CIO November 15 2006 Issue by Sreekanth Sastry

Cover_october011_checklist.indd 84

11/17/2011 10:16:50 AM

From The Editor

Who says disruption isn’t good? A year back, we commenced a journey to help

Disruptive Journey It’s your suggestions that have kept us on track.

IT leaders in India to share field-tested learnings on technology management. Thanks to your proactive support, CIO India has been able to do that quite substantially. The first bit of disruption on our part was to change the way technology management was covered — by putting the spotlight on CIOs and their concerns; by trying to figure out what India’s business leaders want from IT; by seeking best practices in e-governance and by basing all this on a ‘Business Technology Leadership’ platform. A platform that we’ve expanded over the past dozen months to cover this publication, its companion website (www.cio.in) and events. The critical input we sought (and continue to do so) was ‘reader feedback’. To kickstart the process, we put in place a 20-strong Advisory Board comprising current and former CIOs. Their advice helped us choose the right path, but it’s your suggestions that have kept us on track, and given shape and definition to this publication. Thanks a ton for all the feedback you’ve sent us. The next bit of disruption had to do with changing the way the CIO team of journalists Our articles are designed went about its work. For one, our story ideas to help you share learnings were now coming from you. We also decided with peers without anyone to take a extremely focused approach to else getting in the way. our articles. They had to help you and your peers for share challenges and best practices without anyone else (us included) getting in the way. Believe me, this was one of the toughest parts of this equation of change. The final disruptive move was to bring the philosophy of the magazine and its website into other media. We started off with focused events ranging from panel discussions on security and data management to the CIO 100 Symposium & Awards. Recently, we launched podcast interviews with a bunch of your peers. To recall what I wrote in these columns some months ago: “The journey hasn’t been easy. It’s just been worth it.” In the year ahead, prepare for more change from CIO. Write in and let me know what you want. Salud.

Vijay Ramachandran, Editor vijay_r@cio.in

n o ve m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd8 8

Vol/2 | ISSUE/01

11/14/2006 11:38:43 AM

content novemBeR 15 2006‑ | ‑vol/2‑ | ‑issue/01

Implementation

Views From The Top

COVER STORy | LESSONS FROM THE VERTICALS | 36

SELECTION OF INTERVIEWS | 88 The ultimate business’ perspective of the IT organization: the industry leader. Eight vignettes from the View From The Top series.

Features by Balaji Narasimhan, Gunjan Trivedi and Rahul Neel Mani

Interviews by Team CIO

Executive Coach VALuE? ADDED | 28 How CIOs can engineer a ‘tipping point’ to speed up the adoption of value management practices and prove that IT matters. Column by Susan Cramm

Peer To Peer Security Survey GLOBAL INFO-SECuRITy SuRVEy | 66 Some things are getting better —slowly — but security practices are still immature and, in some cases, ad hoc. Feature by Allan Holmes

n o V E m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd10 10

EVERyONE GETS TO PLAy | 24 Good IT governance is about involving as many people as possible. And then it is IT’s job to support them. Column by Lynn H. Vogel

more » Vol/2 | ISSUE/01

11/14/2006 11:38:46 AM

content

Essential Technology | 98 Video | See what’s invading your network

By Laurianne McLaughlin Remote Management | Costs to go through the roof

By Thomas Wailgum

From the Editor | 8 Disruptive Journey | Over the past year, it’s your suggestions that have kept us on track. By Vijay Ramachandran Ram

Inbox | 16

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. go to www.cio.in

c o.in

Govern POWERED By EXECuTION | 94 Growth and proliferation of IT services in governance can be a reality through dialogue and execution, says M.N. Vidyashankar, IT secretary of Karnataka. Technology can be as good as its implementation, he asserts. Interview by Kunal N. Talgeri

Feature MEET yOuR NEW HOST | 82 Supply chain software has been considered too risky and important to be hosted by outsiders. That is, until you consider the risks and expense of installing and supporting it yourself. Feature by Meridith Levinson

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd12 12

CIO anniversary Silver disc

2 0

Guru Speak | Footage of John Hagel’s

presentation at the CIO 100 Symposium

White Papers | What you need to know

in storage, security and business intelligence Magazine Archive | All CIO issues from November 15, 2005 onwards Essential Downloads |

A range of software for the CIO

Advertiser Index

ADVISORY BOARD Manage ment

President N. Bringi Dev

COO Louis D’Mello Editorial Editor Vijay Ramachandran

Bureau Head-North Rahul Neel Mani

Assistant Editor Harichandan Arakali

Special Correspondent Balaji Narasimhan

Senior Correspondent Gunjan Trivedi Chief COPY EDITOR Kunal N. Talgeri

COPY EDITOR Sunil Shah www.C IO.IN

Editorial Director-Online R. Giridhar D esign & Production

Anil Nadkarni

APW President

30 & 31

Head IT, Thomas Cook, a_nadkarni@cio.in

Avaya

4&5

Canon

103

Citrix

Arindam Bose Head IT, LG Electronics India, a_bose@cio.in Arun Gupta Director – Philips Global Infrastructure Services Arvind Tawde VP & CIO, Mahindra & Mahindra, a_tawde@cio.in

EMC

Bookmark

Epson

Ashish Kumar Chauhan Advisor, Reliance Industries Ltd, a_chauhan@cio.in M. D. Agarwal

Fortinet

Freescale

Chief Manager – IT, BPCL, md_agarwal@cio.in

Creative Director Jayan K Narayanan

Designers Binesh Sreedharan

Vikas Kapoor, Anil V.K.

3, 34, 35, 41, 43, 49, 55 & 61

Mani Mulki VP - IS, Godrej Consumer Products Ltd, m_mulki@cio.in

IBM

Jinan K. Vijayan, Sani Mani Unnikrishnan A.V. Sasi Bhaskar, Girish A.V.

Manish Choksi VP - IT, Asian Paints, m_choksi@cio.in

Vishwanath Vanjire MM Shanith, Anil T PC Anoop

Photography Srivatsa Shandilya

Production T.K. Karunakaran

T.K. Jayadeep

Neel Ratan Executive Director – Business Solutions, Pricewaterhouse Coopers, n_ratan@cio.in Rajesh Uppal General Manager – IT, Maruti Udyog, r_uppal@cio.in

Marketing and Sales General Manager, Sales Naveen Chand Singh brand Manager Alok Anand Marketing Siddharth Singh Bangalore Mahantesh Godi Santosh Malleswara Ashish Kumar, Kishore Venkat Delhi Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B Mumbai Nagesh Pai; Parul Singh, Chetan T. Rai Japan Tomoko Fujikawa USA Larry Arthur; Jo Ben-Atar

Singapore Michael Mullaney UK Shane Hannam

Events Mumbai Rupesh Sreedharan

Prof. R.T.Krishnan Professor, IIM-Bangalore, r_krishnan@cio.in

Inflow Technology

Intel

Interface

Lenovo Mercury Microsoft

104 11 Gatefold, 19 & 21

Molex

MRO TEK

Netmagic

Research in Motion

Sr. VP, ISG Novasoft, sr_balasubra manian@cio.in

Rittal

Prof. S Sadagopan

Select

Sybor

Syntax

Toshiba

Vishwak

s_gujral@cio.in

Webex

Unni Krishnan T.M

Wipro

S. B. Patankar Director - IS, Bombay Stock Exchange, sb_patankar@cio.in S. Gopalakrishnan COO & Head Technology, Infosys Technologies

s_gopalakrishnan @cio.in S. R. Balasubramanian

Director, IIIT - Bangalore. s_sadagopan@cio.in Sanjay Sharma Corporate Head Technology Officer, IDBI, s_sharma@cio.in Dr. Sridhar Mitta Managing Director & CTO, e4e Labs, s_mitta@cio.in

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Former VP - Technologies, Wipro Spectramind

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

CTO, Shopper’s Stop Ltd, u_krishnan@cio.in

Sunil Gujral

6&7

V. Balakrishnan CIO, Polaris Software Ltd., v_balakrishnan@cio.in

n o ve m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd14 14

Vol/2 | ISSUE/01

11/14/2006 11:38:56 AM

reader feedback

how the stars shone

Benchmark Aid I’ve been meaning to write to you for sometime to tell you that I look forward to reading the magazine every fortnight. The cover story on virtualization of servers and PCs (Doing More With Less, October 15, 2006 2006) was fairly comprehensive and informative. It actually cleared some debates we were having internally on the subject. Your presentation of CIO 100 (The The Giant 100, October 1, 2006 2006) was innovative and also gave me an insight into preferences of friends in the industry. I should also add that the current format of editorial content is extremely good — the mix of domestic and global perspectives, in particular. It gives readers the opportunity to benchmark themselves against their peers in the industry. RAvi UppAl, Vice chairman and MD, ABB India

proximity to Business How can IT be strategic? I agree with your editorial, 'Who’s Your Boss' (October 15) that CIOs should report to CEOs for IT to be strategic. However, that is not always possible. And whenever it is not, a CIO has no other option but to try and make his CEO more IT savvy, and get closer to them. Under no circumstances should a CIO report to a CFO. It’s better to quit the organization. Ashok R pAtel, pA DGM(Systems) GSFC

Inbox.indd 16

n o V E M B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Overall, it was a fantastic idea to present CIOs as stars in your coverage of the CIO 100 (The The Giant 100, October 1, 2006 2006). It showed that the people CIO has honored are no less than the stars they fall under — a very nice touch. On the flip side, I was not particularly impressed with some of the topics that were revisited in the issue after they were covered at the event. I do understand that this was meant for people who didn't attended the event, but maybe you could have covered the frills and fancies that gave the event its glamorous look in greater detail, instead. It was more glamorous than we expected. Another suggestion: when you're faced with another event in future, you could pick a topic discussed during the event meet (like Dr Vyas’s presentation), and then interview CIOs who have knowledge in those areas. This will lend a wider perspective to the issue, and interest even those who were present at the event. Even topics like that of the CIO panel discussion could be thrown to an audience of CIOs. Based on their thoughts, CIO's team of editors and journalist could then provide a broad consensus. A final verdict from a few CIOs would be more meaningful for the fraternity to grasp and discuss. tAmAl ChAkRAvoRthy, Cio Ericsson India

I thought the October 1st editorial (Creating Harmony) was timely and describes the role of future CIOs. You have spoken about multi-functional teams What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.

"When it’s not possible for cIOs to report to ceOs, they must try to make their ceOs more IT savvy. In no case should a cIO report to a cfO. It’s better to quit the organization." getting involved in project execution. I agree. Business imperatives for any organization, in today’s context, includes knowledge management, which is about leveraging an organization's collective wisdom. Alignment of IT and business is a continuous process of assessing technology and synchronizing it with business. The future role of CIO's will be quite challenging. CIO's will have to leverage knowledge and make innovative use of IT by working with multi-faceted and multi-functional teams. Your editorials are always refreshing. You pick up an issue of relative importance, concerning the IT fraternity, and deal with it very objectively. In general, I would like to say that I enjoy reading CIO; three sections specifically, besides the editorial, are of interest to me. These are View from the Top — where you feature views of industry leaders; Essential Technology — where you lend readers technological insights and Trendlines — where interesting and emerging technologies are covered. ARUn pAnde, vp-it, it it, Colgate Palmolive

editor@c o.in Vol/2 | ISSUE/01

new

hot

unexpected

IllustratIon by sas I bhaskar

toward Data insurance s e c u r i t y You can’t touch it, feel it or smell it, but losing it could cost crores of rupees in business and jeopardize your company’s credibility among customers. Still, insurers in India are yet to come up with a viable product to cover data loss. This may change, if Tata AIG launches its product for ‘data insurance’ that is initially aimed at larger Indian banks. A CIO from a public sector bank says that there aren’t any hard proposals yet, but AIG’s representatives have sent out feelers. Other insurers have shown an interest for a similar product, but the relatively poor security practices at banks are cited as a key hurdle. Best practices suggest that banks should invest between 10 to 15 percent of their IT budgets on security. But an Indian Banks Association survey showed that banks were spending only up to two percent. Few banks in India even have a chief information security officer with a dedicated team, says the bank CIO. Usually, someone from the IT department is put on an additional security detail. Many banks end up merely deploying firewalls, and intrusion detection and prevention systems that don’t leave data centers secure enough. Resolute processes and regular monitoring are still not a standard practice. Also of interest is how insurers, policy holders and courts will interpret the definition of computer data because, often, policies are built around the description ‘tangible property’. Precedence from the courts in the US, for instance, shows that claims for damages for data loss or theft could go either way. —By Harichandan Arakali

Predictive Technologies: the Next Big Thing While Jeff Wacker looks more It manager than mad scientist, as the futurist for Plano, t texas-based EDs Corp, he spends his days looking to the future of It. Wacker says, “the next big thing requires three triggers: a pent-up need; an existing technology; and a spark, a killer app, that gives reason for a technology to fill that need.” the year 2008 looks to be the start of the next cycle, with venture capitalists looking at mid-2007 as the launching point for a host of new capabilities and technologies, he says. and what’s that next big thing going to be? With a greying workforce and a skills shortage fueling the increasing automation r e ta i l

Vol/2 | I ssuE/01

Trendlines.indd 17

of It processes, Wacker says simulation modeling and prediction technologies is the next major technology shift. according to Wacker, the cost of an It failure to business is becoming increasingly high. that is fueling the need for complex simulation modeling technology to identify potential problems, so that they can be rectified before they occur, he adds. “We’ve got this whole world of predictability that is coming online. Most companies don’t have a sense-and-respond model yet. they have a cause-and-effect model.” the technology fueling this shift will include the next-generation architecture of multi-core processors, with the parallel

processing capabilities they enable offering the computing power necessary to run complex simulation programs. this will also mean that massive amounts of data will be required and generated, enabled by new holographic and crystalline storage technologies. the key, Wacker says, will be getting contextual information rather than historical information. “It’s not 'I sold five umbrellas this time last year, so I’ll probably sell five tomorrow'. but rather, 'It’s going to rain tomorrow. therefore, I’ll probably sell more umbrellas, so I should put them on display'.” — by Jeff Jedras

REAL CIO WORLD | n o v e m B e R 1 5 , 2 0 0 6

11/10/2006 8:15:51 PM

trendlines

Of Dashboards and

Scorecards

You get what you pay for. Deploying an inexpensive performance dashboard (licensable for under Rs 22.5 lakh) may yield results in the short term. But, the need to increase the scale of your dashboard will require significant additional time and investment. Plan for the long haul. Successfully deploying a dashboard or scorecard often leads to requests from other departments for similar performance management tools. If you are not prepared to rapidly expand the scale and scope of your system, the extra drain on databases and processing power will lead to slower response times. Plan for real time. Even if the business side is not requesting daily updates, being prepared to deliver them more timely data yields more valuable dashboards and scorecards, and allows the business to optimize performance more proactively. Develop effective metrics. Metrics are ultimately the key to the success of your dashboard/scorecard. Many techniques are available for ensuring that the metrics used are effective, including getting user buy-in, simplifying by using fewer metrics, avoiding perfectionism, and monitoring and revising as metrics lose business impact. Involve technical people. One common mistake is to create metrics for which no data exists. To avoid this awkward situation, make sure you assign technical people to the team.

Airplane

Flight Decks Go

Paperless

A V IATI O N TEC H N O L O G Y Anyone who’s visited a commercial airplane cockpit will tell you there’s usually a whole lot of paper in there. That 77-pound briefcase you saw the pilot lug up the gangway didn’t contain a copy of War and Peace he intends to read: it’s stuffed with navigational charts, weight and balance data, and operating manuals. Some airlines are replacing these paper-based processes with electronic flight bag (EFB) technology. JetBlue made a splash in 2000 when it equipped its pilots and first officers with laptops to access flight manuals and make pre-flight load and balance calculations that it said would reduce the airline’s printing costs and also save 4,800 man-hours a year. “The typical airline is operating hundreds, if not thousands, of flights a day. That’s a lot of paper, so there’s a definite cost and environmental benefit to the technology,” says Henry Harteveldt, vice president of travel research for Forrester. “There’s also immediacy,” so pilots always have updated data, he says. FedEx has used EFBs since 1991, but most commercial airlines couldn’t justify the technology due to implementation costs and communications infrastructure challenges. Today, more passenger airlines are getting on board. JetBlue’s laptops, considered Class 1 EFBs by the Federal Aviation Administration, are just like yours — they have to be stowed. Virgin America plans to take off next year with Class 2 EFBs, which mount in the cockpit of its Airbus A320s. The Class 2 option will be less expensive than equipping every pilot with his own laptop, says Virgin America. The ultimate goal is a nearly paperless flight deck except for one checklist. Houghton says that will increase efficiency, reduce costs and raise the quality of life for pilots — they’ll have a free hand to carry a change of clothes for dinner or a good book.

Illust ration by P C A no op

D a t a W a r e ho u s i n g Dashboards and scorecards are becoming ubiquitous business tools, according to a recent survey from The Data Warehousing Institute. The report, based on a winter 2006 survey of corporate IT professionals, BI consultants, and business sponsors/users, identifies numerous trends found in recent dashboard and scorecard deployments. The report found that a majority of groups surveyed have deployed a dashboard and scorecard, often within the same application. Also, dashboard and scorecard projects are overwhelmingly businessdriven, meaning they are initiated and guided by business leaders. Dashboards and scorecards are still in their infancy, according to the report. Most support fewer than 50 users and maintain less than 50 GB of data. Many organizations report that they haven’t spent a lot of money on dashboard/scorecard deployments. The report makes several best practices recommendations:

—By Stephanie Overby 18

Trendlines.indd 18

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | I SSUE/01

11/10/2006 8:15:52 PM

trenDlines

Finding the best It talent continues to challenge CIos. but some are tapping into a trick that external hr recruiters have used for a while now: joblogging. by scanning blogs and socialnetworking tools, CIos and their internal recruiters sometimes strike gold. “this allows us to start a conversation about what opportunities we have here,” says John leech, manager of recruitment for services at FedEx. leech says FedEx It launched the search-via-blogs strategy about a year ago. While he won’t specify how many new hires have resulted, he calls the effort very successful. one of the benefits of using blogs and social-networking sites such as linkedIn.com to recruit is being able to see candidates’ current work and interests. Google recently unveiled another innovative hiring tactic. It posted a billboard ta l e n t

BLOGS

Help Win the IT Talent Search

in Cambridge, Massachusetts, and silicon Valley, reading: {first 10-digit prime found in consecutive digits of e}.com. Google’s name did not appear on the board. If a person solved the problem and plugged the answer into a browser, he was taken to a Google site where he could submit a résumé. leech says FedEx plans to use a contest too, asking applicants to solve problems in logistics, programming and systems. Meanwhile, FedEx will be watching the blogs.

