improving the strategy: 52 percent said their board won’t spend any more time on IT over the next three years than it does now. Kenneth Porrello, a principal with Deloitte Consulting who directed the survey, says, “The thing that was most frequently cited as preventing boards from spending more time on IT was lack of time. Compliance matters have been a major factor in the increase of demands on boards.” Communication problems contribute to the divide: directors are not often receptive to CIOs because of lack of exposure, Porrello says. CEOs and CIOs need to determine whether their boards are spending enough quality time talking about IT, and if not, how they can make time to do so, he says. CIOs need to find opportunities to interact with their boards, to build a better understanding about what the board cares about, how the members communicate, what types of information they value and how they like to interact with management, Porrello says. “Build an understanding of the ‘personality’ and the culture of the board. Also, work with your CEO and other members of the management team to understand their longer-term plan and approach for working with the board so that you can mesh your efforts with theirs.” Aligning IT strategy with overall business goals is key. No matter how thin board members are stretched, they are passionate about wanting to contribute to strategy and business performance, Porrello says.

MANAgEMENT

Disconnect Between Wishes and Actions Directors say there’s room to improve business/It strategy alignment:

Best Practices

R

eview your board’s activity with the CEo. Take stock of the board’s past actions related to IT governance. figure out how IT issues have been addressed in the past. Ask how often the board discusses IT and how much time is allocated.

o

ffer suggestions for how the board can approach IT more effectively. Don’t complain that the board isn’t doing enough for IT — present ideas for how they can do more. Then you and your CEo can refine how the board engages in IT matters.

B

e as involved as possible and learn more about your directors personally. Keep the lines of communication open so you can develop working relationships and get things done.

We’re well- or very well-aligned: 66% Somewhat aligned: 27%

But too few boards get hands-on with It strategy:

Not at all aligned or no IT strategy: 2%

We’re completely and actively involved: 14% Somewhat involved: 69% Not at all involved: 16%

20

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

vol/2 ol/2 | ISSUE/15


TRENdLINES

Hack Contests

M A L W A R E A pair of Gartner analysts denounced a recent hack challenge that uncovered a QuickTime bug, calling it “a risky endeavor” and urging sponsors to reconsider such public contests. The research manager of TippingPoint, the company that paid rs. 4.5 lakh for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties. Dino Dai Zovi was the first to hack a Macbook Pro at a recent security conference. He took home the rs. 4.5 lakh prize offered by TippingPoint’s Zero Day Initiative, a bug bounty program that’s been in operation nearly two years. “Public vulnerability research and ‘hacking contests’ are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop remediation before public announcements,” said analysts rich Mogull and Greg y young in a Gartner research note. “vulnerability research is an extremely valuable endeavor for ensuring more secure IT. but, vulnerability research in a public venue... could potentially lead to mishandling or treating too lightly these vulnerabilities,” they added. “There are a lot of definitions of ‘responsible disclosure,’” retorted Terri forslof, TippingPoint’s manager of security research. “What it means is that the vulnerability and its exploit are kept quiet and the vendor’s given the time to patch the issue. The [CanSecWest]

organizers took great pains to secure the network that was actually used for the challenge," she added. Mogull and y young recommended that security vendors call an end to public contests. “Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users,” they concluded. Dai Zovi, who dug up the QuickTime bug and crafted an exploit in a 9- to 10-hour stretch, has said the money wasn’t his motivation. “The challenge, especially with the time constraint, was the real draw,” he said in an e-mail interview. “on the record, I think all vulnerabilities should be disclosed only through the vendor or through a responsible third party,” said forslof. f “but users were never at risk here.” — by Gregg Keizer

Data Breaches Co Cou uld Cost Yo You ur Job C O R P O R A T E S E C U R I T Y Most IT professionals feel their jobs would be on the line in the event of a security breach and at the same time feel ill-equipped to prevent such corporate or personal data loss, according to a survey released this week. Nearly three-quarters of more than 250 IT professionals polled said they are concerned they would lose their jobs in the aftermath of a major security breach at their company. About two-thirds of the IT professionals working at Fortune 100,000 or midsize companies also said the responsibility associated with such breaches affects them personally. And while 87 percent

vol/2 | ISSUE/15

of IT organizations surveyed said they are confident in their ability to deal with viruses, spam, spyware and malware, just 35 percent felt they could deal with corporate or personal data loss. “IT departments are working endlessly to minimize security issues. But even with the range of tools these organizations have invested in, there are security gaps,” says Diane Hagglund of King Research, which conducted the survey. “Few IT professionals, those from the mid-market sector in particular, feel equipped to deal with lost corporate or personal data.” About half of the polled IT professionals cited learning different applications

associated with systems and security management as the greatest challenge in trying to secure all devices on distributed networks. Close to 100 percent use antivirus software, more than 80 percent have anti-spyware software and automated patch management, and about 70 percent put automated software updates in place. Yet, fewer IT professionals reported having automated desktop configuration (50 percent) and end-node vulnerability (35 percent) scanning products in place. “Most don’t include end-node vulnerability scanning as part of their ongoing security strategies,” Hagglund says. —By Denise Dubie

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

21

IllUSTrATIoN by b INESH SrEED HA rA N

Bad fo f r Busine n ss ne


Tom Murphy

Leadership

The Harmonious Leader The key to becoming a better leader is to align your own values with what's important to your organization.

A

s IT leaders, we know we must be agents of change. Some of us have embraced this challenge more readily than others. The main reason we have struggled to meet this new expectation is that, for years CIOs were not valued for their leadership skills per se, but rather for the project management and technical skills necessary to meet the basic blocking and tackling of IT service delivery. Now we find ourselves setting strategy and creating competitive opportunities for our companies. What this means is that we can no longer lead through control of projects and resources, expecting our staff to do as we say. Rather, we have to demonstrate we are worthy of being followed. We need to be authentic. Authenticity of leadership is the first step toward building high-performance teams.

The Leader Makes the Culture

Il lusTraT Io n by unnIKrIsHn an aV

A high-performing IT organization has a culture that I call purposeful. This culture is characterized by: A clear, compelling purpose that drives decisions and ignites passion among employees. Shared values that serve as guidelines for delivering on the organization’s promise to its constituents. A work environment that encourages individuals to take ownership of the organization’s performance and its culture. The successful integration of performance with culture starts with the CIO. We establish our organization’s shared values. Then we live them. I have experienced how powerful an organization becomes when this is done well. But I have also been in situations 22

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Coloumn The Harmonious Leader.in22 22

Vol/2 | I ssuE/15


Tom Murphy

Leadership

where I have neglected to connect my goals with those of my team and my company. Early in my career, I had a management style best described as 'lightning rod'. I loved to be at the center of things. I relished being the person everyone called when they needed to get something done. This role was helpful in situations where I needed to create the appearance of cohesion in a team — for instance, when the business had a negative perception of IT. I was able to cut through roadblocks and force action. It made me look good. However, I failed to notice the negative impact of my management approach over time. During this period, my decisions reflected my own purposes. I left organizations regularly, seeking the next big thing. And I left my teams rudderless because I had not developed effectively the capabilities of everyone around me. Their business relationships suffered, and negative perceptions crept back when I left. I was continuing along this path of charismatic control when I became CIO of Royal Caribbean in April 1999. The next year, Terry Pearce, author of Leading Out Loud, urged me to rise above this tendency and become a more engaged leader. Pearce was conducting a workshop with my team. Before leaving, he pulled me aside and challenged me to give away my 'power'. I began developing shared values and attempting to create a purposeful culture. I committed to staying at least five years. I told my direct reports my plans and asked them to hold me accountable. Then came 9/11. A month later, I had to lay off 50 percent of my organization. And I became a believer in what I was espousing because I saw the benefits of the new leadership approach in action. I watched as the survivors sought refuge in our shared values, relying on their belief that these would not change even though everything else was changing. I understood then that my team was motivated not by my persona but by the common cause of restoring an organization they believed in. The team became stronger with a group of leaders united in our values and purpose. Although we planned to do nothing more than maintain the current IT environment for the next year, we ended up introducing some of the most advanced IT capabilities in our industry, such as a ship-side Internet café and online cruise bookings. We also benefited from the creation of a climate where my staff was not afraid to tell the truth. We used a process I call 'undiscussables', with ground rules for discussions about uncomfortable subjects. Initially, we had 64 undiscussables, ranging from whether DB2 or Oracle was the right future database platform to problems with vice presidents whose behavior was not aligned with our values. We addressed every item. Two years later, we didn’t need the process

because we had learned to address even the most difficult issues and keep moving ahead.

How to Live Your Values Here are three ways that you can improve your connection to your team and begin building a purposeful culture: Connect with your organization’s purpose and values. I look for the key element of the company’s strategy and attach IT to it so the team can see how their efforts enable the company’s success. Evaluate and align key IT practices so they promote enhanced performance, risk-taking and commitment.

Great leaders get people to work for a cause that is greater than any of them — and then for one another in service of that cause.

Vol/2 | I SSUE/15

Coloumn The Harmonious Leader.in23 23

We have continuous improvement teams, which look for opportunities to celebrate success, create recognition and reward programs, and streamline processes. We introduced 'No Meeting Thursdays' to allow managers time to spend with their teams. Model the organization’s purpose and values. I try to greet every person by name and express a sincere interest in what he is doing. At AmerisourceBergen we agreed as a team not to have a holiday party last year and instead donated time to a local food bank. When we promote someone, we highlight that person’s results and behaviors. We built our organization by hiring a lot of outsiders. As we started to promote from within, we proved that we were willing to work with people to grow internally. This, in conjunction with a clear career path grid, has made it easier for managers to match their staffs with projects that will help them achieve their career goals within the company. Bad leaders use control to get results. Good leaders get people to work for them. Great leaders get people to work for a cause that is greater than any of them — and then for one another in service of that cause. Engaging in a common purpose and executing that purpose according to shared principles enables your team to accomplish something no individual could do alone. This is what our role as IT leaders is all about. CIO

Tom Murphy is senior vice president and CIO with AmerisourceBergen. Send feedback on this column to editor@cio.in

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

23

6/11/2007 5:33:25 PM


Jerry Gregoire  

I.T. Organization Management

Should Innovation Stay In-house? After arguing for years that IT development is best kept in-house, our columnist decides that creativity has moved on and moved out.

F

Illust ration by an il t

or many years, I’ve used this forum and others to fret about the decline of IT as an engine of innovation and competitive differentiation. For those of us who love the job more than the title, love to design and code systems more than plan budgets and write performance reviews, it’s been painful watching hundreds of CIOs, transferred in from other departments, chop off bits and pieces of IT and throw them overboard. Sadly, most IT departments are now tasked with coordinating the installation of somebody else’s software and negotiating contracts with outside companies to keep systems running on networks that are being monitored by yet another collection of third parties. After years of arguing against outsourcing, I’ve come to realize that, because of the evolution of the marketplace, the availability of talent and, in particular, the current mind-set among corporate management, this point of view is now wrong. Or maybe I was just wrong all along. Let me give you an example. I read a poll recently that revealed that approximately one-third of Americans believe that they ought to stop wasting money on space exploration and use it to solve problems here on Earth, like housing for the poor. If you happen to agree, you should know that physicist Stephen Hawking disagrees, and he’s a lot smarter than you are. Professor Hawking thinks the inevitable world-ending consequences of a coming asteroid impact or supervolcano to be reason enough for the human race to get off this planet. Think Americans spend a lot of money on the space program? They don’t. The budget for the Mars Pathfinder Mission was Rs 675 crore. By comparison, Superman Returns (the movie) cost Rs 1,206 crore.

24

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Coloumn Should Innovation Stay I24 24

Vol/2 | I SSUE/15

6/11/2007 5:34:27 PM


Jerry Gregoire

I.T. Organization Management

A Fresh Approach Anyway, the years go by in this game of cosmic dodgeball, with the asteroids whizzing by our heads, and NASA can’t find the glue stick in its pencil box to keep the heat tiles from falling off the shuttle. Things are looking pretty bleak, and then along comes the X Prize and SpaceShipOne. In case you missed it, in October 2004, Scaled Composite’s SpaceShipOne vehicle was launched and flew to an altitude of 101 km, in essence matching the early Mercury launches. The spacecraft was designed and built by Burt Rutan with Rs 135 crore provided by Microsoft cofounder Paul Allen. Rutan and the team won the Rs 45 crore Ansari X Prize, which required the winner to take three people up to about 100 km two times within two weeks in the same reusable non-government-sponsored craft. This single event will be remembered as the birth of private manned spaceflight. The X Prize organization, seeing the benefit of re-invigorating a stagnant space program, was able to effect a radical breakthrough through outsourcing. Further, it was able to speed the delivery and effectiveness of the solution by making it a competition. Outsourcing the creative process. Neat! Now, close your eyes and try to imagine accomplishing this with the mighty power and resources of NASA. Getting a headache? Fun fact: It currently takes NASA about 16.5 hours to spend Rs 135 crore. This is not the only example of outsourcing as a means of circumventing bureaucracies in order to drive to a creative solution. In 2005, the Defense Advanced Research Projects Agency (DARPA) awarded Stanford University the Rs 9 crore Grand Challenge Prize for demonstrating conclusively that fully autonomous ground vehicles can travel long distances over difficult terrain at militarily relevant rates. In a competition that included more than 20 entrants, Stanford’s robot vehicle successfully completed a grueling 211-km course in less than seven hours. This was only the second year of the Grand Challenge competition. Government-funded research into semiautonomous vehicles has been going on since 1977.

