CIO December 15 2006 Issue by Sreekanth Sastry

Cover_october011_checklist.indd 84

11/17/2011 11:31:35 AM

From The Editor

A recent survey of CEOs across the globe has thrown up a whole host of issues

A Question Of Hats Should a CIO be a business leader or a technologist first?

that are relevant to you, from business-IT alignment to outsourcing to the role of IT. The study, conducted by IBM, found that 86 percent of the CEOs interviewed, rated ‘business and technology integration’ to be of great importance and that less than 20 percent stated that their organizations have been very successful at managing change. That should be enough cause for concern for any IT leader. On a positive note, the survey confirmed that the role of a CIO in India “is that of a critical decision-maker when it comes to using technology to address the innovation challenges and opportunities for the business.” It went on to find that Indian CIOs “need to be business executive firsts and technologists second. They need to close the gap between business and IT by building the hybrid skill sets that enable IT professionals to understand the needs of the business. [CIOs] need to promote and become part of a new governance model where responsibility for business and IT is Donning the business shared by business and IT leaders.” hat may be what CIOs I bounced these opinions off a bunch require to become of your peers and the CIO Advisory Board agents of change in their members to receive reactions from both organizations. sides of the camp (see Inbox Page 16). I guess another approach to whether a CIO ought to wear a business hat or a technology one is more about the right mixture of skills that he or she brings to the table. As IIIT-Bangalore director Prof. S. Sadagopan observes, what is possibly required is a ‘T-model’ CIO with breadth at the top in terms of business applications, context and emerging areas — and depth in terms of technology. Highlighting what is also a critical area (considering the number of CIOs who report in to CFOs), Arun Gupta, director of Philips Electronics India, states that the views of the CEOs are not always echoed by other business leaders within the same company. It is this “lack of aligned thinking” that poses challenges to the CIO, he feels. I wonder if donning the business hat may be what CIOs require to become a major force in changing the way their organizations operate. What do you feel about this? Should CIOs lean more toward business or technology? Write in and let me know your thoughts.

Vijay Ramachandran, Editor vijay_r@cio.in

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd8 8

Vo l/2 | ISSUE/03

12/14/2006 7:06:24 PM

content DECemBER 15 2006‑ | ‑Vol/2‑ | ‑issue/03

Executive Expectations View From The Top | 36 If experience in the U.S. is anything to go by, technology provides immense value to stock exchanges. A look at the dividends Meyer Frucher, CEO of the Philadelphia Stock Exchange, the oldest bourse in the US, expects from IT. Interview by Matt Vilano

Executive Coach A Good Offense is a Good Defense | 23 Why it pays CIOs to map their plays before a dictate to outsource comes down from above. Column by Susan Cramm

Ph oto by Sr ivatsa Shandilya

2 6 RFID

Cover: Imagin g by Bines h Sreedharan

COVER STORy | tag it right | 26

Keynote Get Smarter About Security Risk | 20 How much you should invest in protecting corporate data depends on how good you are at assessing the threat. Column by David Apgar

BPM

For a CIO, RFID has proven process efficiencies on the one hand and significant upfront costs on the other. Where is he to strike a balance? An implementation at Madura Garments has some interesting answers.

Whose Business Is Process Improvement Anyway? | 40 Business and IT are locked in a struggle over who controls the management of business process improvements. CIOs who seek to lead the charge have their work cut out.

Feature by Kunal N. Talgeri

Feature by Meridith Levinson

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd10 10

Vo l/2 | ISSUE/03

12/14/2006 7:06:28 PM

content

Troops Want More Authentication | Guarding the Bard

Essential Technology | 54 Open Source | The New Open Sourcing

By Galen Gruman Innovation | Innovation and Strategy By Elana Varon

From the Editor | 4 A Question Of Hats | Should a CIO be a business

leader or a technologist first? By Vijay Ramachandran

Inbox | 14

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

c o.in

Govern Speaking their Language |â&#x20AC;&#x201A; 50 Dr. C. Chandramouli, IT secretary of Tamil Nadu, is pushing the usage of Tamil so that the common man can benefit from e-governance.

2 2

Interview by Balaji Narasimhan

IT versus terror |â&#x20AC;&#x201A; 46 Preventing a terror attack is invaluable. But even invaluable IT projects need realistic business case analysis to succeed. Feature by Ben Worthen

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd12 12

12/14/2006 7:06:33 PM

Advertiser Index

ADVISORY BOARD Manage ment

President N. Bringi Dev

COO Louis D’Mello Editorial Editor Vijay Ramachandran

Assistant Editor Harichandan Arakali

Special Correspondent Balaji Narasimhan

Senior Correspondent Gunjan Trivedi Chief COPY EDITOR Kunal N. Talgeri

COPY EDITOR Sunil Shah www.C IO.IN

Editorial Director-Online R. Giridhar

Anil Nadkarni

Avaya

4&5

Canon

Cisco

Citrix

Fujitsu

Head IT, Thomas Cook, a_nadkarni@cio.in Arindam Bose Head IT, LG Electronics India, a_bose@cio.in Arun Gupta Director – Philips Global Infrastructure Services Arvind Tawde VP & CIO, Mahindra & Mahindra, a_tawde@cio.in Ashish Kumar Chauhan President & CIO - IT Applications at Reliance Industries

D esign & Production M. D. Agarwal

Creative Director Jayan K Narayanan

Designers Binesh Sreedharan

Vikas Kapoor; Anil V.K. Jinan K. Vijayan; Sani Mani

Chief Manager – IT, BPCL, md_agarwal@cio.in Mani Mulki VP - IS, Godrej Consumer Products Ltd, m_mulki@cio.in

IBM

Road block

Unnikrishnan A.V. Sasi Bhaskar; Girish A.V. Vishwanath Vanjire

Manish Choksi VP - IT, Asian Paints, m_choksi@cio.in

Interface

Lenovo

Mercury

MM Shanith; Anil T PC Anoop

Photography Srivatsa Shandilya

Production T.K. Karunakaran

T.K. Jayadeep Marketing and Sales

General Manager, Sales Naveen Chand Singh brand Manager Alok Anand Marketing Siddharth Singh Bangalore Mahantesh Godi Santosh Malleswara Ashish Kumar, Kishore Venkat Delhi Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B Mumbai Parul Singh, Chetan T. Rai Japan Tomoko Fujikawa USA Larry Arthur; Jo Ben-Atar

Singapore Michael Mullaney UK Shane Hannam

Events General Manager Rupesh Sreedharan Manager Chetan Acharya

Neel Ratan Executive Director – Business Solutions, Pricewaterhouse Coopers, n_ratan@cio.in Rajesh Uppal General Manager – IT, Maruti Udyog, r_uppal@cio.in Prof. R.T.Krishnan Professor, IIM-Bangalore, r_krishnan@cio.in

Microsoft

Gate Fold

S. B. Patankar Director - IS, Bombay Stock Exchange, sb_patankar@cio.in

Oracle

Rittal

SAP

S. Gopalakrishnan COO & Head Technology, Infosys Technologies

s_gopalakrishnan @cio.in S. R. Balasubramanian Sr. VP, ISG Novasoft, sr_balasubra manian@cio.in Prof. S Sadagopan Director, IIIT - Bangalore. s_sadagopan@cio.in

Wipro

6&7

Sanjay Sharma Corporate Head Technology Officer, IDBI, s_sharma@cio.in Dr. Sridhar Mitta Managing Director & CTO, e4e Labs, s_mitta@cio.in All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Former VP - Technologies, Wipro Spectramind

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

CTO, Shopper’s Stop Ltd, u_krishnan@cio.in

Sunil Gujral

s_gujral@cio.in Unni Krishnan T.M

V. Balakrishnan CIO, Polaris Software Ltd., v_balakrishnan@cio.in

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd14 14

Vo l/2 | ISSUE/03

12/14/2006 7:06:34 PM

reader feedback

in the eyes of his business colleagues. Collaboration with external stakeholders through the extension of the enterprise tech platform will no longer be a good-to-have but a must-have. The challenge is in selling the concept, supported with a secure tech infrastructure to facilitate it. RAjeev ShiRodkAR, VP-IT, Raymond

According to a recent study of CEOs worldwide, CIOs need to be business executives first and, then, technologists. Joining the debate, this is what some of your peers had to say:

Aye I completely agree with this study, without any qualification whatsoever. Identifying, mooting and then executing ‘change’ is always expedited when there is a rapport between the CIO and CEO. Mutual trust and understanding is the bedrock on which this rapport is built. This can happen only when the CEO has a reasonably strategic focus with an equally strategic CIO. This must be supported with a multitude of other components, which are beyond the scope of this opinion. Specifically, the organization must have the ability to initiate working on two levels simultaneously: one on the basis of a compelling strategic business vision with a long-term game plan (say 5-7 years) and the other with an annual tactical vision with a quarterly focus. I also endorse the view that CIOs must empathise with business processes and roles in an informed manner and that technology strategies must be built to enhance customer satisfaction through robust yet flexible role-based processes. I need to emphasise: a CIO will be seen as an effective business partner only when he is able to establish credibility 16

Inbox.indd 16

D E C E M B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

I agree that CIOs need to be business executives first, and then technologists. Most of the observations in the study reflect what CIOs are striving to achieve today. However, if the study is saying that Indian CIOs are not doing this, then I disagree. Quite a few have crossed the evolution curve and many are getting there. The views of CEOs are not always echoed by other CXOs within an organization and this lack of aligned thinking poses challenges to CIOs. Analysis will reveal that many innovative ideas have originated and/or been supported by IT organizations. The ‘sync’ between IT and business is a two-way street. It can only happen when both sides are amenable to joint decisions and accept each others' competencies and strengths. Measuring these in isolation will create a perception of a rift. All in all, the revelation that “the role of a CIO in India today is of a critical decision-maker" is heartening and validates that CIOs are getting due recognition. ARun un Gupt GuptA

"The ‘sync’ between IT and business can only take place when both sides are amenable to joint decisions and accept each others' competencies and strengths." nay It is generally believed that a CIO must be a business leader first, and then a technology leader. But, this is a narrow view of technology, which is primarily about solving problems imaginatively using key science and technology principles. Personally, I wouldn't divorce technology from business, though studies based on short user-surveys tend to distort this idea often. Sure, you can always ‘buy’ technology advice from consultants and focus on business. Then, why have a CIO at all? Consultants would have sufficed to advise CEOs and boards of directors! I think CIOs should be deep in technology without losing touch of business — it is some sort of a T-model: breadth at the top in terms of applications, context, knowledge of emerging area coupled with depth in technology.

Director, P-GIS, BRM - SCANZ

pRof. S. SAdAGopA op n opA

Philips Electronics India

Director, IIIT-B

What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.

editor@c o.in

I do not completely agree. There cannot be just one view. We can also have a technologist who develops business skills. But, I do agree that CIOs need to have both technical and business skills today. S. ‘kRiS’’ Gop GopAlAkRiShnAn, President & COO, Infosys Technologies

Vol/2 | ISSUE/03

new

hot

unexpected

CIos Stop worrying whether coworkers think you’re mean, and learn to speak up and promote yourself. That’s the advice for women who aspire to occupy the C-level suite, according to a new wave of advice tomes. The fear of being labeled negatively keeps women from achieving their career goals, says Debra Condren, author of amBITCHous, which hits shelves in January. Should women in IT pay attention to Women

the current buzz on ambition? Yes, say women CIOs we spoke to: you must learn to build relationships and communicate well to succeed without being slapped with the B word. “Women don’t use their power to build a platform for themselves at work, because they are afraid it’s going to make them seem arrogant,” Condren says. Other recent titles such as Girl’s Guide to Being the Boss (Without Being a Bitch), Women Don’t Ask and Nice Girls Don’t Get the Corner Office urge women to avoid self-imposed career mistakes. “We’re not talking about the glass ceiling anymore,” says Condren. “We’re talking about what we’re doing to ourselves. Women are prone to second-guessing themselves, not getting (or taking) credit for their work and not promoting themselves.” Promoting yourself in a male-dominated field can be tricky: in 2005, the Information Technology Association of America reported that women make up 32 percent of the IT workforce.

IllUSTrATIOn By MM S HAnITH

Ambition is Not a Dirty Word

How many times have you walked sheepishly into your CEO’s office, looking for another extension on that in-house project? Sure, impossible deadlines, developers who underestimate work and new requirements are to blame. But so is the time it takes to test code. Typically, developers not only have to write the code, they to write the tests as well. And more often than not, it’s a three to one ratio; three lines of test to every line of code. And up against a deadline, guess what goes out of the window? Poorly-tested code isn’t the only fallout of manual, time-consuming unit testing. It has repercussion on QA cycles. Before an application can reach users, its code is created by developers who pass it on to

CodIng

VOl/2 | ISSUE/03

Trendlines.indd 17

Check Your Code! quality assurance (QA). QA spends more time doing basic tests rather than testing for functionality and load, because hurried developers aren’t sending them code that’s been checked for basic bugs. In the back-and-forth between developers and

QA, time-to-market becomes just another red circle on the calendar. A developing trend to automate code testing for Java, as developers write it, is allowing developers to fix more basic logic problems before code leaves them. It promises to set things straight between developers and QA, which will directly impact deadlines and code quality. “We’re consistently leveraging software best practices like unit testing," says Kamran Ozair, Senior VP and CTO, IT services, at MindTree Consulting, who has implemented a unit testing solution. "It helps us combine extreme agility in our development processes with unmatched quality,” he adds.

— By Sunil Shah REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

IllUSTrATIO n By An Il T

(Continued on Page 18)

12/15/2006 3:15:50 PM

(From Page 17)

Keep Those

Handsets Clean V I r u s Mobile phone malware — viruses, worms and Trojan programs created to attack the devices — are rare in north America but prevalent in Japan and Europe, where 3G technology is more popular, according to Corey nachreiner, a network security analyst at vendor WatchGuard Technologies. By the time such malware hits domestic users’ handsets — about two years away — the programs are expected to blend into more complex threats. Some examples recently hitting overseas users include: The Doomboot trojan perpetrates denial-of-service attacks by billing itself as ‘Warez’ — premium games that have been compromised to allow free use, says Seth Fogie, VP at mobile security vendor Airscanner. Devices work until they are rebooted. Doomboot enters via Bluetooth’s discovery mode, the Web and e-mail. Cardtrap spreads to phone memory cards, which can be inserted in computers to sync up a music or ringtone download— where it can infect again, says Fogie. Redbrowser is a russian wireless application protocol browser that offers to send free SMS messages but actually charges the user rs 225 to rs 270 per message. zBuffer overflow vulnerabilities exist in the Windows Mobile software, according to Fogie, in cases where an application has not been programmed to properly check the format of incoming data. Such attacks will become more prevalent as the platform grows, he adds. mobIle

Things You Can Do Educate users that mobile phones are vulnerable and they should not install anything on them unless it’s from an authorized source. Secure and control phones. Use mobile versions of firewalls and anti-virus protection. (From companies like F-Secure and TrendMicro) IllUST rATIOn By B In ESH SrEEDHArAn

Secure phone ports. Many phones have USB ports. Corey nachreiner of WatchGuard Technologies advises getting USB control software.

And it’s harder for women to become CIOs than to achieve any other executive role, according to a 2006 study done by the University of California, Davis. Women CIOs say differences in style and priorities can hold you back if you don’t manage them. “Men spend more time together in social settings like the golf course or the bar after work,” says Judy Stahl, a former CIO for Harvard Business School. “Women may not participate as much in these non-work activities that create stronger partnerships, which can lead to promotions.” Stahl chose to spend more after-work time with her husband than with co-workers, so she worked hard to build relationships during business hours, regularly checking in and showing genuine interest in others’ work. Ambition, instead of meaning the pursuit of a passion, has come to represent a person who will step on others to get to the top, says Campbell Soup CIO Doreen Wright. Communication skills are key, she says. She recommends the book, You Just Don’t Understand: Women and Men in Conversation. One mistake: “Women tend to be selfdeprecating; they diminish compliments by saying something negative about themselves,” she says. To prevent yourself from being labeled negatively, spend extra time “explaining why you are doing things the way you are,” says Wright. “A man behaving aggressively doesn’t have to explain why they are doing it, but I take the extra time to explain my position.”