“recruiting is a timing game,” says leech. “When the boss is yelling at them, when they should have been promoted, that’s when we want to make contact with them.” his advice for other CIos: “Create a strong recruiting brand that is easy to communicate. Join popular online communities and start connecting with people that have the talent. remember, you are only six people away from phenomenal It t talent. the trick is how you connect the dots.” — by C.G. lynch l

All Roads

W i r e l e s s In 1748, Gianbattista Nolli redefined modern mapmaking: he offered the first iconographic view of Rome that detailed urban streets, public spaces and building interiors. Now, more than 250 years later, Carlo Ratti has set out to revolutionize cartography again — this time with the help of cell phones, taxis and buses, and Google maps. Called Real Time Rome, the project paints a new picture of the ancient city: on seven large flexible glass screens and in fiery, fluorescent colors, Ratti's team is able to show traffic congestion, the routes of the city’s taxis and buses, and where city dwellers are congregating and moving — all with real-time wireless data. “This type of data provides an understanding of the city that we couldn’t have had a few years ago,” says Ratti, director of MIT’s Senseable City Laboratory, which studies the impact of new technologies on cities. Wireless data from GPS devices located on taxis, buses and anonymous cell phones, fuel databases that Ratti’s team uses to create the topographies. The stunning maps have been on display at the Venice Biennale art exhibition. (To see them: senseable.mit.edu/realtimerome senseable.mit.edu/realtimerome/) During a recent Madonna concert, Ratti says he saw some of the “most beautiful patterns” on the screens. “You could see the city

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

pulsating toward where the concert was,” he says, “and how infrastructure is really being used.” The project has both simple and grand goals. Simple, because Ratti sees benefits for citizens who want to avoid traffic jams and for emergency responders who need to see the most efficient routes. Grand, because “we can change the way we design cities,” says Ratti. “It’s a way to streamline movement in the city.” To that end, Ratti is launching the Senseable City Consortium, an R&D initiative to bring together public administrators, network operators, and hardware and software companies to design smarter urban environments. “Cities, in the past, were built out of concrete,” he says. “Tomorrow, cities will be built out of silicon.” —By Thomas Wailgum

Vol/2 | I ssuE/01

IMaGE Fro M sEn sEab lE.MIt.EDu/rE altIMEroME/

Lead to Rome

trenDlines

Tackling PIn-Based

Debit card Fraud security In the first quarter of 2007, MasterCard Worldwide will introduce a new service to help banks and other card issuers detect and stop PIn-based debit card fraud in real time. “From our perspective, a PIn transaction is probably the most secure transaction” a cardholder can make, says Jerry sargent, MasterCard’s VP of debit strategy and alliance development. the new service will add to that security while at the same time alleviating growing consumer concerns about online fraud, he says. “this is really about listening to our customers,” sargent says. “We have seen all sorts of headlines about e-mail scams, ID theft and data breaches, and the concern was that as this goes out into the wider consumer world, it may have an impact on consumers using these cards,” he adds. MasterCard’s online Fraud Monitor service will use a proprietary risk-scoring model that will look at factors such as account spending, transaction histories and device-level activity to calculate the likelihood of fraud on an individual atM transaction, sargent says. For instance, if a card that in the past has been used only domestically were to be used in a large transaction in a foreign country, the

transaction would automatically be flagged as high-risk for follow-up action. MasterCard has been offering a similar fraud-detection capability for credit card and signature-based atM transactions for some time now. With the new service, the company is extending the same capability to PIn-based transactions. a lot of effort has gone into ensuring that the new service will not lengthen debit card transaction times or result in too many false positives, sargent says. a “significant amount” of historical transaction data and data on fraudulent transactions has gone into the development of the risk model, he adds. MasterCard’s new service addresses a definite need, says. avivah litan, an analyst at Gartner. Even so, it is unclear how successful the company will be in getting banks and other issuers to sign up for the service, she says. a majority of banks currently use Fair Isaac Corp’s Falcon fraud-detection system and their own homegrown systems for dealing with payment card fraud, she says.

— by Jaikumar Vijayan

Il lustrat Io n by MM shanIth

Spam That Delivers a Pink Slip

Last week, some employees at Dekalb Medical Center in Georgia received e-mails saying they were being laid off. The subject line read: ‘Urgent-employment issue’, and the sender on the message was dekalb.org, the domain of the medical center. The e-mail contained a link to a website that claimed to offer career-counseling information.

a n t i s pa m

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

A few employees clicked on the link to learn more and unwittingly downloaded a keylogger program. Score another one for spammers. Called targeted spam or spear phishing, this type of spam that’s currently on the rise is particularly vexing because the spammer is able to ‘spoof’ the sending e-mail address to make it look like it’s coming from within a recipient's organization, making it difficult for spam filters to catch. And unlike traditional spam that is sent in the thousands, these are sent by the handful, again making it hard for anti-spam technology to detect. “I don’t think we were the only ones targeted by this,” says Sharon Finney, information security administrator at Dekalb Medical

Center. “It’s going to get ugly. Spammers are getting stealthier and more targeted: these emails had terminology specific to healthcare, so they knew we are a hospital,” adds Finney. But there are ways to detect even wellwritten fraudulent e-mails, says Rami Habal, director of product marketing with Proofpoint, Dekalb's messaging security vendor. “Our technology looks for clues in the message,” says Habal. Another way is by using sender-authentication technology that can check if a message really comes from the domain it claims to, although Habal adds it isn't perfect because not all organizations are using sender authentication. —By Cara Garretson

Vol/2 | I ssuE/01

INTellIgeNce ShArINg i . t . i n G O V e r n m e n t Members of the US government’s intelligence community are using a Wikipedia-like community networking website to share data across agencies and open dialogue about disagreements over assessments like those that led to the war in Iraq, according to project leaders. Intellipedia, based on the open-source software that powers Wikipedia, allows free-flowing discussion on topics such as terrorism and Al Qaeda, say the creators of Intellipedia. The two agencies created Intellipedia following widespread criticism about a lack of intelligence-sharing before the Sept. 11, 2001, terrorist attacks, and later mistaken intelligence reports saying Iraq was developing weapons of mass destruction. Since the agencies launched Intellipedia, it has grown faster than Wikipedia did in its early days, says Don Burke who is with the CIA’s directorate of science and technology.

In addition to restrictions on who can access Intellipedia, it has several other differences from its spiritual successor, says Sean Dennehy, with the CIA’s directorate of intelligence. While anyone with access can read the information posted on Intellipedia, only logged-in users can edit articles there — unlike Wikipedia. In addition, users can track the changes made to information on Intellipedia, allowing them to see discussions about what information ends up in an official document. Creating a space for dissenting views is important following recent criticisms of US intelligence on weapons of mass destruction in Iraq, says Fred Hassani, who has helped build Intellipedia for DNI. Not all analysts have embraced the new tool, but many younger analysts have, says Michael Wertheimer, DNI’s deputy director of analysis and CTO. Half of all intelligence analysts have one to five years of experience, he notes. —By Grant Gross

Since its launch, Intellipedia has had over 13 million page views, 3,300 registered users, and 28,000 pages created.

trenDlines

Community Network Aids

Lynn H. Vogel

Peer To Peer

Everyone Gets to Play Good IT governance is not about committees, processes, forms and procedures. It’s about involving as many people as possible. And then it is IT’s job to support them.

T governance certainly has moved to center stage. MIT’s Peter Weill published a book simply entitled IT Governance; there are conferences devoted exclusively to IT governance; an IT Governance Institute conducts research on the subject and, of course, almost every consulting firm under the sun now offers services to review and redesign IT governance processes. Everyone seems to be talking about IT governance, and most people agree that careful selection of who makes decisions about technology investments will have a major impact on how successful those investments will be. But how do you make good governance happen? The real challenge is not the designing of committees, processes, forms and procedures; it’s meeting the challenge of participation. Getting people involved is what IT governance is really about. As Weill notes, “Behavior, not strategies, create value.” For IT governance processes to make a difference, one of the primary attitudes that CIOs need to encourage is the broad participation of IT customers. At the University of Texas M.D. Anderson Cancer Center, we try to stay away from calling much of what we do ‘IT projects’ because we’ve discovered that it really does make a difference if investments are viewed as projects belonging to IT or projects belonging to the business and enabled by IT. Consequently, we have ‘business projects’ in which IT is a major and often critical component. Only infrastructure investments are called ‘IT projects’. By changing the way we speak about projects, we have been able to shift the focus of the enterprise from the technology decision to the business decision about how technology should be used. 24

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - Everyone Gets to Play24 24

Vol/2 | ISSUE/01

11/10/2006 8:09:19 PM

Lynn H. Vogel

Peer To Peer

Thought Leaders, Opinion Leaders and Others Just recasting IT projects as business projects doesn’t, however, guarantee broad-based participation in IT governance. Building participation in the IT governance process requires three components: Involving thought and opinion leaders. B alancing individual needs and companywide requirements. Providing organizational support for participation. The first step is to understand that there are at least two types of participants in every organization: thought leaders (those who can think outside the box) and opinion leaders (those who are viewed as credible and trustworthy throughout the company). In health-care organizations, for example, I have identified physicians who are thought leaders — the first to try a new technology and the first to want remote access to clinical data. They subscribe to technology publications and install sophisticated networks at home. Opinion leaders, on the other hand, tend to be more conservative in adopting new technologies, but when they do embrace them, you can be sure that their colleagues will follow. A successful governance process requires a balance of participation between these two types of leaders. Both are needed to make good technology decisions. Thought leaders keep us focused on what the future holds; opinion leaders keep us grounded in what will really work. Second, the governance process needs to include both those who are deeply knowledgeable about the business processes in their own departments and people who understand the importance and potential impact of IT investments across the company as a whole. IT investment decisions must be both wide and deep in order to be truly effective. Third, and probably most important, governance processes won’t function well without strong organizational support. Participants in the IT investment decision-making process are typically volunteering their time. Tasks such as providing monthly reports on IT investment progress and assisting in the development of benefits realization and ROI studies are time-consuming. Rather than expecting volunteers to do all this on their own, you need a team dedicated to supporting them and, by extension, the governance process. Our governance team at M.D. Anderson started out as a traditional project management office (PMO). But we recognized that many of our IT-enabled business projects were actually managed by project managers within the business units. So, our focus shifted to two primary functions:

Supporting the work of the various committees, including making sure that projects were properly documented and that monthly financial reports got produced. Serving as a resource to project managers throughout the company by sponsoring training seminars. Each staff member in our new Project Support and Coordination Services Office is a trained project manager, most with formal project management certification.

The ROI of Participation After a major redesign of the IT governance process at M.D. Anderson almost two years ago, we were able to increase

Selection of who makes decisions about IT investments impacts the success of the investments. The decisions must be wide and deep in order to be effective.

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - Everyone Gets to Play26 26

overall participation tenfold. We now have 200 people (out of 16,000 in the organization) taking part in IT governance. Each of these people spends at least an hour a month focusing on IT investments — discussing successes or failures, monitoring the progress of current investments and looking ahead at new directions and possible investments for the future. Are our IT governance processes functioning any better with all of this participatory behavior? The answer is yes. In a formal review of our IT governance process by an independent third party, more than 85 percent of a sample of participants thought that the redesigned IT governance processes were a definite improvement over our previous processes. Having business owners participate in the technology decision-making process creates a sense of ownership, making information technology implementations not something ‘done to the business’ by IT but something they have embraced from the beginning. Broad participation in IT governance has been a critical factor in making IT investment decisions successful at M.D. Anderson. One might even argue that without governance participation, our track record of technology success would be in serious trouble. CIO

Lynn Harold Vogel, a member of the CIO Executive Council in the US, is VP and CIO for the University of Texas M.D. Anderson Cancer Center in Houston and an Adjunct Assistant Professor in the Department of Biomedical Informatics at Columbia University. Send feedback on this column to editor@cio.in

Vol/2 | ISSUE/01

11/10/2006 8:09:19 PM

Susan Cramm

EXECUTIVE COACH

Value? Added How CIOs can engineer a ‘tipping point’ to speed up the adoption of value management practices and prove — once and for all — that IT matters.

Illust ration anil t

usiness leaders continue to view IT spending as an expense to be managed and not an investment to be optimized. This inability to quantify the value that IT delivers to the business is, in my opinion, what separates the CIO from a seat in the boardroom. Most organizations have formed investment councils and require business cases. But very few have defined a ‘concept to cash’ closed-loop management process that directs investments based on strategic portfolio targets, keeps initiatives on track by measuring success around project approach and holds senior executives accountable for demonstrating value. After all, real change isn’t easy. In The Tipping Point, Malcolm Gladwell discusses engineering change with minimum effort. Although conventional wisdom says the progress of IT value management will be evolutionary, Gladwell suggests it can move rapidly if the three Tipping Point laws are applied: the power of context (sensitivity to environmental signals), the stickiness factor (memorable content) and the law of the few (the influence exerted by the socially gifted). To explore the potential of these laws, consider the practices in place at a small, fast-growing technology company. Since its inception 10 years ago, the company has invested in technology to sustain growth with little consideration given to cost structure or vision for how IT will support its competitive positioning and core business processes. The CFO, COO and CIO make decisions regarding IT investments on a case-bycase basis. Requests and associated IT resource allocations are fragmented by department and have tenuous ties to strategy. Let’s examine the power of context. It’s amazing how often executives fail to link value management initiatives to strategies

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - Value Added.indd 28

Vo l/2 | I SSUE/01

11/10/2006 8:13:49 PM

Susan Cramm

EXECUTIVE COACH

and programs that are in place and have momentum. In the tech company, there are growth concerns since its primary market is becoming saturated. Yet, IT’s top objective is the integration of its existing ERP processes to knit sales together with downstream supply chain activities. In terms of the company’s emotional energy, this initiative is a yawner and doesn’t have the ‘coattails’ to carry a value management initiative. The CIO will be a more effective catalyst for change around IT investment if he taps into the company’s emotional concerns around growth. For example, the CIO has uncovered business strategies that call for expanding sales within existing accounts by strengthening customer service and entering new markets with current products. Using this information, the CIO can help frame the business strategy so that the ERP initiative is linked directly to these goals. Now that the CIO has captured the attention of senior executives, she can demonstrate the fit between current and requested IT projects, and define a targeted IT portfolio and supporting governance. The ‘closed-loop’ management process should focus on basics such as ensuring that investments line up with portfolio targets, possess clear standards for accountability and success, and are monitored regularly via a project dashboard. Next, let’s discuss the stickiness factor. Too often, value management is designed for the needs of the enterprise and doesn’t provide value to the manager submitting the request for IT funding. To stick, the changes must benefit everyone who needs to comply. Managers will promote a process that makes it easier for them to get funding for strategic initiatives. There are several ways to accomplish this at the technology company. Senior executives could establish an experimental fund to test new product and service ideas. They might institute a fast-track approval process for growth initiatives. Or they could delegate funds to business unit or function heads for strategically aligned process improvements that utilize existing technologies and have a positive ROI. Now, let’s explore the law of the few, which identifies an organization’s influencers. A mistake in catalyzing change is to overestimate the influence of mandates from the top. Senior executives operating alone can rarely create the grassroots support necessary for a value management initiative. But by tapping the right people in the social network, support will build, provided the other two laws are respected. The tech company needs to garner sponsors for its initiative by identifying influencers in sales, marketing and customer support. CIOs pushing the rock of value management uphill need to reconsider their approaches. By viewing value management as a change initiative and leveraging Gladwell’s laws, it is possible for CIOs to accelerate the adoption of value management practices and prove, once and for all, that IT does matter. 32

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - Value Added.indd 32

Reader Q&A Q: Why have organizations been slow to embrace IT value management? A: CIOs haven’t been strong advocates of it, and many

organizations have weak governance mechanisms. CIOs have long understood that proving IT value is important, but they have lacked practical approaches to making it a reality since many have little experience in finance or Six Sigma disciplines. From a governance perspective, CEOs have expressed frustration about the lack of understanding around IT value. Given the magnitude of its costs and frustration about delivery, IT is an easy target. In many cases, however, there is also a lack of measurement and accountability across the enterprise. It is hard for CIOs to sponsor a value management initiative and it’s easy to rationalize a lack of action, but the times, they are a-changing. Leading-edge organizations such as Intel are proving IT value management is real. Q: Can you discuss value management from a government perspective? A: Some IT leaders think value management is more

difficult in a government setting because there isn’t a P&L and therefore no financial definitions of value beyond costs. The good news is, there is little difference between forprofit and non-profit approaches to IT value management. The approaches that work focus on the leading indicators to value. These are operational measures that are relevant to the business such as customer satisfaction, sales calls, cycle time and so on. These measures can be defined and measured regardless of the type of organization. Value management implodes when organizations take a purely financial view, because there is not a direct correlation between many investments and the financials except in the case of cost cutting, which is no longer the main focus of IT investments. CIO

Susan Cramm is founder and president of Valuedance, an executive coaching firm. Send feedback on this column to editor@cio.in

Vo l/2 | I SSUE/01

11/10/2006 8:13:49 PM

(From left to right) Vikram Chopra, GM (passenger services application) Centre for Railways Information Systems Sunil Rawlani, head-information systems & technology HDFC Standard Life Insurance Unni Krishnan T.M., group CTO (retail business), Shopper's Stop Jay Menon, director (innovation) & group CIO, Bharti Airtel Pradeep Saha, head-IT, Max Healthcare

Cover Story - 01.indd 36

Ver t 11/13/2006 12:52:54 PM

Every industry presents unique challenges where the CIO must marshal more than the usual chunk of resources to solve extreme headaches. By Balaji narasimhan, gunjan trivedi & rahul neel mani

Lessons Learned From the

r ticals Cover Story - 01.indd 37

11/13/2006 12:52:56 PM

Cover Story | Implementation

“Either you’re part of the problem or part of the solution — or you’re just part of the landscape.”

Uttered by Robert de Niro in a 1998 heist film, the writer of this memorable line is still a mystery in filmdom. It doesn’t matter because the words ring true, most of all in business today. When CIO’s reporters explored the IT organizations of five business sectors — retail, healthcare, BFSI, telecom and services — their stories revealed how Indian majors are thriving on innovation to solve their organizations’ problems. Most interestingly, each vertical puts forth a series of learnings that are not unique to itself, helping you derive insights into their approaches to address your own IT challenges. The solutions are now out in the landscape. Find out, across the next five stories.

creating

RETAIL

a shopper’s Paradise Every month, one of Shopper’s Stop 50 outlets clocks seven million instances of customers using technology. Encouraged, the group is now building on its technology capability to stay ahead in the volumes game. By gunjan trivedi

etail is similar to the world’s fastest train, the TGV. Its speed, availability and extraordinary experience set it apart and has made it among the most preferred modes of transport in France. The same fundamentals separate the retail amateurs from the men. A retail organization’s ability to scale up swiftly on demand, keep merchandize available, and create a consistently g r e at c u st o m e r experience in the face of surging volumes and mushrooming customer Keeping pace with volumes numbers will dictate its Guaranteeing availability success. This is where of merchandize technology assumes a Creating customer delight pivotal role. and ensuring consistency Among the big players in the organized retail space in India, Shopper’s Stop has

Greatest Challenges

Cover Story - 01.indd 38

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

always understood the criticality of scale, availability and experience, and has been an eager adopter of advanced, cuttingedge technology. “We deployed JDA-MMS and JDA-WinDSS, core merchandizing, store PoS application and ERP in 1998, much before the other players,” says Unni Krishnan T.M., the group CTO of Shopper’s Stop retail business that includes Shopper’s Stop, HyperCITY, Crossword, Mothercare, Desi Café, Brio and Home Stop. And Shopper’s Stop has continued to pump energy in this area. Today, says B.S.Nagesh, MD, and vice chairman of Shopper’s Stop, it has implemented pioneering technologies — like a self-checkout at HyperCITY, a first in both the retail brotherhood in India and globally.