The Truth About Innovation So, in case it wasn’t already painfully apparent, the US government needs stay out of the invention business. Not because they don't have smart, well-meaning people, but because the government is not wired for these kinds of efforts. Within its structure, creativity is unnecessary, and taking risks, even when successful, is not rewarded in the traditional sense. It is a world of deadlines over effectiveness, deliverables over solutions, motions over action, conformance over originality, and compliance over curiosity. And the painful truth is that all established, midsize to large organizations suffer, to some degree, from these same problems. Really talented, competent CIOs earn their money by shielding their organizations from this form of corporate calcification by chartering jobs, squirreling away development budget and

Vol/2 | I SSUE/15

Coloumn Should Innovation Stay I25 25

Outsource creative work. Maybe we could create a consortium of IT groups from noncompetitive companies to fund prizes and share results. finding ways to reward creative oddballs. But every year it gets harder to do this. Most IT shops have lost to (or never bothered resisting) the ERP wave, which significantly changed the talent profile within the departments and drove away creative types. Budgets continue to move in the wrong direction as a percentage of revenue, and money spent on new development, if there is any, comes with ROI expectations that have changed the riskreward profile to bland. It seems odd to me that so many IT departments have lost this battle. It’s a little like those who think we should not waste money on outer space. What do these people think the destiny of our species is? Is it to go out into the universe and gather answers to this puzzle or is it to just hang out here, driving our cars in circles, until the planet blows up? Likewise, in spite of the knowledge that all competitive advantage comes either directly or indirectly through the skillful application of information systems, how is it that so many CEOs have ceded their capability to the capriciousness of ERP vendors? You’ve got three ways you can go on this and, unfortunately for many of you, it’s going to require hard work. Your first choice is to hang in there and keep punching. Don’t give up your internal capability, get the budget to charter dangerous and rewarding projects, and get your HR department under control so you can recruit the right talent. Only a small percentage of CIOs are up to option one. The second choice is to find ways to outsource the creative work using a model not unlike the X Prize. There may even be a way to develop a consortium of IT groups across noncompetitive companies to fund the prizes and share in the results. The third, and probably the one I would choose, would be to quit your current job and start up one of those creative companies that would compete for those prizes. Outsourcing the creative work of IT shouldn’t seem all that radical or foreign to anyone. Companies outsource creative work all the time. Advertising, for example. Oh yeah, there’s a fourth option, of course. You can always do nothing. That’ll probably work out fine. CIO

Jerry Gregoire is the former CIO of Dell Computer and the beverage division of PepsiCo. Send feedback on this column to editor@cio.in

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

25

6/11/2007 5:34:28 PM


Reader ROI:

Keeping your systems in line with business growth How to make IT pervasive in enterprise The art of winning over business stakeholders

Maruti Udyog embraced IT right at its inception. Over two decades later, it is embedded in its most critical processes, helping India's leading carmaker stay ahead of rivals, and race towards its goal of producing a million cars annually by 2010.


ITon

Wheels Gunjan Trivedi

PHoTos by dr loHIa I ImagI ng by unnIKrIsHnan av


O

n any given day, hundreds of trucks bring thousands and thousands of packages to Maruti Udyog’s 297-acre facility in Gurgaon, and several hundred more leave with gleaming new cars. For many companies, this could be a logistics nightmare. But at Maruti, it is a slick operation. Everything happens inconspicuously — there are no long queues, frenzied honking or frustrated sighs. The reason: Maruti’s deployment of IT begins at the gate, and runs through its most critical processes. The moment a truck rolls in, its driver and his helpers unload dozens of crates carrying thousands of parts that go into Maruti’s range of cars. As soon as the crates are stacked at the receiving platform, a Maruti official uses a Wi-Fi-enabled barcode scanner to read information on the consignments. The data is updated wirelessly on the material management system. Within minutes, the entire consignment is scanned and the handheld scanner prints out a strip. The Maruti employee inserts the piece of paper into an ATM-like material receipt voucher (MRV) machine. The machine then prints a variety of data on the voucher, keeps one half for itself and spits out the other for the driver, completing the entire process of managing material in minutes. Considering that Maruti receives more than 18,000 consignments in a day, it would have sunk under a load of paperwork and serpentine queues of supply trucks if IT didn’t bring these operational efficiencies. “IT in Maruti essentially orchestrates the way business runs,” Rajesh Uppal, chief general manager-IT, proudly states. As the backbone for all operations in the Rs 14,653-crore auto company, IT enables the entire span of Maruti’s business — from maintaining a less-than-a-day inventory and manufacturing 7 lakh cars per year, to selling cars worth about Rs 66 crore in a single day!

DrIvIng skIlls

T

he extensive involvement of IT at Maruti begins with long-term forecasts of the number of cars to be manufactured. Accordingly, Maruti plans the import of 2 8 j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

components. This approach extends to medium-term forecasts, in which dealers give inputs on the number of units per model and color. The information amassed has implications at the production level, where workers know what needs to be done with, say, a car with the defined chassis number in the very next minute. IT binds all processes, by ensuring a seamless flow of real-time information across the organization. The cycle, from forecasting to production, is tightly integrated. For example, if a dealer forecasts that over the next 15 days, he would be buying 100 cars, the system processes a production plan with his forecast. It then gives him a delivery schedule stating that he will get, say, five cars of a particular color on the first day, a number of cars of the other color on the second day, and so on. Based on this information, the dealer concerned can arrange his finances as he now knows how many cars he will receive on a certain date. He picks up his consignment accordingly. At the manufacturing level, processes are expected to be adhered to with clockwork precision to meet defined deadlines. With over 6 lakh cars a year from three assembly lines in Gurgaon and 1 lakh from a plant in Manesar, the shop floors need to produce exactly to a plan. The shop floor functions with such high levels of precision and synchronicity that, if a car is in a paint-shop and its engine is being produced at another location within the plant, both functions culminate at the same time before arriving at a designated assembly line for production. IT also helps in putting the supplies in the very sequence they are going to be used on the assembly lines. “We make sure operators know of the plans that we make based on the forecasts — and produce cars in the same order,” says Uppal. “For instance, the weld-shop guy comes to know exactly where the welding needs to be done while the assembly line guy knows which components must go for a particular car in the order. All testing equipment interface with IT to ensure maintenance of consistency in terms of quality of product,” Uppal explains. To maintain the orchestration of the manufacturing plants, it is imperative for Maruti to have seamless conjunction with its suppliers, who effectively provide 75 to 80 percent of the components that the automobile giant

Vol/2 | ISSUE/15


Cover Story | Enterprise Architecture requires. Bear in mind that Maruti runs a 0.9-day inventory. “It is crucial for us to get the right kind of supplies at the right time. This kind of lean inventory is only possible if we plan our inventory at hourly levels,” Uppal says. The hourly inventory is planned based on the production sequence. So, if a car is going to arrive at the weld-shop at a certain time of the day, the component must reach the operator at the same time. This is achieved by asking the supplier concerned to supply the material an hour before the component deadline. “Through our online information portal, suppliers know every morning what they need to supply by 4 PM the next day. They update their supply schedules accordingly. As their consignment leaves for our plant, they update the details on our system,” Uppal explains. Maruti deployed its automated material receipt system in 1998 to initially manage a five-day inventory. After the introduction of a new process of daily orders, Uppal and his team tweaked the system to bring down the five-day inventory to a twoday one. Eventually, it was decided to have a less-than-a-day inventory. Since timeliness formed the essence of the lean inventory, Maruti undertook a process re-engineering exercise, and the material receipt system was also reworked to enable rescheduled supply on an hourly basis. The consignments were bar-coded and WiFi-enabled handhelds were deployed to manage the huge inflow of materials. The handhelds update the stock systems in real time as the consignment barcodes are read, and receipts are generated automatically from a material receipt voucher machine. With the help of such systems, one person can manage the entire material docking gate and issue a receipt for the supplier with complete information concering the nature of material, time of receipt, the person who receives it, etcetera, in no more than five seconds. “Earlier, for each consignment, we would take a minute to generate the receipt. Now, we generate 12 such receipts in the same time,” recalls Uppal.

InformaTIon hIghWay

i

n order to achieve efficiency and increased productivity, it is crucial for Maruti to possess an unobtrusive network that links all its core entities such as suppliers and

Vol/2 | ISSUE/15

dealers, besides maintaining real-time flow of business information. Maruti achieved this interconnectivity in the 1990s by leveraging the Internet and deploying an extensive extranet to reach its business partners. This information B2B access-point on the Internet allowed suppliers and dealers to access information pertaining to the production plan, supply status of components and vehicles, and status of payments. It also ensured seamless synergy between Maruti and its business partners. “Way back in 1995-96, I made a presentation at one of our dealer conferences on a technology called e-mail,” Uppal smiles. “I told them that e-mail will change the entire way

Every eight to ten years, we take stock of where we are and introduce changes in our IT systems accordingly.” — Rajesh Uppal

Chief general manager-IT, maruti udyog

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7 2 9

6/11/2007 5:28:31 PM


Cover Story | Enterprise Architecture dealership. The DMS is centrally hosted on a datacenter in Bangalore and takes care of customer interacting functions such as enquiry tracking, service and spares of cars. In times of the extranet, dealers worked on two applications. One was the extranet itself that helped them interface with Maruti for all order placements, enquiries, vehicle schedules, warranty claims, fund reconciliation, and so on. The other was a small application running on the dealers' PCs to manage their daily activities. With the individual PC-based application, details of cars remained isolated at the service station used. These applications have been pulled out from the dealers and integrated with Maruti’s ERP to bring all systems online. The DMS, presently running parallel to the extranet, reaches out to more than 500 of the 700-strong Maruti dealers. Developed in phases since 2003 with the help of Wipro, at a cost of Rs 22 crore, the system will cover the rest of the dealers over the next six months, and merge with the extranet completely. “A customer can walk in to any of our dealerships now, and it will have the history and details of his car, regardless of whether the car was serviced there in the past," says Uppal. "It is an application that helps dealers run their business and ultimately to offer our customers with utomakers keep the cash registers ringing not only by selling cars but also by selling uniform experience, as we want to present precious spare parts. Maruti Udyog’s revenues from sale of spare parts are so high a single face across our dealerships.” that the carmaker has deployed a state-of-the-art IT-driven program to manage it. Today, all customer touch-point “Managing an inventory of spares can be taxing in the absence of an accurate IT interfaces are enabled by IT. The whole solution,” says Rajesh Uppal, head of IT at Maruti. “Warehouse Management System process of demand management is (WMS) facilitates increased inventory turnover and faster turnaround time.” tightly integrated. Maruti captures The WMS is automated to such an extent that no one person knows which component information from the point of enquiry at is to be picked up by which customer at which city. All an operator needs to do is follow each dealer to find out which customer the instructions from the system and assemble the spare parts in a consignment for a asked for which color, model or subcustomer. Even the size of the box to be dispatched is chosen by the WMS. This fullyvariant. The enterprise then figures out automated process cuts down human intervention and minimizes errors. how many enquiries are coming in vis-à“once the system receives the request for supply, it decides the size of the box that is vis the enquiry-to-sales conversion ratio supposed to carry the material and which truck it needs to be loaded in,” says Uppal. and what needs to be done to generate A courier carrying a handheld device scans his first instruction barcode, where he is similar enquiries. asked to pick up a box of a particular size. once that box is scanned and placed in his trolley, The DMS also supports post-sales the courier gets his next pickup instruction, much like the cues one gets in a treasure hunt. processes, such as follow-ups after This goes on till his trolley contains all the required spare parts. If the operator errs and service, extended warranties, and so on. tries to scan the barcode of a product that does not conform to the system instruction, “We maintain report cards for each car. the WMS halts him — it does not give the next instruction. We have car-related data available on the once the box is full, a packing list is automatically generated and the box is dispatched basis of chassis numbers," says Uppal. "If for consolidation and packaging. The moment the consignment leaves the warehouse, you got your car serviced at Bangalore the system notifies the dealer. and later went to a Delhi service center, “The process of warehouse management for assembling spare parts and components the same report card will be available for the shop floor is similar. However, the boxes for shop floor are not packed as the shop with the dealer there,” he adds. To floor and the warehouse are in close proximity,” says Uppal. manage customer relations better, the — G.T. in which they interface with us. We helped dealers procure modems and taught them how to dial into the systems to send e-mails to us. From that level of handholding, the dealer and supplier community has come a long way. If I need to roll out a new module in the extranet today, all I need to do is send them an e-mail with a well-defined support document, and they start using it without any effort in terms of training,” he says. Maruti has now embarked on a journey called Dealer Management System (DMS) to roll out an ERP that is tightly integrated with Maruti’s ERP for its dealers to manage their