Secure Bluetooth. If the user doesn’t need Bluetooth, disable it. If the service is needed, the end user shouldn’t accept connections from unknown parties. Set policies. CSOs or CISOs can enforce policies around downloading or opening files from unauthorized sources. —By David Geer 18

Trendlines.indd 18

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

—By Margaret Locher

VOl/2 | ISSUE/03

trendlInes

It Takes More Than Work

trendlines

Translation Software Goes to Iraq R e c o g n i t i o n The US Joint Forces Command will deploy IBM Research’s speech-to-speech translation software to help US forces in Iraq better communicate with Iraqi police, military forces and citizens. The software’s real-time translation capabilities could help the military make up for a lack of linguists proficient in Iraqi Arabic. IBM Research’s Multilingual Automatic Speech-to-Speech Translator system (Mastor) combines work on automatic speech recognition, natural language understanding and speech synthesis that’s been underway at IBM since 2001, says David Nahamoo, CTO of speech technology at IBM Research. When used in Iraq on ruggedized Panasonic Toughbook laptops, Mastor will act as a bi-directional, English-to-Iraqi Arabic V o ic e

translator capable of handling more than 50,000 English words and 100,000 Iraqi Arabic words. For example, a US military trainer looking to work with an Iraqi policeman could speak English into a laptop’s microphone. The IBM technology would recognize his English speech, translate it into Iraqi Arabic and then vocalize that translation for the Iraqi policeman to hear, and vice versa. Later this year, IBM’s commercial partner Sharp plans to introduce a Japanese-to-English translation PDA based on some Mastor technologies, says Nahamoo.

— By China Martens

Security

Organized criminals are increasingly using rootkits to spread remote control ware (also called botware), spyware, spamware and keystroke loggers. How do rootkits attack? Well, they sneak in under the radar of computer security, hook deep into the operating system, and add malicious programs. They arrive via clicked-on links in e-mail, instant messages and websites. Rootkits have been present in 14 percent of the 5.7 million computers scanned by Windows Malicious Software Removal Tool, according to a June Microsoft report. They start as low-level programs, such as Web helper applications, that are too small for security software to notice. Then, they

Vol/2 | ISSUE/03

Trendlines.indd 19

compile and open a back door to other programs that use the computer to relay e-mail and IM spam, or steal personal and regulated information. “Rootkits demand a new type of technology that finds and eliminates wellhidden malware. It’s a much bigger job than anti-virus companies can do,” says Alan Paller, research director at SANS. Emerging rootkit detection and removal tools are immature, each using different techniques. Vendors like Websense and Sana Security claim to catch rootkits by looking for behavior indicative of hidden malware operating in the background — such as servers initiating network calls or desktops talking to each other, says Peiter C. ‘Mudge’ Zatko,

technical director at BBN Technologies. But each rootkit detection tool is able to find only certain types of rootkits (for example, kernellevel or memory-hidden). Ask: can a tool stop a rootkit from installing? Can it detect custom or targeted rootkits? If yes, can it remove them? Update browser patches, and layer your security to include behavior and rootkitlevel analysis technologies for protection, say experts. Rootkits, meanwhile, are now hiding in virtual machine (VM) configurations, used to create virtual networks on a single machine for testing. At August’s Black Hat Security Conference, researcher Joanna Rutkowska demonstrated how to use VM Ware to install a rootkit on Microsoft’s new Vista operating system. Her suggestion: restrict VM mode to only those computers that need it for development and research. — By Deb Radcliff REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6

Il lustratio n by Sasi Bhaskar

Rootkit Reality

12/15/2006 3:15:53 PM

trendlines

MIT Puts its Mind to Collective Intelligence Many heads are often better than one, and the brainiest institution in the country wants to officially brand that idea as a science. MIT has launched its Center for Collective Intelligence (CCI) to study how individuals harness technology to act intelligently. The center hopes to build on the current definition of collective intelligence by, fittingly, using wikis and other modes of collective input, said Thomas Malone, CCI’s director, at the center’s October launch. During the past few years, collective intelligence has captured growing interest. Wikipedia — the online encyclopedia where users can add, subtract or edit information on any subject — pioneered the collective intelligence movement, starting a controversial debate about the value of information created by a group. The best-selling book The Wisdom of Crowds by James Surowiecki has also fueled enthusiasm for the concept.

C o l l a b o r at i o n

While Surowiecki’s book made a splash everywhere from cube farms to corner offices, Malone emphasizes that the center wants to take a more serious and academic approach to collective intelligence. “There are people who think that collective intelligence is magic, and if you just add it, it’ll make everything wonderful,” said Malone. To begin defining collective intelligence, CCI has launched the Handbook of Collective Intelligence, where you can contribute and edit, on a wiki-style platform. “We hope that in the long run, the work we do in this center will help contribute to scientific understanding in many different disciplines,” Malone says.

—By C.G. Lynch

Strategic Planning: The Troops Want More R e p o r t Strategic planning is vital to an organization’s ongoing success, but many executives aren’t happy with their company’s approach to the strategic planning process. In an online survey of 800 executives conducted by The McKinsey Group consultancy, fewer than half the respondents reported satisfaction with their company’s development of strategic planning. “We discovered that people tended to be significantly more satisfied if their companies did have a strategic process,” says Renée Dye, a senior practice expert in strategy in McKinsey’s Atlanta office. Of those who reported that their company implemented a Management

Trendlines.indd 20

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

formal strategic process, 79 percent were satisfied with strategy execution. Another pain point: only 23 percent of respondents said that a formal strategic process drives important decision making at their company. The majority, at 52 percent, credited small senior groups with making critical strategic decisions. Notably, there’s a strong correlation between monitoring of strategic plans and executive approval of those plans, according to the study. Satisfied respondents were twice as likely to say their board checks the company’s progress against the strategic plan. Still, only 56 percent of respondents overall reported that their company monitors its strategic initiatives.

Here’s where CIOs have an opportunity to improve their company’s strategic process, and subsequently, heighten executive satisfaction, says Dye. “Almost nobody reported that they did track the process. That’s where I think the CIO could play a tremendously important role. “CIOs could help establish the appropriate performance monitoring systems,” once strategic metrics are agreed upon, she says. Dye’s other advice for C-level executives: communicate strategic plans better. “We are not convinced that companies do a good job of articulating that they know what they want to achieve,” she says. —By Lauren Capotosto

Vo l/2 | ISSUE/03

12/15/2006 3:15:54 PM

Guarding the Bard Two years ago, the British Library began a centralized effort to transfer books, microfilms, newspapers, magazines and other publications to a digital format. The idea was to make its materials available to a wider audience, but practical considerations also drove the plan. A new law would soon mandate that the library collect and manage digital content. The library needs to have backups of historic and valuable works, and many materials are only in digital form. The library’s development team realized that in a few years, they would have as much as 500 terabytes to store, and wanted to keep it on one system. The library has, in fact, digitized material for the past 15 years. Now, as items are added, they are time-stamped using nCipher software and digitally signed with software written by the library, ensuring that electronic versions are identical to the originals. “Part of the initial processing of an object includes examining the entire bit-stream and deriving a cryptographically protected mathematical value from it,” explains Roderic Parker, communications officer in the Digital Object Management Programme at the British Library. “This, combined with the precise date and time of processing, gives a unique value that can be trusted by other parts of the system. The signature of the retrieved object should be the same as the signature of the object as originally received.” In a conventional library, you can examine the chemical composition, the ink and the binding of an item to determine its authenticity, says Sean Martin, head of architecture and development at the British Library. Tampering is obvious. With electronic files, how can you tell if you are looking at a real item? Over time, hardware changes and administrators are replaced, Martin says, but the encrypted digital signature and time stamp will ensure that the material you are looking at is authentic. “It’s the responsibility of a national library to have a process that shows an item is authentic,” Martin says. “We do this for physical materials; a digital collection shouldn’t be any different.” In the instance of a flood or fire, the collection will be available without interruption via the remote site. Martin says, “It’s unacceptable from a business point of view to have a national collection offline in the event of a disaster.” —By Margaret Locher

au t h e n t I C at I o n

Trendlines.indd 21

Meet Your New Host Supply chain software has been considered too risky and important to be hosted by outsiders. That is, until you consider the risks and expense of installing and supporting it yourself. The Next Big Thing in IT Simulation modeling and prediction technologies constitute the next major technology shift. Read more of such web exclusive features at www.cio.in/features

Columns Digital Subversives Are employees compromising security by bringing consumer tech into the enterprise? Perhaps, but if you use too heavy a hand to stop them, you’ll be fighting a losing battle. How to Get Inspired Inspiration triggers creativity. And, very often, that is the first step to innovation -- even in IT. Read more of such web exclusive columns at www.cio.in/columns Resources Whitepapers: Outsource to a Secure Source Real Time Collaboration - 11 Things to Consider Download more web exclusive whitepapers from www.cio.in/resource

FEATURES NEWS |

to protect it against disasters. And it plans to add at least one more.

RESOURCES

WebExclusive

The library's storage system has two locations

V Ol/2 | ISSUE/03

Features

REAL WORLD

Susan Cramm

Executive Coach

A Good Offense is a Good Defense Why it pays CIOs to map their plays before a dictate to outsource comes down from above.

ne of the most frustrating aspects of working for somebody else is the dreaded ‘dictate from above’. Dictates aren’t requests, they are demands. Most workers, when faced with an order to do something they don’t understand or support, disconnect emotionally from the task and follow through in lackluster fashion. This leads to disappointing results that reinforce the perception that those above are disconnected from reality. And the demanding executive gives up on either the idea or the people. In the end, the organization loses. For the CIO, some of these dictates are related to outsourcing, a strategy that is usually defined at the top and sometimes disdained in the middle. I was in a planning meeting recently where a mid-level executive conveyed an outsourcing dictate to his group. The discussion that followed was high on perspiration but not on inspiration: “It doesn’t save money,” “Our complex work can’t be outsourced,” and so on. Minds were closed to the positive experiences of other organizations and the opportunities that could be created. The outcome? A set of modest goals that did little to address industry cost pressures and global support requirements. Outsourcing’s value depends on the actions of those who are tasked with making it real. Done well, it saves money and allows an organization to reinvest in high-value activities such as interacting with customers, managing innovation, defining strategic direction and formulating plans. Done poorly, outsourcing can increase costs around the management of sourcing relationships and syncing up processes and can strip an organization of creativity by focusing internal resources on work that lacks innovation.

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - A Good Offense Is a G22 22

Vo l/2 | ISSUE/03

12/14/2006 4:32:17 PM

Susan Cramm

Executive Coach

For these reasons, the CIO should be on the offensive when it comes to outsourcing. After all, it’s better to initiate your own program rather than have one handed down from on high. But don’t concede the game if you find yourself on the receiving end of an outsourcing mandate. You can still shift to an offensive position by taking a leadership role in the initiative and redefining it, so that it works for you and your organization while protecting the long-term interests of the enterprise. In other words, love it to death. Outsourcing is a competitive necessity in a global economy. When (not if) the call comes, try the following tactics. Focus on the opportunity. Let go of concerns and fears until you define the opportunities — beyond cost savings — that outsourcing enables. What should your organization do better and how could outsourcing help fund or catalyze the change? The participants in the planning meeting I attended had difficulty focusing on the opportunities rather than on the risks and challenges. It took effort for them to identify how outsourcing could improve leadership on activities that had degraded over time due to a lack of funding for incremental maintenance. Avoid their mistake. Demonstrate that you are serious. Reach for empirical research and get ‘lessons learned’ from organizations that use and supply outsource services. Develop a plan that shows a committed and disciplined approach. It should incorporate tenets such as an aggressive, integrated pilot program, strategic selection of offshoring locations, multiple suppliers to ensure competition and lower risks, the creation of metrics and a plan to share the benefits with the business to motivate adoption. Remember that unless you commit over time to increasing the work that is outsourced, the payoff will never be realized because the costs of establishing and managing an effective sourcing program are high. Avoid the path of least resistance. Although it is easier and less risky to outsource ‘keep the lights on’ tasks rather than IT development activities, many organizations first outsource development because of its variable nature. But placing project management, business and architectural knowledge solely in the hands of the outsourcers can lead to a withering of the internal capability to innovate. Outsource innovation-based work to accommodate peak demands and to access specialist expertise. And ensure knowledge transfer and retain control over tasks such as program management. Take care of your people. By keeping the most exciting work inside and re-focusing your workforce, you increase your odds at retaining the best and brightest. Demonstrate integrity by communicating openly and providing training, retention bonuses and severance for those who need them. You can’t really love outsourcing to death, but you can play offense to ensure that you get the best out of outsourcing and it doesn’t get the best of you.

Vol/2 | ISSUE/03

Coloumn - A Good Offense Is a G23 23

Reader Q&A Q: What trends do you see in the industry for training managers and leaders to manage well in the onshore/ offshore environment? A: Fortunately, there are plenty of resources available for those who want to teach their organizations how to manage outsourcing effectively. A good place to start is the International Association of Outsourcing Professionals, a consortium established — in its own words — to design, implement and manage the global corporate ecosystem. While organizations are becoming increasingly savvy in managing these extended sourcing relationships, they are not placing enough emphasis on reskilling the current IT workforce to assume the innovation role. As part of playing offense on outsourcing, IT leaders need to define the role for the future internal workforce and incorporate necessary developmental programs in the overall approach and work plan. Q: We are lucky enough to have an organization that doesn’t believe in outsourcing — although we do use quite a few consultants in support of projects. As a direct report to the CIO, however, I believe our organization could benefit from outsourcing in providing service to geographically remote business partners. How can I sell the program without selling out? A: You may not have to sell outsourcing at all. Instead,

simply apply the use of consultants or contractors to the service improvement opportunities you describe. The difference between the occasional use of consultants and contractors and outsourcing depends on the level of control and assumption of risk. Outsourcing entails a project- or services-based contract where the desired outcomes and pricing are negotiated and the outsourcer assumes accountability for managing the details and delivering the results. Try defining a program that mirrors the look and feel of the existing consultant relationships, and it’s doubtful you will be viewed as a sellout. CIO

Susan Cramm is founder and president of Valuedance, an executive coaching firm in San Clemente, California. Send feedback on this column to editor@cio.in

REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6

12/14/2006 4:32:18 PM

David Apgar

Keynote

Get Smarter About Security Risks How much you should invest in protecting corporate data depends on how good you are at assessing the threat.

here’s a reason companies are asking CIOs to solve a new kind of security risk every time they turn around. Business continuity threats, data breaches, malicious code and stolen laptops all have one thing in common — they’re the price of information technology’s success. Information security is an issue because most of our core business processes incorporate IT, and technology has started to break down the stovepipes that once protected corporate data. CIOs have always had to prioritize risks when deciding how to allocate resources. What’s different about information security risks today is the uneven ability of CIOs and their business partners to assess them. Every company faces a different mix of security risks. And every one has a different set of information advantages and disadvantages — call this risk intelligence — for assessing each of those risks. IT executives have no choice but to sort out which security risks are big, which ones are small and, most important, which ones they and their colleagues are not very good at evaluating. This last challenge is new. The methods for estimating the size of a risk usually involve polling business partners to determine the worst-case loss they expect in a given period of time. But CIOs still have to evaluate how accurate these assessments are. One company may know from experience how information integration can compromise records. Another might have learned what a data breach costs. But it would be a mistake to assume every company, or even every business leader within a company, has the same ability to assess the likelihood or impact of fast-evolving threats. So a critical new step in allocating resources for security risks is to 24

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Coloumn - Get Smarter About Sec24 24

Vol/2 | ISSUE/03

12/14/2006 5:08:48 PM

David Apgar

Keynote

determine which ones your organization is good at assessing before you rank the risks and estimate how much it would cost to mitigate each one.

How to Assess Risk Intelligence To assess your risk intelligence, ask yourself these five questions for each major security risk you face: How frequently do you have experiences related to the risk you’re evaluating? How surprising are these experiences? How relevant is your experience to the risk you’re evaluating? How diverse are the sources of information about the risk? How methodically do you track what you learn from past experience about mitigating risks? Score your answers on a scale of 0 to 2, where 0 means you and your business partners have less understanding about this risk and its contributing factors than others on your list; 1 means your understanding is about average; and 2 means you understand it better than other risks. Add up your answers for all five questions. Scores fall between 0 and 10; 5 means you think your ability to weigh a risk is average across the five factors. It doesn’t matter if you’re a tough or an easy grader: what you’re doing is ranking your risk competence. Now rank your organization’s information security risks by their risk intelligence score. You may want to allocate more mitigation resources to the ones that score the lowest, because these are the ones you are worst at assessing. For larger companies, it may be important to score the risk intelligence of each business unit facing a single risk. In this way, you can figure out which business unit has the clearest understanding of the threat, though you may still allocate more resources to the unit that scores the lowest. By the way, this is the opposite of the conclusion you’d draw for elective projects. It makes sense to pursue discretionary projects that pose risks we’re good at assessing. But when the risks are unavoidable, the question is different. We need to focus on the risks — or the parts of the business — where we’re most likely to make a mistake.

So you ask the heads of your company’s business units (let’s say there are three) what would be their worst-case loss for a security breach. Compared to their revenue, the estimate from business unit A seems too large, B seems too small, and C falls between A and B. You want to judge who is most likely to be accurate, so you score the risk intelligence of each of the three business unit leaders. The business leaders have different amounts of experience with security breaches. Because of the volume of its customer data, you give a 2 to business unit A, meaning a lot of potentially valuable experience. You give B and C each a 1 because their

It would be a mistake to assume every company, or even every business leader within a company, has the same ability to assess the likelihood or impact of fast-evolving threats.