The Number Crunchers The business and technological challenges that the retail sector face are similar to those in other sectors. What sets retail apart is the sheer volume of transactions it works with. It’s this volume that’s responsible for the high-use of technology in retail organizations. “Other sectors focus largely on ERP and CRM type of applications. We need those and much more because the number of touch points between technology and the consumer is a great deal larger in retail,” says Krishnan.

VOL /2 | ISSUE/01

11/13/2006 12:52:58 PM

Vol/2 | ISSUE/01

Cover Story - 01.indd 39

Scale Up or Get Out The TGV, even running at just 60 percent of its top speed of 515 kmph, requires over eight kilometers to brake. Retailers don’t have that luxury. IT's inability to scale up to mammoth volume transactions while ensuring the constant availability of merchandize can bring a retailer to a grinding halt. Krishnan says they’re the first to have rolled out among the most advanced replenishment applications for hypermarkets. Called E3, this sophisticated mathematical software helps HyperCITY analyze inventory trends, helping the enterprise

Shopper’s Stop was also the first in India’s organized retail space to use salesforce.com, a leader in delivering on-demand CRM solutions via the Internet as software-as-a-service, to automate its sales team. The application was customized and implemented in-house and christened IB-Force (Institutional Business). “IB-Force helps us to monitor a large percentage of our gift voucher sales, which is about 10 percent (about Rs 65 crore) of Shopper's Stop's sales,” says Krishnan.

Imaging by binesh sreedharan

The automobile industry, for instance, hardly has customers interacting directly with enterprise technologies, apart from a few dealer applications needed to help customers visualize the car they plan to buy, says Krishnan. But, retail creates a large number of customer-technology touch-points, with its self-checkouts, barcode scanners, pricechecking solutions and anti-theft devices. And the number of customers interacting with such technologies (like at the checkout counter) can easily increase from a few hundred to millions in a short period. “At HyperCITY, we've had over a million footfalls in the first three months,” says Krishnan. “At an average of two customertechnology contact points per customer and that’s about two million probable interactions between customers and technology in three months. Add to that the large number of items a customer buys per visit. (An average receipt has 30-50 items at a hypermarket.) Hypothetically, consider a 30 percent sales-conversion of two million footfalls — that translates to anywhere between 9 to 15 [times customers trigger a play of technology] in three months from a single store.” It goes without saying that technology deployed in a retail environment needs to be robust. But not robust like a tractor — there is no place for the unsophisticated in a shopping mall. Retail technology needs to be intuitive, user-friendly and has to offer a consistent experience. This requires identifying cutting-edge technologies and putting them to innovative uses. “There is a generation gap between us and other retailers in the country, as far as technology adoption is concerned. We’ve brought new-age technologies to the Indian retail market, some which others haven’t introduced,” says Krishnan. Shopper’s Stop has one of the largest installed bases of AutoCAD software, says Krishnan, because the chain uses CAD technologies to craft, draw and plan its multiple stores as they roll them out. At last count, the group had over 20 Shopper’s Shop stores and 30 Crosswords outlets. The enterprise is also at an early stage of deploying a solution to optimization store-to-floor space ratio. Called Intactix, it’s going to help the store managers visualize how to stock shelves using optimal sales and margin expectations. The application also helps analyze how much specific shelves are generating. “And it can even do a what-if analysis by removing certain merchandize off shelves and watching its impact on revenue and margins,” adds Krishnan. The group was also the first to deploy an IBM i550 performance server in the retail sector. This helps the organization consolidate all of its business units on a single box while running multiple applications, making it easier to administer and lowering the cost of ownership. “Today, we run four different enterprise applications (primarily merchandizing and loyalty applications) catering to six different retail formats on the single box, and we can still take many more. Soon we will be the first to use the i570 series of servers running on the Power5+ chipsets, which will boost our disaster recovery capabilities,” says Krishnan.

P hoto by S rivatsa Shandilya

Cover Story | Implementation

— Unni Krishnan T.M., group CTO (retail business), Shopper's Stop

REAL CIO WORLD | n o v e m B E R 1 5 , 2 0 0 6

11/13/2006 12:52:59 PM

Cover Story | Implementation refill its shelves faster at lower costs, forecast better, and address the critical element of product availability. “In a hypermarket, consumables like bread and juices fly off the shelves,” Krishnan explains. “Replenishing them every two days means we’re filling them about 180 times a year. Managing different products that need replenishment at different rates is tricky: should we buy 100 units of a product or 500? One hundred units means fresher products but also more frequent replenishment. Five hundred units allows for higher discounts, but pose a storage problem. E3 helps us find the right balance at the right time.” HyperCITY is also home to one of the group’s most innovative use of technology. Called iScan, this

Illustratio ns by P C A NO OP

Cover Story - 01.indd 40

With its price-checking solutions, barcode scanners and anti-theft devices, retail creates a large number of customertechnology touch-points.

E L A

handheld barcode scanning device lets customers scan their merchandize as they take them off shelves. When they're ready for checkout, customers don’t need to stand in a queue as their merchandize is scanned and billed — saving time and improving customer experience. The iScan represents a classic case where a piece of hardware is put to multiple use by bundling it with different apps. The same hardware doubles as stock-taking solution for inventory. It is also used — without the shopping cart — as a receiving solution at warehouses and helps managers within a store do price-checks on merchandize. Known as a platform concept, Shopper’s Stop borrowed the multiple-use approach from the auto industry and experimented with it in retail for the first time in India, says Krishnan. “Car models like Tata Indica and Indigo share the same [architectural] platform. When you create a platform, it’s easier to build more models off it by incorporating tweaks. We surprised our application provider by applying hardware and applications in new environments,” says Krishnan.

One View Shopper’s Stop primary objective as an early-mover technology adaptor is not only to empower its businesses with the agility to scale up and the power to ensure availability of merchandize, but also to eventually bring all its retail formats on a common

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

platform — and create a consolidated view of its businesses and one view of the consumer. Each retail set-up within Shopper’s Stop drives its own business, but shareholders, management and the board want to have one view of the business. Five to six years ago, Shopper’s Stop’s strategy was to grow quickly in different retail formats even if it meant sacrificing a single view of its businesses. Later, it became hard to see growth from multiple verticals, business relationships and franchises. “Instead of having a 20,000-foot view of all our businesses, what we had a view from a hill. And as we grew, we were forced to jump from one business’ hill to another. Two years ago, we decided to get a consolidated view of all our SALE businesses, while it was still early enough to create commonality across platforms,” says Nagesh. He associates three objectives with this move. One is transparency to view all his businesses. Another is that it provides a benchmark in managing technology as a part of the business. Third is the eventual strength in acquiring a single view of the consumer across all its businesses. “We want to have a common view of one customer across our retail formats, whether he’s buying coriander leaves at HyperCITY, The Afghan at Crossword, a shirt at Shopper’s Stop, a set of baby diapers at Mothercare or a cappuccino at Brio,” says Nagesh. Shopper’s Stop is always trying to balance between common platforms and creative technological solutions. “Wherever it is feasible, we try to create common applications across our retail formats. We recently moved Crossword from legacy apps to JDA-MMS and JDA-WinDSS. As a result, we have achieved a common merchandizing and store application platform almost across all our group companies,” says Krishnan. Crossword is using four enterprise applications, down from 12. However, when differentiation is required, specific solutions are created unhesitatingly. HyperCITY's speed checkout solution using iScan is an example. This approach and the daring to take on new technologies is a characteristic feature of the group. And it’s being applied to getting a single view of the business. “I firmly believe that investing in technology should be kept at par with investments in real estate, senior management, and building capacities. Never hesitate in investing in technology,” says Nagesh.

Senior correspondent Gunjan Trivedi can be reached at gunjan_t@cio.in

Vol /2 | ISSUE/01

11/13/2006 12:53:00 PM

Dial i.t.

TELECOM

for integration How Bharti Airtel meets the challenges of integrating businesses and staying in line with growth fuelled by M&As. By rahul neel mani

Braving the Integration Blues

or a company that began with one mobile service license in 1995, the Rs 8,156-crore Bharti There was a dire need to integrate all the services that Airtel has taken rapid strides to become the Bharti Airtel provided as one brand. There was yet another bellwether in the Indian telecom industry today. need to integrate the systems and processes across circles, Its country-wide presence and market capitalization and initiate the swift migration of all heterogeneous of Rs 101.9 crore reflect a fast-growing company at one processes to one platform across the 23 circles. level. At another level, such expansion signals a huge In 2002, when the carrier embarked on the integration challenge, especially for a company whose growth has process, it had few circles to operate and was running come inorganically, through mergers and acquisitions legacy billing systems. Menon recalls the days when (M&As), as part of the industry consolidation. Ask Bharti the company bought its first off the shelf, high-end, Airtel’s IT organization. commercial billing system called Keanan in 2002. With each acquisition, the challenges grow by leaps and “The migration of just two circles from legacy to this bounds. Bharti Airtel has sought to consolidate disparate platform was extremely painful. Several business rules IT systems of different entities and standardize platforms and processes needed to be aligned with the IT systems. across the company. Says Jai Menon, director (innovation) Everything was missing. It took us several months to and group CIO of Bharti Airtel, set it right. Imagine the task of “In 2002, while on an S-curve repeating the similar exercise of growth, we were just on time. after every acquisition,” It has reflected well in the way says Menon. we adopted technology and the There was a strong belief way customers experienced within that technology wasn’t our offerings.” the problem. It was integration, The journey, which started and its alignment with business then with basic integrations thereafter, which was essential Integration in the context of internally, will culminate by 2010 to keep growth steady on the inorganic growth as One Airtel — a complete intra S-curve. The non-integrated Getting rid of legacy systems and inter-SBU integration across entities were also lying too Minimizing migration time Bharti Airtel’s divisions. The low on the capability front journey has posed three major because of the over-customization challenges: scaling up (vertically of information systems and and horizontally), capability commercial software at different enhancement and integration. entities within the company.

Greatest Challenges

Cover Story - 01.indd 42

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

VOL /2 | ISSUE/01

11/13/2006 12:53:02 PM

Imaging by binesh sreedharan

P hoto by yatindar kumar

Cover Story | Implementation “In the absence of consolidation and integration, we were only running at 10-20 percent of total capacity,” recalls Menon. Yet another challenge lay in getting rid of legacy systems and hardware to the pave way for new and efficient hardware. “Legacy has to be a setting sun in the cases of bigger alignments and M&As. Otherwise, the situation remains the same,” asserts Menon. In its integration quest, Bharti Airtel practiced the one data model and one business process. Data residing at multiple locations on multiple heterogeneous storage systems and subsystems had to be migrated to the new data model, which would be central and accessible to all in a uniform fashion. In doing so, another challenge arose when the business logic, encoded in the legacy data models, had to be changed, migrated, mapped and then integrated to the new data model and new business logic. Says Menon: “There were fundamental challenges posed in migrating to this business data modeling. The first time around,

in 2002, we went completely wrong. It took us nearly seven months to correct this. But subsequently, after every M&A, the time kept reducing. Now, we are able to do it in a few hours.” It was also imminent to survive the decline of revenue in the voice market and cut costs by consolidating whole universe of applications and data to streamline processes that were fragmented at the circle or business unit level. Based on the experience of multiple integration exercises, the company has since created a blue book — a Center of Excellence. “It took time to create the first set of common standards, but once this was achieved, it was just an act of replication,” says Menon. In the IT model at Bharti Airtel, the base infrastructure layer primarily consists of WAN, LAN, network operating center and security layer. And so, another daunting integration task was knocking at the doors of the company: the outer physical layer of the network — the WAN. Every circle was operating on a separate WAN. Integrating the WANs onto one common protocol became necessary. Still, a heterogeneous WAN network wouldn’t have allowed diverse traffic types to travel effectively on the common infrastructure. “It wasn’t possible for us to support ‘any-to-any’ traffic patterns cost-effectively. We were not able to ensure that individual applications got the network performance they required,” says Menon. Towards this end, it became important to enable traffic engineering, where carriers direct traffic along predetermined paths. It was to make it easier to manage network build-outs and support customers. “This capability only comes through multi-protocol label switching (MPLS). Our next biggest challenge was to build a unified MPLS network connecting the core across all circles,” says Menon. With or without the mega-mergers, consolidation of WAN was the mandate for the company for reasons more than just a unified network.

Non-stop Integration

— Jay Menon,, Director (innovation) & group CIO, Bharti Airtel

Cover Story - 01.indd 44

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

As a result of the efforts to integrate, the first phase saw intrastrategic business unit (SBU) integration. Within all three divisions — mobility, fixed line and broadband businesses — the internal information systems were migrated onto one platform. “It took us a few years to complete the intra SBU migration, but Bharti Airtel became the first telecom service provider in India to be working on a single, standardized platform internally, including HR, financials, knowledge management, learning management,” claims Menon. On the business side (customer facing application and IT systems), the company is slowly inching towards totally integrated and standardized platforms. The thrust is to first achieve integration of systems, business intelligence systems, data warehousing, so that there is one national picture to view. At the time this story was reported, Bharti Airtel was in its penultimate stage

Vol /2 | ISSUE/01

11/13/2006 12:53:04 PM

Cover Story | Implementation of bringing billing onto a common engine known as convergent billing platform. “We have also progressed sufficiently on the common CRM platform across all 23 SBUs. This is a tremendous success in inter-SBU integration. It has not only brought business-IT alignment into play, but the capabilities of IT systems have grown nearly 10 times between 2002 and 2006. On the customer side of IT, many areas like sales, order management, billing, revenue recognition, customer care and business intelligence have had to be migrated from

outsourcing partner, with some others. All partners work on a revenue sharing basis, so that there is no immediate capital expenditure; ROI doesn’t come into play. “With this kind of integration, I, as a CIO, have been able to make capital expenditures, maintenance contracts and other such micro things redundant.” All these functions are now offloaded to partners because of the ‘utility computing’ model driven by the premise that integration not only brings operational efficiencies, but also gives cost efficiencies. In the case of Bharti, the utility computing model has worked very well. The company made sure from day one that this model is directly related to business outcome because internally, in the company, most of the IT is related to revenue, which is the business outcome. “As the revenue goes higher, the percentage of spent on IT comes down,” notes Menon.

The thrust is to first achieve integration of systems, business intelligence systems, data warehousing, so that there is one national picture to view. their current platforms to one standard platform — to be 100 percent more agile,” say Menon. The entire IT infrastructure of Bharti Airtel now runs on multi-protocol label switching WAN, which helps the company support a host of applications, including the ones that are leading-edge. Migrating to MPLS-based services also cut costs for the company depending on the degree of converged traffic that Bharti Airtel was running on it. Says Menon: “Using MPLS for all three layers — data, voice and video — saved us as much as 25 percent on the network expenditure. CIOs might wonder how difficult it is to make the transition. Surprisingly, it’s less painful than anybody thinks. Technically, MPLS isn’t a service offering, but underlying infrastructure.” Through this exercise, Bharti Airtel has created an IT ecosystem which now uses one piece of middleware for 16 of its major application systems running on 1,500 odd servers. As a result of this massive integration drive, Bharti Airtel executed three large utility computing models between 2004-2006 after factoring in both capital and operational expenditures. For business and internal IT, IBM became the key outsourcing partner with 15 more providers lined up behind it. For all contact center technology, Bharti Airtel picked Nortel and seven of its associated partners. On the infrastructure front, IBM was again the strategic 46

Cover Story - 01.indd 46

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

The Ultimate Objective

Most of the intra-SBU and some of the inter-SBU IT systems have already been stitched with one thread — and are working well. Some of the most ambitious projects like integrated CRM, integrated self care and order management convergent billing are in advanced stages of completion. “We are targeting that by 2008, Bharti Airtel — mobility, fixed line and broadband — will have one content gateway, one messaging gateway and one application gateway across all platforms, that is, PC, mobile and TV. That will make us a 100 percent integrated telecom carrier. We'll be the first telecom company in the world to achieve this,” claims Menon. Overall, the process has stemmed from the company’s quest for integration, which started early on in 2002. The company gathered the right ecosystem, got the right architecture in place, and did the migration and integration upfront. It has resulted in cost-effectiveness and the ability to recognize customers better. “On the S-curve of growth, we started very early. We wanted this whole strategy to ultimately translate into ‘rich customer experience’. And it’s nothing but a result of integration and capability enhancement in the IT systems,” asserts Menon.

Bureau head-north Rahul Neel Mani can be reached at rahul_m@cio.in

Vol /2 | ISSUE/01

11/13/2006 12:53:04 PM

insuring

BFSI

against Paper-Pushing HDFC Standard Life Insurance has made a successful bid to get its people away from the clutches of paper files and back to the business of insurance. By gunjan trivedi

of paper racing around if a company handles about ten hat does it take to follow a paper trail? thousand policy files everyday. Now, imagine the impact Ask an insurance company. Take an on the organization’s turnaround time. Electronic insurance organization anywhere in content management and digitization of workflow was the world and it will look at paper as a imperative,” points out Rawlani. In 2003, HDFCSL necessary evil. That’s because with so many entwined embarked on a mission to cut out the paper chase and business processes with cascading results, variables and embrace Business Process Management (BPM). overlapping needs, insurers need to ensure well-defined The Mumbai-headquartered HDFCSL, a joint-venture workflows, which for unprepared companies means an between UK’s mutual life assurance company Standard avalanche snowballing of paper — and plenty of it. Life and HDFC, was started in 2000 to tap the evolving At one time, it got so bad that many insurers in the US life insurance market in India. As one of the first private — housed in multiple-storey buildings — used conveyor life insurance companies in India, HDFCSL’s operations belts to carry files across hundreds of desks through were characterized by manual processes that were added multiple departments. The mechanical solution, though incrementally to keep up with business requirements. it successfully reduced the time it took to move paper files In order to differentiate itself and tap the market around, didn’t address the problem. Sunil Rawlani, headmore progressively, it adopted the customer-centric information systems and technology of HDFC Standard approach and offered service as it's USP. As HDFCSL saw Life Insurance Company (HDFCSL), was certain he wasn’t unprecedented growth, their manual processes, layered going to put his money into a conveyor belt. unsystematically over time, started Rawlani was determined to crack under the pressure. to drain away all the paper The number of Excel that was clogging business worksheets, used to track efficiency. He decided to policies, mushroomed. introduce digitized content, Increased communication for automated workflow and new requirements began to agile, re-engineered processes. choke the organization. Multiple “Insurance is a conventional, Eliminating the problems of systems to handle status paper-based business with a paper-intensive workflow queries or communicating new 90-page files packed with with electronic content management decisions rendered supporting documents hopping management and BPM process control inconsistent across work-desks. These Giving business back its USP and inefficient, which hit the obese files then travel in and by focusing on service and organization’s ability to measure out of file cabinets, to agents, to not paper chasing. performance. All the while, the junior underwriters, to medical volume of paper exploded making institutes, to senior underwriters document-filing and handling and so on. Imagine the volumes

Greatest Challenges

Cover Story - 01.indd 48

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

VOL /2 | ISSUE/01

11/13/2006 12:53:06 PM

Cover Story | Implementation

Imagi n g by bi n esh sreedharan

P hoto by kapil shroff

— Sunil Rawlani, head-information security & technology HDFC Standard Life Insurance

Cover Story - 01.indd 50

extremely tedious, and created a storage nightmare. Manually distributing work and summarizing data from proposal forms also impacted the processing time. The inability of business managers to balance workloads and a lack of insight into productivity created a vicious cycle that sucked business down. The disorder spread as misplaced documents affected policy turnaround time and created a ripple effect among interlinked files. In a firefighting attempt to stave off confusion, staff at the branch levels began duplicating documents and entered data in two places. This increased the cost of operations and worse affected HDFCSL’s USP: service. After several months of deliberations, HDFCSL deployed a BPM solution from Staffware (later acquired by Tibco) and an Enterprise Content Management solution from FileNet. “This exercise replaced paper with digital files, streamlined and re-engineered workflow, and created a more scalable, synergetic and agile business,” says Rawlani.