SpArE pArtS trACkEr

Il lUSTRAT Ion by A nIl T

A

3 0 j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Vol/2 | ISSUE/15


Cover Story | Enterprise Architecture DMS captures details such as the components that were last changed, the complaint, nature of the diagnostics, and customers’ feedback post service. The customer satisfaction levels with Maruti can be tracked across dealership points, call centers or on the website, says Uppal.

robusT ChassIs

T

he framework of Maruti’s ERP, hosted at the datacenter in its Gurgaon facility, supports its integrated production systems, planning applications, and the interconnectivity infrastructure such as the new DMS. Uppal believes that enterprise IT projects have a life span of 8 to 10 years. In this period, both the business requirements and the maturity of IT solutions to address those requirements change dramatically. “Hence, every 8 to 10 years, we take stock of where we are and introduce changes accordingly. In the past 20odd years, we have migrated our systems from one technology to another thrice,” says Uppal. Though IT in Maruti began with the Burroughs mainframes, the organization migrated in 1993 to Oracle apps deployed on the open systems of Tru64 Unix running on Digital servers. “While the strong platform based on Oracle ran our business well, it posed a problem we weren’t prepared to tackle," recalls Uppal. "Due to the high demand of Oracle-proficient resources in the market, our workforce working on the Oracle platform became one of the most sought-after Oracle resources by IT companies at the time. Attrition rates were so high that an average IT person did not last more than six months,” he explains. These high attrition rates forced Uppal and his team into a premature migration to ERP, which turned out be a huge mistake. Since Maruti was finding it difficult to sustain the Oraclebased enterprise application, the IT team thought a fullfledged ERP would be the panacea. Despite the process re-engineering that had been done less than a year before, the IT team decided to undertake another project to reverse to an ERP platform again. “It backfired on us,” rues Uppal. Within six months, the consultants announced that there was no business case for Maruti to opt for an ERP. The feasibility with respect to process re-engineering was not positive. Sustaining a mammoth migration to ERP looked impossible. The IT organization had to roll back to existing systems and declare the migration project a failure. Six years down the line, the car giant saw its third major technological churn. This time, Maruti re-engineered its processes and successfully migrated to ERP. “It was right time to re-look at ERP as our backbone and standardize the way to handle various business functions such as finance, sales and customer relations," says Uppal. "I have been on the

Vol/2 | ISSUE/15

management committee for the past 12 years, and have visibility of the medium- and long-term plans of the organization. Since we were moving away from being single-location and a one-plant company to a multiple-location organization, we decided to look at our IT strategy from a long-term perspective — hence, the centralized ERP environment.” Maruti Udyog was to go live on ERP on April 1, 2006. Eight months prior to that date, Uppal and his 50-member IT team, supported by an outsourced team of about 100 IT professionals, took on the challenge to roll out ERP. As the earlier initiative to deploy ERP had been considered an IT project, this time around, it was consciously decided that business would call the shots. A general manager of finance was roped in as project manager with IT supporting him on the technical end.

While the strong platform based on Oracle ran Maruti Udyog's business well, it posed

a problem: employee attrition.

In 1993, the workforce at Maruti on the new platform became one of the most soughtafter Oracle-resources by IT companies.

“This move ensured that ERP remained a business-driven initiative. With the MD’s office also actively driving the project to ensure that business users see through the project, the change management issue within the organization was taken care off,” says Uppal. Once the ERP framework was successfully laid out, the IT team took over and deployed the add-ons. “It was important for us to roll out an ERP because we wanted one instance, one session of an app from day one to support all businesses," says Uppal. "However, with the number of plants we have, we decided to ensure that we have one single instance of an app running. This would help us manage scalability and growth effectively.” Managing scalability is critical, especially for a manufacturing organization that is growing at more than 20 percent annually. It follows that network architecture — be it infrastructure, network or storage — is scalable, especially REAL CIO WORLD | j u n e 1 5 , 2 0 0 7 3 1

6/11/2007 5:28:32 PM


Cover Story | Enterprise Architecture

An IntEllIgEnt ShOp FlOOr T

he manufacturing sector cannot afford to compromise on precision — half-measures won't do. So it was with RFID (radio frequency identification) at Maruti Udyog. While the technology did not make economic sense at the supply-chain level, it had tremendous value on the shop floor. “I look for the best solution to solve a business problem in an area. In manufacturing, I found RFID to added value to the production process, and so my shops are run on that,” says Rajesh Uppal, CGM-IT at Maruti Udyog, as he holds a mirror to his shop floor, where RFID-enabled pallets carry products along the production line. Uppal has also made innovative use of RFID by literally twisting the robot’s arm in

the assembly line. Typically, the robotic arms on assembly lines are designed to carry out a particular set of repetitive tasks, and can swing one way or the other — not both. by adding a complex set of algorithms, Uppal’s team has coaxed the robotic arms to turn one way when working with a Zen unit, for example, and another way while assembling a WagonR. The RFID tag also helps to track down any quality issues at its root, enabling quick corrective measures. During production on a machine, instructions get 'read' from the RFID tag and the operations are performed. Results of the operation are then written on to the tag. The next machine checks the operations of

when the organization wants to reach a benchmark of producing more than a million cars per annum by 2010. Uppal and his team took a conscious decision that they would avoid a diverse application portfolio. The organization standardized the kind of technology would be used, and decided to stick with Oracle and .Net technologies. This ensured that they would not have a heterogeneous environment per se from an application perspective. “We chose long-term contracts with vendors to buy infrastructure at the right price and ensure that they would have a handle on integration issues in future. Such standardization helped us handle scalability,” asserts Uppal.

hIgher gear

T

hough the ERP is only a year old and the DMS is still being rolled out in phases, Uppal and his IT team are already on to their next project. The spotlight is now on deploying Knowledge Management (KM) at Maruti Udyog as users are increasingly demanding an established platform for effective knowledge dissemination. Implementing KM will be tougher and larger than the ERP project, says Uppal. Within the DMS, the organization will roll out a dealer-specific KM portal too. The concentrated efforts for knowledge-sharing through KM, Uppal feels, will help users and management to zero in on ways to make processes more efficient and increase productivity. 3 2 j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

the previous exercise. If everything is oK, it performs its own operation — and writes its own production parameters like temperature and tolerances, etcetera, which might be required to track it later, on the same tag. “When the product comes out, I get all the details from the RFID tag, which I keep in history for traceability,” says Uppal. “Tomorrow, if a product doesn’t behave properly in market, you can trace the problem back to the operation in question.” The RFID-enabled shop floor has been running successfully at the Manesar plant for the past six months. Uppal plans to use the technology at the plants in Gurgaon soon.

— Team CIo

Uppal is also experimenting with location-tracking of the trucks carrying cars across the nation to the dealers. More than 6,000 Maruti trucks of will be equipped with a GPS and a GSM device. The GPS will pinpoint the exact location of the truck, while the GSM device will broadcast its coordinates to headquarters, updating systems every 30 minutes. This feature will help both Maruti and dealers keep close tabs on the movement of trucks, giving dealers ample time to make arrangements to receive consignments. Despite a plethora of innovative IT solutions in place to bring in process efficiencies and increase productivity manifold, Uppal feels that Maruti still has a long way to go as far as leveraging business intelligence in its decisionmaking process. “We have achieved a basic level of analysis using BI tools at this point in time. We are not yet there as far as precise forecasting is concerned," says Uppal. "Nevertheless, we will continue our endeavor to attain maturity in this area as well as we had over a period of time in our value chain.” CIO

senior correspondent gunjanTrivedi can be reached at gunjan_t@cio.in

Vol/2 | ISSUE/15


Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM


Tapping

Internal Strengths You’ve spent 22 years with i-Flex. What was the turning point in terms of IT usage at i-Flex?

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

34

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

View from the Top.indd 34

N.R.K. Raman: There have been several high points in the past 20 odd years when we have used IT innovatively. In 1994-95, we pioneered the use of IT in CMM level 4 certifications. In fact, we were the only banking software solutions provider to get a CMM level 4 at that time

and the second company after Motorola to get a level 4 assessment. Subsequently, we had level 5 assessments. Today, there are many companies who have followed that model and been very successful. After that, we decided to automate the entire engineering process. Since we had global development centers, we wanted standardization across the organization. The internal tool we created was very effective for our software development. Later, we provided it to our

I

For N.R.K. Raman, the new CEO and MD of i-Flex, IT begins at home. In its stated mission to help financial institutions worldwide excel, i-Flex gives customers access to its own internal solutions. This reflects a culture where everyone is invited to contribute — as a result, the IT organization in i-Flex isn’t used to warming the benches. At every quarter’s business review, IT is called up to review the enterprise’s automation processes and how they impact business. Since it’s acquisition by Oracle in August 2005, i-Flex has been geared for change. Raman tells CIO India about how the financial services provider is leading Oracle into core banking solutions.

Imag ing by un nik rishnan av

BY Kanika Goswami

P hoto by Sr ivatsa Shandilya

N.R.K. Raman, CEO and managing director of i-Flex, believes that IT should stand head to head with business. If business is reviewed every quarter, so should IT.

Vol/2 | ISSUE/15

6/11/2007 5:36:13 PM


View from the Top

N.R.K. Raman, CEO & MD, i-Flex expects I.T. to: Contribute information to push forward new solutions Help customers by offering internal experience

Vol/1 | ISSUE/16

View from the Top.indd 35

REAL CIO WORLD | JU LY 1 , 2 0 0 6

35

6/11/2007 5:36:15 PM


View from the Top

customers, enabling their organization to benefit and improve overall software development process. This kind of early success encouraged a lot of us to focus on internal use of technology. Three years ago, when we were working on enterprise automation, we chose PeopleSoft as our backbone. Today, everything that we do — from recruitment to talent management, customer relationships, billing, financials, GAP accounting, reporting, consolidation, and interaction with customer — is on PeopleSoft.

How has the use of IT in BFSI changed in India, and what have driven these changes? The usage of IT in the BFSI segment has gone through several evolutionary phases. In the 1980s, it was used primarily for total branch automation process. A large number of companies invested in that and got some benefits. But there are limits to expanding beyond a certain number of branches. In the 1990s, when private sector banks like ICICI or HDFC started establishing roots in India, they used more modern platforms and implemented centralized core banking solutions with everything networked — branches, ATMs, etcetera. This opened up multiple service channels for their customers that, in turn, gave them a host of business opportunities. In the last five years, the entire scenario has changed. In my opinion, the products and services available in India today are better than even those in more advanced countries like the US or the UK. Banks are now poised to analyze business information to derive maximum value and competitive advantage. There is a mandate from the Reserve Bank of India (RBI) for banks to implement minimum requirements to adhere with risk and compliance norms. So, banks are investing in anti36

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

View from the Top.indd 36

How does IT usage at i-flex set it apart from others in the same area of expertise?

“In my opinion, the products and services for BFSI in India, today, are better than even those available in more advanced countries.” — N.R.K. Raman money laundering solutions, among others. Today, BFSI investments in IT are next only to telecom.

What motivates IT usage in your company? The primary drivers for us have been our intent to grow our business and use IT as an enabler. Using technology to innovate and then provide niche solutions to our customers is the key enabler of our growth. Since we have over 700 customers in about 145 countries, our systems, which run 24X7, are really critical. From our own IT infrastructure to support system and disaster recovery, everything plays a critical role in terms of managing and complying with rules and regulations. Even during our quarterly business reviews, we look at our entire enterprise automation and how it impacts our business. Clearly, we treat IT as a part of our performance.

What sets us apart, in addition to what I’ve said previously, is our rich repository, which is available to all our decision-makers, project managers and division heads. When we launch new products that are developed using the latest technological applications, we can always look into our knowledge repository, to check a list of dos-and-don’ts and answers to any problem. This gives us a huge step up in terms of usage of IT in our organization.

Should CIOs have a say in top management decisions, including marketing and distribution strategies? In charting marketing and distribution strategies at i-Flex, inputs concerning the market or the positioning of a particular solution are driven by specific product or division heads. The CIO contributes with business reviews, ideas and suggestions. While these are highly valued, what ultimately drives distribution strategies comes from division heads. However, during our business review meets, a lot of technical inputs as well as ways of doing business are studied. If we want to launch a training solution or an Internetbased brokering solution, we put together a huge amount of inputs on whether it can be sold in a licensed model or deployed using an ESP model. Here, the CIO plays a very critical role in contributing information.