How Assessments Help Decision Making Here’s how to apply the risk intelligence methodology. Suppose your company has been spooked by recent security breaches that have compromised customer data. You’re trying to figure out just how much — and where — to invest in security safeguards. The company’s network has never been breached, although a competitor’s customer database was compromised and the story was all over the news. Closer to home, a laptop was stolen from a salesperson’s car a few weeks earlier.

Vol/2 | ISSUE/03

Coloumn - Get Smarter About Sec25 25

experience is about average for their business segments — they keep track of the problem but haven’t suffered a breach so far. Next you ask how surprising the experience of each of these business units tends to be. The salesperson who lost the laptop works for A, so A gets another 2. B hasn’t typically attracted privacy threats, so it gets a 0. C gets a 1 because its experience in this area is about as surprising as that of most companies. Now evaluate how relevant this experience is. You believe the number of integrated customer files is a big factor. A keeps each set of data in separate systems, so it gets a 0. B has both multiple- and single-file customer systems; it gets a 2 because this experience should be highly relevant to whether the integration of files really matters. C’s experience seems average, so you assign a 1. And so on. Tallying the scores, it turns out A has the best understanding of the magnitude of your company’s problem with security breaches. Thus, you apply A’s standard for evaluating the risk to the whole company. But you decide to pilot new security systems with C because there’s reason to expect it is least prepared to deal with the risk of a security breach. Risk intelligence analysis does not replace the exercise of judgment in prioritizing security or any other IT-related risks. But laying out the main issues — the worst-case loss assessments and the reliability of those assessments — helps you apply your judgment systematically. And it provides a basis for discussing with your executive colleagues the key trade-offs in your risk management strategy. CIO

David Apgar is the author of Risk Intelligence: Learning to Manage What We Don’t

Know. Send feedback on this column to editor@cio.in

REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6

12/14/2006 5:08:48 PM

N.P. SiNgh, SeNior v.P. (i.t. & e-commerce) at madura garmeNtS, haS takeN r.F.i.d. live acroSS hiS eNterPriSe â&#x20AC;&#x201D; a FirSt oF itS kiNd iN iNdia. With the cartoN tag aNd itS Smaller couSiN, thiS team haS Succeeded iN imProviNg oPeratioNal eFFicieNcy iN the WarehouSe.

Cover Story | RFID

The success of automated technologies like RFID is relative to how clearly you define your business processes to support their usage.

Tagging it Right

Challenges of rolling out RFID Implications of automation in an organization How starting small can prove RFID’s prowess to management

vol/2 | I ssue/03

P hoto by srIvatsa shan dIlya

Reader ROI:

Illust ratIon s by b In esh sre edh aran

B Y K u n a l n . Ta l g e r i

When Neeraj Pal Singh isn’t on his weekly business trip to Kolkata or Mumbai, he is overseeing the technology operations of Madura Garments in Bangalore. Given his schedule, it’s only occasionally that you might run into the senior vice president (IT & e-commerce) of the Rs 585-crore garment company at the Indiranagar Club’s tennis court in Bangalore. Singh is strong on the baseline alright, but seeks to overcome that old weakness — the backhand return. Watching his game, it’s tempting to draw parallels with his pet project: a radio-frequency ID implementation (RFID) at the inventory and supply-chain level. So, imagine a tennis court with RFID readers placed on either side of the net, an RFID chip embedded inside a tennis ball — and Singh wielding a racquet preparing to face serve. The ball is served, a rally ensues, and REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

Cover Story | RFID the RFID readers take turns capturing the time as the ball enters either side. The game could yield all kinds of information. For one, the numbers clocked by the RFID readers can help Singh gauge how swift his returns are, even on the backhand. Over time, this could play a small, albeit critical, role in converting his backhand game into a winner. Coupled with other wireless technologies, RFID is capable of providing a host of other information — be it on a tennis court or at the technology playground of the A.V. Birla Group’s apparel & retail company. For now though, Singh’s primary aim with RFID is operational efficiency and RFID forms the core of a year-long project.

at the Factory...

Seated in his spacious cabin at Madura Garment’s office in Bangalore, Singh calls out the timings clocked at the company’s RFID-enabled warehouse in the city: “We documented the efficiency improvements over a period of six weeks. About 3,700 cartons were brought or ‘inwarded’ to the warehouse from the factory (see infographic). This would normally have taken 300-plus hours, but now we do it in 60 hours.” The numbers are but one indicator of the RFID technology that is present at Madura’s factory, one of its warehouses, and further down, a retail outlet in Koramangala, Bangalore. The automation project is arguably also the first of its kind in India’s apparel space, the first that has been rolled out in a live environment from a factory down to the retail level. Other key players in the sector have tested the technology with success, but only as pilot projects. There is the well-documented Arvind Mills apparel store at Wipro’s Electronic City in Bangalore, which sells RFID-tagged products. Meanwhile, most other players have trained their eyes on using RFID in inventory management. “Any kind of automation at the inventory and supply-chain level will introduce process efficiencies. And these efficiencies contribute to better margins. So, automation certainly helps,” says Chinar Deshpande, CIO of the Rs 2,000-crore Pantaloon Retail. “However, unless your processes are clearly defined to the point that they support the use of technologies like RFID, you won’t benefit from them,” he cautions. Deshpande’s team is following his advice and holding on to the learnings of its Rs 30-lakh RFID pilot project, conducted last year, as it refines the synergy between its business processes. Pantaloon is expected to roll out automated technology in the near future, though it’s hesitant to put a date to it. For a CIO, RFID has proven process efficiencies on the one hand and upfront costs on the other. Where does he strike a balance? Singh’s implementation has some interesting answers.

Eye On the Waistline One of the striking features of Madura’s Rs 30-lakh RFID implementation is that, from the outset, even as the IT team worked towards a more comprehensive RFID blueprint, it kept its approach

BeFore emBarkiNg oN itS miSSioN, the tagS are Placed iN WarehouSeBouNd cartoNS. What iF oNe oF the cartoNS FallS oFF? let'S FiNd out...

. . H . H . O OO

What ElsE Can RFID Do?

focused and relatively modest. This was apparent in how it defined the scope of the rollout, limiting it to generating cost- and time-efficiencies. In doing so, it might have deferred the use of RFID’s most-touted benefits: data mining A June 2006 Aberdeen Group survey found that nearly 70 percent and analysis. This use of RFID has come of of responding companies were adopting rFId because of retailer demands. age in the US, especially at the retail level. but that doesn’t mean companies aren’t looking for other ways to use rFId. RFID can, for instance, help answer in real time security and asset management, for example, were among other drivers — and this is crucial — questions such as: is a cited in aberdeen’s survey, titled the rFId benchmark report. promotional display well-stocked? Is a specific at t texas Instruments’ educational & Productivity solutions division, promotional push generating desired results? which makes calculators, the rFId team is currently looking into areas Which slow-moving stock do we need to push where the technology could improve business processes. one area is immediately through a promotion? The swifter a preventing loss by tagging employee laptops and mobile devices as well problem area can be isolated, the quicker solutions as backup tapes (which currently rely on bar codes). another initiative can be found, and this is what RFID excels at. is tracking the preproduction calculators loaned to schools for student “RFID offers the opportunity to manage business and teacher evaluation to make sure they are returned. with real-time technology,” notes T.S. Rangarajan, Chris Parker, a t texas Instruments infrastructure manager in charge head-RFID solutions at TCS. “It offers opportunities of rFId, says that with item-level rFId tagging, the improvement in to create data warehouses and archives for better the now-manual process of receiving a returned, defective calculator, forecasts, analysis, new product planning and figuring out when and where it was built and determining which of customer behavior trends.” texas Instruments’ many suppliers’ parts contributed to the defect, t But right now, Singh is content with using his RFID would bring unprecedented transparency and efficiency to the tags to carry the tracking numbers of containers and company’s operations. individual pieces of clothing. “Attributes linked to this While Parker admits that you can get “carried away” thinking number are stored in the backend systems. These include about rFId’s possibilities, he says he won’t “try to force any of a style code, sleeve length, size, price, color, etcetera,” says that without a clear direction from the business.” Singh. His modest approach is well-founded; from the very — thomas Wailgum beginning, his mandate was clear: develop supply chain efficiencies that could demonstrate RFID’s performance effectively. The easy-to-bite metrics, he reckoned, would pave the way for future rollouts. “Our main objective was to improve operational efficiencies and tag, which varies in size and shape, and is labor efficiencies at all levels. I spoke to the management about a comprehensive affixed to cases and pallets. Each tag has an plan, which we had proposed in May 2005, but I began by focusing on the antenna and is embedded with a chip that factory and warehouse,” says Singh. This acquired the shape of Phase I. The contains a unique string of numbers that actual rollout took place between September and November this year. The IT identifies each product. Tags can be passive team is currently focusing on taking the implementation to the retail level. or active. Active tags have a battery; passive The biggest grouse for any tags, which get their energy from the readers, technology leader vis-à-vis are less expensive and more common. RFID is the cost of hardware. Then, there are the readers that identify the The system is made up of two tags as they pass by. A reader’s magnetic field components. First, there's the wakes up the passive tags as they approach, and the tags transmit their digital information — in the at the Factory, the r.F.i.d. readerS form of the electronic SeNSe cartoNS WithiN a raNge oF product code — to the 10 Feet. the PaSSive, cartoN tagS alSo reader and from there eNaBle PerSoNNel to track miSSiNg to a computer system. goodS With the helP oF middleWare. The relatively WheN the BoxeS doN't tally to expensive tags can tally a Pre-Programmed NumBer, the up a mean bill, especially

middleWare throWS uP aN alert. So, the miSSiNg cartoN caN Be traced.

REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

Cover Story | RFID

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

situation for Madura Garments and Avaana — and Madura paid no consultancy fee at all for the POC.

Made For India? Meanwhile, most apparel and retail players’ tryst with RFID — in pilot projects — has met with success. Yet, they have rarely managed to progress beyond that, primarily because the RFID industry “Even in six-figure production quantities, itself is in a nascent stage the simplest of tags is more expensive than in India. “The industry a barcode label. This difference has to be has the potential to be very bettered by other benefits in the distribution big worldwide. Global chain before RFID takes off.” estimates are $21 billion — Meheriar Patel by 2015,” says Rangarajan dGm & Head (IT), Globus Stores Retail of TCS. “However, India is way behind other geographies, including China. India does not have any major implementation so far,” he adds. Bimal Sareen, president of RFID Association of India, has a more optimistic take: “In India, the technology is firmly implanted in the early adopter phase. Pilots and production implementations are being budgeted or are already underway.” There is a tremendous amount of expectation over the value that RFID can bring, though it is accompanied by a lack of total understanding — which will be rectified over time, says Sareen, who is also the founder-CEO of Avaana. According to analysts of the domestic RFID market, the key sectors in the country that have shown interest in automating processes are retail, manufacturing, airlines, hospitality, and oil & gas. Of these, retail and manufacturing have been singled out for continuous investment in RFID in India. In terms of adoption, companies engaged in export are most likely to adopt RFID early followed by organizations that are affected by the mandates of U.S. institutions such as the FDA (Food and Drug Administration) and the HDMA

Photo by FotoCorP

in a sizeable implementation. So, unlike their US counterparts, Indian players have cottoned on to less expensive tags that are passive but also reusable, opposed to the less affordable, battery-run active tags. “We’ve even got the tags laminated,” explains Singh. “Once the ‘inward’ is done at the warehouse, we send the tags back to the factory so that they can be tagged on a new set of cartons. Similarly, after items are sold at the stores, we send the tags back to the warehouse.” In all, Madura has so far invested in 12,000 passive tags, 500 of which are carton tags that are used between the factory and the warehouse. The rest are item tags. Soon, Singh expects to take the overall number of tags to 20,000 — if he can bring the price of a tag down to about Rs 20 from Rs 35. “It will increase coverage to more items,” he says. Prior to the rollout, Singh used the interim 16 months to create buy-in for RFID across all levels, find a vendor to suit its processes and requirements — and draw out a proofof-concept (POC) agreement. The POC would prove critical in managing costs. Contrary to expectations, Madura Garments partnered with a relatively small RFID solution provider called Avaana. Customization was the need of the hour, and an Avaana would give him more room to maneuver in matters relating to costs, recalls Singh. He cites the POC agreement, “We agreed that until Avaana could prove RFID was a success, we would not pay for support. Only if the project was a success, would we go live and regularize the implementation and pay for the support.” Singh is sure that such flexibility would have been hard to wheedle out from a big player. “A large solution provider might have brought their own standard software that has limited scope for customization. If we asked for customization, they would have said, ‘We will customize it, post-POC.’ A small, hungrier player, on the other hand, would have wanted to do the best job for us — and get mileage and visibility from it," he explains. As a result, Madura Garments only needed to invest in the hardware: readers, antennas, servers at each location, and of course the back-end servers. “We have not had to pay for consulting support. The middleware that is used to track items is also Avaana’s, which they implemented here based on our inputs.” The arrangement has proven to be a win-win

at the WarehouSe, cartoNS are Placed oN trolleyS aNd takeN PaSt readerS. the rFid SyStem haS literally throWN oPeN the doorS oF the WarehouSe. Where it oNce took 300 hourS to PuSh through 3,700 BoxeS, today it takeS 60 hourS. curreNtly, cartoN tagS oNly carry a trackiNg NumBer — theSe, hoWever, are liNked to item iNFormatioN Stored iN Back-eNd SyStemS.

Cover Story | RFID (Healthcare Distribution Management Association) asserts Rangarajan. “In a recent study,” he continues, “we discovered that Indian companies require scale of operations to justify investments in RFID. In some cases, the scales have to be higher by an order of magnitude. But if you ask me, each company needs to consider RFID more from whether it makes economic sense vis-à-vis competing processes like manual handling and bar code.” Rangarajan is bang on the money with his observation about the scale needed to justify an RFID investment; its truth is reflected in Pantaloon Retail’s RFID pilot. “We were clear that RFID would not be put in use immediately because of factors such as economy of scale,” says Pantaloon’s Deshpande. The Pantaloon RFID pilot entailed 1,000 passive and reusable tags, two RFID readers and one tag writer all at a cost of Rs 30 lakh, which also included middleware and consultancy. “The technology is expensive even today, and itemlevel tagging is simply not feasible. There are a lot of practical difficulties in implementation too: placing the RFID readers at specified angles, for one. The integration between the tag reader, legacy application and the quality of the middleware used are also important,” he explains. Another Indian apparel & retail player that's been exploring automated technologies is the Rs 150-crore Globus Stores. For now, it uses barcode scanning at the inventory and supply-chain level. “Our core application increases visibility throughout the warehouse process from receipt of goods through shipment and completion of orders,” says Meheriar Patel, DGM & Head (IT) of Globus Stores. While Patel is confident that RFID will contribute to business productivity, he cites a string of challenges that are currently keeping the technology from apparel & retail chains’ best-laid plans:

Technical issues include how active antenna solutions work with passive tags over an RF range. The reading range should have at least 95 percent accuracy.

let'S SteP oN it! hurry there'S Place For more!

Poor compatibility with non-RFID infrastructure on the front-end. Patel cites a security ID system at his retail outlet that can create interference with RFID systems. “To introduce RFID would mean changing the available infrastructure at the retail level. And though there is a suitable technology solution, it doesn’t wholly fulfill the requirements I’m looking for,” he explains.

External influences, such as metalwork, the dielectric properties of some material and radio interference, can all constrain RFID remote reading.

Tag costs. Even in six-figure production quantities, the simplest of tags is more expensive than a printed barcode label. This extra cost, plus the potential greater infrastructure capital cost, has to be bettered by other benefits in the distribution chain before RFID sees more popularity — or it will find use only in applications where barcode is not suitable.

at the WarehouSe...

Cover Story | RFID

5 6

High cost of integrating RFID technology into existing inventory control systems.

Complexity. If a significant number of RFID’s greater systems capabilities are implemented, then the host system and infrastructure have a higher capital cost and complexity than a barcode system.

A lack of integrated solutions. Currently, there is a range of RFID application numbering systems that need unifying before uptake will see an increase.