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

But these changes came with a rider: it cost a lot of sweat. The changes required some of the hardest IT activities: designing an accurate business process, mapping process to defined algorithms and incorporating people, management and systems to the change. HDFCSL’s IT department did a lot of the spade work. The initial process of identifying key business processes (such as new business, claims, grievances and policy management), defining workflow rules and algorithms and weeding out non-critical processes took three months. “The core BPM team identified key business processes using statistical sampling. The process design was divided into three functions: defining, documenting and re-engineering. We prioritized mapping business processes to the BPM platform using a simple concept: address the most painful areas first,” says Rawlani. The process of mapping and designing is an ongoing process although Rawlani’s team tried to do it on the first occasion because un-ironed glitches would have cascading effects. “We called the system WONDERS: Workflow On Demand Enterprise Retrieval System. There were many lessons learnt and unlearnt. We were among the first Indian insurance companies to incorporate BPM at this scale and had to come up with innovative and creative solutions,” recalls Rawlani. It began with the creation of a core BPM team, whose job it was to identify key drivers and enablers, and design processes accordingly. The core team included people from business, HDFCSL’s in-house IT team and the vendor. Top of its list was to automate documents and workflow — Rawlani wanted paper out of the way. Documents were identified, scanned, indexed and committed to an imaging system. The system includes the most sensitive scanners available, since underwriters, who assess the authenticity of documents, need to determine things like whether the same pen was used throughout the form or whether data’s been overwritten and manipulated. Underwriters man the gates of an insurance company and based on their findings, subsequent queries are generated. Only once images are committed and crossed-check by underwriters is a case released into the organization’s workflow. His early-mover status didn’t leave Rawlani with too many references to draw on. His solution was to take a team of people from operations, the underwriting department and IT on a tour of insurance companies in various South-east Asian countries, who had used similar BPM and digitized workflow technologies. “This helped a lot, but there was still one major problem that the tour didn’t solve,” says Rawlani. The roadblock lay with the underwriters. In the manual setup, documents were verified on paper (a portrait view), but scanned images of documents on computer

Vol /2 | ISSUE/01

11/13/2006 12:53:08 PM

Cover Story | Implementation screens were viewed in landscape-mode, making the underwriters’ jobs very tedious. “We tried using larger monitors, but that didn’t work. As for portrait-oriented monitors, they were available only in the US at that time and were astronomically expensive,” he recalls. With true CIOresourcefulness, Rawlani found a solution that kept everyone happy: he deployed graphics cards that supported multiple monitors. Each underwriter workstation was connected to two 15-inch monitors. One monitor displayed the document up-straight and the other displayed the scanned policy in portrait-mode. But, the document imaging solution isn’t only a set of clever ideas. Its benefits, like proper indexing, access control, the ability to include annotations, secure storage, fast retrieval and better disaster recovery are far-reaching. It’s also ensured better human resources allocation — and that paper is eliminated from the workflow. The advanced capabilities of the BPM platform are also used to break down and monitor an automated process into steps as they are rolled out. Each step within a process is monitored and inefficiencies identified. Each step’s time is noted and monitored against the duration of the entire process. Irregularities are immediately identified using key performance indicators built into the platform. Business procedural algorithms or rules are kept loosely-coupled with the BPM using a separate business rules engine, ensuring that in the wake of changing business needs, the entire process is not altered. Tweaking only the rules helps create a more agile process, which can effectively adapt to changes. Insurance companies, for example, allocate policies to either junior or senior underwriters, depending on the body weight of the applicant. If, at some stage in the future, these parameters change or say an applicant wants to customize his policy, the entire process doesn’t need to undergo an alteration. The required changes are merely incorporated within the business rule engine.

“At first, we addressed the business processes in breadth, to automate key front-end features. Then we started to scale the depth of the process. This incremental approach helps us to address issues cropping up without disrupting the entire process, and easily secure management buy-in by being able to show benefits early on,” says Rawlani. The au t o m a t e d workflow has benefited the organization. Apart from the measurable benefits of a 300 percent improvement on policy turn-around time. For instance, the average time to issue a new policy today is 1.52.5 days, down from 5-6 days. The organization is also able to offer improved customer service with consistent experience, and enjoys improved efficiency in terms of immediate access to documents, tracking policies online, a new ease of administration, much better process manageability and control, better compliance, and overall reduction in the cost of ownership. There has also been a 40 percent reduction in the time underwriters spend handling queries. This translates into substantial ROI, especially since the number of policies issued in a year run in hundreds of thousands. (HDFCSL issued over just under 4 lakh policies in 200506, covering more than 5.8 lakh lives.) Moving ahead, Rawlani wants to bring all business processes that are not yet fully automated — such as claims — under BPM. He is working full time to bring in more third-party integration between the workflows of HDFCSL and external entities such as medical institutes or re-insurers. “I am also figuring out how to further equip our sales-force and agents with sophisticated mobile devices, which can integrate seamlessly with our workflow and further reduce our turnaround time as we deliver policies to the customers, right at their doorsteps,” he says.

BANK

The advanced capabilities of the BPM platform are also used to break down and monitor an automated process into steps as they are rolled out.

Cover Story - 01.indd 52

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Senior correspondent Gunjan Trivedi can be reached at gunjan_t@cio.in

Vol /2 | ISSUE/01

11/13/2006 12:53:08 PM

On the right

SERVICES

track

How the Indian Railways overcame a logistical nightmare in a mission to change the customer experience of nearly 14 million people who travel with unreserved tickets everyday. By Balaji narasimhan

s the second largest rail network in the world and the largest in Asia, statistics concerning Indian Railways are bound to impress. It boasts of coverage that exceeds 60,000 kilometers, has 300 railway yards and 700 repair shops. It runs more than 11,000 trains on a daily basis, and directly or indirectly touches the life of almost every person in India. However, not all figures concerning the Indian Railways are as impressive. For instance, almost 14 million of the 15 million people whom the Railways transports every day travel on unreserved tickets. Handling them has been a huge problem. As union railway minister Lalu Prasad Yadav said in his maiden Railway Budget speech at the Lok Sabha in 2004-05, “About 92 percent of railway passengers travel without reservation in unreserved coaches in trains in the country.” This revelation is not something new, and the Indian Railways had realized the need for an Unreserved Ticketing System (UTS) a long time ago. In fact, Nitish Kumar, in his Railway Budget in 2002-03, had announced the pilot of the Unreserved Ticketing System, at a time when the Indian Railways was celebrating its 150th Designing the system from year of operations. the ground-up As Vikram Chopra, Freezing on the right group general hardware/software manager (passenger combination services applications), Creating an extensible Centre for Railway system Information Systems (CRIS), points out, “The decision to introduce

Greatest Challenges

Cover Story - 01.indd 54

N o v e M B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

UTS as a pilot project at 23 stations around Delhi was taken in January 2002, and the inauguration of the same was done on August 15, 2002.” Today, this project is showing a lot of benefits, and has been extended to 588 stations as of March 31, 2006. Further, the Indian Railways plans to cover 943 more stations in 2006-07, and ensure that a total of 6,000 stations have UTS as of March 31, 2009. While UTS is delivering excellent payback, the road taken was thorny. “As a first step towards computerizing ticketing, the Indian Railways introduced Self Printing Ticketing Machines (SPTMs),” points out Chopra, adding that, “These were standalone microprocessor-based ticket machines. While they contributed towards reducing ticket inventory and provided automated accounting at the station level, they had several limitations.” The limitations included: The system was a logistical nightmare because fare changes had to be made on each and every machine. Since these machines were standalone systems, tickets could only be booked from the station of origin of journey. Cancellation could also be only done at the same counter where the ticket was booked. Since there was no network, there was no real-time generation of revenue. Additionally, these machines were prone to tampering. In order to overcome these limitations, CRIS designed the UTS. “The project was given to CRIS on a turn key basis, and the work involved designing the system, freezing of hardware and software requirements, procuring the hardware, development of software and testing it, and finally, installation,” recalls Chopra. While implementing such a large system tends to be a complex undertaking, CRIS’ core competency in handling such installations helped. Set up in 1986 to manage all the computer activities of the Indian Railways, CRIS had implemented large projects before, like the Freight Operations Information Systems (FOIS) and Passenger

VOL /2 | ISSUE/01

11/13/2006 12:53:10 PM

Cover Story | Implementation Reservation System (PRS). But, while the PRS has been widely hailed by e-governance experts as one of the most successful e-governance projects, not only in India but across the world because of the number of citizens it has impacted, it handles only around 0.8 to 1 million reservations per day. The unreserved ticketing system, on the other hand, had to handle several million reservations a day, and be capable of scaling way beyond 10 million reservations in the future. The most important thing about the unreserved ticket system was that, since it impacted so many people, it has to be available on a 24x7x365 basis — and this applied to all aspects of the system. “The system has therefore been implemented in the high availability mode from all — hardware, software and telecommunication — angles,” says Chopra. Therefore, CRIS decided to use diskless PCs equipped with 144 MB flash ROMs. The ROM was to be loaded with three components: Red Hat Linux, Adaptive Server Anywhere Sybase RDBMS, and the ticketing application itself. The problem that CRIS faced was that

— Vikram Chopra,

GM (passenger services application), CRIS

Cover Story - 01.indd 56

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

all these things didn’t fit into the 144 MB ROM, and so measures had to be taken to trim the RDBMS and the OS. Once this task was accomplished, CRIS faced another problem: it was using proprietary terminal servers to connect dumb terminals with the backend server. This, apart from being expensive, was also capable of tying the Indian Railways to outdated legacy methods. In order to combat this problem, the UTS team at CRIS started work on a TCP/IP terminal server, which had the advantage of being extensible. Because security was an important consideration for the Indian Railways, CRIS developed special tools to centralize the management of these dumb terminals. As a result of these tools, the security administrator can manage the ports from a central location, and even define the transmission speeds for data flow. But the finest aspect of the terminal is that it is highly fault-tolerant. While it works off the network, it can also function as a standalone system if the backend server or the telecommunications link breaks down. Once the server or the network failure is rectified, the client reconnects to the backend server and automatically synchronizes the data. Another added bonus of these efforts was that the TCP/ IP terminal server cost just one-fifth of the proprietary terminal server that was in vogue earlier. Since TCP/IP is the lingua franca of the Internet, CRIS was also able to make the UTS easily accessible over the Web. As Chopra points out, “The booking of unreserved season tickets can now be done through the Internet with the physical ticket being delivered to the passenger’s address.” The usage of the Internet apart, the overall reach of the UTS has been staggering, to say the least. “Today the UTS network covers 682 stations with 2,152 users connected to eight data centers located in New Delhi, Kolkata, Chennai, Mumbai, Secunderabad, Patna and Gorakhpur. The system issues tickets to around 5 million passengers every day, generating revenues of over Rs 14 crore,” avers Chopra. While numbers are always striking, the other benefits — both to Indian Railways and to the common man — are even more stirring. Now, travelers can buy tickets from any station and need not be restricted to the boarding station. The new UTS system also allows the purchase of an unreserved ticket three days prior to the date of journey, as the facility for booking unreserved return tickets exists. The Indian Railways has also seen benefits from the UTS. Since the burden on the ticket-issuing personnel was reduced, the same staff could be used for additional ticketing counters. The productivity of the booking clerks was also enhanced. The Indian Railways enjoyed other benefits, such as: Fares and business rules could be changed more easily, and this protected railway revenues and reduced passenger complaints. Passenger traffic is measurable on a real-time basis. Since more details of the usage of trains were available,

Vol /2 | ISSUE/01

11/13/2006 12:53:12 PM

Cover Story | Implementation analytical reports with higher accuracy could be produced for top management. More counters could be opened for ticket sales without requiring any addition in manpower. The security features incorporated into the UTS reduced the chances of fraud considerably. Of course, all this comes at a cost. While Chopra was not able to provide the final cost of the UTS system because the implementation of the system is still in progress, he says that the Indian Railways has already spent Rs 80.71 crore as of March 31, 2006. An additional amount of Rs 86 crore has been sanctioned for 2006-07.

Empowering Passengers

hile RFID (radio frequency identification) is usually seen as something that adds value to the supply chain, the Indian Railways is also implementing this technology to make traveling easier for the common man. This plan revolves around smart cards, which are issued in denominations of Rs 100, Rs 200 and Rs 500. These cards are valid for one year, but the unused amount can be transferred to a new card. These smart cards are used with ATVMs (Automatic Ticket Vending Machines), which are equipped with a touch screen. Using the touch screen, the smart card holder can enter the details of his journey and the amount is automatically subtracted from his smart card. While this usage is bound to enhance customer satisfaction, RFID is capable of playing an even higher role in the handling of freight. The Indian Railways is supposed to have 222 million freight wagons, and RFID tags embedded in the wagons will be read by readers located in sheds. Using this system, which is currently in its pilot phase, the Indian Railways hopes to streamline freight management across the country. The impact upon the country itself is bound to be huge because, as of 2004-05, the Indian Railways carried 1.65 million tonnes of freight on a daily basis. Since the network of the Indian Railways covers around 63,465 km across the length and breadth of the country, this system will make tracking of freight much easier than it is today. — B.N.

While Chopra didn’t provide any direct figures bearing upon the ROI of the project, he points out that, “While it is not possible to quantify direct savings or increased revenues on account of UTS at present, as it is still in the expansion stage, costs will come down on account of reduced ticket stock inventories and reduction in investment for increasing points of sale. Revenues will increase because of greater productivity in ticket sales by booking clerks, better availability of tickets, and more efficient services through better planning made possible by better MIS.” A study of Lalu Prasad Yadav’s Budget Speech for 2006-07 gives us some indicative figures of the ROI of UTS. Passenger earnings increased by 7 percent, and no doubt, UTS would have contributed to that . Streamlining achieved by the UTS, among others, has also enabled the Indian Railways to target an additional income of Rs 200 crore by adding additional coaches to some 190 popular trains. For 2006-07, a growth target of 11 percent has been set for passenger revenues, which add up to Rs 16,800 crore. Since the UTS already touches 5 million people per day, the averment that it is bound to add significantly towards this target is not untenable. Success apart, CRIS has no plans of resting on its laurels. “We are now planning to further enhance the UTS project with the introduction of touch screen based Automated Ticketing Machine, both with prepaid smart cards, debit/credit cards and currency in the near future,” says Chopra. Some of the innovations are also coming from slightly out-of-the-way locations. For example, the Indian Railways launched its first satellite UTS at the Pampa Devaswom complex in Thiruvananthapuram in November 2005, which is aiming at issuing unreserved tickets from non-rail heads. This system is expected to help several lakh pilgrims visiting Sabarimala by enabling them to purchase tickets three days in advance from any railway station. Another first has been achieved by the Danapur division of the east central railway, which has become the first division of the Indian Railways in which all ‘A’ ‘B’ and ‘D’ class stations have been provided with UTS facilities. With UTS expected to proliferate across the country in the coming years, these numbers are only likely to go up — along with customer satisfaction, of course.

Special correspondent Balaji Narasimhan can be reached at balaji_n@cio.in

Cover Story - 01.indd 58

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol /2 | ISSUE/01

11/13/2006 12:53:12 PM

cures

HEALTHCARE

On a large scale Enter a healthcare WAN that has succeeded in taking highlydifferentiated and specialty medical services to remote areas. By rahul neel mani

hat India is a vast and varied geography with a burgeoning population is oft documented. Over a billion people are spread across a landscape from deserts to frozen mountain ranges, whose temperatures soar to 50 degree Celsius and plummet to -30 degree Celsius. Delve deeper into the demographics, and one will find more revealing facts: a very high infant mortality rate, an unmanageable population per doctor — nearly 70 percent of the population lives in remote parts — and an average life expectancy of 63 years. In many ways, all pointers to a deeper need for India to turn to telemedicine. The modern applications of telemedicine do not simply entail a better business logic for hospitals and other healthcare service providers, but also promise to contribute toward an national cause. India has been a relatively late adopter, but is fast catching up in terms of applying telemedicine technologies. Max Healthcare Institute, the Rs 145crore super-specialty hospital, has taken a plunge in proliferating treatment and medical Infrastructure to provide ser vices through service to remote areas telemedicine. Its Training and enhancing TeleMed connects manpower capabilities primary and specialty to provide services healthcare services, Creating cost-efficiencies through images and through such a system other data, to health centers and tertiary hospitals with their

Greatest Challenges

Cover Story - 01.indd 60

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

highly specialized staff and technical equipment in remote areas. Telemedicine is an emerging system of medicine in India, but can prove very effective in terms of delivering timely treatment for those deprived of good medical facilities, says Pradeep Saha, head-IT for Max Healthcare. “Information and telecommunication technologies have now reached a stage of maturity so that it doesn’t take much time to set up a network for telemedicine facilities between two points. “Earlier, an example of telemedicine may have been as simple as a doctor receiving advice and consultation from another doctor over the telephone. Today, telemedicine can bring a physician located hundreds of miles away into an actual examination room, thanks to a live, interactive system,” notes Saha. However, India is still far behind when it comes to attaining acceptable standards of health infrastructure and services, says Saha. “There is a shortage of computersavvy healthcare personnel. Overall, it results in the poor use of telemedical infrastructure, and the people who suffer the most are those in the remote areas. Quite early on, Max Healthcare felt the lack of training facilities with regard to information and communication technology (ICT) in medicine. In rural India, medical terms like HIS (hospital information systems, RIS (radiology information systems), and PACS (picture archiving and communication systems) are unheard of by the medical community. “There is virtually no exposure to the applications of ICT in remote areas where most people of India reside,” says Saha. “We recognized this problem and thought of putting in place a solution to bridge this gap. Max Healthcare got actively involved in the practice of telemedicine with its various

VOL /2 | ISSUE/01

11/13/2006 12:53:14 PM

Imaging by binesh sreedharan

P hoto by n aveen

Cover Story | Implementation specialty hospitals and clinics, as well as ongoing telemedicine research and training projects,” he explains. The hospital prepared a blueprint to establish tertiarylevel service delivery facilities across rural and urban locations that were integrated with Max Healthcare TeleMed. This was to bring Max Healthcare services closer to the people, regardless of the geography in question. The Max Healthcare doctors were confident that telemedicine would be a great tool to enhance the level of onsite care in small nursing homes. It would virtually eliminate unnecessary ambulance transportation and delay in providing critical medical care whenever — and wherever — required. The aim of Max Healthcare TeleMed was to empower physicians in remote areas as well as healthcare personnel to stay updated, vis-à-vis medical knowledge and the skills to provide better healthcare. Another major objective was to educate and train doctors in remote areas who were otherwise unable

to access such training for both geographical and monetary constraints. “Doctors in remote areas seldom get an opportunity to attend training sessions and thus lack knowledge to handle critical medicinal cases. Telemedicine is one of the greatest ways to provide an online training program, in which doctors — using communication links — can actually indulge in training,” says Saha. Consultation with experts and taking secondary opinions is a time-consuming job, especially if the experts are unavailable. Telemedicine bridges this gap easily. “If a doctor has a heart patient but is not able to read an electrocardiogram, the images need to be sent immediately for an expert’s interpretation. It can save a life and that’s only possible if you have a telemedicine facility with data and voice,” asserts Saha. Max Healthcare was confident that it could even monetize the rural centers through cost savings generated by identifying diseases in the early stages.