What is the best approach for your CIO to justify a technology strategy for i-Flex? What convinces you? We have a two-three-year planning cycle when it comes to technology initiatives. We look at the growth of each business and the role of a CIO is to assimilate all this, find a time horizon — not just a short-term

Vol/2 | ISSUE/15

6/11/2007 5:36:18 PM


View from the Top

goal — and design an entire technology platform including network infrastructure, redundancies, etcetera. Then, we have a budgeting and approval process. The CIO really drives what is required and puts up a case for investing in certain technologies. At i-Flex, we don’t look at IT as a cost but as an investment for the future, with ROI spread over the next two or three years.

Can you cite an instance when your CIO’s ideas provided impetus to business? Our own experience in implementing various automation platforms and standardization processes has enabled us to bring the same experience to our customers. We implemented a full-fledged CRM solution, which we also offer to our customers. Our leads can also link it up with their transaction processing system, which is often on Flexcube (i-Flex’s banking solution). Another tangible is automating software engineering processes, based on which we have created a tool called Promotr (Process Monitoring and Tracking). Our lead assessors have configured them for our customers too. These are very tangible results that we have been able to derive out of whatever we’ve been able to invest in our own IT.

Mantas has been deployed at the Korea Exchange Bank. Does it have customers in India? Do you see a market for it here? Mantas is a specialized anti-money laundering solution that addresses the KYC (Know Your Customer) processes. It has a very powerful behavior detection platform and can address trading and broking compliance, among other requirements. It has been deployed primarily in North America and the UK, and we now have been able to bring it to our Asian customers. Recently, the RBI called for anti-money laundering processes. So, I

Vol/2 | ISSUE/15

View from the Top.indd 37

believe this solution does have a bright future in India. We are already among the leaders in India for risk management solutions.

Islamic banking is not a strong point with many banking solution providers. What kind of work has i-Flex done in this area?

SNAPSHOT

financial solutions and the BFSI segment.

i-Flex

Revenue:

Rs 2,007.6 crore* Employee strength:

9,068

Office locations:

N. America: 7 Europe: 5

Asia Pacific: 6 Middle East: 1

What positive effect has Oracle’s acquisition had on your brand value and what kind of integration challenges do you foresee?

Oracle is known as the leader in database technology, CIO: S. Hariharan, and now, with the PeopleSoft We have invested in inSenior VP and Siebel acquisitions, they depth research into the (infrastructure services) lead the ERP applications Shariat banking laws and space as well. Clearly, this the requirements for Shariat *(FY ended March 2007) has lent a huge amount of compliance. We have a visibility and access to banks complete, end-to-end solution that use ERP. We are able to for Islamic banking workflow, work closely with Oracle in addressing product configuration, profit attribution, and the needs of top-tier banks where size does all that. We’ve invested 70 man years in this matter. We are able to combine the might of solution, and there is an ongoing investment both i-Flex and Oracle to provide solutions in terms of addressing customer needs. to these banks. It is not very useful in India since Islamic The collaboration that we have, in banking needs Shariat laws and a legal terms of technology changes, also gives framework to support it. But, today, anybody us insights into new things happening on can avail of these products because it makes the technology front — especially in fusion economic sense — sometimes even better. We architecture where Oracle has taken so are looking at trends that have the HSBCs many leaps. We are aligning ourselves and Citibanks of the world aggressively to take advantage of all those technology launching Islamic Banking solutions, in innovations and bring in newer solutions addition to standard banking solutions. for our customers on this platform. As far as Oracle goes, its entire strategy What do you attribute for BFSI is being driven by i-Flex. Not only i-Flex’s rise to? has it invested a few billion dollars in i-Flex, they have also asked our chairman Rajesh When we set up the company, our mission Hukku to lead the BFSI business unit statement said that we would enable within Oracle to create a dominant position financial institutions worldwide to excel. in the BFSI space for Oracle. Clearly, this is Our single-minded focus on this has been affirmation of their strategy to use i-Flex’s beneficial. We create innovative solutions strength to lead them into BFSI. CIO and niche services like prime sourcing and consulting, which really give an edge to our customers. Our global exposure has also powered growth. This is one of the reasons Special correspondent Kanika Goswami can be reached why Oracle has chosen us to lead them into at kanika_g@cio.in. India: 5

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

37

6/11/2007 5:36:21 PM


The Risk of Becoming

Big

Brother By Thomas Wailgum

Are you being asked to monitor employees as they use corporate IT? That’s a slippery slope, as litigation shows. Here’s how to do it right. 38

Feature.indd 38

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Vol/2 | ISSUE/15

6/11/2007 7:27:05 PM


Vol/2 | ISSUE/15

Feature.indd 39

Reader ROI:

Policies for guarding against misuse of invasive technologies Explaining monitoring policies to employees How to define limits and minimize risks

Kilcoyne, along with a vice president of HR, called Riel into her office. She told him that he was being placed on administrative leave with full pay. Morgan Stanley security searched his office and eventually found more than 350 e-mails on his PC, emails of which Riel was neither the writer nor the intended recipient. On September 27, 2005, 13 months after being placed on leave, Riel was “terminated for gross misconduct,” says the Morgan Stanley spokesperson. Riel filed a Rs 42 crore whistle-blower Sarbanes-Oxley suit and a Rs 42 crore federal defamation suit against Morgan Stanley. In June 2006, the Department of Labor dismissed the whistle-blower suit and said it had found no cause to believe that Morgan Stanley had violated any part of the SarbanesOxley act. It also found that Morgan Stanley had “terminated other employees in the past for similar misconduct.” In February 2007, a federal judge dismissed seven of the eight complaints Riel had filed in his suit. (A small issue concerning compensation was uncontested.) In a statement, Morgan Stanley said that the dismissal of the seven complaints and the whistle-blower suit “further confirms that Arthur Riel’s allegations are without any legal or factual merit.” Today, in light of everything that transpired, Riel says he learned a lesson that all CIOs should heed: “It’s critical that IT departments determine a policy for who should have access to what.” During his time at Morgan Stanley, he claims, “there was no policy.” REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

39

6/11/2007 7:27:09 PM

Il lustrat ion by ANIL T

When he was hired by Morgan Stanley in 2000 and put in charge of the Rs 218,400crore financial company’s e-mail archiving system, gaining access to its most sensitive corporate communications, the company was already involved in litigation that involved its e-mail retention policies. That suit would end in a landmark 2005 judgment against the bank, which awarded Rs 6,594 crore in damages to financier Ronald Perelman. (In March 2007, Morgan Stanley won an appeal to Florida’s District Court of Appeal.) It was part of Riel’s Rs 2.1 crore a year job, he says, to make sure that would never happen again. To do that, Riel had what he calls “carte blanche to go through e-mail.” What he says he discovered reading company e-mails throughout 2003 were what he construed as dubious business ethics, potential conflicts of interest and sexual banter within Morgan Stanley’s executive ranks that, he says, ran contrary to the bank’s code of conduct. Based on his reading of executive emails, most notably CTO Guy Chiarello’s, Riel alleged that the e-mails showed the improper influence of Morgan Stanley’s Investment Banking division in how the IT department, with its multimillion-dollar budget, purchased technology products; the improper solicitation of tickets to New York Yankees–Boston Red Sox baseball games and other high-profile sporting events from vendors such as EMC; and the influencing, through one of Chiarello’s direct reports, of

the outcome of Computerworld magazine’s Smithsonian Leadership Award process, of which Morgan Stanley was a sponsor. (Computerworld is a CIO sister publication.) “I reported what was basically a kickback scheme going on in IT,” Riel says. E-mail exchanges that contained sexual banter and involved Riel’s boss, CIO Moira Kilcoyne, added to Riel’s conviction that something was wrong at the top. Believing, he says, that he was doing his duty, Riel claims to have sent hard copies of the offending e-mails to Stephen Crawford, Morgan Stanley’s then-CFO, on January 15, 2004, anonymously via interoffice mail. Riel’s superiors vigorously dispute his story. First, according to a Morgan Stanley spokesperson, the company asserts that Riel was never authorized to monitor, read or disseminate other employees’ e-mails “as he saw fit.” Second, the spokesperson denies that a package of e-mails was either sent to or received by Crawford. And third, after conducting an internal investigation, the company maintains that it found no evidence warranting disciplinary action against anyone identified by Riel. On August 18, 2004, moments after Riel’s BlackBerry service was shut off,

imaging an d Il lust rat ions by p c anoop

Arthur Riel says he was just doing his job.


Security

With PoWer Comes ResponsiBiliTy As the need to broaden access to systems and applications increases due to business and regulatory demands, so does the potential for malfeasance, whether it’s your network admin testing the corporate firewall on his own time and inadvertently leaving it open, a salesperson accessing a customer’s credit card information or a rogue help desk staffer hell-bent on sabotaging your CEO by reading his e-mail. Like good governments, IT departments need checks and balances, and they need to marry access with accountability. A December 2006 Computer Emergency

Readiness Team (CERT) study on insider threats found that a lack of physical and electronic access controls facilitates insider IT sabotage. The situation is even more critical now because new, widely deployed applications for identifying and monitoring employee behavior have thrust IT into what was formerly the domain of HR and legal departments. Tom Sanzone, CIO of Credit Suisse, says he works “hand in glove” with HR, legal, compliance and corporate auditors, and has formalized an IT risk function to ensure that all access policies are consistent and repeatable on a global scale. “Those relationships are very important,” he says.

yoU’VE got

TRo R uble If… Ro A 2006 study from carnegie mellon’s computer Emergency response team (cErt) center examined the psychological, technical, organizational and contextual factors that lead to insider sabotage. cErt made six critical observations about It staffers who attack their own organizations. So you could be in trouble if you’ve got:

1 2 3

Problem children. most saboteurs have personal problems (debt, alcoholism, anger and impulse control difficulties) that contribute to their malicious acts. Organizational disruption. In most cases, stressful events, including run-ins with the boss, reorganizations and organizational sanctions, precipitate insider It sabotage.

Bad attitudes. behaviors to worry about include tardiness, argumentativeness, poor job performance and security violations. these are often observed before and during insider It sabotage.

4

Insecure systems. before sabotage occurs, insiders often do things like create unauthorized backdoor accounts. that should put you on alert.

5

Dicey downloads. If you discover someone downloading password crackers, chances are, he’s going to use them.

6

Missing locks. Sabotage is facilitated by lack of controls for physical access (to rooms or buildings) and electronic access (to computing and network resources). – t.W.

40

Feature.indd 40

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Many CIOs have discovered that their new policing role presents the same challenges faced by the men and women who wear blue uniforms: if people can’t trust the police — or if something happens that damages that trust — then whom can they trust? (For how to repair trust once it’s compromised, see “Trtuh & Consequences" in the next story” ) “If IT does something that they shouldn’t, then the general employee thinks, I’m going to find a way to get around the monitoring because we can’t even trust the people in IT,” says David Zweig, an associate professor of organizational behavior at the University of Toronto at Scarborough. “It’s a cycle of increasing deviance, which, unfortunately, could create more monitoring.” At Network Services Company (NSC), a distributor in the paper and janitorial supply industry, CIO Paul Roche asserted control over how and when his IT department can access employee systems and, working with HR and legal, he has developed a policy for dealing with suspected employee infractions. For example, the IT policy states that IT personnel can’t start snooping around employees’ PCs without prior HR approval. “Employees know we’re not going to look the other way,” says Roche. Any CIO’s mettle — no matter how rocksolid his policy or relationships — will be tested when one of his own crosses the line and breaks the trust between users and the IT department. “The expectation has to be that if you’re going to give someone authority, at some point it will be misused,” says Khalid Kark, a senior security analyst at Forrester Research. “And who will guard the guards?”

Bad guys and do-goodeRs Despite Riel’s assertion that Morgan Stanley had no policy for which systems and e-mail accounts he could access, Morgan Stanley says Riel was never authorized to do what he did. (Morgan Stanley’s IT department was not made available for this article.)

Vol/2 | ISSUE/15


yoUr SEcUrIty

Toolbox o ox Enterprise monitoring and filtering. While the market for security applications that monitor and filter enterprise content is relatively new and small — around rs 252 crorein 2006 — gartner says it is growing. Here’s a sampling of some infosecurity products cIos are using today.

boundaries such as extranets. Securify says its “monitors” track all transactions to users to provide a view of “who” is accessing “what” applications and “where” in the network.

7 iPrism St. bernard Software claims iprism blocks Im and peer-to-peer traffic and blocks employees from visiting Urls that are phishing sites, contain threats to pcs or aren’t prohibited by enterprise usage policies.

Vontu claims that 7 is the first integrated, enterprise-class data loss prevention product that identifies “data at rest, data in motion and data at the endpoint” — meaning on servers, databases and pcs; e-mail, Im and Web; and removable media such as USbs, cds and ipods.

Metron

Vericept

etelemetry says metron tracks bandwidth usage, surfing and chatting. Its locate product passively maps people to the It infrastructure. together, etelemetry claims its “people-to-Ip” matching technology provides visibility into how each employee is using the infrastructure.