Unresolved frequencies issues. There are no internationally agreed-on frequencies for RFID operation (other than 13.56 MHz, which is primarily used by smart cards but can also be used by other RFID tags). Permitted scanner/ reader powers also vary between countries. This limits product take-up. In the automobile industry, the Rs 14,704-crore Maruti Udyog has demonstrated mixed results with automated technologies. While it has successfully rolled out an RFID-enabled solution

the haNd-over

on the shop floor, it’s not yet satisfied with the results of RFID applications in the supply chain. “I’ve done four or five RFID pilots (at the supply chain level), but am yet to find a business case for it,” says Rajesh Uppal, general manager-IT of Maruti Udyog. “I’m trying to implement RFID in supply chain areas, such as spares, but have not found it to be cost-effective. Bar-coding, in comparison, is still a manageable technology with much lower cost of operations,” he explains. Still, the automobile maker has not completely done away with radio frequency, and in fact Uppal says he has found a way to marry it with bar-coding.

tailored to Enterprise Needs If Meheriar Patel’s list of challenges is anything to go by, enterprises in India have lots to think about before completely automating business processes. At Madura Garments though, N.P. Singh seems to have come a long way from the time when he began making enquiries about Wipro’s retail-RFID rollout at their campus. This August, he prepared for Phase I: to roll out the technology himself from Madura’s factory to one of its warehouse. But the pre-rollout work turned out to be just as critical to the project’s effectiveness. “We carried out a number of tests and runs in the staging area,” recalls Singh. His team and the technology partner developed and tested all the individual components, before integration testing them in a staging area — by creating a virtual factory, warehouse and store. “We tested the technology by performing runs with tags in empty boxes and scanning them and dispatching them to ‘stores’. Till such a time came that I was convinced about its effectiveness, we didn’t want to roll out the technology,” Singh explains. It was worth the wait. “Earlier, opening 40 cartons and bar-code scanning each piece in them took two to three hours. The RFID reader does the same task in a little more than five minutes,” says C.M. Nair, group manager (warehouse & distribution) of Madura Garments. And they've only just got started. “Though we have implemented RFID in a live environment, the project itself is in a preliminary stage — we've only linked the warehouse with the retail outlet in Bangalore,” says Nair. “Once the implementation is complete, we'll be able to increase order execution, improve inventory management and traceability of pieces. There will also be more accountability

trouSerS aNd ShirtS are takeN out oF cartoNS, aNd the cartoN tagS are SeNt Back to the Factory. Smaller tagS are NoW attached to iNdividual itemS oF aPParel, Which are SeNt to madura'S retail outletS.

vol/2 | I ssue/03

A new Generation of RFID

because of modules like a location search, and packing errors will be greatly reduced,” he explains. Gen2 tags are affordable, easier to read and do well with others. Singh echoes Nair's sentiment. “Faster inwards improves operational efficiencies, and order fulfillment RFID technology is changing. Advancements continue to make active tags percentage also goes up,” says Singh. smaller and more affordable so they can be used more widely. Significantly, the company has also Moreover, the Generation 2 tag standard, called Gen2, brings several benefits: less salvaged the time usually relegated to signal interference with other tags; cross-vendor interoperability; faster read rates billing at the warehouse. Typically, goods (as much as 10 times faster); required use of a unique identifier to help validate enter the warehouse only towards the end identity; support for authentication through an optional, encrypted, non-broadcast of every month. As a result, inwards tend to password; kill support so that a reader can disable a tag that is no longer needed; pile up towards the end of the month. “During and reduced power consumption for the readers. that period, we weren’t in a position to take Manufacturers have just begun shipping Gen2 tags. Current RFID tags are inwards. Now, we can — because of automated passive, reflecting a radio signal back to a reader. When the signal reaches the processes that have reduced billing time,” says tag, it bounces off the embedded chip, which changes the radio signal slightly Singh. With automated processes, the system to encode its data — similar to the way paint reflects back specific colors when gets updated as the inwards are ‘read’ by the full-spectrum light is shone on it. That bounce-back approach typically limits RFID reader, he adds. passive RFID tags’ range to about 10 feet. The labor efficiencies will be more visible once Active tags — essentially transponders — can have radio ranges of the deployment occurs across all Madura factories, hundreds of feet, making them ideal for tracking objects in large areas. But says Singh, who believes he has begun to achieve the they require a power source (usually a battery), radio, and an antenna and supply chain efficiencies he sought with RFID. The typically are the size of several decks of cards. They also cost between Rs RFID-enabled procedures at the warehouse can also 1,800 and Rs 3,600. These factors combine to limit their utility to just large, impact unrelated processes such as cross-docking, highly valuable objects. The active tag readers are more costly as well. where as soon as items enter the warehouse, they get But in the next few years, the active tags will get smaller and cheaper, attached to pre-placed orders and are dispatched. making them more suitable for smaller, lower-value items, says Marcus Many enterprises, however, would argue that RFID Torchia, senior wireless analyst at Yankee Group. And because most and other automated technologies aren’t relevant at all work with the increasingly common 802.11 networks, they will easily in India where the cost of labor is low. Singh’s says it’s a fit into most organizations’ IT infrastructure, he says. question of perspective. Business must look at improving “Add some software and active RFID tags, and you can know efficiencies in overall processes, he says, rather than at the exact location of an asset,” Marcus says. Plus, active tags efficiencies on individual overheads. eliminate the need for portals or gates that are used in passive Sareen of the RFID Association of India too points to RFID environments to funnel objects close enough to the readers. the bigger picture: “As Indian corporates become members According to Torchia, active tags also allow for more applications of the global marketplace — and various tariff and nonby offering two-way communications, sensor integration, tariff barriers decrease — companies that wish to sustain independent system intelligence, and constant visibility. their positions in such a competitive environment have no choice but to increase adoption of automation. It will allow — By Galen Gruman process improvements to be leveraged. The speed, quality (that automation introduces) and reduction of manual errors will be an advantage to many.” The dearth of integrated solution providers is another possible reservation that’s keeping enterprises from dipping into the RFID pool. Analysts, this is a piece of the puzzle you can’t take your eyes however, believe that there is more expertise to be gained from individual off. “Interfacing RFID with my back-end — SAP — manufacturers of the various ingredients of an RFID solution. and front-end systems was a challenge,” he says. “An integrated RFID solution essentially demands several components, each The answer was an age-old solution: of which requires different competencies,” Rangarajan of TCS. “Now, western communication. Working in conjunction with clients are asking for a single-source RFID solution provider who may or may the solution provider is absolutely critical, Singh not have all these competencies. Yet, such a solution provider is expected to asserts. “We spoke to our point-of-sale system take the responsibility for performance of the integrated solution. It all comes partners, our RFID team and Avaana’s team. Most down to how you define an ‘integrated solution’,” he says. of the changes can be made in the middleware, And, the big question for CIOs who are considering automation: how do I rather than in the back-end system which only integrate an RFID solution with existing IT infrastructure? Singh makes it clear that requires information updates,” he says.

Vol/2 | I SSUE/03

Cover Story.indd 33

REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6

12/14/2006 5:47:16 PM

3 Views on RFID Q: Given the upfront cost, how would you approach RFID? A: RFID’s a large one-time investment, so you want to justify it. You’re better off applying it to a large volume of merchandise. Also, unless your processes are clearly defined so that they support the use of technologies like RFID, you won’t benefit from them. — Chinar Deshpande CIO, Pantaloon Retail

Q: Where does it make sense to implement RFID? A: I don’t look for projects to deploy RFID. If RFID's the best way to solve a business problem, I’ll use it. Or something better. On Maruti’s shop-floor, it was the best option. At the supply chain level, it isn’t cost-effective yet — I’ve found bar-coding more useful.

P hotos by Srivatsa S handilya

— Rajesh Uppal Chief GM-IT of Maruti Udyog

Q: Would your management approve an RFID implementation? A: They would first want to see a pilot project and the business benefits: can RFID track inventory faster and make moving goods easier? They may not look at it as something that’s going to directly benefit the endcustomer. — N. Kailasnathan VP & CIO, Titan Industries

Finally, training personnel also constitutes one of the other changes in an RFID-enabled environment, points out Pantaloon’s Deshpande. “Initially, training is required. But more than technical training, it’s important to train personnel how to perform tasks in such an environment. The real challenge is in bringing about a mindset — to make them aware of seeing any technology development in the light of the business processes,” he explains.

A Stitch In Time At the N.P. Singh household in Bangalore, a treadmill affords the Madura senior VP his weekly exercise. His treadmill workout mirrors the project’s journey. It isn’t only that the project keeps his heart pounding, but also because he’s had to slow the project down and then speed it up. The rollout has required Madura’s IT team to pace the journey, stagger the distance over the past year — and eventually make the leap to RFID. Singh himself has had to step up the pace at times — like this September when, apart from Phase I, he had to budget time and resources for the second phase to link the warehouse with a Planet Fashion retail outlet. At the time of writing, the results and information from the retail outlet are still awaited. But Singh’s track record of staying with a well thought-out blueprint is likely to see phase II end in success. Over the next year, he plans to expand RFID coverage to other factories, warehouses and retail outlets of Madura Garments, apart from other units of the A.V. Birla Group. “The challenges now are to train the users, create discipline to ensure that they abide by the new processes — and change management, in general,” Singh met Madura’s objective to be the first to take RFID processes into a live environment. “The first-mover advantage is there. Whenever we want to roll it out at another unit, we can do so immediately. Anybody else who begins today is undertaking a project of at least six months, from planning, getting approvals, setting up teams, choosing the vendor, developinh middleware and testing, to the final rollout.” But competition aside, what sticks is that Singh has been able to innovate, not for the sake of innovation — but to increase business efficiency. Constant innovation is a telling trait and it reflects in his taste on the tennis field where he prefers an evolving Roddick to the seemingly complete player who answers to the name of Roger Federer. CIO Additional inputs on RFID technology by senior writer Thomas Wailgum. Chief copy editor Kunal N. Talgeri can be reached at kunal_t@cio.in

Share Your Opinion Do you think RFID makes sense in India, where the cost of labour is still low? How feasible and relevant is it for large enterprises to deploy this technology? And how easy would it be to convince your management to do so? Share your thoughts (or reservations) on RFID with your peers. Write in to editor@cio.in

c o.in

Vol/2 | I SSUE/03

Cover Story.indd 34

12/14/2006 5:47:20 PM

RFiD Beyond The

WaR Wa WaRehouse Rehouse

Tagging technology opens new horizons for asset management and control.

BY galen gruman

Anyone who sells consumer goods to Best Buy, Target, or Wal-Mart knows that tagging product pallets with RFID tags is mandatory. The tags help suppliers and retailers speed the tracking of inventory as it moves from manufacturer warehouses to transportation centers and eventually to retailer warehouses. But RFID has benefits that reach far beyond inventory tracking. By combining RFID tags with asset management systems, enterprises are implementing sophisticated, real-time asset control processes. “Asset management is one of the biggest growth areas for RFID,” says Erik Michielsen, RFID analyst at ABI Research. Major automakers, including BMW and Toyota, and shipping companies were among the first to deploy RFID for asset management. They used WhereNet’s active RFID tags on cars or shipping containers waiting in shipping lots. By monitoring the tags, these companies can ensure that guards are alerted when a vehicle leaves the lot outside its scheduled time or that the right container is placed on the right truck. Tags such as WhereNet’s are typically the size of 36

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

several decks of cards, which restricts their use to large objects, and cost between Rs 1,800 and Rs 3,600. Passive RFID tags are cheaper (often costing less than a dime) and small (about the size of a postage stamp, and not much thicker), allowing them to be affixed to small items such as laptops and aircraft parts. This enables affordable tracking of a wide range of objects. For example, Virgin Atlantic Airways plans to use RFID tags on aircraft parts to track their location in repair shops and to store maintenance data so that crews can see what parts need repair while they are still in the aircraft. And, Robert Bosch Tool recently began offering RFID tags on 65 commercial-grade models of its tools for use by larger construction companies to help speed up equipment check-in and checkout at job sites. It charges between one and five percent more for the RFID-equipped tools. For about Rs 450 per tool, the company will place tags inside competitors’ tools. In the coming years, John Doherty, product manager at Bosch, expects hardware makers to offer construction companies RFID readers that can also write data, thereby allowing contractors to track repair and usage history. Many of the early adoptions of RFID for asset management have started with traditional inventory management deployments, expanding as IT proves RFID brings benefits to more parts of the organization than just the warehouse.

Nasa Retools its Chemical Operations At its Dryden Flight Research Center at Edwards Air Force Base, NASA and its contractors use lots of chemicals when developing and servicing aircraft. Many are corrosive, prone to exploding when mixed with other chemicals, or hazardous to

vol/2 | I ssue/03

Cover Story | RFID that defects are tracked and that parts going human health and the environment. They are spread across large areas, located at to the right stations in the right condition. But NASA, contractor hangars, in staging areas on runways, and on the desert floor. that creates a complex network that’s difficult NASA had used bar codes on chemical containers and had relied on staffers at the to maintain, says Greg Edds, manager of global dispensaries to scan each chemical and record the amount dispensed and to whom operations at Hewlett-Packard. Worse, if the it was dispensed. But with budget cuts for its operations staff, NASA needed a more network gets overloaded or goes down, the whole efficient approach, says Tom Ambrose, environmental and safety officer at Dryden assembly line is stalled. Flight Research Center. That’s why HP is implementing the new So the agency deployed RFID tags on all its containers. It also put readers in RFID Generation 2 tags and readers in its Brazil various storage lockers, which weigh the containers to track usage and make sure printer plant. (Gen2 tags can be read by multiple the right material is stored in each locker. This process helps avoid dangerous brands of readers and stores more data than combinations by comparing the chemicals’ actual weights with their expected earlier-generation tags.) Rather than wire each weights. At entrances to work areas, the agency has placed Intermec RFID portal station to the network, HP has deployed devices readers to monitor what chemical containers come in or leave, as well as with whom, that can read an RFID tag affixed to a unit under which is assessed by reading RFID tags on employee badges. construction to get its history and status and then The Dryden system is connected to an Oracle-based database and an asset control write the updated status to the tag as the part application called the Hazardous Materials Management System. It takes inventory moves on to the next station. every few seconds at all locations and determines what chemical containers are “The only network connection is to the where and with whom and then correlates that status to process rules, Ambrose last station on the line to upload the complete says. This helps ensure that chemicals don’t end up in the wrong place, get used by history of the product for final production unauthorized technicians, or get taken out of the facility. (Frequent checking helps tracking and historical analysis,” Edds says. overcome the occasional blip in reading a tag that leads to false alarms; the system is “So server infrastructure can be reduced. programmed to ignore instances in which a container seems to disappear for a few In case of network loss, the results can seconds but alerts security staff if it doesn’t reappear after a few cycles.) The automated system allows NASA to get by with fewer staff members, and Ambrose is now exploring whether it will allow Dryden to make some chemicals available through self-service automated kiosks, which would cut down on technicians’ travel time. By combining this data with information on container weight from storage lockers, the system can also detect how much of each material has been used, which helps fine-tune replenishment. NASA is trying to reduce the amount of tags and readers push Gillette to the cutting edge t chemical material it orders and stores, given that the disposal of unneeded or expired chemicals often costs more than the of supply chain management chemicals themselves, Ambrose says. Ambrose expects to move to Generation 2 RFID tags, Despite the hype associated with rFId, success stories from a which provide authentication, allowing NASA to control large organization, lead you to believe there's something there. who is authorized to read specific information on the tags. the Gillette Company uses rFId for both pallet and case applications. His concern is that as chemicals are shipped to or from It moves its v venus razor blades from manufacturing to a packaging center, NASA on public highways, terrorists could read the where they are placed in cases and moved to the dC (distribution Center) earlier-generation tags and figure out what chemicals to be compiled into customer orders. before the ePC (electronic Product are in the trucks. With authentication, NASA will Code), this procedure required an operator to scan the cases at least five have full access to the information; public safety times, and involved at least three different keyboard operations. the process officials such as police would have access only for a pallet to go from packaging to dC took about 20 seconds. to basic information, such as how to isolate the With ePC in place, all the cases in a pallet are scanned with rFId readers as material in case of an accident; others would have they move on the conveyor belt. Pallet to dC now takes five seconds. no access whatsoever. When a customer order is processed out of a dC, it is often a mixed order, meaning different products need to be assembled onto a single pallet. this labor-intensive task used to take anywhere from 80 seconds to 20 minutes. With rFId, the process takes 20 seconds per pallet because each pallet is spun through a ‘verification tunnel’ that knows exactly what the customer ordered and whether the pallet contains the correct products. Product manufacturers often create lots of data about their products as they move (Continued on Page 38) through the assembly line to ensure

the REal Returns of RFID

hewlett-Packard Curbs Network Downtime

vol/2 | I ssue/03

Cover Story.indd 37

REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

12/14/2006 5:47:21 PM

Cover Story | RFID be stored locally, which eliminates any factory disruption.” Edds expects the RFID approach to reduce network management costs and make the assembly line more efficient, although he won’t reveal estimated savings. HP is also using RFID in its production facilities to meet mandates by several of its retailers that all product boxes have RFID tags. For example, at one of its scanner and printer assembly plants, HP tags product boxes and pallets to monitor their location in both the production facility and warehouses. That’s particularly important for HP because several subcontractors work on premises, so HP needs to record when products leave the subcontractors’ ownership and become owned — and thus paid for — by HP.