Brick and Mortar of Telemedicine

— Pradeep Saha,

head-IT, Max Healthcare

Cover Story - 01.indd 62

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Telemedicine technology is generally a function of communication infrastructure and the cost of information technology hardware. There has to be a proper communication link between the center from where the telemedicine service and expert opinion are to be provided and the place where the patient is actually located. To be able to provide cost-effective services and avoid unnecessary overheads of capital and operational expenditure, Max India set up a 512-kbps primary rate interface ISDN link between the telemedicine centers and the tele-consultants. This was enough to work as a primary link between the two centers. These lines were connected with modems at both ends to transmit the data between the two places. “The pain area was not the technology, but its implementation and maintenance at the remote end because doctors and technicians needed initial training for usage. Also, there were problems of downtime, which were natural. But with time, things have improved a lot,” says Saha. The images of reports began to be scanned and sent to teleconsultants who would monitor and suggest approaches to treatment over the telephone. Quite naturally, Max Healthcare thought of adding video in the process. “It was not only difficult, but impractical to narrate readings of the bedside monitors. There was always a threat of marginal error. The error could turn fatal if the case was critical and immediately needed intervention,” explains Saha. This was overcome by adding video to the setup. Max India decided to put polycom video conferencing equipment, so that doctors could virtually collaborate in times of emergencies and critical diagnostics. “This

Vol /2 | ISSUE/01

11/13/2006 12:53:16 PM

Cover Story | Implementation further helped in providing training and online learning to the doctors,” says Saha.

Healthy Processes A medical practitioner in a remote location now schedules all his patients who require expert medical tertiary-level specialists’ advice on a particular day and time of the week. “The medical experts sitting at specialty locations are made available online during that schedule for consultations on the cases. Before hand, the remote practitioner makes available all the case history and investigations

consultant’s monitor at Max Healthcare. “We provide a similar facility at the doctor’s premise. So if there is a need for an emergency consultation, doctors in a remote location don’t have to wait for their counterparts to reach the hospital,” says Saha. With telemedicine now in place, an offsite catheterisation lab or cath lab (an examination room with diagnostic imaging equipment to support a catheterisation procedure) gets hooked with the intervention cardiologist. Also, the offsite cardiologist can send the cath lab images online to an expert cardiologist who can review the images before the off-site cath lab gives a final opinion on the study procedure. Max Healthcare TeleMed has greatly helped doctors, nurses and paramedical personnel in remote locations, providing them an opportunity to interact with superspecialists and update their own knowledge and skills. It ensures better patient management at a local level. “Max TeleMed empowers patients to avail tertiary-level healthcare services of global standards from anywhere. A patient can contact the nearest Max TeleMed Center for scheduling her second consult or follow-up with the Max Specialty doctors,” says Saha. Currently, Max Healthcare doesn’t offer telemedicine at a very large scale. People are slowly catching up with this new concept in India. With rapid developments in IT, new capabilities are being added to the core telemedicine infrastructure. “With decreasing bandwidth prices, we can now think of linking these centers with dedicated leased lines and perform virtual surgeries,” he says. The processes established by Max Healthcare have been so effective and efficient that the initiative has got the endorsement of International Technology Union’s Telemedicine division. As Saha puts it, this endeavor ensures the delivery of right healthcare irrespective of spatial separation. CIO

Patients in remote areas with chronic ailments can have follow-up consultations while sitting in their homes or workplaces. of patients to the super-specialists. It saves time, money and, most importantly, the lives of a large number of people,” says Saha. Offsite nursing homes, diagnostic centers and hospitals can now send images of diagnoses online to experts for an opinion. This takes no time in comparison to sending the images physically. The latter brings into play the possibility of a patient losing time if he is at a critical stage of treatment. TeleMed has proved to be a boon in disguise for monitoring patients while they are admitted in an intensive care unit (ICU) at a remote location. “The doctor in the local ICU connects the patient to the ICU or CCU (critical care unit) of Max Healthcare, while our expert cardiologists and other critical medicine experts review the patient’s condition online and provide expertise to a local ICU or CCU doctor in managing the patient with the best clinical practice, which is otherwise impossible,” says Saha. Further, patients with chronic ailments can have follow-up consultations with their respective consultants while sitting in their homes or workplaces. For a nominal amount, the patient is given a device that needs to be connected to an ordinary telephone line. During the consultation, this device transmits the ECG and other relevant clinical parameters to the 64

Cover Story - 01.indd 64

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Bureau head-north Rahul Neel Mani can be reached at rahul_m@cio.in

Vol /2 | ISSUE/01

11/13/2006 12:53:16 PM

Security Survey

The

20 06

Global State of Information

Security Some things are getting better — slowly — but security practices are still immature and, in some cases, ad hoc.

BY ALLAN HOLMES

Security Survey.indd 66

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | ISSUE/01

Reader ROI:

Why compliance with security laws and regulations remains a chimera The financial services industry’s best practices for security

The Executive Summary When it comes to information security, the reflection you see in your morning mirror is probably not that of a sharp, confident, professional IT executive. Rather, that man in the mirror is more likely to look like a gangly, awkward, not-yet-to-be-fully-trusted teenager. That’s what ‘The Global State of Information Security 2006’ survey tells us. In its fourth edition, this largest-of-its-kind survey reveals that information executives, still relatively new to security’s disciplines, are o and learning and improving but “The Global State of Information Security 2006,” a worldwide study by CIo, CSo PricewaterhouseCoopers, was conducted online from April 5 to May 22. Readers of CIo are still prone to risky behavior and CSo o and clients of PricewaterhouseCoopers from around the globe were invited to — behavior that could have take the survey via e-mail. The results shown in this report are based on the responses of devastating consequences. 7,791 CEos, CFos, CIos, CSos, and VPs and directors of IT and information security from

Inside the Study

The study by CIO, CSO and 50 countries. This includes 486 Indian respondents. PricewaterhouseCoopers (PwC), with 7,791 The margin of error for this study is plus or minus 1%. respondents in 50 countries, indicates that The study represents a broad range of industries including technology (10%), education an increasing number of executives (CEOs, (10%), consulting and professional services (8%), government (8%), telecommunications CFOs, CIOs, CSOs, and VPs and directors (6%), and financial services and banking (4%). of IT and information security) across all Thirty-two percent of respondents reported total annual sales of less than Rs 450 crore, industries and in private- and public-sector 14% reported sales between Rs 450 crore and Rs 4499.9 crore, 17% said their annual organizations continue to make incremental sales exceeded Rs 4,500 crore, 17% were nonprofit organizations, and 17% didn’t say. improvements in deploying information Job titles included CIo, CTo, VP, director and manager of IT (22%), information security security policies and technologies, although professional (12%), non-IT executive (12%), other IT titles (39%). Fifteen percent listed the rate of improvement is slower than in ‘other’ or did not answer the question. previous years. They’re becoming more – A.H. financially independent, with some security budgets increasing at double-digit rates. And they say they’re more confident in their level do what they know they shouldn’t. The survey shows us that of security, perhaps because their networks have not had a most executives with security responsibilities have made little serious virus or worm in the past 12 months. or no progress in implementing strategic security measures But teenagers, as any parent knows, live in the moment and that could have prevented many of the security mishaps have an ability to ignore what they know they should do and

Vol/2 | ISSUE/01

Security Survey.indd 67

REAL CIO WORLD | n o v e m B e R 1 5 , 2 0 0 6

Security Survey The Good News

The Bad News

Reporting Gets Aligned C-Level Security IT and physical security report to the Appointments Stall reported this year. Only 37 same executive leader percent of respondents said We employ a CISO or CSO they have an overall security strategy. And they’re planning to focus more on tactical fixes than on strategic initiatives, ensuring that in the coming year they will be more reactive than proactive. One of the most unsettling Integration on the Rise findings in this year’s study We have some integration between Improvement Slows or is the sad state of security in physical and IT security Regresses India, by a wide margin the 2004 2005 2006 world’s primary locus for IT Users compliant with outsourcing. The problem security policies 70% 68% 69% is less with the outsourcing companies than with the Have an overall dangerous waters they swim in. information security strategy 56% 37% 37% Many respondents from India admit to not adhering to the Best Practices Have an identity most routine security practices. 28% said they align security policies management strategy 21% 29% 29% The problem is obvious, but with business objectives (up from right now it’s apparently easier 25% in 2004). Have a business continuity/disaster to ignore than to address. 20% said they align security recovery plan 54% 55% 50% Harder to ignore is the spending with business objectives constant news of large (up from 15% in 2004). Have plan to report organizations losing laptops 69% of organizations said they security events to packed with unencrypted continuously or periodically rank partners/suppliers 29% 30% 28% personal data on millions of data and information according Use intrusion customers. Every year we to the level of risk it poses to the detection tools 39% 49% 47% report that such incidents organization if it were to be accessed should motivate companies to by an unauthorized user. Encrypt data before tighten security, but every year transmission 55% 51% 48% the survey indicates otherwise. Money Talks Similarly, even after Hurricane Security spending is increasing as a Katrina, which hit the Gulf percentage of the overall IT budget Health Insurance Portability and Coast seven months before we Accountability Act, and non-US launched our survey, a majority laws such as the European Union of companies still did not have Data Privacy Directive — have a business continuity/disaster been around for years. Is this an recovery plan in place, and example of adolescent rebellion, plans to complete one this year or are security executives finding have become less important to it hard to obtain the necessary security officials than in 2005. resources to comply? Complacency, it seems, The answer, says Mark Lobel, abounds. A large proportion a PwC advisory partner specializing in security, is neither. of security execs admitted they’re not in compliance with Information security still suffers from the fundamental regulations that specifically dictate security measures their problem of making a business case for security. Security is organization must undertake or risk stiff sanctions, up still calculated as a cost, not as something that adds strategic to and including prison time for executives. Some of these value and therefore translate into revenue or even savings. regulations — like the California’s security breach law, the 68

Security Survey.indd 68

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | ISSUE/01

11/10/2006 8:07:47 PM

Security Survey

But if one digs into the results, there are reasons for optimism. There’s evidence that organizations that comply with security laws are more likely to be integrating and aligning security with their enterprise’s business strategy and processes, which in turn reduces the number of successful attacks and the financial losses that result from them. In short, security can create value if it’s part of an organization’s business plan and if the executive in charge is part of a team making those strategic spending and policy decisions. The six sections that follow illustrate that global information security management practices are varied and, with a few notable exceptions, have yet to mature. The data, we hope, will bolster the argument for a more strategic approach to security. And strategy — thinking ahead, connecting actions to their consequences — is, of course, a sign of maturity.

percentage of organizations that reported having some form of integration between physical and information security has grown rapidly, to 75 percent in 2006 from 29 percent in 2003. A similar spike occurred in the percentage of respondents saying their physical and information security chiefs report to the same executive leader, to 40 percent from 11 percent in 2003. Why is that important? Just ask the US Department of Veterans Affairs and AIG, which were recently involved in high-profile cases of stolen laptops. With physical and information security combined, fewer laptops may be lost. If they are lost or stolen, that combination should make gaining access to the data stored in them nearly impossible. CIO spoke with Burgess Cooper, head (IT security) of Hutch, for an enterprise perspective of IS best practices in the Indian context. Merging physical security with information

MID-MARKET SECURITY

I. Growing Up, Slowly The 2006 survey shows that a few more companies than last year are thinking about security strategically, at least in some areas. A larger percentage of companies are aligning security objectives with business objectives (20 percent of respondents said they align all security spending with their business objectives, up from 15 percent in 2004) and are prioritizing data sets based on the sensitivity of the information contained in each application. They’re then protecting those sets with the appropriate amount of security (25 percent in 2006, up from 21 percent in 2004). One of the biggest changes from last year is that more companies are integrating physical and information security. The 70

Security Survey.indd 70

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Size Matters Smaller companies seem to suffer less from attacks than bigger ones, but that doesn’t mean they’re better at security.

When it comes to security, bigger isn’t always better. Sure, large companies tend to have more strategic and effective security operations than smaller companies, so they should have fewer breaches and less negative fallout from attacks. Right? Wrong. Our survey found that mid-market companies (those with revenue between Rs 450 crore and Rs 4,500 crore) experienced fewer security breaches than their larger counterparts. Nearly 30 percent of midsize companies claimed their security measures have never been compromised compared with just 16 percent of larger enterprises. Bigger companies also have less of a handle on what’s happening in their (larger) networks. They’re less likely than their smaller counterparts to know how many security breaches they’ve had (42 percent of the bigger companies had no clue versus 29 percent of midsize companies and 16 percent of the small-market companies, those with less than Rs 450 crore in revenue). Bigger budgets and more security staff also make no difference when it comes to recovering from an attack. The percentage of midsize companies that experienced network downtime lasting more than a day matches the figure for large companies: about 10 percent. Finally, midsize companies have a slightly clearer picture of the losses they sustain in an attack. Fifty-five percent knew the extent of their financial losses; just 51 percent of large companies could make the same claim.

Vol/2 | ISSUE/01

11/10/2006 8:07:47 PM

Security Survey

security, he believes, brings with it a number of synergies and challenges. “Physical security is increasingly relying on IT, and combining the two functions will result in a synergy. Merging the two will reduce costs by eliminating redundancy in resources and budget requirements. The challenges to integration are developing technical skills and bringing about mindset shifts. Security guards aren’t well trained to install firewalls, while the IT guys need training on effective surveillance techniques,” he explains. Increasing aggregation and integration of security functions also entails larger security budgets. Almost half of the survey respondents said their budgets would increase this year, with more than one out of five saying the rate of increase would be in the double digits. That’s a faster increase than the overall IT budget. More security execs are being granted more financial autonomy too.

Why is this so? Security specialists cite two factors to explain the discrepancies between the actions and outcomes of the big guys and their smaller counterparts. Larger companies most likely sustain more cyberattack attempts than smaller ones because the returns to the evil-doer are greater if the attack succeeds. Big companies also tend to be more complex and keeping tabs becomes challenging, to say the least. But the experts say the gap between mid- and largemarket companies might have been even wider if the larger companies had not followed more strategic security practices. The lesson here is that midsize companies might reduce the number of security breaches they experience (and the damage caused by them) if they did the same.

—A.H

Vol/2 | ISSUE/01

Security Survey.indd 71

However, the majority of companies worldwide — close to 64 percent — still have not created C-level security positions such as a CSO or CISO. Managing security strategically, and at the executive level, may make sense in theory, but is increasingly looking like a moot point in the boardroom. The good news is that the survey contains that proof: organizations that reported that their security polices and spending are aligned with their business processes experienced fewer financial losses and less network downtime than those that did not.

II. The Indian Scenario India lags far behind the rest of the world in instituting even the most basic information security practices and tools.

Tale of the Tape

…and have more technology in place…

Large companies may have larger security budgets and staffs…

Sm.

Mid.

Security budget more than Rs 450 crore

Use malicious code detection tools

34%

40% 50%

Use patch management tools

32%

37% 47%

Use tools to find unauthorized devices

20%

26% 38%

Use vulnerability scanning tools

26%

30% 46%

Small

Midsize

19%

Large

38%

More than 11 employees in security department

Small

Midsize

11%

Large

28%

…and follow more strategic security practices…

…but the bigger companies suffer more security breaches… Percentage saying they had no security breaches

Small

37%

Midsize

29%

Large

16%

Sm.

Mid.

Employ a CISO

14%

22%

42%

Integrate physical and information security

32%

37%

47%

Institute an overall security strategy

…and bigger losses. Percentage saying they lost more than Rs 45 lakh due to cyberattacks

31%

43%

61%

Small

Midsize

Conduct periodic security audits

40%

Lg.

54% 69%

Large

REAL CIO WORLD | n o v e m B E R 1 5 , 2 0 0 6

12%

11/10/2006 8:07:47 PM

Xxxxxxxxxxxxxxx Security Survey

Troubles in India Because security practices in India lag behind the rest of the world...

World

India

Conduct penetration tests

32%

42%

26%

Conduct threat vulnerability tests

40%

47%

33%

Have an overall security strategy

37%

47%

34%

Half of users not aligned with security policies 33%

19%

50%

Dispose of hardware securely

38%

49%

26%

Use spyware/spam detection tools

57%

65%

39%

Use encryption tools

43%

56%

40%

Use intrusion detection tools

47%

57%

31%

Use intrusion prevention tools

39%

50%

29%

Use network security tools

58%

68%

42%

Use secure remote access

56%

62%

35%

Employ user passwords

73%

78%

54%

India

...its companies suffer more cybercrime...

World

Extortion

15%

Fraud

14%

IP theft

12%

20%

Financial losses

19%

14%

29%

...and more downtime. 10% of Indian organizations experienced cyber attacks that shut down networks for more than two days. The US rate was 5%.

Working the Problem Indian companies plan to deploy the following security measures in the next year.

World

Employ a CISO/CSO

20%

15%

37%

Conduct background checks

31%

44%

42%

Monitor audit reports

41%

48%

52%

Conduct employee security awareness training 36%

46%

42%

Protect IP and data

13%

15%

23%

Deploy ID management solutions

19%

25%

24%

Security Survey.indd 72

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

India

The widespread absence of even the most routine security tools (patch management, content filters and access control software) and policies (secure disposal of hardware, business continuity plans, setting security baselines for outside business partners) has left many Indian companies vulnerable to serious attack and the inevitable financial losses that follow. Extortion, fraud and intellectual property theft occurred last year at one in every five or six Indian companies — rates that are double and even quadruple those of the rest of the world. Nearly one in three Indian organizations suffered some financial loss because of a cyberattack last year, compared with one out of five worldwide and one out of eight in the United States. “You cannot take information security for granted in India,” PwC’s Lobel warns. Indian security officials have their work cut out for them, but they do say they plan to work to harden information security. Indian organizations lead their foreign counterparts (sometimes by a significant amount) in deploying new security measures and policies. And they’re not just tactical. A substantially larger percentage of Indian companies (nearly double the rate worldwide) reported plans to hire a C-level security executive this year. Whether the Indian organizations are able to follow through and begin to reduce the security gap is something that should show up in the 2007 survey. Stay tuned.