Vericept says its risk management platform gives enterprises visibility into all insider risk whether inadvertent or malicious. these include unauthorized access of confidential customer information; document leaks; unencrypted transmission of cardholder information; the posting of financial reports and source code; damaging blogs by insiders; intellectual property theft; and network and e-mail control. – t.W.

Securify Securify claims its appliance passively captures and analyzes traffic into and out of critical data centers and across corporate

Morgan Stanley isn’t alone in having to deal publicly with renegade IT employees. Wal-Mart disclosed last March that over a four-month period one of its systems technicians, Bruce Gabbard, had monitored and recorded telephone conversations between Wal-Mart public relations staffers and a New York Times reporter. “These recordings were not authorized by the company and were in direct violation of the established operational policy that forbids such activity without prior written approval from the legal department,” Wal-Mart said in a statement. In addition, Wal-Mart revealed that Gabbard had “intercepted text messages and pages, including communications that did not involve Wal-Mart associates,” which the company maintains “is not authorized by company policies under any circumstances.” Gabbard, who was fired,

Vol/2 | ISSUE/15

Feature.indd 41

claimed in an April Wall Street Journal article that his “spying activities were sanctioned by superiors.” Wal-Mart says that it has removed the recording equipment and related hardware from the system. “Any future use of this equipment will be under the direct supervision of the legal department,” Wal-Mart stated. In February, the Massachusetts Department of Industrial Accidents (DIA) disclosed that Francis Osborn, an IT contractor, had accessed and retrieved workers’ compensation claimants’ Social Security numbers from a DIA database. According to court documents, Osborn accessed 1,200 files and opened credit card accounts using three claimants’ information, charging thousands of dollars to those fraudulent accounts. In a statement, the DIA commissioner said the department was “conducting a thorough review of all

security procedures.” Osborn was fired, arrested and charged with identity fraud. Other incidents, however, are less egregiously criminal and therefore harder for CIOs to evaluate and handle. In February 2006, New Hampshire officials announced that they had discovered passwordcracking software (a program called Cain & Abel) planted on a state server. Cain & Abel potentially could have given hackers visibility into the state’s cache of credit card numbers used to conduct transactions with the division of motor vehicles, state liquor stores and the veterans home. Douglas Oliver, an IT employee who in one news report referred to himself as the state’s “chief technical hacker,” admitted to media outlets that he had installed the program, saying he was using it to test system security. He said he did so with state CIO Richard Bailey’s knowledge. (Bailey did REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

41


Security not respond to repeated requests for an interview.) Oliver was placed on paid leave during an investigation that involved the FBI and the US Department of Justice. On April 4, 2006, state officials announced that the Cain & Abel program had never been turned on and that it was “very unlikely” that any credit card information had been exposed. Oliver, who had never been named as the IT worker responsible for the incident, was invited to return to his job on April 25, 2006. A more highly publicized incident occurred at Sandia National Laboratories in New Mexico. After a series of hacks on the lab’s network in 2004, Shawn Carpenter, a Sandia network security analyst, launched his own investigation. He eventually linked the attacks to a Chinese cyber-espionage group and also discovered that US government documents had been stolen. He shared his findings with the Army Counterintelligence Group and the FBI. In response, Sandia fired Carpenter in January 2005 for, as reported in Computerworld, “inappropriate use of confidential information.” But in February 2007, a New Mexico jury awarded Carpenter Rs 18.06 crore in his wrongful termination suit and in the process transformed him from a rogue IT worker into a national hero. (Sandia is appealing the verdict.) The moral is that whether they’re dealing with a malcontent, a crook or a conscientious employee doing his job to the best of his abilities, CIOs need to be alert to risks and threats in their own backyard. (For signs that there could be trouble in your department, see “You've Got Trouble If...”) “It’s not the external hacker you need to worry about so much,” says John Halamka, CIO of CareGroup and Harvard Medical School. “It’s the internal employees who have legitimate access to the systems and can do most harm.”

The Sinful Six Since the dawn of the Internet age, IT has been aware that the Web is a Pandora’s box filled with tools that anyone with a PC, a network connection and a devious mind can employ to make mischief. But now regulations such as Sarbanes-Oxley, the Health Insurance Portability and 42

Feature.indd 42

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Accountability Act (HIPAA), GrammLeach-Bliley and Payment Card Industry (PCI) data security standards have focused the non-IT executive’s attention on what evils can lurk alongside the business benefits IT can provide. “Business management has become much more aware that IT risk is business risk,” says Richard Hunter, a vice president and expert on security and privacy with Gartner. Consequently, even companies in lightly regulated industries have begun to pay more attention to their liabilities and their user management policies. For employees everywhere, the message is (or should be) clear: “You don’t have privacy where corporate life is concerned,” Hunter says. And 'corporate security' will always trump 'user privacy'. This, in turn, has created a more authoritative role for IT departments as they monitor and dictate what employees can and can’t do with technology. A list has emerged in IT circles, 'The Sinful Six', describing the types of Internet sites that can’t be viewed at work: those containing pornography, anything promoting gambling, anything deemed tasteless, hate material, violence and illegal activities. Roche says visiting any of these sites, along with any kind of site that is a danger to PCs (exposing them to malware and spyware), is in direct violation of NSC’s HR policies. New technologies have also made it easier for IT to identify who and where the

According to one 2005 survey,

76 percent of the 526 companies surveyed said

they conduct some form of electronic monitoring.

violators are. According to the American Management Association’s 2005 electronic monitoring survey, 76 percent of the 526 companies surveyed said they conduct some form of electronic monitoring. In a recent paper written by the University of Toronto’s Zweig, it’s estimated that more than 40 million US employees are subject to some type of electronic performance monitoring, “such as counting keystrokes, listening in on phone calls, tracking e-mail and even video-based monitoring of availability.” (For a list of monitoring tools, see “Your Security Toolbox.” ) But even though a recent Harris Interactive study of US office workers found that most employees don’t let the knowledge that they’re being monitored interfere with their non-work use of the Internet (more than half of respondents said they send and receive personal messages on their work e-mail accounts), CIOs do not want to be thought of as IT cops. “You don’t want to be the bad guy who’s enforcing the policy,” says CareGroup CIO Halamka.

The ROI of Privacy In conversations with CIOs, Forrester’s Kark says he’s discovered that most companies “don’t want to put in draconian measures to say that [their company] is going to monitor everything, even though they have the right to do so.” In those companies that create cultures with more user-friendly privacy measures, Kark says that he’s found that there’s a higher level of trust among users and management. According to Zweig’s research, monitoring “continues to violate the basic psychological boundaries between the employer and employee — one that is predicated on some minimal level of privacy, autonomy and respect. Once this boundary has been violated, a host of negative implications are likely, ranging from dissatisfaction and stress to resistance and deviance.” Therefore, he says, it’s critical for a company that wants to engender a culture of collaboration and trust to make it perfectly clear to all employees both inside and outside IT, just what IT will and, more important, will not do. “It should be communicated to everyone in the organization that the IT department does not have carte blanche,” Zweig says. “It isn’t open season on people.”

Vol/2 | ISSUE/15

6/11/2007 7:27:14 PM


Security

hoW to monitor The moniToRs And that brings us back to the IT department — those entrusted with the access, know-how and a front-row seat on all the monitoring action. In organizations where there is 'open season' on employees’ digital wakes, CIOs and analysts say there’s usually an unregulated 'cowboy culture' within IT and, most likely, little trust and respect between management and users. In such companies, Kark says he finds that more IT employees have access to a system than is actually appropriate. At one company, for example, he determined that 32 employees (including the CIO) had access to a very sensitive area of the company’s systems when, in fact, only three people actually needed the access to do their jobs; the other 29 were superfluous and therefore potential risks. Kark calls that situation “typical.” Even though anyone with PC access can wreak havoc on your systems, research from a CERT Insider Threat study shows that technology sabotage almost always comes from within the IT ranks. In 49 incidents of IT-enabled sabotage examined, 86 percent of the perpetrators held technical positions, and 90 percent of them had been granted administrator or privileged system access when they were hired. “I worry about the trusted person,” says Credit Suisse’s Sanzone. “To run an organization like this you have many trusted individuals that have access to sensitive things as part of their job. Probably, your risk is as high or if not higher [with the trusted person] than with any other.” But taking some of that power and access away from IT employees can be a delicate procedure. In the CERT study, 92 percent of all of the insiders attacked their organizations following a negative event, such as a dispute with a boss, a demotion or a transfer. “The people who have privileged access enjoy the freedom to do whatever they want to do,” Kark says. “If you put in control where there was no control before, there’s going to be some resistance.” Network Services Company’s Roche was “somewhat seriously concerned” about that kind of resistance when he instituted a new policy for how his IT staffers would monitor employees’ computers. Each IT

Vol/2 | ISSUE/15

Feature.indd 43

arE yoU

ShIpShApe? Enterprise monitoring and filtering Before CIOs start worrying about other parts of the business, they need to make sure their own hatches are battened down. richard Hunter, a vice president and analyst on security and privacy with gartner, says that cIos should regularly run It security audits on the “practices and procedures related to It operations,” including checking on passwords, logging capabilities, reviewing how systems are monitored and other access control mechanisms. the audit needs to be an objective “examination of records by an impartial third party,” Hunter says. In addition to ensuring that he has appropriate checks and balances in his It group, John Halamka, cIo of caregroup and Harvard medical School, retains third brigade, a whitehat hacking company, to conduct periodic vulnerability assessments. besides providing a checkup on his security systems, third brigade can also tell Halamka what his It I staff could do to his systems, if they so chose. (Halamka says he’s never had to fire an It I person for abusing his It I access privileges.) “What I always say is, if you don’t think you have security problems, you haven’t looked hard enough,” says Halamka. – t.W.

staffer received a specific ID and password for tapping into systems for monitoring and 'running a report' on an employee. Each monitoring event could be initiated only by HR, and would be logged. Roche credits the time he took to explain why he was instituting the policy and why it was important for the fact that he didn’t get pushback. That, and the perception that “they wouldn’t want someone doing it to them.” Kark says there are three key things that CIOs need to make certain (and communicate to their staffs) when rolling out these types of policies. First, make it clear who in IT has ownership and responsibility for each part of the process when any type of event is triggered by the HR, legal, physical security or compliance departments. Second, there needs to be a decision tree for how IT employees will respond to each incident and investigation,

with a detailed analysis of different types of scenarios and the resulting procedures. And third, CIOs and their staffs should run simulations and tests on how the processes will play out when an event happens. For all of Riel’s claims of whistle-blowing, it was, ironically, one of Riel’s subordinates who followed the proper chain of command and blew the whistle on Riel. Despite Morgan Stanley’s insistence that its procedures functioned properly, a lot of things went wrong. Of course, a lot of things can go wrong anywhere, but accepting that inevitability, and planning for how to handle it, is the key to good security and a lot less anxiety for CIOs. “We do everything we can to stay on top of this,” says Sanzone. “But sure, I worry.” CIO Thomas Wailgum is a senior writer. Send feedback on this column to editor@cio.in

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

43


Truth By Stephanie Overby

Consequences

Trust is essential to day-to-day business — and so is deception. What happens when the two collide and trust is shattered? That’s the focus of new research by Wharton professor Maurice Schweitzer.

D

eception is an integral part of life. Unseemly as it may sound, everybody lies — often several times in a day. Little white lies, the sins of omission, outright deception. And none are necessarily bad things, says Maurice Schweitzer, associate professor of operations and information management at Wharton School, University of Pennsylvania. “Deception is more nuanced that you might initially suspect,” says Schweitzer, who specializes in behavioral decision research. “A lot of lies we tell are pro-social and help us get along with people better,” says Schweitzer. “Deception is extremely functional and very much a part of the fabric of our lives.” At the same time, trust is an essential element in all social relationships, including those at work. “Trust is the social glue of the economy. It’s the glue for any transaction,” says Reader ROI: Schweitzer. “You can’t contract for everything.” Why trust matters in Any CIO who’s ever shepherded a big project that came in late, over-budget or that business dealings simply underdelivered knows just how destructive a broken promise can be to trust How deception ruptures between IT and business. relationships Although trust is a core construct in management literature, the focus of much of How CIOs can rebuild lost trust that research has been detecting deception. Precious little examines what happens after 4 4 j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Feature - Truth.indd 44

Vol/2 | ISSUE/15

6/11/2007 6:21:14 PM


Feature - Truth.indd 45

Il lustration by ANIL T

To repair trust when deception is involved, “I’m sorry just isn’t good enough,” says Maurice Schweitzer, associate professor at the Wharton School of the University of Pennsylvania.