that taxpayers' money remains accounted for. In the past, the agency’s auditors would scan bar-code labels on each piece of equipment, which is a slow process. But now, the agency’s logistics group uses RFID tags, says Gary Orem, the group’s project manager. Quickly, the group’s IT team realized that the RFID technology could do more than just track pallets of pamphlets and stationery: it could help actively control access to equipment. The agency is now experimenting with a system to track when equipment is moved from an area, starting with the IT offices in Washington, D.C., that also house loaner equipment. Because access to the area is fairly open, it’s not hard for someone to drop by and borrow equipment without formally checking it out. So the group has placed an RFID reader on the door to detect when equipment passes through. The idea is to see how accurate the reader is at such a location. Next, they will install a motion detector to determine if equipment is coming or going, says Matthew Anderson, a programmer in the group. Then, it will tie in the RFID reader’s data with the agency’s SQL database and an asset management solution from Sunflower Systems running on an Oracle platform to enable real-time tracking of the loaner and IT equipment. The ultimate goal, Orem says, is to track all equipment in the building and see in real time when it leaves the building. It means putting readers at exits and connecting them to the agency’s asset management system to verify whether permission was granted to remove the equipment, alerting security staff — and perhaps even locking the doors. Orem would also like to track who is taking The Social Security Administration frequently equipment by having RFID tags on employees’ badges, to make sure the person takes inventory of its office equipment to ensure carrying equipment is authorized to do so. The agency is also using RFID to regulate access to its fueling center. Until recently, employees had a fuel card they swiped at the pump to (From Page 37) dispense the gasohol used in the agency’s vehicles. But this system couldn’t ensure RFID has improved order processing, streamlined inventory management and that the vehicle being fueled belonged to shipment accuracy, says Dick Cantwell, the company’s VP of global value chain. the agency. Also, the agency got mileage These factors have saved Gillette over 20 percent per distribution center, he says. and other car-status information manually, For Father’s Day, Gillette worked with a large retailer to advertise a promotion as employees filled out forms, often with for the Braun electric shaver in 19 of the retailer’s stores. The idea was to get the errors, Orem recalls. So the agency has promotions and products out on the shelves 20 days before Dad’s Day, timed to added RFID tags to the fuel pumps’ nozzles coincide with print and television advertising. Of the 19 stores tracked with RFID, and a reader to the agency’s vehicles. When only about a third managed to get the product onto the floor at the start of the the nozzle is inserted into the tank, the reader promotion. Five of the 19 stores never got the promotion onto the floor, and the validates the pump and then sends a wireless rest came in late. The reasons ran the gamut, from promotional items not shipped signal to the pump to turn it on. The reader is also on time by Gillette, to items not arriving to the retailer’s DC or not being sent from connected to the vehicle’s computer, which keeps there to the store, to items that were shipped but subsequently misplaced by data on mileage and operational status. This data the store, to shrinkage. is uploaded at the same time, so the agency gets The immediate loss is obvious. But worse still, when the retailer makes accurate records of mileage and can detect repair and a forecast for the next year, it will be based on an erroneous impression of maintenance needs automatically, Anderson says. what took place. The cost, Orem says, is about Rs 9,000 for each of the Using RFID, both the retailer and Gillette were able to track the time fleet’s 65 vehicles, a small cost, indeed, when measured elapsed between events and strategize how to reduce the pain points. against the potential savings. CIO If Gillette can move product so it gets where it needs to be on time, it means products are on the shelf when consumers want to buy them — a major step forward. Overall, Cantwell estimates Gillette has realized a return on its RFID investments in excess of 25 percent. This isn’t hype. This is reality. —By Ephraim Schwartz Send feedback on this feature to editor@cio.in

Social Security Rejuvenates Asset Management

Cover Story.indd 38

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | I SSUE/03

12/14/2006 5:47:21 PM

If experience in the U.S. is anything to go by, technology provides immense value to stock exchanges, particularly during periods of robust growth. A look at the competitive dividends that the CEO of the oldest stock exchange in the U.S. expects from IT.

IT’s

Rising Stock

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

View from the Top Half Page Vert40 40

By Matt Villano Meyer (Sandy) Frucher, CEO of the Philadelphia Stock Exchange (PHLX), loves a good story. He tells them easily, like one might tell a friend or a spouse about a day at work. Even when he’s pressed for time, he weaves a juicy plot and leaves listeners begging for the conclusion. With this in mind, it seems only natural that Frucher relies on an anecdote to explain the importance of IT in his organization. His story begins last year, when Richard Baker, chairman of the US House of Representatives Subcommittee on Capital Markets, Insurance and Government Sponsored Enterprises, requested a tour of the Philadelphia Stock Exchange. Baker’s schedule was tight, so he asked to see only the most important aspects of the market. Frucher took him straight to the Operations Command Center, the epicenter of technology for the company. “He was simply blown away,” Frucher recalls. “He said, ‘You are the first exchange I’ve visited that has shown me technology

as an identification of what things are all about.’ That says it all.” It certainly does. As CEO, Frucher has engineered and overseen the technology transformation in the 216-year history of the nation’s oldest exchange. Today, it trades equities, options and foreign currency options, and provides equity clearing services. In years past, however, the portfolio was less diverse. The transformation began in 1998 — when transactions were still being processed largely on paper and the PHLX was hemorrhaging. The Securities and Exchange

Vol/2 | ISSUE/03

12/14/2006 5:28:31 PM

CIO: What are your expectations for the IT department at PHLX?

MEYER FRUCHER expects I.T. to: Keep pace with growth in business and stay ahead of the curve

Sandy Frucher: The future of our

Keep developing apt solutions and seek support from business

business depends on staying ahead of the technology curve. This is a business where

Be ready with two backup plans in a dynamic environment

Vol/2 | ISSUE/03

View from the Top Half Page Vert41 41

Imaging by Bi nes h Sreedharan

Commission hired Frucher to turn the company around and merge the PHLX into the American Stock Exchange. The merger never materialized, but Frucher worked with CIO Bill Morgan (who has held the position since 1995) to develop and execute the technology modernization. In a competitive marketplace, the PHLX needed new technology to attract trading volume from other exchanges. Last year, Frucher sold 90 percent of the company to six Wall Street firms (Citadel Group, Citigroup, Credit Suisse, Merrill Lynch, Morgan Stanley and UBS) in exchange for those companies’ options business. The deal helped PHLX rebound from a Rs 62.6-crore loss in 2005 to an estimated Rs 135 crore in earnings this year. Re-architecting the PHLX’s systems wasn’t easy. To get things started, Frucher borrowed Rs 90 crore from local banks. With help from former Philadelphia Mayor Ed Rendell, Frucher also championed a capital fee to be imposed on owners to help fund the new systems. Then came the technology itself. Frucher took a hands-on role working with Morgan to devise the systems that chart trades. He also backed the use of handheld and laptop technology that help make all of the trading electronic. Today, the PHLX executes as many as 380 million quotes a day. “Everything we do runs on technology,” Frucher says. “We couldn’t exist without it.” He spoke with CIO about his expectations of IT and how the exchange budgets for technology.

REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6

12/14/2006 5:28:34 PM

View from the Top

volume continues to expand exponentially. Because of this, IT must guarantee that we have the capacity to go with this expanding traffic. Secondly, I want the IT team to be strategic and be able to respond to [the other exchanges that are] our competition. The last objective I’m looking for is to have them integrate our options, equity and futures products technologically so we have things running on a common platform. We’re working on a slogan that is something like, 'One Technology, Three Markets'. We need IT to support that.

With all of these projects under way, how do you build alignment with IT? IT can’t ever go wanting. I need to make sure their part of the business is adequately funded. We made that mistake once before I arrived, and we’re not going to make it again. Bill and his whole operation go through the same rigorous budget process as everybody else, but they generally get what they need because that’s the heart of the business. The other thing is that we’ve put Bill in charge of operations. Once you determine that IT is the business, it’s silly to separate it.

You mention the budget process. How do you decide whether to fund a new technology investment? We have to ensure the integrity of our markets. When we look at new technologies and competitive technologies, we need to make sure the systems do what we need them to do and that they’re cost-effective. We ask ourselves: does it make sense? Can we save money with it? Then we put it through business analysis and make determinations accordingly. Part of that cost-benefit analysis is the opportunity cost associated with how we deploy our IT manpower. It’s not a question of straight dollars. It’s a trade-off of one system versus another system, because we’ve learned that you can’t do it all at once. 42

d ece m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

View from the Top Half Page Vert42 42

The biggest lesson I've learnt from working with IT is: never underfund it — it’s much harder to catch up. — Sandy Frucher Is there anything that you wish you’d never funded? No. In a business, you have to be prepared to fail in order to succeed. There are many times that you’re going to make investments where the investment itself doesn’t pay off in a bottom-line kind of way but is a necessary interlude at a particular moment in time.

Bill Morgan reports to you. Why do you think that’s important as opposed to him reporting to somebody else? The CEO of a business has to do two things: He has to have adequate information to run the business and has to be sure that he does not have too many direct reports. With too many of those, you are limiting your capacity to manage. You have too much information coming at you, too many people that you have to interact with on a regular basis. [But] this is a business that’s conducted from 9:30 a.m. to 4 p.m., and frequently there are disruptions in the process that are critical

to the whole market structure of the United States. If we can’t conduct business, under the law, I’m required to call a meeting of a committee that makes the determination as to whether or not to send the order flow to another exchange. So, I need to have direct contact with Bill 24/7.

Overall, what would you say are the biggest lessons you’ve learned about working with IT? The biggest lesson is never to underfund it because it’s much harder to catch up. Second, do not rely on anything you build to be a long-term solution because the world will change and there are forces that will make you change your strategies and your technologies to comply at a moment’s notice. The third lesson is what makes the other two lessons so important: the world is changing at speeds much greater than anybody could ever have anticipated, and therefore, you can never rest on your laurels.

If you could change one thing about IT at the exchange, what would it be? I would want to have triple redundancy instead of double redundancy. I’m amazed when you have a problem with something that’s so off the wall, there’s no way to anticipate it. And as soon as you fix it, something else goes wrong. That’s just the way systems are. This is one reason we decided to make the investment to build the standalone technology center — to have backups to our backups. You can’t build in enough safeguards in our kind of business. All you can do is prepare for problems and be flexible enough to solve them quickly and move forward. CIO

Matt Villano is a freelance writer and editor based in Half Moon Bay, California. Send your feedback to editor@cio.in

Vol/2 | ISSUE/03

12/14/2006 5:28:35 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Whose

Business

Is Process Improvement Anyway

Feature.indd 44

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | ISSUE/03

12/14/2006 4:47:37 PM

By Meridith Levinson

tried to put Hammer’s and Champy’s ideas into practice. The once n the 1990s, Michael Hammer and James Champy’s golden notion of business process re-engineering took on a tarnish blockbuster book, Reengineering the Corporation, set off a tidal and fell out of fashion. Today, business process wave of business process improvement improvement has a new name — business process initiatives throughout corporate America. The Reader ROI: management — and is in vogue again. Spurred by two management gurus showed that redesigning a Why cIOs need to be the pressures of global competition, commoditization company’s processes, structure and culture could proactive about BPm and government regulation, American companies are lead to a dramatic increase in performance. But collaborating with business reexamining their business processes in search of more a lack of attention to change management and the to resolve control issues efficient ways to execute them through automation impact of these initiatives on employees yielded Why you don't have to own or even outsourcing. Companies again see business counterproductive results in many companies that process to drive change

Vol/2 | ISSUE/03

Feature.indd 45

REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

IllUSt ratIo n by Un nIkrIShn an aV

Business and IT are locked in a struggle over who controls the management of business process improvements. CIOs who seek to lead the charge have their work cut out for them.

12/14/2006 4:47:39 PM

Business Process improvement process management (BPM) — the practice of continually optimizing business processes through analysis, modeling and monitoring — as a systematic approach for solving business problems and helping them meet their financial goals. “Companies are realizing that a good, solid understanding of their processes is essential to achieving any of their performance objectives,” says Roger Burlton, founder of consultancy Process Renewal Group. “Most organizations, if they’re not already doing something [with BPM], are starting to get into it.”

The PoliTical Tussle As BPM takes root in corporations throughout America, a struggle for control between the business and IT is ensuing. Historically, the business has managed its own process improvements. But the arrival of sophisticated BPM tools and IT’s ability to operate across the enterprise have given rise to the belief that IT should lead the charge. It’s an idea that naturally incites pushback from the business. Burlton notes that BPM projects dealing with CRM or supply chain management initiated by IT often get subsumed into the business when a senior line executive realizes that the very processes IT is automating are those that drive his segment’s revenue. The executive worries that, if IT screws up and his unit doesn’t meet its financial goals as a result, his bonus — and maybe his job — could be on the line. Many of them also view IT as a bottleneck, that adds cost and complexity to projects, so they’re hesitant to cede BPM to the CIO, according to Burlton. Finally, territorial instincts fuel their desire to control process management initiatives that affect their turf.

Selling stakeholders on IT-led business process change is the role of the CIO today, says Minneapolis CIO

Karl Kaiser. 46

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

organIzatIon:

city of Minneapolis Business process to be managed: Calls to report problems or to access municipal services. Why: With more than 275 phone numbers for city government, citizens never knew which one to call. Key success factor: an intimate understanding of his stakeholders’ jobs enabled Minneapolis CIo CI karl kaiser to show city officials how a systematic approach to handling constituent phone calls could ease their burdens. Payoff: residents esidents now call one number — 311. Most calls are answered within nine seconds.

Even some IT execs are leery of leading BPM: Farrukh Humayun, National City Bank’s vice president and portfolio architect in charge of business systems, says the business must own BPM to be successful. “BPM is a business discipline,” he says. “IT can be a powerful enabling force... but the IT folks will not understand business drivers, processes or metrics as well as the business.” It’s no wonder IT executives like Humayun and others are loath to advocate for IT ownership of BPM: so many ERP and CRM projects led by IT failed when employees refused to adapt to changes driven by technology. CIOs have been told that the business needs to lead any big change management initiative and that technology initiatives must have a business sponsor to succeed. So why should BPM be any different? Well, for a number of reasons. CIOs must make sure IT is a part of these initiatives because so much technology is involved in BPM and because IT will have a hand in automation. What’s more, says Karl Kaiser, CIO of the city of Minneapolis, since processes often cut across business silos and IT is the one organization that straddles and supports them all, IT has the best vantage point for leading BPM. “Doing these things from within [a line of business] can be difficult because they can’t see the forest through the trees,” says Kaiser. “It’s better done by an outside, independent organization [such as IT] with no ax to grind.” Many BPM practitioners believe that since the business owns the processes, it should drive BPM. However, Burlton says, you don’t have to own a particular process to lead the charge. “IT doesn’t own the data stored on its servers, but they do provide the service of assuring that the data has integrity, is managed well and is secure,” he says. Similarly, IT can guide the business through a process improvement initiative by offering process analysis, modeling, design and automation services. “If anybody in an organization really understands the importance of process, it should be the people in IT because...they have more experience in building models, doing analysis and looking for optimal solutions,” says Burlton.

Vol/2 | ISSUE/03

Business Process improvement There’s no reason why IT can’t lead BPM, he adds. “The question is whether they’ll be allowed to by the rest of the organization.” CIOs who seek an active leadership role in BPM have their work cut out for them. But if they can earn the trust of the business and take charge of BPM, the payoff is big. Doing so will boost their profile and that of their IT organization. It will also facilitate their SOA plans, says Burlton, because process management initiatives identify the business services common across the enterprise that IT can then program and package for reuse as part of its SOA strategy. “If companies do process management properly across the board, IT can do service-oriented architecture properly,” he says. Finally, if IT can offer the business BPM services in the same way it provides application development services, it will increase the department’s value inside the company and bring it closer to the business. CIO talked to three IT executives who are successfully leading BPM inside their companies. They share their experiences below.