III. The Strategy Gap When an individual thinks he doesn’t have enough information on which to base decisions, or as many resources as he believes he needs and, for the most part, he’s not part of the planning process, what does he do? Typically, he falls back on what he knows best. For information security executives, that means focusing on technology — on tactics, not strategies. Perhaps not coincidentally, this year executives are shifting from more strategic security practices toward more traditional technology practices (compared with last year’s results). In 2005, for every technology item on the security executive’s to-do list, respondents mentioned four process fixes. This year, that ratio is nearly 1-to-1. In all, of the top dozen items on the 2006 security to-do list, seven can be described as a technological fix. Among the top five are some of the more routine security measures, including data backup, network firewalls, application firewalls and instituting user passwords. That explains why the percent of companies reporting they have an overall strategic plan in place was unchanged at 37 percent. At the very least, some of the shifts are perplexing. Dropping from the top spot in 2005 to fourth place this year is the development of a business continuity and disaster recovery plan. That’s surprising given how Hurricane Katrina underlined its importance. But news coverage about disasters and security breaches may not be a driver for security investments. Our prediction that last year’s 10th item on the information security to-do list — spending on IP protection — would move up because of the sharp increase

Vol/2 | ISSUE/01

11/10/2006 8:07:48 PM

Security Survey

Where Are Your Priorities? Your 2005 To-Do List, Prioritized 1. Disaster recovery/business continuity 2.Employee awareness programs 3.Data backup 4.Overall information security strategy 5.Network firewalls 6.Centralized security information management system 7.Periodic security audits 8.Monitor employees 9.Monitor security reports 10.Spending on intellectual property protection

Xxxxxxxxxxxxxxx

Your 2006 To-Do List, Prioritized 1.Data backup 2.Network firewalls 3.Application firewalls 4.Disaster recovery/ business continuity 5.User passwords 6.Monitor security reports 7.Periodic security audits 8.Secure remote access 9.Spyware/adware/spam detection tools 10.(Tie) Monitor compliance with security policy Employee awareness programs

Moving from the Strategic to the Tactical Ratio of technology initiatives to process initiatives 2005 1:4 2006 1.5: 1

in high-profile identity theft and the increase in the amount of digitized content did not occur. IP protection didn’t even make the 2006 top 10 list. Even some of the simpler and less costly strategic security practices dropped. Conducting employee awareness training dropped from second to a tie for 10th on the priority list. The kicker here is that designing an overall information security strategy — fourth on the list last year — didn’t make the 2006 list. What’s happening? Why has strategic planning for security become an afterthought? One answer may be that in an information vacuum, short-term solutions seem more prudent than long-range ones. Hutch’s Cooper makes a strong case for enterprise’s participation in the organization’s security. “Security is a fundamental part of business functioning, and needs to be conceived from the planning processes itself. Security audits, such as a process, infrastructure audits, or due diligence IT security reviews etcetera, are imperative to the process. Just like you cannot buy a car and then think about installing airbags and seatbelts, similarly security should not be an afterthought,” he asserts. For IS to be most effective, aligning the technological processes with the organization’s strategic plan is critical. Cooper stresses on a good security plan. It must comprise IS policy and standards, keeping in mind effectiveness and ease of implementation. Top management support is 74

Security Survey.indd 74

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

vital, and an IT security head must always ensure he has the same, says Cooper. As far as measurement is concerned, due diligence reviews, audits, inspections and dialogues are paramount. Lastly, the IS strategy must be constantly updated and regularly reviewed. Companies that make security part of their strategic plan, Lobel says, have fewer breaches, lower financial losses and the fewest network downtimes.

IV. Compliance — Time to Get Tough

As was the case last year, a surprising portion of survey respondents admitted that they’re not in compliance with the information security laws and regulations that govern their industries. That includes high-profile laws that have been on the books for years. More than one-quarter of US security execs who said their organizations need to be compliant with HIPAA, the eightyear-old law that requires health-care organizations to protect patient information, admitted that they are not. In India, Cooper notes, enterprises are confronted with four key compliance-related issues: The law of the land, IT Act. The regulator of that particular industry, such as RBI for banking and TRAI for telecom sectors. Additional compliance related matters like SarbanesOxley (SOX) and HIPAA, depending on the business and parent company And finally, some companies that are keen on improving security focus on compliance to international security standards – e.g. ISO 27001, ITIL and COBIT. However, non-compliance runs broad and deep in all industries worldwide, and ignorance of applicable law is a big factor. Nearly one in five US survey respondents said they should be — but are not — in compliance with California’s 2002 security breach law, which requires companies to notify individuals if an unauthorized person obtains access to their private information (such as credit card numbers). But only 22 percent of all US respondents said the law applies to them. However, given that the law applies to any organization that has even one California

Vol/2 | ISSUE/01

11/10/2006 8:07:48 PM

Security Survey

for Strategic & International resident as a customer, Rules? What Rules? Studies in Washington, D.C. student or client — more than US organizations still ignoring If security is to improve, one in 10 Americans — a good security and privacy laws... Percentage of US organizations admitting they security laws need more portion of the 78 percent of need to be in compliance with a specific law but teeth. And that applies to an enterprises that think the law are not organization’s own rules as does not apply to them are 2005 2006 well. Survey respondents likely to be wrong. reported that more than twoFurther, more than oneCalifornia security thirds of users are compliant third of all US respondents breach notification law 15% 18% with their organization’s said they are not in compliance Sarbanes-Oxley 38% 35% security policies, a statistic with SOX even though they that has remained unchanged should be, and more than HIPAA (Health-care over the past three “Global one out of seven said they respondents only) 38% 40% State of Information Security” were not compliant with surveys. One of the most critical Gramm-Leach-Bliley. That’s Gramm-Leach-Bliley (Financial services factors for reducing network a slight improvement from respondents only) 17% 14% downtime is compliance with last year, but considering the an organization’s security stiff criminal penalties of not Other state/local rules, Lobel points out, but that complying, many executives privacy regulations 10% 29% requirement isn’t even in control seem to be leaving themselves objectives for information and open to lawsuits and possible …but international colleagues are related technology, or Cobit, the prison terms, and exposing negligent as well. bible for IT governance. their enterprise to fines. Percentage of non-US firms admitting they need to be in compliance with a specific law but are not Lobel suggests organizations And this is not simply an assign penalties for not American phenomenon. Half 2005 2006 complying with their own of Australian organizations security policies. But make surveyed admitted to Australian Privacy sure, he adds, that the penalty Legislation (Australia not complying with their respondents) 48% 50% matches the infraction. “You country’s privacy legislation. may not want to terminate Almost a third of UK CNIL someone who puts passwords respondents said they do not (France respondents) 35% 42% on yellow sticky notes,” Lobel comply with their country’s says, “but there have to be some Data Protection eight-year-old Data Protection Act of 1998 consequences.” Act, and nearly one-third (UK respondents) 24% 31% of stereotypically law-abiding Canadian organizations European Union Data do not comply with their Privacy Directive (Europe respondents) 45% 45% nation’s privacy act. At the root of this may be a Last year, we highlighted the Canadian Privacy Act lack of enforcement. To date, financial services sector as (Canada respondents) 38% 30% the cost of non-compliance possessing the best IS practices, is not as high as the expense and this year that industry of complying — the price of once again leads all others in labor, hardware and software. integrating information security In the absence of penalties, with strategic operations. security executives have not been able to mount a business Companies in the financial services sector — banks, case for compliance. Add to that the fact that despite highinsurance companies, investment firms — are more likely to profile security breaches and lost laptops over the past employ a CSO than other industries. Security budgets in the year, the actual damages and ID thefts that can be directly financial sector are typically a bigger slice of the IT budget tied to the incidents are small, says Jim Lewis, director of as a whole and increase at a faster rate than in other sectors. the Technology and Public Policy program at the Center That may be because financial services companies are more

V. The Best and Brightest

Security Survey.indd 76

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | ISSUE/01

11/10/2006 8:07:48 PM

Security Survey

It’s obvious, therefore, that financial services organizations are far more likely — almost twice as likely, in fact — to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical. The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cyber criminals, including organized crime, insiders and even terrorists. Protecting the money is the industry’s most critical concern. The past few years have seen a sharp increase in cybercrime Where Do You Go to Find Best Practices? Finance (phishing, identity theft, extortion The financial services sector led other industries that handle sensitive and spyware, to name a few). data… Anytime a security executive can Total Finance Health Govt. Edu. demonstrate to top executives that investing in security can protect Had more than 10% increase in 2006 and increase shareholder value, he security budget 22% 28% 19% 19% 18% will be more likely to convince the Employs a CPO 16% 27% 36% 19% 10% boardroom to make that investment Employs a CSO/CISO 43% 73% 51% 56% 19% and make security a strategic part of the organization. Outsources vulnerability Financial services companies are and threat assessments 29% 44% 33% 31% 22% more likely than enterprises in other Conducts third-party industries to use ROI to measure the privacy audits 26% 48% 32% 27% 17% effectiveness of security investments Aligns security spending (29 percent versus an average of 25 with business objectives 68% 80% 70% 62% 55% percent), and they also are more likely Partners/suppliers to to use potential impact on revenue comply with security policies 33% 55% 57% 38% 25% to justify investments (36 percent Encrypts stored data 33% 42% 31% 30% 25% versus an average of 27 percent). These Justifies security investments arguments work. More financial by law or regulation 49% 71% 71% 64% 46% services companies saw a doubledigit increase in their 2006 security budgets than those in any other sector. Regulation plays a part too. The …which means it suffered fewer successful cyberattacks and their financial industry must adhere to the consequences. most stringent IS laws, and it leads other Total Finance Health Govt. Edu. industries in following proven, strategic information security practices. Fewer than 10 negative security events in past year 60% 62% 65% 54% 57% Following this line of reasoning about regulatory compliance, one would Attacks from e-mail virus 53% 41% 50% 51% 56% think that government, health care Incurred no downtime due and education — all highly regulated to attacks 32% 49% 39% 33% 26% and entrusted with securing private Suffered loss or damage information — would match the to internal records 30% 17% 22% 31% 34% financial sector in instituting strategic security practices. One would, however, think wrongly. According to the likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprisingly, financial services companies also have deployed more information security technology gadgets, such as intrusion detection and encryption tools, and identity management solutions.

Security Survey.indd 78

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | ISSUE/01

11/10/2006 8:07:49 PM

Security Survey

survey, government, health care and option to answer that you do not know What You Don’t education, despite their responsibility how many negative security incidents Know Can Hurt You for protecting personal information occurred. This year, nearly one-third of millions of citizens, patients and of respondents admitted that they 29% of security and students, are less likely than finance do not know how many breaches or senior executives do not to follow the best tactical and strategic unauthorized access events occurred know how many negative security practices. The government within their organizations. security events they had in and health-care sectors, for the most To a certain extent, that’s their enterprise in the past part, lead other sectors in following and understandable. Attacks can be year... instituting information security policies hard to identify, and networks and moving to become more strategic. can be extensive. What’s less 26% do not know what But the two sectors are well behind comprehensible is that a significant type of attacks occurred or financial services. Only 42 percent of portion of respondents said they how... government entities report having an have not installed some of the most overall security strategy, compared with rudimentary network safeguards. and 50% don’t know 56 percent in the financial sector. Only one-third of respondents have how much money they are The education sector is even farther put in place patch management tools losing due to attacks. behind in developing, following, and or monitor user activity. Less than deploying IS practices and tools. half use intrusion detection software Educational organizations find or monitor log files (the two best themselves in this position even after methods organizations can employ to highly publicized network break-ins, including those at San detect breaches) and even fewer use intrusion prevention Diego State University and most recently at Ohio University, tools. Surprisingly, more than 20 percent of respondents which exposed students’ and their families’ data, including don’t even have a network firewall. home addresses, Social Security and credit card numbers, Installing a firewall is easy. If a significant number of and tax information. respondents haven’t even done that much, it shouldn’t be In fact, the education sector suffers more negative surprising that many more are struggling with the hard security events (viruses and worms, denial-of-service stuff. It’s hard to quantify attacks and what’s lost because of attacks, identity thefts, unauthorized entries and trafficking them. First, just understanding what constitutes an incident in illicit data), more network downtime and more downtime can be confusing. Second, the ability to track, record, correlate that lasts for many days than what the average respondent and communicate up the executive chain is lacking in most worldwide experiences. organizations. For the fourth consecutive year, there was The security future doesn’t look bright for the educational an increase in the percentage of respondents throwing their sector either. A smaller portion of educational security hands up and saying they have no idea how much money respondents than most other sectors said they plan to hire their companies lost due to attacks. It’s now up to 50 percent. a C-level security leader, conduct background checks of new “How do you calculate the loss of intellectual property hires, start checking if networks are compliant with security or the damage to a corporate reputation?” Lobel asks. “Very policies, conduct or institute employee security awareness smart people have a hard time agreeing on the value.” But programs or install encryption tools — just to name a few. until the security department can put a credible dollar figure on what the company is losing because of poor security, the boardroom isn’t going to listen to security executives asking for more money to spend on technology or on skilled security workers (cited as the top resources You know your information security strategy is working needed to improve security). The CEO wants to know how when the number of successful breaches is low, the amount security affects shareholder value. But answering that in financial losses is negligible and network downtime is kept would require a strategic overview and, as we have already to a minimum. Unfortunately, a large percentage of security seen, security professionals, by and large, don’t have one. leaders worldwide have no idea if their security plans are At least, not this year. CIO working because they don’t know any of these numbers. From 2003 to 2005, the percentage of survey respondents saying they had fewer than 10 negative information security Additional inputs by Kunal N. Talgeri. incidents remained steady. But this year, we included the Send feedback on this feature to editor@cio.in

VI. Dancing in the Dark

Vol/2 | ISSUE/01

Security Survey.indd 79

REAL CIO WORLD | n o v e m B E R 1 5 , 2 0 0 6

11/10/2006 8:07:49 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Feature.indd 82

11/10/2006 8:20:52 PM

H o s t

Meet Your New By Meridith Levinson

Illust ration by PC A no op

Supply chain software has been considered too risky and important to be hosted by outsiders. That is, until you consider the risks and expense of installing and supporting it yourself.

Feature.indd 83

Three years ago, Kawasaki Motors USA had some unhappy dealers on its hands. The Rs 6,750-crore manufacturer of motorcycles, ATVs and water scooters couldn’t get the products into showrooms when the dealers wanted them. For example, water scooter deliveries promised in early spring (February onwards) arrived a couple of months too early — in the off-season. As a result, Kawasaki had to offer discounts and rebates to drive sales, which ate into the company’s margins, according to Roger Peterson, Kawasaki’s vice president of information systems. The reason Kawasaki couldn’t get the right products to its dealers at the right time was because, like many small and midsize companies, it lacked the technology for precise collaboration and exchange of demand forecasts with its parent company, Kawasaki Heavy Industries, which manufactures the products that Kawasaki distributes to its dealers. The cost of developing and maintaining traditional supply chain applications is too high for Kawasaki, which spends just over Rs 45 crore a year on business applications and IT infrastructure. Peterson estimates that deploying similar software in-house would have cost several million dollars and several years of effort. So in early 2004, Peterson began looking at hosted supply chain collaboration applications that ran on the vendor’s computers and that his company could access over the Internet, through a Web browser.

Early Risk While so-called hosted or on-demand software was making waves in the CRM space at the time, it was nearly unheard of in supply chain offerings. Beth Enslow, Aberdeen

11/10/2006 8:20:54 PM

Mid-Market Supply Chain Group’s senior vice president of enterprise research, who has authored a study on hosted supply chain applications, says concerns about data getting lost or stolen and system reliability prevented companies from entrusting their mission-critical supply chain activities to third parties. Obviously, Peterson considered the security and reliability of the potential hosted systems. “I had to wrestle with concerns about putting our supply chain application out with a third party over the Internet. It’s our family jewel,” he says. But Peterson had another, larger concern: Kawasaki’s three main competitors — Honda, Harley-Davidson and Yamaha that are from two-and-a-half to oneand-a-half times larger than Kawasaki — have much more sophisticated supply chain software infrastructures. “We’re not one of the big dogs. We’re competing with people who have more resources, more people, more dollars. Yet, we have all the same problems,” he says. So, Peterson decided to take a gamble on a hosted collaborative supply chain planning application from Mitrix, which his company deployed in June.

The reliability of hosted software providers’ systems is debatable. But Aberdeen Group’s Enslow says current users find those systems to be just as secure and just as reliable — if not more — than their own systems.

Today, a Viable Solution Evaluating hosted supply chain management software — whether for collaborative planning, forecasting or transportation management — is much less of a handwringing experience for CIOs today than it was a few years ago due to the business model evolving and advances in technology. Analysts say the do-or-die concerns about security have largely dissipated because vendors have beefed up their firewalls, intrusion detection systems and encryption techniques. “Security is a baseline requirement,” says Bill McNee, founder and CEO of Saugatuck Technology. “Whereas that was more of a concern two to three years ago, virtually all software-as-a-service players have overcome that.” Consequently, companies large and small are increasingly using hosted software to automate and run core business activities such as supply chain management. The same factors that drove companies to embrace hosted CRM — easier and speedier implementations, faster time to 84

Feature.indd 84

n o v e m BER 1 5 , 2 0 0 6 | REAL CIO WORLD

benefits and knowing you’ll always be on the most current version of the application — are pushing them to adopt hosted software for such aspects of supply chain management as forecasting, collaborative planning, inventory visibility and transportation management. Still, the hosting option should not be considered lightly, especially if you’re thinking about using it for something as critical as your supply chain. Though the security situation has improved, CIOs still need to vet the vendors for proper security procedures and monitor their adherence to them. Further, the issues of software reliability and integration that can make or break an in-house implementation are no less important when the software is hosted by an outsider. In fact, those concerns about security, reliability and ease of integration are even more acute in the supply chain world where more parties need to connect. Read on for examples of how two companies weighed those various considerations.

Consideration 1 Security At a time when hacking has become a pastime, companies have legitimate fears about keeping their data in a hosted software vendor’s systems because they have no direct control. Positive past experience using an application service provider helped Kawasaki’s Peterson overcome concerns about his company sharing its production plans with its manufacturing parent company through a third-party over the Internet. He says his previous experience using an ASP, which forced him to bone up on SSL protocol, public-key infrastructure and twofactor authentication, helped him determine whether Mitrix’s security infrastructure and policies would be adequate. Also, knowing the information his company would be sharing would be limited to a discrete time horizon (no more than a 12month forward projection of its production plans) mitigated his concerns about the safety of his company’s data. In the event of breach, his company’s risk would be lower than if it used the hosted supply chain collaboration application for all of its plans (which go as far as 36 months).