6/11/2007 6:21:19 PM


Security trust is broken. You spent a million more than expected on that SAP implementation that you swore would revolutionize the enterprise and the ROI is nowhere to be found. Now what? So Schweitzer, with Wharton colleagues John C. Hershey, professor of operations and information management, and Eric T. Bradlow, professor of marketing, conducted experiments between 2000 and 2004 to uncover what happens at the intersection of deception and trust. The bad news? Broken trust, when accompanied by deception, is harder to repair. A simple apology does little to reverse the damage. The good news? Trust is less fragile than most of us think. And a promise to change things followed by visible actions can work. Schweitzer talked to CIO about managing expectations, repairing broken trust and making promises you can’t keep. Why explore the issues at the intersection of trust, deception, apologies and promises? I teach a negotiations class, and deception is a chronic problem. A lot of lies we tell are pro-social: “That dress makes you look terrific!” “What a great haircut!” There’s a whole class of lies that help us get along in

liars. And also about the ethics of lying. But little on what happens once somebody lies. The common wisdom has been that trust, once broken, is impossible to repair. Trust recovery is slow or difficult. Or trust recovers, but never fully. People have always talked about trust as if it were glass: easy to break and difficult to repair. As I began to think about deception, that seemed wrong to me. With some relationships, you violate trust and the relationship ruptures completely. But in many settings, particularly the office, the relationship continues. And in many cases, trust gets repaired. You tested your theories with a money game. How did you set that up? We had to agree on a definition of trust. The meaning agreed upon was: a willingness to accept vulnerability based upon positive expectations about another’s behavior. To find out what happens when that trust is harmed, individuals were paired with each other in a trust game involving money. One player in each pair (the 'odd' player) was given Rs 252 in each round, which they could either keep or pass to the other person (the 'even' player). If the odd player kept the Rs 252, the round ended and the even player got nothing. If the odd player passed the Rs 252

“People have always talked about trust as if were glass: easy to break it and difficult to repair. That seemed wrong to me. In many cases, trust is repaired.”

a much more functional way. At the same time, trust is the glue that holds together any social relationship. If you look at deception literature, an enormous amount is focused on how to catch 4 6 j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Feature - Truth.indd 46

to the even player, it tripled to Rs 756 and the even player could decide how much to return to the odd player. Money gave participants something they actually cared about. They were trusting

this money to someone with the expectation that if they did, that money would grow and the other person would return some of it to them. Why would I loan money? You do that with the expectation that you’ll receive something positive going forward. We explored how trust is harmed by untrustworthy behavior and untrustworthy behavior accompanied by deceptive behavior, and how apologies, promises and trustworthy behavior affected trust. A key aspect of our experiment favored trust recovery. We didn’t let the relationship rupture. Players had to continue playing even when one acted in an untrustworthy manner. But relationships sometimes rupture. If your spouse violates your trust, you may separate. But if your boss does, you may just have to deal with it. What did you discover? We went in with a clear set of predictions that the assumption that trust is extraordinarily fragile is not right. And our results suggested it was not right. We found that trust could be restored when individuals observed a consistent series of trustworthy actions, like having money returned to them each round. Or when a promise was made to change: “I give you my word. I will always return Rs 380 every round, including the last one.” People were very receptive to that. We were surprised how quickly trust was restored. And in some cases, trust eventually recovered completely. The promise to change, however, only worked initially if it wasn’t accompanied by delivery on a promise. Trust recovered a bit but it never fully recovered. It leveled off after awhile as if the injured party had written that person off. When a person’s trust was violated — and that violation included deception — it was much more difficult to restore, even when followed by a series of trustworthy actions or promises. We didn’t anticipate just how harmful deception would be to trust. We also thought that an apology would be more effective in trust recovery than it was. The apology did little. Maybe the apology didn’t go far enough. Apology has to be perceived as sincere. It has to indicate remorse and a plan to change. An effective apology can be powerful. But “I’m sorry” just isn’t good enough.

Vol/2 | ISSUE/15

6/11/2007 6:21:26 PM


Security What can CIOs learn from this? Be very careful about making promises or commitments you can’t keep. Inevitably, there is going to be a time when — intentionally or unintentionally — you let people down. But you should recognize that, if a relationship doesn’t rupture completely, chances for rebuilding trust are very high. When it comes to CIOs, people may have inflated expectations of IT. Or there may be deadlines that they expect you to meet that you miss. There’s also something called a psychological contract. For example, an IT employee has a psychological contract with the CIO that involves unwritten expectations the worker has. Those are almost invariably violated because no one is sure of those expectations. Then there are things a CIO might never have promised — daily backups of data — but people assumed the IT department was doing. It’s impossible to manage every expectation. So, it’s important to figure out what you need to do to repair trust after a violation occurs. One of the most important lessons from the research is that words can be very powerful in repairing relationships, specifically in repairing trust. But for words to be powerful, they have to be credible. And for them to be credible, you can’t have lied to people in the past. In fact, you can’t have even over-promised in the past. If you’re a new CIO coming into a situation where there’s no trust in the IT department, it might serve you well to make a very specific promise about how things are going to change. A promise to change can be very effective. But you need to make sure that the actions you’re taking are clearly observed. Make sure that employees can see your staff coming in on Saturdays to get that project done. Have the IT staff interact more with the business so they know what’s going on. People are usually willing to give you a chance, but you have to work hard to follow through on the promises you make. Does context matter when trust is broken? A critical question for managers across industries involves the role of trust in their business and the nature of the violation. When Arthur Andersen committed accounting violations, the firm faced a serious

Vol/2 | ISSUE/15

Feature - Truth.indd 47

“A promise to change can be very effective. But you need to make sure that the actions you’re taking are clearly observed.”

threat to its business. They were selling a seal of approval. When that seal is less credible, it has less value. But when Martha Stewart commits an accounting violation, she has not fundamentally threatened her business because she is selling style advice. Advice about decorating is not related to her lying. The message of my research is that trust recovery can happen, but the receiver needs to believe the message and perceive that he hasn’t been lied to previously. Senior managers at HP or Enron would have needed to convince their audience that the untrustworthy act would not be repeated, and they would want others to observe their future behavior. This can take the form of voluntary decisions to 'open their books' or have auditors inspect their work. Greater transparency can be a big help. Understanding how trust works is key for executives — like CIOs — who work globally. Correct? Yes. One strength of the US economy is that most Americans are trusting. They trust its institutions. You can fly to Cincinnati, sign a contract, get back on the plane and assume the deal you signed is going to happen. In many developing economies, that’s not the case. Business becomes encumbered

by rituals that have been put in place to develop relationships. You can’t meet a total stranger and agree on a large transaction in a short period of time. China is the obvious example. If you’re doing business there, it’s essential to develop relationships and spend a lot of time going to banquets and making toasts and traveling to different events. The building block for business there is trust in the individual. American companies have a lot of trouble when they swap out managers there every few years or so and the new manager has to start all over to build that relationship and that trust. You’ve researched the effects of emotions on trust. What did you find? We looked at the influence of incidental emotions on trust. You get a speeding ticket just before a board meeting. Or you find out you got a promotion before meeting with a new vendor. We did extensive tests to find out how emotions influence trust judgments. We found out that they have a very big impact. When you go into that meeting with the new vendor, you’ll ask yourself, “Do I trust them?” And if you just don’t know, you’ll go to your emotions. “How do I feel? I feel pretty good.” You’ll make a positive trust judgment based on emotions unrelated to the actual situation. It’s important to take that into account when trying to earn or keep trust. That’s why a really good salesperson may tell a joke to try to affect someone’s emotion. If you encounter someone in an emotional state that might negatively influence their judgment, there are three strategies. Change the emotion: tell a joke or comment on the weather. Recognize the source of emotion: “I was really sorry to hear what happened to your house.” Or harness good emotions: “I heard your kid got into Stanford!” You have to be emotionally savvy. CIO

Send feedback on this interview to editor@cio.in

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7 4 7

6/11/2007 6:21:31 PM


Web 2.0 for the SuitS:

One

Visionary’s Take T Ta k ke By Diann Daniel

Feature - Web 2.0.indd 48


Web 2.0

open source, open e-mail and environments. british telecom’s Cio, JP rangaswami, gives his thoughts on corporate culture and the free exchange of information.

your typical CIO, but he is certainly an outspoken one. The current CIO of global services at British Telecom and former CIO of Dresder Kleinwort (named CIO of the Year by Waters Magazine in 2003) is passionate about IT, open source and Web 2.0. He writes in his blog Confused of Calcutta: “ever since I read The Cluetrain Manifesto, I have believed in the ‘markets are conversations’ theme” and his credo is required reading for any executive contemplating Web 2.0 and the future of information sharing. He shares his thoughts.

On the Enterprise’s Suspicion of Web 2.0 A superior order problem that affects a lot of Web 2.0 is that if people don’t want to share, they won’t share. No system in the world is going to force them to when they have a cultural bias against it. Web 2.0 is first and foremost about culture in that sense. Those are core values, and if people don’t get those values then you are met with, “This looks trivial. This is not work. Have you looked at the security implications?” All the usual objections to a Web 2.0 model.

On InformationControlling Cultures Sharing information does not demean your having it. Personally, I want to see the pockets of power based on behind-closed-doors alliances destroyed. And I have no problem saying I think it’s part of the job of a firm CIO and their policies to make sure that you don’t create artificial pockets of power based on selfish motives that exploit information. The people who do that haven’t understood the value of teaching, learning, and sharing information or the wisdom of crowds.

Vol/2 | i SSue /15

Feature - Web 2.0.indd 49

Why does open source work? Because given enough eyeballs, all bugs are shallow. Now the bug that may be shallow may be an information bug. So if you put the facts out, then a fact that you got wrong is more likely to be corrected if there are 1,000 people seeing it rather than 100 people seeing it. There is a self-correcting capacity when you have a large group of people seeing things, which is very, very powerful in a firm. The training costs for new hires and induction plans or programs is that much lower if you have the concept of transparent information in place.

On Enterprise Web 2.0 There may be a lot of hype about Web 2.0, but its use in the enterprise is still in the early-adopter phase. I talked with Andy McCaffee at Harvard [Business School] about this because he did five case studies of what we did at Dresdner Kleinwort to adopt Web 2.0 technologies in the enterprise. We asked who else is using these technologies aggressively, and we realized that there’s pockets of experimentation but widespread usage is rare. One of the reasons I joined BT is because the use of collaborative tools is already widespread, and therefore I’m not pushing water uphill or pushing against a closed door. When I negotiated my job, they said, 'Of course you can keep your blog going, just make it clear what’s your personal opinion and what’s your professional opinion.' Staff read my blog, and I freely discuss things that are challenging me at work. I don’t think people realize the blog is like a conversation at the dinner table or lunch table. And of course, you don’t break customer confidentiality; you don’t say things that are injurious to caste or creed or color.

On What Web Technologies Can do for Your Customer I believe the biggest transformations will be in such areas as collaboration, collective intelligence, and predictive market tools based on Web technologies. I want to create a seamless and unified customer experience, whether customers come to a portal, a call center, whether they are dealing with the head office, or whether they are dealing with an individual. We can make all those experiences the same. This is easier said than done because many times you go to a firm, and your Web experience is different than your kiosk experience is different than your service desk experience or your call center experience.

On the Inadequacy of E-Mail as a Collaboration Tool E-mail was the only collaboration tool in town for years, and it’s not fit for that purpose anymore. If you want to share reference material, for example, a wiki is a much better way of doing it. Then you don’t have people looking at different versions; there is only one version, it’s the latest. If you want audit trails, you can see the history; you can see when the last edits were made. A wiki is much better than e-mail because the former enables collaborative edit on a single article, people can see what others’ edits are, and it gives you the wisdom of crowds faster. You can use blogs for the preliminary conversation elements. Where the answer is not known somebody posts an opinion, people comment on it, and a conversation begins in order to reach a conclusion, which REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

49

illuSt ration by mm Shanith

J. P. Rangaswami is not


Web 2.0 may well go onto a wiki. What the blog and the wiki do is take away the attachment culture, genuinely allowing multiple people to look at the same thing at the same time, and they take away the threat of sequential commentary and complication of managing an e-mail chain.

What E-Mail Is Good for E-mail is a great broadcast medium for messages you want to push out to people and a host of point-to-point transactions. It’s perfectly reasonable to have some push communication where you want all staff to get something. You can choose different models of doing it, but e-mail is the best first element. For example, this e-mail is to tell you there’s a new sheriff in town, his name is such and such, he rides in tomorrow. For further details go to this URL. Now the point is it’s short. It’s broadcast. And it’s broadcast without being spam because it’s meaningful information. There are times when the whole enterprise or a particular department would like to operate in broadcast mode. There are all kinds of regulatory things that need to be sent out. But don’t confuse that with corporate spam where people keep you on lists you have no interest in being on or using your name to cover themselves. Or worse, using your mailbox as a place to score points over each other.