The MarkeTing challenge In 2001, the city of Minneapolis got serious about creating a 311 system to better handle the 10,000 phone calls made to city offices daily. At the time, if a caller needed to report a stray dog, a pothole or a bum traffic light, she had to search through more than 275 listings for city government offices in the phone book’s blue pages. Callers often didn’t reach the right office on the first try and got bounced from one municipal worker to another. Some just called 911, tying up emergency operators with reports of broken parking meters. The 311 system, which included the creation of a call center and the implementation of a ‘constituent’ relationship management system to track issues and route them to the appropriate offices within city government for resolution, would make it easier for citizens to get access to information and increase city government’s responsiveness and efficiency. CIO Kaiser took charge of the project, which the city had been mulling since the late 1990s. He was ultimately responsible for getting the project approved, obtaining funding, implementing the system and promoting it to city residents. During the implementation, he occasionally encountered municipal

employees who pointedly told him that he and his IT department shouldn’t be in charge of the project. Officials inside the Public Works department, which handles citywide maintenance such as repairing potholes and erasing graffiti, didn’t like IT meddling with their processes or weighing in on how they should coordinate their efforts with other agencies. They had their ways and they wanted to stick with them, says Kaiser. And what did IT know about repairing potholes anyway? The department, then known as Information and Technology Services (ITS), had a reputation within City Hall before the initiative started for barely being able to fix frozen computers, let alone manage large projects. Some city workers translated the acronym ITS as ‘It Totally Sucks’. Kaiser knew he had to combat the IT department’s dismal internal reputation to win over the business. So in 2002 he outsourced all IT infrastructure to Unisys to focus his department on making city government more efficient and responsive. He also renamed the department to Business Information Services to put the emphasis

Keeping Your Hand In how to drive process change without leading it.

ome organizations see business ownership of business process management (bPM) as the only way process changes will take root. In those situations, what can It do to ensure that it remains a part of bPM activities? Juniper networks CIo alan boehme has an answer. boehme came up with an effective way to keep It in lockstep with the business on process change initiatives while giving control over processes to the business. he recognized the need for a program manager who would live in a particular business function, such as sales or hr, and who would be responsible for driving process change within that function. this program manager would also serve as a single point of contact for the It department on issues of integration, automation and It support. and, thought boehme, who better to serve in this role than one of his It professionals, with his knowledge of systems and understanding of business processes and operations? boehme shared this idea with Juniper’s executive VP of sales and customer service. he told his colleague that process improvements could be sped up if someone in It focused entirely on the sales organization. If the sales group had a dedicated program manager, the CIo continued, it could make process changes more quickly to drive revenue and increase customer satisfaction. after thinking it over and talking with others in the sales organization, the executive VP agreed. he hired one of boehme’s It directors into his organization as a program manager. this new program manager has experience supporting Juniper’s sales and customer service teams. now that he’s a sales employee, he has the credibility to drive process change from within. at the same time, his understanding of the It department lets him work well with it on mapping processes to systems and detailing the integration points between systems. It’s a best-of-both-worlds, win-win situation.

— by M.l. Vol/2 | ISSUE/03

REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

Business Process improvement on the information services the group provides to the business. He said that it took him “the better part of three to four years to gain the credibility that [the members of his department] are the ones that have the diplomacy in place and the understanding of business needs” to lead process change initiatives. Members of the city council also felt threatened by the 311 system. They worried that they’d lose touch with their constituents, who could now dial 311 instead of calling their councillor for help. Kaiser had a considerable sales job on his hands. He was certain that in spite of its bad rap, IT was best positioned to lead this monumental effort, which transcended the entire umbrella of city government. “I had to do a lot of selling to convince people that since IT is responsible for information services across the entire city, we cut across silos and are logically the best place to come to do things that involve change,” says Kaiser. Kaiser overcame resistance from Public Works and the City Council by articulating the unique benefits each would reap from the new system. For Public Works, explained Kaiser, the 311 system would free up employees by diverting calls to call-center agents trained to answer questions about potholes, traffic lights and graffiti abatement. Kaiser also showed managers how they could use the CRM part of the system to track how long it took the department to address problems logged through the call center and explained how that information would help them prioritize work and allocate staff. Kaiser reminded city council members of the multitude of calls they get that should be directed to another branch of city government, such as Public Works. The 311 system would enable councillors to focus on the calls where they could have the greatest impact. He also showed them in demos how they could query the system from their PCs to see how many calls came in from their wards and the nature of those calls so that they could elect which ones to follow up on. Kaiser understood his critics’ businesses so well, he was able to develop convincing messages that addressed their concerns head on. Selling stakeholders on IT-led business process change, he says, organIzatIon:

MTc holdings Business process to be managed: admitting and moving trucks inside MtC’s long beach each California terminals. Why: t traffic raffic congestion hindered productivity for trucker and terminal operators; it also heightened security risks. Key success factor: MtS got drivers to follow the terminals’ new processes by offering them better rates and preferential treatment. Payoff: Congestion was reduced by 30 percent and productivity increased by 25 percent. —M.l. 48

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

MTC hired Larry Grotte to put in place business processes and technologies to streamline terminal operations, increase productivity and drive revenue.

is the role of the CIO today. “You have to have patience, a game plan, a vision, and be in a position to articulate what’s at the end of this and why it’s worth going through.” After a year spent selling city officials on the value of this 311 system, Kaiser obtained city funding and federal grant money for the project. Since the new Rs 2,835-lakh system went live in January 2006, an average of 67 percent of phone calls are resolved immediately, and calls are answered in an average of nine seconds. The launch of the 311 system also cemented the IT department’s reputation as a true business partner and enabler. “We have in essence become a business change agent in the city,” says Kaiser. “Once, when I walked the halls, people slammed their doors. Now they knock on my door and say, ‘We need your help’.”

carroTs and sTicks Last September, MTC Holdings hired Larry Grotte as its first CIO. The stevedoring company, based in Oakland, California, created the position because it needed someone to oversee the implementation of best practices and technologies to streamline terminal operations and increase revenue through productivity improvements as its seven operating companies. Currently, each of the operating companies that run terminals has its own processes for doing so. Grotte is charged with reconciling the operating companies’ disparate processes with standard technology. His top priority? Shepherding a pilot program of new processes and technologies for moving trucks in and out of MTC’s terminals at the port of Los Angeles and the port of Long Beach California, the second busiest port in the United States. The new process will eventually roll out to the other MTC terminals.

Vol/2 | ISSUE/03

Business Process improvement MTC competes in the stevedoring world on the basis of how efficiently it runs its terminals. The faster its operating companies can load and unload shipping containers and the faster they can get 18-wheelers in and out of their terminals, the more business they can do and the more money they can make from unloading cargo from ships and charging terminals entrance fees to truckers. “If you have a terminal that’s X number of acres sitting on a piece of dirt in the Pacific Ocean, you can’t grow its acreage but you can grow it throughput: you can either stack containers higher or move them faster. We have to keep pushing more throughput at our terminals,” says Grotte. At MTC’s Long Beach terminals, truck traffic was a nightmare. Terminal operators had no way to keep tabs on trucks inside their facility. There was no process for admitting trucks, which were all vying for entry during peak daytime hours of 3 a.m. to 6 p.m., or for moving them around the terminal. This hampered productivity, created congestion and heightened security risks. To improve operations at the two Long beach terminals, Grotte developed a system that identifies trucks as soon as they enter the terminal’s gate and directs the drivers from point to point while they’re inside the terminal. Terminal operators now affix GPS devices to trucks as soon as they enter the facility. The GPS devices, each of which has a unique identifier, connect to the terminal operating system. Traffic controllers inside the terminal use the system to monitor congestion and to tell truckers where to go next. Truckers must also now schedule appointments to enter MTC’s Long Beach terminals during peak hours. Those appointments are tracked in a new system MTC developed called VoyagerTrack. To further increase productivity and reduce congestion at the Long Beach port and on neighboring highways, MTC and an alliance of marine terminal operators in Southern California expanded their operations to 24 hours a day and created incentives to get truckers to enter their terminals at night. They offered reduced entrance fees for after-hours arrivals and charged trucking companies that continued to operate during normal business hours a ‘traffic mitigation fee’ to offset the cost of operating during hours from 6 p.m. to 3 a.m., off-peak appointments are schedules in a new system called PierPass. Knowing truckers earn their keep based on the number of containers they move, Grotte and the West Coast Marine Terminal Operators convinced the drivers that following the new procedures would increase their productivity and profitability. For example, if they made appointments to enter the terminal — day or night — they wouldn’t have to wait in line to get in. Thus, truckers could get in and out of terminals faster, giving them the opportunity to earn more revenue by transporting more cargo and making more trips. “By moving their same fixed fleets faster, trucking companies improve their profitability and their return on assets,” says Grotte. And those truckers who switch to the night shift experience have the added benefit of smoother traffic through terminals. In this manner, Grotte got nearly 99 percent of the trucking community on board with VoyagerTrack at MTC’s Long Beach terminal. “These

Vol/2 | ISSUE/03

organIzatIon:

First horizon national Business process to be managed: Improving loan processing times. Why: loans oans that require additional appraisal work or data slow down the approval process for customers and cost First horizon more money. Key success factor: a bPM PM methodology to facilitate collaboration between business and It It. Payoff: by y automating the process of handling exceptions, First horizon orizon decreased its administrative costs and improved customer satisfaction. —M.l —M.

trucker communities and marine terminal communities know they need to constantly cannibalize their processes just to stay with the game,” says Grotte. Since deploying those new processes and technologies, Grotte estimates that MTC has increased the productivity of its Long Beach terminals by 35 percent and reduced traffic congestion during the day by 30 percent. Grotte plans to roll out the new system to MTC terminals around the United States.

no ParTners, no Process Robert Salazar, the vice president of process management for financial services firm First Horizon National in Memphis, Tennessee, oversees his company’s BPM initiatives. First Horizon has been doing BPM since July 2005. Salazar’s role is to define the direction of all the initiatives and serve as a liaison among all the parties engaged in them. This makes him the go-to guy when a business manager realizes a process needs attention. In 2005, for example, the business wanted to improve its process for handling exceptions that come up during loan origination. Salazar got the process owner for exception handling (here, the executive VP of risk management) together with business analysts and with representatives from each functional group (loan processing, underwriting and IT) that plays a role in the process. The group defined and documented the scope of the process improvement project, the goals and the key capabilities to be delivered. The team analyzed existing processes, modeled new ways of handling exceptions and implemented new technology. The goals were to be more responsive to end customers, to make decisions about exceptions more quickly, to reduce costs and to increase the accuracy of the loan origination process. The key capabilities were automating a manual workflow and providing visibility into the process as well as supplying mechanisms for REAL CIO WORLD | d e c e m B e R 1 5 , 2 0 0 6

Business Process improvement tracking and escalating all related transactions. Although Salazar declined to share specific metrics, he said the cost of handling exceptions has decreased, while customer service has increased. Salazar says IT hasn’t battled the business for control of BPM. Instead, IT views BPM as a way to work with the business to serve customers. “You can’t view BPM as a technology issue. It’s all about creating business value,” he says. Salazar adds that the key to making IT’s governance of BPM work is close-knit collaboration between the two parties. First Horizon achieved that through Salazar’s reporting relationship and through a homegrown methodology he uses for BPM. Salazar reports directly to the CIO, but maintains a dotted line to First Horizon’s executive VP of operations. That dotted line gives Salazar the ability to get process owners and line-ofbusiness managers involved. His tight link to the IT department ensures that any automation effort is in sync with what line-ofbusiness managers need to run their shops effectively and with the broader IT strategy. First Horizon’s custom BPM methodology also secures the business-IT partnership by defining those who need to be involved in any process improvement initiative and their responsibilities. For example, the methodology spells out that a process improvement initiative must involve representatives from every functional group involved, and it must be led by a process owner. The process owner is responsible for ensuring that the project team stays on track, and for playing the role of tiebreaker when the team can’t achieve consensus. The BPM implementation group developed the methodology with Fuego (acquired by BEA Systems). It is based on the principles of Agile software development, which emphasizes a close working relationship between business users and developers, frequent face-to-face conversations among stakeholders and regular work reviews, both of which keep all parties on the same page. The close-knit collaboration between the business and IT resolves the control issues that dog many BPM initiatives. Since BPM is a service IT provides to the business and because Salazar reports in to the business through the executive VP of operations, line-of business managers and process owners feel comfortable approaching him for help with process improvement initiatives. And the BPM methodology he’s put in place gives the process owners the control they need over their processes. IT, meanwhile, is never left out of any planning. “I know many companies that have successful, IT-driven BPM initiatives and that’s because their goal was always to serve the business and to collaborate with the business, not to define the latest, greatest, coolest technologies,” says Salazar.

Providers of BPM Suites

usiness transformation, compliance with government regulations, quality improvement programs and the move to service-oriented architecture are all driving corporate spending on business process management suites (bPMS). these integrated packages of software tools support process improvement activities such as process analysis, design, modeling and simulation, and the coordination of sequences of steps and tasks involved in a process. Sales of bPMS are growing at more than 20 percent annually, according to Forrester research. Forrester expects the bPMS market to more than double over four years from rs 5,400 crore in 2005 to rs 12,150 crore in 2009. —M.l.

the following vendors, which gartner included in its ‘2006 Magic Quadrant for business Process Management Suites’, are poised to capitalize on that growth: Adobe Appian Axway cA FileNet Fuego (acquired by BeA Systems) Fujitsu Global360 Graham Technology

IBm Lombardi metastorm Pegasystems Savvion Singularity Tibco Software Ultimus Source: gartner

keys To success

understand the needs, concerns, pain points and existing processes of the business. Looking to the future, Process Renewal Group’s Burlton says CIOs have to become more proactive in business process management. It’s in their best interest to do so because BPM is at the center of so much IT activity. Says Burlton, “Process is so important right now because it is the linchpin of all these other things we’ve talked about for years: ERP, CRM [and now SOA]. Process holds everything together.” CIO

Just because it’s called business process management doesn’t mean IT has to take a backseat in these initiatives. As the city of Minneapolis and First Horizon National show, CIOs can successfully drive BPM if they encourage collaboration and

meridith Levinson is senior Web editor. Send feedback on this feature to editor@cio.in

d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

Vol/2 | ISSUE/03

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

IT Versus

Terror Govern Main.indd 52

12/14/2006 5:22:22 PM

Data Mining

By Ben Worthen

Preventing a terror attack is invaluable. But even invaluable IT projects need realistic business case analysis to succeed.

n the evening of September. 27, 2001, Howard Rubin, a computer science professor at City University of New York who had advised the Clinton administration on technology issues, was home observing Yom Kippur, the holiest day on the Hebrew calendar. Observant Jews don’t work, drive or use appliances on Yom Kippur, but Rubin had a strong feeling he should pick up the phone when it rang that night. On the other end of the line was one of the most senior members of the previous administration. He wanted to know if Rubin knew how to catch terrorists with technology. Rubin’s answer has since become a technology mantra among the intelligence community: data mining. Data mining is a relatively new field within computer science. In the broadest sense, it combines statistical models, powerful processors, and artificial intelligence to retrieve information that is buried in vast volumes of data. Retailers use it to predict consumer buying patterns, and credit card companies use it to detect fraud. Post September 11, the government concluded that data mining could help prevent terrorist attacks.

A Proliferation of Projects xperts say that the government, and the intelligence community in particular, has come to rely heavily on data mining. A 2004 Government Accountability Office report found that federal agencies were actively engaged in or planning 199 data mining projects. Over the past year, The New York Times and other media outlets have uncovered top-secret programs within those agencies that collect and look for patterns in phone records, e-mail headers and other personal information. Given the administration’s commitment to using data mining tools and the pressure to Reader ROI: prevent another attack, it’s no surprise Why data mining is the that these projects are being approved preferred anti-terror IT almost as fast as they are being strategy conceived, experts say. Of course, How to apply ROI analysis government officials have to invaluable projects a reason for pursuing How to scope projects for data mining projects, success

Vol/2 | I SSUE/03

Govern Main.indd 53

Illustratio n by P C ANOOP

REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6 5 3

12/14/2006 5:22:23 PM

Data Mining says Robert Gourley, CTO of the Defense Intelligence Agency: “We want to protect our country and our way of life.”

No Scope, No Budget, No End

SNAPSHOT

Data Mining in the Govt.

Research at the University of Indiana. (Cate was counsel for the Technology and Privacy Advisory Committee created in 2003 by Donald Rumsfeld to study his agency’s use of data mining.)