Consideration 2 Reliability The reliability of hosted software providers’ systems is debatable. Aberdeen Group’s Enslow says current users of hosted supply chain software, whom she interviewed, find it to be just as secure and just as reliable — if not more — than their own systems. And Mark Koenig, VP at Saugatuck Technology, says there’s no guarantee that an enterprise customer will be any better at running an application internally than a third party “whose business it is [to run that application] and who’s invested heavily in being available 24 by 7 by 365.” That may be true, but the service outages that customers of Salesforce.com experienced in late 2005 and early 2006 renewed the focus on reliability, which was a primary concern

Vol/2 | I SSUE/01

11/10/2006 8:20:54 PM

Mid-Market Supply Chain for Paul Rizzo, PepsiAmericas’ director of logistics, when he deployed a transportation management system from LeanLogistics in 2002. To quell his worries, his company’s IT and supply chain groups piloted the system to make sure it provided the functionality and reliability he was expecting, and that it integrated well with other systems inside Pepsi. The IT group also discussed with LeanLogistics the number of transactions that its transportation management system could handle, and wrote financial penalties into servicelevel agreements in the event of system downtime. That’s a good thing because he has experienced outages. Fortunately, he says, the outages are few and far between, and the one that lasted the longest was only a few hours, which hardly crippled his organization.

Consideration 3 Integration Integration is never a picnic, whether you’re deploying software in-house or using hosted software. But the idea of linking your internal systems with a hosted system and then needing external business partners to tie in to that system

can seem particularly mind-boggling for some potential users of hosted supply chain software. That wasn’t the case for Peterson, however. Integrating his ERP system with Mitrix’s hosted supply chain collaboration system was less of a concern for him for two related reasons. First, in the 1980s, he created a metadata repository that identifies all of the relationships between Kawasaki’s data structures, programs, and jobs for online and batch programs. His IT staff uses this repository when analyzing which applications need to be modified as a result of any integration or enhancement effort. Once they’ve determined the interface points between a new application and existing applications, they use the data repository to identify all the existing data structures and processes that may require changes to integrate with a new system. Peterson knew he could rely on this resource to help the integration proceed more smoothly. Second, having been through a complicated integration project in 1999 that involved hooking up his company’s back-end mainframe systems to a new front-end e-commerce system, he knew his staff could link with the third-party system.

Living Large Hosted supply chain software can let mid-market companies meet the demands like big companies. But there are risks, says senior VP of Aberdeen Group, Beth Enslow. CIO: What challenges do midmarket companies face in managing their supply chains? Beth Enslow: Mid-market companies have to meet demanding requirements from larger customers, who are very specific about how they want their orders fulfilled, about packing and shipping, and over the kind of information they want about those orders and their status. One of the challenges midmarket companies face then is that most of them don’t have the IT infrastructure to do this in an efficient manner. They end up having to throw lots of people at the problem. What technologies can help midmarket companies work with their supply chain partners? They need a platform to exchange

Vol/2 | I SSUE/01

Feature.indd 85

information electronically, whether forecasts, order information or status information, and they need to have good visibility into what’s happening with specific orders. If you have information electronically, not only are you reducing the human cost involved in sharing information, but you can now collaborate at a deeper level because you’re able to share a wider degree of information. Sharing information electronically helps reduce errors and perhaps most importantly helps cut lead times, so that you can deliver goods more flexibly and faster to the end customer. We see midmarket companies becoming more interested in on-demand supply chain management applications because they present a less expensive and less disruptive way for them to access this technology.

What do you mean by less disruptive? Mid-market companies simply don’t have the bodies available to go through a traditional software evaluation and implementation process and then keep that system up to date. With on-demand software, a lot of that [implementation] work is now done by the vendor, which minimizes disruptions to the IT staff. For mid-market companies, ondemand has proven to be a faster way to get solutions up and running, the ROI is faster, and you won’t find yourself three or four versions behind and not having access to the newest functionality, because the vendor takes care of that for you.

—M.L.

REAL CIO WORLD | n o v e m BER 1 5 , 2 0 0 6

11/10/2006 8:20:55 PM

If you want to customize a supply chain application, forget about using a hosted provider. Customization defeats the purpose of an on-demand solution, which is designed to be one-size-fits-all. At PepsiAmericas, Rizzo says integrating his company’s existing inventory management and deployment systems with LeanLogistics’ transportation management system required just 40 hours of two IT workers. “I’ve done a lot of systems implementations in my career. This was by far and away the easiest one we ever did,” says Rizzo. “We flipped the switch, the integration worked flawlessly, and we never looked back.” Had PepsiAmericas built its own transportation management system in-house, its IT staffers would have had to connect all 50 of its carriers to the system on their own.

Consideration 4 Customization If you have any desire to customize a supply chain application, forget about using a hosted provider. Customization defeats the purpose of an on-demand solution, which is designed to be one-size-fits-all in order to provide the vendor with the economies of scale it needs to keep its costs low and make upgrades easy. “Hosted solutions are built to be very configurable, so you can have your own role-based views and flexible user interface. But if you’re looking to do hard-core customization of an app, they aren’t a good fit,” says Enslow. Hosted collaborative supply chain planning software suited Kawasaki because it reduces development time and minimizes customization needs. He didn’t see the point of customizing what he perceives is an infrastructure solution. “So much of the supply chain is just plumbing. It doesn’t have any effect on what you decide the market is really demanding and what product you actually build,” he says. “You can argue that a custom solution will let you differentiate from the competition, but I think it’s more important to have your design engineers come up with innovative product designs.”

want anyone to go to jail, that is). Because you don’t own the software you’re using, executives see the hosted model as a risky proposition because they have little control over the process and timing of upgrades, and keeping documentation up to date is more difficult. Saugatuck’s Koenig says chief compliance officers are particularly wary of hosted software because they’re the ones who are on the hook for the integrity of the systems used by their company, regardless of who is supplying those systems. So if you’re using hosted software, you have to make sure your vendor can vouch for the integrity of its systems because if your company or your vendor comes under attack by the regulator, there’s going to be a lot of finger-pointing, and you need to do your due diligence before that happens. Ensure ahead of time that you can get access to your data in the event you need to for legal reasons or if your vendor goes belly up. Data access was critical for Rizzo, who contracted with LeanLogistics while the transportation management software provider was still a relative newcomer. Rizzo wasn’t so worried about Sarbanes-Oxley — which wasn’t yet law when he implemented — as he was concerned about LeanLogistics’ longevity. Since his company’s contracted rates with its 50 transportation providers are stored in LeanLogistics’ transportation management system, he didn’t want to have to re-create from scratch all of those nuanced contracts if LeanLogistics went under, so he made sure he’d be able to get that information in a flat file from LeanLogistics by writing it into PepsiAmericas’ contract with the vendor.

So Far, So Good Aside from a few outages, only good things have come from PepsiAmericas’ partnership with LeanLogistics. Rizzo says his company has saved money on staffing in its accounts payable department because the transportation management system also pays invoices automatically, electronically. He says dispatchers are more productive because the system relieves them of mundane tasks like identifying which transportation provider can bring a truckload of Pepsi cans to a particular warehouse on a particular day. The hosted system has reduced such ‘non-value added’ work by as much as 15 percent, he says. As for the business benefits Kawasaki is seeing from using Mitrix’s hosted supply chain collaboration application, Peterson says, it’s too early to tell. At the time this story was reported, Kawasaki had just started deploying the software. But, Peterson is hopeful that, next February, the water scooters won’t start arriving until after the snow has stopped. CIO

Consideration 5 Compliance and Data Access In the post Sarbanes-Oxley world, a company’s ability to certify the integrity of its financial systems and the data contained in them is of paramount importance (if you don’t 86

Feature.indd 86

n o v e m BER 1 5 , 2 0 0 6 | REAL CIO WORLD

Send feedback on this feature to editor@cio.in

Vol/2 | I SSUE/01

11/10/2006 8:20:56 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Beyond processes reengineering, integration of multiple systems and technology challenges of the like, a CIO ultimately seeks to fulfill the broad business objective. Who better to get insights of the business imperative than the organization’s head himself? An encore of eight CIO interviews with the heads of India’s largest organizations. Information Technology has taken tremendous strides in India Inc. over the past decade, and is now more than just a support function. Or is it? An interview with the person at the very top of an Indian company serves as the perfect reality check. That was the rationale, from which the View from the Top series stemmed, a little more than a year ago. A space for the helmsmen of India’s largest companies to outline their vision,

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

View from the Top NEW - 02.indd 88

analyze the role of IT — and the CIO, in particular — in that context. And see how IT is evolving in Corporate India. The approaches to, and perspectives of, the IT organization have been as varied as the sectors in which the CIOs of the respective companies function. From banking and manufacturing to pharmaceuticals and IT itself, the vision is grand — as the series has shown.

Photos by Sr ivatsa Shan dilya

Views from the Top imaging bin esh s reedh aran and U NN IK RISHNAN AV

The ultimate business perspective of IT. Eight vignettes from the View from the Top series.

Vol/2 | ISSUE/01

11/10/2006 8:23:04 PM

View from the Top NEW - 02.indd 89

11/10/2006 8:23:25 PM

Anand Mahindra

vice chairman and MD, Mahindra & Mahindra,

ON R.0.I.

It’s important that you look at your business goals first. Ask yourself what you want to achieve. Think of business processes that will help serve customers better. Set metrics independent of IT. If IT helps you achieve any of those metrics efficiently, bring it in and don’t worry about doing ‘postmortems’ because it is now part of your business and overall internal rate of return.

Adi B. Godrej

chairman, Godrej Group

ON INNOVATION

Innovation is present in both products and processes. I don’t think IT can add too much to product innovation — R&D and imaginative employees contribute a lot more to this. However, increasingly, IT has a role to play in process. And I think innovation in processes is as important as product innovation. Both need to go hand-in-hand.

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

View from the Top NEW - 02.indd 90

11/10/2006 8:23:30 PM

View from the Top

Azim Premji

chairman, Wipro,

ON TECHNOLOGY LEADERSHIP

CIOs must be as savvy about the key drivers of business as they are of IT issues. They must combine vision with a strong operational drive that translates vision into concrete and effective solutions. CIOs must have the wherewithal to engage with key stakeholders in the organization and manage change over sustained periods of time. CIOs must have outstanding people skills.

Brian Tempest,

chief mentor & executive vice chairman, Ranbaxy,

ON I.T. PRUDENCE

At Ranbaxy, we benchmark processes at the macro level. With projects like regulatory compliance and information security, there is limited justification. You canâ&#x20AC;&#x2122;t afford to reject making an investment in IT that promises a more secure and compliant organization. Nonetheless, payback is questioned. We take both a top-down and a bottom-up approach. After all, we have to defend our decisions with our investors and shareholders.

Vol/2 | ISSUE/01

View from the Top NEW - 02.indd 91

REAL CIO WORLD | n o v e m B E R 1 5 , 2 0 0 6

11/10/2006 8:23:33 PM

View from the Top

K.V. Kamath

MD & CEO, ICICI Bank

ON END-USER ROLE

User groups should own and implement their own IT. The true benefit lies in articulating your needs, having a better understanding of technological challenges, finding a way to resolve those challenges, and executing a technological solution. This leads to critical benefits. First, there is a dramatic reduction in the number of failed projects. Second, it enables reduction in implementation time. All this naturally saves costs.

N.R. Narayana Murthy founder & chairman, Infosys

ON EARLY ADOPTION

If you run a race and lead it, you have the whole horizon in front of you and can decide where to go. Being the leader also brings with it the possibility of failure. But this probability decreases as you keep improving the fitness of the organization in terms of evaluating technologies, producing proper project plans, monitoring progress and â&#x20AC;&#x2DC;owningâ&#x20AC;&#x2122; the solution.

Vol/2 | ISSUE/01

View from the Top NEW - 02.indd 92

11/10/2006 8:23:46 PM

View from the Top

Ramalinga Raju

founder & chairman, Satyam Computer Services

ON BUSINESS-I.T. ALIGNMENT

CIOs must tell management that IT should be measured on business outcomes and not on effort or investment. They should regard every one of the internal processes and support functions as a full-fledged business. IT should provide a competitive edge to the organization by making every support function perform optimally. So, CIOs must encourage managers to constantly reinvent themselves to make deployments more businessoriented and successful.

Ravi Uppal

chairman & MD, ABB India

ON I.T.â&#x20AC;&#x2122;s FUTURE

In the case of IT, the benefits are overwhelmingâ&#x20AC;Ś With human intervention, processes and results can sometimes go awry or get inaccurate. I have an increasing belief: activities that do not require creativity should use as much automation as possible. Automation brings efficiency. It brings accuracy, and makes a system immune to any kind of manipulation.

REAL CIO WORLD | n o v e m B E R 1 5 , 2 0 0 6

View from the Top NEW - 02.indd 93

11/10/2006 8:23:51 PM

M.N. Vidyashankar, IT secretary of Karnataka, believes that pressure must be applied on stakeholders if reforms in the government are to yield fruit.

Exe c

Interview | M.N. Vidyashankar

In this interview with CIO,, Vidyashankar delves into potentially proficient areas that can be enabled by IT, even as the process of building Brand Bangalore — and even Karnataka state as an IT destination — continues. He speaks on the subjects in the context of the recently-concluded BangaloreIT.in.

CIO: Are there areas in our current IT policy that need to be streamlined to changes innate to industry? What progress is being made in implementing this policy? M.N. VIdyashaNkar: In letter and spirit of the IT policy, there have been no gaps whatsoever in implementing it. To ensure that we send the right signals and attract top-notch

PHoto by S RIVatSa SHandIlya

One of the striking features of M.N. Vidyashankar’s perspective on IT implementations in governance is the fact that he prefers to base it on dialogue. On the back of project-based consultations with solution providers at one end and a finger on the pulse of the taxpaying public at the other, the IT secretary of Karnataka believes it is possible to add value to governance. The approach has yielded results during his stints as the chairman of Bangalore Water Supply and Sewerage Board (BWSSB) and the commissioner of the Bangalore Development Authority (BDA). The e-Pragati multi-purpose kiosks, for instance, were a product of such a dialogue process and sound execution during his tenure at the BDA.

ImagIng by U nnIKRISHnan aV

Over the years, technology has never failed. If there have been failures,they’ve been in implementation,asserts M.N.Vidyashankar, IT secretary of Karnataka. By Kunal n. Talgeri

e cution Vol/2 | ISSUE/01

Interview.indd 95

REAL CIO WORLD | n o v e m B e R 1 5 , 2 0 0 6

11/10/2006 8:18:18 PM

BangaloreIT.in 2006. Take the rural IT quiz, for instance. Last year, 55,000 students from across Karnataka participated. This year, that figure stands at 9.67 lakh. Look at the quantum jump. We are ensuring that the participation is at the grassroot level. Take Student Internet World. We have installed computers in all the district headquarters, and ensured that people are taught from scratch how to use a computer, access the Internet and the information available on it. We are giving fullfledged training. Even the active assistance given by deputy commissioners in many districts is helping bring about a change. Take Koppal, Bangalore Rural and Dakshina Kannada. In Mangalore, we trained 33,000 and some 26,000 in Bangalore Rural. We are training people for ITenabled governance.

companies in hardware and software, we need to develop the intellectual property front. We will be doing this in consultation with the government and all parties concerned. We are ahead of the milestones we’d set for ourselves in the IT policy. We now have to focus on the missing parts, such as IP, and also look at the changes in the market, such as the parallel growth of the semiconductor and biotechnology industry. In your previous stints heading government agencies, you stressed on using IT as an enabler through projects like e-Pragati and the Kaveri kiosks. What are the mindset changes such initiatives require in the government?

In Karnataka, the reception you get to IT initiatives is very good. People jump at it. It is important to highlight the benefits if you want the initiative to be perceived positively. For instance, Kaveri e-com was the first of its kind in Asia: a payment kiosk for all utilities and bill payments. Earlier, one had to stand in queues for these services. This is a 24/7, fully automated system spread out across the city, which provides information on all utilities. Pre-implementation, we called some of the best IT companies — and gave them our mandate, ‘This is what we require from the customer’s point of view’. We need to be customercentric for such activities. We asked the IT companies for a solution. TCS came forward with a pilot that commenced in Jayanagar, IV Block, Bangalore and lasted six months. We took the feedback and suggestions of about 6,000 customers there and incorporated them in the final rollout plan. Today, there are 75 kiosks across the city. Realistically, do you see IT as a strategic enabler for governance in Karnataka — or is it still something that is seen as technology in its own right?

Technology adds value. In the history of mankind, technology has never failed. If it has failed, it is because of wrong implementation. The sky is the limit when you consider the 96

Interview.indd 96

n o v e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

We ensure constant interaction with IT and its representatives. That dialogue indicates the industry’s needs.” value-additions for customers. We need to keep the interests of our customers in mind. Being in a government agency like BDA or BMP (Bangalore Mahanagar Palike) means you have to ensure that technology answers every query of 60 lakh customers. When you look at customer as the focus and go to the other side of the table, you’ll realize that only technology can add value to services. Furthermore, IT-enabled government services and initiatives are free of cost — be it at BDA, BWSSB or BMP. What are the challenges in ensuring buyin, considering the skewed IT literacy levels across the state?

Let me point to one indicator from

What about the present generation working in government departments? How are they making a transition?

I personally feel an element of pressure is absolutely essential if things have to reach their logical end. A little bit of pressure is necessary. You need a mandated dispensation: “Either you get on board, or you get out.” That’s the language we need to speak. We did that very successfully at BWSSB. There was lots of opposition in the beginning — even from the customers who said, “This is going to fail”. But once everybody understood the merits of it, the demand for IT rose. In fact, customers came back to us and said, “You have done this. Why not also do this, this and even this…”It worked because there was an element of pressure and a mandate. How do you measure the tangible progress made by the IT department?

Apart from employment generated, turnover and export figures, we keep a close track of the number of units being

Vol/2 | ISSUE/01

11/10/2006 8:18:26 PM

registered in Bangalore and Karnataka. Today, we have five new IT units — new companies — registering themselves every week. We are also getting two to three new biotech units every week. We want to see that this number increases. These are units that are being cleared by the single window agency of the Karnataka Udyog Mitra or by a highlevel coordination committee headed by the chief minister. What was the response to BangaloreIT.in this year?

Qualitatively, the response has been very good both in terms of content and satisfaction levels. Some items that hitherto had not received importance in the field were highlighted, such as intellectual property (IP). The IP zone at BangaloreIT.in received maximum attention both from the research community and students from colleges. It showed in some sense that we are a very important entity in creating and protecting IP. Bangalore is not only about BPOs. We have a strong base in creating IP and with 4,100 applications for IP and patents being filed around the world, it is a current issue. We interacted with people who were keen to flag off IP. They said it has never received the attention that it deserves. The apprehension among MNCs today is that some of the developing countries that are trying to build a niche role in IT need to protect IP. We want to send the right kind of message to the right quarters that we, in Karnataka, mean business when it comes to intellectual property. Secondly, we gave people a touch and feel of WiMax during the event. People could navigate from one end to the other without the trouble of taking a cable with them. Thirdly, we had very interesting conferences on semiconductors. Bangalore is home to 65 percent of the world’ s semiconductor design components. Sixty-five percent in one city! That speaks volumes about the designing prowess in IT that Bangalore has. How much progress have Tier II cities made as IT destinations?