On an Open E-mail Policy At the bank [Dresder Kleinwort], I had a dozen people on my team able to read my incoming and outgoing e-mail. I flipped the usual model people have: I outsourced my mailbox to my team and I insourced my phone. The calls that interest me the most are from someone I’ve never heard of on a subject I know nothing about. And if it’s a salesman trying to sell me something, it takes me two minutes to tell him, look, I’m not interested. As for e-mail, I can have members of my team see and deal with much of it. And they can learn from the e-mails I do deal with and see how I handle things, and they get experience dealing with things they might not otherwise. So what I start doing every 50

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Feature - Web 2.0.indd 50

it’S t’S P Part of a Cio'S Job to make Sure that you don’t Create artificial pockets of power baSed on SelfiSh motiVeS.

time I get a management team together is I’ll have a couple of people be on my PA reading my mail as soon as I’ve established the right terms of trust with the people who send me confidential things and say, are you happy with my whole management team seeing it? For confidential things, you can always call me. E-mail can lend itself to some darker behaviors such as using the “cc” to avoid being held responsible if something goes wrong, people replying to only certain people on a group e-mail list, or team members complaining about each other via e-mail when they are under stress. They don’t do that if everybody can read what they write. An open e-mail policy helps people take ownership. And by not allowing these dark areas to exist, by shining a light on the places these things happen, it creates a more harmonious dialogue. I think there is something open source about opening up the mailbox, which is that transparency is good, it’s accountable because after all you’re working for an enterprise, there shouldn’t be many secrets, and it stops the attacking and whining of others in e-mail. If someone wants to say something very confidential then they can choose other routes. You wind up with all the positives. One is getting people to appreciate what you do. Then there’s the learning that can be done, there’s teaching that can be done, there’s modeling and succession planning. And that’s not trivial.

J.P. Rangaswami’s Credo* I believe that it is only a matter of time before enterprise software consists of only four types of application: publishing, search, fulfillment and conversation. I believe that weaknesses and corruptions in our own thinking about digital rights and intellectual property rights will have the effect of slowing down or sometimes even blocking this from happening. I believe we keep building layers of lockin that prevent information from flowing freely, and that we have a lot to learn about the right thing to do in this respect. I believe identity and presence and authentication and permissioning are in some ways the new battlegrounds, where the freedom of information flow will be fought for, and bitterly at that. I believe that we do live in an age of information overload, and that we have to find ways of simplifying our access to the information; of assessing the quality of the information; of having better tools to visualize the information, to enrich and improve it, of passing the information on. I believe that Moore’s Law and Metcalfe’s Law and Gilder’s Law have created an environment where it is finally possible to demonstrate the value of IT in simple terms rather than by complex inferences and abstract arguments. I believe that simplicity and convenience are important, and that we have to learn to respect human time. I believe we need to discuss these things and find ways of getting them right. And I have a fervent hope that through this blog, I can keep the conversations going and learn from them. CIO

*From Rangaswami’s blog, Confused of Calcutta Send feedback on this column to editor@cio.in

Vol/2 | i SSue/15


Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM


p o St y d a e R B y K a n iK a

I: Reader RO vel a network-le in Develop g stem sy e ur pt ca information l of the potentia Unraveling ta da real-time

52

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Govern Main - 01.indd 52

G o s wa m i

Go

Vol/2 | ISSUE/15


GIS

t

he burgeoning population of road vehicles in Bangalore is widely seen as a sign of the change in its economic landscape. In the literal sense though, the landscape has posed a string of issues for governance, the traffic police on the ground, and the common man. But, as most analysts have stated in recent times, the lack of a single view among governing bodies is a critical factor that has compounded traffic management. Given this backdrop, the Bangalore Traffic Information System (www.btis. in) is a fresh project that is expected to provide a far more accurate definition of the traffic problem. It could go some way in developing a common view of the issue before arriving at micro and holistic solutions. Little wonder that M.N. Reddi, additional commissioner of police-traffic in Bangalore City, is excited about the latest public-private initiative. Reddi researched on similar interactive websites that provide live information by SMS on traffic-congested zones, speeds of vehicles in certain areas, and directions from one point in the city to another. As a city synonymous with India’s IT industry, the technology application seemed almost inevitable in Bangalore, says Reddi. The initiative is based on Mapunity Information Services, an application

Vol/2 | ISSUE/15

Govern Main - 01.indd 53

developed by the N.S. Raghavan Centre for Entrepreneurial Learning (NSRCEL) at the Indian Institute of Management, Bangalore. The geo-spatial application is written in Ruby on Rails, an Open Source system, and uses the database Postgis/Postgres. In addition to these technologies, APIs such as Google Maps and Open Layers would be used to provide spatial information. The NSRCEL offered its GIS systems for the project, and sought to work out a realtime monitoring technology based on cell phone. With support from Reddi’s traffic police force at one end, Mapunity tied up with Bharti Airtel at the other to use its service and towers towards this end.

deStination Mobility The logic of the system is based on cell phone congestion, says Dr. Ashwin Mahesh, CEO of Mapunity. “The idea is simple: if phones are proxy for people, as in highway traffic planning in many parts of the Western world, the congestion of phones will be proxy for congestion of people.” So, the system called for installation of micro towers in select congested areas at traffic crossings, which was taken care of by Bharti Airtel. The permissions to erect these towers, as well as the selection of the spots that would yield maximum data, were

overseen by Bangalore Traffic Police. “As part of the administration, we drove the project and provided support to Airtel to put up the towers in extremely congested crossings,” says Reddi. “There are 700 new vehicles being added to Bangalore’s choked roads everyday. Infrastructure cannot keep pace with it, so there has to be some monitoring mechanism. For BTIS, Mapunity provides the grey cells, Airtel is the facilitator, and the traffic police is the user of the data. With the information, we can take trafficrelated decisions,” he explains. In effect, the information system monitors traffic densities — as indicated by cell phone signal congestion — to provide data in real time on the pattern of movement at different locations between towers. This forms the first step towards planned movement in the city roads. The data can be located geo-spatially at any time on a city map by Bangaloreans on the website, or received by commuters through SMS. Currently, there are 150 towers that have been installed, of which about 70 have been put up by Airtel solely for this initiative. Further, cameras have been installed at critical points to capture live feeds. “We have installed up to eight cameras at various points. Essentially, we are looking at an object recognition algorithm and accounting algorithm REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

53

ImagIng by an Il t

In a city synonymous with the IT industry in India, the Bangalore Traffic Police is using information technology to tackle a rampant problem — and move forward.


GIS that will look at those feeds in real time,” says Mahesh, who also wants to develop various delivery platforms for information since the amassed data have several uses. “Right now, it’s on the Web and SMS. But, we’d like to create a product that can be used from radio stations and in hotel lobbies. It could be a plasma screen in the lobby with

be avoided, the Traffic Control Room plans to use the data for better transportation route planning. The broad agreement between the key stakeholders is that the traffic police department will facilitate the tower installation in congested junctions, Airtel will map the traffic patterns, and Mapunity

“Infrastructure cannot keep pace with the growth in vehicle population, so there has to be a mechanism to monitor the traffic.” — M.N. Reddi Addl. Commissioner of Police, Traffic, Bangalore City

will have a limited footprint, serving only people in that limited area of the junction. It would not be handled by the overlying BTF layer that would otherwise handle telecom traffic. So, Airtel wanted a solution for call drops at intersections; the traffic police only needed to map people at the intersection; we could use these micro towers to get our data,” he explains. The website was launched on June 1 this year, and carries detailed traffic and movement coverage for the eastern and southern parts of the city. In the next phase, they plan to extend the service to Bangalore North and West. Other services include safety instructions, information on roads and diversions in the city, level-ofservice mapping, passenger information system, origin-destination studies and route optimization among others. The service will remain free for a few weeks before becoming a paid service — that would pave the way for a strong revenue model for the website. Two weeks into its operation, the website is getting about 4,000 requests on SMS every day. The numbers seem to be growing by about 5 percent everyday. The website has been getting another 2,000 people, some of whom enquire about new services. “The carpool service, for instance, is not operational. Yet, a few dozen have called in and shown interest in being notified when the carpool service begins,” he says.

P hoto by Sr IVatSa Shan dIlya

the lonG hoRizon

live feeds,” he adds. This will benefit travelers, for instance, who can work out alternative routes if the common road to the airport is blocked. Large displays would also be useful at software technology parks because there are large numbers of movements originating and ending in such large complexes. While commuters can be aware of particularly congested roads that can 54

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

Govern Main - 01.indd 54

processes the data to turn it into readable traffic information for the end-user. “We all had a congruent interest,” says Mahesh. “For any telecom service provider, congestion means a drop off. Airtel wanted the network to reach into congested areas too. They were interested in serving people in junctions where congestion typically takes place. They were coming up with micro towers, which

The biggest takeaway of the traffic information system has been the data on commuting patterns. Earlier, it could take months to do a physical survey of a few thousand households in a locality to study their commuting patterns. On the other hand, with cell-phone signals, Mahesh says, “I can give you data about a million and a half households by tomorrow morning.” By mapping movements onto a network and a dynamic capture system, transport planning has become not just faster, but more flexible. “Cell phone signals provide very easy data feed. Companies can also use this data to ascertain major populated areas, work

Vol/2 | ISSUE/15

6/11/2007 7:38:03 PM


GIS is also on the anvil. “All of junctions using Airtel’s micro this will be integrated into towers. In time, people will the Traffic Management be allowed to customize these Centre. This will give us locations, identifying them ample information to asses with keywords like ‘home’ SNAPSHOT a situation. Then, we can and ‘office’. The carpool will take subjective field action. also have a group messaging BTIS This will also ensure a platform that makes it ROAD NETWORk: transparent traffic control possible to query many 4,200 km system,” says Reddi. pool partners at the same REgISTERED “Besides, the advantage time, thereby increasing the vEHICLES: of using cell-phone data likelihood that at least one of 28 lakh to trace density of traffic them will be able to share on PEAk HOuR TRAffIC is that information based a given day. CENTRAL AREA: 10,000 PCU* on this can give out very The BTIS initiative has good OD (origin density) called for tremendous manPEAk HOuR TRAffIC PERIPHERAL AREA: statistics, telling us where hours in terms of investment, 3,000-5,000 PCU the traffic is originating, asserts Mahesh. “We put in * Passenger car which direction it is moving, about six to eight months equivalent and the accurate congestion into this project. The Traffic situation,” he adds. Police personnel also invested Insofar as the spatial a good amount of time and locations, there are about 1,200 locations effort — there were eight constables and in the database, monitoring about 200 five ACPs who were working on this, in addition to their regular duties. Towards the end of the project, Artel put in about Rs 10 lakh for the final expenditures. So, I think the investment in this project is more in terms of effort than money,” he explains. It’s what Mahesh deems a social entrepreneurship project. t the Center for Infrastructure and t transportation Studies at rensselaer For Reddi, the initiative is another Polytechnic Institute (rPI), director george list is leading a pilot project called step in the direction of tech-enabling the advanced t traveler Information System, or atIS. With atIS, the speed, the Bangalore traffic police. It’s a bid to location and direction of approximately 200 cars equipped with wireless gPS and systematize what otherwise translates to pocket PC devices are tracked by a central server at rPI. When these cars travel along complete chaos on the roads of Bangalore, certain roadways, their location is plotted on a map. based on the progress of the cars, especially at peak hours. In a few months, the drivers are sent voice-based updates that alert them to impending traffic problems when the Traffic Management Centre is and recommend alternate routes. up and running, Bangalore and its harried Something else that could ease traffic congestion is often given short shrift by state commuters should get some relief — or, at and local transportation agencies, and yet doesn’t have to include whiz-bang technology: the very least, there will be a method to the “making traffic signals work more efficiently can improve traffic,” says Shelley row, madness they encounter. CIO associate executive director of technical programs at the Institute of transportation t Engineers (ItE). recently, the national transportation t operations Coalition released the national t traffic Signal report Card, in which 378 transportation agencies in 49 states rated their own traffic signal operations. the overall grade: a d-minus. When it comes to managing signals, the city of bellevue in Washington came in at the head of the class. mark Poch, the city’s traffic engineering manager, says 90 percent of bellevue’s 173 traffic signals are networked to a central computer. Closed-circuit tV cameras monitor traffic flow, enabling engineers — with the help of a PC — to tweak signal timing as situations warrant. the incremental effect is significant, Poch notes. take a busy intersection with 50,000 cars and shave delays for each car by just five t seconds. multiply that throughout a metropolitan area, and there will be huge savings in time and gas. Special correspondent Kanika Goswami can be —t team CIo contacted at kanika_g@cio.in locations, heavy traffic roads, buses and other modes of transport,” notes Mahesh. Reddi says there is a larger purpose behind the whole exercise. “The traffic police department has two major advantages from this project. First of all, with this data, congestion mapping will be at the fingertips of our traffic personnel and every cop will have information of sensitive areas. So, regulation can be easy. This database will help us identify problem areas without waiting for human intervention. Secondly, this is a step towards setting up a Traffic Management Centre in a few months in Bangalore,” he explains. The center will consist of a large number of cameras feeding a large media wall for constant real-time monitoring as well as analysis of the information coming in. BTIS will be an important source of this information. It will feature a helpline, live video streams and call-in information from users. An Accident Detection System

The AmerIcAn c WAy

a

Vol/2 | ISSUE/15

Govern Main - 01.indd 55

REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

55


Essential

technology Illustration by PC Anoop

From Inception to Implementation — I.T. That Matters

The new update to the IT Infrastructure Library could help you improve IT-business alignment and change your focus from fire-fighting to service delivery.