State of the Art

ut some experts are beginning to question whether an IT strategy of he government’s data mining projects fall Projects: unlimited scope, budget and schedule will into two broad categories: subject-based 199 best serve that end. It’s a conundrum CIOs systems that retrieve data that could help 131 operational face every day. IT projects, no matter how an analyst follow a lead, and pattern-based 68 planned vital, tend to fail when controls don’t exist or systems that look for suspicious behaviors Departments: just fall away in a crisis. Lack of oversight is across a spread of activities. 52 agencies the chief cause of project failures, according Most data mining experts consider subjectincluding: to the Standish Group, an analyst firm that based systems a version of traditional police Dept. of Homeland tracks IT success rates. It leads to overly work — chasing down leads — but instead Security ambitious projects, an unwillingness to of a police officer examining a list of phone Dept. of Defense change the original vision and inattention numbers a suspect calls, a computer does it. Defense Intelligence to signs that something isn’t working. One subject-based data mining technique Agency “No one [in the government] has looked at gaining traction among government National Security data mining from an IT value perspective,” practitioners and academics is called Agency says Steve Cooper, former CIO of the link analysis. Link analysis uses data to Source: Data Mining: department of Homeland Security. “I couldn’t make connections between seemingly Federal Efforts Cover a figure out [the value of data mining] when I unconnected people or events. If you know Wide Range of Uses, GAO was in DHS, and I can’t figure it out now. But someone is a terrorist, you can use link that didn’t stop us from using it.” analysis software to uncover other people In other words, according to Cooper, no with whom the suspect may be interacting. one has done a business case analysis to determine if the For example, a suspicious link could be a spike in the government is getting a return on its investment. Instead, number of e-mail exchanges between two parties (one of a rationalization is usually sufficient: if a project has a which is a suspect). Many experts believe that the NSA chance to catch just one terrorist, then it is worth it. project analyzing millions of domestic phone records is Given that the government’s track record on IT project this kind of link analysis system. management is particularly poor, experts worry that projects could drag on for years and that good projects could be thrown out with the bad because of privacy owever, link analysis projects are useful only if and civil liberties issues. (In fact, Congress has already they have a narrow scope, says Valdis Krebs, an IT halted a number of data mining projects, including the consultant who famously developed a map showing the Department of Defense’s Total Information Awareness connections among the 9/11 hijackers — after the fact. project, an ambitious 2003 attempt to create a massive Successful link analysis requires a reliable starting point database containing just about everything and anything — a known terrorist, for example, or a phone number that could be used to identify possible terrorists. associated with one. Link analysis becomes less effective Experts are also concerned that in its zeal to apply IT when it’s used in an attempt to spot anomalous behavior. to anti-terrorism, the government could disrupt the crime“If you’re looking at the ocean, you’ll find a lot of fish that fighting processes of agencies that are charged with finding look different,” says Krebs. “Are they terrorists or just and stopping terrorists before they act. As any good CIO some species you don’t know about?” If the government knows, if users see a system as an obstacle to getting their casts the net too wide, he adds, the projects could cost jobs done, they will rebel or simply ignore it — in this case, more, take longer and raise the risk of ‘false positives’.” with potentially disastrous consequences. One example of a data mining project with a more Among data mining experts, there is a growing sense realistic scope is one that the DoD is currently testing that that the government needs to apply the same kind of sifts through the data the agency has on everyone with a analysis to its anti-terrorism IT strategy that CIOs in the security clearance, looking for patterns that could identify private sector use to keep their projects from spinning out spies. These patterns might include purchases that are out of control. “There’s no oversight procedure,” says Fred of line with someone’s pay grade, unreported foreign travel Cate, director of the Center for Applied Cybersecurity or e-mail exchanges with a person known to work for a

Finding the Hidden Linkages

5 4 d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Govern Main.indd 54

Vol/2 | I SSUE/03

12/14/2006 5:22:26 PM

Data Mining foreign government, says a counter-intelligence official involved with the project who requested anonymity. The parameters for these searches are developed by counterintelligence officers, based on their experience of what suspicious activity looks like. As the technology improves, the DoD hopes to rely on artificial intelligence to decide which patterns warrant attention. However, even systems that have more limited scope, such as the DoD’s security clearance system, are sending out mixed signals. “Right now, it’s information overload,” says the counter-intelligence official. “With the rules we have now, we would have a ton of false positives.” His goal is to refine the system and eventually show that the concept works. This, he hopes, will encourage people to share more data. He doesn’t anticipate getting usable results for three or four years. The factors that will determine the project’s future are the same as with any IT project: how well the technology performs, the problems the DoD uses the system to solve and what it does with the results it gets.

Projects Get the Axe

f anti-terrorism data mining is going to improve, the business rules aren’t the only aspect that need change. After all, a system is nothing without good data. Sometimes law enforcement has a detailed profile of a terrorist suspect. But in other cases all they have is a name. “Names alone are not a helpful way to match people,” says Jeff Jonas, data mining’s acknowledged superstar, who made his name protecting Las Vegas casinos from cheats. Jonas, for example, shares his name with at least 30 other Americans. After 9/11, the government began replacing the Computer Assisted Passenger Pre-Screening system (Capps) — which only tracked passenger data collected from airlines (names, credit card numbers, addresses) — with Capps II, which would add information culled from data brokers. Capps II first gained notoriety in 2003, when reports surfaced that Northwest Airlines and JetBlue gave passenger records to the Transportation Security Administration so it could test the new system. Critics asked about privacy safeguards and in response to the outcry Congress withheld funds for Capps II until the GAO completed a study on how exactly the TSA intended to protect privacy. In August 2004, the TSA pulled the plug on its Rs 450 crore-plus investment in Capps II in favor of a new system called Secure Flight. Secure Flight and its predecessor share many characteristics, most notably combining passenger records with data purchased from commercial databases. According to a recent government audit, DHS and the Department of Justice spent more than

Rs 112.5 crore in 2005 buying data for fighting crime and preventing terrorism. In September 2005, the Secure Flight Working Group, a collection of data mining and privacy experts who the TSA asked to review the project, filed a confidential report that was highly critical of the system. Within a week, the report was on the Internet. It read: “First and foremost, TSA has not articulated what the specific goals of Secure Flight are.” Bruce Schneier, a security expert who was a member of the working group, sees Capps II and Secure Flight as examples of how the lack of proper scope has damaged anti-terror IT efforts. Even if you managed to design a data mining system that could comb through phone records or credit card transaction and spot terrorists with a 99 percent success rate, it still wouldn’t be good enough, argues Schneier. For example, if 300 million Americans make 10 phone calls, purchases or other quantifiable events per day, that would produce 1 trillion pieces of data a year for the government to mine. Even 99 percent accuracy would produce a billion false positives a year. That’s why Schneier wasn’t surprised when he read a January article in The New York Times reporting that hundreds of FBI agents were looking into thousands of data mining–generated leads every month, almost all of which turned out to be dead ends. “[Data mining] is a lousy way to fight terrorism,” he says By contrast, says Schneier, data mining has worked to prevent credit card fraud because con artists act in predictable ways and operators of credit card data mining systems have drawn a clear ROI line for an acceptable level of false negatives and positives, and

Even a data mining system with 99 percent accuracy could potentially produce a billion false positives a year.

Vol/2 | I SSUE/03

Govern Main.indd 55

12/14/2006 5:22:26 PM

Data Mining adjusted the system’s settings accordingly. For example, most credit card issuers are willing to accept losses of several thousand dollars to prevent alarm bells from ringing every time a customer goes through a checkout line. If false positives are infrequent, customers don’t mind the occasional disruptions. With system sensitivity correctly calibrated, a handful of thieves may get away, but the system as a whole isn’t compromised. Capps II and Secure Flight had no such ROI mechanisms. But rather than re-examine the goals and scope of the projects, the government simply expanded them to include profiling, a hunt for common criminals and more. And as happens with IT projects whose goals are too broadly defined, the system is still not active despite a go-live date of November 2003. “TSA was never willing to re-evaluate the scope of the project,” says Jim Dempsey, policy director of the Center for Democracy and Technology, who was part of the TSA’s Secure Flight Working Group with Schneier. “So now, five years after 9/11, we still don’t have an automated system for matching passenger names with names on the terror watch list.”

because ecause data mining is so new, it stands to become Anti-terror even more of The IT Business an effective Case tool with D time — If ManageD properly.

espite prominent failures like Capps II, there is still a general feeling that data mining can be an effective tool. And because the technology is so new, it stands to become even more helpful with time — if managed properly. “This is an evolutionary project,” says Rubin. “And it is being fueled by events. When that happens you get there eventually. You figure out how to get the man on the moon.” Indeed, CIO has learned of one example of an antiterrorism data mining project that has worked — a link analysis system that helped investigators at Guantanamo Bay figure out which detainees were likely to be terrorists. In 2002 and 2003, the Criminal Investigative Task Force (CITF), a branch of Army Intelligence, was assigned to interrogate detainees at Guantanamo and determine who was a terrorist and who was simply in the wrong place at the wrong time. In this instance, CITF had reliable data about the detainees, including where they were captured, who they

5 6 d e c e m B e R 1 5 , 2 0 0 6 | REAL CIO WORLD

associated with at Guantanamo and other details about their behaviors and relationships. Investigators used a commercially available tool from software vendor I2 to construct a chart of all the detainees, including every known attribute about a detainee and his links to other suspects. This information was then fed into a University of Massachusetts–developed system called Proximity to examine these attributes and links, compare them with the profiles CITF had on known terrorists and known innocents, and calculate the probability that a given detainee was a terrorist.

A Need for more Oversight

he Guantanamo system had a limited scope, a reliable starting point culled from human investigations, and a fair shot at reducing the number of false positives and negatives. In other words, the technology was carefully applied, says Robert Popp, who was deputy director of the Information Awareness Office at the Defense Advanced Research Projects Agency. But it’s an exception. Most data mining projects are not subjected to a rigorous business case analysis. Two current intelligence CIOs who were otherwise unable to comment for this story agreed that this is an issue that they struggle with. The DoD’s Technology and Privacy Advisory Committee (TAPAC) developed a 10-point system of checks and balances that it recommended every agency head apply to data mining projects, but Cate says that it has never been implemented. Similarly, the National Academy of Sciences recently appointed a committee to develop a methodology that the government can use to evaluate the efficacy of its anti-terror data mining projects, but the target date for its report is more than a year away. What’s left is the status quo. That’s troubling to people like Cate. “There are some extraordinarily smart people [working on data mining systems], and I would be hard pressed to think that they are wasting their lives on something that doesn’t work,” he says. “But one of the things [TAPAC] kept focusing on was that you have to be able to show that it works within acceptable parameters,” a responsibility that he says rests with agency heads. Agency heads aren’t accepting that responsibility, says Cate. “As far as the oversight process is concerned, it is clear that [data mining to prevent terrorism] is a disaster.” CIO

Ben Worthen is senior writer. Send feedback on this feature to editor@cio.in

Vol/2 | I ssuE/03

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Dr C. Chandramouli, Chandramouli IT secretary of Tamil Nadu, is pushing the use of the local language, so that the common man can benefit from e-governance.

Lan g

Interview | Dr. C. Chandramouli

By Balaji NarasimhaN Narasimha CIO: What was the rationale behind the Tamil Software Development Fund that was set up in the state?

Dr C. ChanDramOuLI: In order to encourage research and development in computing in Tamil, a sum of Rs 1 crore was provided to the Tamil Virtual University as Tamil Software Development Fund (TSDF). The main objectives of TSDF is to provide financial support in the form of grants to catalyze the development of new software as well as further developing existing Tamil software by both individual developers and developers in the corporate sector. The Tamil Virtual University is the certifying authority for all the software developed by individuals as well as corporates. How have successful projects like RASI and SARI inspired other projects?

n guage Interview.indd 59

Speaking Their

P hoto by Sr IvatSa ShandIlya

RASI (Rural Access Service to Internet; CIO, December 1, 2005) and SARI (Sustainable Access in Rural India) are the pioneering projects that were implemented in Tamil Nadu

ImagIn g by mm ShanIt h

It isn’t hard to figure out that to bridge a digital divide, it is imperative to speak the language of the constituency — literally. This is what Tamil Nadu’s IT secretary, Dr C. Chandramouli, is determined to do. When Dr Chandramouli isn’t busy wooing IT companies to set up shop in Tamil Nadu, he’s focused on pushing e-governance initiatives that impact the lives of citizens — and prime among these is the development of software in the local language.

12/14/2006 5:05:07 PM

Interview | Dr. C Chandramouli to take citizen services to rural areas. Based on the experience gained in the implementation of these projects, the government of Tamil Nadu is currently taking up a project to set up village resources and service centers in 12,618 panchayats in Tamil Nadu. The hardware required for the project has already been supplied to 7,000 panchayats and the remaining will be supplied during the current financial year. The applications and the development of user databases is currently being undertaken. This will ensure the availability of a large number of government services at the doorstep of the citizens in rural areas. Similarly, urban resources and service centers are being planned in all urban areas.

Integrated treasury management system Integrated tax administration system School management and administration system Panchayat management and administration system Municipal management and administration system Simplified and integrated administration of registration Simplified transport management system Electronic document management system Welfare and benefit management system

To encourage R&D in Tamil computing, a sum of

Rs 1 crore was provided to the Tamil Virtual University as Tamil Software Development Fund. Tamil Nadu occupies an enviable position where IT is concerned. What ingredients went into this successful mix?

Tamil Nadu has been focusing on its strengths in the IT sector like a human resource pool, its work ethic, the availability of communication infrastructure, a comfortable power situation, its strategic geographic location, a mature manufacturing sector, extremely competitive costs, a high commitment to quality, an extremely peaceful and conducive labor climate, a strong commitment to good governance and maintaining public order and a proactive and investor-friendly government. Simultaneously, the government is focused on providing a sound infrastructure base. This two-pronged strategy has yielded excellent results. 60

Interview.indd 60

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

Tamil Nadu State Wide Area Network (TNSWAN) is expected to be ready by December 2006. Once this is up and running, what projects are expected to utilize the capabilities of this network?

Many projects will leverage TNSWAN. These include: Employment portal Land administration system e-Procurement Integrated public distribution system Police computerization and administration system Statewide grievance redressal State personnel management system State information and services portal Secretariat knowledge system Agriculture integrated application Health management and administration system

Tamil Nadu has set up a village resources and services center (VRSC) to bridge the digital divide. How does the VRSC propose to do this?

In Tamil Nadu, about 6,500 panchayats have been computerized and the remaining 6,000 are to be computerized soon. The VRSCâ&#x20AC;&#x2122;s main objective is to bring all government services under one umbrella and cater to citizensâ&#x20AC;&#x2122; needs effectively. A draft project report is being prepared in consultation with technical experts and the project is estimated to cost Rs 55.20 crore. These centers will offer all services to citizens in the localities. We feel that these centers will bridge the digital divide effectively. One of the expectations of e-governance projects is that they should reduce corruption. Have the e-Governance initiatives of Tamil Nadu achieved this?

Yes. The e-governance initiatives that are being implemented in the state have brought in more transparency to the stateâ&#x20AC;&#x2122;s administration and improved citizen services notably. Good examples of this are STAR (Simplified and Transparent Administration of Registration) and REGiNET (Registration Network). These projects have made it easier for citizens to get an encumbrance certificate. This certificate can be got online by applying with the required details, and the certificate will be delivered at the doorstep of the citizen.

Vol/2 | ISSUE/03

12/14/2006 5:05:12 PM

Officially, only 15 percent of egovernance projects succeed in India. What do the figures look like in Tamil Nadu? What went wrong with the projects that failed?

As far as this state is concerned, no major failures have been found so far. Can you tell us more about the directorate of e-governance?

Tamil Nadu government is committed to harnessing e-governance as an enabler to usher in a new era of digital governance where services will be delivered to the citizens through convenient and easily-accessible delivery channels. We will create a model e-governed state in the country. For this purpose, an officer of IAS cadre has been posted as an officer on special duty to create the directorate of e-governance. The e-governance directorate is meant to be a facilitator of the public-private partnership (PPP) model. Letâ&#x20AC;&#x2122;s come back to the Tamil Software Development Fund. What projects have emerged from this fund, and how have they benefited citizens?

The fund has yielded the following software products: Idham 2000, an advanced Tamil interface for Microsoft Windows, was developed by Manoj Annadurai of Chennai Kavigal in Chennai. This project was founded to evolve a userfriendly Tamil desktop environment for Microsoft Windows. OCR for printed Tamil text by Dr V. Krishnamoorthy of Learnfun Systems, Chennai, is another completed project. The scope of the project is to recognize the printed Tamil character and its success rate is about 80 percent. The Tamil OCR software will be useful for publishers, the government as well as private offices by saving the time and energy used in retyping and proof-reading. A Tamil Web browser and search engine is an R&D project developed by Dr. Geetha of the Anna University.

Vol/2 | ISSUE/03

Interview.indd 61

Localizing Windows 95 and 98 by N. Anbarasan of Applesoft, Bangalore, is also complete. This project aims at developing a set of utility programs to localize Open Office with some basic Tamil-specific features to meet the requirement of typing in Tamil. This is used by many Tamil computing communities. Machine aided Englishto-Tamil translation was developed by Duraipandi of Ultimate Software Solutions. This software is used to translate simple sentences with one finite verb from English to syntax-structured Tamil. It is compatible with Tamil lexicon.

SNAPSHOT

Tamil Nadu G2G Treasuries

30 district treasuries

G2B Commercial Tax

323 assessment circles and 29 check-posts

G2C Group Provident Fund

Seven lakh state government employees covered Agriculture Marketing Network

63 markets

Land Records

to provide information in the regional language via mobile devices based on a request from native users. Some of this includes information in Tamil for railways, airways, stock, and others. The Tamil Virtual University is now engaged in the process of evolving a 16-bit encoding system for Tamil. This new encoding system will go a long way in the promotion of Tamil language computing. Before taking over as the IT secretary, you were secretary for personnel and administrative reforms. Did this experience help you with your current responsibilities?