As of now, Mysore, Belgaum and HubliDharwad are making very good progress.

Vol/2 | ISSUE/01

Interview.indd 97

Having said that, you need is hassle-free in a customergood infrastructure facilities friendly environment. in Tier II and III cities, before we can actually make How are you looking to a breakthrough. While we make this environment have some kind of a base in more viable for private SNAPSHOT Mysore, Belgaum and Hublicompanies? KARNATAKA Projects Dharwad, we need to develop We are partnering with all Bhoomi kiosks IT infrastructure if technology the infrastructure agencies Kaveri, Registration is to ensure that it really in and around Bangalore, department Khajane, Treasury proliferates to the remaining particularly the Karnataka department 24 districts of Karnataka. Industrial Areas Development No. of STPI* The ITES is an ideal Board, to ensure that we have 4 sector for Tier II and Tier the wherewithal to develop Companies III cities. It demands a PC, industrial areas and SEZs, registered per good college education and which are the order of the day. week: student population — and We are ensuring that state-of5 in Bangalore connectivity. Karnataka is the-art technology is introduced Exports the highest networked state and that connectivity is not Rs 40,000 crore per annum in the country: 50,000 kma problem. The absolutely plus of networking across the essential IT infrastructure Employment 3.5 lakh people city. You have a strong base of requirements must be in place, engineering graduates across and people should have access *software technology parks of India the state. So, ITES is ideal for to it without any hassles. We Tier II and Tier III cities today. are aiming at a culture of plugYou don’t need any additional and-play. infrastructure, as such. If you’re talking of software and hardware, I’d say you need a lot more How much of a case is the IT department infrastructure to develop these centers as making for basic infrastructure, which has IT destinations. It is difficult to develop dogged Karnataka as an IT destination? that level of infrastructure overnight. We ensure constant interaction with IT and its representatives — and associations like Electronics City Industries Where and how can Brand Bangalore Association. The dialogue is something forge a path ahead? that has to be continued. Unless we have Bangalore IT.in is Asia’s premier that firm channel of dialogue, we’ll find event in IT. We have already announced it hard to tell them what we are doing. the dates for this event for 2007 and What we need to do is something that the the dates for Bangalore Nano (March industry tells us. 17th next year). Nanotechnology, we Two, we are also laying down timelines realize, promises to hold the attention of for projects we are working on — and everyone for the next 30 years. An event ensuring that we stick to them. We take around it will help set Bangalore up as people from the industry for periodical a destination for nanotechnology. In the inspections of various projects that they US, such events have been planned up to consider are important. This also enables 2011. That’s the kind of perspective one us to maintain an element of certainty needs to have. Unless you build that kind about the direction of our projects. CIO of perspective, you cannot ensure that the best in the world will participate in your events. It also ensures that you imbibe a competitive culture locally. Our broad role is to catalyze and enable the private sector to come to Chief copy editor Kunal N. Talgeri can be reached at Bangalore and to ensure that their entry kunal_t@cio.in REAL CIO WORLD | n o v e m B E R 1 5 , 2 0 0 6

11/10/2006 8:18:28 PM

Essential

technology Streaming video clips are invading your network. Get a grip now or deal with the pain later.

Essentisl Tec.indd 98

n o v e m B ER 1 5 , 2 0 0 6 | REAL CIO WORLD

From Inception to Implementation — I.T. That Matters

Video Bellyaches By Laurianne Mclaughlin

| Every single day, according to YouTube, people watch more than 10 lakh streamed video clips on the site. Do you know how many your employees watch? You should. The soaring popularity of Web video can expose your company to bandwidth problems and other trouble if you don’t manage it wisely. Video — both recreational and business-related — now eats up more of your network’s bandwidth than ever before thanks to several converging trends. In addition to YouTube, a growing pool of video on news and sports sites like CNN and ESPN tempts employees to dive in at work. Advertising companies push clever viral video clips to promote products from sports drinks to movies. Low-cost video cameras and editing software encourage people to produce family vacation blockbusters and share them online with friends and colleagues. On a different (and more legitimate) note, companies increasingly use video for employee training. (Video training costs less than in-person training, especially for companies with multiple, far-flung offices, and can help verticals such as the food services industry satisfy regulatory training requirements.) And as companies offer more and more video on customer-oriented websites, their own employees must review those videos over the WAN.

Video

Vol/2 | ISSUE/01

11/14/2006 5:37:16 PM

essential technology

The problem is this: your enterprise network is a pipe that has just so much bandwidth, and if streamed video consumes too much of that pipe at once, applications run slowly and documents take a long time to open. These situations, of course, can prevent critical business from getting done expeditiously and prompt the dreaded question: what’s going on with the network? IT needs to get a handle on video before it degrades the enterprise’s ability to conduct its business. Yet, industry research shows many CIOs have not done the baseline analysis to understand how much of the overall pipe is being taken up by video, business apps, regular Web browsing and other sneaky bandwidth-eaters like Skype. Flatly ordering employees not to watch streamed sports coverage while at work may or may not be part of your bandwidth management plan; that depends on lots of factors including your corporate culture. But now’s the time to explore strategies and tools to better manage video.

Nobody Wants a Video Clog As a CIO, maybe you’re tempted to say, “There’s an easy answer to video pollution. From now on, there won’t be any streaming video on my network. End of problem.” But at a growing number of enterprises, it’s impossible to deny employees access to video. They need it to do their jobs. And once your company starts working with video, you may be surprised how quickly the amount of it grows, CIOs say. “Two years ago, we weren’t doing one-third of what we’re doing now with video,” says Steve Worling, manager of IT infrastructure for the National Association for Stock Car Auto Racing (Nascar). “We post a lot of video clips on the Intranet.” As Nascar.com and its partners deliver ever more race highlights and driver interviews to fans, Worling’s employees must review them, which means they work with more video every day over the network. And all that video traffic must compete with the other apps on the WAN for bandwidth. Consequently, “We’re seeing those pipes get more congested,” Worling says. His peers in industries like travel and entertainment

Vol/2 | ISSUE/01

Essentisl Tec.indd 99

see a similar situation developing as their companies offer up more video to consumers, and their employees spend more time working with video over the WAN. At Nascar, Worling’s bandwidth woes are compounded by the fact that in certain departments like legal, users send a lot of large documents between offices on the WAN, taking up another big slice of the pipe. One result: those users saw it taking longer to trade and open those important documents, says Worling. So now, one of his priorities is to tackle the bandwidth problem.

Analyze This! As IT tackles video, it faces several options: block streaming video entirely, set defined limits or use a ‘dimmer switch’ approach to ensure that critical apps get bandwidth first. To make sure employees understand the rules about video use, you’ll want to update your company’s Internet use policy. You may also need network appliances to help manage video, or a bigger Internet pipe. But the first item on your to-do list must be analysis. Take a close look at what’s lurking on the WAN. Companies already use Web filtering technology to block offensive sites and monitor employee surfing, but it’s surprising how few have taken a cold hard look at bandwidth utilization on the WAN down to the level of specific apps and sites, says Forrester Research senior analyst Robert Whiteley. You need to understand which applications take what percentage of your overall bandwidth pipe, says Whiteley. For instance, you want to know if employee visits to YouTube are taking 10 percent of that overall pipe, because you might need to make that bandwidth available for business apps — say the new Web apps you’re rolling out as part of your SOA strategy. “It’s amazing how little quality-ofservice research is done,” Whiteley says, to ensure that the apps, which are most important to business, get the necessary amount of bandwidth to keep them humming. Just 11 percent to 13 percent of IT organizations analyze bandwidth usage down to the detail of individual applications, according to Forrester.

Video Tools Appliances to enforce rules and manage bandwidth. If the heavy use of streaming video, Web apps, or large documents are clogging your WAN pipe and degrading application performance, network appliances can help you manage the situation. Traditional bandwidth allocation appliances help ensure that critical applications get bandwidth priority. Newer appliances offer rules you can set for video. Juniper WXC 500 and 250: These bandwidth allocation devices can help an enterprise deal with video and applications that are taxing WAN bandwidth. With 40GB to 3-terabyte hard drives, they also store pieces of frequently revised large files, so that only the changes travel over the WAN. Cisco WAE appliances: These WAE modules and appliances are part of Cisco’s WAN optimization solution that monitors and manages how bandwidth is used by different applications and video. Cisco Application and Content Networking System software for these appliances and add-on modules for Cisco Integrated Services Routers will add functionality specifically for video, including compression, caching and other tricks to reduce video-related data over the WAN. Blue Coat SG appliances: Can make video rules easy to apply, based on your preferences. For example, you may want to block specific sites or parts of sites, at specific times, or simply slow down streaming video when the WAN pipe becomes clogged. Uses caching, compression and intelligent handling of the video stream to reduce the amount of video-related traffic on the WAN. —L.M.

Companies such as Cisco, Expand and Packeteer have long offered bandwidth management products, such as Cisco’s WAN optimization hardware and software solutions, which can help you monitor and REAL CIO WORLD | n o v e m B ER 1 5 , 2 0 0 6

11/14/2006 5:37:16 PM

essential technology

manage bandwidth allocation. But now they are addressing the video trend. Cisco offers software that gets added to its WAE appliances or its widely deployed Integrated Services Routers to specifically manage bandwidth problems related to video. The software, according to Cisco, will compress and cache the video (so it doesn’t travel repeatedly over the WAN) and eliminate unnecessary ‘chattiness’ between apps and video (like instructions and status updates).

Tool Talk A new breed of appliances from companies such as Blue Coat offer caching and compression, plus the ability to ensure oversight of all video traffic and then simplify that oversight. These boxes, which usually live at the Internet gateway on the network, offer a wide variety of rules and policies that can be applied and managed. Blue Coat’s SG appliances give you the option of blocking all streaming video, video from specific sites or just from parts of sites. Or you can choose to block all streaming sites except a specific group during business hours. Then there’s the dimmer switch approach: letting streaming video take only a certain percentage of your overall bandwidth — after that, users will only have slower video. In the future, says Joe Skorupa, a Gartner research VP, CIOs can expect to see more multi-function WAN appliances that will handle caching, compression, application performance monitoring, blocking, security and maybe VPN tasks. Another reason to consider an appliance is if your company has centralized servers to simplify Sarbanes-Oxley compliance by putting all backup data in one location. In that case, your users are now sending more and more data over the WAN rather than grabbing it from a local server. This can cause documents or apps to slow down. Nascar’s Worling, who experienced this problem, is adding bandwidth optimization appliances from Juniper to Nascar’s network (Juniper’s WXC 500 and WXC 250 models). But that change alone won’t be enough to address Nascar’s needs. If you have a large amount of business-related video traffic, an 100

Essentisl Tec.indd 100

n o v e m B ER 1 5 , 2 0 0 6 | REAL CIO WORLD

Your Internet Use Policy Employees need to understand the rules. How can you construct a solid policy? Here are some key tips: 1. Get HR involved. IT should list the technologies to be mentioned in the policy, and HR should ensure that the rules are explained in layman’s terms, says Jennifer Berman, a managing director with CBIZ Human Capital Services, a business services firm. 2. Be clear and specific. “Use real examples of what’s permissible,” Berman says. Address online shopping, sports scores, streaming video. The more specific, the better, she says. The policy templates she provides to clients increasingly mention new technology such as video, social networking and IM. 3. Understand that video can fuel hostile workspace claims. There are inappropriate videos on sites such as YouTube, says Scott Fisher, an attorney at law firm Fowler White Boggs Banker, that could lead to discrimination, harassment and hostile workplace suits filed against companies that have allowed those videos to come into the enterprise. 4. Make avenues for complaints clear. Employees must understand how to report violations, says Fisher. And managers need training on how to deal with violators, says Berman. 5. Review policies at least yearly. “There’s so much in this arena that takes place in a year. You want to make sure your policy covers a new situation or device,” Fisher says.

— L.M.

appliance will often help, but you may also need to upgrade your Internet pipes.

Time for a Bigger Pipe? In some cases, setting rules with users and implementing network appliances will give you adequate control over the video situation. But for companies with heavy video consumers, you may also decide you need a better Internet connection. Nascar came to this conclusion and recently installed a 20Mb Internet connection, replacing a 3Mb T1 in its Daytona office at about the same monthly cost. (Nascar’s provider, Brighthouse, brings fiber right to the building and offers competitive rates.) Nascar currently has a 5Mb connection at one of its offices and is looking for alternatives to T1 for its other offices in New York City and Los Angeles. Later this year, Worling will also deploy multiprotocol label switching (MPLS)

network infrastructure to tie offices together with 1.54Mbps data connections. “[MPLS] will allow all the offices to talk to each other without routing through one central point like the Daytona office,” Worling says. “We currently share point-to-point T1s that point back to the Daytona office with our voice applications.” With the MPLS design, data from branch offices won’t have to travel back and forth to Daytona as much, which improves the WAN bandwidth picture. Still not convinced you need to change the way you manage video? Well, clogged pipes and lethargic apps are not the only problems the video explosion is introducing to the enterprise. Does the word storage get your attention? How about security?

Wait... It Gets Worse As companies create more video, IT must store it. And video files aren’t small. Worling must store a growing amount of video that

Vol/2 | ISSUE/01

11/14/2006 5:37:17 PM

essential technology

Essentisl Tec.indd 101

RESOURCES | ESSENTIAL TECHNOLOGY | GOVERN | TOP VIEW | COLUMNS FEATURES

editor@cio.in

NEWS |

Laurianne McLaughlin is technology editor. Send feedback on this feature to

Features

WebExclusive

Nascar uses for crash analysis. His storage requirements and costs are rising. “We just bought a SAN and are consolidating some storage,” Worling says. At Purdue University, interim VP for IT and CIO Gerry McCartney says it’s hard to forecast the video clip volume on the network in the next few years, and this complicates his storage planning. “We’re seeing an increase in e-mail storage, and we attribute part of that to videos sent via e-mail,” he says. Purdue students currently get a storage limit of 500MB, but the college may increase that limit to 1GB, partly due to the video factor, he says. That means Purdue’s e-mail servers require more storage. The university is also increasing storage due to video training used to teach employees ERP applications, McCartney says. And in addition to storage, security could become a videorelated headache for CIOs, says Forrester’s Whiteley. Today’s hackers are writing small, nimble pieces of spyware and virus code that they can quickly modify to work with various types of programs, including IM, VoIP or the player software that people use to view video clips, Whiteley says. Today, the risk is theoretical, he says, but should be on a CIO’s radar. In one of the first examples of malicious code being delivered via video tools, anti-spyware vendor Webroot reported in August that it located a Trojan horse program called Zlob, pretending to be an update to Windows Media Player. Users clicking on video clips were asked to download the update, which included the Zlob malware, and it proceeded to seek out other malware to install on those PCs, according to Webroot. The problem with malware like this is you typically don’t know what the intent of the virus writers is — to install ‘bot’ software to control the PC, to look for data on your network, or just to cause mischief. Bottom line: CIOs will need to watch how the amount of video on the network evolves and be prepared to change the rules accordingly, says Matthew Miszewski, CIO of Wisconsin. “Our normal Web filter blocks inappropriate traffic,” he says, but he hasn’t had to make a move like forbidding ESPN during business hours for bandwidth reasons. “We’ve thought about it,” he says. “But I don’t think it would be a popular move. If it gets out of hand, we have the ability to lock it down.” Do you? CIO

How to put the Money Where the Mouse is With a flexible I.T. infrastructure, a streamlined business organization and attention to customer convenience, e-Trade is modeling the future of Web-based banking. Making PCs Manageable Virtualization can reduce the time and expense of managing desktops by a magnitude. But the choice of technologies and approaches is downright dizzying. Read more of such web exclusive features at www.cio.in/features

Columns No Small Change Process orientation isn’t enough to ensure buy-in from your team. Who’s your Boss? Whom a CIO reports to is directly related to IT’s impact in an organization. Read more of such web exclusive columns at www.cio.in/columns Resources Podcasts from CIO Live Atul Kumar, the CIO of Syndicate Bank discusses the challenges of holding on to the talented people within your organization. S Sridhar, CIO, Hutchison Essar talks about the innovative uses of VoIP Download more web exclusive whitepapers from www.cio.in/resource

REAL WORLD 11/14/2006 5:37:17 PM

Pundit

essential technology

RemoteWorker Costs to Go Through the Roof You'd best get on top of your company's remote management issues, or pay for it later. By Thomas Wailgum

Remote management | At a recent Gartner Symposium/ITxpo, I picked up an interesting tidbit regarding the management of remote workforces. Gartner made this ominous prediction: “Through 2010, companies that do not implement new, more-stringent remote worker policies and network access controls, along with management tools, will see remote worker costs increase by

remote-worker strategy. “The problem is that different remote access technologies are managed by different groups, and new technologies are cropping up that no one is managing,” said Paulak. “Many costs get buried in the company, and the hidden costs are growing rapidly while the centrally managed costs are declining. These costs could be controlled if they were part of a centrally managed remote access service.”

their work on a non-company standard PC through 2008,” Gartner reported. For his part, however, Paulak was somewhat pessimistic in his comments about IT’s desire to fix the problem. “Many networking managers don’t want that to happen, however, as it takes a hidden cost that the business units have to pay and turns it into a known cost that the networking or IT department has to pay,” said Mr Paulak. “Yet,

Most companies control employees’PCs, but Gartner says this“is being challenged by those who refuse the company PC.”The biggest offenders are C-level executives. five to 10 times and the number of security breaches increase exponentially.” Got your attention? Gartner threw out more statistics: “The known costs of centrally supporting remote access services will double by 2008, and the unknown costs without centralized management will triple.” I’ve always wondered about the relevance of such predictions. Does anybody really care about stuff like this? It turns out the answer is yes; many people do care about stuff like this, which is why I wanted to talk about it. First, with Gartner’s predictions in mind, are you really concerned about managing the costs of your remote workers? And what, if anything, are you doing about it? Gartner’s Eric Paulak, a managing VP, sees the chief problem as a lack of a centralized 102

ET-Pundit.indd 102

n o v e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

What he’s getting at is what I’ve been hearing from more and more CIOs lately: a shift to more centrally managed IT. The critical caveat that almost all CIOs will include with this strategy is “...where it makes business sense.” That’s good. An interesting data point that came out of the Gartner gathering provided evidence of the dearth of centralized and standard IT policies, and the fine (and tricky) line that IT walks: while most companies maintain ownership and control over employees’ PCs, Gartner stated that the arrangement “is being challenged by more employees who refuse company standard-issue PC.” The biggest and most frequent offenders? C-level executives. That’s priceless. “Fifty percent of C-level executives will perform 80 percent of

if these costs were centrally managed, the company would be able to control its costs much better. IT/networking/remote access managers should push their companies toward more-aggregated services to control rising costs. This will require buy-in from the CFO because it may increase IT costs, but it should lower total corporate costs by up to 40 percent.” It’s good advice, I think, if you can do it. (Good luck if you are taking away the non-company-issues toys of your C-level colleagues.) Will you heed it over the next four years? Does centralizing IT costs make sense to your organization? CIO

Send feedback on this column to editor@cio.in

Vol/2 | ISSUE/01

11/10/2006 8:26:34 PM