56

Essentisl Tec.indd 56

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

ITIL Goes Strategic By Galen Gruman I.T. MANAGEMENT | ITIL is an acronym that some CIOs don’t understand well. If they’re aware of the IT Infrastructure Library, it’s in the context of two of the library’s books that provide guidance on improving help desk services (such as handling support requests) and on improving IT operations (such as managing software changes within the data center). In other words, ITIL is something that the operations staff uses. But the IT Infrastructure Library — the set of practices and service approaches outlined in a series of guides and supported by a host of toolkits, certifications, consultancies and user groups — can do more than serve as a best-practices framework for solving specific operational needs. A growing number of CIOs are using ITIL for better business alignment. It helps them create operational consistency across departments and locations, as well as with contractors and suppliers. It helps IT focus on delivering service to business units and customers, not just delivering technology. “The old model is that success is fulfilling a requirement or delivering on schedule. ITIL says success is based on whether the business value is where it needs to be,” says Jo Lee Hayes, VP (enterprise technologies) of SLM, the mortgage lender known as Sallie Mae. As Rudy Wedenjoa, director of enterprise operations management at General Motors, puts it, “ITIL cares about how to organize the chaos of operations.” GM saw the use of ITIL

Vo l/2 | I SSUE/15

6/11/2007 5:51:16 PM


essential technology

as critical to ensure operational consistency and a focus on service delivery when the company sought to move from a single IT contractor model (involving its former EDS subsidiary) to a global, multiple-supplier outsourcing model to handle its IT needs. GM realized that the various suppliers, as well as GM’s own IT staff, would need a common language and viewpoint to deliver consistently, Wedenjoa says. To date, however, ITIL has come under some fire for telling IT departments what to change but not how. And its independent volumes have caused many organizations to apply ITIL only to a few operational areas, missing the larger benefits possible. An updated version promises more realworld examples, best-practice models and metrics — and emphasizes the entire IT lifecycle and ROI issues. CIOs say the change is welcome.

problems from occurring in the first place, Sansbury says: “About 70 percent of incidents [problem reports] are caused by poorly controlled change. ITIL helps create the control.” Independent ITIL consultant Malcolm Fry agrees: “Looking for root causes is now important — you just can’t keep fixing things.” That’s why Rich Taliani, vice president of IT at Guardian Life Insurance, has promoted the use of ITIL. “We’re trying to get out of the reactive mode.” He notes that ITIL helps create a consistent level of process across the organization by creating a standard methodology to apply within IT (including language). However, many organizations have missed or ignored ITIL’s other aspects, like financial management (such as determining the cost of implementing a change), capacity management, software asset management,

To date, ITIL's independent volumes caused organizations to apply it to a few operational areas only, thereby missing the larger benefits possible. Get Out of Reactive Mode The current version of ITIL, version 2, consists of eight books, each offering a framework for a specific IT operational process. Most organizations use just two — the Service Support and Service Delivery books — in a tactical way, to improve their help desk operations through better incident and problem management. Some organizations also use the books to improve their change-management efforts, notes Ed Holub, a Gartner research director. Although these are natural areas for IT to try to fix, especially organizations mired in constant fire-fighting, something more substantial has to happen before IT can become a business enabler rather than a back-office support organization, says John Sansbury, head of practice for service management at the Compass consultancy. IT organizations should prevent the

Vol/2 | I SSUE/15

Essentisl Tec.indd 57

lifecycle configuration management and license change management, says Fred Broussard, a research manager at IDC, a sister company of CIO’s publisher. One reason: The current ITIL presentation, says Fry, is “more focused on projects than on the lifecycle.” Recognizing that many organizations view ITIL tactically, in a limited fashion and often at a lower organizational level than the CIO office, the UK Office of Government Commerce (ITIL’s creator) has revamped ITIL. The updated version, composed of five core books, integrates more material and presents a more IT lifecycle–oriented framework that further emphasizes ROI and other business values. It should make ITIL’s broad applicability more obvious. But organizations already have to view technology from a lifecycle perspective to make the connection, notes SLM’s Hayes.

“If you don’t have horizontal thinking, you will have a very difficult time adopting ITIL,” she says. The new library will also have more real-world examples and best-practice models, as well as metrics. These changes should help overcome previous ITIL books’ general guidance, which many companies found difficult to translate to their specific needs, says Compass’s Sansbury. “The current ITIL tells you what but not how, which is pretty important,” notes IDC’s Broussard. “It lacks a lot of detail; it’s very descriptive, but not prescriptive,” says Hayes. And the new version will cover how to apply ITIL principles in outsourced operations, something the current version gives scant attention to, Sansbury adds. That’s critical for companies like GM that outsource much of their IT operations, and for companies that rely on vendors to develop key processes in their applications rather than do this work in-house.

Make IT Service-Minded One hope for the new version is that it will speak more to the CIO and other senior IT executives so that they see ITIL’s utility and begin promoting its approaches and even demanding them across their organizations, says consultant Fry. “The CIO can pick up a book to better understand the operations specifically for, say, change management, an area that he may have no experience with,” he says. “You can’t take for granted that if the IT managers are taking care of the operations you don’t have to worry about it as CIO,” says David Wheeldon, director of service management at Hewlett-Packard Education EMEA, UK, and co-author of the new ITIL book on Service Operations. But that doesn’t mean the CIO should become the hands-on manager for that issue. “I’ll read the new ITIL, but I won’t figure out how to modify my systems for it,” notes Hayes. “But I will aggressively ask how my vendors are going to modify their systems for it,” she adds. Similarly, a CIO should push IT operations managers on how they’re using it. REAL CIO WORLD | j u n e 1 5 , 2 0 0 7

57

6/11/2007 5:51:16 PM


essential technology

Overall, a CIO should use the new ITIL books to set the goals for being a serviceoriented organization, develop the metrics to assess whether the operational goals are being met and help develop or buy the processes that help the IT organization make the shift, Fry recommends. “ITIL drives the strategic direction that IT is about services,” says George Spalding, a vice president at the consultancy Pink Elephant and co-author of the new ITIL book on Continual Service Improvement. “And it provides a definition of success,” he adds. This shift to service orientation is particularly critical for companies constantly fighting technology fires, which causes executive management to question the CIO’s abilities and prevents a view of IT as a business enabler from taking root. “No one cares about the CIO’s strategic vision, if the help desk stinks,” Spalding says. And as more and more customerfacing processes become automated, tolerance for poor service plummets. “CIOs

service requirements and controls, Six Sigma focuses on repeatable processes, and Capability Maturity Model Integration (CMMI) focuses on improving technical and managerial maturity. Using all of these could help the IT organization succeed as a business enabler across the board. Using ITIL in a vacuum, IT might improve operations but let poor controls continue and miss chances to generate new business, consultants say. Conversely, says Fry, an organization pursuing these other approaches but not ITIL risks having an operational foundation that can’t support the maturity achieved elsewhere. You don’t have to use all these methodologies to succeed, but an organization tackling improvement holistically should do better than one that treats these as one-off efforts, he says. An understanding of ITIL will also help a CIO deal with a request from IT operations managers for a configuration management database (CMDB), meant

Understanding ITIL can also help a CIO in dealing with requests for a database to track components and the relationships among them. don’t have room for error any more,” Fry says. Using ITIL, a CIO can “ask a pile of questions for real change,” he notes. For example, you might ask whether an IT effort changes capacity requirements, has a recovery strategy built into it and has realistic service-level agreements — all lifecycle issues often neglected if you’re focused on delivering technology.

Improve the Big Picture A CIO also can integrate ITIL approaches as part of a cohesive services effort, Fry notes. For example, the Control Objectives for Information and related Technology (Cobit) standard provides a complementary framework for developing policies around 58

Essentisl Tec.indd 58

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

to track both the components and the relationships among them for the software, hardware and other aspects of IT systems. The goal of a CMDB: help IT identify up front the implications of proposed changes — from new hardware to a software patch — on the entire system, then resolve the issues before implementing the changes. The CMDB concept is coming into vogue both because vendors are offering CMDB tools and because it’s a natural next step in the ITIL process after an organization has resolved incident and support management problems. However, a CMDB is a big investment that involves significant process change, technically and politically. Understanding how a CMDB

Where your peers stand:

3% of organizations have completed ITIL efforts 49% are in progress 32% plan to start within the next 18 months 16% have no plans Source: Gartner

fits into the operational improvement that ITIL promotes will let the CIO assess whether the organization is actually ready to implement a CMDB, or whether work is needed to provide the right process and cultural foundations. That’s a calculation that Guardian’s Taliani is now making. Guardian split its ITIL efforts into two phases, the second of which will require a CMDB — but before committing, Taliani wants to ensure it will be used effectively. So he’ll make sure ITIL adoption is deep before deciding. (With shallow adoption, IT people could revert to old practices as demands increase, he points out.) If the ITIL adoption takes root at Guardian, he expects to commit to at least a basic CMDB effort. CIO

Galen Gruman is a frequent contributor to CIO. Send your feedback on this feature to editor@cio.in

Vo l/2 | I SSUE/15

6/11/2007 5:51:16 PM


Pundit

essential technology

Shouldering Risk Security should be laid on backs that can carry the burden — and out of consumers' hands. By CHRISTOPHER KOCH I.T. STRATEGY | Who has the best shot at mitigating risk? Who is best qualified to shoulder the responsibility for owning risk? Only when you begin to think of this from a risk perspective you begin to see that the IT industry, government and the media have all delegated the responsibility for consumer IT security to the individual. And you begin to see that perhaps that strategic decision has become completely outdated and therefore, whacked.

The ISP will use its economic muscle to demand improvements in the software that consumers are too ignorant, powerless or complacent to contemplate. At the organization level, think of IT security and you think about a cyberproof vest, shielding the company from all outsiders. The early threats from viruses and website graffiti taught business executives to think of security that way. Yet from a risk perspective, this is hopelessly incomplete. The risk was, and is, in the data. Now

encryption is expensive and complex. Few executive teams would have felt compelled to spend the extra money when perimeter security seemed to be working. So, the failure today is not with IT, but with businesses unwilling to quantify the risk they face. And there are people trained to cut through the irrationality of human perceptions about risk. They’re called actuarials, and they work for big insurance companies that are much more capable of shouldering security risk than CIOs and

The second wave of IT security has led to a disastrous notion that the first generation failed. We’re starting to see some leakage around this absurd thinking. ISPs are beginning to give away security software with their service. This might seem like a waste of money since most new computers these days come pre-loaded with security software programs. But from a risk perspective, the cost to the ISP becomes trivial. Unprotected computers heave spam on customers and other ISPs, clog the pipes, ruin customer satisfaction and make the ISP the highway for increasingly serious criminal activity. ISPs are much better equipped to shoulder the responsibility for mitigating the risk, too, because they can define and enforce the default. And the uniformity of the software across customers means the ISP has better knowledge of the impact of the software on customers and its network. 60

ET-Pundit.indd 60

j u n e 1 5 , 2 0 0 7 | REAL CIO WORLD

companies are madly encrypting all their data in an attempt to keep it from walking out the door in a laptop or thumb drive. But this second wave of IT security has led to a disastrous perception problem: the general sense that the first generation of IT security failed. All that money invested in the perimeter didn’t protect companies and now they need to spend a lot more. If you elevate the discussion to risk, you immediately see that it's not a failure of the IT organization at all. It’s a failure of organizations like TJX and most government agencies to consider risk from a more allencompassing perspective. Don’t you think that a CIO somewhere argued for encrypting data back in the day when perimeter security was the emphasis of most companies? That discussion would have ended quickly because

CEOs. Insurance companies could exert pressure for protective measures more broadly and with better accuracy than individual companies and certainly better than CIOs whose companies have negligently scoped the risk of loss of customer information and property down to an issue of IT security. You can’t leave this in the hands of the CIO or within the IT budget any more than you can leave it in the hands of consumers. With law enforcement agencies unable to deal with the sudden globalization of crime, we have to stop kidding ourselves that this has much of anything to do with IT anymore. CIO (Concluded) Christopher Koch is the executive editor of CIO-US. Send feedback about this column to editor@cio.in

Vol/2 | ISSU E/15

6/11/2007 5:51:53 PM

CIO June 15 2007 Issue  

Technology, Business, Leadership

Read more
Read more
Similar to
Popular now
Just for you