AU-KBC Research Centre, I have discharged a wide 201 rural taluks Chennai, has created array of responsibilities in the All figures for 2005-06 Tamil WordNet to enhance state and central government machine translation. before taking up the present WordNet is designed to serve assignment. Each of these as a lexical reference system experiences has helped in my that captures various relationships current assignment. between the words in a language. Tamil nouns, verbs, adjectives and adverbs are Can you give us a brief glimpse of some organized into synonym sets representing of the stateâ&#x20AC;&#x2122;s upcoming e-governance a lexical concept. These synonym sets projects? are then linked by different relations. Some of the applications that will be taken up on a priority basis in the immediate future include the statewide Tamil Linux PC is a project to evolve a grievances redressal application, the user-friendly Tamil desktop environment government information and services in Linux by Tamil PC Team. This project portal, the rural delivery infrastructure has also been completed and is used by and the employment portal. CIO the Tamil computing community. Another project is Localization for Tamil in mobile phones by Velammal Engineering College, Chennai. This is a major development that aims to send and receive SMS in Tamil. The project Value Added Services in Regional Language on Handheld Devices by the department of CSE, College of Engineering, Anna University, was completed recently. This project is designed

Special correspondent Balaji Narasimhan can be reached at balaji_n@cio.in

REAL CIO WORLD | d e c e m B E R 1 5 , 2 0 0 6

12/14/2006 5:05:13 PM

Essential

technology Do-it-yourself integration and support for open source costs plenty. So do consultants. But a new, less expensive approach has emerged.

Essentisl Tec.indd 62

d e c e m B ER 1 5 , 2 0 0 6 | REAL CIO WORLD

From Inception to Implementation — I.T. That Matters

The New Open Sourcing By Galen Gruman open source | Open source has many allures: no license costs, a wide range of support venues and the ability to work directly with code for customization or quick repairs. But it can create IT headaches, too: the mantra of open source has been ‘release early and often’, which means IT managers using a disparate group of open-source apps face frequent updates and patches, and must craft rules about how and when to apply them. Most enterprises soon find that with the do-it-yourself approach, maintenance and integration costs equal — and sometimes exceed — the maintenance cost of commercial software, due to the in-house resources needed to track, test and apply patches and updates. The other option, using professional services firms to do that work, costs at least as much. But a new, potentially less expensive approach is emerging — a certified, pre-integrated suite of open-source components from one vendor, which stays updated and integrated via periodic suite releases.

Vol/2 | ISSUE/03

12/14/2006 4:41:53 PM

essential technology

This option could make open-source adoption easier, for example, for smaller enterprises that don’t have the staff or services dollars to support the traditional open-source integration and maintenance approaches but want to use proven open-source technologies like Linux, EnterpriseDB, Postfix, Tomcat and Apache more broadly. “By creating a standard set of services, providers create cost savings and improved quality,” says Julie Giera, a vice president at Forrester Research. For instance, hardware-and-consulting vendor Unisys recently announced its Open and Secure Integrated Solutions (Oasis) suite — a group of open-source tools optimized for large enterprise customers, with a service-level agreement (SLA) that remains in effect as long as the

sizes. But in reality, pre-integrated suites make the most sense if your open-source software is very stable, is used in an ‘install and forget’ approach, with just occasional upgrades as you refresh your technology platforms. In other words, with preintegration you choose ease over flexibility. Also, the pre-integrated approach appeals more to smaller enterprises than large ones, simply because smaller enterprises have fewer IT resources. “When it fits their IT needs, the suite approach makes sense for small and medium businesses,” says Terry Retter, a director at the Pricewaterhouse-Coopers Technology Center, an advisory group. California construction firm Rudolph and Sletten is a case in point. “I’m in a mid-market company, so I don’t have the resources to deal with a do-it-yourself

CIOs at smaller enterprises like the idea of pre-integration when it’s applied to specific vertical application areas,such as CRM orWeb management. customer doesn’t modify the software. The established trio of automated opensource support vendors — OpenLogic, SourceLabs and SpikeSource — now offer pre-integrated suites, or stacks, of opensource components in addition to their previous offerings (management tools that track and patch open-source software across an enterprise). And Red Hat sells a release of the JBoss application server with other middleware components integrated. However, the pre-integrated approach will not suit every IT department. Many CIOs lack enthusiasm for it, due to issues like vendor lock-in and lack of flexibility — and you should weigh these factors as you consider the fit for your organization.

Who Wants Pre-integrated Suites? Theoretically, the pre-integrated approach should appeal to enterprises of all types and

Vol/2 | ISSUE/03

Essentisl Tec.indd 63

stack,” says CIO Sam Lamonica. That’s why he relies on his operating system and application vendors to provide and maintain integrated suites. For example, Lamonica uses the IT GroundWorks management suite, which includes Nagios, Linux and JBoss. In this case, a commercial vendor includes open-source components as part of its product. That’s fine with Lamonica, since the vendor worries about integration. Plus he suspects it keeps the price down. CIOs like Lamonica at smaller enterprises tend to like the idea of pre-integration when it’s applied to specific vertical application areas, such as CRM or Web management, but dislike the idea of pre-integrated middleware suites into which they must then integrate other applications. At larger enterprises with more resources, CIOs might be more apt to pick multiple open-source integration and

maintenance approaches — balancing the needs for vendor and application flexibility against the costs of maintaining that flexibility. At insurer AIG, for example, “all of our decisions are valuedriven,” says Jon Stumpf, senior vice president of engineering at the insurer’s IT subsidiary, AIG Technologies. Sometimes, the pre-integrated approach will have the best value, but sometimes it will not, he notes. Large companies with heterogeneous platforms prefer the flexibility of a horizontal infrastructure on which they run various applications and data systems, and are willing to pay for the in-house or outside resources needed to integrate and maintain them, says Stumpf. CIOs at such large enterprises may see value in pre-integrated horizontal suites, if they provide more value than other options and don’t hinder needed flexibility, he says. The University of Pennsylvania follows a similar ‘what fits best’ approach, says Robin Beck, the university’s vice president for information systems and computing. “I’d want a [pre-integrated] stack where it makes sense,” she says. Beck is perfectly happy that companies like IBM and Oracle include the open-source Apache Web server in many of their products, taking on the responsibility for ensuring that Apache remains integrated with their software. One other possible appeal of the precertified suite approach: you might want to choose a suite that’s been customized by the vendor when you don’t have the resources or inclination to customize it yourself. That’s why analysts think this concept makes sense for smaller companies. In the future, they envision vendors providing customized suites for a swatch of users — the same customization could work for all independent insurance agencies, for example, or non-chain booksellers. (Right now, such users have to use standard open-source components without specific tweaks for their business processes, pay REAL CIO WORLD | d e c e m B ER 1 5 , 2 0 0 6

12/14/2006 4:41:53 PM

essential technology

consultants to do customization work, or buy a commercial product designed for that specific industry.)

Lock-In and Support Concerns Despite the promised benefits of preintegrated stacks, some CIOs have strong reservations about adopting them: besides the lack of application flexibility, fears include vendor-lock-in and inadequate support. After all, one reason people choose open source is to take advantage of a dynamic community that quickly adopts innovation. A pre-integrated suite that changes on the vendor’s schedule can eliminate that dynamism.As AIG’s Stumpf notes, “If the suite is ‘take it or leave it’, unless it exactly matches my assessment of what I need, I’ll pass on it. If the stack is rigid, it’s no different than going all-IBM or all-Microsoft,” he says. Plus, many open-source components tend to be run with other components in de facto suites, which the open-source community tests and maintains, Beck says. That lessens the need for vendor-managed

But concerns run deeper than application choices. “For me, an offering like Unisys’s Oasis is backsliding,” says Rasch, because customers aren’t supposed to update or modify it, in order to retain their servicelevel agreement. (Customers who do such modifications would likely need additional Unisys professional services, says Ali Shadman, Unisys vice president and general manager for open-source solutions, systems and technology unit.) To address the need for flexibility, a CIO could treat the suite as a starting point, an initially integrated collection of applications that you may choose to maintain internally or hire external resources to maintain. But this approach does have some level of vendor dependence, says Raven Zachary, senior analyst and head of the open-source practice at research firm The 451 Group. The likely need for services spending is not lost on Hewlett-Packard, OpenLogic, SourceLabs, SpikeSource and Unisys, as well as others, Zachary says. “They see that the stack is not the business, but IT consulting is,” he says.

CIOs could treat the suite as a starting point but even this creates vendor dependence. It's this slippery slope into dependence that scares smaller firms . suites, at least for common combinations of open-source software, she says. “It will be hard for an integrator to provide a value above and beyond what the open-source community will do,” says David Rasch, CTO of IntelliContact, which provides e-mail marketing, RSS feed and blog management software to small businesses. Even where de facto suites don’t exist, Rasch doubts that third parties can put together a broad enough range of preintegrated suites to meet different customers’ needs. “The amount of what people want integrated varies widely,” he says. 64

Essentisl Tec.indd 64

d e c e m B ER 1 5 , 2 0 0 6 | REAL CIO WORLD

This slippery slope into dependence on consulting services particularly scares smaller firms with limited IT budgets. “We hear horror stories about being locked into a vendor and having their technologies forced on you,” says Jason Miller, bioinformatics department software manager at the Institute for Genomic Research. “A 300-person company can manage its IT itself,” he says, noting that he brings in consultants only when he has a time crunch. But these fears of vendor lock-in and consulting run amok are not limited to small companies: “I don’t want the open-

Find Your Suite Spot When evaluating pre-integrated opensource suites, analysts recommend that CIOs keep the following caveats in mind: Focus on software you don’t intend to change much. Integration maintained by outsiders proves most effective when your need for change is rare. Otherwise, you’ll either lose the integration or end up paying your staff or an outsourcer to keep reintegrating. Understand what value is really added. Many open-source components are commonly used together, so you can find de facto suites integrated from a variety of sources, at little or no cost. A suite’s cost — both up front and for support — should reflect its unique value, such as optimizations for your industry or better performance that benefits your operations. Gauge what must be specialized. Essentially, a custom open-source suite is no different from custom commercial software. The more specialized the offering, the more you are tied in to its provider for support and services — so be sure the customization is worth losing broad support from the open-source community. —G.G.

source environment to become a mirror image of the proprietary environment,” says the University of Pennsylvania’s Beck. A final worry: will having a single support entity actually simplify IT efforts? IntelliContact’s Rasch understands the one vendor support argument but doubts most providers’ ability to live up to the accountability he needs. And Rudolph and Sletten’s Lamonica is skeptical that enough providers would support companies of his size in the first place. “There aren’t many third-party providers who are willing to or capable of providing open-source solutions to

Vol/2 | ISSUE/03

12/14/2006 4:41:53 PM

essential technology

us,” he says, noting most services firms aimed at the mid-market are certified by Microsoft or Cisco Systems “and don’t want to rock that boat.”

Better Options Coming Soon? CIOs considering pre-certified suites right now face a big contradiction: although pre-integrated suites make the most sense for smaller enterprises willing to trade off flexibility for lower maintenance costs, vendors so far have aimed the offerings at the big guys. That mismatch could keep these suites off the table for many CIOs, for now. For example, Unisys targets its Oasis offerings to large enterprise customers such as Fortune 500 financial services companies. One reason: it costs too much to sell to smaller companies given what they’re likely to spend, says Unisys’s Shadman. And although OpenLogic offers several pre-configured stacks, it concentrates on large companies, notes Kim Wein, vice president of marketing. After surveying customers, HewlettPackard says it found little customer demand for pre-integrated suites, so it offers ‘blueprints’, standardized do-ityourself guides for integrating the opensource components it provides, as well as full-blown custom integration services. HP makes its consulting services available to smaller companies through resellers. But the cost of the software support is the same as for a large company, notes Jeffrey Wade, worldwide marketing manager for HP’s open-source and Linux organization. Looking ahead, analysts expect additional open-source suites aimed at the mid-market to emerge, bringing in more appropriate choices for CIOs. Application and operating system vendors will ultimately drive opensource suites, rather than consulting firms or middleware-oriented vendors like SpikeSource and OpenLogic, The 451 Group’s Zachary predicts. Companies like Red Hat and MySQL have years of

Vol/2 | ISSUE/03

Essentisl Tec.indd 65

Open-Source Suites Just what will you find in the new crop of pre-certified suites? Here’s a sampling of options: Red Hat: Offers the JBoss Enterprise Middleware Suite, with the JBoss application server, plus tools for portal management, business process rules management, caching, distributed transaction management, messaging and development. SourceLabs: Offers the SASH stack (SASH is the acronym for the open source application frameworks — Apache Struts, Apache Axis, Spring Framework and Hibernate) for Java middleware, comprising Spring Framework for business logic and component integration, Apache Axis for Web services, Apache Struts for Web application development, and Hibernate for object-relational mapping and data abstraction. SpikeSource: Offers three pre-integrated middleware stacks: the LAMP Stack (composed of Linux, Apache, MySQL and a choice of Perl or PHP) for websites with dynamic databasedriven content, the Tomcat-based Servlet Stack for dynamic websites written using Javabased Web technologies, and the JBoss-based J2EE Stack for Web applications using Java Servlets and Enterprise JavaBeans. Unisys: Offers three Open and Secure Integrated Solutions (Oasis) suites — one for application servers and two for open-source databases — using technologies such as the JBoss application server, and the MySQL or PostgreSQL databases. In the application server, Unisys includes its own Java virtual machine, designed for high-transaction scalable environments, and its own application-level security software. — G.G.

experience supporting their open-source offerings, which interact with many other tools, so they’d be natural suite providers, says Judith Hurwitz, president of the Hurwitz & Associates consultancy. It makes sense for application vendors — such as database, CRM and accounting app makers — to incorporate open source into their wares, delivering pre-integrated suites on CD or even pre-installed on a server, Zachary says. After all, he says, long before open source, vendors have done that in the mid-market with proprietary software for everything from managing dentists’ offices to handling auto parts retailers’ accounting. Meanwhile, CIOs should define their needs before evaluating today’s suites. Large enterprises can ask if the new open-source suites fill key application needs at less cost than the do-it-yourself

or externally customized approaches. Encourage vendors to meet those key needs: by shaping the demand, CIOs have a better shot at getting truly useful integrated suites, AIG’s Stumpf says. CIO

Send feedback on this feature to editor@cio.in

REAL CIO WORLD | d e c e m B ER 1 5 , 2 0 0 6

12/14/2006 4:41:54 PM

Pundit

essential technology

Innovation and Strategy Your IT department's innovative energy probably has a lot to do with the culture of your company. By Elana Varon Innovation | I’ve been reviewing the numbers from CIO US’ latest State of the CIO survey that have to do with IT innovation. This year, we defined who is an innovative CIO based on how respondents answered questions about their involvement in innovation at their companies. Nearly all CIOs say innovation is an aspect of their jobs. However, there’s a group that not only counts innovation as a major part of their role, but

of projects. And yet, the innovators feel they are even more burdened than their peers by demands from the business. It can’t be that the innovators are better than other CIOs at managing their time. I think the difference comes down to the emphasis companies — and the CIOs themselves — place on IT as a strategic contributor to the business. The survey results bear this out: innovative CIOs are

bring to their jobs hands-on experience in defining their company’s value to customers. I also think that it’s very difficult to be an innovator if you work at a company where IT is viewed merely as a cost of doing business. Companies are going to invest the most in whatever drives growth. You can’t innovate with IT unless you have some freedom to spend money on new projects. Granted, these projects have to have strategic value.

The survey results bear this out: innovative CIOs are more likely to report to the CEO and are more likely to be members of their company’s executive team. also reports business innovation to be the most important contribution IT makes. We looked at how the overall answers of these CIOs stacked up against their peers. The most revealing statistic in the whole survey is the importance innovative CIOs place on strategy. No less than 70 percent of the innovators said strategic thinking and planning is the personal skill most pivotal to their success — significantly more than the respondents as a whole. They also spend more time on strategic planning and decision making than other CIOs. It’s no surprise then, that finding the time for strategy work is far less of a hurdle for innovative CIOs. Most respondents cited lack of time for strategic thinking as their top hurdle — tied with an overwhelming backlog 66

ET-Pundit.indd 66

d e c e m B E R 1 5 , 2 0 0 6 | REAL CIO WORLD

more likely to report to the CEO, more likely to be members of their company’s executive team and significantly more likely to believe that IT should proactively envision business possibilities. If we’re going to define innovation (and I do) as the creation of a product or service or process that creates new value, to be an innovator you have to be deeply connected with the value proposition of your business. And I would argue that it’s impossible to be truly connected unless you are in the room when that value proposition is being developed. Another finding from our survey that I think is related is that a significant percentage of the innovative CIOs have held jobs in marketing. The point here isn’t that they know how to promote IT; rather, they

But if it’s all you can do to keep the lights on, you’re not going to have much left for R&D. This doesn’t mean, by the way, that you have to have a huge IT budget or work for a big corporation. The vast majority of the innovators in our survey work at companies with less than Rs 4,500 crore in revenue, and their IT budgets are not larger than the average as a percent of revenue. According to Rob Austin, a professor at Harvard Business School who studies innovation — the way big companies are structured, and the importance large organizations place on predictable outcomes — may work against innovation. For now, I’d like to know what you think about these numbers. CIO Send feedback on this column to editor@cio.in

Vo l/2 | I SSUE/03

12/14/2006 4:43:43 PM