
From The Editor-in-Chief

Beware of the CFO

He can ensure that you remain cost and control focused.

While all panel discussions at CIO | 08 The Year Ahead generated debate, none was as heated as the one which went over the evolution of the CIO role. Interestingly, all the panelists were convinced that moving forward the role would fall more often to a nontechnical person. As you might guess this was not a statement that their peers in the audience left unchallenged. Among the barrage of questions that followed, the one that intrigued me the most was — “How would an admin guy know which router is best suited for an organization?” Leaving aside why a CIO needed to be the person choosing routers, say five years from now, I was more worried about the present role of the IT leader who raised that issue. Strategic? I don’t think so.

Reporting in to a CFO makes CIOs view their organization from the restricted angle that finance provides.

It’s not too difficult to figure out that among the CIOs out there, there are a fair number who have allowed themselves to be consumed by the operational, the day-to-day, the routine. They’ve remained cost, purchase and control focused. So why haven’t they been able to make the logical leap? There’s a hypothesis in my mind that I’ve been testing over the past few months. My premise is that often the factor that hinders the growth of a CIO professionally (personally as well) is that redoubtable C-suiter: the CFO. Reporting in to a CFO gives CIOs a blinkered vision — those who do so, I’ve discovered, see their organization overwhelmingly from the restricted angle that finance provides.

When I bounced these thoughts off Ericsson CIO Tamal Chakravorty, he reverted: “My experience very clearly states that as long as a CIO is under the aegis of a finance guy he will slowly but surely start feeling out of place as the business grows. A control attitude does not go hand in hand with a growth attitude. It is then that a CIO feels out of place.” Chakravorty went on to add that as long as a CIO could think and act like a CEO of his own little business there was hope. “For this to happen he needs to be part of the board room agenda, maybe through reporting to the CEO. This is the only way he can become business-savvy and not just relate to costs,” he observed.

Do you report in to a CFO? Has this impacted your role and career? Write in and let me know.

Vijay Ramachandran Editor-in-Chief


January 1, 2008 | REAL CIO WORLD | Vol/3 | ISSUE/04

Contents

January 1, 2008 | Vol/3 | Issue/4

Cover: Design by Binesh Sreedharan

26 | Column: Get Outside Your Comfort Zone | To make a great leap forward, you need to study something completely different. Column by John Baldoni

30 | Expert View: Getting Aligned | Dr. Patrick Chan of IDC on how CIOs need to align if they want to deliver business value. Interview by Balaji Narasimhan

34 | Feature: Look Out: Vendor Consolidation Ahead | Vendor consolidation is changing things. Here’s what to expect and what you should do. Feature by Thomas Wailgum

38 | Peer Speak: The Future is Here | The identity of the CIO has never been under such scrutiny. Feature by Balaji Narasimhan

41 | Expert View: Lifecycle for Storage Success | PwC’s Pradip Bhowmick on the importance of information lifecycle management and how companies need to start looking at this now. Interview by Shardha Subramanian

42 | Column: Protecting Data Against Humans | Continuous data protection can help guard against human errors. Column by Bert Latamore

48 | CIO Viewpoint: Medical Marvels | Advances in medical technology are putting a strain on storage systems. Feature by Sunil Shah

50 | Feature: Solid State Drives: Coming To a Datacenter Near You | SSDs need to clear the cost and capacity hurdle to become mainstream. Feature by John Brandon

56 | Peer Speak: Storage Woes in 2008 | Efficient and secure storage could partially define the CIO role. Feature by Balaji Narasimhan

59 | Expert View: Enough with Technology | PwC’s Sivarama Krishnan on how Indian CIOs aren’t investing enough in monitoring and compliance for security. Interview by Sunil Shah

60 | Column: The Human Element in IT Security | You have a security policy. Great. Now it’s time to send the word out. Column by Linda Brigance

65 | Feature: The End of Innocence | Everyone knows how bad the security problem is. They just don’t know how to fix it. Feature by Scott Berinato

74 | Peer Speak: Secure or Quit | If CIOs have enough to do without worrying about security, who’s in charge of compliance? Feature by Kanika Goswami

77 | Expert View: Future Proofing IT Infrastructure | PwC’s Vikas Agarwal on how IT needs to be more aligned with business strategies in 2008. Interview by Kanika Goswami

78 | Column: Carrier Ethernet Grows Up | Ethernet, a low priority a few years ago, now corners a lot of CIO mindspace. Column by Thomas Nolle

91 | Feature: 5 Predictions for the Year Ahead | 2007 was a year of BI vendor mega mergers. How will that affect you in 2008? Feature by Diann Daniel


(cont.)

Departments

Trendlines | 11
CIO Role | New Roles for IT Leaders
Quick Take | On Unified Communications
CIO Growth | Expanding Horizons
Security | Workers Ignore Security Policies
Research | Network Skills in High Demand
Opinion Poll | Stocking Up
By the Numbers | Learn to Really Love Web 2.0
Leadership | Meetings: Threat or Menace?
Storage | IT Disasters Push Archive Software Sale
Virus | Silent Rootkits Attack PC’s
Infrastructure | Study Predicts Data Center Energy

Essential Technology | 95
Networking | IPv6 Checkup Time. By Bob Violino
Pundit | Fix It Already! By Thomas Wailgum

Endlines | 100
Joining the Dots in 2008. By Nancy Weil

From the Editor-in-Chief | 2
Beware of the CFO. By Vijay Ramachandran

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. go to


DVD To celebrate its second year, CIO India brings you CIO|08 The Year Ahead. This program brings together experts from security, storage and infrastructure and leading Indian CIOs to discuss the challenges and solutions of the coming year.

What’s in It for You

Expert Watch | Footage from talks by industry experts, members of research agencies, and top Indian CIOs.

Presentations | Next year’s challenges and potential solutions on paper, complete with the numbers and invaluable statistics.

White Papers | How you can solve some of next year’s storage, security and infrastructure problems.

Photo Gallery: A behind-the-scenes peek at the conference in Malaysia.




Publisher & Editor: N. Bringi Dev
CEO: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Assistant Editor: Gunjan Trivedi
Special Correspondents: Balaji Narasimhan, Kanika Goswami
Senior Copy Editor: Sunil Shah
Copy Editor: Shardha Subramanian

Design & Production
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K, Jinan K. Vijayan, Sani Mani, Unnikrishnan A.V, Girish A.V, MM Shanith, Anil T, PC Anoop, Jithesh C.C, Suresh Nair, Prasanth T.R, Vinoj K.N, Siju P
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran, T.K. Jayadeep

Marketing and Sales
VP Sales (Print): Naveen Chand Singh
VP Sales (Events): Sudhir Kamath
Brand Manager: Alok Anand
AGM (South): Mahantesh Godi
Marketing: Siddharth Singh
Bangalore: Santosh Malleswara, Ashish Kumar, Chetna Mehta
Delhi: Pranav Saran, Muneet Pal Singh, Gaurav Mehta
Mumbai: Parul Singh, Chetan T. Rai, Rishi Kapoor, Pradeep Nair
Japan: Tomoko Fujikawa
USA: Larry Arthur, Jo Ben-Atar
Singapore: Michael Mullaney

Events
VP: Rupesh Sreedharan
Managers: Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Abnash Singh, Group CIO, Mphasis
Alaganandan Balaraman, Vice president, Britannia Industries
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shopper’s Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram, Head–IT, HDFC Bank
Chinar S. Deshpande, CIO, Pantaloon Retail
Dr. Jai Menon, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
M.D. Agrawal, Dy. GM (IS), Bharat Petroleum Corporation Limited
Rajeev Shirodkar, VP-IT, Raymond
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Exec. VP (IT & Corp. Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

Advertiser Index
ADC Krone
Compuware

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India


CIO Role

New Roles for IT Leaders

Illustration by MM Shanith

Steward, revenue generator, holistic business expert and change management architect are just a few of the new roles today's IT leaders are taking on. "I am no longer being asked to provide computers and software," says Matthew Kesner, CTO at Fenwick & West. "I am asked to work with clients, drive revenue, create market differentiators and automate business processes."

Derek Chan, head of digital operations at DreamWorks says, "Understanding the environmental impact of the choices we make is something that has gained prominence in recent years. Power consumption and efficiency are such global concerns these days, and technology is such a significant user of resources, it is imperative to establish best practices and continue efforts to be as efficient as possible."

Wynne Hayes, CTO at Constellation Energy, includes change management — specifically, people change management — among her expanded areas of responsibility. She says one of the goals of standardizing technology is to make it possible for employees to change roles or move across departments within the company and not have to learn an entirely new set of computer systems when they do move.

Verizon Wireless CIO Ajay Waghray chalks up the many changes in his role as top IT executive to the extremely fast pace of innovation in the wireless industry. "Even up to a few years ago, many CIOs could get away with supporting the way things have always been done," he says. "I need a deeper understanding of the business. Staying current with industry developments and maintaining my understanding of business operations are both essential," Waghray says. "More of my time is spent thinking of ways to make our systems more seamless with the business processes they support. Over these past few years, the focus of IT has shifted more and more to the user."

—By Julia King

Quick Take

Vinod Sadavarte on Unified Communications

Collaboration

Many companies are resorting to unified communications so that they can create more efficiency and save considerable time for knowledge workers by transforming an employee's handheld device into a universal ‘inbox’ for all communications. To find out how useful unified communications can be, Balaji Narasimhan spoke to Vinod Sadavarte, CIO of Patni Computer Systems.

What do you think are the benefits of unified communications?
The biggest benefit is the cost savings from time. Employees, when looking for information, need to look at multiple channels, and unified communications can cut down on such wasted time. However, there are also costs associated with deployment, and companies will have to balance these costs against the savings accrued.

How do you see unified communications transforming your enterprise?
Thanks to unified collaboration, employees can enhance collaboration and this will lead to superior output. But I am not looking at an enterprise-wide deployment of unified communications today. This is bound to get implemented at a later date.

If you are trying to push unified communications in your company, how will you justify the RoI?
I feel that it can cut down on the time taken to make decisions. The value is high when compared to the cost of technology. I think that unified communications is an exciting area that holds a lot of promise.

Is upfront cost a hindering factor for unified communications?
This depends on where a company is on the maturity curve.


CIO Growth

Expanding Horizons

While not all CIOs can become CEO, it is imperative that they attempt to expand their role beyond just IT. How far can they walk that line? Balaji Narasimhan asked a few of your peers, here’s what they said:

“I know the CIO of a retail company who is definitely growing in his role. He knows the supply chain so well, he was made chief logistics information officer. CEO's role? He’s getting there.”
Alok Kumar, Global Head - IT, TCS

“In my company, once we stabilized ERP, we started shared services, which are bringing in a lot of profit. CIOs are in a good position to do this because they cut across the entire organization."
T.K. Subramanian, Divisional VP - IS, United Spirits

“A person who can draw a business scenario from end to end can become either a CIO or a CEO. For example, the CEO of Wal-Mart was a CIO. Both the CIO and the CEO need to know how to deliver to the customer at a cost that the customer wants.”
M. Visweswaran, CIO, Macmillan India

Workers Ignore Security Policies: Survey

It's one thing to have a companywide information security policy in place. But it's a whole different ball game to get employees to actually follow the policies — even those that are IT types. A startling number of technology professionals often knowingly ignore security policies or break them because they are unaware of them, according to a survey of more than 890 IT professionals by the Ponemon Institute.

More than half of the respondents in the Ponemon survey said they had personally copied confidential company information into USB memory sticks, though more than 87 percent admitted that company policy forbids them from doing so. In addition, 57 percent believe others in their organization routinely use memory sticks to store and transport sensitive or confidential company data. Among the reasons cited for non-compliance were lack of policy enforcement and convenience. Similarly, about 46 percent said they routinely share passwords with colleagues, even though a two-thirds majority of the respondents said their company's security policies prohibit them from doing so.

In some cases, the violations appear to happen because employees are unsure about company policy. For instance, 33 percent of survey respondents said they sent workplace documents home as e-mail attachments. Nearly half the sample didn't know whether that practice constitutes a breach of policy. In the same vein, eight out of 10 of the IT professionals in the survey said they were unsure whether turning off network firewalls is a policy breach — which may explain why 17 percent admitted to having done so. For instance, despite widespread concerns about data leaks resulting from insider abuse or negligence, 60 percent of respondents said their companies have no stated policy forbidding the installation of personal software on company computers. "The reason why these things are happening [is] because compliance is not enforced," Ponemon said.

Though companies have for years focused their efforts on securing networks against external attacks, fewer have focused on accidental and malicious data leaks from inside. Drug maker Pfizer disclosed in June that an employee's wife had exposed confidential data belonging to 17,000 employees after installing P2P file sharing software on a company computer.

—By Jaikumar Vijayan

Research

Network Skills in High Demand

IT professionals proficient in networks could find themselves in demand next year, because a majority of CIOs polled cite network administration among the most sought-after skills. Research by IT staffing and consulting company Robert Half Technology, shows that nearly one-fifth of 1,400 CIOs polled by an independent research firm cited networking as the single job area in which they expect to see the most growth. Seventy percent of CIOs also ranked network administration as the second-most in-demand skill, behind Windows administration, which topped the list with 73 percent of CIOs seeking such skills. Database management came in as the third-most in-demand skill, with about 60 percent saying they see an impending need to find expertise around Oracle, Microsoft and SQL Server. Firewall administration ranked fourth, with approximately 55 percent seeking those skills; and wireless network administration rounded out the top-five sought-after skills.

According to Robert Half's executive director Katherine Spencer Lee, network managers also can expect to see their salaries increase by an average of 7 percent in 2008, as companies delve into such technologies as Web 2.0 and depend more on network infrastructure to support the new endeavors. The need for network skills doesn't surprise technology industry watchers, who say network expertise serves as a foundation for any new technology endeavor. "IT professionals need to have a broad understanding of IT and its role within the business, and that means be able to tie the basics," says Neill Hopkins, vice president of skills development at CompTIA.

Other jobs considered hot include help desk and user support, with 15 percent of respondents expecting more demand for those skills. Applications development came in third, with 14 percent reporting that job as hot going forward. And rounding out the top-five hot jobs was Internet/intranet development, with close to 10 percent of CIOs saying those positions are on their radar. About 13 percent of the CIOs polled said they expect an IT staff hiring increase in the first quarter of next year, 3 percent plan to cut staff and 82 percent said they expect no staff changes for the next three months.

—By Denise Dubie

Stocking Up

Research indicates that soon digital information will surpass available storage. Here's how much Indian CIOs plan to spend on storage as a percentage of their budgets.

[Chart: share of CIOs by planned storage spend as a percentage of budget, in the bands Up to 5, 5 to 10, 11 to 15, 16 to 20, 21 to 25, 26 to 30 and Above 31.]

Source: CIO India Research

Learn to Really Love Web 2.0

You can't control the apps your end users download, but you can (and should) work with them to generate business value in a safer environment.

By C.G. Lynch

A recent report by Forrester Research suggests that corporate IT departments have seen demonstrable value from Web 2.0 technologies in the workplace and should continue to adopt more of those applications at their own pace. But the report also reveals that the unsanctioned use of consumer, Web-based applications (a phenomenon known as rogue IT or shadow IT) remains high, behooving IT managers to get in the trenches to find out where sensitive corporate data could be exposed. "Of the rogue usage going on, it's often difficult to see which poses privacy or security concerns," says Rob Koplowitz, a Forrester analyst and one of the authors of the study Web 2.0 Social Computing Dresses Up for Business.

Around 15 percent of the IT decision-makers surveyed at firms with 500 or more employees say their workers have used technologies like blogs, wikis and really simple syndication (RSS) for business purposes. On average, about 27 percent of those companies have already made formal enterprise investments in all three of those technologies and another 16 percent have at least considered it. At least 89 percent saw limited to substantial value from the use of blogs, RSS and wikis.

Meanwhile, Koplowitz says the numbers reported for rogue usage — which at Forrester's last count range from 3 percent to 8 percent — remain deceptively low. "It could be a lot higher because unsanctioned use is, by definition, under the radar," he says. "The best an IT manager can do is have some anecdotal evidence and then work from there."

To avoid an ad-hoc approach to Web 2.0 adoption, Koplowitz says IT departments should start by getting a better handle on what applications users have flocked to and embrace them rather than shunning them. In doing so, IT eliminates an adversarial environment, allowing IT managers to form a long-term strategy with their users that encourages testing, setting usage policies and training.
"It's becoming increasingly difficult for IT to control what tools people use in their day-to-day activities," Koplowitz says. "It's in IT's best interest to find out what's going on and offer a sanctioned alternative."

Best Practices

Find out what’s out there. Learn which Web 2.0 tools business users have adopted and what kind of data flows to them. You need to know the reality of users’ needs before you can craft policy.


Establish boundaries. Decide what’s appropriate and what’s not within apps like wikis, blogs and IM. This might mean shutting down information flow to certain applications for compliance and risk reasons.


Develop a policy to provide authorized alternatives. Don’t take away business users’ Web 2.0 tools without giving them an alternative – perhaps an app secured behind a firewall or one delivered via SaaS. Robust tools have emerged in this area, and you can easily pilot test them with, say, 50 to 100 users.


Wikis and Blogs and RSS, Oh My!

[Chart: IT leaders say “I see business value in Web 2.0 applications”, “My workers already use them”, “I have made a formal investment in those technologies”, “I’m considering making an investment”. So what are you waiting for?]

Source: Forrester Research

Leadership

Meetings: Threat or Menace?

Illustration by Binesh Sreedharan

There's nothing like the announcement of another meeting to fill your employees with dread. Meetings are often seen as pointless time wasters. And too many are. “The main thing people hate about meetings is that they are poorly run or don’t accomplish anything,” says Glenn Parker, team building consultant and author of Meeting Excellence: 33 Tools to Lead Meetings That Get Results. Goal-oriented employees are often turned off, according to Steven G. Rogelberg, professor of industrial and organizational psychology at the University of North Carolina. He found in a 2005 study that the job satisfaction of driven employees decreases as the number of meetings they attend increases. (Employees who aren't so driven actually liked meetings, presumably because they were seen as a chance to be social).

So how do you make sure your meetings are not killing morale? Here are five tips:

Schedule only when necessary. The purpose of a meeting is to make a decision, says Parker. No decision needed. No meeting. And include only the people whose input is required.

Reduce frequency. A lot of meetings are just updates, progress reports and announcements, says Parker. That information could be communicated electronically.

Create an agenda. A clear purpose (and time limit) for your meeting is crucial, says Parker. Review the objective at the start.

Recap. When the time limit has been reached, close the meeting. Summarize the accomplishments, decisions and next steps. “You don’t want people going out with a different understanding of what’s been decided,” says Parker.

Do the minutes. Send out a draft and ask for input. Final versions should be sent once input has been incorporated. Sooner rather than later is always better.

—By Diann Daniel

Storage

IT Disasters Increase Archive Software Sale

The demand for replication software is starting to slow down, but sales in archiving software have grown sharply, driven by concern among CIOs over recent incidents, according to market research firm IDC in its Quarterly Storage Software Tracker report. "When I talk to CIOs, the themes that I hear are business continuity, disaster recovery, information risk management and security," said Laura Dubois, IDC's program director for storage software.

The market for archiving software grew by 13 percent between the third quarter of 2006 and the same period in 2007, according to the IDC report. One 'formidable' product in this market is EnterpriseVault. It includes a mailbox management feature, designed to automate the backup of e-mails, and to retain copies of all e-mails without exceeding the quotas and message size restrictions of messaging servers. IDC's revenue figures include licensing costs and maintenance fees but do not include any spending on integration or consulting.

The data protection market started to cool off during the third quarter, as users are reluctant to replace the systems they already have, Dubois said. "Backup applications tend to be very sticky," she said. "It causes a significant amount of pain to disrupt and move in a new product so once you have one in place you tend to keep it for a while."

Although the survey did not track continuous data protection (CDP) products, Dubois said the reputation of this technology has suffered partly over confusion of what CDP is. "The innovation in continuous data protection by and large came from small startups and emerging companies which have largely now been acquired," Dubois said. "It provides shorter recovery points but in the last couple of years there's a lot of buzz, which can be offputting users." She added confusion over CDP "probably stymied adoption early on but long term I think that's where the market's going to go."

—By Greg Meckbach


Study Predicts Data Center Energy Spike

An AMD study has revealed fascinating changes to global data center energy use, suggesting that even small shifts in operational procedures could cut electricity consumption. The study, conducted by Dr. Jonathan Koomey, using data from industry analyst firm IDC, documents energy use across five regions: the United States, Western Europe, Japan, Asia/Pacific and the rest of the world. It forecasts data center energy consumption, estimating that by 2010 US consumption will decline relative to consumption worldwide from 40 percent in 2000 to about one-third by 2010. The Asia/Pacific region (excluding Japan) will increase its share from 10 percent to about 16 percent over that period.

Koomey's report shows that electricity used by servers in the United States and Europe currently comprises about two-thirds of the world's total, with Japan, Asia/Pacific and the rest of the world each falling at between 10 and 15 percent of the total. Examining electricity use by region from 2000 to 2005, the study found that server electricity use in the Asia/Pacific region (excluding Japan) grew at a 23 percent annual rate, compared to a world average of 16 percent a year, making this region the only one with server electricity use growing at a rate significantly greater than the world average. The Western European growth rate of 17 percent was slightly above the world average, while growth rates in the other regions were lower than the world average.

Relatively modest changes in the way data centers are designed and operated could offset approximately half the expected growth in global data center electricity use in 2010. This new research adds detail to an AMD-sponsored study that identified the worldwide costs associated with data center energy use. Both of Koomey's studies were subject to peer review by IT industry, government and energy efficiency policy professionals.

"According to a recent US EPA Report, data center energy consumption could be cut by as much as 20 percent with relatively minor efforts by data center managers, including turning on available power management features, enabling higher rates of resource consolidation, shutting off unused servers and improving infrastructure operations," said AMD marketing person Bruce Shaw. "With the findings released today we can begin to take next steps, including examining how we can power data centers around the world while addressing impacts on global climate," said Larry Vertal, senior strategist for AMD Green.

—By Manek Dubash

Virus

Silent Rootkits Attack PC's

Illustration by Binesh Sreedharan

Malware researchers at Prevx have highlighted what they are calling a 'massive growth' in the number of PCs harboring rootkit infections. More than 725,000 PCs were scanned using the Prevx CSI malware scanner over a two-month period. Of the around 291,000 users who scanned their PCs during October 2007, some form of spyware or malware was found on one in six. Significantly, although rootkits were detected on 15.6 percent of PCs during October 2007, that figure had risen to 22 percent by early December. According to Prevx's Jacques Erasmus: "The rise of the rootkits has begun."

Rootkits are often 'dropped' or buried by other infections. They then modify a PC's operating system to hide themselves from both the user and any security products installed on the computer. By so doing rootkits can allow criminals to remotely monitor, record, modify, steal and transfer data from the victim's PC. Some rootkits are undetectable by conventional antivirus and anti-spyware applications. A tech-savvy user may believe his or her computer is 'clean', and unwittingly pass on increasingly valuable personal and financial data.

Since 1 December 2007, 114,891 new users have run Prevx CSI with rootkit-detection features enabled. Of those PCs, 1,678 had what Prevx describes as 'significant rootkit infections'. That equates to 1.46 percent or approximately one in 70 systems, which is almost 15 times higher than the one in 1,000 rootkit-infected PCs previously estimated by industry experts. Ninety-three companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14 percent, had one or more PCs harboring rootkit infections.

"Consumers and businesses have a significant new threat to security and privacy to worry about," said Erasmus. "Rootkits are often undetectable and extremely difficult to remove.
Both detection and removal are well beyond the capabilities of traditional anti-virus, anti-spyware and Internet security suites," he added. —By Matt Egan



January 1, 2008 | REAL CIO WORLD

Vol/3 | ISSUE/04


Blueprint for 2008

To celebrate its second year, CIO brings together experts in security, storage and infrastructure and leading Indian CIOs to discuss the challenges and solutions of the coming year. Here are their thoughts.

GETTING STARTED

Imaging by Binesh Sreedharan





Started Index

Column | Get Outside Your Comfort Zone
To make a great leap forward, you need to study something completely different.

Expert View | Getting Aligned
It's a requirement if CIOs want to deliver business value to their organizations.

Feature | Look Out: Vendor Consolidation Ahead
There's more uncertainty for CIOs as vendor consolidation changes the enterprise application landscape. Here's what you can expect and what you should do.

Peer Speak | The Future is Here
The identity and future of the CIO has never been under such scrutiny.

Illustration by PC Anoop



John Baldoni

Get Outside Your Comfort Zone

To make a great leap forward, you need to study something completely different.

Illustration by PC Anoop

A long time ago I had the opportunity to spend a season following the Grand Prix circuit in Europe. My role was that of cameraman, but more often I was a utility person, doing whatever needed doing, especially when it came to lifting, hauling or moving things. As unglamorous as my job was, I did have the opportunity to observe race teams up close. Then, as now, Ferrari was king of the hill. I marveled at the raw power of the highly tuned machines and the synchronized actions of the pit crews. I never thought that what I was observing would become a model, a generation later, for how surgeons manage patient care.

One of the challenging tasks that surgeons face is the patient handoff, that is, transferring a patient from the OR to a hospital room. Research shows that such transfers account for a high percentage of patient errors, some of which can be injurious. Why? According to the Wall Street Journal, handoffs require patient history, proper medication and a full assortment of equipment, all of which needs to be managed with exquisite timing and forethought. For just this reason, Great Ormond Street Hospital in London has partnered with Ferrari racing to discover how its pit crews manage and plan for routine events as well as the unexpected ones that occur during a race. What the physicians learned contributed to their development of a new standard for patient handoffs that has resulted in a significant reduction in technical and communications errors that could have been harmful to patient health, according to the Journal report.



Look Beyond Your Borders

Amazing? In one sense, yes. But what the good doctors did is what savvy businesspeople have done for generations — learning from the best, even when the best is not in your own field. Benchmarking is standard practice in most companies; but often such benchmarking focuses on companies in like industries. Manufacturers study manufacturers; healthcare providers study other healthcare providers. Such studies are useful, but they only end up generating incremental improvements. To make a great leap forward, you need to break out of the benchmark to study something completely different, as the doctors who studied Ferrari did. Before embarking on such a venture, however, it's good to consider what you hope to gain from such an exploration. Here are some questions to consider.

What's your aspiration? More than fifty years ago, one man had a harebrained idea that an amusement park could be a nice clean place where families could come and have a good time. That man was Walt Disney. He set about creating the modern-day theme park that would be based, at least in part, on animated or movie attractions that his company had created. People thought he was crazy; the only models for such entertainment were traveling circuses and carnivals. Disney was undeterred. He took as his model the idea of service entertainment in which the park was the stage, customers were guests and the total show was the ‘unique guest experience’. Not only did Disney create a Magic Kingdom, he created a role model for the hospitality industry itself.

What do you want to improve? For generations of customers, buying a car was one of the single most unpleasant experiences of their lives. Customers felt alternately irritated, hassled and mistrusted every time they walked onto a dealer lot. Such experiences are not what Japanese luxury carmakers wanted to follow when they introduced their upscale models to the US. So whom did they study for comparison? Not car dealers, but luxury hoteliers. The Japanese put their US dealers through an immersion course in hospitality. Eventually the entire auto industry caught on to the practice, and today customer satisfaction has improved over what it was years ago.

What can you learn? Once a year, the University of Pennsylvania's Wharton School puts its MBA candidates through a one-day session at the Marine Corps' Quantico training center. There, future corporate leaders experience a bit of the rigor, hardship and induced stress that Marines undergo in preparation for becoming officers. Such an experience not only gets the students out of the classroom, it forces them out of their comfort zone. It gives students an appreciation for making decisions under pressure and when feeling physically uncomfortable. Through this experience they gain insights into situational awareness, that is, what is happening around them and what they must do about it.

Looking beyond your own four walls is liberating. It is like being a traveler. Your powers of observation are heightened and you pay attention to details. Being in new places stimulates the creative juices and in doing so you are exposing yourself to new ideas.

Knowing Your Limits

As valuable as information and insights gained from outside sources can be, it is essential to remain true to your roots. For example, as much as the hospitals can learn from racing teams or lean manufacturers about improving patient care, the lessons in diagnosis, treatment and therapy will come from fellow medical professionals. It is not likely that Ferrari can teach doctors about cardiac surgery techniques, any more than a doctor can teach a Ferrari technician about minimizing fuel consumption during a race.

Looking outside your own world has strong benefits in enabling you to do what you do better, but there is another advantage. Looking beyond your own four walls is liberating. By getting outside of your own place, you can observe what others do. It is like being a traveler into a foreign land. Everything looks, feels, tastes and even acts different from what you are accustomed to. Your powers of observation are heightened; you pay attention to the slightest details. And in doing so, you are exposing yourself to new ideas. What's more, being in new places stimulates the creative juices. You cannot help but wonder: what if we did that in our place? Sometimes the results would be disastrous, but sometimes magic occurs. And that's worth all the observation in the world. CIO

John Baldoni is a leadership communications consultant who works with Fortune 500 companies. He is the author of six books on leadership, the most recent being How Great Leaders Get Great Results. Send feedback on this column to




Putting Humpty Dumpty Together

So that executives can make real decisions that add business value.

Lauren Skryzowski
Sr. Marketing Manager, Information Platform Solutions Distribution (Retail, CPG, Travel and Transport) Information Solutions, IBM

During her tenure at IBM, Skryzowski has worked on projects involving IBM’s on-demand business and performance benchmarks for the retail industry and on IBM's SaaS opportunities. Prior to IBM, Skryzowski was director of competitive strategy for ChoicePoint, an information services firm, where she was responsible for competitive strategy, due diligence on M&A and market opportunity.

In a fast growing economy like India, what are the risks of ignoring master data management?

From an IBM perspective, the biggest problem is that you’re going to follow the same path, and the challenges, that other countries have met. There’s an opportunity for India to leapfrog all the legacy investments that most of the world’s banks and large, older companies are dealing with. These companies are having to deal with extra IT expenses as they try to reduce redundant IT and find ways to take old technology and bring it into the future. India can start with fresh technology that delivers value and connects people and processes and data. It’s almost like looking into the past and asking yourself: how can I avoid those mistakes? From what I know, one of IBM’s larger clients like Bharti Telecom is a huge story of leapfrog. I worked with another division of IBM before and I’ve seen examples of other Indian companies leapfrog their peers in other countries — even if they do not compete directly. If you look at their technology investment, their speed-to-market, their bottom line metrics, they are doing much better.

Can you be more specific about these challenges that India can avoid?

Let’s take an example of a website. The usual solution has been to make a database that supports that website. And rather than look internally at what your supply chain uses, you’re going to start from scratch, make a completely new database – which means that it’s not connected to the rest of your enterprise. Now, take a chocolate bar in a retail environment. Product information about that chocolate bar goes through a predefined process. It needs to be manipulated and used not only by the people who manage that product but also by the marketing people, the logistics people, the supply chain people, the procurement people and the people who manage the website and the catalogues. And to some extent you want to give your external vendors — who work with you on your website and catalogues — access to that data. The more correct data they receive, the fewer reiterations they will have with your catalogue, etcetera.

MDM isn’t at the top of an Indian CIO’s priority list. Are there pointers — like a company’s size — to warn CIOs that it’s time to invest in MDM?

It’s hard to say. The largest companies realize that they have about 48 different databases of customer information and they need to make it one, if they want to deliver value to their customers. But then again, there’s Bi-Lo, a medium-sized grocer that only serves four states in the US. They have found the need to use MDM. They have 20 people in their IT department. Another customer of ours has 1,200. But both of them have found the need for MDM. It really comes down to how much better you want to be than your competition. If you really want to be a lot better, then you’re going to make these investments because they deliver value to big and small companies. Let’s approach this from another angle. How many processes does Bi-Lo have? They probably have about at least 18 processes, including new product introduction, supply chain, merchandising, payment, procurement, etcetera. But what’s also important was that they had four different databases for information that should have been on one. So initially, they were like: “let’s build another data warehouse!” Then they said “wait a minute, maybe not.” They paused because we had been talking to them about some of our new innovations. All their processes were feeding off raw data and when that data is not available that’s when mistakes begin to happen.

How do you help CIOs convince their managements about the need to use MDM?

We’ve found that it is most important to get to the line of business as well as IT. We found that these are very big joint decisions. Sometimes IT understands the problem, but they feel that they are being asked to do things that they don’t have the resources for. At the same time, there are business users who demand that IT deliver certain types of results without really knowing that IT is not capable of doing it because of the way the architecture is set up — both organizational and IT architecture. So we try to bring both sides to the table. We show them both how business works today with the IT they currently have. Then we show them how business could work tomorrow with some adjustments. We’ve only won in cases in which we have been able to get IT and business to see eye to eye. I like to think of ourselves as the champion of the CIO. Because often — and I have seen this — you have this round table of executives with about seven lines of business and you have the solitary CIO. That’s one lone representative of technology when in reality there’s a lot of IT departments he or she is trying to represent.

When you can’t get both to the table, do you fall back on numbers to help move the argument? How do you get these numbers?

We have business value assessment teams who go and talk to business users who use the actual data on a day-to-day basis. These value assessment teams show users examples of 20 other clients they have worked with to show the benefits of doing things differently. The key is to analyze what people are doing today and estimate — based on what we’ve seen with other industry players — what benefits they can gain. We’ll try to look at it beyond saving on some licensing and IT redundancy and tell them that we can deliver productivity or other bottom-line improvements. As long as an enterprise is willing to let us engage in this two week process, we can give them these bottom-line impacts.

Can you give an example of bottom-line impact?

Customer research has shown that most product introduction takes about 90 days. But if you put in a process, you can bring this down to weeks or days. That’s the sort of improvement you can get.

IBM’s MDM solution has two unique features: multi form master data management and the dictionary database. Can you elaborate on these?

What we mean by multi-form is that there are multiple data domains and we believe that it’s not only about managing product data or customer data but it’s also about understanding how these interact. Most of the market is about managing product data or customer data. The other piece is like a name encyclopedia. It’s really one of its kind. Now that there’s so much more screening going on with people’s names, it’s important. Even at a call center, if you have someone input a name phonetically, this technology can suggest some names it could actually be. We have some law enforcement groups that are using it. This technology runs the name of everyone who crosses a border and fifty iterations of that name, including nicknames and translations. It also checks for last and first name switches to find out if that person should not be allowed into the country.

How does IBM’s MDM solution impact people?

MDM is like a bridge. MDM gives you the ability to get IT and business to work together. And because they are both part of the same process, it’s a joint decision. They start figuring out roadmaps and how they can work together. The people side is among the better benefits we’ve seen.

“The decision to use MDM really comes down to how much better you want to be than your competition. If you want to be a lot better, then you’re going to make these investments.”

The amount of an executive's time that is spent searching for data. Only 30 percent of their time is spent making decisions thanks to a lack of master data management.

The Business Value of MDM

The Impact Bad Customer Data Could Have on Your Company:
66 percent of companies indicate profitability of their companies as a whole was negatively affected by poor information quality
75 percent indicate bad customer data quality is harming customer service, quality and loyalty
52 percent identify the integration of diverse systems as a major source of inaccurate information

What Master Data Management Can Do:
Increase revenue and customer retention
Cost reduction and avoidance
Increase flexibility to support existing and new business strategy
Meet compliance requirements and reduce risk exposure

Expert View

Dr. Patrick Chan

Getting Aligned

By Balaji Narasimhan

CIO: You say that alignment, focus and direction are critical for an enterprise. How can a CIO drive this for his company?

Dr. Patrick Chan: From a CIO’s perspective, you have to understand the vision of the organization to accomplish their corporate vision. Today, if you look at IT as a tool, it has been ingrained in the business. The CIO has to be a change agent in order to align the organization’s vision with the corporate world.

CIOs are expected to cut costs and also innovate. Aren’t these pulling in different directions?

Cost cutting is always there. The alignment aspects have changed. But cost cutting and innovation don’t always contradict. For example, with virtualization, the CIO can reduce physical server costs and improve agility at the same time.

What should CIOs look out for in virtualization?

With physical servers, problems are difficult to fix. With a virtual server, it is definitely easier. But this apart, the CIO should remember that all physical server problems — like server sprawls — are also found in the virtual world. So, CIOs should plan carefully when they are using virtualization.

How should the CIO cope with the increasingly mobile organization?

It all boils down to the CIO’s ability to lock and have control over the mobile workforce. The first step is to educate your workforce about the right processes that should be followed. The CIO should also find the sweet spot between control and flexibility. He should not force too much control upon his users.

What are the unknowns that every CIO should be aware of?

The CIO should be aware of exceptions in business response. This is very poor in the Asia-Pacific. A lot of organizations don’t have processes for this. This is crucial — for instance, in manufacturing, this can impact the whole supply chain. CIOs should spend time answering one question: can they predict what is abnormal for their businesses?

You say that you have seen a lot of failures in SOA. What is the main cause? How should it be handled?

The CIO should get support from the top management, and get support from business unit heads. Without this, SOA is doomed to fail. He should also be big on both vision and implementation. If the vision is small, or if it changes midway, then the implementation will not be great.

What leadership skills should a CIO possess?

The CIO should be a good negotiator. He should know how to blend IT with business. He should be a visionary in terms of instituting transformative processes within the organization. He should have communicative skills and must be able to tell the CEO about the importance of IT in the organization. Finally, he must be a change agent across all levels.

How will the next-generation enterprise differ from the present ones?

Today’s organizations take months, if not years, to react to business changes. The enterprise of the next generation will be able to do this in a matter of weeks. Today’s organizations are reactive, but the enterprise of the next generation will be more predictive, and therefore, more responsive. Finally, the enterprise of the next generation will have deep insights into all the existing assets, like people, processes, and IT. CIO

“The CIO should be a good negotiator. He should know how to blend IT with business. He should be a visionary in terms of instituting transformative processes within the organization.”
—Dr. Patrick Chan, Research Director, Emerging Technologies, IDC Asia Pacific

Send feedback on this interview to





Roadmap to Virtual Infrastructure

Security is one of the big benefits of virtualization.

Jim Lenox
General Manager, VMWare, Asia South

Based in Singapore, Lenox is responsible for developing and managing VMWare’s virtualization business in the region’s emerging markets. He brings with him over 15 years of experience in international channel and sales management. Prior to VMWare, he spearheaded international sales and channels management at companies across diverse industries such as wireless technology, aerospace and defense.

In your opinion, does virtualization have security issues that need to be resolved?

There are two parts to this. If you are talking about security vulnerabilities, the answer is no. The code of the latest virtualization is very thin and is becoming thinner. It is now losing 98 percent of its footprint. Second, virtualization is now used to augment security. You can build the virtual machine the way you want. The software will take you through simple steps, so if you want to provide for end point security and block certain devices, you can do it. If you want to restrict some network access, or build a sandbox, that can be done too. Virtualization allows you to build a secure shell of a machine by defining the devices and networks. Security is actually one of the big benefits of virtualization.

How are CIOs responding to desktop virtualization?

At VMWare, desktops are our fastest growing area, especially from large organizations. There is quite an interest in taking a laptop and putting it in the datacenter. The biggest driver for this initiative is security. Every time someone loses a laptop with company information, we see a spike in interest.

How can a CIO approach virtualization?

There are a number of easy entry points. One is virtualizing testing machines, because it makes no sense to buy boxes for testing. Increasingly, a second entry point is disaster recovery. Virtualization allows all that recovery capability on much less hardware. Another entry point would simply be network infrastructure servers — virtualizing all those servers which are very lightweight and non-mission critical. And as organizations get familiar with this, they can run more mission critical production servers, as a second phase, and then web servers and exchange databases.

When resources are already well utilized, how does virtualization help?

We wouldn’t recommend it as a phase if an enterprise hasn’t deployed virtual machines yet. If they already have some competencies around building and operating virtual machines, we would recommend this to a later phase typically. Having said that, most of the users are operating databases. SAP, for instance, is supporting virtual machines. The advantage in doing so is its ability to move it box to box. Virtualization quickens the pace of server maintenance; you can drag and drop the whole virtual machine into a virtualized environment without stopping it. That gives more uptime. So while underutilization is a big driver, there are bigger drivers for enterprises bringing in virtualization. There are a lot of other advantages in terms of flexibility, mobility, etcetera, that come with the demotion capability.

“Every time someone loses a laptop with company data we see a spike in interest for virtualization.”

What VMWare Can Deliver

Innovative solutions for the difficult problems facing IT
Increasing utilization, availability and flexibility
Up to 70 percent savings in operational costs
Server provisioning cycles cut from weeks to minutes
Freedom to run your choice of operating system
Run unmodified Linux and Windows OSs
Dramatic hardware costs savings
'Same Day ROI'
Increased service availability
Planned downtime no longer affects service availability



No Network Fluke

A speedy, reliable network doesn't happen by itself.

A. Sitaramaiah
GM Sales, Fluke Networks India

Sitaramaiah has over 20 years experience in the IT industry with CMC, R&D, Tyco Electronics and now at Fluke Networks. Sita, as he is popularly known in the industry, is passionate about pioneering technology that helps organizations derive competitive advantage in their operations. He has a Master's degree in communications systems from the University of Roorkee and a Master's in business administration from Osmania University.

What is the business impact of slow networks?

Subconsciously, people are aware of a loss in productivity. For example, in a BPO, if what you can do in ten seconds takes 45 seconds — there's a huge loss in productivity. Organizations only have tools to alert them of a service outage — not of service degradation. It is common sense that there is a huge potential of reducing the intensity and duration of service degradations.

Why does service degradation arise?

There are three basic laws when it comes to networks: first, networks never become slower; second, networks never get smaller; and third, networks never stay the same. This is why service degradations arise. All we need to do is plan for high speed which will guarantee increased throughput and reduced response time.

How do you plan a WAN’s capacity?

You have an infrastructure already in place. But, do you know if it is being optimally used for business purposes or non-business applications? For instance, if somebody is sharing music then that’s a completely non-business purpose. This is the first thing we need to understand. Once you have an idea of who is using your bandwidth, then you can plan your WAN capacities. People do not have even a faint idea of how this bandwidth is being used. Forget about planning, there is a long way to go.

How does your integrated framework model reduce response time?

Network availability is at the base of the pyramid and then there is infrastructure availability. Everyone has invested in it, but no one has a clue about how it is being used or about its response time. The integrated framework consists of a series of functions like availability, usage, response time and business views. Once you know what you want and are sure about your resources then that by itself will reduce your response time.

What do you mean when you say network performance has to correlate with delivery?

Any of the network performance issues that are hindering the successful delivery of applications can affect delivery. A lot of times, organizations run converged applications: they have voice, real time video, etcetera, on one single network. There is a sudden surge in information and this upsets traffic. We need to understand the parameters and the status of the network today. Users lack an understanding of its impact. We can help them with that.

What does the Network Tracker do?

We provide high quality solutions that are easy to use, deploy and manage. We have faster application servers that provide efficiency with less risk. Our Network Tracker does exactly that. It tells you how your bandwidth is being utilized, it looks at the usage portion and response analysis.

“Once you have an idea of who is using your bandwidth, then you can plan your WAN capacities.”

Benefits for C-level Executives

Business Benefits Resulting From Managing Performance:
Faster implementation of new and improved business services
Implement competitive advantage initiatives or ‘keep up’
Unified communications
Inventory, logistics, CRM, ERP
Risk mitigation
Better control over the infrastructure that delivers business critical services
Top line revenue
Incurred expense
Customer satisfaction


Vendor Management

Enormous vendor consolidation has changed the enterprise application landscape forever. But there's more change and uncertainty on the horizon for CIOs. Here's what you can expect and what you should do.

Look Out: Vendor Consolidation Ahead

By Thomas Wailgum

If 2007 was any indication of what's to come, the one thing companies using expensive enterprise applications — ERP, CRM and supply chain management systems — can expect is more change in vendor alliances, pricing schemes and software innovation in 2008. On top of that, gloomy economic forecasts for 2008 could have significant financial consequences for CIOs and their IT budgets. So with an uncertain financial outlook, it looks like CIOs will (again) be asked to do even more with even less. And nowhere is that more critical than with a company's core enterprise apps and software platforms. "Globalization, rapid market change, a changing workforce and regulations have made more agile and usable applications into a business imperative," says Sharyn Leaver, research director of business process and applications at Forrester Research. "The result: process and applications professionals are on the hook to deliver more agile and usable applications."

In addition, Jeff Woods, a research VP at Gartner, says that mounting pressure from the business side to get ‘real business benefits’ from enterprise systems while also taking advantage of advances in technologies such as SOA to stabilize computing environments leaves CIOs to "make strategic decisions that are more important than the ones they had to make pre-Y2K." Here are six areas that will have a big impact on CIOs' 2008 enterprise plans:

More App Vendor Consolidation

IBM buys Cognos. Oracle gobbles up Hyperion. SAP swallows Business Objects. HP acquires Opsware. And Microsoft buys a number of software makers. This past year will be forever known as the year of enterprise software consolidation and acquisitions.


Billions were spent by the big boys (SAP, Oracle, IBM, Microsoft) on smaller competitors that offered tantalizing application sets. So what should CIOs expect in 2008? According to a survey from technology consultancy The 451 Group, people in the software industry expect more mergers. More than 85 percent of corporate development professionals at companies that have acquired other companies within 2007 said that they ‘expect to maintain or increase current-year levels of merger and acquisition (M&A) activity in the coming 12 months’, with half of the companies expecting to increase M&A spending. The survey polled corporate development and strategy professionals from companies that collectively have spent more than Rs 600,000 crore to acquire nearly 500 target companies during the past five years. Less than 10 percent of the respondents said they expect their acquisition volume to decline.

A survey by Duke University and CFO Magazine found that 40 percent of US companies plan to acquire assets in 2008. One-third of those plan to buy a company or companies, and 22 percent plan to acquire assets of another company but not the entire company. Forrester's Leaver says that she expects 2008 will see more consolidation, primarily in industry-specific niche application sets, adding: "I don't think it'll be as big as 2007. In terms of the really big offerings, there aren't that many left."

The Rise of the Vendor Ecosystem

Before you roll your eyes at the sight of another vendor buzzword like ‘ecosystem’, at least consider the logic and potential importance of the New World Order of vendor management in 2008.

As a natural extension of all the consolidation, and with fewer midsize and bigger players to choose from (which is relatively speaking, of course; there are thousands of smaller software vendors out there), CIOs will have fewer options to choose from. That said, the enterprise vendors realize that innovation and their future success is all tied to their relationships with smaller players, business partners and developer communities. So while CIOs may be buying an SAP or Oracle software package on the surface, they should also do their homework and figure out who are the businesses and alliances that are a part of SAP's ecosystem, for example, and how they match with the CIOs' enterprise technology strategies.

"The ERP system is basically a platform for an ecosystem to develop around," says Gartner's Woods. "This is the way you have to look at sourcing your ERP today, and the trend will only become more dominant in the future." Forrester's Leaver stresses that CIOs need to become less of an ‘observer’ with their application investment strategies (for instance, letting one or two of the large vendors drive their strategy). Instead, CIOs need to be more proactive about determining which vendors' ecosystem synchs up best with their own long-term ERP strategy. This is critical because if your vendor's ecosystem includes industry-specific applications (say you're in the retail industry) that meet your long-term needs, you will have an easier time identifying and integrating the next killer application into your ERP backbone.

The differences in the major vendors' plans are obvious, Woods says. Oracle, for example, has bought or developed in-house industry-specific apps, such as in the retail or telecom space, whereas SAP has relied on its platform and its partners to develop its future killer applications, he says. The importance of what each vendor's ecosystem can deliver shouldn't be overlooked by CIOs. "Remember, without a killer app," Woods says, "a platform doesn't live very long."

Fierce Competition Continues

While the competition in this space has always been intense, CIOs can expect more hand-to-hand combat among enterprise application providers. "I don't see, at this point, any relaxing of the competitive intensity of this industry," says Woods. And that's one piece of good news for CIOs. Even as the enterprise vendors accumulate more areas of expertise and technology platforms (through organic development or acquisition) and become economies unto themselves, there still are plenty of vendors to play against each other during negotiations, say analysts. That's because "there is so much margin on the line," Woods says.

The advice for CIOs: don't be afraid to play the vendors against one another. "The vendors are getting smarter about when to compete and when to coordinate — what's worth fighting over and what's not," Woods says. And if your business is worth fighting over, you should be able to get a sweet deal in 2008.

In addition, with all of the freshly minted M&As, adds Ray Wang, a principal analyst at Forrester, now is as good a time as ever to negotiate longer maintenance contracts and buy new modules at significant discounts. "In the history of post-merger announcements," he says, "sales reps typically will be offering sweetheart deals to close out the quarter and status as an independent company."

Reader ROI:
How you can deal with vendor consolidation
The advantages of this trend
What to watch out for in third-party maintenance business models

Vol/3 | ISSUE/04


REAL CIO WORLD | January 1, 2008

Vendor Management

We Know About the Goliaths. Don't Forget About the Davids

The goliath enterprise vendors aren't known for their innovation. But smaller vendors are. In the future, those small vendors will be building applications with greater flexibility and ‘plug and play’ adaptability than what comes out of the bigger companies' R&D departments. For example, Leaver notes that most small vendor apps are being built so that they can run on top of IBM Websphere, SAP NetWeaver and Oracle middleware products so that IT departments can ‘configure it and change it on the fly’. And with these applications, IT people have to worry less about architecture decisions, and just base their purchases on the relative usefulness of the application itself.

In addition, Albert Pang, IDC's director of enterprise applications research, notes that all this innovation will lead to more Web 2.0 applications for enterprise users. "It will not be long before business users are able to take advantage of tools from vendors such as Serena Software that essentially allow them to create mashup content on the fly," he says. The overriding message for CIOs, according to Pang, is that they "need to balance their systems landscape in a way that doesn't allow any one vendor to have undue influence over their strategies." "When that happens, they can play them against each other, and they can take advantage of all these development efforts going on."

What's to Come of Enterprise License Maintenance Fees?

It seems like CIOs have forever complained about the sticker shock of enterprise software maintenance fees. The costs, which historically have averaged right around 22 percent a year for enterprise implementations, are a huge financial hit for many IT departments. "When the vendors emphasize tactical improvements as the primary value delivered by maintenance, that has caused people to say: 'What am I getting for my maintenance dollars?'" says Woods.

During the last year or so, many CIOs have either looked into or completely turned over their ERP or CRM systems maintenance to a third-party provider such as TomorrowNow or Rimini Street. But the lawsuit that Oracle slapped upon TomorrowNow and SAP's missteps in handling the situation at TomorrowNow have cast a shadow on the third-party maintenance business model. Even so, third-party maintenance has piqued IT executives' interest and will continue to do so in 2008. "What TomorrowNow is a manifestation of the market questioning the value of maintenance," says Woods. "Almost everyone asks the question: can we rethink our maintenance approach? Now is that third party, or going off maintenance altogether, or stabilizing the system?"

A big reason for CIOs' frustration is that some vendors aren’t doing a good enough job articulating their path to the next generation of enterprise tools, Woods says. "It's a complicated decision, and there are not easy answers for it. It has to be linked to the business strategy and risk portfolio."

Of course, maintenance fees are infamous for their 90 percent margins, which makes vendors loath to even talk about them, let alone consider making some significant changes. Leaver, however, says that could start to change in 2008. If they want to keep their current customers happy, she says, "the application companies are going to have to rethink their pricing schemes and maintenance fees."

85%: The number of corporate development professionals who expect to maintain or increase last year's levels of M&As.

The Supply Chain Gets Even More Wireless — and Dangerous

Wireless technologies will continue to influence the future of the supply chain. At the forefront and gathering much of the attention is RFID, which, while still nascent, will continue to expand in 2008, say analysts. But it is other advances in the supply chain, such as increased use of wireless technologies for data transmissions and operational transactions in distribution centers, that have made supply chains even more efficient.

Analysts point out, however, that wire-free does not mean risk-free. A recent report from Retail Systems Research (RSR) details the growing dependence on wireless technologies and monumental risks posed by the new breed of devices in the supply chain and beyond. RSR analyst Steve Rowen describes the current situation as this: wireless attackers, who now have motive and technological savvy, have identified companies' "lackadaisical treatment of data flow as a viable opportunity, extending well within the reach of highly organized crime factions," Rowen writes. "Theft of retailers' customer data is no longer just for 'hacks;' it has become very big business."

Rowen’s first piece of advice for 2008: elevate the conversation. "The most successful security programs are those which gain the interest of C-level executives — early on," he writes. "This process will slightly vary from one retailer to another, but is commonly bound by a joint presentation of the company's current — and needed — security status to the board of directors."

Send feedback on this feature to


Panel Discussion

The identity of the CIO has never been under such scrutiny.

By Balaji Narasimhan


Future is here

In a panel discussion titled ‘The Future is Here’, Arun Gupta, customer care associate and CTO, Shopper's Stop; Alok Kumar, global head-IT, TCS; and T.K. Subramanian, divisional VP-IS, United Spirits, debated the career progression of CIOs. The panel was moderated by Vijay Ramachandran, Editor-in-Chief, IDG.

Ramachandran set the ball rolling by saying that, for many, CIO stands for ‘career is over’. What should CIOs concentrate on: business or technology to take their careers forward, he asked. Gupta said that one problem that CIOs face is that a lot of users believe that they know technology better than the CIO, and also added that many users also believe that their grasp of business is better than the CIO's. He said that their views sometimes lend new perspectives, but added that, a lot of the time, they don't get you anywhere. Gupta also said that, business and technology apart, the CIO should ensure that he can 'make progress' — for himself, for his users, and for the organization’s end consumers.

What Makes a CIO: Technology or Business?

Ramachandran then wondered if one could become a great CIO without a deep understanding of technology. Kumar believed that first, one needs to be current with business. He said that the CIO should look at what the CEO of his company is looking for: is he interested in business transformation, or growth, or business processes? The CIO should realize that the CEO is looking for a partner who understands the needs of the business, and can implement what he wants with the aid of technology. Therefore, said Kumar, while the CIO should understand technology, his business skills are of greater importance.

Then, is the CIO responsible for creating an aura around technology, and making business people believe that technology is not something that they really understand? Subramanian said that, in the old days, the CIO was no more than an IT manager, and the business heads had to listen to whatever he said. At the same time, he said, the line-of-business heads also didn't have much choice, and had to take whatever was given to them by the CIO. Later, the CIO entered a new phase of cost cutting and process standardization. Subramanian added that, over a period of time, the CEO realized that the CIO had a complete view of the organization. So, CIOs became involved in all aspects of the company that involved information process and flow. Because of this, the CIO is also responsible for information security and compliance today, he averred, and went on to add that this change means that the CIO has to focus more on business rather than technology.

Does this focus on business mean that anybody can do a CIO’s job? Gupta said that the CIO's role in the future is not expected to continue the way it is today. He said that this change is driven by the inherent complexity that already exists within organizations, but conceded that technology has today become more resilient and fail-safe. All this means that the focus is moving away from technology, and therefore, going forward, a lot of future CIOs need not necessarily be technologists.

Adding to this, Kumar felt that today, organizations are more structured than they were around two decades ago. He pointed out that in order to manage business problems, many CIOs have specific departments dedicated, and such departments take on the onus of interfacing with both IT and the business. The CIO sits on top of such groups in order to coordinate their activities, and so, he needs to know a little about all the individual pieces, he said.

And What If You Outsource?

Subramanian's opinion was that one can define the role of the IT department as being strategic, tactical, or operational. He felt that in this day of outsourcing, if a CIO gets a very well structured outsourcing policy, then he could outsource much of the technology activities and ensure that the business can manage the operations. But Subramanian was also quick to add that all this depends on the maturity of the organization. He felt that, if the organization is mature enough, then this is possible. To buttress his argument, he pointed to Bharti Airtel, which has outsourced most of its IT activities to IBM. But, he conceded, just as Bharti has a CIO to manage strategic activities pertaining to IT, similarly, other companies too will need somebody to take strategic IT decisions.

On the ability of business people to don the mantle of the CIO, Kumar said that, for example, in the retail industry, the person in charge of the supply chain management has a bird's eye view of the entire organization, and therefore, can become a CIO. He also said that he knew of five retail organizations where the CIO was also the head of the supply chain. Kumar also firmly believed that the CIO has to understand the problems of the business, and said that the CIO should take every opportunity presented to him to ensure that he understands the business, and also to communicate with business heads.

CIO++

So, if the CIO knows the functioning of the business from end-to-end, then should he be looking to become a CIO++, asked Ramachandran. Kumar said that he knew of CIOs who were expanding their activities and taking on business roles in addition to traditional roles. He said for such a person, the next logical step could be the office of the CEO.

Gupta's take on this was that, as long as the CIO remains involved in technical activities like buying routers, he cannot become a CIO++. Talking about his own experiences, he said that, in the last four organizations he worked in, he headed a profit center or has otherwise been responsible for business functions in addition to his role of a CIO. But he felt that this has more to do with individual interests, and pointed out that organizations are not going to create such positions for CIOs. It is therefore up to the individual to demonstrate that he is capable of moving beyond his current role.

Balaji Narasimhan is special correspondent. Send feedback to

Arun Gupta, Customer Care Associate & CTO, Shopper's Stop
Alok Kumar, Global Head-IT, TCS
T.K. Subramanian, Divisional VP-IS, United Spirits


A Look at

Storage Index

Expert View: Lifecycle for Storage Success. You have to start now to make information lifecycle management work.
Column: Protecting Data Against Humans. Continuous data protection can help guard against human errors.
CIO Viewpoint: Medical Marvels. Advances in medical technology are putting a strain on storage systems.
Feature: Solid State Drives: Coming To a Datacenter Near You. SSDs need to clear the cost and capacity hurdle to become mainstream.
Peer Speak: Storage Woes in 2008. Efficient and secure storage could partially define the CIO role.

Illustration by Anil T

Expert View

Pradip Bhowmick

Lifecycle for Storage Success

By Shardha Subramanian

CIO: What do you mean by a 'formal' data strategy?

Pradip Bhowmick: There has to be a formal policy for managing data, something like a lifecycle flow. It would incorporate developing a strategy of how and when data should be managed, who accesses it and at what point of time. Simply put, it is about archiving of data according to a policy in place.

What are the factors for selecting an appropriate information lifecycle management solution?

Relational databases are growing at the rate of 125 percent annually. According to a survey conducted by Sun Microsystems, when data is divided into essential and non-essential, storage size is reduced up to 50 percent. It is important for the CIO to know that data is most valuable when it is created and also the point of diminishing marginal returns. Considering all this, an appropriate ILM would be the one that has the ability to do an archival, can move storage from one part to another and can create metadata in no time.

How does a service storage value system provide value?

Basically, it defines specifically that infrastructure will provide all the services. The value to CIOs is that they can now ask for definitive features, there is a standard definition. They also don’t have to bother about questions like whether this talks to that etcetera. In any organization if the whole backbone of managing data is aligned with the policies and procedures, then business value is much better.

Why do you feel that interoperability leads to traps?

People want to buy less expensive infrastructure, just for the sake of it without thinking about what the organization actually needs. Here, interoperability becomes very critical. If you have a defined set of services that you are looking for, depending on archiving data or storing data, then you will not fall for vendor pitches. You need to work your pros and cons out and then take decisions. That’s what ILM gives you.

What should be the focus of CIOs in terms of storage?

It definitely should be on having this whole policy of formal data strategy for management of data in place. It should be about facilitating communication across the enterprise so that people are informed about who is handling what process. Knowing the value of data at different points of time, if not quantitatively then qualitatively based on which a policy should be drawn. Creating a strategy, a process and a structure, and then implementing it would be the primary focus in the year ahead.

Send feedback on this interview to


“People want to buy less expensive infrastructure, just for the sake of it without thinking about what the organization actually needs. You need to work your pros and cons out and then take decisions. That’s what ILM gives you.” —Pradip Bhowmick Assistant Director, PricewaterhouseCoopers


Bert Latamore 

Technology at work

Protecting Data Against Humans

Humans tend to make mistakes and make data disappear. Continuous data protection can help.

Illustration by Anil T

Continuous data protection (CDP) and its close cousin, data snapshot technology (which might be considered ‘CDP on the cheap’), are the latest fashion among backup/restore vendors. IBM, for example, is promoting its Tivoli Continuous Data Protection for files product under the slogan, ‘When once a day is not enough’. The implication, which some vendors are pushing, is that this is a replacement for other kinds of backup, better than tape but less expensive than the three-node architecture.

CDP/snapshot backup, however, is a new approach aimed at a different problem than traditional backup/restore solutions, says Peter Burris, consultant and co-founder of "CDP is a first important attempt at providing protection against both human error and against data corruption caused by unanticipated interactions between applications," he says.

While these issues have caused problems since the start of the computer age, they are becoming more important, Burris argues, as end-user computing moves from desktop and laptop systems to mobile handheld devices. "On a PDA, all it takes is an accidental swipe of a stylus or tap on the wrong tiny virtual button to wipe out an important e-mail or document," Burris says. Simultaneously, the advent of service-oriented architecture (SOA) increases the potential for data corruption, not only from unanticipated interactions among applications, but also from among pieces of code inside an SOA application.





Making Data Migration a Cakewalk

Give your storage more flexibility and less complexity.

Subram Natarajan
Senior Consultant-SSG Asia Pacific & EBC Program Manager, IBM

In his current role, Natarajan engages with key customers across the Asia Pacific region, helping them address their IT challenges by providing them creative solutions. He recently moved from the US to help with IBM’s regional storage business. Prior to this, he was a solutions architect for the storage group in Asean /SA region. In that role, he solidified his reputation as a strong, capable technical leader who delivers results. Here he talks about a data migration solution.

Can you give us a brief background to Softek?

Softek was bought and integrated into IBM at the beginning of 2006. Mainly, the idea was to provide a platform for customers to migrate data easily — from one storage device to another.

Why is what Softek offers so much more important today?

It is important primarily because of the dynamism that exists in the market. Because of this dynamism companies are re-locating data centers for cost reasons. They are also consolidating their numerous data centers to reduce the cost of operations, power consumption, management and so on. And over 50 percent of the time, people move data because of technology refreshes — whether it is movement from one server to another or one database to another. From our survey, over 41 percent of companies migrate on a yearly basis. Out of these 82 percent have some sort of trouble. This is why Softek is gaining more importance.

Can you elaborate on the types of issues CIOs face when they attempt migrations?

Mainly, the issues fall into four different categories. One is data loss and the loss of data consistency after a migration. The second is cost overruns. Third is time; CIOs specify a window of time to move, they plan for it and then the window extends, thereby impacting business. Finally, once data is moved, its performance and availability is compromised because the new environment is not conducive to the new data.

What can Softek do for CIOs who currently face these problems?

Softek goes to the heart of addressing two main issues: the lack of flexibility and the increased complexity in data migrations. These two cover all the challenges I just spoke about. What do we mean by a lack of flexibility? Flexibility is the ability to move from anywhere to anywhere, whenever you want, whatever you want. That’s the sort of flexibility that Softek offers and it also offers data consistency and availability, before, after and during the move.

The second aspect is complexity — the interrelation between data and the different types of data. For example, if you move data, without taking into consideration related data, you may leave orphaned data in the primary, which, by itself, won’t make any sense. The end result? You have an inconsistent target and source and data is completely unavailable. With Softek, you have an assessment base that can envelop the entire environment so that information — not only data — remains intact. Today, data migration is an inevitable challenge. Softek gives CIOs flexibility and masks complexity

“Over 41 percent of companies migrate on a yearly basis. Out of these 82 percent have some sort of trouble.”

Move Anything, Anytime

It Isn’t Easy
Percentage of users who experienced problems during data migrations:
64% Unexpected downtime
38% Application performance issues
38% Data corruption

And it Cost Them:
85% Excessive staff time
54% Budget overage
51% Technical compatibility issues

What Softek TDMF Can Do:
Eliminate application downtime
Improve performance with load balancing
Free up the maintenance window for other tasks
Improve the total cost of ownership of an IT environment
Reduce lease/maintenance costs


CDP also has a large price tag. Because it captures each individual database write and then adds a time stamp and sometimes other metadata, it can easily triple the total storage needed by the application. In some installations, it can use up to five times the base storage capacity.

Killing Mosquitoes with a Sledgehammer

Traditional backup/restore approaches are focused on protecting against device failures ranging from a hard drive crash up to the loss of an entire data center in a regional disaster. Going to backup tapes to try to recover a spreadsheet someone accidentally deleted is like killing mosquitoes with a sledgehammer.

CDP works on a more granular level, focusing on individual applications or files down to the end-user device level. Thus, a CDP system may back up the Exchange database on a specific user's PC. If a user accidentally deletes a critical file, that specific database can be restored quickly and comparatively easily to the state just before the deletion without involving anyone else. The danger of this is that it can create discrepancies between the restored database and the rest of the system, so, for example, e-mails that arrived after an incident may be lost from the user's Exchange database. These, however, can be restored from the server.

This, however, is exactly why CDP/snapshot shouldn't be considered as a replacement for normal backup technologies such as tape, warns Wikibon co-founder David Floyer. The discrepancies that are easily fixed on one PC or one application become impossible to manage when trying to restore an entire database.

CDP also has a large price tag. Because it captures each individual database write and then adds a time stamp and sometimes other metadata, it can easily triple the total storage needed by the application. In some installations, Floyer estimates it can use five times the base storage capacity, with a similar traffic load on the network. Many data centers today are struggling to keep up with the astronomical growth in storage demand. Thus, CDP, or even snapshot backup — which puts less demand on corporate systems but still has a considerable cost — is best reserved for applications with critical latency demands, says Burris.

By its nature, CDP is also a short-distance technology. Basically a near-parallel approach to data preservation, it usually backs up to a local network appliance. This precludes backing up to a safe, remote site and leaves the CDP data vulnerable to many of the same interruptions that affect the main database. An electrical outage will hit the CDP network device just as hard as the database being backed up, and a regional disaster that wipes out the data center will take the CDP system with it. So CDP isn't a replacement for tape in a vault.

Snapshot Advantages

Snapshot capture has its own advantages that go beyond cost and complexity. Because CDP captures data as it is written to disk — while most applications hold data in buffer before writing to disk — at any given moment, it doesn't have all the most recent data. A snapshot system can trigger a buffer dump to disk just before each snapshot. This can give it a near equal latency as CDP on average, depending on the rate of change to the data and frequency of snapshots, says Floyer. Depending on exactly when in the cycle the backup occurs, it could have more complete data than continuous CDP. However, it does have performance implications, because the application must pause every time it dumps its buffer.

For all these reasons, Burris says, "users need to recognize that CDP is not a new solution to the old problem of device failure but rather an answer to different problems." He says that while those problems have always been with us, they are becoming more important as hardware dependability increases and the opportunity for unanticipated application interactions also increases — and the threat of human error remains. "As a result," he says, "we will see a shift in emphasis in information protection that will increase the urgency of the need for new, creative answers over the next decade. Vendors need to step up to the plate, and users need to be clear on what they are protecting against, or they risk sticking their thumbs in the wrong hole in the dike."

Bert Latamore is a journalist with 10 years' experience in daily newspapers and 25 in the computer industry. He has written for several computer industry and consumer publications. Send feedback on this column to




Tools for Business

Give your enterprise's applications more oomph.

Hariharan Ganesan
Managing Director, India & SAARC

Prior to joining Compuware, Ganesan worked with leading companies like Peoplesoft and Oracle, Microland and TVS Electronics. In a career spanning almost two decades, he has handled regional- and national-level roles, including direct sales, channel sales and strategic alliances.

What is Business Service Management?

Business Service Management (BSM) is a concept that aligns IT to the business of an organization. Keeping business success as the topmost goal, BSM helps tie business expectations to the IT elements that support its smooth functioning. For example, on the billing day of a mobile phone service provider all related IT components supporting billing have to perform. The emphasis is on whether the organization can publish all the bills rather than measuring the individual performance of underlying components like billing applications. This can be accomplished once you are able to relate all the supporting IT elements and do an intelligent correlation. The concept is quite different from conventional silo-based management approach.

While BSM is the end-goal, the Vantage set of products help organizations in a lot of areas like end-user experience monitoring, application performance on network, server performance, etcetera. Based on how mature an organization’s IT is, Vantage can be deployed to implement concepts like application service management (ASM) and IT service management (ITSM). Vantage gives organizations the ability to correlate performance metrics from different components of deployed IT with representations in the form of dashboards for a hawk eye view of IT performance and subsequent drill down in case of performance degradations.

In Oxigen's case, Vantage is used as an outsourced app. Have there been issues?

This tool is being offered by service providers worldwide in an outsourced environment. In the outsourced model, customers get the advantage of third-party services without compromising on the functionality of the tool. A service provider can bring more value by adding additional service elements. There has not been any issue with the tool because it is outsourced.

Have there been any other implementation issues related to BSM?

As long as we can map the critical business processes of an organization to the underlying IT elements, the implementations typically go through quite smoothly — environmental issues notwithstanding.

What kind of market do you see for Vantage, going forward?

Any organization running mission critical applications to service their customers and generate revenue is a potential candidate for BSM deployment. This applies to organizations in the areas of banking, finance, insurance, telecom and portals. Large organizations in the areas of manufacturing and retail have a strong track record of deploying BSM worldwide.

“Any organization running mission-critical apps to service their customers and generate revenue can use BSM.”

How Compuware Helps Oxigen:

Current Status:
Over 35,000 points of sale
Over 7 million transactions a month
Customer support in all cities
Centralized call center

By End 2008:
Footprint in 50 major towns.
100,000 points of sale
Over 3,000 cybercafés nationwide
Over 4,000 kiosks in seven states
100 kiosks in south India

250 Internet kiosks now, 1,000 in next 12 months
SMS based roll-out with mobile payments, over 2,000 outlets planned
1,000 Internet kiosks at the gram panchayats level in the state of AP, growing to over 5,000 by March 2008
250 Internet-enabled outlets in AP for utilities payment and now prepaid, growing to over 2,000 Internet kiosks in six months



Focusing on Information
Stop thinking data, think information.

Praveen Sahai
Head Marketing & Corporate Affairs for India and SAARC, EMC

In his role at EMC, Sahai is responsible for spearheading the marketing strategy for EMC in the region. He is also responsible for the corporate brand building and developing and enhancing relationships with internal and external stakeholders. Prior to joining EMC, he was the product marketing manager, South Asia, Sun Microsystems. He has also led a host of marketing functions including integrated marketing communications and channel initiatives.

How can CIOs move their focus from technology to information?

The leap has to come from the organization. This may take time because it is primarily linked to the mindset of the organization. The day the CIO stops counting the number of CPUs in a server, he will see what is relevant to the business — and then, he will move from technology to information.

Regarding virtualization, what problems should CIOs be aware of?

First, let’s look at the benefits: virtualization helps a CIO with the optimization of infrastructure. This is important because a CIO can no longer manage things by just adding more disks in order to boost storage. CIOs must optimize their infrastructure. Now, coming to the negatives, I don't think we have reached a stage where pitfalls are abundant. Today, virtualization is a very positive move for the industry because it is giving us what the world never had. The problems will only come when you have done it for a few years. But remember, even the best cars have problems.

In your opinion, is application-based security going to replace perimeter security, or will they coexist?

I think they will coexist. You still need perimeter security for organizations that are in the online space or have enterprise portals. Perimeter security will still play a vital role. But, going forward, application security will be more critical. Let me give you an example. If you store jewels in one room in your house, you will ensure that this room is always locked. But you will still lock the front door when you go out. This is the same way in which application security and perimeter security will coexist.

When will words like zettabyte and yottabyte become as common as gigabytes and terabytes are today?

My personal thought is that people will use such terms in three or four years. We have a customer in India who already has 2.2 petabytes. We are doing such a solution in India for the first time. This is the single largest single-shot implementation in India. So, today itself, we are talking about petabytes. I’m sure that in 2008 we will be talking about exabytes, and by 2010, we will move to zettabytes. After that, we may start talking in yottabytes.

In 2007, information growth is expected to overtake storage capacity. Where do we go after that?

If we don't get innovative with our information infrastructure, we will have problems. But technologies like virtualization and data deduplication are here to help CIOs. The technology is there, but it has to be correlated with the information infrastructure so that an organization’s propensity to buy more storage reduces, thereby creating an intelligent information infrastructure.

An EMC study shows that individuals create 70 percent of digital information. What should a CIO watch out for?

All this information is unstructured data. We need a set of processes that will ensure that this data is managed in such a way that it is of relevance to the business.

How should CIOs approach this problem?

The CIO should realize that unstructured data has individual value, but no corporate value. So, he should make use of document and business management tools, along with data capturing and conversion tools, and ensure that unstructured data is converted into structured data.

Ultimately, stored information needs to be retrieved. What are the issues involved?

The biggest issue is being able to retrieve point information when you want it. To do this, you have to plan in advance. For starters, don't spend on a half-baked solution. Identify the needs of your organization and then plan accordingly.

Sometimes, CIOs need to store data for over 20 years. Since storage media doesn’t last this long data has to be copied to newer media. How can this be automated?

The complication is about predicting the future. Since you don't know what sort of technology is coming three years from now, you can't create a solution today. Let me give an example. Look at mobile phones. Even if you have changed your mobile phone in the last six months, you will still retain the number of a contact, which is over seven years old. The same is also applicable in the corporate world.

Archived information is closely aligned with non-repudiation. Does it throw up requirements for managing data integrity?

We have a product called Centera, which is a hardware device, and it is coupled with a few software tools. Centera makes sure that your data cannot be changed once it is stored. You can only write once, but you can read as many times as you want, subject, of course, to policy settings. This is based on a low-cost SATA product line, and therefore, the cost is not as expensive as with a primary storage solution. But Centera is useful in legal situations because you can prove in a court of law in India — it complies with the Indian IT Act, the Indian Evidence Act, and with SEBI’s Clause 49. Internationally, it complies with Sarbox and HIPAA, among others.

Store, protect, optimize, leverage, these according to you are the critical parts of managing data. The toughest part is obviously leveraging information. How should a CIO face this challenge?

I wouldn't call it tough; I would call it instrumental. We call things tough when we have not done it. When we get the first three things right, we need to wonder: what about the fourth piece? Is the CIO telling the management that we now need to leverage the data? Is the CIO selling what he has done? CIOs are great when it comes to understanding and managing technology, but they are not always good at highlighting their achievements.

Finally, what should a CIO concentrate on in a storage context?

Let's just look at one thing: reducing expenditure on storage. From there comes the need to innovate and look at a new way of managing things. CIOs must stop buying more disks and start utilizing the existing infrastructure in a better way.

“Let's just look at one thing: reducing expenditure on storage. From there comes the need to innovate and look at a new way of managing things.”

The percentage of the digital world that will be created by individuals by 2010. But, it's organizations who will be responsible for its security, privacy and compliance.

Where the World is Going
Over the next three years, digital information will multiply by six times to 988 billion gigabytes
Individuals will create 70% of the digital information
Organizations will bear responsibility for the security, privacy, reliability, and compliance of at least 85 percent of that information

Where We Can Engage

Strategically
Information lifecycle management
Grid and virtualization
Preparing for service-oriented architectures

Tactically
Optimizing backup
Consolidation of servers and storage
Disaster recovery and business continuity
E-mail optimization
Database optimization
Enterprise application optimization
Enterprise content management applications
Service level management

peer to peer

Manish Gupta

Medical Marvels
By Sunil Shah

It’s ironic, the more medicine advances, the less the common man knows about the processes that run a hospital. How many realize the various systems that are in place to ensure that doctors and nurses get the right patient data at the right time? Does anyone realize how much information a hospital produces per patient? These were the questions Manish Gupta, CIO for Fortis Healthcare, asked his audience in a presentation titled ‘Getting Your Storage Pulse Right’. The problem, he said, is that it’s getting harder to deal with the huge amount of data being produced every day. But for a hospital, “it’s a business-driven fact of life. It’s driven by hospitals in their attempt to create better patient care,” he said. “Before, we used to have 16-slide CT scans, today we have 64. That’s a storage jump from 50 MB to 600 MB. Every step technology takes forward, data grows 10-fold. No one’s really concerned about the data we have to store for an X period.”

The Isolated Ward
It doesn’t help that most hospital systems are siloed. It’s a problem that is reflective of the healthcare industry. “Healthcare is a fragmented industry. Not only are there so many hospitals, but no two doctors think alike and data resides in silos,” he said. In an interview with CIO, Daljit Singh, president, strategy & organizational development, Fortis Healthcare said that over 85 percent of hospitals have an average of less than 30 beds. Gupta’s presentation exemplified this fragmentation both outside and inside the hospital. He showed how each of a hospital's departments, such as radiology, was doing a great job — only they were doing it in isolation. “There is no one view of the customer. The electronic data record — the one place where all records of a patient are maintained — is still a dream,” Gupta said.

January 1, 2008 | REAL CIO WORLD


The Wall Street Journal, found that hospitals make most mistakes while moving patients from the operation theatre to their respective wards. These handovers need a patient’s history, their medication and specialized equipment. They need the seamlessness and accuracy that only an IT system can provide.

The Digital 'Operation'
Gupta pointed out that as patient care gets better, giving doctors access to vital information is getting harder. “The move is more and more towards the digital hospital,” says Gupta. At the moment, Gupta deals with this problem by copying data into a central hub every fortnight. He has added data gateway and storage nodes at each site — be it a hospital or a test center — so that data can be cached locally. This gives data more resiliency, he said. This also helps answer a second challenge: giving doctors quick access to 600 MB files. Take for example, CT scans. “As doctors access these records, they change them. They could put a note on it or draw a graph on it and I have to link these,” Gupta said.

But this only solves one part of the problem. “There has been much talk about transitional data,” Gupta explained. “But there’s a lot more persistent data in systems — data that needs to last for years.”

Finally, he pointed to another storage challenge. “The total cost of storage is always hard to explain. You won’t believe it, but when I tried to sell this to my management, I used a real estate argument. And that’s what clinched the deal. I could have spoken at length about data standardization but saving 1,000 sq ft of real estate is what did it.” It seems, storage in the healthcare industry isn’t as easy a play as finding a pulse.

“Healthcare is a fragmented industry. Not only are there so many hospitals, but no two doctors think alike and data resides in silos. There is no one view of the customer. The electronic data record — the one place where all records of a patient are maintained — is still a dream.”
—Manish Gupta, CIO, Fortis Healthcare


Vol/3 | ISSUE/04



Solid State Drives: Coming to a Data Center Near You

By John Brandon

Hard disk drives have always held the fort when it comes to storage requirements. But once SSDs clear the cost and capacity hurdle, they will be the next best thing in data centers.

Reader ROI:
Why SSDs are a viable option
How SSDs solve throughput problems



For laptop owners, flash-memory drives boost battery life and performance while making notebooks lighter and more bearable for frequent business travelers. In the data center, benefits include higher reliability than their magnetic counterparts, lower cooling requirements and better performance for applications that require random access such as e-mail servers. So far, the biggest barriers to adopting solid-state drives (SSD) in the data center have been price and capacity. Hard disk drives (HDD) are much less expensive and hold much more information. For example, a server-based HDD costs just Rs 40 to Rs 80 per gigabyte, while SSDs cost from Rs 600 to Rs 3,600 per gigabyte, according to IDC.



Capacities are just as disparate. The Samsung SSD drive only holds 64GB, although the company plans to release a new 128GB version next year. Meanwhile, Hitachi America makes a 1TB HDD that's energy efficient and priced at Rs 16,000 for mass deployment in servers.

Enterprise Strategy Group analyst Mark D. Peters explains that solid-state technology has been on the radar for years, but has not been a hit in terms of price and performance for corporate managers. That's about to change, he says, because the IOPS (input/output operations per second) benefits to SSDs are too impressive to ignore. An SSD has no moving parts, lasts longer, runs faster and is more energy efficient than an HDD. And prices are falling fast. Right now, the industry trend is a 40 percent to 50 percent drop in SSD pricing per year, according to Samsung.

The arrival of hybrid drives such as Samsung's ReadyDrives — which use both SSD and HDD technology — and SSD-only servers "suggests the time for SSD as a genuine — and growing — viable option is getting closer," says Peters. He was referring to an IBM announcement about BladeCenter servers that use an SSD. "Price erosion, coupled with increased capacity points, will make SSDs an increasingly attractive alternative to HDDs" in data centers, agrees Jeff Janukowicz, an analyst at IDC in Framingham, Massachusetts.

Two examples of how SSDs solve persistent throughput problems in high-performance computing show how the technology may make new inroads in corporations in 2008, some industry watchers believe.

Solid-state at the Stanford Linear Accelerator Center
At this research center, SSD is being used for some of the most data-intensive work going on today. The Stanford Linear Accelerator Center (SLAC) in Menlo Park, California, uses particle accelerators to study questions, including where anti-matter went in the early universe and what role neurexin and neuroligin proteins play in autism. The amount of data is immense — in the petabytes — and the lab uses a cluster of 5,000 processor cores. Despite that, the discrete chunks of data that are requested and analyzed by several hundred researchers are highly granular — usually just 100 to 3,000 bytes of information. At the same time, scientists tend to perform thousands of data requests, accessing a few million chunks of data per second.

Richard Mount, SLAC's director of computing, explains that the response time for these researchers' data requests is limited not by the number of processors or by the amount of network bandwidth, but rather by disk access time. "Flash memory is over a thousand times faster than disk drive technology," says Mount. "Hard disks are limited to around 2,000 sparse or random accesses per second. When accessing thousand-byte chunks, this means that a disk can use only 1/50th of a gigabit-per-second network link and less than 1/100,000th of a typical computer center network switch capacity."

This limitation has translated into the need to make what the lab calls 'skim data sets'. In other words, pre-assembled collections of related data that at least one researcher has already requested. "There is no waiting for skim data sets that already exist, but if somebody wants one that does not already exist, then they normally have to wait for a skim production cycle that takes place once every four to six months," Mount says.

To help researchers receive data in a more ad hoc manner, flash storage may be just the thing. "We have no religious attachment to flash, but we can construct flash-based storage at a reasonable cost and around 25ms latency, and we are doing so." SLAC has developed its own SSD-based system that is in the final debugging stages, Mount explains. "The first version of this will provide about 2TB of storage, but we can easily grow this to 5 or 10TB just by buying flash chips," though he reckons the scalability will require "more serious expenditure." At the 2TB level, it will serve as a test and development system only. Eventually, the goal is to use SSD technology as a cache for all particle accelerator research, which will allow scientists to access data at any time from any data store.

"SSDs help the entire system run more efficiently by ensuring the I/O capability is in balance with the rest of the application system," adds IDC's Janukowicz. "The characteristics of flash-based SSDs make them a well-suited alternative for high-IOPS applications that are read intensive. SSDs have no rotational latency and have high random-read performance. Thus, with SSDs the time to access the data is consistent and very small regardless of where on the device the data is held."

40%: the current annual rate of decline in SSD prices, according to hard drive manufacturer Samsung.



Considering SSD at the Pacific Northwest National Laboratory
At the Pacific Northwest National Laboratory (PNNL) in Richland, Washington, solid-state technology could help alleviate a supercomputer bottleneck. At the lab, researchers run tests that sustain a write speed of 80Gbit/sec. and a read speed of 136Gbit/sec. Yet, one or two slow hard disk drives running at one quarter the speed of other disks cause performance to degrade quickly.

"Solid-state devices such as flash drives can use a RAID striping technique to achieve high streaming bandwidth — just like [hard] disk drives — while also maintaining very low latency for random access," says Robert Farber, a senior researcher at PNNL. "This is a very exciting combination."

The lab has not moved to solid-state technology yet. But Farber says the real debate is whether low-latency access for "seek-limited applications" — in other words, many requests for small amounts of data — can alleviate the pressure of computing bandwidth. It is not solely a price-per-gigabyte debate. "It remains to be seen how much of a price premium consumers will tolerate before robustness, power, storage capacity and physical space differences cause a mass departure from magnetic media," Farber says.

At the PNNL, the latency goal for its last supercomputer was 25Mbit/sec., per gigaflop of peak rate floating-point performance. This is mostly to be able to handle the data-intensive nature of the NWChem scientific software calculations being run. The lab's new environmental molecular sciences facility contains a new supercomputer with a theoretical peak floating point performance of 163 teraflops. And, like at the Stanford lab, disk speed is a critical part of the equation, so solid-state is the forerunner in solving the bottleneck. One breakthrough Farber expects in the not-too-distant future: operating systems will change their memory hierarchy to directly access SSD, turning the technology into a hard drive replacement for mass storage.

SSD versus HDD
The idea of using flash-based storage in a notebook isn't new. But the high cost of flash has prevented it from replacing hard-disk drives on mainstream notebook PCs, despite some advantages in power consumption, shock resistance, and speed — until now. As prices continue to drop, flash-based solid-state drives (SSDs) have become viable options for handling your notebook's primary storage needs. Moreover, today's roomiest SSDs have 32GB of memory, enough to do more than satisfy basic storage needs — making them competitive with 1.8-inch hard-disk drives, which range in capacity from 30GB to 80GB. Are they worth the extra cost? In spite of price drops, SSDs cost Rs 16,000 to Rs 20,000 more than ordinary hard drives of the same capacity. So how does SSD justify its sticker price? With an SSD in your notebook, you'll see better system responsiveness, and a change in the way the system handles drive-intensive tasks such as reading data from the drive, coming out of standby, and booting up. If you tend to bump your laptop around a little and need performance boosts, the extra cost might be worth it.
—By Melissa J. Perenson

Complementary — Not Replacement Tech
One question that remains: when will SSD really impact the corporate world? Some say SSD in the data center is just on the horizon, since laptops such as the Dell XPS M1330 use a Samsung 64GB SSD. Alienware also offers a 64GB option in some of its desktop computers. And SSD is applicable across the commercial landscape; while researchers need the speed to study proteins, retailers may need or want faster POS transactions.

One company to watch in this space: Violin Memory in Iselin, New Jersey. The company's Terabyte-Scale Memory Appliance provides over 1Gbit/sec. access for sequential and random access. SLAC's Mount says he tested a DRAM-based prototype appliance from Violin, and that its upcoming flash-based system "seems a good match for our applications." A Violin spokesman explains that the two key bottlenecks in corporate computing are network speeds and IOPS for storage systems. Today, disks run at about 100Mbit/sec. for sequential operations, but only 1Mbit/sec. for random 4k blocks, he says.

"In some cases, there are minimal capacity requirements which are well suited for SSDs," Janukowicz adds. "Also, in high-performance applications, the IOPS metrics can favor SSDs over HDDs." However, even with all those benefits, he says that "IDC does not see SSDs completely replacing HDDs in servers. SSDs do offer performance advantages and are a 'green' solution. However, there are many applications that require the capacity provided by HDDs."

Enterprise Strategy Group's Peters says that throughput requirements will lead to a gradual shift away from hard disk drives to solid-state technology, but it will take time in the corporate world. "Moving wholeheartedly from one technology to another is a rare thing within data centers," he says.

John Brandon worked in IT management for 10 years before starting a full-time writing career.



Panel Discussion

By Balaji Narasimhan

Going forward, efficient and secure storage could be the big differentiator in the CIO league.



Information is the lifeline of every organization. This is definitely not a debatable issue. But how an organization stores and manages this information is definitely worth a discussion, which is why a panel discussion at the CIO '08 event was titled 'Storage Woes in 2008'. The panelists were Rajkumar Upadhyay, DGM - IT and BD, BSNL, Bangalore, Ajay Khanna, DGM and Head IT, Eicher Motors, and V. Subramaniam, CIO, Otis Elevator. The panel was moderated by Vijay Ramachandran, Editor-in-Chief, IDG.

Starting the discussion, Ramachandran said that nobody ever seemed to get fired for buying too much storage. So he asked whether 'when in doubt, buy more storage' was a good rule of thumb. Khanna agreed with this argument because, if a business application goes down, then the organization is in trouble. Subramaniam’s take was that one should look at having optimal amounts of storage. He said that, while organizations spend a lot of time in planning their networks, they don't necessarily give the same attention to detail when it comes to storage. He insisted that companies have to be careful about the information they store — like the data used by applications or e-mail attachments. Therefore, argued Subramaniam, companies should keep a constant eye on their current requirements coupled with the growth of information, and then come up with a strategy to implement storage.

Upadhyay, whose storage requirements grow at the rate of 4 GB per hour, said that, as long as BSNL had only landline connections, storage growth was not very high. But, when BSNL started offering mobile connections, a data deluge began as government regulations required it to store customers' data. However, the biggest problem with storage is interoperability, he said. Because of this, he preferred to deal with vendors who are SNIA-compliant.

Storage Void
Ramachandran pointed out that research done by CIO revealed that most organizations have around 35-45 percent of storage that was either underutilized or non-utilized. What should the CIO do in a situation like this? Khanna said that this figure could be a lot higher if one were to look at the underutilized storage on individual PCs. He felt that one way to handle this is to probably come up with a technology solution that can collate all this unused space and then enable it to be used.

But, how can one even get an idea of space that is unused? According to Subramaniam, one should have a storage policy that defines what information should be stored on a desktop and what is stored on a centralized server. Information that is identified as an asset of the company has to be stored on the server in a protected form. This way, he said, not only is critical information protected, but both current and future storage requirements can be determined.

Upadhyay said that, in practice, servers have around 50 percent of unused storage and this is more critical than data stored on laptops and desktops because data that resides on the server is critical to the organization. Also, the TCO for the SAN will come down only when server consolidation is done.

Catch 22
If consolidation is important, should organizations move towards virtualization in order to optimize their storage? Khanna disagreed and said that he was not very gung-ho about virtualization because it has its own costs associated with it. Upadhyay is pro-virtualization because he has managed to consolidate 13 area servers in Bangalore and has saved on the licenses for Oracle, real estate in terms of data center space occupied, electricity, and others. He said that he has also found virtualization to be useful when he is doing web hosting for customers. But, for his commercial application, he felt that consolidation and not virtualization is more the need of the hour.

Subramaniam, while adding to Upadhyay's comments, said that benefits of consolidation include centralized information, which implies that the information can be managed more efficiently. He felt that consolidation can also avoid duplication of information, and help an organization determine what it needs, besides making disaster recovery easier.

And the Debate Goes On
The panel then looked at the issues pertaining to outsourcing storage. Subramaniam said that, in this case, you will be allowing a third party to manage your data, and so the top priority would be to assess the credibility of the person who will be managing the outsourced storage.

While discussing the strategy for storage, Khanna cautioned that CIOs should also look at archiving as an important issue. He said that a lot of data can be moved to offline media, and this can improve performance. Agreeing with this, Upadhyay said that ILM (information lifecycle management) is useful here because it can be used to define data and how long it needs to be stored. But more than this, he felt that consolidation is important because you can then use data mining and business information tools to convert data into information.

Balaji Narasimhan is special correspondent.

Ajay Khanna, DGM and Head IT, Eicher Motors
Rajkumar Upadhyay, DGM - IT and BD, BSNL
V. Subramaniam, CIO, Otis Elevator

A Look at

Security Index

Expert View: Staying Secure to the Core
PwC's Sivarama Krishnan on how Indian CIOs aren’t investing enough in monitoring and compliance for security.

Illustration by MM Shanith

Column: The Human Element in IT Security
You have a security policy. Great. Now get the word out.

Feature: The End of Innocence
Five years ago, few knew how bad the security problem was. Now everyone knows. They just don’t know how to fix it.

Peer Speak: Secure or Quit
Don't CIOs have enough on their plates without security worries? But then who is in charge of compliance?


Expert View

Sivarama Krishnan

Enough with Technology By Sunil shah CIO: Is there too much hype around security? Are CIOs suffering from security-fatigue?

What about monitoring? Is enough happening in that space?

Sivarama Krishnan: That’s partly true. Security has become paranoia. Maybe it is because security priorities are not set in relation to the size of impact. Let me give you an example: the security on a print and file server and SAP server is the same despite the fact that the importance of the latter is more.

What does a tool do? A tool helps increase effectiveness. What has happened is that we have invested in technologies like proxies and firewalls, but we don’t use the information these technologies produce to increase effectiveness. This has to be improved.

What is the cost of this one-hammer-foreverything approach?

You have been talking only about internal users and not so much about external threats. Why?

This impact is visible from the results of the CIO-PwC security survey. It’s clear that the level of satisfaction or safety-perception is decreasing despite increasing security spends. We spend so much money, time and effort in security but it’s probably not channeled in the right areas.

That’s because external threats are controllable by technology. And from an Indian perspective, external threats aren’t that high. Our online activities are far lower than much of the world.

So where do you feel that CIOs should focus their spending?

Unfortunately, security spending is still focused on technology. But security is not about technology alone. In fact, it is less about technology and more about people and processes. Having said that, the money that went into technology for security was needed. In the past, India needed those infrastructural barriers. Over the last five years, this infrastructure has been created, so now it is time for organizations to move towards creating security hygiene, creating discipline around security within the organization. This is a huge governance issue.

But surely enough has been said to caution users.

Are you saying that Indian CIOs have already spent enough in technology for security?

I think, relatively, they have spent enough. I’m not saying they have done enough spending, but that some of the spending should be focused on discipline and processes.

Send feedback on this interview to

EXERPT VIEW Sivarama Krishnan.indd 59

Executive Director, PricewaterhouseCoopers.

We’ve also seen that quite a lot of threats don’t emanate from technology know-how of hackers — it’s more about a lack of awareness by users. Every year our survey returns with this fact: 65 percent of incidents are caused by internal users.

Users can’t be blamed entirely. Organizations help them make mistakes. Look at the number of passwords users are required to remember on a yearly basis – it’s about 15. And that’s only work related passwords. On a given day, users have to remember between 20 to 25 passwords. In this paranoia of security we have created, we have created too much complexity. We have made it hard for our end users. Simplifying these password protocols will probably encourage users to employ stronger passwords. CIO

Vol/3 | ISSUE/04

“Unfortunately, security spending is still focused on technology. But security is not about technology alone. In fact, it is less about technology and more about people and processes.” —Sivarama Krishnan

REAL CIO WORLD | January 1, 2008



Linda Brigance 

Applied Insight

The Human Element in IT Security

You have a security policy. Great. Now it’s time to send the word out.


Illustration by BINESH SREEDHARAN

The air express industry, like many other businesses, has rapidly transformed the way it serves customers over the past few years, through the aggressive and ingenious use of the latest information technology. FedEx spends more than Rs 4,000 crore every year on IT. Frederick W. Smith, founder of FedEx, once said, "The information about the package is as important as the package itself." But these advances come with a price: the need to protect the system from damaging viruses, accidental data breaches and even deliberate attacks. Breaches can often start in a very personal way — with friends over a cup of coffee, at a café where employees go with a work PC and surf the net or do personal e-mail. Most of us are familiar with the technology fixes that form one side of the picture, including firewalls, passwords and digital certificates. However, the policy that supports these is equally important. It is becoming vital for any successful global business not only to have an excellent security policy in place, but also to ensure that the policy is prioritized and communicated in an efficient and meaningful way.

A Vital Protection Tool

In the last six months in the US, nearly 40 percent of firms surveyed by the Computing Technology Industry Association reported a major IT security breach. How many of these could have been prevented by considering the human element in the workplace? Many stemmed from the accidental loss of a laptop, Blackberry, or mobile device; employees using unsecured networks from home to conduct company business; or employees downloading unapproved software onto the company network. An effective security policy is, in short, a vital protection tool for any kind of enterprise. The paradox is this: security policies often do not make it onto the management's radar screen until the organization has a major security incident. But the most effective policy is not one that is developed during a crisis, but rather, one that is developed, updated and communicated continuously after a systematic review of security needs. The question then becomes, how are the best security policies developed? Large companies and those with the most at stake have put significant resources into this area. FedEx delivers more than 33 lakh packages each working day and the information that goes with them, and understands the significance of solid IT security — not only in the server room, but also in the boardroom.

Pathway to a Policy

In a global corporation, a security policy is most effective when it is aligned with the company's business strategies at both the headquarters and regional level. Otherwise, issues such as varying risk tolerance levels among business units and cultural differences between the legal and business sides of the operation may arise. Security policies also need to be cost effective and be constantly communicated. Everyone in the company needs to be responsible for IT security — not just the IT department.

Legal Compliance

Look at areas where you are legally obliged to have security policies in place. Complying with the relevant laws will mean you have the right controls in place before you are audited or face any new cyber threats.

Prioritize Information

Look at the information used in critical decision-making by your organization and customers. Prioritize the information that is the most business-critical or sensitive. Obvious areas include updated financial information, customer data or company information that should be kept secure, like credit card information used for billing. Sensitive data or systems used by customers or vendors are also key.

Identify Weak Links

Identify your company's weakest links. Policies that seem simple may often have significant consequences. One example might be how often we insist that passwords be changed. Bringing in the ‘White Hat Hackers’ to your company can be useful to see what they can find out and assess where you are most vulnerable. They find weaknesses in all areas of the company, like naming conventions used for sensitive data or weak passwords that can be determined easily, to name a few examples.

Nominate Enforcers

Choose the people who will own and enforce the policy. Crucially, they should include people from outside the IT department: legal, HR, audit and, of course, various user groups. You need senior management buy-in to make it happen, and senior management needs to be educated on the importance of information security and the risks of not having a strong policy enforced. At FedEx, our Enterprise Security Council serves this function. It is led by our US headquarters, with participation by regional representatives from around the world. This group continues to evaluate and expand our security policies to ensure that information is safely guarded at all times. These people also act as the liaison with other stakeholders in the organization to pre-test the policy.

Develop a Clear Process

Finally, decide on a clear development process. One of the biggest mistakes companies make is that they try to do everything at once, without a grace period for transition, and without defining the resources they're willing to put in. Unreasonable deadlines and expectations only cause resistance. Policy review and update are a vital part of this development process — not a day goes by without new threats emerging, while old ones have yet to be dealt with. It is important to have policies circulated and understood at every level and in every division of the company, so that good security habits become routine and their importance is not questioned. People who own and understand good security policies are also the best weapon in promoting good corporate security. CIO


Linda Brigance is vice president and CIO for FedEx, Asia Pacific. Send feedback on this column to




Toward Secure Mobility

Vista can help your enterprise manage security and cost better.

Prasanna Meduri
Director Client Business, Microsoft India

During an 11-year tenure at Microsoft, Meduri has held different roles and recently he led the technology evangelism team. He heads the Windows client business group in Microsoft India and is responsible for the business and marketing strategy for the Windows product family. Prior to that, Meduri was based in Singapore where he built the vertical industries strategy for Microsoft. Here he speaks about securing access to data and cost saving.

In the future, securing mobile access to data will be a major issue. What tools does Microsoft provide to ensure security to mobile access to data?

A lot of tools are provided as part of Vista and related offerings. For example, we have a feature called Windows Bitlocker drive encryption, which allows you to encrypt the entire file system on your laptop, and the encryption key can be either stored on the TPM chip-trusted party module, which a lot of laptops have. It can also be stored on an active directory in case you have a directory server running in your organization, or on a USB drive. Today, if somebody loses a laptop, it is very easy to plug out the hard disc, boot it on another machine, run some diagnostic tools and get access to all the data. Laptop prices are coming down and the market is growing at 200 percent. More and more companies are buying laptops for users. More than the asset itself, they are worried about data getting into wrong hands.

The second part is that customers don’t want to spend too much on rolling out new offices, start branch offices, new locations and so on. Now we have technology called Intelligent Application Gateway, which ensures that without having a VPN infrastructure, you can connect and have a tunneling into the corporate network with just the normal Internet connection. And all this with the complete level of security that VPN provides. There is a lot of excitement in the IT community regarding this because all you need is a laptop and an Internet connection. We also have related technologies as a part of WS 2008 and Vista. Say, you are roaming and you suddenly come back to the office and connect to the network, a health audit is done on your machine. Only if it passes the audit, will it be allowed to access corporate information. This feature is called Network Access Protection.

What kind of platform should an organization have before it can successfully adopt Windows Vista enabled best practices?

The biggest benefit in rolling out Vista is that you will get some savings. But when you couple those savings with helping your organization move from basic to standardized or standardized to rationalized, the upside on those benefits is much higher. Let’s say a customer does not have a directory so there’s no mechanism for him or her to authenticate users connecting into the network. Or because he or she doesn’t have a directory, they have got a workgroup environment and every time an application is commissioned, he or she is actually building identity management into that application. If you take identity management as one of the pillars, CIOs would build in a set of users into each individual application, which used to be a big overhead. One of the pillars here is identity and access management. If you have an identity management solution in place, you can roll out the new application and that application should get authenticated users off the same central directory. You don’t need to create a separate set of logic and users for each of those individual applications.

How best can CIOs synergize people, process and technology in their enterprises while improving IT maturity to gain better overall ROI?

A lot of companies use imaging technology to roll out an operating system in new software. What they do is they combine the operating system and office and all other applications into a package called the image and push that image on to a new PC which is being commissioned. The challenge that used to be there earlier was each type of PC, laptop or desktop, depending on your vendor, driver and all were unique to that particular machine. It was an independent image, so whenever you created it, you had to have one image for Lenovo laptop, one for Dell desktop, another for an Acer laptop and so on. With Vista we have created imaging software that allows you to create a single image for the entire organization. In Infosys, they had three people working part time on imaging. Now they’ve brought that down to just one person. That’s saving. So when people move up the infrastructure optimization model, they see a reduction in the number of people required to do the same task. It means they free up their people to actually focus on the more long term strategic issues, not on firefighting and troubleshooting.

For a typical CIO, how critical are desktop technologies to the overall enterprise IT environment?

In companies today, people are spending more and more time on their PCs. Five years ago, you hardly got any mail, today an average user gets about hundred mails a day. People are working for eight hours on their PCs, and a problem on the PC directly impacts the productivity of the people. Desktop deployment technologies are critical. When a new person joins the company, how quickly does the person have access to my training network, my training resources and the critical applications that he needs to work on. Earlier it would have taken many days to allow him to do that. Now, day one he gets a laptop, he’s got a smartcard and he’s got access to the entire network. His productivity starts kicking in straightaway. A lot of new interesting stuff, especially in the area of application virtualization, where there is a lot of cost involved. Today the procurement cost of a PC is only 30 percent of the cost of a license, there are a lot of hidden costs associated with support, application migration, testing, productivity downtime etcetera. So new technologies that we have around application virtualizations are really helping CIOs bring down those costs while improving agility. In this environment, the applications are not sitting on the desktop, it also helps in updated version of the applications, the next time the user logs in, he gets the updated application. A robust desktop platform enables us to combine online services in a very efficient way and delivers efficiency in the employees also. So it is a combination of what resides on the server with what resides on the desktop. A robust platform enables us to combine all the abilities into one productivity leap.

How does Microsoft’s Softgrid take care of security vulnerabilities?

It allows you a very tight control over your entire application environment. I wouldn’t say just Softgrid, but coupled with certain other technology like having a directory in place. Having something like Vista at the desktop side really helps you jack up security considerably. As an example, one logs in and works on some application. Then some data of that application would be stored in registry or cache, which some other user on the same machine could use to gain access to a particular application. Softgrid logs on just one user, so every user sees only icons and applications related to his particular work environment. When he logs off, all those applications disappear, there is no data stored, the second user sees no sign of what the first user left behind.

“The new technologies that we have around application virtualization are really helping CIOs bring down the costs while improving agility.”

Fewer support calls were made for Microsoft Vista in its first 180 days in operation in comparison to Microsoft XP.

Core Infrastructure Optimization

Basic
No centralized enterprise directory
No automated patch management
Anti-malware not centrally managed
Message security for e-mail only
No secure coding practices in place
Cost to IT: Rs 52,800/PC

Standardized
Using enterprise directory for authentication
Automated patch management tools deployed
Anti-malware is managed centrally
Unified message security in place
Cost to IT: Rs 23,200/PC

Rationalized
Integrated directory services, PKI in place
Formal patch management process
Defense in depth threat protection
Security extended to remote and mobile workforce
Cost to IT: Rs 9,200/PC

Dynamic
Full identity lifecycle management. ID Federation, Rights Mgt Services in use
Metrics driven update process
Client quarantine and access policy enforcement



Security is Everything

And it's such a complex issue that it can never be 'solved'.

Teo Choo Siong
Security & Privacy Services Product Manager, Global Technology Services, Asia Pacific, IBM

Siong helps manage and execute business through a pan-AP team, driving contracts and projects in security and privacy services with leaders in India, China, Korea, Australia and all ASEAN countries. Prior to this, he has performed many pan-Asia Pacific, pan-Asean and Singapore roles within a period of 13 years at IBM. In his last role, he was product portfolio manager for ITS Asia Pacific where he managed the overall portfolio of services.

Should CIOs view security differently?

As the accessibility to computing power has increased and become more complex than before, the IT environment has also become equally complex. The IT environment is now so dynamic that CIOs can never say that security is a ‘solved’ problem. The only certainty in front of CIOs is that security threats will continue to grow and they will need to find new and better ways to ensure immunity. To do that, they will need to put a comprehensive risk management strategy in place that limits the impact of threats, improves business resilience and creates an enterprise free of fear.

How does the CIO find the sweet spot between security and productivity?

CIOs need to understand the trade-offs between security and organizational impact when implementing security policies. The key is to involve the line of business in discussions and understand the potential impact, if any, early in the game. The ROI on security spending needs to take into account any possible productivity impact. A coordinated business-IT effort will ensure that security implementations do not hamper productivity but serve to enhance it by ensuring no disruptions due to security breaches.

Security is a brand issue. Should management be paying more attention?

IT security is important to enterprises, regardless of size or type of businesses that they are in. The damages that can result due to breaches in security, loss of financial data and IP cannot be emphasized more. The extent of consequences includes not only brand damage but also law suits, financial losses, etcetera.

You say a focused approach is necessary for managing security. Can you elaborate?

When implementing security solutions, CIOs should move away from merely looking at point products that address a particular area of security. They should have a holistic view. They should consider the overall control systems to be put in place, ensure that new implementations can be integrated into the existing infrastructure to avoid siloed products. This is especially true when helping the enterprise grow in a new area of business.

Can you tell us about IBM's security model?

IBM sees IT security changing as more collaborative business models appear, more sophisticated criminal attacks occur, and increasingly complex infrastructures emerge. Today's wide array of security technologies — implemented tactically in silos — is not sufficient to deal with the new reality of risk. IBM's approach is to strategically manage risk end-to-end across all five domains of IT security, namely: information security, threat and vulnerability, application security, identity and access management and physical security. The IBM security model looks at security from four key areas of: assess, defend, access and monitor. Key to implementing this model is the use of the IBM Security Framework, which looks at these areas from the perspective of the five domains mentioned above.

“CIOs should move away from merely looking at point products that address a particular area of security.”

Why IBM?
Deep industry expertise
Proven methodologies and best practices
Thousands of customer projects
Industry-leading technologies and solutions in key focus areas
  Security governance, risk and compliance
  Identity and access
  Information security
  Application security
  Threat and vulnerability management and monitoring
  Physical security
Industry’s most extensive ecosystem and partner network

Global Information Security

By Scott Berinato

The Fifth Annual Global State of Information Security

Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first Global State of Information Security survey, very few people knew how bad the problem was. Now everyone knows. They just don’t know how to fix it.

The End of Innocence


Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn't improving. For the fifth straight year, CIO, CSO and PricewaterhouseCoopers (PWC) present select results and analysis from the "Global State of Information Security" survey, the world's largest, most comprehensive annual information security survey. And the first question is: are you feeling anxious? Are you feeling the disquiet that comes from knowing there's no reason why your company can't be the next TJX? The angst of knowing that these modern plagues will keep coming at you no matter how much time and money you spend trying to stop them? The chill that comes from knowing how much you don't know? Yeah, you're feeling it. You're feeling it because you're seeing it. According to the 2007 survey, a comprehensive canvassing of 7,200 respondents on six continents, you see the information security problem more clearly than ever before. You're seeing it because you've created tools and systems in order to see it. For example:

You've added processes. Three years ago, only 37 percent of companies reported having an overall security strategy. This year, 57 percent did. Also, nearly four out of five companies conducted enterprise risk assessments, at least periodically.

You've deployed technology. Nine out of 10 respondents said they use firewalls, monitor users and rely on intrusion detection infrastructure, and that number approached 98 percent when responses were limited to larger companies (more than Rs 4,000 in revenue). Encryption is at an all-time high, with 72 percent reporting some use of it (compared to 48 percent last year).

You've hired people. The number of CISOs and CSOs employed continues to rise. And the mean number of information security workers per company has topped 100, most likely due to more outsourcing and the use of contract employees.

You've crafted an infrastructure for understanding. You're seeing it, and that's why you're feeling it. You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them. Awareness may be at an all-time high, but awareness doesn't equal improvement. The sad fact is that the strides made to date have not crossed the threshold from seeing to fixing.



"That next level of maturity has not been reached," says Mark Lobel, a principal with PwC's advisory services. "We have the technology but still don't have our hands around what's important and what we should be monitoring and protecting. Where's that console that says, 'Hey, credit card numbers are crossing the firewall and this is a PCI issue that has a real business impact?'"

"I See," Said the Blind Man

Five years ago, 36 percent of respondents to the Global State of Information Security survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent. Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.

The Infrastructure Is in Place

Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among those companies that don't have these techniques in place, the priority for adding it is remarkably low, indicating that most people who think they need these things now have them.

                                                          Priority for 2008
People: You have a...
  CSO                                     21%     28%     13%
  CISO                                    22%     32%     17%
  CPO                                     16%     22%     14%
Processes: You have...
  An overall security strategy            37%     57%     13%
  A baseline for customers/partners       25%     42%     10%
  Centralized SIM                         34%     44%     11%
Technology: You deploy...
  Firewalls                               77%     93%     15%
  Encryption                              43%     72%     25%
  IDS/A-V/other detection*                57%     90%     28%
  Data backup                             78%     82%     14%
  User security/ID management*            73%     89%     33%
  IPS/filters*                            44%     83%     22%
  Internet security*                      31%     70%     14%

* Before 2007, these categories were not consolidated. The percentage listed is the highest percentage given for one of the subcategories now consolidated into the new category.

Likely Sources of Incidents

Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years.

Who attacked us?
                                                          Security executives only
  Employee/former employee                51%     69%     84%
  Hacker                                  54%     41%     40%

We've Seen the Enemy; It's You

This year marks the first time 'employees' beat out 'hackers' as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source. Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person. This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents — a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine. "What's happening is we're doing a better job with logging and understanding situations," says Ron Woerner, former information security manager at ConAgra Foods, now security engineering consultant at TD Ameritrade. "For a while, I think, ignorance was bliss. Now, with all the technology in place, we're learning that we all have the same problems."

Here's how building a security infrastructure can lead to more employees named as culprits in security incidents: A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey), and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistleblowers.
With all of this and more in place, a company has increased its odds of detecting security incidents. But here's an odd paradox: despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year. The rate of 'Don't know' for the type of incident and the primary method used to attack also spiked.


What You Don't Know... Could Fill Volumes

It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse. The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming." Woerner and others believe that the security discipline has so far been skewed toward technology — firewalls, ID management, intrusion detection — instead of risk analysis and proactive intelligence gathering. If most of the investment has been put into technology, most of the return will come from there too. The tools will do their job. They will tell you what's happening and block the most ham-fisted attacks. But technology is largely reactive. It provides alarms and ex post facto reports of anomalies. Intrusion detection, for example, is not terribly effective at threat intelligence — understanding the nature of vulnerabilities before they affect you. All IDS boxes know is that some preset rule has been broken. Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.

Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Anti-forensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.

I Dunno

Increasingly, those involved in information security reply 'Don't know' when asked about the number and nature of security incidents.

                                                          2007 CSO/CISO
  Number of incidents                     29%     40%     29%
  Type of attack                          26%     45%     32%
  Primary method used                     26%     33%     20%

Conventional Wisdom

Five truths have emerged from five years of the Global State of Information Security survey.

After five years of conducting the survey, we have noted some critical trends in information security. We've also uncovered non-trends: numbers that remain so constant and predictable that we can now call them conventional wisdom. Here, then, are five pieces of wisdom that never seem to change.

Spending lags. CIOs are always about 10 percent happier with security policy's alignment with the business than CIOs are with security spending's alignment. Over the years, 85 percent of CIOs have said that their security policies are completely or somewhat aligned with the business, while just 75 percent said that about spending. After all, who doesn't want more money?

Partners too. You're more confident in your own security than that of your partners, suppliers and vendors. Once again, 80 to 85 percent of CIOs were either very or somewhat confident in their security, but when asked about partners and vendors, the number dropped to between 70 percent and 75 percent.

Few are cocky. About one in 12 of you think very highly of yourselves. Since 2003, the number of respondents who claimed 100 percent of their users were in compliance with their security policies hovers around 8 percent.

Size doesn't matter. Company size does not affect spending. When the information security budget is measured as a percentage of the IT budget, it remains constant no matter how many employees a company has or what its revenues are. Size of company matters less in security spending than in industry. Technology companies spend the most; non-profits and educational enterprises spend the least.

Banks lead. Financial services companies are attacked more but suffer less. Over the years, respondents in the money business have reported more security incidents without an appreciable increase in losses or downtime as a result. They do this despite not having significantly larger security budgets than others.

— By Scott Berinato



January 1, 2008 | REAL CIO WORLD

Vol/3 | ISSUE/04

Global Information Security

Security Dollars Come from IT
Funding for information security comes from (could check more than one):

Why You Have to Change Your Strategy


What can be done about all this? Be strategic. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy. Information and security executives should, for example, be putting their rupees into industry information sharing. "Collaboration is key," says Woerner. They should invest in security research and technical staff that can capture and dissect malware, and they should troll the Internet underground for the latest trends and leads. Dozens of security companies do just this and provide subscriptions to research services. "We have to start addressing the human element of information security, not just the technological one," says Woerner. It's only then that companies will stop being punching bags. Only then will they be able to hit back.

IT Strikes Back

Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend. The IT department wants to control security again. In the first year of collaboration on this survey, CIO, CSO and PwC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security. The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project — which might slow down the project and add to its cost — he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow." And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.

In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:
1. IT (CIO, CTO)
2. Neutral (board, CEO, CFO, COO, legal)
3. Security (CSO, risk, security committee, CPO, audit)
To allow respondents to select more than one of these answers, we created 'shares' — the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.

Reporting to IT
Respondents have some reporting relationships to the following:

                       IT     Neutral   Security
                       41%    76%       44%
                       53%    79%       46%
2007 (>$1B revenue)    60%    68%       48%

A 12 percent rise in the number of security executives reporting to IT is hugely significant. And when you slice that by large companies, it's a 19 percent rise. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions. M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets." Indeed, the trend is even more pronounced when you follow the money trail.

[Chart: 0% to 50% scale; categories: Finance, Compliance/Reg., Risk, Legal, Marketing, HR]

Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (illegal entry) and digital ones (illegal network access). And for four years, convergence of physical and IT security steadily increased. Until this year.


And Furthermore...

Who Wants to Know?

Privacy Best Practices
Employ CPO

More data points to ponder from the Global State of Information Security survey.

"Uh, Boss? Can We Talk?"
Are security and IT communicating enough with the CEO? By comparing their answers, one finds some startling disconnects.

What Boss Thinks; What You Know
CEOs seem to think their enterprises are a lot more secure (and their employees more reliable) than CIOs and security leaders do. Conversely, CIOs and security leaders are a lot more optimistic about their budgets than are their CEOs.

CISO/CSO
We've had fewer than 10 security incidents
We've had an unknown number of incidents
An employee or former employee was the source of the incident
We do not conduct enterprise risk assessments
Security spending will increase in '07
Spending will stay the same












31% 41% 41%

21% 53% 32%

13% 57% 28%

Infosec Dir.

We Need to Be But Are Not in Compliance With
Again, CEOs are far more confident than their CIOs and security execs that their enterprises are compliant. Either the CEOs are clueless, or the people who should know aren't telling.

HIPAA Sarbanes-Oxley State privacy breach laws



9% 9% 10%

14% 20% 12%

CISO/CSO    Infosec Dir.

27% 32% 21%

Overall > $1B revenue

22% 30%

54% 66%

66% 58%

70% 79%

Financial services Consumer financial Retail Health insurance Healthcare provider Technology

33% 41% 14% 53% 49% 22%

64% 69% 51% 73% 72% 49%

60% 55% 66% 49% 65% 72%

80% 90% 58% 81% 64% 77%

More on Privacy
While 60 percent of survey respondents posted privacy policies internally, only 24 percent posted policies on their external websites. Only 28 percent audited their privacy standards through a third party. Sounds like a cover-your-butt ploy; after all, if you don't have a policy posted, you can't be sued for violating or not living up to it. And if you haven't had your privacy audited, you don't have to fix all the problems an audit would find.

Respondents who do not keep an accurate inventory of user data: 69%
Respondents who do not keep an accurate inventory of where data is stored: 67%

Region of Risk
One of the areas of the world where the focus on information security has intensified is Latin America, specifically Brazil and Mexico. Researchers and law enforcement believe that cultural differences in acceptance of less-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for the Internet criminal underground. Here are some select findings.

Privacy — Better, But...
Perhaps because of the sheer number of incidents involving privacy breaches, companies have improved their privacy practices. They are increasingly separating privacy from security and also separating security governance from tactical security. That means, for example, the people deploying monitoring tools aren't the ones setting the usage policy for those tools. But more work needs to be done. Some of the key steps to ensuring data privacy — encrypting databases, classifying data by risk level — haven't become standard practice. The industry least likely to have adopted privacy practices is technology. A privacy leader? Consumer banking.


Separate privacy & security    Separate security gov. & ops.    Classify data by risk

                   Infosec budget as    Do not conduct     Budget will rise more    > 1 day
                   % of IT budget       risk assessment    than 10% in '07          downtime
Overall            15%                  23%                20%                      8%
U.S. and Canada    12%                  19%                16%                      7%
South America      19%                  36%                30%                      15%
Brazil             16%                  43%                29%                      21%
Mexico             21%                  33%                28%                      13%
China              19%                  32%                26%                      13%
India              21%                  17%                33%                      9%


Who's in Charge?

Signs of IT's control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely — in some cases two or three times more likely — to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.

What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."

In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the 'gobs of dotted line' reporting structures.

That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?

One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

"What I hear from CIOs," says Johnson, "is at the end of the day they're responsible for failures anyway. They're on the line whether security is separate or not." Why wouldn't the CIO want to control something he's ultimately responsible for?

On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit." Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure. That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the technology. Why should IT be charged for another department's expenses?

Whatever the reason, the trend is disturbing to some security professionals, especially at a time when they play an ever more central role in corporate crises, and in society in general.

The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security.

But right when the best and brightest security minds are needed most, they're being valued less.

Scott Berinato is executive editor of CSO. Send feedback on this feature to

Physical and Information Security Converge, Then Diverge

Information and physical security are separate.

        Overall    Revenue $1B or more
2003    71%        na
2004    50%        na
2005    47%        na
2006    25%        36%
2007    46%        55%

Information and physical security report to the same executive leader

        Overall    Revenue $1B or more
2003    11%        na
2004    26%        22%
2005    31%        24%
2006    40%        33%
2007    34%        27%

Respondents that do not integrate physical and information security personnel: 69%
Of those, percent with no plans to integrate personnel: 80%


The Global State of Information Security 2007 survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 6 through May 4, 2007. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS, and security and IT professionals from over 100 countries and with 498 respondents from India. Thirty-six percent of the respondents were from North America, followed by Europe (28%), Asia (23%) and South America (12%). The margin of error for this study is +/- 1%.


Panel Discussion

By Kanika Goswami

Don't CIOs have enough on their plates, without worrying about organizational security? But then who is in charge of compliance?

Secure or Quit

Information security is no longer about technology. With time it has assumed an increasingly strategic role. CIOs have more than enough on their plates, and organizational security is another field they have to answer for. Given the rapidly advancing scope of IT applications, can a CIO handle anything more and stay competent? Vijay Ramachandran, editor-in-chief, IDG Media, asked a panel of three CIOs at CIO’s Year Ahead Program. He asked Anwer Bagdadi, Sr. VP and CTO, CFC India Services, Amit Kumar, Group CIO, Max New York Life and Max Healthcare, and Shirish Gariba, CIO, Elbee Express: do CIOs have enough on their hands, without having to worry about the challenges of organizational security?

Everybody acknowledged that CIOs have a lot to handle, but Bagdadi pointed out, “We must understand that it’s not an issue of one against another but it’s an issue of what your market position or competitiveness is, how regulatory your industry is. These factors are important when you take a stance on security.” CFC India Services has a separate security head who doesn’t report to the CIO; he reports only to the board and he is responsible for every aspect of security, Bagdadi said. However, he said that concept is not accepted in India. To this Ramachandran asked: do CIOs think having security responsibility that resides with a CSO works better? And is it time a CSO role emerged in India?

Gariba clarified that though his organization currently did not have a CSO role, he and some CIOs in the audience were in favor of this. They said that security is a business enabler and a risk management tool, and it should be given to experts, not left to CIOs. “It is not a technology conversation so it is best left to a security expert and he should not report to a CIO. It should be a peer position or security will be compromised,” Gariba said.

Kumar, from Max, offered a different viewpoint on the issue of having a separate CSO role. He said it depended on the maturity level of the organization. “Organizations come in two types: mature ones which understand information security, right from the CIO level, and those that do not understand it. Having a separate CSO makes sense for the first type. For the other half, they cannot handle a separate CSO role and that’s where CIOs should be responsible to ensure that compliance does not fail.”

But is the CIO actually qualified to handle security? Can it be buried in the list of a CIO’s KRA? From the audience, Ashwini Kumar, DGM-IT, Ircon International, said that CIOs do need information on security, despite a separate CSO function, since it requires experience in IT to build anything securely. Avinash Arora, director-IS, New Holland Tractors India, had a clear view on this. “CIOs should be involved in IT security and its processes. Only when an organization has matured enough can we leave it to a CSO.” He also said that a CSO function should actually report to the CIO, only because technology is so much a forte of a CIO; the final decisions on IT should always be left to them.

The discussion then turned to compliance: with the increasing presence of regulatory controls, is it wise to separate this role?

The Roadmap

Kumar helped lay down a roadmap for security implementation. He talked about the various activities to ensure security, starting with making policies on security assurance, creating awareness and, of course, security audit. “The quality of any organization is inbuilt into development and other processes as well, yet companies still have a quality control department. The CSO can decide high-level policies, put together a development department, get legal perspectives, ensure training programs, and also do audits. Then the implementation part can be performed.” The kind of tools to be used has to be decided by the CIO, as does how these tools are to be monitored, checked, controlled and justified. The CIO should also point out to the CSO the failings of the process, the hurdles and issues, and ask for solutions.

Here Arun Gupta, CCA and CTO of Shopper’s Stop, felt, “Internal audits continue to report to CFO, even after so many years. In the same way I can see the role of the CSO also being split over a period of time. I guess it’s a matter of the maturity of the organization and the ability of the CIO to detach from this role and say that he should be more of a facilitator. I guess a lot of organizations are beginning to make this change.”

Is this the way forward? CSOs being the policy face and CIOs being the implementation face of security? Bagdadi had specific views on this: “The role is clear. The security chief role is not a technologist, it’s more of a business interfacing or risk management role.” He insisted that there are multiple matrices to be taken into account, including geographies, business areas, technology, people and regulations. “Security technology can be a very specific area, and you can choose people who specialize in it. The key in all this is to focus on the kind of position that the company enjoys, and not personal opinions of the CIO,” he said.

But what if there are oversight issues? Gariba felt that security oversights get highlighted more if they are not buried under the IT label, and besides, security budgets typically do not warrant too much spending. “If it is a separate function by itself, reporting to the board, it will be noticed and that will make sense. In addition, in terms of budget approvals, security is the last on the list, it gets hardly three to four percent.” More importantly, if security is not highlighted separately, the IT team itself, he added, will shove problems under the carpet and pretend nothing’s wrong.

Kanika Goswami is special correspondent. Send feedback

Amit Kumar Group CIO, Max New York Life and Max Healthcare

Anwer Bagdadi Sr. VP & CTO, CFC India Services

Shirish Gariba CIO, Elbee Express



A Look at

Infrastructure Index

Illustration by PC Anoop

Expert View: Future Proofing IT Infrastructure. IT needs to be more aligned with business strategies in 2008.
Column: Carrier Ethernet Grows up. Ethernet, a low priority a few years ago, now corners a lot of CIO mindspace.
Feature: Five Predictions for the Year Ahead. 2007 was the year of BI vendor mega mergers. How will that affect you in 2008?



Expert View

Vikas Agarwal
Principal Consultant, PriceWaterhouseCoopers

Future Proofing IT Infrastructure
By Kanika Goswami

CIO: What role can IT play in securing the future of the organization, in terms of business?

Vikas Agarwal: IT’s value proposition is so firmly established and so well demonstrated that it can safely be said that business, today, can not survive without it. IT services, built with a clear vision of business outcomes and aligned with business requirements, act as enablers. They help in gaining the competitive advantage and contribute tremendously to growth opportunities. IT has redefined the speed to market and can be an effective tool to improve efficiency and productivity. It has redefined the way businesses are conducted by enabling offshoring, real time monitoring of business performance and also, by adding new avenues and levels of customer services.

CIO: You talked about the importance of IT infrastructure as beyond just technology. Could you elaborate?

Vikas Agarwal: It comprises of whatever it takes to deliver ‘business focused’ IT services. Typically, out of the total IT spend of an organization, infrastructure would account for 40 to 50 percent. IT Infrastructure comprises of technology and non-technology components. Technology includes the hardware, the software, third party services, networking infrastructure and the accommodation for all this. But equally critical are people, processes and documentation. People would include the roles, the skills required and organizational structure. Process includes the standards and guidelines that define the lifecycle of infrastructure.

CIO: Do you think the way forward will be with tried and tested technologies or emerging technologies?

Vikas Agarwal: While business may demand deployment of new technologies, the ‘new’ here may not mean ‘emerging’ at many instances. On one end of the spectrum are organizations, who traditionally, are early and aggressive adopters of technology, the other end is occupied by those which adopt technology only when compelled by market forces. A mixed approach, with a judicious tilt towards tested and proven technologies would be a good idea.

CIO: How important is simplification of IT in streamlining the organization for the future?

Vikas Agarwal: Complexity in deployment of technology has become an impediment both for business and for IT. From business perspective, complexity may slow down or hold up business flexibility and transformation which in turn may affect efficiency and profitability. From the technology perspective, complexities make IT management a cumbersome job and reduce efficacy. IT has grown from a back office function to a business enabler and a critical business tool. But somewhere during this transformation, many organizations have got their hands tied backwards in a mesh of multiple layers of architectures and a plethora of interfaces.

CIO: Do you think outsourcing could be one of the ways to cut costs?

Vikas Agarwal: IT Outsourcing is catching up. But to look at it merely from a cost savings angle would be akin to missing the bigger picture. And unless very well designed and appropriately implemented, outsourcing may not live up to the promise of business benefits including ‘cost savings.’ The key points to be considered are what, why, how much and from where to whom. It would be advisable to take into account all the aspects like service levels, service management and governance.

Send feedback on this interview to


Thomas Nolle 

Reality Check

Carrier Ethernet Grows up

Ethernet might not have ranked high on the priority list a couple of years back but today, it sits right on top.

Illustration by MM Shanith

There has been interest in carrier Ethernet for a decade or more and — let’s be honest — more than a little hype, too. In the early days, the focus was on how Ethernet was going to displace SONET and Synchronous Digital Hierarchy as a low-level optical technology. Then we were going to have Ethernet to the home, or maybe to every business site. Recently, with the advent of Provider Backbone Transport (PBT, also called Provider Backbone Bridging and PBB-TE), we’ve heard people say that Ethernet was going to replace MPLS. Is all this just part of a fascination with technofantasy, or is there something going on here?

There’s something going on. When I surveyed ten network operators about their priorities in 2005, carrier Ethernet didn’t rate in the top three for any of them. Today, ten out of ten rate carrier Ethernet as either No. 1 or No. 2 among their technology issues, and the reason they give is PBT. With PBT, Ethernet acquires traffic-engineering features that many believe are as good as or better than MPLS; that, of course, is why there’s so much fuss about the battle between PBT and MPLS today.

The real story here lies deeper, however. Network operators are looking hard at what should have been the real issue of next-generation networks (NGN) all along, which is how these networks can best form the foundation for all the services future enterprises and consumers will buy. Ethernet isn’t a replacement for SONET, nor is it the basis for enterprise-transparent LAN services or something; it’s a contender for the foundation of NGNs, and that’s not only big news to the industry, it’s a big change in the Ethernet mission.

If Ethernet is going to be useful as the foundation for flexible service delivery, it needs some critical capabilities, and vendors are starting to step up and offer them. One capability that’s critical is scalability and traffic engineering, which PBB and PBT provide. These let Ethernet infrastructures scale to handle not only major metropolitan areas but whole countries, and simultaneously provide for stringent service-level agreements (SLA) and controlled failover modes to handle node and trunk problems. Nortel has been the vendor champion of PBT from the first, Nokia Siemens and Huawei Technologies have joined in, and smaller players, such as Extreme Networks and Meriton Networks, also have been very visible in their support.

A related challenge is the need for a control plane. PBT achieves its benefit in part by dispensing with all the discovery and adapting that take place with standard Ethernet bridging, but you can’t route traffic or engineer capacity if you can’t find nodes and endpoints. PBT was designed to use an independent control plane, and two vendors have stepped up to provide one: Avici Systems’ Soapstone Networks business unit, which is exiting the router business to focus on control plane development; and start-up Gridpoint Systems. Both vendors offer carrier-Ethernet control-plane tools, and both have demonstrated their ability to create and control predictable, Ethernet-based service infrastructure in a number of trade shows and events.

The third challenge is the support of services, which is what this is supposed to be about. Service support for infrastructure means support for the three connection topology models that the Metro Ethernet Forum (MEF) defined years ago: E-Line for point-to-point, E-LAN for multipoint and E-Tree for multicast. Hammerhead Systems just announced full support for the MEF models for carrier Ethernet and MPLS, as well as interworking between MPLS and PBT (Hammerhead also announced a partnership with Soapstone).

Network operators BT Group and DT have expressed a level of commitment to carrier Ethernet and PBT, and it’s pretty likely that in 2008 at least four other major operators will join them. Carrier Ethernet and PBT have got the vendors named here good engagement with operators worldwide; in fact some of these vendors tell me that they’re almost consumed with requests for information and for devices to test.

Not everybody loves PBT, particularly router vendors that favor IP/MPLS. Cisco, Juniper Networks and Alcatel-Lucent are counted in the camp of PBT opponents, though they all surely are considering PBT support as operators become increasingly strident in their demands to hear about it. Ericsson’s position is less clear, but I’ve recently heard there is a movement within that company to provide support for PBT in some form. Foundry Networks is said to be looking at PBT as well, but there are no references to it on the company Web site.

The two main drivers behind PBT are stringent SLA control and cost. The adaptive behavior of IP, with its dynamic reconfiguration and routing, makes it difficult to write enterprises the same kind of SLAs they had for frame-relay services, which inhibits convergence. This is one reason an ex-BT executive has given for BT’s interest in PBT. While advances to MPLS — particularly T-MPLS — promise similar nonadaptive behavior, carrier-Ethernet switching products are reported by operators to be about 40 percent less expensive than routers, so PBT has a significant cost advantage over T-MPLS, if there are no other reasons to deploy routers.

Whether the network is a greenfield — having neither significant router nor significant Ethernet infrastructure — is the big issue for PBT. If a network is a greenfield, building a carrier-Ethernet PBT network would be significantly less expensive than building a T-MPLS network using routers. Metropolitan networks seem a pretty sure place to deploy carrier Ethernet and PBT, although IPTV in the form offered by Alcatel-Lucent deploys IP features in these networks. In wider-area applications, where some routers are almost certain to be used, the cost advantages of PBT may be smaller.

The enhancements to carrier-Ethernet control-plane and service models may make the difference between carrier Ethernet as a niche player and carrier Ethernet as a full-scale infrastructure alternative to IP/MPLS.

Thomas Nolle is the president of CIMI Corp., a technology assessment firm. Send feedback on this column to




The New Digital Big Bang Technology is unlikely to limit infrastructure capacity deployment. Arvind Mathur

Chief Achitect, Gobal Services, Mathur is responsible for architecting services, solutions and the product portfolio across Sify’s business lines. He is a key driver for Sify’s ‘Smart Expansion’ initiatives which promise a highlyscalable, application-aware core network supporting a variety of hosted applications that will deliver business value to a range of enterprise segments. Mathur has over 18 years of international experience in the telecommunications and networking arena.

How is globalization affecting infrastructure?

Globalization is resulting in the construction of ubiquitous IP networks that connect geographically dispersed branch offices to their headquarters or to wherever their central applications reside. Technical standards help stitch together interprovider IP-MPLS networks to construct seamless global coverage to make this possible. Globalization therefore ‘mandates’ network infrastructure to support triple-play applications that can be prioritized on a per customer basis. To meet the growing business requirements of globally integrated enterprises, the infrastructure layer is clearly witnessing integration with a new multi-services layer, often collectively termed as ‘managed services’. These managed services take comprehensive control of the wide area network, security, applications, hosting and often extend to the local area network of the organization. Enterprises seeking to collaborate and scale globally look at high availability data centers to host their services — for both primary as well as secondary (DR) sites, business continuity practices, hosted and/or managed applications including messaging, storage, hosted CRM and SCM; and other workforce management solutions that reside on the service provider infrastructure. Globalization is also resulting in enhancing of infrastructure for the delivery of e-learning solutions that integrate and homogenize global workforces that are required to operate in uniform and globally-defined environments. As enterprise requirements evolve from network-centric to application-centric, infrastructure is adding the smarts to monitor and manage application performance to meet the business requirements more directly — especially in a managed/hosted distributed application environment. Globalization is also powering the rise of the utility data centers for managed and unmanaged hosting of infrastructure, since in a connected world it does not much matter where the data resides. Globalization is also the key driver for network virtualization.

If there was one message you had for CIOs, what would it be?

They should take cognizance of the fact that complex global networks require both infrastructure and application expertise to succeed and that comprehensive security protocols supported by appropriate policies and controls will determine the ultimate uptime of the enterprise network.

What are the check points in the future?

There are several. Managing services to achieve economy is a must. Scale and uniformity on a global basis — be it collaboration, workforce integration, security, software-as-a-service, e-learning, storage and application performance would also be an important check point. Focus should be on comprehensive network security on-net as well as off-net. We need to adhere to global standards that will ensure network longevity and — to the extent possible — a defined path for technology upgrades.

What are key deliberations for the CXO?

The emerging global integrated enterprise fashions its strategy, management and operations towards the integration of production and value delivery worldwide. Key deliberations for the CXO will be integrating global offices, branch offices, supply chains and mobile workers. It would also include enabling global collaboration, delivery and balanced productivity. In addition, CXOs have to run and manage applications smoothly and reliably. And finally, add and show IT value to business.

How will infrastructure help deliver collaboration?

Globalization inherently and fundamentally requires integration of geographically dispersed workforces (systems, people and processes) that span multiple countries and cultures.


These global work-sites will rarely have the same infrastructure or tools or processes. There is a vast gap that needs to be bridged for seamlessly combining and integrating global workforces in terms of collaboration (voice, messaging, video, SCM, CRM, global training and the like). These unifying, collaboration technologies can be hosted and managed by service providers with global accessibility through an ubiquitous IP network.

What does the multi-service, application aware IP offer?

Broadly, it offers application SLAs. Simply defined, they are application performance objectives expected from a WAN. It also includes real time application flow monitoring across the entire network. It offers application performance reporting on application performance across the network as well as per user. Other than that, there is a pro-active help desk which would deal with quickly detecting and correcting application performance issues. It provides an SLA-based cost allocation, which is billing according to application performance achieved. In addition, it also includes network rightsizing and application performance management, which offers the right level of bandwidth to achieve application performance objectives as an ongoing partner to the enterprise. There is an application discovery, which automatically identifies all active applications. And finally, it offers bandwidth on demand.

What does the innovation-centric demand model include?

It’s a model that traces the path of innovation, starting from invention. The model would suggest that innovation occurs and user pattern shifts and new applications emerge. The rate and impact of these new behaviors can be modeled historically and projected into the future without knowing the specific details of these changes in advance.

Are networks sized correctly for apps? If not, what’s the impact on the organization cost-wise?

Let’s put it this way, WAN capacities on the national long-distance network are available to scale on a fairly massive basis, and thus not a limiting factor for running most applications. Capacities on international networks exiting India are still expensive but have adequate scale built-in and hence again should not be a show-stopper though additional cable systems and more competition should help drive economics in-line with global trends. Ubiquitous local access is a challenge for various reasons: not everyone owns copper in the ground (DSL); fiber can be laid by service providers very effectively — but may not prove to be cost-effective for small bandwidths; and wireless access because of limited spectrum, bandwidth or throughput limitations (as compared to fiber) and expensive horizon technologies (WiMax) that are difficult to deploy cost-effectively today on a broad coverage basis. Enterprise-users can, depending on the criticality of their operations and applications, opt for standard or highly-resilient architectures for their networks, which can be supported via SLAs by service providers across the access, metro, national and international networks at appropriate price-points.

This time next year, what do you expect of changed infrastructure?

The year ahead holds a lot of promise. I would emphasize on enhanced reach, resilience and capacities both on the domestic and international sectors covering semi-urban and metro networks, national long-distance networks and international networks mostly over fiber cable systems. Availability of large data centers that cater to a range of managed services besides utility hosting would also be a part of the changed infrastructure.

Growth of the Digital Universe: Impact on Network Infrastructure
By 2009, the total capacity of the optical backbone is expected to be 3 million Petabytes per month or 3000 Exabytes per month
This translates to a global optical capacity of 9259 Tbps
In 2007, the amount of information created will surpass, for the first time, the storage capacity available
Bandwidth for Data Services in India are expected to grow at CAGR of 47% from 213 Gbps (2007) to 435 Gbps (2009)

Key deliberations for the CxO
Integrate global offices, branch offices, supply chains, mobile workers
Enable global collaboration, deliver enhanced productivity
Run and manage applications smoothly and reliably
Optimize and reduce cost of operations
Add and show IT value to the business



Optimizing and securing Core Infrastructure

Windows Server 2008 paves way for simplified IT.

Pallavi Kathuria
Director-Business Group, Servers, Microsoft India

After spending about eight years in various capacities at Microsoft’s corporate office in Redmond, Kathuria moved into her present role in January 2007. During the years she spent in Redmond, she worked on various roles in the server business, including pricing and the servicing division. Here she speaks on the roadmap for WS 2008 and the advantages it will afford to the CIO.

With WS 2008's launch just around the corner, what should CIOs look out for while chalking out a seamless migration roadmap?

For an early migration to WS 2008, CIOs should consider software compatibility, application support, ISV certification, hardware age and of course, training and support.

In your opinion, why will Windows Server 2008 make CIOs sit up and notice the new server OS?

WS 2008 is the next generation server operating system that will help maximize control over IT infrastructure while providing unprecedented availability and management capabilities. It would also seek to deliver a significantly more secure, reliable and robust server environment than ever before. It is designed to provide organizations with the most productive platform for powering applications, networks, and Web services from the workgroup to the data center.

How does WS 2008 help IT heads maximize control over infrastructure?

WS 2008 gives IT heads more control over their servers and network infrastructure, allowing them to focus on critical business needs. It provides enhanced scripting capabilities and task automation tools. Role-based installation and management eases the task of managing and securing multiple server roles in an enterprise. The new server manager console provides a single source for managing a server's configuration and managing system information. IT staff can now install only the roles and features they need, and wizards automate many of the time-consuming tasks of deploying systems. Additionally, enhanced system management tools provide information about systems and alert IT staff to potential problems before they occur.

Why is interoperability being stressed so much in WS 2008?

Microsoft is committed to ensure that the Windows platform works with other key platforms and systems in the heterogeneous computing environment of our customers. WS 2008 provides significant enhancements in network, data, application and management interoperability. This will provide greater flexibility, improve information sharing, reduce computing costs, and help leverage existing investments. Therefore, interoperability is one of the key pillars of WS 2008.

How does the Forefront family of products help standardize the way enterprise security is handled?

Today’s security market landscape is complex and fragmented. Poor interoperability, separate management consoles for each product, and a general lack of unified event reporting and analysis all pose challenges to the IT Heads. The Microsoft Forefront family of business security products helps provide greater protection and control over the security of network infrastructure. They provide simplified management, reporting, analysis, and deployment and thus help standardize the way enterprise security is handled. With highly responsive protection supported by Microsoft technical guidance, Microsoft Forefront helps enterprises confidently meet ever-changing threats and increased business demands.

Microsoft has expanded virtualization rights for the data center and enterprise versions of WS 2008. What impact do you see this having on enterprise adoption of the OS?

WS 2008 delivers an enterprise-class platform for deploying business-critical applications. The data center edition includes unlimited virtualization licensing rights while enterprise edition comprises the right to run up to four additional virtual instances with one server license. These virtual instances provide a cost effective way to virtualize and deliver significant value along with the scalability and reliability features of WS 2008. It will provide flexibility to rapidly provision new servers and to test and roll out patches or other changes to business-critical applications. It also reduces infrastructure costs by consolidating underutilized servers and applications with virtualization licensing rights.

How does Hyper-Visor benefit enterprises?

Hyper-V provides customers an ideal platform for key virtualization scenarios, such as production server consolidation, business continuity management, software test and development, and development of a dynamic data center. A core component of Hyper-V is a thin layer of software between the hardware and the OS that allows multiple operating systems to run, unmodified, on a host computer at the same time. This will benefit enterprises as it provides increased reliability and security for running virtual instances. It provides simple partitioning functionality and is responsible for maintaining strong isolation between partitions. It has an inherently secure architecture with minimal attack surface, as it does not contain any third-party device drivers.

How should CIOs look at optimizing infrastructure to look at maximum TCO savings?

Infrastructure optimization helps realize the value of investments in infrastructure, makes infrastructure a strategic asset that enables agility within the organization, and ultimately helps create an infrastructure for a ‘people-ready business.’ To get maximum TCO savings, CIOs should consider optimizing Infrastructure to a state where the costs involved in managing desktops and servers are at their lowest. Processes and policies have been optimized to play a large role in supporting and expanding the business. Security is very proactive, and responding to threats and challenges is rapid and controlled. Zero touch deployment is used to minimize cost, the time to deploy, and technical challenges. The number of images is minimal, the process for managing desktops is very low and a clear inventory of hardware and software is maintained. Security is extremely proactive with strict policies and control, from the desktop to server to firewall to extranet. This kind of optimized infrastructure will lead to maximum TCO savings.

A bulk of an IT budget is spent in just treading water rather than adding new business values. How can IT department flip that equation?

Day-to-day pressures require tons of time, resources and effort, but don’t necessarily push the business ahead. It’s these pressures that consume most of the IT budgets today. IT departments can flip that equation by moving from an unmanaged environment toward a fully automated management and dynamic resource usage environment. Infrastructure management should be changed from manual and reactive to highly automated and proactive. Security should also be improved from vulnerable to dynamically proactive in a more optimized infrastructure. The more IT professionals are enabled by systems that can self-manage to adapt to changing business demands, the more empowered they will be to add new business value and contribute to the success of the business.

“Infrastructure optimization makes infrastructure a strategic asset that enables agility within the organization. It creates a ‘people-ready’ business environment.”

The percentage of today's IT infrastructure to sustain and run existing capability. This number, in a desired IT infrastructure, would come down to 55 percent.

A Strategic Infrastructure
Turn your IT infrastructure into a strategic asset with a different approach that…
Looks holistically across the infrastructure
Addresses underlying structure and complexity
Creates an integrated, uniform environment
Adopts IT solutions that support proven Best Practices
Prioritizes and sequences IT projects in a structured, systematic manner

Challenges and Trends
Today’s IT: 30% new capability, 70% sustaining and running existing capability
Desired IT: 45% new capability, 55% existing capability

Challenges
Technology Change
Regulatory Compliance
Competition
Security
Keep Business Up and Running
Customer Connection
Business results and new value
End user productivity
Cost reduction



It’s What You Don’t See That Matters

It is important for CIOs to reduce power consumption in their datacenters.

K. Bala Chandran
Managing Director, ADC KRONE

Joining ADC KRONE in 1991 and after serving in various positions in the go-to-market and business development, Chandran is currently the MD for India & SAARC markets. Over the years he has played a key role in positioning ADC through its acquisition of KRONE as a key player in the network infrastructure space covering copper, fibre and wireless within the Indian market and also expanded the company’s operations into cabling infrastructure for enterprises.

What drives change?

Cost is a big driver for change. It challenges the fundamentals of business. It makes you reinvent yourself constantly. People want to do more with less. Change can never happen overnight. Business is not assured based on past accounts. Vendors like us need to be there before customer arrives with a problem. Second is the perception of quality. It is the value that you get out of the service that drives change. It may not necessarily be an element of the product's design and engineering. It also depends on what channels you use to get to your customer. You can claim you are 24/7, but are you there when your customer needs you? Demanding environments in the market have driven change.

What do you think should be the focus of the new CIO?

We need to focus on technology, innovation and on controlling cost. Focusing on information and getting what you want is being enabled through focusing on technology. India is now the undisputable leader in IT; there are lots of customers based out of US. The dollar is getting weaker and the Indian rupee is getting stronger. It is a great feeling to know that the economy is getting strong even if the software industry is facing a challenge in margin reductions. At the end of the day, you need to address the margins; it’s about people and the infrastructure. There is a need to look at infrastructure that delivers technology. I want to emphasize on the fact that it’s not by buying cheap products that you manage TCO. It’s by managing your TCO that you manage cost. We should not focus on technology for technology’s sake.

What do you mean when you say morphing into the realm of facility management?

A lot of services have to be rendered to run the facility. You need heating, ventilation and air conditioning. You need people to be directed to parking, security passes, cameras, public address systems, and then you have lighting. Heating, ventilation and power consume a lot of energy. If you had a facility in your computer through which you can decide when you want the lights off and when you want them on, you can program it by building intelligence into the building management. Using power only when it is required, you save an enormous amount of money.

What is an intelligent building?

Intelligent building is basically computerizing all your energy, ventilation, lighting, communications systems, which is already on a technology backbone, and a lot of building automation. You put everything into a building monitoring system and run it through a twisted cable which you would use for LAN, making the building more intelligent.

Why ADC KRONE? How does ADC KRONE support?
Solutions and best-practices are engineered for uptime
Believes and invests in technology
Propagates and trains market advancements
Understands and supports future-proofing in a balanced manner
Intelligent Physical Layer management
National reselling arrangements and bonded warehouse facility
ADC KRONE was founded in 1935
Present in the Structured cabling industry globally since early ’90s
Have survived and grown in a tumultuous industry where business and sales models have undergone disruptive evolution



Not Yet, But Soon

Power will be a vital factor in a CIO's Datacenter equation.

Arvind Chandrasekhar
Business Development Manager, AMD India

Chandrasekar has held technical and management positions since joining AMD in 2001. Prior to this, he was the technical specialist for India and SAARC for AMD. Chandrasekar successfully held AMD evangelism and technical education that was needed for this developing market. Here he says that electricity, whether Indian CIOs accept it or not, is going to be a major factor soon.

Why is datacenter design becoming imperative today?

If you go back into the various stages that people lived through in IT, design has been the most elementary thing — that’s what decided the foundation of the future. The data center’s design, today, is what decides what your data center is going to look like five years from now. This design captures a lot of elements that would probably be missed out. This is because, typically, IT managers were not a part of a building’s design. They were given a floor and were told to do whatever they wanted to do with it. This cycle needs to be broken, because unless companies put their critical equipment in the right place there are chances of having unforeseen surprises.

In your experience, has an oversight in data center design ever caused a direct impact to business?

Very much. One large organization decided to outsource a certain amount of their data to a hosted data center. Obviously the design elements were out of their control. They put in their servers and immediately ran into a roadblock. The rack spacing was such that their regular cable would not go from the server to the storage. This directly impacted their go-live date.

AMD is also an active member of the Green Grid. Can you explain why the green initiative hasn’t taken off in India?

The Green Grid is essentially a consortium of companies whose objective is to evolve better, more sensitive devices from an energy perspective. You are right about the fact that, in India, it hasn’t taken off the way it should have. The reason is largely because CIOs have never paid the cost of power for a data center’s operations. All those costs were being picked up by facilities. Also, look at the way power is provided in India. Companies go to the electricity department and request a certain amount of power. If these organizations don’t use the amount of power they asked for, they are penalized. There’s no initiative to reward people for conserving power.

Key IT Challenges
Budget reductions
Staff reductions
Workloads/datasets double every 5 years
Power/Cooling facing 15 percent annual increase
1996: 7 servers/rack VS 2006: 22 servers/rack
Energy costs could soon exceed hardware costs

What AMD Can Do
Cost reduction
Reduction of power consumption/heat generation
Performance increase
Memory capacity expansion
Dual Core and Quad Core
Virtualization
Code migration to 64-bit
Dynamic Power Scaling
Acceleration for Virtualization

“CIOs have never paid the cost of power for a data center’s operations. All costs were being picked up by facilities.”

And there isn’t a ceiling on how much they can use. These controls exist in the US and Europe and even in China. What this means is that no one plans backwards and looks for more energy sensitive devices.

What are the cost benefits of going green?

Better servers mean less power use and less heat. It means less air conditioning. Then there are more indirect benefits like a lower load on the UPS and the consequent costs savings on back-up generator cost. Look at some baseline calculations. Over a five year period, these intangible costs can add up to five times the cost of your capital.



Managing Change

CIOs need to outsource infrastructure.

Rohit Khanna
Country Leader, Infrastructure Solutions, Global Technology Services, IBM

Rohit Khanna brings over 19 years of deep industry experience in various roles within the IT and consulting industry in India and the US. Rohit's experience spans a wide range of sectors such as healthcare, education and the public sector. His areas of forte include business strategy, business process transformation and technology implementations. Here he says that CIOs should partner with vendors if they want to effectively drive change and make their jobs more strategic.

How can a CIO best drive change?

The best way is to partner with your vendor, and together share the experiences that vendors have from a global perspective. This is the only way that you can get management to appreciate what you are doing. It is very important for CIOs to get out of a transactional mode. In many cases, CIOs are still perceived as IT managers, while in reality they should be thought leaders. Their jobs are not to prepare bills of material. Their focus should be on reducing costs and improving profitability through the strategic usage of IT. This is necessary in the future, because the industry has to integrate with a global system and move towards becoming a truly global enterprise.

You say that CIOs should shape the destiny of their organizations. Does this not put the CIO on a collision course with the CEO?

I think it is very important for the executive team to understand that they are all partners. Innovation is not confined to any one individual — innovation can happen at any level. The CIO brings his own perspective, and I think that it is very important to bring that perspective, because, without IT, you can't build a robust and global business.

Why do you feel that infrastructure management is not a core competency? Do you think it should be outsourced?

Infrastructure management should not be the core competency of most organizations. Organizations are in the business of running their businesses and are not in the business of running an IT organization. Rather than spending money on non-core areas, they should spend it on improving their business.

But why should CIOs outsource specifically to IBM?

One of the biggest pluses is that we are one of the few global organizations that has the resources to offer end-to-end solutions. This saves customers from dealing with multiple vendors. Many CEOs still don't understand the power of IT as it is applicable to the next level of business. IBM gives you the power to leverage an organization’s infrastructure globally on demand, and I think that this is the critical reason why an organization should come to IBM.

Do you think that companies are hesitant to outsource security?

With security, there is a certain process and a governance model that is available and can be demonstrated. So, I don't see security outsourcing as an issue at all. But it is difficult to give figures pertaining to how many companies outsource their security to us.

At Your Service

Risk Mitigation
Consulting
Data center building
Business continuity
High availability
Security

Services Management
IT resources optimization
FM / EUS / Data services

Systems and network Management
Strategic outsourcing

Enabling growth
Fully integrate technology & business functions to operate together
Innovative business model
Leveraging IBM research
Robust, scalable and flexible infrastructure

Business Intelligence

2007 was the year of BI vendor mega mergers. What will 2008 mean to business intelligence? Here are five predictions for the year ahead, and one wild card to watch.

Predictions for the Year Ahead

By Diann Daniel

As the amount of data businesses create increases daily, so does the need to use that information faster, for better decisions. No longer does business intelligence belong to rarefied analysts closed off in a room. Best-in-class organizations use today's data to make today's decisions and give their frontline employees the tools to do that.

Reader ROI:
Why teamwork is important
Why BI will be a greater force than open source in the future

1. IT-Business Teamwork will be Crucial

The business intelligence landscape is changing rapidly — more and different types of data, new tools, frenetic M&A activity — and in this rapidly evolving world, communication between IT and the business side is key, says Colin White of BI Research. Defining the core values that you want to use to measure business performance, your key performance indicators (KPI), will remain paramount. These values are not about the technology, they are about what's core to your business. IT's understanding of business needs and communication around technology will become even more important as some types of BI tools become easier for non-IT folks to implement, and as the types of data used in BI change.

Last word: In order for BI to help you gain competitive advantage, IT needs to deeply understand the business case for BI: what performance indicators it should measure and how, how employees actually work, how BI tools will fit into those patterns and so on.

REAL CIO WORLD | January 1, 2008 | Vol/3 | ISSUE/04

2. Operational Business Intelligence will Lead the Way

For many companies, business intelligence has been successful in its traditional strategic and tactical use, says BI Research's Colin White. Studying historic data can yield valuable insights on what approaches are working and which need to be changed. But looking at what happened two months ago does nothing to help you save a customer you've already lost, nor does it help you recognize a customer's receptivity to buying more products at checkout time. So the drive to extend actionable business intelligence to a broader audience (frontline employees and even customers and partners) will continue in 2008, putting the spotlight on operational business tools. Operational BI can automate operational data collection and integration; it can also report and alert creation and certain decisions or actions. For example, operational BI tools can recognize customer inactivity and automatically generate an alert to be sent to an account manager.

Last word: Operational BI is the trend for 2008 for the simple and crucial reason that it brings relevant information to employees as it is needed, allowing them to respond to problems or opportunities.

3. Open Source and SaaS Tools will Become More Attractive

Last year's wave of BI vendor consolidations has left room for smaller vendors to innovate. Customers looking for less expensive, easier to manage BI solutions may turn to open-source BI and software-as-a-service tools. "Companies are focused on BI's total cost of ownership, and they want to know how they can acquire BI capabilities without the high prices," says Aberdeen Group's David Hatch. He and other analysts think that more companies will turn to open-source BI, and in turn, vendors will be likely to respond by increasing the number of offerings. (Currently JasperSoft and Pentaho are the main open-source BI vendors.) In addition, BI offered via SaaS can help IT respond quickly to business needs and requires less IT manpower than in-house BI, though costs may add up over time.

Last word: Look for pockets of business needs that may be served by newer, more targeted BI tools. Keep in mind that while many experts think open-source BI will become a greater force, some consider it not adequately tested as a complete business solution. With software-as-a-service tools, carefully evaluate and monitor the costs that may accumulate long-term.

4. Structured and Unstructured Data will be Needed for BI

Face it: Your company doesn't have to deal with just more data, but more data in many more places. Consider these types of information: Comment fields, customer comments left on voice mail, competitors' prices listed on the Internet, blogs that mention your product, wikis that contain instructions, and customer complaint e-mails are all potentially valuable sources. This data can help your company price, operate, stock, sell and serve customers more effectively. A car company that conducts automated searches to scan blogs for discussion of problems can use the information to spot patterns that may point to manufacturing flaws. White says the idea of folding such information into BI may pose a problem for those whose idea of business intelligence is the 'gold standard' of data, similar to those people who see Wikipedia as inferior to traditional encyclopedias. White recommends viewing these new sources as a valuable way to better inform business decisions. Companies will still need to make choices about how they use different kinds of information, of course.

Last word: Companies that can find and capitalize on information such as comments by customers and competitors will find themselves ahead of the pack.

5. BI Competency Centers will Increase in Importance

As the amount and variety of data grows, business will need a BI competency center — a group of IT and business leaders whose buy-in and evangelizing will make or break the success of a BI implementation. This group creates the BI vision, manages the spending and tools, sets standards for using those tools and helps define business intelligence success. This group should also keep in mind the four pillars of a successful BI implementation, according to consultancy Gartner: user training, data stewardship, a focus on metadata and a focus on possible next steps to be taken.

Last word: Successful BI requires structure and process support. New tools and new types of information will not change those requirements.

The Wild Card: Effects of BI Vendor Consolidation
For the BI marketplace, 2007 was all about mergers and acquisitions. What will that mean for 2008? The largest pure-play vendors have already been snatched up by the giants. Experts are divided on just how much M&A activity will continue and what the consolidation will mean for customers. Many analysts say that M&A activity in the business intelligence space will be mostly about megavendors rounding out their purchases to create more complete product lines. Still, it won't be easy for megavendors to integrate all the various solutions they've acquired. And you won't be stuck with only megavendors to choose from: Smaller players will continue to innovate, analysts say. Last word: The results from the IBM-Cognos, SAP-Business Objects, Oracle-Hyperion and other deals have yet to fully play out. While vendor alliances matter, keep your eyes on the prize: your core business goals and whose solutions will best help you reach them. CIO

Send feedback on this feature to


essential technology
From Inception to Implementation — I.T. That Matters

IPv6 Checkup Time
Despite the hype, enterprises seem to be in no hurry to adopt the next-generation Internet protocol. Here’s why.
By Bob Violino

Networking | One fact has become clear about IPv6, the next-generation Internet protocol developed to gradually replace the current IPv4: Adoption by US enterprises is not happening on Internet time. Even those who see potential in the technology, like Dan Demeter, CIO of talent management company Korn/Ferry International, are taking it slow. He plans to introduce IPv6 by 2010 as part of a worldwide network upgrade for his company. “We believe that [by] adopting IPv6 and restructuring our network routers and servers, we can deliver faster and more reliable and secure client solutions,” Demeter says. Also, Korn/Ferry employees use BlackBerry mobile devices to access key company executive search data, and Demeter wants to explore the potential of IPv6 for providing additional mobile services. Among its top benefits, IPv6 promises a significant increase in the number of addresses available for networked devices such as mobile phones, and simpler administration of networks. But Demeter says Korn/Ferry is in the exploration stage, with no firm time frame for a pilot test. “Our approach is to focus on the areas where we can derive the most benefits and move ahead in gradual fashion as our experience grows and as we ensure that all the infrastructure components are compatible with IPv6.”

He’s not alone. Federal government agencies are mandated by the Office of Management and Budget to move their network backbones to IPv6 by June 2008 — and so are the contractors that do business with agencies. But outside that space, few organizations seem to be deploying the standard. Research firm Gartner estimates enterprise adoption at less than 1 percent. Should IPv6 be on your drawing board yet? Consider the key issues and the experiences of early adopters carefully.

Several factors are fueling the sluggish adoption rate. A study by Cisco in 2006 cited the lack of dedicated funding and IT staff for IPv6 implementations. Another hurdle: “The fact that IPv6 implementation is viewed more as a technology issue than a business benefits driver probably also is an obstacle to its immediate widespread adoption in the US,” says Michael A. Gold, a senior partner in the litigation group of Los Angeles law firm Jeffer, Mangels, Butler & Marmaro and co-chair of the firm’s Discovery Technology Group. “This is very shortsighted in terms of global competition,” Gold says. “In the not-too-distant future, many home appliances — even dog collars — will be Internet connected. Many automobiles are connected today. Each of these devices will require using an Internet address in order to communicate across the network.” Quite simply, the system will run out of addresses some years from now without IPv6. Other countries, notably China, have pushed the implementation of IPv6 more aggressively than the United States.

Soon, many home appliances — even dog collars — will be Internet connected. Each of these devices will require using an Internet address in order to communicate across the network.

Among the other possible benefits of IPv6, the technology enables a more simplified network architecture that removes network address translation devices. This clears the way for powerful peer-to-peer capabilities, says Erica Johnson, senior manager of software and applications and IPv6 consortium manager at the University of New Hampshire’s InterOperability Laboratory. The lab oversees the Moonv6 project, a global effort to test IPv6 equipment from different vendors. IPv6 also includes a greater amount of usable address space for additional nodes on the network, allowing better utilization of multi-user technologies such as VoIP, interactive video and collaborative applications, she notes. But Johnson concedes that even with the potential gains from IPv6, building a business case for adoption will be a challenge for many. “A lot of that has to do with testing and education,” she says. “It’s not going to be a light switch; we don’t have a Y2K effect with deploying IPv6.”

Some analysts are more blunt. “Commercial enterprises have little reason to adopt IPv6,” says David Willis, research VP at Gartner. “Migration costs are very high for established IP networks, and attempts to transition even moderate-size networks have revealed many unexpected problems and hidden costs.” Willis says most of the benefits of IPv6 “can be delivered with current IP [IPv4] workarounds such as network address translation and IPsec [the Internet security protocol].” Willis adds that he expects IPv6 to creep into the enterprise as we see stronger Vista rollouts in 2008. Enterprises will use various approaches to support both IPv4 and IPv6 for several years, he says.

Early Adopter Lessons
CIOs starting to explore the IPv6 issue can learn from the approach of early adopters like engineering and construction giant Bechtel. By 2003, the US Department of Defense, a big Bechtel customer, had called for department-wide deployment of IPv6 by 2008. Bechtel began seeing RFPs from the US Army and other customers explicitly calling for IPv6 products and services. So in 2004, Bechtel launched a phased, enterprisewide deployment of IPv6 “designed to develop broad awareness and competence in the new protocol, with the initial deployment focused on our government business unit,” says Fred Wettling, Bechtel fellow and technology strategy manager. The company sees an opportunity to create an IT infrastructure that will be a platform for future innovation, he says. “This is a technology that can transform the way we do business.” Wettling says Bechtel sees IPv6 as an enabling technology, as the Web was in the 1990s. For example, the company is exploring how IPv6 will help with wireless sensor networks to help track logistics, and with mobile ad hoc networks that can be set up quickly at the start of a project. Bechtel’s IT group tried to minimize the problems and costs associated with a broad technology change by using a planned, gradual approach spanning several years. This included sending three dozen people to an ‘IPv6 boot camp’ run by Native6 (now part of Command Information, a provider of IPv6 training and services) and creating an IPv6 lab to perform distributed configurations and testing without putting Bechtel’s production network at risk.


“We set up small IPv6 labs at four locations, each with a few servers, routers, switches, and put them in isolated networks within each office and interconnected them across the Internet,” Wettling says. By the end of 2006, Bechtel had enabled IPv6 on the production networks and hundreds of computers at four of its primary sites, and created a scalable model for future deployments. The company instructed all its application developers on how to configure machines for IPv6. Today, Bechtel has more than 9,000 computers (desktops, portables and servers) in 70 cities worldwide running IPv6. The majority of its offices support IPv6, and the company is turning on other offices one at a time.

Hardware Hiccups
What challenges did Bechtel encounter on its road to IPv6? While most of the applications weren’t affected by the change in IP version, several presented problems. First, some databases weren’t set up with big enough fields to accommodate IPv6 addresses and had to be expanded. Also, not all commercial or internally developed applications have the needed IPv6 attributes in them. Some of Bechtel’s monitoring and configuration software had to be tweaked to display IPv6 data. “Not all products out there [such as Windows XP] have the IPv6 features we want,” Wettling adds. “XP doesn’t fully support IPv6 as well as [Microsoft’s] Vista does.” Bechtel will start deploying Vista later this year, he says.

For these reasons and others, aeronautics manufacturer Lockheed Martin figures its move to IPv6 will be a huge undertaking. “The transition to IPv6 will require a greater effort than the Y2K bug,” says Frank Cuccias, director of Lockheed’s IPv6 Center of Excellence. “Remember that Y2K only affected a subset of systems; IPv6 will affect almost all current systems.” Lockheed Martin, given its many government customers, began looking at IPv6 seven years ago in its labs. The company is in the midst of a pilot program to convert part of its Global Vision Network to IPv6. So far the program is progressing well, Cuccias says. “We realize that if our customers are moving to IPv6, we need to be out in front of the technology,” Cuccias says. The company launched the pilot to illustrate to its customers that it’s not as simple as buying new IPv6 hardware and turning it on, he says.

A potential IPv6 challenge is developing network engineering expertise, says Korn/Ferry’s Demeter. “While IPv6 presents several advantages over IPv4, it requires the engineering and systems operations talent to design, build, and maintain the network to maximize its potential and to justify the investment,” Demeter says. Gartner’s Willis sees no urgency to adopt IPv6. “There is no real driver besides the IP address shortage,” he says. “What this means is that we’ll be living in a mixed IPv4/IPv6 environment until well past 2013. Coexistence of both protocols is easy, although it will drive support costs up while we are in this mixed environment.” CIO

Bob Violino is a New York-based freelance writer. E-mail feedback to

Is It Really Necessary to Upgrade to IPv6?
In economics, someone who hoards resources to drive up their price is rather whimsically referred to as a troll. Recently, one of my colleagues suggested that perhaps the US government's interest in IPv6 is part of a plot to drive up the market price of IPv4 addresses. The U.S. government is the single largest owner of IPv4 address space — and also the biggest proponent of moving to IPv6. My colleague's semi-facetious theory is that by artificially tightening the market, the government can increase the value of the resources it owns. "Why wouldn't IPv4 space be sold off like unused spectrum or surplus computers?" he asked. He's got a point, even if calling the feds ‘address trolls’ seems a bit much. Lately, a lot of enterprises have been seeking help in smoothing their transitions to IPv6. Yet when they are asked why they want to move to v6, the answer boils down to, 'We don't want to. We have to.' There's a growing sense that we're running out of v4 address spaces, and migration to v6 is a painful necessity. But that raises more questions than it answers, starting with the reality of address exhaustion. The reality is that thanks to RFC 1918, which permits enterprises to operate their own private class A addresses, no enterprise will run out of private address spaces (so long as it's willing to implement network address translation, or NAT). A number of enterprises have implemented NAT as a security measure and for them, this is pretty much a non-issue. That raises the question of exactly how necessary migration to v6 truly is. If you're a carrier in one of the countries that got shortchanged during the initial address allocations, you don't have a choice. The only problem IPv6 indisputably fixes is address exhaustion — which is a problem for carriers, not enterprises.
All the other so-called benefits of v6 come at a cost — v6 consumes considerably more bandwidth than v4 (because of its larger address space), which is an issue over low-speed links, such as wireless. What happens in a free market when a manufacturer tries to promote an inferior product? Easy: the market value of the older version skyrockets. Remember New Coke? If eBay had been around back then, Coke Classic would have been selling at Rs 240 a bottle. Which brings me back to my colleague's contention: there's no better way to drive up the market value of a resource than to create artificial scarcity. Calling the Feds ‘address trolls’ doesn’t sound so far-fetched after all.
—Johna Till Johnson
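The database problem reported under Hardware Hiccups (fields sized for IPv4 that cannot hold an IPv6 address) can be checked before a migration. The sketch below is an added example, not from the article or from Bechtel; the table names, column names and widths are constructed for illustration.

```python
import ipaddress

# Worst-case lengths an address column has to hold.
IPV4_TEXT_MAX = len("255.255.255.255")                           # 15 chars
IPV6_TEXT_MAX = len("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")   # 39 chars
# IPv6 text may end in a dotted IPv4 tail (IPv4-mapped form): 45 chars.
IPV6_MIXED_TEXT_MAX = len("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")
IPV6_BINARY_LEN = 16  # bytes; an IPv4 address needs only 4

# Constructed inventory: (table.column, declared width, storage kind).
SCHEMA = [
    ("assets.ip_addr", 15, "text"),      # sized for dotted-quad IPv4 only
    ("audit_log.src_ip", 39, "text"),    # holds pure IPv6, not the mixed form
    ("sessions.client_ip", 45, "text"),
    ("flows.src", 4, "binary"),
    ("flows_v2.src", 16, "binary"),
]


def required_width(kind):
    """Width a column of this storage kind needs to hold any IP address."""
    return IPV6_BINARY_LEN if kind == "binary" else IPV6_MIXED_TEXT_MAX


def audit_schema(schema):
    """Return (column, declared width, needed width) for undersized columns."""
    return [(col, width, required_width(kind))
            for col, width, kind in schema
            if width < required_width(kind)]


def stored_value(addr, width, kind):
    """Canonical value to store; refuses to write rather than truncate."""
    ip = ipaddress.ip_address(addr)  # ValueError on malformed input
    value = ip.packed if kind == "binary" else ip.compressed
    if len(value) > width:
        raise ValueError(f"{ip} needs {len(value)}, column holds {width}")
    return value


def truncation_effect(addr, width):
    """What a silently truncating text column would leave in the row."""
    original = ipaddress.ip_address(addr)
    kept = original.compressed[:width]
    try:
        parsed = ipaddress.ip_address(kept)
    except ValueError:
        return "invalid"            # row no longer parses as an address
    # Worst case for logs: still a valid address, but a different host.
    return "intact" if parsed == original else "different-address"


if __name__ == "__main__":
    for col, have, need in audit_schema(SCHEMA):
        print(f"{col}: width {have}, needs {need}")
    for sample in ("2001:db8::1", "2001:db8::12:3456",
                   "2001:db8:85a3:8d3:1319:8a2e:370:7348"):
        print(sample, "->", truncation_effect(sample, IPV4_TEXT_MAX))
```

The "different-address" case matters most for audit and monitoring data: a truncated value that still parses points at the wrong host without raising any error.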


Fix It Already!
If IT isn't aligned with the business by now, CIOs should quit or be fired.
By Thomas Wailgum

I.T. Management | I've been listening to CIOs, reading about CIOs and hearing their problems for almost 12 years now. And I am sick and tired of having to listen to CIOs' alignment struggles: the seemingly insurmountable challenge of aligning their IT department's mission and priorities with their business’s mission and priorities. This so-called predicament has been on our radar for decades. We've written ad nauseam about alignment challenges. In addition, my inbox receives a steady stream of survey results that detail the cumulative admonitions from CIOs regarding their alignment failings. According to a CA report, IT executives around the world are seeking to do a better job of aligning IT investments with business goals, but only about half believe they are doing so. The report polled 300 CIOs and IT executives at companies with more than Rs 1,000 crore in annual revenues.

It gets worse: 74 percent of respondents believe that better prioritization of IT spending based on business needs is a critical IT management goal. Now, there are many ways you can interpret that data point, but to me it says: almost three-quarters of CIOs have yet to align basic IT spending with business priorities. It's a goal. In fact, the survey found that only 38 percent of CIOs feel that they are effective or very effective in enabling IT to prioritize based on business needs. About half the respondents report their efforts are only somewhat effective, and for 13 percent of companies, the situation is much worse. Mind you, this survey was completed in 2007, not 1987.

From my perspective, alignment woes have become an all-too-convenient excuse for underperforming IT chiefs. The word is a crutch that CIOs use to cover up their fear of actually talking to, engaging with and fleshing out core business needs. It allows CIOs to hide from actually solving those strategic business problems. And rather than making IT transparent — the opposite of the unwieldy and unmanageable cost center that it is notoriously known as — CIOs seem to want to stay separate. Aloof. By this point in IT's evolution it seems incredulous to me that CIOs wouldn't have realized the criticality of solving any potential business-IT disconnect, and then actually doing it.

CIOs claim to know all about the alignment imperative. Results from our 2008 State of the CIO survey, which polled more than 550 IT leaders, show that 100 percent of respondents say that aligning IT and business was their number-one priority. How can CIOs in good faith show their face every morning at their jobs and collect that pay check when they haven't fulfilled the most fundamental responsibility of their job description?

Please don't whine to me about how the business side doesn't understand IT. Just look at the insane rise of consumer technologies and applications, and the momentous effect it's already had on enterprise IT. Businesses love technology these days. The problem is CIOs are either too obtuse in their dealings with their business peers or spend too much time in the air-conditioned server rooms. All business executives worth their salt want to get as much as they can out of their IT investment. They know how critical IT is to the business.

I believe that one of the chief causes of alignment difficulties is self-inflicted on CIOs' part. In many conversations and interviews I've had with CIOs and other IT personnel, they always refer to the rest of the company as the ‘business’ and themselves as ‘IT’. For that mindset to change, a revolution has to start at the top, with you, the CIO. Are you ready to do something about it? CIO

Send feedback on this column to thomas_wailgum@


Personal Technology

Joining the Dots in 2008
By Nancy Weil

We've listened to analysts, vendors, consultants and our geek friends talk about IT in 2008, accepting some forecasts and rejecting others. Here are our predictions for 2008. Believe us at your own peril.

A Linux Year
As Vista continues to limp toward wider adoption, Linux will make major inroads into the enterprise, as well as in consumer IT. At the same time, the leaner OS will become a more attractive option for home users and in government electronics, spurred by the Open Handset Alliance and the advent of Google's Android mobile platform. Jim Zemlin, the president of the Linux Foundation, sees 2008 as a "really interesting, breakthrough year for Linux," and we think he's right about that. Expect assorted open-source applications to follow along.

Who's Hacking Whom?
A major international incident will erupt when Chinese hackers compromise the defense or security system (or both) of another government. Classified documents will be breached. Accusations will be traded. Relationships will be tense and ugly for a time.

Network Evolution
Mobile networks will not only open up to outside handsets, devices and applications, but will increasingly offer Wi-Fi and a plethora of location-based services. Media content, search and social networks, shopping and a variety of services will all be standard parts of the mobile network experience. Result? Networks "have to evolve in very radical ways," says Jake Seid, Lightspeed Venture Partners general partner, mobile.

Virtualization Comes To The Desktop
Many prognosticators are gazing into their crystal balls and seeing virtualization on desktops. While some analysts predict that will be a sort of Thin Client 2.0, Barry Eggers, Lightspeed general partner, infrastructure, envisions something different. "Thin clients were about reducing up-front capital costs. Desktop virtualization is about intelligently provisioning enterprise applications to desktop users," he says. He envisions a more successful model will find IT shops using desktop virtualization in conjunction with virtualized servers. Early adopters are finding that users weren't so keen on that model because the "user experience [is] much less satisfying than with a full desktop," he says, but that will start to change in the new year. How? And where will it lead? We'll leave that to the 2009 predictions.

Growing Pains Of Social Networking
Social networking will invade corporations by year's end. Services akin to the Sales[...] offering will become standard in that market segment. Increasingly, social-networking applications will seep into all manner of companies. "It will be driven more by individual adoptions," predicts Konstantin Guericke, co-founder of LinkedIn and CEO of Jaxtr. "We're social beings -- we like to see what our peers are doing."

Blurred Lines
Distinctions between consumer and corporate IT will continue to blur as a growing number of iPhone-buying employees will bring the devices into the enterprise and [...] IT departments to deal with it. Security and protection from hackers, spam, phishers and the rest of cyber miscreants will continue to be a huge headache for network administrators as home IT merges with corporate IT.


January 1 2008  

Technology, Business, Leadership
