
From The Editor-in-Chief

Lessons Unlearned
From laptops to literacy?

Recently, the Indian government caused eyebrows to be raised globally when it showed off the prototype of a Rs 1,600 computer. This, we were informed, would be used to spearhead a new campaign for literacy and inclusive growth by delivering lessons over conferencing and the Internet. Wow. What an idea sirjee! It’s radical, dramatic and leverages what’s seen as India’s strength—its IT muscle. It’s also one of the stupidest, silliest and most daft proposals to waft our way from Delhi.

Many moons ago, a host of schools in the US started to equip their students with leased laptops in a government-funded project. The program was designed to increase interactivity in teaching and help kids pick up soft skills. While it improved attendance rates, schools found that it had little or no impact on grades (reading comprehension and math are still best done with paper, they learned). Worse still, schools viewed it as a critical distraction. The cost of training teachers, creating new lesson plans, putting infrastructure into place, maintaining the machines and policing the network only added to the problem. Some institutions found themselves spending more time and effort repairing laptops than on training teachers to adapt to teaching with them.

Can it be any different in India? The problems endemic to the system are many. In our country, 23,000 schools don’t have a single teacher, with 3 percent of schools still looking for a single student. Can computers solve the problems of literacy in a country where almost 30 million kids drop out of primary school annually because of an inability to pay for books or their lessons? When textbooks, chalk, water, power, connectivity, and teachers are in short supply, high-tech investments should hardly be a priority.

“Blindly throwing technology at a problem and hoping for a solution is more than a bit thick.”

This is just an example of how technology is more often than not promoted, with all the best intentions, as a way to fix systemic issues, without a thought to how the technology will integrate with existing frameworks. Governments and corporates trip doing this all the time—just check out how many big bang tech rollouts actually succeed. IT is a great lever to boost productivity. It’s also a great leveler, helping countries such as ours to compete with knowledge economies. But just blindly throwing IT at a problem and hoping for resolution is a bit thick.

Vijay Ramachandran, Editor-in-Chief

August 15, 2010 | REAL CIO WORLD | Vol/5 | Issue/10

Contents | August 15, 2010 | Vol/5 | Issue/10

Cover Story
Security | 22
Case study: Like you weren’t juggling enough roles, here’s another one: the CIO as a crusader for security. Drafting employees into the security fight may be the only way you’re going to take on the many risks your company faces today. Fortunately, there are already some CIOs who have blazed a trail for you. Feature by Anup Varier and Kanika Goswami. Cover: design by MM Shanith.

Indian Information Security Survey 2010 | 43
Over 1,600 Indian CIOs are banking on the recovery to take security to the next level. Compiled by Kailas Shastry R., Shardha Subramanian, Supriyaa Uthaiah.

Strung Together | 64
How HDFC Ergo gathered 20,000 leads in various repositories, allowing it a 30 percent lead conversion rate. Feature by Varsha Chidambaram.

Crowd Power | 68
Knowledge management: Collective-intelligence tools can shepherd the best and brightest ideas and turn them into huge bonanzas. Feature by Linda Rosencrance.

Business Continuity | 83
Deep dive: As threats and disasters get more unpredictable, many CIOs are beginning to re-look their business continuity and disaster recovery plans.

Departments
Trendlines | 9
Innovation | RFID Makes Insurers Mooooolah
Quick Take | Jethin Chandran on Telecommuting
Voices | How Do You Conduct Appraisals?
IT Strategy | Setting Perfect Connection
Opinion Poll | Collaborate to Innovate
CIO Role | No More Mr. Nice IT Guy
Enterprise Apps | Six CRM Must-Haves
IT Delivery | 3 Signs of SaaS Immaturity
Alternative Energy | Flying on Solar License
Alternative Views | Will Mobile BI Take Off in India?

Thrive | 108
CIO Career | “No! Don’t Tell Me!” Column by Dave Willmer

Mentor | 114
CIO Role | The Other Side of the Table. Column by K. Murali Krishna, Infosys

From the Editor-in-Chief | 2
Lessons Unlearned. By Vijay Ramachandran

Executive Expectations
View From The Top | 52
Rana Kapoor, founder and MD of YES Bank, shares why the bank takes IT so seriously and how it’s going to help change the course of the business. Interview by Sneha Jha.

Think Tank
Why You’re Really Resistant to the Cloud | 19
You say you’ve weighed the pros and cons of a public cloud option and shot it down. But did you make a rational decision? Column by Bernard Golden.

Now Online
“IT has always helped us negate the disadvantage of our smaller branch network and promoted us as key innovators in the sector,” says Rana Kapoor, founder and MD of YES Bank. For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to

Governing Board
Alok Kumar, Global Head - Internal IT, TCS
Anil Khopkar, GM (MIS) & CIO, Bajaj Auto
Anjan Choudhury, CTO, BSE
Ashish Chauhan, Deputy CEO, BSE
Atul Jayawant, President Corporate IT & Group CIO, Aditya Birla Group
Donald Patra, CIO, HSBC India
Dr. Jai Menon, Director Technology & Customer Service, Bharti Airtel & Group CIO, Bharti Enterprises
Gopal Shukla, VP - Business Systems, Hindustan Coca Cola
Manish Choksi, Chief Corporate Strategy & CIO, Asian Paints
Manish Gupta, Director-IT, Pepsi Foods
Murali Krishna K., Head - CCD, Infosys Technologies
Navin Chadha, CIO, Vodafone
Pravir Vohra, Group CTO, ICICI Bank
Rajesh Uppal, Chief General Manager IT & Distribution, Maruti Udyog
Sanjay Jain, CIO, WNS Global Services
Shreekant Mokashi, Chief-IT, Tata Steel
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
T.K. Subramanian, Div. VP-IS, UB Group
V. K Magapu, Director, Larsen & Toubro
V.V.R Babu, Group CIO, ITC

Publisher: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Executive Editor: Gunjan Trivedi
Associate Editor (Online): Kanika Goswami
Features Editor: Sunil Shah
Assistant Editor: Kailas Shastry
Senior Copy Editor: Shardha Subramanian
Senior Correspondent: Sneha Jha
Correspondents: Anup Varier, Varsha Chidambaram
Trainee Journalists: Debarati Roy, Supriyaa Uthaiah
Product Manager Online: Sreekant Sastry

Custom Publishing
Associate Editor: Arakali A Harichandan
Senior Correspondent: Gopal Kishore
Correspondent: Deepti Balani

Design & Production
Lead Designers: Jinan K V, Jithesh C.C, Vikas Kapoor
Senior Designer: Sani Mani
Designers: Amrita C Roy, M.M Shanith
Trainee Designer: Visaka Vardhan
Photography: Srivatsa Shandilya
Production Manager: T K Karunakaran

Events & Audience Development
VP: Rupesh Sreedharan
Senior Program Managers: Chetan Acharya, Pooja Chhabra
Program Managers: Ajay Adhikari, Sachin Arora
Management Trainee: Ramya Menon

Marketing & Sales (National)
President Sales and Marketing: Sudhir Kamath
VP Sales: Sudhir Argula
General Manager Sales: Parul Singh
Asst. GM Brand: Siddharth Singh
Asst. Manager Brand: Disha Gaur
Associate Marketing: Dinesh P
Sr. Manager Client Marketing: Rohan Chandhok
Ad Sales Co-ordinators: Hema Saravanan, C.M. Nadira Hyder

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello. Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.



Advertiser Index
ADC India Communications
Alcatel Lucent: EMG 66 & 67
American Power Conversion
Canon India
Check Point Software Technologies
D-Link India: 26 & 27
Emerson Network Power
Fujitsu Asia
HID India
HP Storage
IBM India
LG Electronics India
Microsoft Corporation
Microworld Software Services
NetApp India
Quest Software India
SAS Institute (India)
Seclore Technology: 72 & 73
Tata Consultancy Services: 75 to 82
Trend Micro
Tulip Telecom
Verizon Communications India
Western Digital: 15
Wipro Infotech: 109

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

IDG Offices
Bangalore: Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027. Ph: 3053 0300, Fax: 3058 6065
Delhi: 410, Hemkunt Towers, 98, Nehru Place, New Delhi 110 019. Ph: 011-4167 4230, Fax: 4167 4233
Mumbai: 201, Madhava, Bandra Kurla Complex, Bandra (E), Mumbai 400 051. Ph: 3068 5000, Fax: 2659 2708

Regional Sales
Bangalore: Kumarjeet Bhattacharjee, Varun Dev, Pooja Nayak
Delhi: Aveek Bhose, Prachi Gupta, Punit Mishra
Mumbai: Ajay S. Chakravarthy, Dipti Mahendra Modi, Hafeez Shaikh






Innovation
RFID Makes Insurers Mooooolah

For years, Indian farmers have been dumping dung on insurers’ attempts to insure livestock like cows and buffaloes. And until technology stepped in recently, they’ve succeeded. Livestock is central to the survival of millions of small and marginal Indian farmers, who bank on their cows and buffaloes to feed their families and provide an alternative income to farming. Which is why the loss of livestock can be devastating. In its attempt to support them, the Indian government has been pushing insurance providers to cover cattle for over three decades. But despite its efforts, less than 10 percent of the cattle in about 100 million homes are insured today.

The reasons are numerous and surprising. From the farmer’s point of view, high premiums, a 40-to-60 day delay in claim settlement, and the 15-day wait to get an insurance policy, made insurance unattractive. On their part, insurers couldn’t lower premiums because of high manpower and paperwork costs and the significant number of false claims—which had to be built into the price of the premiums. So many farmers were filing false claims, which insurers had to pay, that it made the cattle insurance business unviable. “For a while, we stopped our cattle insurance business because of the rate of fraud,” says U.C. Dubey, executive IT director, IFFCO-TOKIO General Insurance. Traditionally, insurers marked cattle with inexpensive plastic or metal ear tags which served as a means of identification.

(Continued on Page 10)

Quick Take
Jethin Chandran on Telecommuting

IT Management: Telecommuting means flexible working hours for employees and better productivity for the organization. Which is probably why, today, organizations are warming up to the idea of enabling telecommuting, and the IT team has a crucial role to play in ensuring collaboration. Anup Varier spoke to Jethin Chandran, GM – Business IT, Wipro Technologies, about various aspects of telecommuting.

What should CIOs consider for telecommuting?
Today’s mantra is any time, anywhere, any device access. But the decision to allow work from home should depend on the security posture of the tasks handled by the employee. There are certain types of product development tasks which, under IP regulations, cannot be moved out of the premises. Lab-intensive jobs and those requiring tighter physical collaboration in terms of document sharing, printing, and packing jobs cannot be easily handled outside of the office.

What are the challenges in enabling this?
Regulatory clarity is required in working from home for certain job profiles. For example, if an employee is a permanent telecommuter, you need to ensure processes and mechanisms to monitor his productivity. Other challenges are connectivity and power. IT support needs to be provided even if the employee is working from home. Also, the HR-related processes need to be taken care of.

How can organizations handle these issues?
Organizations should develop defined processes and policies for telecommuting; otherwise it’ll not be successful. It’s not as easy as giving an employee a data card and asking him to work from home. The policy needs to be clearly articulated and supporting infrastructure should be made available. For example, he should know where to get connectivity and back-up for power. Also, a proper checklist for the items needs to be maintained.

Voices
What Should You Watch Out for When Conducting Appraisals?

Staff Management: At a time like this, when employees are feeling footloose and management is spending sleepless nights trying to keep their team together, it has become critical to keep your employees happy. A promotion is a good way to do so. But what do you really look for in a candidate? Varsha Chidambaram finds out from your peers:

“A CIO should give continuous constructive feedback and should not mix up loyalty with intellect. Promotions should be based on potential and increments based on performance.” Vinay Hinge, VP-IT, D-mart

“Appraisals should be designed in a way that makes it easier for employers to consider salary, promotions, transfers—and even demotions or terminations.” Subrata Banerjee, Head-IT, Aluminium Sector, Vedanta Aluminium

“It is important that you select the right candidate. I would look at an employee’s success rate and contribution, his ability to work in a team and his influence over the IT and business team.” Satyendra P. Tripathi, Head-IT, JSL

RFID Makes Insurers Mooooolah (Continued from Page 9)

When an animal died, its owner had to produce the tag, get a death certificate from a veterinarian, and make a claim. Typically, not all of a farmer’s cattle was insured—just the expensive ones. So when a non-insured animal died, cash-strapped farmers “would clip the ear tag of an insured cattle, plug it onto the dead animal and claim insurance,” says Dubey. Things got to a point where farmers stopped helping sick cattle—allowing them to die—in order to claim insurance.

Recently, insurers have got smarter. They are replacing ear tags with RFID microchips that are injected into a cow’s body. The chip has a specific number that can be read on specially-designed RFID readers. The RFID tags are also connected to PDAs, which record the entire history of the animal. When this chip is removed from a cow or bull, it deactivates so that it can’t be reused—hence putting an end to fraud. This has allowed the likes of IFFCO-TOKIO to fire up the cattle insurance business again, and others like IFMR Holdings, a Chennai-based rural financier, in conjunction with HDFC Ergo, to reduce fake claims—and lower premiums: from 12 percent to 7 percent for a three-year policy. Dubey says that the cost of the RFID solution (it cost IFFCO-TOKIO Rs 10 lakh to launch) is not passed on to the farmers.

Some insurers are taking the RFID solution further by including other information like the age of the animal, vaccination, de-worming, feed and yield details. Their attempt is to follow the lifecycle of the animal to ensure healthier cattle—and prevent ‘unexpected’ deaths. And according to IFMR, the RFID solution allows insurers to cut down the time it takes to provide insurance and settle claims. Where it used to take 15 days to insure an animal, the RFID solution backed with a PDA can provide it immediately—on the farm. And a claim can be settled in 72 hours.

— Supriyaa Uthaiah

IT Strategy
Setting Perfect Connection

Merger and acquisition (M&A) activity is back on the agenda—particularly strategic M&As where a company buys and integrates another—and CIOs are playing an increasingly crucial role in integration success. According to Gartner's executive program analysts, CIOs in both the public and private sectors must develop world-class M&A integration capabilities. M&As are among the biggest challenges for enterprises and their IT organizations to navigate, and conventional leadership and management techniques often are not enough, said Gartner vice-president Dave Aron. "Reaping the benefits of a merger or acquisition is a notoriously tricky business. There is no established governance body spanning the whole enterprise, there are normally aggressive goals and time frames, and there are often many surprises along the way, as each side learns about the other," he said. "On top of all this, the business must continue to serve clients, run operations and execute in the face of major, often disruptive, integration activity, making IT's role in M&As critical."

Aron said IT plays a key role, along with other parts of the business, in five critical M&A integration phases:

The due diligence/planning phase, in which a basic plan of action is sketched out. In the most successful integrations, integration planning happens concurrently with due diligence and data gathering, with an initial hypothesis that is refined as information becomes available. Gartner said the idea that integrations must be conducted quickly is a myth; planning and communication should be conducted as quickly as possible, but the speed of integration depends on the context and goals.

The welcome phase, in which a limited number of visible changes are instituted to signal the new reality that the merged organization brings. Tactics include giving everybody harmonized e-mail addresses, phone accounts and security badges, and moving key people to different physical locations. Outcomes centre on setting expectations, reducing uncertainty and motivating key staff.

The initial phase, in which the most urgent practical changes are instituted. Urgent outcomes will vary depending on the nature and goals of the integration, but common activities include addressing legal and regulatory issues and achieving transparency through integration of financial and management information. Other goals may include presenting one face to the customer and addressing human capital management disparities. Execution risk is highest during this phase, said Gartner, as it involves a high level of personal uncertainty, along with transitional governance and project management.

The main integration phase, during which most of the big process and system changes are executed. Pieces of the post-integration landscape are put in place over time. For absorption-style integrations, it means bringing everything in the target organization onto the parent platform. For best-of-breed-style integrations, it means putting the integration architecture in place.

The reap-the-benefits phase, which addresses the remaining benefits such as cost synergies or market share. The phase can also help capture lessons for subsequent M&A activities and other major transformations.

Each phase of integration breaks down into workstreams—with IT representing one workstream, while functional areas and business units represent others. IT traditionally has strong project and service management skills and therefore also has an opportunity to play a larger role in the integration.

—By Georgina Swan

Opinion Poll
Collaborate to Innovate

Globally, 83 percent of CIOs say they are asked to deliver technology innovation to improve competitive advantage. Most don’t work alone. They work with:

[Chart: IT’s Innovation Partners. Categories: Suppliers; Professional services firms; No one.]

CIO Role
No More Mr. Nice IT Guy

"If I touch your computer, you'll think that every future problem is caused by something I did. You'll tell everyone I ruined your computer. I'll be obligated to solve every computer problem you have from this day on. My own projects will be left to wither as I show you for the ninetieth time how to select a new font. If I refuse to help, you'll tell my boss I'm not a team player," so says Dilbert. This observation is spot on, and also applies to how IT gets asked to do things that have long-term ownership issues and yet you can't turn them down without looking uncooperative.

Today, IT mostly finds itself in an uncomfortable situation. It's caught in a perfect storm created by collapsing budgets, increasing internal demand, and external services that undermine IT's authority and the integrity of internal solutions. IT becomes everyone's favorite whipping boy because no one really understands what IT actually does. The trouble is that everyone outside of IT expects a level of service that, given budgetary constraints, can't be supplied. Just imagine if you went to sales and asked them to start organizing building maintenance. They'd tell you to be on your way. Those aren't things on the menu of stuff they do. But they are the first to expect IT to add anything and everything to their menu, and the idea that you won't do whatever they want is seen as your failure.

So what do you do? Stop providing all of those services that involve anything that isn't absolutely defined and quantified, says Mark Gibbs, who has written four books and numerous articles about networking and computer technology. No more Mr. Helpful. No more "sure, you can use that application you think might be cool." You've got to justify it and we'll tell you what it will cost to support it and you'll have to find the funding. No more "we'll show you how to set up a Word document with two columns." We'll have scheduled Word classes (if we can afford them), otherwise read the freakin' manual. The goal is to make the rest of the organization think twice before they ask for something that you, IT, don't have on the menu. It's a tough position to adopt but, given the current realities, it may be the only strategy that IT has to ensure it gets the core work done and to stop from wishing for the hug of death.

—By Mark Gibbs
Illustration by Vishak Vardhan

Enterprise Apps
Six CRM Must-Haves

If a significant CRM system project is on your agenda, here is a checklist of items that you need to look out for:

A project plan focused on user adoption. A CRM system without active users and a rich set of data is just an empty shell. This is not a matter of training or even indoctrination. In the project plan, every delivery phase should be focused on things that will attract communities of users because the new features will inherently make their job easier.

Incremental delivery. CRM requirements tend to change more rapidly (and more radically) than other enterprise software. The project should be delivering functionality and data incrementally, so the business users see the system becoming more valuable at least once a quarter. With a SaaS system, the project should be able to deliver something of value to the business at least every six weeks, no matter how big the project is.

Integration with marketing automation. CRM systems and marketing automation are close cousins. But they're only cousins. The best of breed in CRM systems have weak marketing automation features, and the reverse is also true. Unless your CRM project is focused only on customer support, the system will be incomplete if it doesn't have a tight integration with e-mail blasters, landing page generators, registration systems, and event management features. Make sure that the project uses off-the-shelf adaptors for ERP, order entry, and other related systems.

Integration with your e-mail and phone systems. CRM is all about communicating with customers and collaborating with internal staff to win the deal and build customer satisfaction. So your CRM system needs to be integrated with the main channels of communication: e-mail and phone. There's nothing wrong with third-party products here, but you want to make sure that appropriate inbound and outbound e-mails are logged for each 'touch' and that the system provides 'screen pops' to inform anyone who has to take an inbound call from a customer or prospect.

Mobile. Sales reps and field support teams are increasingly working on the go or at the customer site, and they need real-time access to customer history, order status, and inventory information. Even if you have no requirement for this now, make sure that the technology you're buying can readily support popular devices for all the functions you're going to deploy.

Social media. You don't have to use Twitter or Facebook yourself to know that consumers and professionals log on to social media networks by the millions every day. Whether it's Salesforce Chatter for internal collaboration or Reputation Defender for brand monitoring, your CRM project needs to at least have a strategy for integrating these next-generation customer touch points.

—By David Taber

IT Delivery
3 Signs of SaaS Immaturity

Just when you thought it was safe to jump into the SaaS waters, a new survey finds that IT and enterprise software decision-makers don't feel totally comfortable with SaaS—namely those nagging security, integration and data migration concerns. That's the thrust of a new Forrester Research report. No doubt SaaS products have vastly improved since the early 2000s. "The growing maturity of SaaS combined with buyers' desire for solutions that allow them to conserve cash, deploy quickly, and avoid long-term lock-in, means that SaaS continues to gain popularity," principal analyst Liz Herbert notes. But IT executives and corporate technology buyers still aren't totally sold on SaaS. Call it the growing pains of a semi-chaotic, underdeveloped marketplace. Herbert writes: "Today's SaaS landscape is frequently characterized by multiple, fragmented and often siloed applications." Here are the Forrester survey respondents' top three concerns:

Security. Security is the top reason preventing firms from moving to SaaS, cited by more than half of the respondents. "Specific security concerns include everything from physical security (requirements for datacenters), to logical security and identity management, to a lack of robust security standards," writes Herbert.

Integration. "Firms not only face the challenge of integrating SaaS with on-premise but are increasingly finding that SaaS-to-SaaS integration can be difficult and often expensive," writes Herbert. "Some tools make it possible for non-IT roles to manage ongoing integration points (within reason), which appeals to business populations that are attracted to SaaS to gain independence from IT," Herbert notes. "However, sourcing and IT professionals should typically get involved to make sure that the integrations are cost-effective and avoid duplicating integration work being done elsewhere in the organization."

Data Migration. Herbert writes that some areas of SaaS that are popular with companies include "peripheral/edge" areas where companies have little or no existing applications or where SaaS is supplanting lightweight Excel tools only. "But in more strategic areas, like financials or supply chain, firms planning a migration to SaaS are typically faced with a significant data migration," Herbert contends. "This has significant impact on time to deploy, lock-in/commitment and implementation considerations," such as the need for systems integration and consulting help. Companies can incur additional cost in these areas.

—By Thomas Wailgum

Alternative Energy
Flying on Solar License

In a major triumph for alternative energy researchers and enthusiasts, an experimental, solar-powered plane successfully completed a 26-hour flight powered by 12,000 solar cells and sunlight-powered lithium batteries. The Solar Impulse, a slender, long-winged airplane, flew through the night over Switzerland, fueled by energy it collected during the previous day. Solar Impulse reached a height of 28,000 feet and a top speed of 78 mph in what project coordinators called the longest test flight of a piloted, solar-powered aircraft. The solar plane project was launched at the end of 2003 under the guidance of Bertrand Piccard, the first person to complete a non-stop balloon flight around the world. "This is a highly symbolic moment: Flying by night using solely solar power is a stunning manifestation of the potential that clean technologies offer today to reduce the dependency of our society on fossil fuels," said Piccard, in a statement.

The aircraft landed where it had taken off—in Payerne, Switzerland. Andre Borschberg, 57, a former Swiss air force fighter pilot, flew the plane. Dan Olds, an analyst with The Gabriel Consulting Group, called the flight a "showy win" that should help organizers gather support for solar power and solar-powered vehicles, in particular. "What it basically proved is that if you have enough solar cells, you can keep one guy in the air almost indefinitely," Olds said. "The wing area of the plane, where the solar collectors are placed, is bigger than almost every commercial airliner. So it gathered enough energy during the day to both keep the plane aloft and to store up enough juice to keep it flying during the night. It's an interesting and showy demonstration of what solar power can do." He further added, "Down the road, we will probably see all sorts of vehicles get a boost from solar cells on their exteriors. But there are quite a few hurdles in the way. The first is the cost/benefit analysis. Are the cells efficient enough to actually pay off? And there are also durability considerations. Are they reliable enough, do they need special cleaning or servicing?"

Solar cells have been powering some novel projects. NASA's robotic rovers, which have been working on the surface of Mars, have been powered only by solar power. Astronauts and robots have worked hand in hand to install a massive solar array on the backbone of the International Space Station to power the orbiter.

—By Sharon Gaudin
Illustration by MM Shanith

alternative views BY sneha jha

Will Mobile BI Take Off in India? Ayes vs Nays

“I believe that with the power of 3G resting in enterprises' hands, mobile BI

will attain the next level of maturity.” Harnath Babu Head-IT, Star Union Daiichi Life Insurance


Over the last three years, the use of business inteligence (BI) has witnessed a sea change with the advent of sophisticated smartphones. This has led to a fundamental shift in the way BI technology is being leveraged to gain business value. BI is now poised to take a huge leap with mobile BI. Stiff competition has impelled Indian companies to look for ingenious ways to enhance workforce mobility and provide them with anytime, anywhere access to data assets. The business imperative of mobility coupled with the need to achieve customer centricity and grab a bigger market share has led to the use of data assets for predictive analysis. This has driven companies to deploy mobile BI for efficient information delivery. Indian companies are increasingly realizing that in a dynamic and interactive environment they need such a mechanism. In the near future, the key beneficiaries of mobile BI will be sales people and field service personnel. The ability to view sales for the month, sales history and orders can provide them with timely information to increase sales by cross-selling and up selling. For a sales agent of an insurance company, this facilitates sales opportunity management. He can use it as a facilitator to take prompt decisions by tracking the trends in customer behavior and customer preference. I believe that with the power of 3G resting in enterprises' hands, mobile BI will attain the next level of maturity. The mobile analytics environment promises improved data delivery efficiency and the ability to take timely decisions. As corporations focus on delivering real-time business data to the mobile workforce in a device independent environment, they will start embracing mobile BI.


August 15, 2010 | REAL CIO WORLD


“Indian enterprises do not have the necessary infrastructure to support mobile applications that are resource hungry.” —Sundaram Krishnan, Head-IT, Universal Sompo General Insurance

Mobile BI may emerge as one of the most desired technologies but it will not witness a high level of adoption within Indian enterprises. One of the biggest apprehensions that corporate IT and business have is data security. Business still feels that as long as data assets and analysis are confined within their firewall, things are relatively secure. But the concept of mobile BI is quite contrary to this view. BI is data- and analysis-rich and it cannot be shared through a suspect medium. Complexity is another issue which will hinder mobile BI adoption. The mobile world is an entirely different ballgame. It has several inherent complexities. It involves different vendors, technologies, devices and operating systems. Companies need to have the right infrastructure in place and they also need to have a strategy for the diversity of mobile devices. For this, they need to deal with several technical complexities which might prove to be very daunting. Right now, Indian enterprises do not have the necessary infrastructure to support mobile applications that are resource hungry. The other factor will be the cost. There’s cost implied and incurred everywhere. Cost of developing a mobile application that’s visible in a variety of handsets running a variety of OSes; cost of BI software itself that is mobile-enabled; cost of providing such smartphones to your work force will be too expensive. There are limitations on the size of data that flows through such applications because of the available mobile spectrum. BI applications simply do not take this into consideration. Also, while everybody seems to own a mobile, very few people own a smartphone, which is a prerequisite for leveraging the value of mobile BI.


Bernard Golden

Think Tank

Why You're Really Resistant to the Cloud
You say you’ve weighed the pros and cons of a public cloud option and shot it down. But did you make a rational decision?

Illustration by MM Shanith

A few weekends ago, I read a blog post titled Lazy, Hazy, Crazy: The 10 Laws of Behavioral Cloudonomics by Joe Weinman, coiner of the term 'Cloudonomics'. Weinman has published a great deal analyzing the economics of cloud computing, much of which illustrates that cloud computing can provide significant financial benefits. Certainly, published case studies and examples seem to dictate that cloud computing should be aggressively considered as the foundation of infrastructure initiatives. However, all too often one encounters an attitude that reminds one of the joke among economists: "Sure it works in reality, but will it work in theory?" I repeatedly engage in discussions with IT executives who bring up various putative shortcomings in public cloud computing offerings, citing questions of personnel security, data integrity, virtual machine protection, and so on. But when I query the status of these issues within their own organizations, I hear that their own practices fall far short of what cloud providers offer. Yet when evaluating public cloud service providers, the standard is not "is this an improvement over what I can do on my own?" It's "does this meet the very highest standards I can think of?" In other words, to quote Voltaire, “the best is the enemy of the good,” with executives choosing to stick with broken processes and inadequate measures rather than moving to an offering that, while perhaps imperfect, represents a significant step upward over their current environment. And, by the way, these positions are often propounded with fervor, not to say bombastic insistence. One can't help but feel that the weaker the argument, the louder the voice.

Weinman’s post brings another perspective forward, which indicates why a topic like cloud computing, which should be evaluated logically and dispassionately, is all too often the arena of rigid positions and rapid reactions. Essentially, he examines various elements of irrational decision-making, and applies them to cloud computing. Here are some of the elements he identifies:

The Endowment Effect: People value goods that they already own more than they would pay to acquire them. In his book Predictably Irrational, Dan Ariely shows that for hard-to-acquire basketball tickets, students were willing to pay up to about $170, but weren't willing to sell them for less than $2,400. Add in the ‘choice-supportive bias’ (which rationalizes selected options and discounts unselected ones) and a stubborn fondness for existing IT technology and organization assets can be understood.

The Status Quo Bias and Escalation of Commitment: We tend to prefer things the way they've always been, and invest additional amounts in past strategies which we have pursued. This can lead to inertia slowing the adoption of new approaches.

Need for Status: Humans and other social primates have exquisite, fine-grained status detectors. For cloud adoption, the status associated with managing a large IT organization with a substantial asset base needs to be replaced by the status accruing to being perceived as an innovator through the use of cloud services.

If you've read Predictably Irrational, you're probably familiar with Ariely’s experiments and his theme, which is that our decision-making processes, far from being the realm of impartial analysis, are skewed by experience, prejudice, coincidence, and happenstance. His work illustrates that rationality, far from being the dominant mode of decision-making, is, perhaps, the rarest element in any choice process. Given the fact that so much decision-making is heavily irrational, it's not surprising that the subject of cloud computing raises such emotions.

The choice of pursuing a public cloud option is never going to be based completely—or maybe even partially—on its merits. It's going to be filtered through impulses like ‘The Endowment Effect’ and ‘The Need for Status’ and the like. It doesn't take a genius to recognize that those powerful factors are likely to overwhelm an objective evaluation of the opportunity. Cloud computing is by no means the first example of this kind of pitched battle regarding a new technology offering. Significant elements of IT organizations dismissed the PC at its introduction as a ‘toy’. I remember running an engineering organization in 1995, when someone in the group put an article up on the communal bulletin board that proclaimed "The Internet will never be used for important applications." Nevertheless, despite similar irrational reactions, those technologies eventually became dominant. It's a rather laughable irony that many of the people resisting cloud computing are vehement proponents of these formerly revolutionary platforms, which were just as vociferously resisted by their predecessors.

Given that so much decision-making is heavily irrational, the choice of pursuing a public cloud option is never going to be based completely—or maybe even partially—on its merits.

How did these upstart technologies transform from too dangerous to touch to stuffy status quo? It wasn't because of the force of logic convincing the antagonists. Far from it. The transformation happened because end users and insurgents within IT, apprehending the potential of the new platform, bypassed the official channels and decision-making processes, and either created covert applications or forced them through over the protestations of the mainstream organization—which eventually resulted in the mainstream organization belatedly adopting the innovation. It’s an idea that Rodrigo Flores—the CTO of newScale, a company that provides ITSM software, which is often used to implement ITIL practices—captures well in an article discussing how internal IT groups should respond to the use of public cloud computing. In the article, he cites a survey that HyperStratus and newScale did in April that indicated a high use of public cloud computing. When we did the survey, the most frightening thing about it was that nearly one-fifth of the respondents, when asked about public cloud computing use in their organizations, said "I don't think so, or at least I hope not..." Flores' article is a call to action, challenging internal IT groups to get ahead of the curve and place controls around public cloud use. I must say that I am not especially sanguine about the probable response to his entreaty. I expect cloud computing will follow the same dilatory response that other innovative technologies have received from mainstream IT groups. Which is a shame. Cloud computing offers an opportunity to reconstruct the practices and economics of IT, freeing it from the Procrustean bed of legacy infrastructure. Following the same old processes and living by the same old limitations—in a time when IT is literally becoming the foundation of our society—is a tragedy.

Cloud computing calls for visionary leadership with its eyes on the future and a willingness to upset the apple cart. Shrinking from its opportunities—and challenges—is a recipe for irrelevancy and obsolescence. CIO

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of Virtualization for Dummies. Send feedback on this column to


Cover Story | Security


ARMS
Like you weren’t juggling enough roles, here’s another one: the CIO as a crusader for security. Drafting employees into the security fight may be the only way you’re going to take on the many risks your company faces today. Fortunately, there are already some CIOs who have blazed a trail for you. By Anup Varier and Kanika Goswami



In the new era, you’re only as good as your message. Get heard.

Are our social networking fears overblown? Yes, says NDTV’s IT leader.

Secrets revealed: three must-haves for a good mobile security policy.

There is no business continuity without business impact analysis.

HDFC Bank’s CISO tells you how to raise your security policy from the dead.

Four—not three, not five—ways to sell a business continuity plan.



Reader ROI:
The new role of the IT leader with a security mandate
Why being heard—across multiple audiences—is more critical than ever
How to seep the security agenda into people’s subconscious

Photo by DR Lohia

We live in an age of more. More end-point devices, more connectedness, and more unpredictability. There are just too many battle fronts for the security function to fight alone. And many IT leaders have realized that they need to call more people into the fight. That’s what this year’s Global State of Information Security Survey, a joint effort between PwC and CSO magazine, points to. Over 60 percent of Indian enterprises have people dedicated to employee awareness programs for internal policies and procedures and 50 percent have an employees’ security awareness program. “Enterprises are no longer investing in infrastructure and technology as much as in people,” says Sivarama Krishnan, exec. director, PwC, India. In this package we look at how IT leaders can draft more bodies into the security fight and how this new philosophy applies to new technologies.

Have You Made Your Point?
In an era in which there are too many security bases to cover, IT leaders need to call in the cavalry. And that means you’re only as good as your message. Make sure you’re heard.
By Kanika Goswami and Audry Agle

Risk awareness for enterprise information technology should be what the brakes are to a car. Strong brakes give people the courage to drive faster and the comfort of knowing they are in control. This is probably why there is greater emphasis on risk awareness today than ever. “Today, Indian enterprises are marking about 10 to 15 percent of their IT security budget for awareness initiatives and about 25 percent for setting security procedures and processes in place,” says Sivarama Krishnan, executive director, PricewaterhouseCoopers, India. “This means that about 35 to 40 percent of the security budget is non-technology spend for risk mitigation.” And by taking care of the more ‘technological’ aspects of security, the IT industry is also driving up interest in risk awareness. An interesting evolution in the IT environment has been the fact that, today, security is an intrinsic part of most applications, which means enterprises have to invest little separately in security applications. Take for example how five years ago, even Windows 95 needed external security applications. Today, Windows 2000 comes with inbuilt security. Or how SAP is able to integrate with Active Directory without any security risks. It’s a phenomenon that industry watchers have noticed and that’s made them come to the conclusion that the balance of interest has tilted from security applications to people. “Enterprises are no longer investing in infrastructure and technology as much as in people,” Krishnan says. “Companies have realized that a large amount of money has already been spent on technologies. Today, they are increasingly seeing benefit in investing in people, their awareness, and other non-technology processes that ensure better and clearer communication.” The question is: How much is that interest worth? According to the Global State of Information Security Survey (run by CSO magazine, a sister publication to CIO), the share of IT security fell as a percentage of IT budgets in 2010. In 2009, IT security formed 15 percent of the IT budget on average, and this dropped to 12.1 percent in 2010. Is 12.1 percent enough? According to the State of the CIO Survey the average IT budget across Indian enterprises is 2.4 percent of revenue. So a Rs 1,000-crore company would spend about Rs 24 crore for IT and about Rs 2.8 crore on information security. Burgess Cooper, CSO, Vodafone, says that’s an adequate figure for the most part. “Security spend is a continuous game,” he adds, “and communication and creating awareness certainly is one of the important ways of doing it.”

Get Taken Seriously
Burgess Cooper, CSO, Vodafone, tells you how to create an environment that makes people security-aware.
Drum it in. Ensure that awareness presentations on security and privacy are held right from employee induction. Follow them up with quizzes and refresher courses—until employees finally see and believe in the importance of security.
Constantly refresh. Keep giving people information. It might not be important to their everyday jobs but the constant flow will tend to change perceptions and their behavior towards security. Regular newsletters, for instance, will keep talking about security, which can help grow security consciousness. Other ways include workshops, screensavers, and ensuring all new recruits and existing teams go through an awareness program.
Pace yourself. The journey has to be made year after year, again and again, on a continuous basis. Awareness of security risks and ways to handle them is an ongoing learning process. —K.G

Spreading the Gospel
With risk awareness taking center-stage as a big security strategy, newer and more innovative ways of doing it are coming to the fore. Security practitioners say that the best way to get their message across to the rest of the organization is by storytelling. Awareness dawns fastest when there is a value attached to it, they say. And this is done in many ways, although most choose to do it with simple communication. “One smart way is by holding sessions at the management level. Other ways include workshops, newsletters, screensavers, and ensuring all new recruits and existing teams go through an awareness program,” says Cooper. Other security heads break up their security policies into modules and impart that awareness in smaller bites. Japjit Sandhu, VP and head information security, VFS Global, for instance, swears by chewable bites. One of the reasons he uses this strategy could be the spread of his organization. VFS is a global travel documentation partner to many governments and an arm of Kuoni Travels. Almost anyone who has traveled between countries in the western hemisphere and India has, at some point, used the services of VFS. It has a number of applications for visa and other approvals and any security lapse in these systems can have serious repercussions.


“We broke down our security policy into smaller bits,” he says. “Our policies are completely based on an ISO 27001 framework, which we have adopted within the organization because we have to cater to a lot of regulations across the globe. These smaller bits are more usable.” Sandhu and his team also carry out internal audits across various VFS sites. At the end of each audit they have a session with employees to share their security plans and why information security is so important. “We also have an internal portal where there is a learning program that is mandatory for every employee to undergo as a part of their continuing education within the organization. There is then a compulsory quiz, which is based on the content of the learning program. It is mandatory for everybody to get 75 percent or above.”

Different Strokes for Different Folks
The battle for more awareness requires different strategies for different levels within an organization and various stakeholders. But the end result is the same. “In any company, the first thing that needs to be done is to align the three pillars of business—people, process and technologies—with information security vectors including confidentiality, integrity and availability. You need to ensure that the business, your outsourced vendors and employees all are aligned to your security framework and policies,” says Cooper.

“Security is a continuous game and communication and creating awareness certainly is one of the important ways of doing it,” says Burgess Cooper, CSO, Vodafone.

One important way to do that is to work security inputs into business objective formulation—and not introduce it as an add-on later. “Infosec is part of the organization, it cannot be an outsiders’ view,” says Sandhu. “One has to take the business along. My team engages very actively with business teams so that information security is included as a part of any new process that is put in place or changed. That makes our job much easier because then no rework is required at a later stage.” At Vodafone, Cooper says, they too make sure that the entire lifecycle of a product, right from development to testing, is covered with security. This, he says, includes any new product or website or customer service enhancements, basically any business initiative. Another audience IT leaders with a security mandate need to raise awareness levels with is the CXO community—including the bean-counters. How does communicating security with CXOs differ from the rest of the organization? As resources, they need awareness too, but as signing authorities, they need convincing as well. At VFS, Sandhu’s done a great job raising awareness and as a result communicating the importance of a new security initiative is easier. “In our company, we don’t need management buy-in at all because global regulatory and compliance requirements cannot be compromised on, and that’s a natural enabler. But since I believe in the mantra of keeping it simple, whenever I have to approach my management with an investment proposal, I would say ‘this is what is happening and this is how we need to mitigate it’. It’s that simple.” Obviously, it helps Sandhu’s case that his industry deals with a lot of regulation. But it’s also a smart strategy to align with business needs, he says. The best and quickest strategy to get management buy-in is to align security requirements with the business policy, he says. So, if increased security awareness can help reduce risk for customer-facing business applications, use that as a stepping stone. The market need, then, is where the security leader must look for allies. “You cannot always measure security as an ROI. The absence of fraud is a very significant benefit even though it doesn’t have an ROI figure attached to it or cannot be quantified in revenue terms. The security policy strategy should be: Keep people aware of risks in the context of business, then you can actually get it across to management,” says Cooper.

Keep the Chatter Up
Japjit Sandhu, VP and Head Information Security, VFS Global, shows you five ways to keep the security conversation going.
Know your end users. This will ensure that the right message goes to the right group.
Keep it simple. Don’t use complicated technological jargon. It is very easy to make it complex but very difficult and absolutely imperative to keep it easy.
Keep your ears to the ground. Listen to your users, have a channel of communications established with them and ensure the interface is used regularly.
Break down your policy. Chop up your information security policy into smaller, manageable modules, instead of chunky books. You’re more likely to get read.
Identify bridges. In every team there are members who people trust enough to come up and ask questions. Tap these people to ensure that your users’ doubts are cleared. —K.G


Make Them Hear You
Research has shown that the human mind needs to hear a message at least seven times before it actually absorbs it. In the spirit of sevens, here are seven ways to ensure people listen to the security agenda.

“We broke down our security policy into smaller bits because these are more usable,” says Japjit Sandhu, VP and Head Information Security, VFS Global.

Appeal to personal lives. Get people interested in security by arming them with techniques to secure their personal information. If they securely tend to their own business, they’re more likely to tend to their employer’s. Offer Lunch-N-Learn sessions where staff can get tips for what needs to be shredded or locked up at home, how to manage personal passwords, securing home-based wireless networks, etcetera. Your employees will welcome the opportunity to ask questions they may otherwise be embarrassed to, and you’ll be showing them that you care about them as individuals.
Make the message visible. Put posters up at fax machines, shred bins, and coffee rooms. Make them eye-catching but simple; something anyone walking by can read and interpret without breaking stride—they’re more likely to remember the content. Change them at least once per month so there is always something new. If you don’t have a graphic artist on staff, hire a college kid to do the artwork, or use one of the security awareness vendors for ready-made ones.
Provide treats. You’d be surprised how far a donut goes to get attention. Have an occasional celebration where Security thanks the staff for doing their part.
Use their desk. If you have a clean desk policy, perform random desk checks after hours. Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a “Thanks for Doing your Part” note, or enter them in a monthly drawing for a prize. For those who aren’t meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.
Bring it to their computer screen. If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry. Supplement your newsletter with a monthly e-mail to all staff with a short message about a timely and relevant topic—PDA safety, emergency preparedness, or a reminder of who to call for suspicious incidents. Provide a security page on your employee intranet that lists the security policies, important contact information, links, etcetera.
Require training. Training programs will be more effective if you include interactive exercises, contests, games, or giveaways. Try to keep it short, and test comprehension.
Walk the talk. Perhaps the most impactful technique is for senior leadership members to display their own penchant for security. If it looks to be important at the top, you can bet it’ll be important at the bottom. Advertise internally when someone does something that thwarts a potential attack, or comes up with a control that bolsters the security of your organization in a cost-effective manner. Use incident exercises at all levels, including executive leadership. Remember that your employees can make or break your security program—keep them engaged in the process by soliciting feedback and suggestions. Provide a phone message line and e-mail inbox—anonymous if necessary. Make it easy to use, non-threatening, and welcome stupid questions. A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced. CIO

Kanika Goswami is associate editor. Send feedback on this feature to



Threat or Treat?
As social networking pervades enterprises, many IT leaders seem more focused on its security threats than on its potential. But K.Y. Iyer, NDTV’s head of IT, asks: are these fears real?
By Kanika Goswami and Audry Agle

According to a Nielsen Company report, three of the world’s most popular online brands are social-media related (Facebook, YouTube and Wikipedia). That isn’t surprising. Especially when you know that generation Y, millennials, and the more enthusiastic parts of Gen X spend about 22 percent of their time online on these sites. It’s a level of interest that isn’t tapering off. Already, 2010 is seeing the number of visitors to Facebook and other sites increase by 24 percent over 2009. If IT leaders still need convincing that social networking will have to be part of their enterprise’s plan they should look at this: On average people spent almost 6 hours on these sites in April 2010 against 3 hours, 31 minutes in 2009. The most common reaction to that figure is to ban these sites. But the simple fact is there are benefits to be garnered from social networking, notwithstanding the security black hole people say it is. However, a growing number of CIOs are beginning to ask: Are the risks overblown? Does social networking suffer from the same high-profile coverage that makes airplane accidents seem more probable than car accidents? In the meanwhile, social networking is beginning to be regulated. According to the Global State of Information Security Survey (run by CSO magazine, a sister publication to CIO), 42 percent of Indian organizations have information security safeguards in place: applications that audit or monitor employee postings to external blogs or social networking sites. But what about the majority 58 percent? They aren’t overly concerned with the security threats that social networks pose. Risk mitigation from social media is a significant part of only 27 percent of organizations’ security policies.

Another indicator that social networking isn’t the bogeyman it’s painted to be? The low priority given to risks from social media or Web 2.0 technologies compared to business continuity, which formed part of 68 percent of organizations’ security policy, or access control (60 percent). Is this lack of fear due to complacence? A more plausible reason is that more security heads are beginning to agree that as long as their security policies and awareness education are in place, there isn’t really any reason to worry. With this new realization beginning to seep in, many more organizations are now leveraging social networking sites to drive business, evangelize products, reach out to a larger customer base, engage in market dipsticks, collate competitive intelligence, and even recruit talent. One vertical that seems to have really embraced the medium is the media. It’s using social networking sites to reach out, develop business, spread its ideas and gather feedback. Take NDTV. The channel utilizes social networking for its Car and Bike show and for the most part it depends on education and common sense to keep threats at bay. In this interview, K.Y. Iyer, head IT at NDTV, talks about why he thinks the social networking threat is overstated and how he keeps his company safe.

58% of Your Peers

Aren’t overly concerned with the security threats that social networks pose.


CIO: Do you allow open access to social networking?


Isn’t that risky?


How has technology helped you achieve greater security?

K.Y. Iyer: At NDTV we allow restricted access, depending on the requirements. There are certain business units that rely on a huge amount of social networking. Resources from these units are allowed complete access.

Actually, I think the risk of hacking or outage is really blown out of proportion. At NDTV, we try to keep our users as informed as possible, so they can be aware and ensure that their actions on these sites are as safe as possible. And, we haven’t had any outages since we’ve allowed social networking from the corporate network. In any case, denying access completely isn’t very smart either. There are always ways around it, many people know that Web content filters can be bypassed—even the strongest ones. So awareness is the best weapon that an IT security person has against a social networking site combined with appropriate technology. Like any other threat, the threat posed to businesses by social networking needs to be addressed uniquely but as part of a whole.

It certainly has helped keep the casual user away, but someone who is hell-bent on getting access can find a way across the firewalls. For risk controls in place, we have perimeter firewalls, function filters, and antivirus scanners on all Web traffic. We have the ability to restrict access to any site by Active Directory user and that’s a great help. A person has to log in with his AD credentials for all services, including Internet access. All this is being powered using technology. So, I guess, IT has a big role to play in the process, and also helps to make it as foolproof as technology today allows.


Have you ever had any risk –related experiences with Facebook? Or have any of your peers? Honestly, these incidents are seriously blown out of proportion. But the risks

Vol/5 | ISSUE/10

8/10/2010 6:34:16 PM

Cover Story | Security

Vol/5 | ISSUE/10

Cover_Story_August2010.indd 31


How is NDTV leveraging social networking?

This team sees an advantage in building a user community around what they do, REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 0

Photo by d r loh ia

“S ecurity all boils down to one thing: Awareness building,” says K.Y. Iyer, Head IT at NDTV, which uses social media extensively.

certainly exist. It is possible in our case, for example, for someone—with or without any malicious intent—to share breaking news or a development on a news story with a friend or partner in a competing organization. That’s a business risk for us. All news channels are trying to be the first to break news. There is no way for IT to be able to track what is being done on an open chat or social networking platform. That’s a risk to our competitive edge and our market standing that can affect our future revenue. An inappropriate comment could lead to a loss of credibility or even legal liabilities. A typical enterprise would have antimalware installed. But my point is: This kind of attack can come from anywhere on the net; social networking per se does not have any specific security risks. Because there is now a heightened awareness of social security sites, generally security threats are being highlighted more. Threats are evolving, changing with emerging avenues of communication, but basically they are the same. Whether it is scientific curiosity or malicious intent, there are people who want to take something that they have no right over. What I’m saying is the threat is being blown out of proportion because of security concerns that have existed all along. These threats existed in the days when enterprises allowed access to free chat systems and free mail sites. So what is new now? What else is possible? Someone puts their private pictures up for the whole world to see. But then they asked for it, and it may or may not concern organizations. I can assist my users and tell them what precautions to take, but it is up to them to take them—especially in their personal lives. It all boils down to one thing: Awareness building. Every security measure has a certain downside in terms of what has not been experienced yet and could still happen. So all IT security people can do is keep a balance between enabling the business and disabling users. Beyond this, it is only the knowledge of risks and what not to do.


8/10/2010 6:34:20 PM

Cover Story | Security

around potential customers or drawing a group that could be customers in the future for our news offerings, products, services, and NDTV as a brand. We are obviously targeting a certain type of user, a certain type of audience for our website, and we are leveraging social networking as a tool for this activity. All forms of connecting with the consumer are welcome for any organization and all of us need to look at how to engage with our customers to grow our organizations. Social networking sites are a new medium which we have to use carefully. We have a very strong Web presence in We use a lot of social networking to promote NDTV channels and websites too. A lot of these pages on Facebook or Twitter are run by the people who manage our television shows; our anchors and producers. Many of our programs have Facebook communities, for example. We are trying to get people interested in what is happening, what has happened in the past, and what could happen in the future. Our anchors are present on Facebook and interact with our viewers. This, I think, is really smart. It is true for other verticals as well. Social networking sites are a medium for organizations to communicate directly with their customers.


If you had one piece of advice for IT leaders dealing with social networking, what would it be?

I cannot pinpoint anything black-and-white; it has to be in line with the needs of the organization. But at the risk of repeating myself: As far as social networking goes, the risks are being blown out of proportion. We are looking at new forms of basically the same risks. There are so many more people out there with very little knowledge and they pose a risk to themselves and others. All we need to do is spread awareness of these risks, and what to do to mitigate them. That should work better than any amount of technological controls. No doubt technology helps and is essential, but do not rule out the power of knowledge.

Kanika Goswami is associate editor. Send feedback on this column to


August 15, 2010 | REAL CIO WORLD

Cover_Story_August2010.indd 32

Fighting Fraud
Your security plan does not stop at stemming external attacks. As an IT leader you are also expected to stay on the watch for internal fraudsters. Here’s how you can.

Warning Signs of Fraud
• An employee shows excessive or inappropriate contact with a particular vendor, or there is a familial relationship between an employee and a vendor.
• Sloppy record-keeping can mask illicit activity.
• Employees living beyond their means or known to be having financial difficulty may become desperate enough to commit fraud.
• Employees consistently maintaining a low profile to fly under the radar and keep a fraud scheme running for months.

What to Look for
• Embezzlement forms 70 percent of fraud cases. This could be anything from fabricating vendors to charge payments to, to corporate credit card misuse, to taking petty cash, to stealing pencils, pens and notepaper.
• Vendor fraud is also on the rise. Examiners are detecting fraud schemes in contract and procurement areas where, for example, a vendor suddenly shows a marked increase in contracts over the previous year—especially low-rupee-amount, no-bid contracts, which may indicate kickbacks to employees.
• Data fraud cases continue to concern employers. Some 59 percent of employees who leave or are asked to leave a company steal company data, according to a report by the Ponemon Institute, and two-thirds of them admit to using their former company’s confidential, sensitive, or proprietary information for new employment.

What to Focus on to Protect Your Company
• Anti-fraud policies and procedures. These should be part of an overall security program with input from your company’s general counsel.
• A champion. Look for a security champion from the highest echelons of the organization’s command-and-control hierarchy, someone from the board of directors for instance.
• Employee education. One of the easiest and most inexpensive ways to reduce fraud is through employee awareness and training. Once security awareness has sunk in sufficiently deep, employees should be able to recognize sensitive documents and suspicious behavior and can be your eyes and ears.
• Employee chatter. Rogue employees who can’t keep their mouths shut can be a boon for a security professional. Listen to what employees are chatting about.
• Roadblocks. Illegal activity can be detected faster by data access control, physical security, and discreet ways to report fraud.
• Surprise audits. These have proved to be effective in lowering fraud. When employees know that an organization practices surprise audits, they’re less likely to commit fraud.
• Company documents. Simply checking financial statements can uncover fraud. A sudden increase, decrease or anomaly can lead to signs that need to be investigated.
• A need-to-know culture. Access to confidential data should be on a need-to-know basis. Weekly or quarterly review of access rights is necessary, and so is terminating access immediately for any employee leaving the company.
—Stacy Collett
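Two of the checks in the sidebar above, the vendor-contract indicators under “What to Look for” and the access-rights review under “A need-to-know culture”, are mechanical enough to script. The following is an added example and not code from the article or from any organization named in it; the contracts ledger, the accounts, the role-to-entitlement map and the thresholds (a doubling in contract count, no-bid contracts under Rs 10,000, three or more of them) are all constructed here for illustration.

```python
"""Screen a contracts ledger for two vendor-fraud indicators and reconcile
access rights against a leavers list.

Added example; the ledger, accounts, roles and thresholds below are
constructed sample data, not figures from the article.
"""
from collections import defaultdict
from datetime import date

# Constructed sample ledger: (vendor, award_date, amount_in_rupees, competitively_bid)
CONTRACTS = [
    ("Acme Stationers", date(2009, 3, 1), 120000, True),
    ("Acme Stationers", date(2010, 2, 14), 135000, True),
    ("Quickfix Services", date(2009, 6, 10), 45000, True),
    ("Quickfix Services", date(2010, 1, 5), 9500, False),
    ("Quickfix Services", date(2010, 2, 9), 9800, False),
    ("Quickfix Services", date(2010, 3, 12), 9900, False),
    ("Quickfix Services", date(2010, 4, 2), 9700, False),
    ("Quickfix Services", date(2010, 5, 20), 9600, False),
    ("Northern Logistics", date(2009, 8, 1), 800000, True),
    ("Northern Logistics", date(2010, 7, 1), 820000, True),
]


def vendor_red_flags(contracts, year, growth_factor=2.0, small_amount=10000, min_no_bid=3):
    """Return {vendor: [reasons]} for vendors that deserve a closer look in `year`.

    Indicators from the sidebar:
      * the vendor's contract count in `year` is at least `growth_factor`
        times the previous year's count;
      * the vendor received at least `min_no_bid` no-bid contracts under
        `small_amount`, a pattern consistent with staying below approval limits.
    A flag is a reason to investigate, not proof of a kickback.
    """
    count_by_vendor_year = defaultdict(int)
    small_no_bid = defaultdict(int)
    for vendor, awarded, amount, competitive in contracts:
        count_by_vendor_year[(vendor, awarded.year)] += 1
        if awarded.year == year and not competitive and amount < small_amount:
            small_no_bid[vendor] += 1

    flags = defaultdict(list)
    for vendor in sorted({v for v, _ in count_by_vendor_year}):
        this_year = count_by_vendor_year[(vendor, year)]
        last_year = count_by_vendor_year[(vendor, year - 1)]
        # Vendors with no contracts last year are new, not "marked increases".
        if last_year and this_year >= growth_factor * last_year:
            flags[vendor].append(f"contracts rose from {last_year} to {this_year}")
        if small_no_bid[vendor] >= min_no_bid:
            flags[vendor].append(f"{small_no_bid[vendor]} no-bid contracts under {small_amount}")
    return dict(flags)


# Constructed need-to-know model: what each role is entitled to, and who holds what.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger", "payroll"},
    "it": {"ledger_admin", "vpn"},
    "sales": {"crm"},
}
ACCOUNTS = {  # user -> (role, entitlements actually granted)
    "asha": ("finance", {"ledger", "payroll", "crm"}),
    "ravi": ("sales", {"crm"}),
    "dev": ("it", {"vpn"}),
}
LEAVERS = {"dev"}  # HR's list of people who have left


def access_review(accounts, role_entitlements, leavers):
    """The periodic review from the sidebar: every finding is (user, reason).

    Two conditions are checked: an account that should have been terminated
    because the person has left, and an entitlement that is outside the
    need-to-know set for the person's role.
    """
    findings = []
    for user, (role, granted) in sorted(accounts.items()):
        if user in leavers:
            findings.append((user, "account still active after leaving"))
            continue
        for entitlement in sorted(granted - role_entitlements.get(role, set())):
            findings.append((user, f"entitlement '{entitlement}' outside need-to-know for role {role}"))
    return findings


if __name__ == "__main__":
    for vendor, reasons in vendor_red_flags(CONTRACTS, 2010).items():
        print(vendor, "->", "; ".join(reasons))
    for user, reason in access_review(ACCOUNTS, ROLE_ENTITLEMENTS, LEAVERS):
        print(user, "->", reason)
```

On the sample ledger only Quickfix Services is flagged, on both counts; Acme and Northern Logistics, whose activity is flat year on year, are left alone. The review function deliberately reports the leaver first and skips the entitlement check for that account, since the whole account should go rather than individual rights.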

Vol/5 | ISSUE/10


Security on the Go!
If you’re going to treat smartphones as the new endpoint, their security had better be at least as tough as a laptop’s.
By Anup Varier

They may be the newest enterprise device, but mobiles are already making a name for themselves in security circles. According to the 2010 edition of the Global State of Information Security Survey, 30 percent of Indian enterprises have experienced a mobile device related security incident. That’s a number that’s only likely to increase unless organizations wake up to today’s reality. Smartphones, in particular, and mobile devices, in general, are fast becoming the order of the day—but so are the enterprise security risks associated with them. And it isn’t just mobile phones; other mobile devices like laptops, thumb drives, PDAs and iPods have entrenched themselves so deeply within organizations that it’s impossible to weed them out. What you don’t manage, they say, will hurt you. It’s a truism that’s dawning on a greater number of IT leaders as their organizations decide to offer their staff mobile solutions in a more organized manner. Secure and control has become the new mantra. Control doesn’t necessarily mean ban. “As a first step, organizations need to identify their intention behind securing an endpoint. They need to decide whether it is the endpoint that they want to secure or the data that resides in it,” says Arup Chatterjee, CISO, WNS Global Services. In an era when the enterprise mobility software and applications market in India is estimated to grow at 41 percent (CAGR) and when users have access to over 650 business and productivity applications at Blackberry’s App World, banning mobility runs against common sense. There are plenty of users whose productivity levels have been enhanced by mobile devices. But that doesn’t eliminate the risk. The good news is that some security leaders who have started early on the mobile path have lessons to share. Here are some.

Mobile Cover
At WNS, Chatterjee makes the IT department accountable for mobility. “We give our employees the option of enrolling their devices as part of the enterprise security plan but though the device is theirs, we have control over it.” But control is a double-edged sword. “There are legal ramifications to remotely wiping data if an employee complains,” says Faraz Ahmed, CISO and head regional IT, Reliance Life Insurance. “This situation necessitates the need for a legal contract that allows the organization to do so.” Ahmed backs up that contract with training. “This also ensures that if tomorrow something goes wrong, the employee can’t raise his hands and say ‘I didn’t know. Nobody told me!’” he says. Despite these safeguards, information security experts agree: The lower the exposure the better. “With the new devices harping about integration with social networking sites, there is very little that stops the users from copying information from their corporate e-mails onto these sites,” says Ahmed. His advice to enterprises is to avoid giving mobile access to enterprise e-mail accounts to people who do not really require it. “Be clear about who needs what and provide them that,” he says. On the bright side, Chatterjee says experience shows that end users tend to cooperate once they are aware of the reasons behind stringent measures. “If a person really respects the organization then they accept our way of life. Even our new CEO who drives a BMW uses a mobile that doesn’t have a camera while within the office premises,” says Chatterjee.

Safety in Homogeneity
Another point of control could be device standardization. It is a smart idea to use as few device variations as possible. “We have defined which devices are permitted within our environment,” says Chatterjee. “The idea is that by limiting the number and type of computing devices that will interact with the environment we are limiting the risks.” Talking about which endpoints are more insecure, Chatterjee says, “In my environment, laptops are more vulnerable because they are capable of storing a lot more information and though there are strategies for securing them like encryption, attacks on these are also more sophisticated.”

“Even for something like remotely wiping data there are legal ramifications if an employee complains. This situation necessitates the need for a legal contract,” says Faraz Ahmed, CISO and Head Regional IT, Reliance Life Insurance.



That’s an argument that’s increasingly pertinent to smartphone owners. Without software that can scan for problems and update virus definitions, smartphones are being quietly infected without their owners even knowing about it. There is a common perception among users that viruses and malware are not problems on these new handheld devices. But security professionals say that such an outlook is superannuated. The reason these attacks are not widely reported, they say, is because the very nature of malware has changed. What used to be done for mischief and notoriety is becoming more financially motivated and hence much more discreet. As a result, it will be long after the damage is done that an enterprise or a smartphone user even becomes aware of the existence of an attack. “So whether it’s a laptop or a smartphone, from our end we ensure that anti-virus and anti-malware software is installed on these devices,” says Chatterjee. Control of data copied to external devices like USB drives and full-disk laptop encryption are considered the best bet for data privacy safeguards, with 67.6 percent and 57.3 percent of Global State of Information Security Survey respondents using them respectively. “For the over 2,000 laptops provided across the enterprise, we use encryption and pre-boot authentication,” says Chatterjee. But while the technology to encrypt laptop hard drives is more or less free of ambiguity and simple to deploy, protecting data on removable media and handheld devices through encryption can get tricky. “Though USBs aren’t blocked we have an outbound DLP monitoring which feeds into my security operations center and keeps a watch on what is being copied out of the systems,” he says. Even while implementing an encryption strategy, a security team needs to decide whether to choose full-disk encryption or file-based encryption, say security professionals. While the latter is more appealing in terms of ease of use and being less cumbersome overall, it faces the inevitable roadblock of relying on users to put files in the encrypted folders. Unless there is strong user acceptance and awareness, they say, such a system is bound to fail. Moreover, “If someone were to attempt cracking folder-level encryption versus a full-disk based encryption, the latter would be much tougher to crack,” says Chatterjee. Full-disk encryption also provides the enterprise the assurance that all the data on a laptop is actually encrypted and takes human errors out of the picture. As newer machines have the capacity to run full-disk encryption, users need not be concerned about this lowering compute speeds and slowing down performance. “If we were living in a perfect world with high speed connectivity and availability everywhere, I would have all my critical data sitting centrally in one location and provide Web-based access and ensure that only non-critical data resides on a laptop,” says Chatterjee.

“We have defined which devices are permitted within our environment. By limiting the number and type of computing devices, we are limiting the risks,” says Arup Chatterjee, CISO, WNS Global Services.

Spread the Word
As banal as it may sound, the most vital piece of advice for any mobile device user is: Don’t lose it! “So often one gets into a conversation at a bar or a restaurant and leaves a phone on the table. Almost all of us have lost at least one phone in our lifetimes,” says Ahmed. That’s a challenge IT leaders faced and continue to face with laptops, but with smartphones, their battle just got harder. For two reasons: Smartphones are less expensive than laptops, which makes them more common, and they are smaller and easier to lose. A laptop, for example, can’t slip out of someone’s pocket. Trouble also lies in the fact that “though the security policy for laptops in most organizations is mature, there are not many standards available on the smartphone front,” says Ahmed. At Reliance Life, Ahmed says, they have a mobile security policy, which is still undergoing a process of fine-tuning. “Every day the threat vectors keep expanding and evolving and we need to keep tabs on what the bad guys are up to,” he says. Many IT leaders like Ahmed say that a mindset change has to come about. It all boils down to end users becoming more aware that smartphones are not merely fancy gizmos that can also be used to increase productivity. They are mini-computers and users need to take the security aspects of the device as seriously as they have for laptops. “Technology is not a silver bullet. Even when you have that in place there are the people and processes that need to be taken care of. Educating users is very important because if they are made aware and know what can go wrong, they will be very careful,” concludes Ahmed.

Anup Varier is correspondent. Send feedback on this feature to



Stand Up and Be Measured What you don’t measure, you can’t manage, goes the saying. Which is why Rajiv Nandwani, executive VP risk management, ING Life Insurance, says business impact analysis is critical.


By Anup Varier

A CEO may like to have his morning report on his desk when he walks in—but when the building is on fire—important as that report is, it can wait. Every business unit has a specific goal, but some are more time-sensitive than others, especially when working under time constraints and the limited availability of resources. Business impact analysis (BIA) is about understanding what keeps the business in business in a disaster. “Business impact analysis is the first and most critical step to any business continuity plan,” says Rajiv Nandwani, executive VP risk management, ING Life Insurance. There is no doubt in his mind that BIA is the foundation on which to build a recovery plan. More so, because it is the process that will determine what is at stake in case of a disaster and what takes priority in a recovery, and these in turn justify the need to spend on recovery capability. In order to do business impact analysis effectively, organizations need to understand the concept of judging processes based not on personal preferences or what ‘seems essential’ but in terms of the time criticality of the function. “When one has to do business continuity management, each and every process needs to be evaluated,” says Nandwani. When he carried out a BIA of his business, he did exactly that. In order to ensure that no process is left out, ING Life has a Crisis Management Office (CMO) that has representation from all the various functions within the organization. This team, post discussions with the process owners, decides on the recovery time objective (RTO) and recovery point objective (RPO) for the functions.


RTO is basically the time frame within which a particular process needs to be back up and running, and RPO is the point in the past from which information and access need to be recovered to ensure hiccup-free operation. All business functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for business operations are driven by the consequences of not performing the functions. “For example, our call center is a very critical department and so for this function we have an RTO of maximum two hours,” says Nandwani. ING Life also realized that in case of an emergency they will need at least 15 employees to be shifted to their back-up site and ensure that as many seats are available. Without proper business impact analysis such identification would not have been possible. This exercise was carried out similarly for other functions as well. “So now both our offices in Bangalore—the head office and national operations office—have seats allocated for an emergency,” says Nandwani. The organization, he says, needs to look at every function in the same light. So what’s the repercussion for not doing business impact analysis? That question can be answered by another question: How long can a company not perform a function without causing significant financial losses, significant customer unhappiness, or significant penalties or fines from regulators or from lawsuits? On a more direct note: The perils of not performing a BIA are many. There may be financial risks in terms of a direct loss of revenue, the cost of borrowing to meet cash flow, a loss of revenue from sales, penalties from not meeting contractual commitments or service levels, and opportunities lost during the downtime. There might even be regulatory risks or penalties for not filing financial reports or tax returns on time, or any noncompliance issue. “But the greatest of them all is the loss of reputation, poor media coverage, and a dip in customer confidence,” says Faraz Ahmed, CISO and head regional IT, Reliance Life Insurance. Talking about the time frames that they allocate, Nandwani says, “The functions have been assigned ranging from time frames of two to four hours, four to 48 hours and two to seven days.” The more time an organization has to bring a business function back in service following a disaster, the more its recovery options increase.

“Our functions have been assigned (recovery) time-frames ranging from two to four hours, four to 48 hours, and two to seven days,” says Rajiv Nandwani, Executive VP Risk Management, ING Life Insurance.
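The RTO/RPO classification described above lends itself to a small model that a continuity team can keep beside its BIA spreadsheet. The following is an added example, not ING Life’s or Reliance Life’s own tooling; the three tier boundaries come from Nandwani’s quoted ranges, while the list of functions, their RTO and RPO figures and the backup intervals are constructed for illustration. Beyond the article’s tiering it adds one check practitioners commonly want: a function whose data is copied off-site less often than its RPO allows cannot meet that RPO.

```python
"""Classify business functions into recovery tiers by RTO and check backup
schedules against RPO.

Added example. Tier boundaries (2-4 h, 4-48 h, 2-7 days) are the ranges quoted
in the article; the functions and their figures are constructed sample data.
"""
from dataclasses import dataclass

# Upper bound of each quoted tier, in hours.
TIERS = [("tier 1 (2-4 h)", 4), ("tier 2 (4-48 h)", 48), ("tier 3 (2-7 days)", 7 * 24)]


@dataclass(frozen=True)
class Function:
    name: str
    rto_hours: float              # must be back in service within this many hours
    rpo_hours: float              # may lose at most this many hours of data
    backup_interval_hours: float  # how often its data is actually copied off-site (constructed)


def tier_for(rto_hours):
    """Map an RTO to the first tier whose upper bound accommodates it."""
    for name, upper in TIERS:
        if rto_hours <= upper:
            return name
    return "beyond plan"  # the quoted plan stops at seven days


def classify(functions):
    """{function name: tier} for the whole BIA list."""
    return {f.name: tier_for(f.rto_hours) for f in functions}


def recovery_order(functions):
    """Names sorted by RTO: the order in which the recovery team brings functions back."""
    return [f.name for f in sorted(functions, key=lambda f: (f.rto_hours, f.name))]


def rpo_violations(functions):
    """A backup every N hours can lose up to N hours of work, so N must not exceed the RPO."""
    return [f.name for f in functions if f.backup_interval_hours > f.rpo_hours]


# Constructed sample; the two-hour call-centre RTO mirrors the figure quoted above.
FUNCTIONS = [
    Function("call centre", rto_hours=2, rpo_hours=1, backup_interval_hours=1),
    Function("policy issuance", rto_hours=24, rpo_hours=4, backup_interval_hours=24),
    Function("claims processing", rto_hours=48, rpo_hours=8, backup_interval_hours=4),
    Function("monthly MIS reporting", rto_hours=120, rpo_hours=24, backup_interval_hours=24),
    Function("archive retrieval", rto_hours=240, rpo_hours=168, backup_interval_hours=168),
]

if __name__ == "__main__":
    for name, tier in classify(FUNCTIONS).items():
        print(f"{name:24} {tier}")
    print("recovery order:", recovery_order(FUNCTIONS))
    print("cannot meet RPO:", rpo_violations(FUNCTIONS))
```

In the sample, “archive retrieval” falls outside the seven-day plan and so needs either a shorter RTO or an explicit decision that it is acceptable to leave it unrecovered, and “policy issuance” is backed up daily against a four-hour RPO, a gap the BIA figures alone would not reveal.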



Once the planning team has a list of functions and understands what happens when they cease, they need to then look at the quantum of the impact. At Reliance Life Insurance, a very high value is attached to every outage. “If a major datacenter router goes down, it means over 5,000 employees are sitting idle and of course, a major loss of productivity with respect to the amount of time they are unable to work. And this may lead to future businesses not coming in. Business impact analysis will help put a dollar value to these outages,” says Ahmed. Once all that information is compiled, the security teams can have a view of everything the company does and the urgency, the impact and the significance of a non-performing function. This information forms the foundation of the data needed to develop suitable recovery strategies for the risk that every business function of an organization can face. An efficiently designed BIA strategy and process can be a CISO’s trump card, especially in times of business growth, because that’s when each resource is worth its weight in gold.

Anup Varier is correspondent. Send feedback on this feature to

A Policy That Works
There are many ways to drive and enforce a security policy. Vishal Salvi, CISO and senior VP, HDFC Bank, tells you what he thinks is the most effective.
By Kanika Goswami

When you’re in the security business, dealing with bad news comes with the territory. But, for a change, here is some good news for security professionals: More and more companies are taking their security policies seriously. That’s according to the State of the CSO 2010 Survey (run by CSO magazine, a sister publication to CIO). Eighty-one percent of respondents to the survey agreed that their senior managements have backed a security policy and auditing process in 2010, vis-à-vis only 23 percent in 2004. Here’s another inspiring fact: 66 percent say that security is viewed as essential to the business—as opposed to being an overhead cost—against 25 percent in 2004. According to security practitioners, this change in attitude is the first—and possibly the most important—step towards more effective security practices. If you find it hard to believe that the acceptance of a piece of paper is so critical to security, you are not alone. Yet many experts say that a consistent and efficient security policy may, under today’s circumstances, be the security leader’s best defense against not only past threats but the hordes that tomorrow will bring. And with newer avenues for business including mobiles and social networks, more inter-connectedness and smarter attackers, tomorrow’s threats will make those of today look like child’s play. But if IT leaders think that this makes the formulation of a policy the toughest part of their jobs, they are mistaken. The demands on a security professional remain tricky since they are required to ascertain the depth of a management’s interest in laying down an enforceable and clear security policy. This is where the sharpest technical skills can’t help and where experience and being trustworthy count. An IT leader also still needs to ensure the effectiveness of a policy. But what really makes an info-security policy effective? Is it a control-for-everything approach, draconian penalties, or ensuring management buy-in and hence better corporate enforcement? Vishal Salvi, CISO and senior VP, HDFC Bank, believes it is the latter. However, the security veteran is also a firm believer in measurement. In recent times, the importance of measuring and reviewing the effectiveness of information security policies and procedures has diminished. In 2010, it was an exercise only 66 percent of the security heads pushed, compared to 72 percent in 2009, despite that being a slump year. Another important ingredient in an effective security policy is how determined and impartial it is. Experts agree, for instance, that there should be no reprieve for failing to implement what a policy dictates. They also say that clauses like “exceptions to this policy may be made by contacting the executive in charge of....” undermine the infallibility of the policy itself, making it vulnerable to power play. And that leads to ineffectiveness over time. Having multiple policies containing organization-wide mandates should also be discouraged. Why? Because multiple sources make it more difficult to accomplish a consistent level of security awareness. Besides, with newer threats, policies need to be continually updated and this could also make them cumbersome, instead of efficient. The trick here, say practitioners, is not to add chapters to the policy and increase its size, but to use the existing design to get additional consensus on what more needs to be done. In this interview, Salvi tells you how some of these practices have worked for HDFC Bank and what to watch out for when implementing them.


CIO: What’s the most critical first step towards a smart security policy?

Vishal Salvi: An information security program can only be successful if it has management buy-in. All the communication, interpersonal and technical skills in the world will not get you their attention if security is not what the management mandates for the organization. Once you have senior management buy-in, you can then start engaging with different teams. There are many types of teams and it is important to remember that there will be teams that will be proactive in engaging with you and will agree to stand by you in a security implementation. Then there are other teams which won’t really understand the value of security. Sometimes they may even perceive security as a hurdle to their jobs. There are various techniques that one can use to engage with these teams but they can only be successful if they are backed by the CXO level.

“You must formulate controls based on threats and risks that your organization actually faces—not on your current practice,” says Vishal Salvi, CISO and Senior VP, HDFC Bank.

How do you ensure effectiveness?

For effectiveness, you need to have a policy that is well-supported by documents, procedures, and clear communication, in terms of the overall requirement of control objectives. In fact, to measure efficacy, you need to build technical and procedural audit controls into it to determine what is actually being practiced. Findings from these will give you the measure of the effectiveness of your policy. The security community is increasingly feeling the need to control policy effectiveness, and not leave it to the varying awareness levels of their users. To ensure this efficiency, I think we need to start looking at and understanding human behavior better. We need to gauge better how they respond, and accordingly start making systems which will address their behavior and their responses to risk.

What supplementary documents are most relevant?

Policies are a high-level statement of intent. After that you have procedures which tell you how to implement those controls, and then there are standards which are technology-specific. Those are the settings you need to implement for better security. Apart from that there are manuals and guidelines.

Have you faced audiences that perceive security as a hurdle?

That is always the case. It’s the most general response among employees. People will look at security as a hurdle until they realize its importance, which comes from experience and awareness. Enforcing a security policy will always be a hurdle unless users understand how important security is from experience. In our case, whenever there is a security incident, we use it as a ‘teachable’ moment. We take that episode and turn it into an opportunity to make people aware of the security context they need to operate within. Without these moments, we would need to use other means like enforcement, audit, and regulations to get our point across.

What’s your approach to security policies: Perfect or practical?

When you formulate a policy or control, you have to try and make it an ideal control from a risk perspective. What that means is that you formulate controls based on threats and risks that your organization actually faces—not on your current practice. You should not be framing a policy based on what is happening, especially if your current practices are at a level much lower than the ideal. Your policy should be for an ideal level. But in terms of usage, it has to be practical, since it is not a good idea to have a very complex policy. That would be detrimental to both its usage and assessing its effectiveness.

Do you think it is appropriate to segregate policies by their intended audience?

It is good to create a policy intended for a specific audience. If you know what the policy is aimed at and who the stakeholders are, it can definitely be more efficient. There are three components: The first is user acceptance, which is for a generic policy. Then there is the legal policy that binds HR, processes and controls; these are non-IT. Then there will be some which are specifically for IT only. I think this is the way it should be. In any organization, for the general user we have what is called acceptable user policies. Then another set of policies will be something that will be applicable only for the IT teams, useful only for people who are custodians of the IT infrastructure, including ID and access management policies, etcetera. The legal policies would be organization policies. That is one example of how it can be segregated. In my opinion, segregation makes sense because a single policy for everyone becomes too bulky to be practical.

Send feedback to

7 Security Best Practices
Over the years, Wipro has honed its security practices into an art form. Jayaraman Pazhamalai, GM and CISO, Wipro Technologies, shares some of the company’s best practices.
1. Security risk analysis is the first step in understanding the threat and vulnerability landscape and is necessary to develop a policy.
2. Security education—rather than security awareness or training—should be the culture that IT leaders aim for.
3. A continuous review of an organization’s security policies helps it stay up-to-date with security incidents, audit findings and changes in business demands.
4. A policy needs to have a multi-dimensional perspective to arrive at a meaningful, practical, and ‘implementable’ policy. Here are some of the areas it must cover:
   a. Administrative aspects, conventional scope and the objectives of the policy. It must also cover all the functions and roles responsible for security implementation.
   b. Technical areas. These include core domain areas and social networking-related areas.
   c. Legal and statutory topics with an emphasis on geo-specific aspects of the policy.
   d. Violations and how an organization should deal with them.
5. Emerging technologies and trends. To cover these we have a cross-functional committee among management teams.
6. Education. To ensure this we do the following:
   a. The creation of a fictitious character to convey stories to employees. These are in the form of texts, cartoons, audio or flash video messages, posters and computer-based training modules.
   b. We also have training content on a self-assessment basis, which allows individuals to take a self-assessment course and find out their awareness levels.
7. A good team. One of the most important functions is building a cross-functional, cross-skilled team that:
   a. Has a mandate and is responsible and perseverant.
   b. Can ensure the segregation of duties between security operations and governance.
   c. Has both vendor-specific and vendor-neutral certificates.
   d. Includes specialists in emerging areas like forensic tools and investigative capabilities.
   e. Has solid networking and communication skills and is able to get content from all departments.


Building a Business Case for BCP

As important as business continuity is for an organization, it still needs to be sold to management. Here's how you can do that effectively. By Anup Varier

To create a case for business continuity, the processes and possible effects should be made tangible to stakeholders. This means an emphasis not just on the criticality of reducing risk, but also on the business value and competitive advantage that a strong business continuity plan can provide. Here are some ways you can sell a business continuity (BC) plan.

Don't Make It Greek
Management needs to be shown what is meant by a BC plan. "They need to be told that BC planning doesn't just include IT and it is not just about disaster recovery in terms of IT. No doubt, IT is an enabler, but BC planning includes other important functions like finance, HR, and operations," says Mitish Chidnavis, VP-Operations and CISO Emerging Markets, Obopay, a mobile-to-mobile money transfer provider. Also, a BC plan has to be formulated after taking into consideration the environment you work in, the priorities for the organization and the customers you serve. In order to gain acceptance, "We need to map the risk scenarios to the revenue of the company," says Chidnavis.

"Business continuity is not a one-man exercise. There has to be regular communication through multiple channels including posters, portals, quizzes, screensavers or an in-house magazine," says Mitish Chidnavis, VP-Operations and CISO Emerging Markets, Obopay.

Play the Compliance Card
A good place to start garnering support for a BCP is regulatory requirements. This is especially true for certain industries where the standards demand action. "For verticals like financial services or insurance, BCP will be influenced and sometimes even driven by these requirements," says Chidnavis. So if you're selling a BC plan it's a good idea to get acquainted with existing and upcoming regulations in your industry and align your BCP with them. Show the management that, "Even for getting a contract, demonstrating that you have suitable controls in place helps," says Japjit Sandhu, VP and head IS, VFS Global.

Win 'Em with Innovation
Nothing gets buy-in like pumping some a-ha! moment adrenaline into people's brains. CIOs need to think beyond backups and building redundancies within the system. "We need to move away from a hot-warm-cold backup kind of a mentality and bring in as much innovation as possible to ensure that business goes on as usual," says Sandhu. Organizations across the globe have been troubled not once but on multiple instances when the under-sea cables have been cut, for instance. "So we have architecturally divided our datacenters into two zones looking at various areas of seismic activity in two different continents. This allows us to be able to route our traffic and ensure network availability," says Sandhu.

Get Your Command Structure in Place
Before going to management with a BC pitch, find out how you are going to implement it among users. "A BC plan suffers from a MYOB (mind your own business) attitude from end users. And with growing attrition rates, it is becoming even more difficult to keep pace with training and awareness programs," says Chidnavis. So CIOs need to identify people who will be responsible for the execution of the tasks assigned to the team while carrying out a BCP. It is also key to be upfront that BC planning is not a one-time venture. "Especially in view of the way threats are evolving, a BC plan needs to be continuously reviewed and revised annually," says Sandhu. The ash cloud that started in Iceland but hit the whole of Europe wasn't part of any company's BC plan. "But once you realize the possibility for such an incident it needs to be incorporated into your plan," he says. In the end the management should see that "The biggest ROI on a BCP is the reputation of an organization," says Sandhu.

Anup Varier is correspondent.




When Security Falls on Deaf Ears

The head of IT security at a large national bank recounts the nightmare that occurred when security protocol was ignored. As told to Kanika Goswami

We've always prided ourselves on the fact that, being a bank, our security policy is foolproof and that it's almost impossible for something as insignificant as a virus attack to bring us to our knees. But about a year ago, that's exactly what happened.

We are a large nationalized bank, with over 200 locations and a fair mix of medium and large clusters of machines. About a year ago, we faced a virus attack that we were technically equipped to handle, but when it hit us, it was still a mad scramble. It took two entire days and 20 people to control.

The problem started when a high-end, shared file server got infected and all the PCs connected to it caught the bug. The attack spread rapidly since the virus could carry a dictionary payload and could infect PCs with a simple shared password. Looking back, we realize that if the password to the shared server or to the PCs linked to it had been stronger, it would have been harder for the virus to spread. But that's in hindsight. The unfortunate truth is those passwords weren't strong, which made the attack lethal.

It took us half a day to start the process of controlling the spread. We were lucky that the attack took place in a city which has multiple locations. With this first piece of good luck on our side, we moved operations to another location within the city. The next step was cleaning up the infection. Under deadline and with damage being done to our reputation every minute the virus bested us, our strategy was to spread ourselves. We wanted to make 20 copies of the anti-virus and physically clean up each machine. But when we got on the phone with our security vendor, we discovered that they did not yet have the anti-virus. That's when our strategy of maintaining contacts with more than one security vendor saved us. Despite this, it still took us a whole day to source the anti-virus and start the clean-up. By the end, it had taken 20 people working around the clock for 40 hours to clear out the infection from 250 PCs. That's the sort of experience which ensures changes are made.

First, the Damages
Since the attack and the consequent shutdown took place on a Friday and Saturday, only a few customer communications suffered—and to that extent our market reputation suffered. But for the most part business was not affected significantly. But our team's reputation took a beating. People asked why we hadn't been able to foresee something like this. Even more embarrassing was that the issue was so visible that word of the attack reached the topmost levels of the organization, and the pressure to resolve the situation was huge.

What We Took Away
We learnt a lot of valuable lessons from the incident. Among the most important was using better passwords. Though this best practice was emphasized during our security education session, apparently no one took it seriously. That has changed since. And we've made it the most emphasized part of our security education programs. We also removed the ability for anyone to write on someone else's PC. This will ensure a check against such spreads in the future. We learnt another valuable lesson: that it was smarter to be in an Active Directory environment. Until the attack, we worked in a group environment. Using Active Directory would enable us to control who is logging in and when. At the point of such an outage that's a handy capability. Personally, I learnt that the IT security policy should be very clear in terms of responsibility and accountability in such situations. We already had a policy to meet outages but unfortunately, it took an incident like this for our team to re-look at the religiousness with which procedures were followed. Today, responsibility and accountability are clearly identified and the IT team is sure that if such an incident recurs, we will respond much more effectively.

The author has requested anonymity.
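The account above turns on two failures that a periodic audit catches before an outbreak does: a shared password weak enough for a dictionary payload to guess, and the same credential reused across the file server and the PCs attached to it. The Python script below is an added example, not part of the bank's account or of the magazine. It checks candidate passwords against a policy and a small wordlist (with common digit-for-letter substitutions undone first, so 'P@ssw0rd' is treated as 'password'), and groups hosts whose local credentials share the same digest so that reuse shows up in a report. The wordlist, host names and passwords are constructed for the demonstration, and the thresholds (12 characters, 50 bits of estimated entropy) are assumed values, not figures from the article.

```python
"""Password-policy and credential-reuse audit (added example, not from the article).

The wordlist, hosts and passwords below are constructed for illustration.
MIN_LENGTH and MIN_BITS are assumed policy values, not figures from the source.
"""
import hashlib
import math
import string

# Constructed mini wordlist; a real audit would load a breached-password
# list plus organisation-specific terms (company name, branch codes, ...).
COMMON_WORDS = {"password", "welcome", "admin", "bank", "letmein", "qwerty", "123456"}

# Assumed policy thresholds.
MIN_LENGTH = 12
MIN_BITS = 50

# Undo the substitutions a dictionary attack tries anyway: P@ssw0rd -> password.
_LEET = str.maketrans("@$0143!", "asoiael")


def base_word(password: str) -> str:
    """Strip leading/trailing digits and punctuation, then normalise case and leet."""
    return password.strip(string.digits + string.punctuation).lower().translate(_LEET)


def estimated_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character classes used)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, wordlist=COMMON_WORDS) -> list:
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    base = base_word(password)
    if base in wordlist:
        findings.append("dictionary word")
    elif any(word in base for word in wordlist if len(word) >= 4):
        findings.append("contains dictionary word")
    if estimated_bits(password) < MIN_BITS:
        findings.append("low estimated entropy")
    return findings


def fingerprint(password: str) -> str:
    """Digest used to compare credentials without carrying plaintext in the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused(credentials: dict) -> dict:
    """Map each digest seen on more than one host to the sorted list of those hosts."""
    hosts_by_digest = {}
    for host, digest in credentials.items():
        hosts_by_digest.setdefault(digest, []).append(host)
    return {d: sorted(h) for d, h in hosts_by_digest.items() if len(h) > 1}


# Constructed inventory: host -> digest of its local share/account password.
# In a real audit the digests come from the credential store, never typed in.
SAMPLE_CREDENTIALS = {
    "srv-fileshare-01": fingerprint("bank123!"),
    "pc-0142": fingerprint("bank123!"),
    "pc-0377": fingerprint("Quarterly-Audit-Ledger-2010"),
    "pc-0419": fingerprint("bank123!"),
}

if __name__ == "__main__":
    for candidate in ("bank123!", "P@ssw0rd!", "Quarterly-Audit-Ledger-2010"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    for digest, hosts in find_reused(SAMPLE_CREDENTIALS).items():
        print(f"credential {digest[:12]}... shared by {', '.join(hosts)}")
```

The reuse report is what would have flagged the shared file-server password before the worm used it as a bridge; the policy check is what the bank's "better passwords" lesson looks like as an enforceable rule rather than an awareness slide.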

Indian Information Security Survey 2010

Over 1,600 Indian CIOs are banking on the recovery to take security to the next level. Compiled by Kailas

Eventful. That's how the last two years have been for IT. More so for security. Take 2008, when IT organizations witnessed the boom phase — security budgets were looking up, threats were under control and CIOs and CSOs were a happy lot. Unfortunately, that phase was short-lived, as 2009 reversed growth graphs. The slowdown shrunk security budgets and increased threats and CIOs stood helplessly staring into policy loopholes. But 2010 has definitely stirred the pot, if not shaken it. So says the Indian Information Security Survey 2010. Flip over to find out where security stands today and where it'll be 12 months from now.

[Survey infographics: the charts did not survive extraction. The panel titles, answer categories and captions that remain legible are listed below; rupee amounts are shown as Rs.]

Security Spending
Spend as a percentage of IT spend, alongside the amount Chinese enterprises set aside from their IT budgets for IS.
Security spending over the next 12 months will increase (2009 vs 2010): increase more than 30%; increase 11-30%; increase up to 10%; stay the same.
Your top 5 spending justifications: client requirement; legal/regulatory requirement; common industry practice; professional judgment; risk reduction score.
A higher risk environment has increased the importance of security: do not agree; somewhat agree; agree; strongly agree; do not know.
Your spending drivers: economic conditions 52%; internal policy compliance 39%; outsourcing 36%; regulatory compliance 35%; business continuity/disaster recovery; company reputation.
Callout: share of Indian CIOs who say they employ a Chief Privacy Officer in their organizations (figure not legible).

Deferred Initiatives and Safeguards in Place
Caption: Despite the upturn, IT leaders are still deferring security projects.
Have you deferred security initiatives requiring... (OPEX panel legible): deferred by 1 year or more; deferred by 6 to 12 months; deferred by less than 6 months; not deferred.
What technology IS safeguards do you have in place? User management: web content filters; secure browsers; secure remote access (VPN); centralized user data store; user activity monitoring tools; identity management solutions; security technologies supporting Web 2.0 exchanges; wireless handheld device security. Intrusion detection and prevention: malicious code detection tools (spyware and adware); locks/keys/physical security for computer hardware; intrusion detection tools; patch management tools; subscription to vulnerability alerting service(s); tools to discover unauthorized devices; data leakage prevention tools (DLP); security event correlation tools.
Callout: share of CIOs who say they don't have application, network or personal firewalls (figure not legible).
Media panel (title not legible): backup tapes; file shares; removable media; none of the above.
How often do you conduct an enterprise risk assessment? (2010 vs 2009): twice a year (or more); once a year; less than once a year; don't conduct risk assessment.

Incidents and Losses
Caption: Threats from employees/former employees have dropped 18% from 2009.
Number of incidents (2010 vs 2009): 0 or none; 1 to 2; 3 to 9; 10 to 49; 50 to 499; don't know. Source shown: employee/former employee.
Estimated financial loss caused by breach: less than Rs 5 lakh; Rs 5 lakh to Rs 25 lakh; Rs 25 lakh to Rs 50 lakh; Rs 50 lakh to Rs 2.5 crore. Caption: the share of companies that could not estimate the financial loss caused by a breach is 21% less than in 2009.
Downtime: none; less than 1 hour; 1 to 8 hours; 9 to 24 hours; 1 to 5 days; more than 5 days; not applicable.
Impact: intellectual property theft; brand/reputation compromised; loss of shareholder value.

Contingency Plans and Insurance
Did you have a contingency plan? Was it effective? very effective; not very effective; not sure; not at all effective. Why was it not effective? lack of training; delay in implementation; incomplete plan; lack of management support; lack of partner cooperation; don't know.
Do you have an insurance policy that protects you from security theft? yes; no; don't know. Have you collected on a claim?
Callouts (figures not legible): share of CIOs who say that back-up and business continuity are included in their organization's security policy; share of respondents who feel that information security threats have increased in the current economic climate and who, despite that, don't have an insurance policy to protect them from security theft; share of companies that say they have made a claim.
Caption: Back-up plans just don't seem to be taken seriously enough.

Security and New Tech
Do you currently use virtualization? (2009 vs 2010). Callout: 75% of CIOs in 2009 said they don't use virtualization in their organizations.
Virtualization has made security... (categories include: no change).
Is security for virtualized IT assets adequate? very adequate 29%; adequate 56%; not very adequate 13%; not at all adequate 3%. Callout: 85% of CIOs say security for virtualized assets is adequate or very adequate, 15% more than in 2009.
Source of potential vulnerability in your virtualized environment (2009 vs 2010): lack of additional safeguards; policy application unclear; misconfiguration or poor implementation; outdated approach to firewalls, identity management or access control; lack of adequately trained IT staff. Caption: During the last year, CIOs have addressed the issue of inadequately trained staff in virtual environments.
Biggest risk to your cloud strategy: uncertain ability to recover data 9%; proximity of data to competitor's 14%; access control at provider site 10%; vendor's inability to enforce security policies 23%; inadequate training and IT auditing 32%.

User Management, Encryption and Compliance
User management (32%) and detection and prevention: wireless security standards; centralized IS management process; business continuity; identity management strategy; tiered authentication levels; portable device; single sign-on software; automated password reset; disposable passwords; ID management solutions.
Callout (figures not legible): share of respondents who say they currently outsource some or all of their security operations, and share who say outsourcing security will be a top priority in the next 12 months.
Data encryption (39%): removable media; databases 21%; backup tapes 23%; none of the above 27%.
Assessment and compliance: monitor employee postings in Web 2.0; risk assessments (third-party); penetration tests; threat and vulnerability assessments; integration with privacy/compliance plans.

Survey Methodology
The Indian State of Information Security 2010 is a part of a global security survey by PricewaterhouseCoopers and CIO magazine. It was conducted online during the months of May and June this year. Readers of CIO magazine and clients of PricewaterhouseCoopers were invited via e-mail to take the survey. The results are based on the responses of more than 1,600 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from India. The study represents a broad range of industries including technology (20%), services (10%), banking and financial services (13%), manufacturing (8%), heavy engineering (10%), telecommunications (6%), education and non-profit (4%), government (3%), healthcare (6%), retail (6%), entertainment and media (3%) and transportation and logistics (3%). Thirty-six percent of the executives surveyed reported total annual sales of less than Rs 500 crore, while 26 percent reported sales between Rs 500 crore and Rs 5,000 crore. Nineteen percent of the respondents said that their organization's annual sales exceeded Rs 5,000 crore, while 4 percent were non-profit, education or government organizations (11 percent didn't know). The margin of error is 1%.


From the Top

Yes to Change

Rana Kapoor, founder and MD of YES Bank, shares why the bank takes IT so seriously and how it's going to help change the course of the business. By Sneha Jha

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

Few Indian banks push the technology agenda like YES Bank. Partially because of its newcomer status and because of the entrepreneurial culture it fosters, the six-year-old bank takes IT innovation very seriously. Take, for example, its most recent tie-up with Obopay, which makes it the first Indian bank to support mobile-to-mobile money transfers. Credit for much of that innovative spirit goes to Rana Kapoor, founder and MD of YES Bank. Kapoor, a risk-taker and entrepreneur in the financial space for 30 years, knew he was raising the stakes when he started YES Bank. But the bet paid off. In the first quarter of this fiscal, YES Bank's net profit rose 56.3 percent, the highest in its history. Now Kapoor is spearheading a move to get YES Bank to drop its corporate tag and move into retail banking—the Holy Grail of banking. But it's going to be a hard ride because YES Bank isn't openly accepted by retail customers. Kapoor intends to change that. And he's banking on IT innovation—like the Obopay tie-up—to pitch in.

CIO: Tell us a little about the growth of YES Bank and its evolution.

Rana Kapoor: We like to call ourselves a 'new-generation, private, Indian Bank', which, I am sure, will evolve into the professionals' bank of the country. We have had sequential growth over the past six years as a wholesale bank (wholesale banks work primarily with institutions and organizations). These accounts constitute 64 percent of our business volumes. We have also established a full-service commercial bank, and this comprises 28 percent of our business. We are now leaning towards building an integrated SME and MSME (Micro, Small and Medium Enterprise) proposition. Through our enterprising branches across the country, we want to provide a superior service proposition and comprehensive banking services. In the next five years, we want to build an enduring financial institution through a culture that stimulates and fosters innovation in new products, services and processes—and new business and financial models. YES Bank's vision is to build the world's 'best quality bank' within India by 2015. And, I am sure, IT will help us manifest our vision.

Rana Kapoor expects IT to: help drive the bank's retail push; keep it innovative; support superior customer service.

Let’s talk about your career and what your banking experience has taught you. My career has fluctuated between commercial and investment banking and now to a more comprehensive banking platform. Prior to founding YES Bank, I was the CEO, MD, and main managing partner of Rabo India Finance, a corporate finance and investment banking organization. Before that, I was the general manager and country head for ANZ Grindlays’ Investment Bank. Three decades in banking has made me believe that to be a professional entrepreneur you need to nurture a powerful vision. I believe in the mantra of ‘visualize to actualize’. Once you develop a vision, you must charter out a differentiated strategic roadmap to translate that vision into reality. The success of an entrepreneur lies in his ability to differentiate his line of thinking and put together a team of execution-oriented leaders who share his passion to achieve and execute the vision.

How have you brought these lessons to bear at the bank? Piggybacking on my experience, YES Bank has been built on the pillars of knowledge banking, responsible banking, IT, human capital, and superior, high-quality customer service. I have also learnt that a banker needs to align his vision and strategy with precision deliverables. There have to be short-term, medium-term and long-term objectives and a clear and measurable blueprint. A professional entrepreneur should cultivate skills like problem solving and strategic decision-making. At YES Bank, we have instilled a culture of entrepreneurship. All YES Bank leaders are empowered to make decisions that are best for the organization and are in line with overall business objectives.

"IT has always helped us negate the disadvantage of our smaller branch network and promoted us as key innovators in the sector." —Rana Kapoor

YES Bank cultivates an image of being a ‘technology bank’. What is IT’s role? Since our inception in 2004, we have known that if we were going to take on other established and well-entrenched players, we had to offer a different and compelling value proposition to our customers. In order to thrive in this highly-competitive and cluttered sector we would have to develop a strong innovation quotient in our business model and strategy, riding on IT. The first five years were about innovating to survive and keeping our cost-base low.

Hence, we outsourced our IT to Wipro as part of a seven-year partnership deal in December 2004. Wipro set up and managed all of YES Bank's core infrastructure and hardware, branch rollouts, networking, datacenters and back-up support on a build-own-operate basis. We were the first bank in India to adopt a total IT outsourcing model. Others soon followed suit. The next five years will be about innovating to thrive. In a bid to do this, we have tied up with US-based First Data Corporation (FDC), for example, for an innovative ATM deployment program. FDC will ensure that the ATMs are installed in high-footfall locations. This move will help YES Bank reduce its capital expenditure as the cost of setting up and servicing ATMs will be borne by FDC. IT has always helped us negate the disadvantage of our smaller branch network and promoted us as key innovators in the sector.

Can you give us some examples? YES Bank was among the earliest to get onto the online Real Time Gross Settlement (RTGS) and National Fund Transfer (NEFT) platforms. We were the first to enable speech-recognition in phone banking and, today, are ready to offer video-based phone banking services when 3G becomes widely available in India. We were the first bank in India to offer two-factor authentication for online funds transfers. We also offered Money Monitor, a first-of-its-kind, online financial aggregation tool in India. YES Bank introduced e-checks for the first time in India as well, where customers can make real time payments to any bank account with any other bank in India. As a matter of fact, we also introduced mobile payments—a first-of-its-kind, secure, person-to-person payment service in association with Nokia and Obopay. YES Bank will act as the issuing bank and the custodian of funds under these services.


Despite these strides, YES Bank still has some way to go. What is your vision? I want YES Bank to be a global bank by 2020. We are aiming to become India's No. 4 private sector bank by 2015. In order to realize this vision, we have embarked upon YES Bank's next phase of growth, what we call 'Version 2.0'. Towards this goal, we will be investing about Rs 60-75 crore in expanding our branch network. In order to expand our pan-India footprint we are planning to open 100 new branches in the next year. We have received licenses from RBI to open 91 new branches in June 2010 and plan to scale up our branch network to 750 branches in five years. YES Bank also plans to set up 500 ATMs by August which will be increased to 3,000 ATMs by 2015. In Version 2.0, I envision YES Bank achieving a balance-sheet of Rs 1,50,000 crore, a pan-India branch presence of 750, manned by a staff of 12,000 by 2015. Currently we have an employee base of 3,030 people, which we plan to raise to 4,500 by end of this fiscal. Over the next five years, I am looking at a CAGR of 35 percent. In that five-year period, YES Bank proposes to take its loan book size to Rs 1 trillion, from Rs 221.93 billion now. We plan to expand our wholesale banking business. We are roughly about 20 percent of our potential. Similarly, in commercial banking we are 8-10 percent of our potential. We have less than 500 relationships in our commercial business and the potential is to expand it to 5,000 relationships. Then, in the SME business, we have a target of anywhere between 2-2.5 lakh relationships. As of now we have 7,500 customers in that business.

You said 64 percent of your business comes from wholesale banking. Do you intend to change the equation? Our focus will primarily be on branch banking with a focus on deposit mobilization. That is one area we need to improve: our current account and savings account (CASA), and granular fixed deposits. YES Bank is looking to increase its CASA as a percentage of total deposits from around 10 percent to 20 percent by 2012. We have a strong focus on building strong, stable, low-cost CASA and if we do this our net interest margin should go up from 3 percent now to between 3.75 percent and 4 percent. Our long-term goal is to build CASA up to 40 percent by 2015.

What did the slowdown teach YES Bank? We saw the economic slowdown as an opportunity. We believe in Carpe Diem or seize the opportunity, every day! While most of our peers took an introspective approach, we decided to seize the moment and persistently pursue our business goals. This approach helped us identify key growth areas. We quickly realized that certain industry verticals showed potential even during recessionary times. Our focus was on harnessing the latent potential of these sectors. Some of these verticals were agribusinesses, the healthcare sector—which includes pharmaceuticals and life sciences—and the infrastructure space. These three sectors emerged as our focus areas. The agribusiness showed tremendous potential and proved to be relatively resilient to the economic downturn. And it is still untapped. The other big area that needs to be tapped is the services sector where there is enormous potential. Agriculture, healthcare, hospitality, infrastructure, and education will be the industry verticals that we will focus on to drive our growth. We also strengthened our in-house capabilities, pursued a differentiated business strategy, and kept a single-minded focus on delivering innovative products and services to drive customer satisfaction. We have outgrown the industry so far this fiscal and delivered better than expected returns to all our stakeholders since our inception. Going forward, the single most important focus of our short- and medium-term strategy is to build strong institutional relationships.

What are YES Bank's technology plans for the future? To take our service-oriented and customer-friendly banking approach to the next level, we are innovatively leveraging RFID technology to set up branches of the future. One such branch has been established at the South Extension in New Delhi. Here, customers' debit cards are embedded with RFID microchips, which transmit identity information to relationship managers as soon as customers walk in. The customer's basic details and a photograph pop up on a relationship manager's screen, saving time and eliminating introductory verification. Such branches will be launched as a novel concept in partnership with Intel. The South Extension branch has been designated as the YES Bank Intel Global Innovation Center, where such and more innovative technologies will be tested live in a production environment for the first time. This is Intel's only Global Innovation Center outside of China. I am quite sure that such initiatives would help us stay lean, dynamic and competitive.

Snapshot: YES Bank. Established: 2004. Assets: 36,382 crore. Employees: 3,030. Branches: 153. President and CIO: Umesh Jain.

Sneha Jha is senior correspondent.


On the Fly

When business intelligence is used to inform business of process changes, companies find new ways to save money and connect more closely with customers—faster. By Kim S. Nash

Actions reveal more than words, we know, and companies are watching carefully, using business intelligence and analytics tools to figure out what's happening in their markets. But it isn't just what makes a consumer buy a product or respond to an e-mail promotion that companies want to understand. They're also putting business operations—where efficiency can make the difference between profit and loss—under the microscope. By using analytics to improve business processes, CIOs can help managers feed updated intelligence into their decision-making almost continuously. A marketing campaign can be adjusted in hours in reaction to uptake on a website. A logistics process, such as trucking equipment to construction sites, can be adjusted to changes in the price of fuel. As analytics tools become more powerful, analysis happens faster, enabling business changes that make or save significant amounts of money, says Rick Roy, senior vice president and CIO of CUNA Mutual Group, a $2.8 billion (about Rs 12,600 crore) insurance company. CUNA Mutual has pored over customer data to identify which of its products are selling, why and to whom. Using insights from analytics to guide business process changes is a "dramatic productivity enhancer," Roy says. Sixty-five percent of 335 IT leaders CIO polled recently say business intelligence and analytics have spurred a business-process change in the last year. However, there's more work to be done: just 41 percent say their analytics and business process management (BPM) tools are closely integrated. If analytics and BPM tools were integrated, they could be used to map how best to change business processes given a particular insight from the data, says David White, a senior research analyst with Aberdeen Group. But for now, CIOs like Roy have to work with their business partners to make such determinations. Connecting analytics and business processes sometimes means creating data warehouses to collect information from multiple systems in order to study it. IT leaders also find themselves promoting old-fashioned conversation across departments.



Companies where CIOs enable the best use of predictive analytics tools and techniques—including tying them to BPM initiatives—are better at financial forecasting, retaining customers and eking out more operating profit than companies that haven't caught on, says White. He recently studied 159 organizations that actively use predictive analytics and determined, for example, that best-in-class companies retain 93 percent of their customers, compared to laggards who retain just 66 percent. Competitive pressure—along with substantial, measurable financial gains—will lead more CIOs down this road, says Tim Fleming, CIO of the Industrial Technologies sector at Ingersoll Rand, a $13 billion (about Rs 58,500 crore) heavy-equipment manufacturer. "It's not easy, but you want to do it," he says. "You have to do it."

And rewrite the ending.

Reader ROI:
What merging BI and BPM can do for your company
How it can affect the bottom line
The difference your reaction speed can mean

Fleming's division at Ingersoll Rand has used analytics to flush out and correct problems in such varied processes as order management, global inventory and invoicing. Fleming has dedicated the biggest portion of his IT staff to analytics, he says, because the company has found it so powerful.

Doing analytics well has helped raise the profile of IT at Ingersoll Rand. The company recently replaced a mix of manufacturing and financial systems with Oracle's (ORCL) ERP suite. Historically, IT released new reporting capabilities twice a year. But by updating these capabilities quarterly, then every two months, end users caught errors and spotted trends sooner than they used to. "This gets you back in front of your user groups very frequently, so they're seeing the value of IT," he says. For example, business was able to identify on-time delivery problems in the Asia-Pacific region and Europe. Through analytics, Ingersoll Rand discovered the use of some incorrect data about supplier lead times. In the past, the company had relied on the knowledge of factory employees to identify a problem like this, Fleming says. Also, managers, thinking about efficiency, sometimes waited until the end of each month to enter all the details about some orders. "You don't get that service order in, we can't invoice. If we don't invoice, our accounts receivable balances will be lower than they should be. Then we have a forecasting issue," Fleming says. After getting accurate lead-time data to the factories, the division changed its service-order process so managers now enter data every week. Revenue forecasting improved measurably, Fleming says. Among respondents to a CIO survey, accounting departments topped the list of beneficiaries of analytics-driven business change. Those kinds of outcomes got Fleming the funding to double the analytics team in his division to about 15 people who help business groups plan and implement analytics projects. "Business decided to make a higher investment because they saw results."

Data Enables Change

The insurance industry may have been among the first to connect analysis tools, in the form of fraud detection, with automated workflow technology. But meshing analytics with other kinds of enterprise software can produce new ways to engage customers or make operations more efficient. CIOs who can give business users the means to connect analytics and BPM can cut a path to faster and more fruitful decision making, says Fleming. "Data starts to tell a story. We can help them find that story," he says.

Analytics tools integrated with customer relationship management (CRM) or e-commerce systems can also lead to better processes for engaging with customers. In the past year, CUNA Mutual has used analytics to understand members of the credit unions it serves. The company provides financial products to 7,000 credit unions, and, through the credit unions, to individual members. The number of credit-union members has grown by 14 percent since 2000, which CIO Roy attributes to people seeking stable alternatives to big banks.


But CUNA Mutual's primary customer base is shrinking: The number of credit unions in the US has dropped 24 percent since 2000, mainly through acquisitions. To keep the remaining credit unions, and therefore itself, growing, CUNA Mutual has to know what moves credit-union members to buy a new product or service, Roy says. In 2009, the company launched an analytics project called Voyager, which uses Microsoft's SQL Server database and analysis tools from CA Technologies and SAP BusinessObjects to segment its credit union customers by variables such as product, profitability and demographics. The first step was consolidating customer data from sales and marketing systems, and systems used by its credit unions. Then business analysts explored the data with canned reports and iterative queries on the fly. "They were able to complete in a couple hours an analysis that before would have taken one to two weeks to complete," Roy says. "It's game-shifting change." Business analysts were startled to find that half of CUNA Mutual's $2.8 billion in revenue comes from three of its 12 customer segments. Now the company wants to build financial products to attract the other nine. To appeal to Generation Y consumers, for example, CUNA Mutual is developing more Web and mobile access to products it offers to its credit unions. The company also built software that automatically offers life or disability insurance to people after they take out a loan, over whatever channel the customers used to close the deal: phone, website or in person. The new thinking has CUNA Mutual moving away from three or four large marketing pushes a year to 12 smaller ones focused on producing specific results: selling a particular product to new customers in one demographic, or gaining more profit from an existing customer segment. "You run the marketing, test it and use what you learn to start new campaigns," Roy says.

New Ways to Save

While CUNA Mutual looks outward, at customer dynamics, Welch's, the grape juice and jelly cooperative, uses analytics to make internal operations, namely transportation, more efficient. During a 2007 upgrade of Oracle's ERP suite, Welch's saw it needed newer tools to enable more flexible queries using multiple dimensions of data, says Kevin Kilcoyne, director of customer operations at the co-op. The organization does manufacturing and marketing for the National Grape Cooperative Association. Welch's wanted to collect every data element from each year's 40,000 orders and bills of lading, sweep it into a database and look for patterns to highlight where it could save money on transportation. Welch's auctions its transportation business to trucking companies every year.

Richer, Faster

How one company is using predictive analytics to tap more profitable customers.

Dealer Services, a company that lends money to dealerships acquiring used cars, is trying to use predictive analytics to make money when its rivals can't. The company now studies more complex data than it did in the past in order to better predict which loans will pay off. The 'aha' moment came in 2008, when, as the economy tanked, the private lender began to look beyond simple data points such as loan volume and number of customers. "There was underlying data from dealers that indicated something was brewing," says CIO Chris Brady, including where a new customer had previously gotten loans. If a dealership was coming to Dealer Services because it no longer had a line of credit at a bank, that was a warning sign of what was happening in the used-car market, she says. Traditional business intelligence (BI) might point you in a direction, but predictive analytics aims to uncover a treasure map, says David White, a senior research analyst at Aberdeen Group. That's because BI identifies relationships between a few data points, while predictive analytics evaluates how many factors work together. BI vendors are now offering predictive analytics tools that used to be available only from niche vendors such as SAS and SPSS. White knows of a department store chain using predictive analytics to formulate more profitable coupon campaigns by targeting the right customers. If a store sends a coupon to a customer who was going to make a purchase anyway, the store is no further ahead. But send the same coupon to a shopper who wouldn't have otherwise come in, and you've made money, White says. Dealer Services launched in 2005, and it grew so fast that within six months, Brady says, it had met its three-year goals for revenue, number of loans and customers. It has 70 offices across the US and serves 11,000 dealerships. This growth showed that the market for used-car loans was ripe, Brady says, but the company needed better BI to understand all that was happening. Dealer Services originally analyzed data like everyone else: working off basic reports it wrote internally and some Microsoft Excel spreadsheets. This led to some individuals and departments using different numbers for the same reports, which slowed down decision making and hampered forecasting. Brady brought in Information Builders tools to do real-time analysis of how loans are performing. Managers now study data they hadn't paid much attention to before, she says, such as the age of the loans on used SUVs and trucks. Some dealers were buying those vehicles at the same pace that they had in flush times, but the vehicles sold more slowly, raising the specter of more loan defaults. That made Dealer Services change how it monitored those dealers, she says. "The number of loans can be big for good reasons or bad," says Brady. "If you don't know the difference, you're in trouble." — K.S.N.

At the time, Oracle's reporting tools couldn't perform the in-depth analysis Welch's wanted quickly enough, Kilcoyne says. To prepare for the auction, it took about 30 hours to cull a year's worth of data and then a few months for analysts to study it to decide how to formulate each bid. Analysts consider routes, kinds of transportation available and fuel pricing trends, along with carriers' limitations and performance statistics. Because so much time was involved, Welch's was not always able to bid out all of its distribution routes; typically it bid out only about 60 percent of them each year. The balance went largely unanalyzed and, therefore, un-optimized, says Bill Coyne, director of strategic sourcing. Welch's hired Oco, a SaaS vendor, to provide analytics and data warehousing. Oco accesses Welch's ERP system through a secure Internet connection, skimming the data from order fulfillment and other modules and putting it in a data warehouse at Oco. The process takes about half an hour, Coyne says. Each morning, Welch's analysts tap into Oco to draw the fresh data to their own PCs. They can study it in pre-written reports or formulate their own queries. The time saved on data collection and analysis enables Welch's to bid out all of its transportation routes and do it more than once per year, Coyne says. Welch's can also tweak those routes to save money. For example, the company discovered that if it relocated some of its distribution points, it could use rail instead of trucks, further reducing fuel use. All told, Welch's cut 12 percent to 15 percent from its $50 million (about Rs 225 crore) in annual transportation costs, Kilcoyne says.

Conversations With Customers

Key to game-changing decision making is the ability to detect and respond to market changes, taking into account historical knowledge. DirecTV uses analytics to save customers who want to cancel their service. The company started the program two years ago when it sought to cut churn rates. If a call-center agent can't persuade a customer to stay, the agent will let her go, promising to discontinue service in 24 to 48 hours. During this period, a specially trained agent calls the customer, armed with the knowledge of why she wanted to cancel and a series of proposals designed to change her mind. The proposals are ranked according to the likelihood that they will work, says Jack Gustafson, director of BI at DirecTV. To someone who cited a competing offer from Verizon (VZ), DirecTV will offer a better deal. To someone who complained about technical issues, DirecTV offers free service, support and perhaps upgraded hardware. How hard agents press depends on how valuable the customer has been. "There are some people we just do not want to lose." About 60 percent of customers who want to depart are deemed worth trying to save, he says. The company uses tools from Teradata and SAS to analyze past behavior, evaluating data such as the annual revenue the customer represents, her payment history and how many pay-per-view shows she buys. The program works so well that DirecTV now turns around its "called to cancel" data from inbound calls to its special agents four or five times a day, rather than overnight. Every customer saved is one less customer the company has to try to win back, an expensive process, Gustafson says, that can involve e-mails and telephone calls as well as sending someone out to reinstall the service. "When the customer first calls, they have a certain mind-set: They want to cancel," he says. "When we call back, they're unprepared. It's a little psychological advantage we have." When Coca-Cola began to focus in earnest on using analytics in online marketing 10 years ago, one push was to understand whether their efforts were driving consumers to their website. The site would then lightly tailor pages based on customers' actions during past visits, says Doug Rollins, group director of loyalty CRM measurement at the $31 billion (about Rs 139,500 crore) beverage company. A new visitor who entered a Diet Coke promotion might have been offered that option more prominently next time.
Now, though, the My Coke Rewards program has helped the company develop more in-depth knowledge about loyal customers. The inside of every bottle cap is printed with a 12-digit code that customers can text or type into a website or desktop widget to accumulate points that can be exchanged for prizes and other awards. Those who opt in to e-mail marketing receive


regular offers to gain more points, as well as other marketing pitches. Each is customized based on segments created from demographic information and behavior collected by the site. On average, 285,000 customers visit per day, entering an average of seven codes per second. Information embedded in the codes may include a region or location where the bottle was sold and whether it had special packaging, such as an Olympics logo, that Coca-Cola uses to tailor its pitches. A 43-year-old woman, for example, may receive an e-mail touting a "Family Roadtrip" sweepstakes, including a $5,000 gift card. A 20-something man might get a message offering an extra 10 points if he enters three more codes within a week.

After four years, My Coke Rewards is among the longest-running marketing programs in Coca-Cola's history. And as the program has grown, the company has changed the way it runs in response to insight from analytics. For example, at first the program focused on Coca-Cola, Diet Coke and Coca-Cola Zero drinkers. Now the company cross-sells and upsells other brands, including water and juice products inherited in corporate acquisitions. Doing so entailed shifting how each business unit approaches its marketing, he explains. Coca-Cola uses the FICO Precision Marketing Manager suite of statistical analysis tools to study data from its websites. Marketers look at which come-ons elicit the most and best responses, says Thomas Stubbs, Coca-Cola's interactive marketing director in global IT. Coca-Cola also exchanges data with companies that supply prizes, including Nascar, Nike (NKE) and Sony. "As technology has evolved, we're able to do more and have a relevant dialog with customers, not just push our ideas out there," he says. Limited-time promotions don't teach a company as much about its customers as ongoing interactivity, Rollins says. FICO's business rules-management software helps determine in real time what material to present to consumers on which platform. The company has learned that watching behavior is more meaningful than reading questionnaires Web visitors are asked to fill out, he says. For example, some consider Diet Coke a woman's drink. "A man might not want to admit that he's a Diet Coke drinker. He will say in a survey that he prefers Coke. But we see he enters only Diet Coke PINs and market accordingly." The idea is not just to save business but to create new business. Successful projects spark new ones. Analytics tools help companies create more money-generating interactions with customers and shave costs from internal operations. CIOs should connect analytics technologies with ideas about refining business processes, says Aberdeen's White. "Meld them together and that's very powerful." CIO

Improving IT and BPM

Businesses claim to have improved their management processes and the way in which IT supports them, more than a year after the recession began to bite hard. That is according to the Oracle Enterprise Performance Management Index, a report that uses a variety of factors to score businesses on a scale of one to 10, where 10 represents perfect performance management. The report assessed organizations' views of the quality of their processes and information governing the stakeholder environment, market model, business model, business plan, business operations and business results. Globally, firms reached a 7.04 score, a significant improvement from a year ago, when the average was 5.13. For the report, 800 large organizations were interviewed. The growth of businesses' confidence, in their processes and in the improved way IT works with the rest of the organization, follows many firms having taken steps to improve efficiency during the recession, the report said. Companies reported "significant improvements" in their strategic planning and reporting processes, and that they favored business intelligence systems for reporting. The downside? Many businesses still admitted they were "too internally focused", with some weak operational integration between departments. — Leo King






Case File

Insurance is a tough game. And when you have 20,000 leads a month sitting in disparate systems across the country, it only gets tougher. With an efficient lead management system, HDFC Ergo collected all its leads in one repository, allowing it a 30 percent lead conversion rate.

Reader ROI:
How a CRM system can help marketing
The multiple benefits of consolidation
Why IT should initiate business solutions

We live in a world of uncertainty. The escalating number of road accidents, plane crashes, or just the growing wrath of nature manifested in cyclones or freak incidents involving volcanic ash spew, will turn even the biggest optimist into a skeptic. Unless you're a soothsayer, there is nothing much you can do to avoid accidents. There is a way, however, to limit your damage: insurance. One of the key players of the burgeoning Indian insurance industry that many believe is in its Golden Age of growth is HDFC Ergo General Insurance. It was born out of an initiative by HDFC Bank to enter into the general insurance sector. The company has had an eventful start. It began operations back in 2002 as HDFC Chubb General Insurance Company, a partnership with the bank and Chubb, an American insurance company. After Chubb exited, it operated as HDFC General Insurance till the end of 2008, after which it partnered with Munich-based insurance company ERGO International AG and came to be known as HDFC Ergo. With a little over eight years in the industry, it is already the fifth largest private insurer in the country. For a company that has gone through multiple management changes, it has a robust IT system supporting it. That's because it takes its IT seriously. Take, for example, its 'mobile enrolment technology' campaign, which helps the rural masses buy insurance policies with a mobile phone, or its RFID-enabled cattle insurance offers. Technology has been instrumental in placing the company among the best in the country. But it wasn't enough.


All Over the Place

HDFC Ergo, like any other insurance company, reaches out to its customers through a network of agents, direct sales force, brokers, dealerships and bank employees. Traditionally, the leads generated by field executives would be manually entered in Excel sheets and communicated to a branch office or an area sales manager through e-mails. The problem was that about 20,000 leads were being generated across the country every month. And they were updated in disparate, asynchronous systems. "Because each employee would report leads only to his immediate officer, data was fragmented and it was almost impossible to get a holistic view of all the leads that were being generated across the country," says Mehmood Mansoori, head-IT, HDFC Ergo. The sales team was struggling to generate reports, calculate their conversion rate, or figure out which deals were getting closed and which were not. This was beginning to trouble Mansoori. "It was undermining our efficiency. It was difficult to figure out where the gaps lay and what we could do to close them," says Mansoori. These challenges came at a time when the company had started pursuing an aggressive growth strategy. In the past two years, HDFC Ergo has grown from 15 branches to 70. This meant it needed a faster turnaround time, more successful


ad campaigns and a higher conversion rate. Mansoori knew he could help and the answer lay in a consolidated CRM system. When HDFC Ergo's head of IT approached management with his proposal for a centralized lead management system, it wasn't a hard battle to fight, he remembers. They were thrilled that someone could help them with their problems. With that settled, Mansoori began the process of re-designing the company's lead management system. But before that, he needed to find an efficient CRM system. Mansoori settled with the Sales Force Automation module of Talisma 7.1.

SNAPSHOT
HDFC Ergo
ESTABLISHED: 2002
HEADQUARTERS: Mumbai
TURNOVER: Rs 1,004 crore
EMPLOYEES: Over 950

Leading Edge

Mansoori wanted a data upload tool by which the 450 field executives could directly upload lead data into the Talisma server. The vendor's implementation team came out with a tool that periodically picks data from a specified folder and uploads it to the server. With the new system in place, field executives can now upload leads generated from the market, third-party databases, and existing customers into a central repository. The sales team can use the Lead Tracking and Reporting Mechanism tool to manage leads and track these leads across the customer lifecycle, and generate various reports for top management. The system also gives the flexibility to customize according to the user's needs. "A single repository of data enables us to closely track the sales pipeline and figure out where the gaps are, and how to close them out. My users were thrilled with the solution, because it makes their lives so much easier," says Mansoori. Akhil Dhamija, national manager, HDFC Ergo (he is part of the retail team responsible for customizing the system), agrees with Mansoori. "We have a team which takes care of leads. Now, it is important that all these leads and prospects are brought into a refined tunnel which helps us attend to them. This way we can extract maximum potential in conversion of the leads," he says. And that's clearly visible from the lead conversion rate, which today stands at 30 percent. A 30 percent conversion rate of 20,000 leads equals 6,000 policies. That's not the only thing that makes Dhamija a happy man. The system has also enabled the company to run a lot of marketing campaigns to attract more customers into buying insurance. "With the new system, I can tag each campaign with specific attributes, be it location, size or type of market, into the Talisma software. By further customizing the software, I can compare the effectiveness of one campaign with that of the other. This helps us improve with each campaign," he says. What's more, the system is also a boon for call center employees. With simple customizations they can now closely track all the policies the company has issued and service customers according to their needs. For example, they can alert customers if their policies are about to mature or offer them new policies. With so many benefits crowding Mansoori, what would be the ultimate benchmark to the success of the project? "The system has helped our sales agents enhance their relationship with their current and potential customers. This will essentially help improve traction with our customers." And that's what every company in the competitive insurance sector aims for, isn't it? CIO

Varsha Chidambaram is correspondent.



Power

Collective-intelligence tools can shepherd the best and brightest ideas and turn them into huge bonanzas.

Reader ROI:
How you can tap the intelligence of your organization
Deciding whether you should pay for their ideas


Knowledge Management

When it comes to solving pressing business problems, conventional wisdom is that two heads are better than one. With the advent of collective-intelligence tools, enterprises are realizing that thousands of heads are better still. Take Pfizer and AT&T, for example. One of the largest pharmaceutical companies in the world, Pfizer knows that the best solutions to its business problems don't always come from the researchers on the front lines, says Rob Spencer, a senior research fellow at the New York-based company. Often someone in another department or another country could hold the missing piece to a particular puzzle, he says. That's why Pfizer wanted to figure out how to tap into the collective intelligence of its 86,000 employees to address its business challenges, says Spencer. To do that, Pfizer turned to Idea Central, a tool built on IBM Lotus Domino and developed by Imaginatik. Imaginatik customized its Idea Central for Pfizer, which then dubbed it the Pfizer Idea Farm. The software-as-a-service platform gives Pfizer employees a vehicle for submitting ideas for new products or process improvements, according to Spencer, who notes that it has saved the company $20 million (about Rs 90 crore) while helping to solve hundreds of business problems. For its part, AT&T is using an 'innovation management' platform to provide a forum for its employees to share information and ideas on how to improve products and services, according to Patrick Asher, innovation leader at AT&T. The forum is open to all managers globally, and the company is starting to build prototypes based on some of the ideas that have been proposed, but "we're not ready to talk about those yet," Asher says. The system features innovation software from Spigit running on AT&T's own infrastructure, Asher says. Currently the program is open to the telecommunications company's 120,000 management personnel, but AT&T is on the verge of opening it up to non-management staffers as well.


Crowdsourcing at Sun & Ski For the past year, Sun & Ski Sports has been using the Product Recommendations engine from Baynote. The system makes recommendations by tracking the behavior of all the consumers who visit the outdoor sporting goods retailer’s Website. Unlike Amazon’s recommendation engine, which mostly relies on the past behaviors of users to make recommendations, Baynote observes users’ behaviors on a site in real time, says Baynote CEO Jack Jia. Then it looks for patterns based on such things as how much time shoppers spend on particular product pages, whether they scroll up or down or through the whole page, or whether they highlight any text, click on any links or add any products to their shopping carts. Baynote then uses collective intelligence and an affinity engine to analyze the data, says Jia. The system then suggests products to the user. “Our challenge was that we’re not Amazon, so we don’t get the repeat shopping over and over so it’s hard to build a profile on someone to recommend products. It takes too long to build a profile that way,” says Scott Blair, director of e-commerce at Sun & Ski. “So collective intelligence was the better option for being able to offer up quality recommendations to our visitors.” Since the Baynote system went live, Sun & Ski’s revenue has increased by 13 percent, says Blair, who declined to give exact dollar figures. And 50 percent of the company’s online sales now come from customers who click on items recommended by Baynote, he says. — L.R.

Different Definitions

So, what exactly is this thing called collective intelligence? "The definition we like to use is 'people and computers connected in ways that seem intelligent,'" says Rob Laubacher, acting executive director of the MIT Center for Collective Intelligence, which brings together faculty from across MIT to conduct research on how new communications technologies are changing the way people work together. The MIT researchers are trying to understand how to take advantage of collective intelligence to use it for things such as organizational effectiveness, organizational productivity, profitability and teamwork, he says. "Our basic research question is: How can people and computers be connected so that, collectively, they act more intelligently than any individuals, groups or computers have ever done before?" Laubacher adds. One of the center's major findings is described in a paper for which the center gathered nearly 250 examples of Web-enabled collective intelligence, including Google, Wikipedia and Threadless, a unit of SkinnyCorp that harnesses the brainpower and creativity of a community of over 500,000 people to design and select T-shirts that are sold on the Web. The striking thing about the collection of ventures studied is its diversity, the paper says, noting that the examples exhibit a wildly varied array of purposes and methods. But after studying the various initiatives in depth, the researchers identified a relatively small set of building blocks, or what they call "genes," that are combined and recombined in various ways in different collective-intelligence systems, according to the paper. For example, reliance on the "crowd gene" is a central feature of Web-enabled collective-intelligence systems, according to the paper. In fact, all of the examples the researchers studied included at least one instance of the crowd gene: they all involve at least one task that anyone is welcome to participate in, according to the paper. "There is still much work to be done to identify all the different genes for collective intelligence, the conditions under which these genes are useful, and the constraints governing how they can be combined. But we believe the genetic framework described here provides a useful start," the researchers say in the paper.



With this framework, managers can do more than just look at examples and hope for inspiration. Instead, for each key activity to be performed, managers can systematically consider many possible combinations of ways to generate new ideas. Although this approach doesn't guarantee the development of brilliant new ideas, MIT researchers say it does increase the chances that organizations can begin to take advantage of the collaborative possibilities already demonstrated by systems like Google and Wikipedia. Collective intelligence is linked to 'crowdsourcing', the idea that you can gain more wisdom from crowds of people than you can from one person or small groups of people, according to Chris Andrews, an analyst at Forrester Research. But there's also another definition of collective intelligence. "Collective intelligence is collecting information about what lots of people are doing and using that information to help produce better decisions for your interactions with customers," says Susan Aldrich, an analyst at the Patricia Seybold Group. Houston-based Sun & Ski Sports is harnessing the collective intelligence of its customers to provide good product recommendations for first-time visitors to its Website, says Scott Blair, director of e-commerce at the outdoor sporting goods retailer. (See Crowdsourcing at Sun & Ski.) The concept of collective intelligence was foreign to people even just a decade ago, says Forrester's Andrews. But the Internet has made the concept much more accessible and much easier to apply, he adds. "The market for innovation management tools is still developing and is therefore amorphous, but we expect this market to steadily evolve and mature, driven by strong corporate demand," says another Forrester analyst, Chris Townsend, in a report. In his paper, Townsend quotes a 2008 IBM report that says 93 percent of 1,130 senior business executives from around the world cited innovation as a top strategic priority.

Gathering Ideas

3M, the company behind innovations like Scotch-Brite and Post-its, uses the power of the crowd to ideate. 3M’s reputation for innovation is well established, but the company wanted to include more staff in the ideation process. Traditionally, access to the company’s annual ‘Markets of the Future’ brainstorming sessions was limited. By employing a new internal social networking platform, 3M was able to foster creativity and collaboration among all its employees around the world. In the two weeks the tool was open to employees, it attracted more than 1,200 people, who generated over 700 new ideas, which resulted in nine new markets for the company to explore.

The Situation: 3M’s Corporate Strategy group conducts an annual exercise to define future markets. The organization sought to broaden the scope of this process and challenge employees to focus on the future while the economy tried to correct itself. “Although not an easy task, leaders recognized that this was the ideal time to inject new fuel into the process for defining future markets,” says Barry Dayton, knowledge management strategist at 3M.

What They Did: 3M’s Corporate Knowledge Management group partnered with its Corporate Strategy and Corporate IT groups to deploy Enterprise 2.0 technology to expand and manage its innovation process. Access was open to all 75,000 global employees, and 1,239 people in 42 countries participated during the two-week idea-gathering period. For another four weeks, the 736 ideas generated were filtered into 26 market clusters. All told, the new process yielded nine potential future markets for 3M.

Why It Was Unique: The group dramatically broadened access to its innovation strategies and learned a new technology in an exceedingly short period. In only eight weeks, it was able to reach out to tens of thousands of global employees and identify multiple viable potential markets.

The Takeaway: The biggest benefit was that this new approach supported efforts to enhance employee engagement. Additionally, there’s now a strengthened partnership between the Corporate IT and Corporate Knowledge Management groups. The strategy also demonstrates 3M’s ongoing commitment to investing in its future. — Rick Swanborg

Building on the Ideas of Others


Pfizer’s Spencer says Imaginatik’s Web-based collective-intelligence application lets employees build on the ideas of others and then allows the company to review, structure and track those ideas. The Idea Farm helps Pfizer find additional applications for drugs that are already in use, Spencer says. It lets the company pull together the right resources to rapidly and efficiently solve problems and uncover opportunities so it can have an edge over its competitors, he says. Spencer says Pfizer has been using the Idea Farm for about four years to solve business problems, which typically come to him from the heads of various business units. After a 20-minute conversation with a business unit leader, Spencer says he can determine whether to pursue a problem based on its potential value to the company, how passionate the person is about finding an answer, whether that person has the resources to manage the problem and whether or not the problem could benefit from the large-scale focus the Idea Farm supports. When he decides to tackle a particular problem, Spencer says the next step is to come up with the problem statement, which he calls the challenge. Then, through the Idea Farm, the challenge is e-mailed to a group of people invited to participate. Spencer says he has conducted challenges for groups of 200 to 20,000 people.

Participants then enter suggestions into the system via a preconfigured electronic form that’s quick and easy to complete, Spencer says. Technically, the system needed to conduct a campaign can be completely set up and ready at scale in about 30 minutes, he says. However, the discussion about the business need that people are being asked to address is really the most important part of the process, and that could take as little as an hour, if the business leader has a clear and urgent need, or as long as a week, with several meetings, he says. All participants can access the ideas that are submitted and comment on them. Imaginatik says that its software has over 50 features to help capture, manage, develop and evaluate the ideas. Idea Central is much more than a wiki, Imaginatik says, because the software is specialized to support the innovation and idea-management process, with security and configuration management, for example, geared to this particular market. Typically Pfizer’s challenges last for six weeks and end on a particular date with a decision about which idea will best solve the business problem, Spencer says. “It is the business sponsor who sets the criteria for good ideas and then the path to implementation,” Spencer says. “Serious business needs quickly get detailed and complex, so this is far more effective than a generic approach to innovation.”

No Cash Rewards for Employees

Unlike other companies, including AT&T, Pfizer doesn’t offer cash rewards to employees who submit winning ideas because, Spencer says, tangible rewards, including money and prizes, are actually quite a bad idea. “They devalue an altruistic contract with the business and beget their own bureaucratic costs,” he says. “Recognition, however, is always an excellent follow-up to a successful campaign.” Spencer says he has conducted 240 challenges over the past four years, and he does it as a no-cost internal service that benefits both R&D and the entire company. Since 2006, Spencer says, the Pfizer Idea Farm has saved the $50 billion company (about Rs 225,000 crore) about $20 million (about Rs 90 crore), or about 0.04 percent of turnover. But it’s not always just about the money, he adds. One Idea Farm project helped Pfizer shave three months off a 12-month process for setting up human clinical trials for a new drug, he says. “So the ROI becomes fairly simple: did that process help you deal with the problem faster, better, cheaper? The answer is nearly always yes,” he says. “We cut three months off a 12-month process. A finance person could put a dollar figure on that.”

Pfizer’s implementation is an internal software-as-a-service setup, but it isn’t cloud-based, Spencer says, explaining that the company has added extra security features. “We own our own specific server, it is electrically isolated from any other computer with a full static installation of the necessary software on it,” Spencer says. “We share no disk space with anyone else. In addition, Pfizer and Imaginatik jointly installed a VPN to this server and also jointly implemented a third-party single sign-on solution, which both gives a better end-user experience and still another layer of authentication.”

Innovation Management at AT&T

“About a year ago, we wanted to re-implement how we innovate inside AT&T, so we went out and got Spigit software and created a big process called the Innovation Pipeline,” Asher says. “On the front end, we’re using crowdsourcing to get all the people across our company, not just the researchers, involved in innovating in a Web 2.0 environment. People are voting on the ideas and commenting on them, and we’re taking the ideas that come to the top, funding them and turning them into products.” Asher says that each quarter AT&T asks employees to submit new ideas, and those ideas are then refined and ranked using Spigit’s analytics engine. The top 10 ideas each quarter that can generate revenue or enhance the experiences of AT&T customers become candidates for internal funding, he says. Asher says the top 10 ideas are completely generated from the crowdsourcing model, and he has no control over the selection of those ideas.

And unlike at Pfizer, Asher says there are rewards for employees who submit the winning ideas. “We have several ways to motivate people to be involved in the site,” he explains. There are leader boards and rankings, so “that’s a competitive motivator and those are placed prominently on the Website,” he says. “We give trophies to the people who have the highest-ranking ideas each quarter, and they’re presented by our senior leadership at town hall meetings. If the idea actually gets funding, we give them cash rewards. And if the idea gets another round of funding to turn it into a product, they get another cash reward.”

The Innovation Pipeline has been in operation for over six months, and “we have 22,000 people [contributing] on our Website, and that number’s growing every month,” Asher says. The collaboration software is already yielding results. A researcher in AT&T’s lab in Austin who was looking for information about a particular idea posted it to the Innovation Pipeline Website. Within two hours, an employee who works in the company’s network operations center in Dallas responded, saying he had written a report with all the supporting data the researcher needed, Asher explains. “Normally it might have taken weeks for the researcher to find out about that report, if he found out about it at all,” Asher says. “We’re not ready to put a dollar figure on that, although we will, but we’re really speeding velocity here. We’re getting things done faster.”

Deep Dive: Everything you wanted to know and more

Building A Panic Room

As threats and disasters get more unpredictable, many CIOs are beginning to re-examine their business continuity and disaster recovery plans. What you should remember when you join them.

What’s Inside
Case Study: Quick Relief (page 84)
Features: Here Comes the Wind (page 90); Prepping for Pandemics (page 94); Backups Forward (page 100)
Columns: Acing IT Availability (page 88); Raiders of the Lost Archive (page 99)

Quick Relief
By Vincent Biddlecombe

When disaster strikes, bringing your systems back to normal, swiftly and inexpensively, is a tough task. But with virtualization, putting disaster recovery plans in place becomes far more tractable. Here’s why.

Illustration by MM Shanith

Deep Dive | Business Continuity

Designing a disaster recovery plan has traditionally forced companies to strike a delicate balance. To create a plan that restores operations quickly, an enterprise needs to invest significant capital. On the other hand, costs can be cut dramatically if an enterprise is willing to withstand longer periods of downtime. During the planning stages, while the network runs properly, the pressure to reduce costs is felt most strongly and often prevails. But when disaster strikes and the network goes down, everyone starts screaming to get it up and running again, as fast as possible. Finding a way to walk this tightrope is a major challenge, but with the advent of virtualization, deploying disaster recovery plans that restore operations quickly, and at a reasonable cost, is quite possible.

At Transplace, we have struck that balance: a simple way to recover operations fast, at a relatively low cost. Virtualization played a vital role in helping us achieve this. How did we do it? We developed a new disaster recovery plan based on virtualization when we moved our infrastructure to a new production datacenter in 2007. We also took that time to refresh our hardware and review our overall architecture. Previously, we ran daily backups and physically moved the data to an off-site location. With this process, we risked being down for half a day if we experienced a problem in the middle of the day. The plan also limited us in that we only backed up once a day, which meant we risked losing a day’s worth of work (a recovery point of a full day). It also required us to have dedicated servers that sat idle except when we executed a recovery. After we moved into our new datacenter at the end of 2007, we began to plan our new disaster recovery datacenter, into which we moved in February 2008.

At the storage level, we deployed network-attached storage and SnapMirror software from Network Appliance to create virtual storage for our database and application servers. SnapMirror lets us send copies of all changes to our backup facility on a near real-time basis without impacting the performance of the applications: any time a record changes in production, a copy is sent to our disaster recovery facility. This shared-storage approach also allows us to manage storage centrally, and we buy storage only when we need it.

At the database level, we deployed IBM P570s with AIX as the operating system, leveraging its logical partitioning technology. This combination allows us to partition each server to look like multiple servers, and we can run multiple database servers by sharing the capacity of the individual machines. In our disaster recovery facility, the database server runs four to six copies of Oracle that we use for testing and development most of the time, but if the need arises, we can shut down those virtual servers and run the disaster recovery instance of Oracle on the same hardware. This also lets us make the most efficient use of our Oracle licensing costs, which are essentially charged per physical CPU core.

At the application server level, where we run VMware and Windows on Dell servers, the content of each virtual machine is also replicated to the disaster recovery site whenever an update occurs. With both the VMware hosts and the IBM database servers, we use one set of servers for testing and development. When we need to run a disaster recovery restore, we turn off the virtual servers for test and development, bring up the ones for disaster recovery, and we’re good to go. All the data and content of the servers is quickly copied over.

Four-Step DR Process

We used a four-step process that helped us execute the project in an organized way. For enterprises ready to develop a disaster recovery plan, these steps will help frame the project and ensure a reliable disaster recovery process:

Step 1: Enablement. Make sure all the data is properly transferring to the disaster recovery datacenter. Ensure that all the proper hardware in the disaster recovery datacenter is in place, will remain stable and is running on up-to-date operating systems. Also, review all applications and decide how long you can go without each one (its recovery time objective). This helps prioritize the most crucial applications. Some applications might need to be restored in less than an hour, while you might be able to do without others for up to 12 hours. This part of the plan becomes an internal SLA.

Step 2: Testing. Develop detailed procedures and processes on how and how often to test the disaster recovery plan. We recommend at least once per quarter. You also need to determine how to measure success so that you can evaluate the testing and document the findings to compare one test to another with a high level of validity.

Step 3: Cutover Documentation. You need to document exactly how you will cut over if and when a disaster strikes. There will be some elements similar to the test process, but there will also be differences in how you execute procedures during a live disaster recovery. With all the pressure your IT staff will be under, it’s critical that this step is clearly and thoroughly documented.

Step 4: Returning to Normal Production Infrastructure. Just as important as how to cut over to your disaster recovery infrastructure is knowing how to return to your normal production infrastructure. It’s not always a case of doing things in reverse, and it’s a process you should also test.

Lessons Learned

It’s important to bring all of the key vendors and your internal IT team into the same room at the same time. This gives everyone a chance to voice concerns, explain how their piece of the puzzle contributes to the overall project, and understand the functions of the other parts of the project. If you get yourself into a position where you act as the go-between among your vendors, important information will undoubtedly be lost in translation. Enterprises should also take a good look at compression technologies. With all of the data that needs to be copied to the disaster recovery site all day long, it’s important to reduce the amount of bandwidth you require so that your network runs efficiently.

DR in the Cloud Yields ROI

Moving your DR to the cloud can give you frequent off-site replication and save a good deal of money. The promise of cost savings derived from cloud computing is attractive, but concrete financial returns are not always quickly achieved. Except, perhaps, when it comes to disaster recovery. Offloading the expense of buying your own hardware, software and networking capabilities for use during a prolonged outage, as well as that of the ongoing maintenance of duplicate infrastructure, can produce measurable savings, says Eric Heidrich, director of IT at Help At Home. He expects to save $150,000 (about Rs 67.5 lakh) over three years, mainly by cost avoidance. Infrastructure-as-a-service is the original impetus for cloud computing, says Judith Hurwitz, CEO of the consultancy Hurwitz and Associates, and it can be cost-effective. Other companies also see cloud computing as a means for disaster recovery; one hired Iron Mountain to back up and restore data and applications in the event of a prolonged outage, said its CIO, Daniel Flax.

Help At Home is a private company that assists the elderly and disabled with household chores, like cleaning, cooking and errands, and routine health care. The company employs 13,000 field workers in nine states. Since Heidrich arrived at Help At Home in 2008, he has virtualized nearly all of the company’s servers on VMware. He had been doing backups with SonicWall’s continuous data-protection appliance. The appliance constantly searched files and databases for changes, and Help At Home paid a monthly fee, he says. But SonicWall’s appliance wasn’t backing up operating systems or imaging any servers, because that required the added expense of installing SonicWall software on every Help At Home server. Yet restricting SonicWall’s use to only data meant that in a disaster, such as a long power outage caused by a storm, no server images or application configurations would be saved. This type of outage hasn’t happened yet, but the company must prepare, Heidrich says.

For full disaster recovery, he first considered making one of the company’s 85 offices the fail-over site. But duplicating and maintaining that infrastructure would have cost about $190,000 (about Rs 85.5 lakh) over three years, he says. That price tag includes a four-node storage area network, two switches, three servers and an uninterruptible power supply; a fast Internet connection between the main office and the branch; about 120 hours of set-up and configuration time, amounting to $15,000 (about Rs 6.75 lakh) in labor; and three hours per week of ongoing maintenance, at a cost of $20,000 (about Rs 9 lakh) over three years. Instead, Heidrich found Iland, a cloud infrastructure vendor, through a Google search for VMware-related disaster-recovery ideas. Using Iland costs Help At Home only $48,000 (about Rs 21 lakh) over three years, Heidrich says. He counts the difference, about $140,000 (about Rs 63 lakh), as money saved. Iland connects to Help At Home via a VPN and uses its replication product to copy any changes in VMware images to Iland servers every night. Some critical applications, such as client management and billing, are replicated more often. If a disaster occurs, Iland can restore all of Help At Home’s virtual machines on its own hardware, and branch offices will be redirected to Iland. Restoring in the cloud is much quicker than other disaster-recovery scenarios, Heidrich says, “and there’s no hardware to buy.” — Kim S. Nash


By Stephanie Balaouras

Acing IT Availability

Forrester often gets inquiries such as, “What requirements should we keep in mind while developing disaster recovery (DR) plans?” Technology supports disaster recovery preparedness, but it doesn’t constitute a strategy. You need a framework to manage disaster recovery preparedness as a continuous process, not a one-time event. It’s also important to periodically update the business impact analysis (BIA) and risk assessments (RAs) that provide the key inputs into the development of your disaster recovery strategy. Organizations that take this proactive, holistic approach often use the term IT service continuity rather than ‘disaster recovery’.

As businesses become increasingly dependent on IT, they demand greater levels of IT availability, forcing IT teams to revisit their strategies for both local high availability and IT service continuity. If money were no object, IT leaders could implement solutions that would enable zero downtime and zero data loss. But the pressure on IT costs means that they must justify their investments by categorizing IT systems in terms of criticality and implementing the most cost-effective solutions to achieve recovery objectives or SLAs. Determining the criticality of IT systems and writing meaningful, achievable objectives or SLAs with business owners are often far more challenging than the implementation of the technology itself. Forrester Research uncovered four best practices:

Classify systems for criticality. Whether you are developing a strategy for operational high availability or IT service continuity, determining criticality requires that you perform a business impact analysis. For each business process, you must map dependent IT systems, calculate the cost of downtime, and determine availability rates and recovery objectives.

Develop tiers of service for both availability and IT service continuity. To reach the next level of maturity, IT leaders must shift their thinking from DR to IT service continuity. IT service continuity is less a reactive response and more a focus on the nearly continuous availability of IT services. Once your range of recovery objectives is determined, it helps to develop an IT availability and service continuity catalog. The catalog is a range of service tiers. Each service tier has an associated availability rate, recovery objectives, technology prerequisites and service delivery cost. This simplifies your strategy and helps you communicate with the business.

Measure availability from the end-user perspective. Well-written objectives must measure unplanned and planned downtime. They must take into account the timing of the downtime (end of month or quarterly close, for example), and they must measure downtime from the perspective of the user.

Include availability and continuity needs in app development and testing. Too often, availability and continuity are considered after an app has been deployed. At this point, the choice of infrastructure and app processing and logic will limit certain availability and continuity options.

The cardinal mistake when developing IT service continuity strategies is to lead with technology. It might seem complicated to conduct a BIA and RA with a cross-functional team of stakeholders, but it’s critical.

Stephanie Balaouras is a Principal Analyst at Forrester Research.
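The Transplace “internal SLA” from Step 1 of the case study (how long the business can do without each application) and Forrester’s tier catalog and end-user availability measurement above describe the same bookkeeping. What follows is an added example, not code from the article, Transplace or Forrester: it assigns each application to the cheapest tier that meets its agreed RTO and RPO, flags DR copies that are already older than the RPO allows, and measures availability the way Forrester recommends, counting planned and unplanned outages alike and noting any that touch the month-end close. The tier values, application names, timestamps and incidents are all constructed, and the three-day close window is this example’s own assumption.

```python
"""Added example (not code from the article, Transplace or Forrester): turn
per-application recovery objectives into service-continuity tiers, then check
the observed DR posture against them.  Tier values, applications, replication
timestamps and incidents are all constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed service catalog, cheapest tier first: the recovery time (RTO),
# data-loss bound (RPO) and availability that each tier promises.
TIERS = [
    ("bronze", timedelta(hours=12), timedelta(hours=24),   0.99),
    ("silver", timedelta(hours=4),  timedelta(minutes=15), 0.999),
    ("gold",   timedelta(hours=1),  timedelta(seconds=30), 0.9999),
]


@dataclass
class App:
    name: str
    max_outage: timedelta      # agreed with the business owner (RTO)
    max_data_loss: timedelta   # agreed with the business owner (RPO)
    last_replicated: datetime  # when the DR copy was last confirmed current


def assign_tier(app):
    """Cheapest tier whose promises satisfy the app's objectives, or None when
    no tier does (then the objective, not the catalog, has to be renegotiated)."""
    for name, rto, rpo, _target in TIERS:
        if rto <= app.max_outage and rpo <= app.max_data_loss:
            return name
    return None


def rpo_breached(app, now):
    """True when the DR copy is already older than the app is allowed to lose."""
    return now - app.last_replicated > app.max_data_loss


def availability(incidents, period_start, period_end):
    """User-perceived availability over the period: every outage counts,
    planned or not, clipped to the period boundaries."""
    down = timedelta()
    for start, end, _planned in incidents:
        overlap = min(end, period_end) - max(start, period_start)
        if overlap > timedelta():
            down += overlap
    return 1 - down / (period_end - period_start)


def touches_close_window(start, end, days=3):
    """True if any day of the outage falls in the last `days` calendar days of
    a month, used here as a stand-in for the month-end close window."""
    t = start
    while t <= end:
        first_of_next = (t.replace(day=28) + timedelta(days=4)).replace(
            day=1, hour=0, minute=0, second=0, microsecond=0)
        if first_of_next - t <= timedelta(days=days):
            return True
        t += timedelta(days=1)
    return False


def posture_report(apps, incidents_by_app, now, period_start, period_end):
    """One row per app: assigned tier, RPO state, measured availability and
    whether it met the tier's target over the period."""
    targets = {name: target for name, _, _, target in TIERS}
    rows = []
    for app in apps:
        tier = assign_tier(app)
        incidents = incidents_by_app.get(app.name, [])
        avail = availability(incidents, period_start, period_end)
        rows.append({
            "app": app.name,
            "tier": tier,
            "rpo_breached": rpo_breached(app, now),
            "availability": round(avail, 5),
            "meets_target": tier is not None and avail >= targets[tier],
            "close_window_outages": sum(touches_close_window(s, e) for s, e, _ in incidents),
        })
    return rows


# Constructed sample data, not figures from the article.
NOW = datetime(2010, 8, 15, 9, 0)
PERIOD = (datetime(2010, 7, 1), datetime(2010, 8, 1))
APPS = [
    App("order-entry", timedelta(hours=1), timedelta(minutes=1), NOW - timedelta(seconds=20)),
    App("billing", timedelta(hours=4), timedelta(minutes=15), NOW - timedelta(minutes=5)),
    App("reporting", timedelta(hours=12), timedelta(hours=24), NOW - timedelta(hours=26)),
    App("legacy-fax", timedelta(minutes=30), timedelta(0), NOW - timedelta(minutes=1)),
]
INCIDENTS = {
    "billing": [
        (datetime(2010, 7, 10, 14, 0), datetime(2010, 7, 10, 15, 0), False),  # unplanned
        (datetime(2010, 7, 30, 22, 0), datetime(2010, 7, 31, 1, 0), True),    # planned change
    ],
}


def sample_report():
    """Report for the constructed data, keyed by application name."""
    return {row["app"]: row for row in posture_report(APPS, INCIDENTS, NOW, *PERIOD)}


if __name__ == "__main__":
    for name, row in sample_report().items():
        print(name, row)
```

Two things the sample data is built to show: “billing” lands in the silver tier yet misses its availability target for July once the planned month-end change window is counted as downtime, which is exactly the planned outage Forrester says must not be excluded; and “legacy-fax” asks for zero data loss, which no tier in the catalog can promise, so the tool returns no tier rather than silently assigning the nearest one.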


Here Comes The Wind
By Joan Goodchild

Business continuity and disaster recovery plans need to be tailored to the weather. The effects of various types of disasters can be so different that some risk management professionals have begun including the characteristics of a disaster in their planning. Take, for example, how business continuity planners in tornado alley (the area of the US where tornadoes are most likely to occur) say that the effects of a tornado have much in common with cyclones, but also key differences. Tornadoes have smaller funnels, but can appear in groups, may feature dramatically higher winds, and can strike with far less warning than a major cyclone typically provides. Good BC/DR planning must take those differences into account in everything from employee and facility safety to network uptime.

One such proactive organization is the Cancer Treatment Centers of America (CTCA). The group of hospitals operates in tornado country and literally has lives on the line if something goes wrong with its business continuity plans. That’s why Chad Eckes, CIO of the Illinois-headquartered organization, believes there is no room for complacency. Keeping things running smoothly 100 percent of the time is always the goal. “I think you will find most CIOs will say 100 percent up time is impossible,” he says. “But why would you ever target anything less than 100 percent? We have always operated well over five-nines in terms of up time. But if I were satisfied, those potential moments of down time could be the moments a patient is being impacted.”

The mission of CTCA, according to Eckes, is to offer healing and hope to complex cancer patients. It’s a goal that everyone in the organization is mindful of, regardless of their job, he says. “Everyone at CTCA draws a line every day in how their job touches the patient.” CTCA has hospitals in Arizona, Illinois, Oklahoma and Pennsylvania. But its primary operations in Illinois are within tornado alley, which means keeping an eye on the weather and having a business continuity plan that is resilient in the event of a damaging storm, particularly in the spring, when tornadoes are most common in that part of the US. The Midwest and the Central Plains of North America see more tornadoes each year than any other part of the world.

“We had a key decision to make a few years ago about whether we run centralized datacenters or decentralized. Going back to that core principle of the mother standard, we made the decision by bringing it back to patients and its impact on patients.” Eckes and CTCA decided centralization was the best option so the same information was available to all employees, regardless of the facility they are working in. From a BC/DR standpoint, Eckes says a centralized datacenter with a backup facility was the better way to go in order to avoid any downtime in the event of an emergency that takes one of the datacenters offline for any period of time.

“We have migrated to all digital. There is no paper backup. We have our bedside monitors directly connected into our electronic health records. Our phones are all VOIP. Paging is integrated into the phone system. If any of these core systems go down, it could be a patient’s life. You can’t call a code blue if your phone system is down. It’s that critical that everyone takes this that seriously.”

Unlike cyclones, which are storm systems that often originate over tropical waters and come with much advance warning, tornadoes are isolated storms that form with less warning for weather officials. They form in moist, warm air in advance of a cold front and are often seen in their hallmark funnel-cloud shape: a violent, rotating column of air in contact with both the surface of the earth and a cloud. Tornadoes can stretch more than a mile across and stay on a destructive ground path for many miles, wiping out structures and picking up objects and debris along the way.

With tornado patterns in mind, CTCA built its two datacenters so that they sit about 59 miles (about 95 kilometers) apart, in a pattern that makes it nearly impossible for a tornado to hit both of them, says Eckes. The locations were chosen based on information CTCA got from the Federal Emergency Management Agency (FEMA) about weather patterns. The decision was based on historical events and the likelihood of a natural disaster hitting both facilities. Eckes says CTCA made sure the facilities, which hold identical data, were sited in a north-south arrangement and more than 30 miles (about 48 kilometers) apart to ensure one facility would always be operating. According to the National Oceanic and Atmospheric Administration (NOAA), tornadoes typically move from southwest to northeast.

“The first main design from a BCP standpoint was to have complete redundancy in our data. Anytime there is any production data written to the primary it is immediately mirrored over to our DR datacenter,” says Eckes. “Literally, we are up to date in our second center within 15 seconds. That is, with a complete copy of all clinical systems.” CTCA’s data has five layers of redundancy, from mirroring of data with an EMC SAN, to disk backups, to snapshots of patient data that are taken every four hours and stored on local servers within each hospital. “If our redundancy fails in terms of our network back to our two datacenters, we need to have that data in the hands of our clinicians,” says Eckes. “So they can go to this centralized server in their hospital, print out the PDF or copy it to a PC and still have all the information they need, like allergies, medications, treatment clinical pathway. Everything is there for them to care for their patients.”

Structurally, considerations were also made for the possibility of tornadoes hitting the datacenters. While cyclones can produce high winds that cause damage, preparations in cyclone zones often treat flooding as the most damaging potential factor. A tornado, however, does most of its damage with extremely high winds; tornadoes can generate violent wind speeds in excess of 250 miles per hour (about 400 kilometers per hour). In comparison, a category 5 cyclone may hit land with sustained winds of 155 miles per hour (about 250 kilometers per hour). Tornadoes are measured on the Fujita scale, a system which assigns levels of destructive power based on post-storm assessments. This scale runs from an F-0 storm, which causes little to no measurable damage, all the way to an F-5, which can completely eliminate all structures in its path. While most tornadoes rank lower than F-3, according to FEMA, they can still cause damage to a facility, particularly to windows and roofs.

“One of the important things for us was ensuring there were no exterior windows facing into the datacenter,” says Eckes. But Eckes says structural modifications weren’t enough to give him peace of mind, so CTCA built its recovery center in an old bank vault with the specific risk of a tornado in mind. The vault is in a brick building with a datacenter that is surrounded by a perimeter of 18 inches of poured concrete reinforced with rebar. “The likelihood of a tornado being able to hit, even at F4 level, is near impossible,” says

shelter from the storm a bunker mentality can be helpful for security, backup and business continuity. When Hurricane Ike bore down on Houston two years ago, the Continental Airlines’ flight operations center, located on the 14th floor of a glass-sided downtown high rise, suddenly went dark. For the airline’s pilots and flight crews, however, business proceeded as usual. Here’s why: At that same moment, 42 miles (about 65 kilometers) north of the city and some 60 feet underground—in a hardened Cold-War era bunker built by a paranoid millionaire oilman to survive a nuclear holocaust—Continental’s backup datacenter took over. throughout the ordeal—from Friday morning, as the storm approached, through Saturday, when winds above the Westland Bunker in texas, gusted to 125 miles per hour (about 200 kilometers per hour), until Sunday evening, when operations resumed in Houston—the airline managed an 89 percent on time rating for its global flight schedule. locating a backup datacenter in an underground bunker may seem like overkill, even in a hurricane zone. But the facility met all of the airline’s requirements—including cost, says John Stelly, managing director of technology at Continental. the bunker, run by real estate partnership montgomery Westland, has been converted into 33,000 square feet of rack-ready datacenter space complete with air conditioning, redundant network and power sources, uninterruptible power supply systems and backup generators. Continental leases 2,000 square feet underground and another 12,500 square feet of office space above ground, in a hardened building complete with 3-inch-thick bulletproof windows. the airline can house its entire operations staff of up to 125 people at the backup site. Continental began looking for a fallback datacenter after Hurricane Katrina. the site “was far enough away to be out of harm’s way but close enough for folks to drive to,” Stelly says. 
the blast-resistant facility is admittedly a bit much for even Continental’s backup needs, but the four-feet-thick walls and high security entrance are nice extras, Stelly says. Also, connectivity options at the Westland facility were a plus. the network and power feeds for the bunker were sourced from areas well away from Houston, while pricing was competitive with above-ground co-location facilities. — Robert l. mitchell

Eckes. “This is about as much protection as we are going to get without having an underground bunker.” According to FEMA, the best defense for personnel that may be in the immediate destructive path of a tornado is protection in a basement, cellar or other underground storm shelter. If there is none, staff should be advised to go to the lowest floor and into a small center room such as a bathroom or closet, under a stairwell, or in an interior hallway with no windows. Geoff Craighead, vice president of HighRise and Real Estate Services at Securitas Security Services and author of High-Rise Security and Fire Life Safety, advises clients he works with in tornado zones to consider all physical elements of a building when created a business continuity plan. “Creating a business continuity and disaster recovery plan requires a comprehensive evaluation of all physical factors that during a crisis may impact key business processes,” he says. Tornado warnings, when they are possible, are often broadcast on both radio and television, which of course can be monitored in the average security or network operations center. Craighead says if an organization is warned there is possibility of a tornado in the near future, preparations could include securing or moving outdoor objects such as trash containers, planters, signs, furniture, and vehicles that may blow away or cause damage to people or property. Craighead also recommends pruning tree branches that may cause damage to the building if time permits. Occupants should clear all objects from desks and working areas and all exposed paperwork should be stored in closed cabinets and other containers, he says. Valuable equipment and documents should be moved from outer offices to interior rooms. “Building management, engineering or security staff, or floor wardens may conduct walkthroughs of the building to ensure that appropriate precautions are being undertaken,” says Craighead. CIo
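Both stories above reduce to the same placement rule: the DR site must be far enough away (CTCA: more than 30 miles; Continental: 42 miles north of Houston) and the line between the two sites must not run along the track a single storm is likely to follow (NOAA: tornadoes travel southwest to northeast, hence CTCA’s north-south arrangement). The script below is an added example written for this page, not CTCA’s or Continental’s tooling; the coordinates, the 45-degree storm-track bearing and the 30-degree tolerance are constructed assumptions for illustration.

```python
import math

EARTH_RADIUS_MILES = 3958.8

# Constructed coordinates for illustration only; these are not CTCA's,
# Continental's or any real datacenter's locations.
SITES = {
    "primary": (41.00, -88.00),
    "dr_north": (41.58, -88.00),        # roughly 40 miles due north of primary
    "dr_northeast": (41.25, -87.67),    # roughly 24 miles to the northeast
}

# NOAA: tornadoes typically travel from southwest to northeast, so the
# storm-track axis is modelled as the 45-degree (NE) bearing. Assumed input.
STORM_TRACK_BEARING = 45.0


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in statute miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def initial_bearing_deg(lat1, lon1, lat2, lon2):
    """Forward azimuth from point 1 to point 2, 0..360 degrees clockwise from north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    x = math.sin(dlmb) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlmb)
    return math.degrees(math.atan2(x, y)) % 360.0


def axis_offset_deg(bearing_a, bearing_b):
    """Smallest angle (0..90) between two undirected axes given as bearings."""
    diff = abs(bearing_a - bearing_b) % 180.0
    return min(diff, 180.0 - diff)


def evaluate_pair(site_a, site_b, min_miles=30.0,
                  storm_track=STORM_TRACK_BEARING, min_axis_offset=30.0):
    """Check a primary/DR pair against the separation rule described in the article.

    Two tests: the sites must be at least min_miles apart, and the line between
    them must not lie along the prevailing storm track (here: within
    min_axis_offset degrees of the SW-NE axis). The 30-degree tolerance is an
    assumption for illustration, not a value from the article.
    """
    lat1, lon1 = site_a
    lat2, lon2 = site_b
    distance = haversine_miles(lat1, lon1, lat2, lon2)
    bearing = initial_bearing_deg(lat1, lon1, lat2, lon2)
    offset = axis_offset_deg(bearing, storm_track)
    return {
        "distance_miles": distance,
        "bearing_deg": bearing,
        "axis_offset_deg": offset,
        "far_enough": distance >= min_miles,
        "off_storm_track": offset >= min_axis_offset,
        "acceptable": distance >= min_miles and offset >= min_axis_offset,
    }


if __name__ == "__main__":
    for name in ("dr_north", "dr_northeast"):
        r = evaluate_pair(SITES["primary"], SITES[name])
        print(f"{name}: {r['distance_miles']:.1f} mi, bearing {r['bearing_deg']:.0f} deg, "
              f"offset from storm track {r['axis_offset_deg']:.0f} deg -> "
              f"{'OK' if r['acceptable'] else 'REJECT'}")
```

The north site passes both tests; the northeast site fails both, because it is closer than 30 miles and sits almost exactly on the SW-NE axis, so one long-track storm could cross both. Distance alone is not the check; the bearing matters too.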

Joan Goodchild is senior editor, CSO (a sister publication to CIO).
Vol/5 | Issue/10

Prepping for Pandemics
By Robert Zhang

Don’t think that a pandemic like the H1N1 flu won’t touch your organization. Even a contained swine flu outbreak could disable IT departments.
By Tam Harbert

Illustration by MM Shanith

When the first cases of H1N1 flu appeared early in 2009, Gartner was getting lots of calls from alarmed clients wanting to know if and how they should adjust their disaster recovery plans. Now? Not so much. “It’s a very, very silent period right now,” says Ken McGee, Gartner vice president and research fellow, who attributes the tepid reaction in the business community to the mild effects of the flu worldwide. “Despite the fact that it’s the first pandemic of the information age, it hasn’t compelled people to the kinds of readiness activities we would’ve expected,” says McGee. That’s a mistake, business continuity experts say. In India, the flu peaked in July and August of 2009 and it seems to be making a comeback. There have been sporadic reports of the flu in Tamil Nadu, Karnataka and West Bengal, where the flu might have mutated. There’s no telling whether or when the pandemic will worsen. Unlike a one-time disaster, flu pandemics are protracted and tend to come in waves, says Scott McPherson, CIO of the Florida House of Representatives, who is on a crusade to push organizations to better prepare for the pandemic. Business continuity plans typically deal with disasters that bring down infrastructure, but most don’t take into account an illness that can bring down 40 percent of your workforce, even if only temporarily. In the US, a joint survey conducted by Forrester Research and Disaster Recovery Journal found that 32 percent of companies polled had business continuity plans that did not include a workforce recovery component. Is your IT department prepared for significant staff outages? Read on for some advice from business continuity experts on what adjustments your company should be making to weather the flu season.

Boost Your Department’s Flu IQ

First and foremost, companies should educate their employees about the flu. IT leaders should coordinate with HR or the executive team to make sure employees know how to prevent the spread of the virus and how to recognize the symptoms of the illness, and to determine the conditions under which employees should not come to work. For example, a company may specify that anyone with two flu symptoms—fever and muscle aches—should stay home, says McGee. The company should also clearly spell out its policy on staying home to recover from the flu or to care for sick loved ones. Most important, says McGee, the organization should demonstrate that it is as concerned about the health and safety of its employees as it is about BC. “There’s no way in the world you’re going to get IT employees, or any employees, to address the needs of business before they address the needs of their families,” says McGee. Inside the IT department, mandate that employees wipe down all hard surfaces with disinfecting wipes every day. Datacenters can be breeding grounds for the flu because the air is re-circulated and colder than normal, which can make people more susceptible, says Kevin Burton, CEO of Burton Asset Management, which specializes in DR and BC. “You’re more likely to get sick from an airborne illness in a raised-floor environment like a datacenter or in an airplane than you are sitting in a cube farm or in a restaurant,” he says.

Clarify Goals with Top Management

“The biggest mistake clients make is they assume they have to put together this complex response plan before even discussing things with management,” says McGee. Ask the CEO and the board what they want to do if there is a serious outbreak. First, at what rate of absenteeism should any pandemic response plan go into effect? Would parts of the company be shut down? How many people would need to be outfitted to work from home? Without answers to such basic questions, IT could spend a lot of time and money setting up remote access capabilities for hundreds of people, for example, when only 50 were needed.

Identify Critical Skills

In DR, it’s common to identify systems that are critical to business operations, notes Burton. But the people who are critical to those operations are often overlooked. For that reason, a skills assessment is a key next step in any pandemic plan. “Once you’ve identified the critical apps that support the business functions, you have to drill down further and ask: Who supports those? Do you have only a few people with these skills?” says Barry Cardoza, VP and manager of business continuity for Union Bank NA in San Francisco. For example, you may have only a handful of overnight tape-backup operators companywide. It’s a relatively low-level job that’s often not on management’s radar, yet it’s a vital function, says Burton. If all your tape operators are home sick, the organization might go a couple of weeks without a backup. McPherson recommends that companies cross-train employees. Build a matrix of critical skills and train at least three people in each skill or task, he suggests. “So if both Jim and Joe on the server team are ill with flu, then Susan can step in and reconfigure a server or add some users to the network,” says McPherson. Just make sure all three aren’t in the same department or physical location, notes Cardoza. Because it’s so highly contagious, the flu is likely to sicken clusters of employees in specific geographic locations or departments. If your experts are centralized in a single location, they could all wind up ill at the same time. “That’s the kind of thing that really concerns me,” Cardoza says. “If there is a real cluster, do we have people outside of that cluster who can support IT?”

Business Continuity Medicine
How to keep your enterprise pandemic-ready:
Watch for the signs
Prepare your staff
Get your plans vetted by management
Figure out which skills are critical
Be prepared for work-from-home employees
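The skills-matrix procedure above (find who supports each critical function, insist on at least three trained people, and make sure they are not all in one department or site) is mechanical enough to run as a check against a staff roster. The following is an added example written for this page, not code from any of the people quoted; the roster, sites and skill names are constructed, and the three-person threshold is the one McPherson suggests.

```python
# Constructed staff roster for illustration; names, sites and skills are made up.
# Each entry: name -> (department, location, set of skills the person can perform alone)
STAFF = {
    "Jim":   ("server team",  "Chicago", {"server_rebuild", "user_provisioning"}),
    "Joe":   ("server team",  "Chicago", {"server_rebuild", "user_provisioning"}),
    "Susan": ("network team", "Chicago", {"server_rebuild", "firewall_change"}),
    "Ravi":  ("operations",   "Pune",    {"tape_backup"}),
    "Ana":   ("helpdesk",     "Denver",  {"user_provisioning"}),
    "Lee":   ("network team", "Denver",  {"firewall_change"}),
}

# Skills that support the critical applications identified in the DR plan (constructed).
CRITICAL_SKILLS = {"server_rebuild", "user_provisioning", "tape_backup", "firewall_change"}


def coverage_report(staff, critical_skills, min_people=3):
    """For each critical skill, list who can do it and flag the article's two risks:
    fewer than min_people trained, and all trained people in one department or one site."""
    report = {}
    for skill in sorted(critical_skills):
        people = sorted(n for n, (_, _, skills) in staff.items() if skill in skills)
        depts = {staff[n][0] for n in people}
        sites = {staff[n][1] for n in people}
        issues = []
        if len(people) < min_people:
            issues.append(f"only {len(people)} trained (want {min_people})")
        if people and len(sites) == 1:
            issues.append(f"all at one site: {next(iter(sites))}")
        if people and len(depts) == 1:
            issues.append(f"all in one department: {next(iter(depts))}")
        report[skill] = {
            "people": people,
            "sites": sorted(sites),
            "departments": sorted(depts),
            "issues": issues,
        }
    return report


def site_outage(staff, site):
    """Everyone at a given site, i.e. the geographic flu cluster Cardoza worries about."""
    return sorted(n for n, (_, loc, _) in staff.items() if loc == site)


def uncovered_skills(staff, critical_skills, absent):
    """Skills that nobody still available can perform once the named people are out sick."""
    absent = set(absent)
    return sorted(
        s for s in critical_skills
        if not any(s in skills for n, (_, _, skills) in staff.items() if n not in absent)
    )


if __name__ == "__main__":
    for skill, row in coverage_report(STAFF, CRITICAL_SKILLS).items():
        print(f"{skill:18} {row['people']}  {'; '.join(row['issues']) or 'ok'}")
    sick = site_outage(STAFF, "Chicago")
    print("Chicago cluster out:", sick, "-> uncovered:", uncovered_skills(STAFF, CRITICAL_SKILLS, sick))
```

On this roster, server rebuilds are covered by three people, which satisfies the headcount rule, yet a single Chicago cluster takes all three out at once; tape backup has one operator, exactly the low-level single point of failure Burton describes. Re-run the report after each training or transfer until every critical skill shows no issues.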

Prepare for Telework

Burton recommends that you move critical people out of crowded buildings as a precaution, setting them up to work from home even before an outbreak occurs. And the ‘worried well’ aren’t the only ones who will need to work from home: Schools are considered the biggest breeding grounds for the flu, which means there’s a strong chance that employees who are parents or guardians will ask to work from home while they care for sick kids or cope with school closures. That’s why IT needs to beef up its systems to handle a potentially massive increase in telework. Part of your skills assessment should include a determination of which jobs can be performed remotely and which cannot, says McPherson. For those that can’t, you should ensure that other employees have been cross-trained. For those jobs that can be performed remotely, do you know how many of those employees have computers at their homes? Poll your workers to see what technology they have available. Also, consider the situation from the perspective of an employee new to telework. “Imagine an employee connecting from home, having to get through remote takeover of a computer or virtual desktop to be able to get to Attachmate in order to get to the mainframe, so they can do their work,” McPherson explains. “That could be problematic.” “Ideally, all these steps should’ve been done three years ago, when the flu first popped up,” McPherson continues. If that never happened, he says, the most that companies can do now is evaluate their current capabilities, determine which jobs are appropriate for telework and find out which employees have broadband and a computer at home.

Provision employees with remote access technologies.

Check in with DR Outsourcers

If you’ve contracted with a third party for DR, take a close look at that contract. In many cases, the contract includes the facility and the equipment, but not the professionals who perform the work. If the flu is causing many clients to turn to outsourced facilities, these providers will be under tremendous stress, says Burton. “If these third-party DR services can even staff up, under a pandemic situation the per-hour fee for subject-matter experts is going to be exorbitant,” he says. According to the scarcity dynamics forecast by his firm, an e-mail administrator could cost $850 (about Rs 35,000) an hour, if one can be found at all, he maintains. Many DR firms are busily signing contracts now with staffing agencies that have skill sets in areas where they have recovery sites. “We are aware of two firms that are actively putting locks, with guaranteed pay rates, on key platform expertise to make sure they can handle the professional services requirement that will occur during [flu] declarations,” says Burton. Also make sure you know where key information—such as passwords and license keys—is kept, in case whoever is the keeper of this information becomes ill. This is a common oversight, says Burton. “I’ll ask them to open up the e-mail recovery section of their DR plan and show me their Exchange license key and admin password. Ninety percent of our customers fail that test,” he says. Knowing where the credentials are is the point; it does not mean writing them into the plan itself. Keep them in a sealed envelope, a safe or a password vault with a documented break-glass procedure, so that the plan can be widely distributed without distributing the admin password.

Monitor the Flu’s Progression

Have an early warning system for flu outbreaks. In addition to monitoring official health information, pay close attention to the local news in areas where your company has a presence. Did the local school just send 100 students home with the flu? If flu cases are rising rapidly in a given area, work with HR to increase the precautions at that facility and make sure the other steps outlined above have been put in place.

Take Care of Employees When They Get Back

Finally, pay special attention when employees return to work, says Burton. Workers may be physically weak or emotionally stressed. In addition to being sick himself, an employee may have been caring for sick family members as well. Or perhaps he’s under economic pressure because he or another household breadwinner lost income or incurred expenses because of the flu. If the pandemic becomes particularly virulent, an employee may even experience the death of a friend or family member. Burton suggests having a 10-minute intake interview to catch up with returning employees. “If not handled carefully, the after-effects of the flu on employees could be substantial. It will require a degree of vigilance to keep the upset these events might cause from spilling over into the workplace,” he says.

Workforce Continuity Strategies
Use another internal site as an alternative for work: 86%
Arrange for mobile recovery units: 72%
Subscribe to shared seats at a business continuity/disaster recovery service-provider site: 26%
Subscribe to dedicated seats at a service-provider site: 22%
None of the above: 17%
Source: Forrester Research/Disaster Recovery Journal survey of 259 business continuity decision-makers and influencers. Multiple responses allowed.


Raiders of the Lost Archive
By David Taber

The starting point for SaaS apps: Everything related to the apps is in the cloud, so data maintenance, redundancy and recovery are the responsibility of the SaaS vendor. But the reality is more complex. Let’s start with the basics: the database underlying the application. For service continuity, nearly any SaaS vendor must have clustering or replication strategies for the customer data. While data backup is included for free in SaaS applications, data recovery is free only if it’s needed to recover from a vendor’s error. If a customer needs to recover data to some historical point in time because of a user error, getting this data out is a chargeable extra. So, back up your own data regularly. If your SaaS vendor has an automatic export or archive function that pushes the data to local file storage, use it. If not, use a high-speed data loader. For a CRM system, a complete weekly snapshot taken early Saturday morning works best, and we typically recommend keeping six months’ worth of backup files. But it’s not quite that simple, because there is inevitably data that you’ll need which is omitted from the standard export tool. For example, a client of ours is dealing with the discovery phase of a lawsuit from a disgruntled employee, and they need to show that the employee was not logging into the system as often as they were supposed to. Two years ago. The cost of recovering that data from the SaaS vendor involves fees that would make even lawyers blush. Further, the SaaS backup systems will not take a snapshot of the system’s object model, metadata, customizations, report definitions, or your code. These don’t need to be backed up every week, but it doesn’t hurt, for configuration control purposes.

The next thing to consider is archival: removing inactive or obsolete records from the online system. This may be required because of your company’s information retention policy, performance issues, or a desire to reduce storage charges. I have yet to find a situation where data that’s been untouched for seven years needs to stay in a CRM system. But CRM data is never a simple database. Depending on the vendor, CRM databases comprise between 10 and 200 tables, and user-level objects may create some really amusing pointer chains across tables. For this reason, some CRM objects can never be removed from a system. The easiest things to archive are old attached documents, e-mails, notes, and leads. However, the whole point of making an archive is to be able to get to the data if needed, so make sure that each archive includes a ‘readme’ file with a checklist of how the archive was made. For objects that are more central to the CRM system, creating an archive can be quite complex. But it’s easier to hide unwanted data than to actually remove it from the system. Hiding the data typically involves setting special record-type values to indicate inactive data. The key to this strategy is making sure that all views, reports, workflows, trigger thresholds, and external interfaces are modified to exclude the marked records. This may sound complicated, but with proper configuration management this approach can be more straightforward than archiving the most deeply embedded CRM data.
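The weekly-snapshot advice above has three parts that are easy to get wrong: the export must include the things the vendor’s standard tool omits (metadata, report definitions, login history), every archive needs a readme that says how it was made, and the six-month retention has to be enforced rather than assumed. The script below is an added example written for this page, not the author’s or any vendor’s tool. The export dictionary is constructed sample data standing in for whatever a data loader pulls out; object and field names are made up, and the SHA-256 manifest is this example’s own addition so that a restore can detect a truncated or edited file before anyone trusts it.

```python
import hashlib
import json
import shutil
from datetime import date
from pathlib import Path

# Constructed sample export standing in for a data-loader pull from a CRM (made-up names).
SAMPLE_EXPORT = {
    "accounts": [{"id": "A1", "name": "Acme"}, {"id": "A2", "name": "Globex"}],
    "contacts": [{"id": "C1", "account": "A1", "email": "j@acme.example"}],
    # login history is the kind of record the article says standard exports leave out
    "login_history": [{"user": "u7", "at": "2010-08-13T09:12:00Z"}],
}
# Object model / customizations: not needed weekly, but cheap to carry along (constructed).
SAMPLE_METADATA = {"objects": {"accounts": ["id", "name"]},
                   "reports": ["pipeline_weekly"], "custom_code_version": "v1"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def write_snapshot(root, taken_on, export, metadata, tool="data loader (assumed)"):
    """Write one dated snapshot: one JSON file per object, the metadata, and a README
    manifest recording how the archive was made plus a SHA-256 per file."""
    snap = Path(root) / f"snapshot-{taken_on.isoformat()}"
    snap.mkdir(parents=True, exist_ok=False)
    files = {}
    for obj, rows in export.items():
        p = snap / f"{obj}.json"
        p.write_text(json.dumps(rows, indent=1, sort_keys=True))
        files[p.name] = {"records": len(rows), "sha256": sha256_file(p)}
    m = snap / "metadata.json"
    m.write_text(json.dumps(metadata, indent=1, sort_keys=True))
    files[m.name] = {"records": None, "sha256": sha256_file(m)}
    readme = {
        "taken_on": taken_on.isoformat(),
        "tool": tool,
        "objects": sorted(export),
        "files": files,
        "restore_checklist": ["verify checksums", "load metadata.json first",
                              "load objects in the listed order"],
    }
    (snap / "README.json").write_text(json.dumps(readme, indent=1, sort_keys=True))
    return snap


def verify_snapshot(snap):
    """Recompute every checksum in README.json; False if any file is missing or changed."""
    readme = json.loads((Path(snap) / "README.json").read_text())
    for name, info in readme["files"].items():
        p = Path(snap) / name
        if not p.exists() or sha256_file(p) != info["sha256"]:
            return False
    return True


def prune_snapshots(root, today, retain_days=182):
    """Delete snapshots older than retain_days (about six months); returns what was removed."""
    removed = []
    for d in sorted(Path(root).glob("snapshot-*")):
        taken = date.fromisoformat(d.name[len("snapshot-"):])
        if (today - taken).days > retain_days:
            shutil.rmtree(d)
            removed.append(d.name)
    return removed


if __name__ == "__main__":
    snap = write_snapshot("crm-backups", date(2010, 8, 14), SAMPLE_EXPORT, SAMPLE_METADATA)
    print(snap, "verified:", verify_snapshot(snap))
    print("pruned:", prune_snapshots("crm-backups", date(2010, 8, 14)))
```

Run it from cron early Saturday morning with the real export in place of the sample. Verify the previous snapshot before taking the next one; a silently truncated export that passes unnoticed for six months leaves you with exactly the recovery bill the article warns about.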

David Taber is the CEO of SalesLogistix, a certified consultancy.


Forward
By Al Sacco

The technologies have arrived to vastly improve backup and recovery performance and reliability. Here’s how to put them to good use.

Ever get the feeling that your backup system is behind the times? Do you read trade magazines and wonder if you’re the only one still using an antiquated backup system? You’re not the only one. But your backup system could probably use some modernization. New technologies have changed the nature of the backup game in a fundamental way, with disk playing an increasingly important role and tape moving further into the background. Many of the liabilities and performance issues that have dogged datacenter backups forever now have plausible technology solutions, provided those solutions are applied carefully and dovetail with the primary storage strategy. It is truly a new day. Before you contemplate a modernization plan, you need a working understanding of the new high-speed disk-based solutions, the schemes that reduce the volume of data being replicated, and how real-time data protection techniques actually work. With that under your belt, you can start to apply those advancements to the real-world data protection problems every datacenter faces.

The Disk in the Middle

Disk-to-disk-to-tape (D2D2T) strategies have gained popularity in recent years because of the great disparity between the devices being backed up (disks), the network carrying the backup, and the devices receiving the backup (tape). The average throughput of a disk drive 15 years ago was approximately 4MBps to 5MBps, and the most popular tape drive did 256KBps, so the bottleneck was the tape drive. Fast-forward to today, and we have 70MBps disk drives but tape drives that want 120MBps. Disks got 15 to 20 times faster, but tape drives got almost 500 times faster. Tape is no longer the bottleneck; it’s starving to death, and a starved drive that is not fed at its streaming rate repeatedly stops and repositions, so its effective throughput collapses. This is especially true when you realize that most backups are incremental and hold on to a tape drive for hours on end while moving only a few gigabytes of data. D2D2T strategies solve this problem by placing a high-speed buffer between the fragmented, disk-based file systems and databases being backed up and the hungry tape drive. This buffer is a disk-based storage system designed to receive slow backups and supply them very quickly to a high-speed tape drive. The challenge faced by some customers (especially large ones) was that many backup systems didn’t know how to share a large disk system and use it for backups. Sure, they could back up to a disk drive, but what if you needed to share that disk drive among multiple backup servers? Many backup products still can’t do that, especially with Fibre Channel-connected disk. Enter the virtual tape library, or VTL. It solved this sharing problem by presenting the disk drives as tape libraries, which the backup software products had already learned how to share. Now you could share a large disk system among multiple servers. In addition, customers more familiar with a tape interface were presented with a very easy transition to backing up to disk. Another approach to creating a shareable disk target is the intelligent disk target, or IDT. Vendors of IDT systems felt the best approach was to use the NFS or CIFS protocol to present the disk system to the backup system; these protocols also allow easy sharing among multiple backup servers. But both VTL and IDT vendors had a fundamental problem: the cost of disk made their systems cost-effective as staging devices only. Customers stored a single night’s backups on disk and then quickly streamed them off to tape. They wanted to store more backups on disk, but they couldn’t afford it. Enter de-duplication.

The Magic of Data De-duplication

Typical backups create duplicate data in two ways: repeated full backups, and repeated incrementals of the same file when it changes multiple times. A de-duplication system identifies both situations and eliminates redundant files, reducing the amount of disk necessary to store your backups by anywhere from 10:1 to 50:1 and beyond, depending on the level of redundancy in your data. De-duplication systems also work their magic at the sub-file level. To do so, they identify segments of data (a segment is typically smaller than a file but bigger than one byte) that are redundant with other segments and eliminate them. The most obvious use for this technology is to allow users to switch from disk staging strategies (where they’re storing only one night’s worth of backups) to disk backup strategies (where they’re storing all onsite backups on disk). There are two main types of de-duplication. Target de-dupe systems allow customers to send traditional backups to a storage system that then de-dupes them; they are typically used in medium to large datacenters and perform at high speed. Source de-dupe systems use different backup software to eliminate the redundant data from the very beginning of the process, and serve to back up remote offices and mobile users.
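To make the sub-file mechanism concrete, here is a minimal target-side de-duplicating store, written for this page as an added example and not taken from any product. It uses content-defined chunking (a rolling “gear” hash that cuts a segment wherever the low bits of the hash are zero), so an insertion near the start of a file shifts the bytes but not the segment boundaries further on, and the unchanged segments are recognised by their SHA-256 fingerprint. Segment sizes are scaled down from production values (which are kilobytes) so the demo runs on a 20KB sample; the sample data is constructed, incompressible random bytes, so any saving shown is de-duplication rather than compression.

```python
import hashlib
import random

_rng = random.Random(20100815)
# 256-entry table for the "gear" rolling hash; fixed seed so boundaries are reproducible
_GEAR = [_rng.getrandbits(64) for _ in range(256)]
_MASK64 = (1 << 64) - 1


def chunk(data, min_size=64, avg_bits=8, max_size=1024):
    """Content-defined chunking: cut where the rolling hash's low avg_bits bits are zero
    (average segment ~2**avg_bits bytes), bounded by min_size and max_size. Because the
    hash only depends on the last 64 bytes, boundaries re-synchronise after an edit."""
    chunks, start, h = [], 0, 0
    mask = (1 << avg_bits) - 1
    for i, b in enumerate(data):
        h = ((h << 1) + _GEAR[b]) & _MASK64
        length = i - start + 1
        if (length >= min_size and (h & mask) == 0) or length >= max_size:
            chunks.append(data[start:i + 1])
            start, h = i + 1, 0
    if start < len(data):
        chunks.append(data[start:])
    return chunks


class DedupStore:
    """Target-side de-duplication: each unique segment is stored once, keyed by its
    SHA-256; a backup is just the ordered list of segment fingerprints (its "recipe")."""

    def __init__(self):
        self.segments = {}      # fingerprint -> bytes
        self.recipes = {}       # backup name -> [fingerprint, ...]
        self.logical_bytes = 0  # what the backup software thinks it wrote
        self.physical_bytes = 0 # what actually landed on disk

    def backup(self, name, data):
        """Ingest one backup stream; returns the number of bytes that were actually new."""
        new_bytes, recipe = 0, []
        for seg in chunk(data):
            fp = hashlib.sha256(seg).hexdigest()
            if fp not in self.segments:
                self.segments[fp] = seg
                new_bytes += len(seg)
            recipe.append(fp)
        self.recipes[name] = recipe
        self.logical_bytes += len(data)
        self.physical_bytes += new_bytes
        return new_bytes

    def restore(self, name):
        """Reassemble a backup from its recipe."""
        return b"".join(self.segments[fp] for fp in self.recipes[name])

    def ratio(self):
        return self.logical_bytes / self.physical_bytes if self.physical_bytes else float("inf")


def make_sample(size=20000, seed=7):
    """Constructed 'file system' image of incompressible random bytes."""
    r = random.Random(seed)
    return bytes(r.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    store = DedupStore()
    original = make_sample()
    print("full #1 new bytes:", store.backup("full-1", original))
    print("full #2 new bytes:", store.backup("full-2", original))           # repeated full: 0
    edited = original[:5000] + b"inserted record" * 7 + original[5000:]     # shifts everything after
    print("full #3 new bytes:", store.backup("full-3", edited))             # only a few segments
    print("ratio: %.1f:1" % store.ratio())
```

The second full backup costs nothing on disk, and the third, despite shifting 15KB of data by 105 bytes, stores only the few segments that straddle the edit. A fixed-size chunker would have stored nearly all of the third backup again, which is why production target de-dupe uses variable, content-defined segments.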

Backing Up as You Go

Continuous Data Protection (CDP) is another increasingly popular disk-based backup technology. Think of it as replication with an Undo button. Every time a block of data changes on the system being backed up, it is transferred to the CDP system. However, unlike replication, CDP stores changes in a log, so you can undo those changes at a very granular level. In fact, you can recover the system to literally any point in time at which data was stored within the CDP system. A near-CDP system works in similar fashion, except that it has only discrete points in time to which it can recover. To put it another way, near-CDP combines snapshots with replication. Typically, a snapshot is taken on the system being backed up, whereupon that snapshot is replicated to another system that holds the backup. Why take the snapshot on the source before replication? Because only at the source can you quiesce the application writing to the storage, so that the snapshot is consistent and therefore meaningful.

Protecting Your Transaction Systems

Disk-to-disk backup systems, de-duplication, and CDP were all developed to solve specific problems. So let’s have a look at the challenges of today’s datacenters to see how these technologies can help. The first challenge: high-volume transaction systems that are intolerant of data loss. Most industries experience double-digit increases in the volume of transactions every year. That’s just the nature of computing. And along the way, organizations have grown increasingly worried about data loss, thanks to high-profile customer data debacles that have created one public relations nightmare after another. Depending on the volume of transactions and tolerance of downtime, companies that want to minimize risk turn to internal disk-based systems rather than tape (which has an unfortunate tendency to escape the datacenter) as their primary backup target. The question is whether or not they use traditional backup software to get there. Switching from tape to disk as the primary target, while still using traditional backup software, makes it easier to create backups of transaction logs that can be used to rebuild those transactions in case of data loss. In addition, the use of disk allows those transaction log backups to be replicated offsite so they can be used even in the case of disaster. Using disk as the primary target for backups can also help in full recovery of large databases, as the aggregate performance of the disk system can be matched to the recovery time objective (RTO) of the restores you are likely to perform. But the true power of disk in a recovery system can be realized only by switching from a traditional backup system to CDP or near-CDP. Traditional backup still suffers from the laws of physics: if you’ve got a 20TB database to restore and a five-hour RTO, you need to be able to restore more than 4TB per hour, leaving a little time to replay the appropriate amount of transaction logs. A CDP or near-CDP system solves this by presenting an already-recovered image during an outage. Both CDP and near-CDP systems can present to a recovery server a read-write image of the most recent backup of the system to be recovered. This includes presenting a read-write image of the latest version of the operating system and application to the server or virtual server that will be used in a recovery scenario. In fact, some CDP software systems even use incremental restore capabilities to continually keep a VMware image up to date for use in a recovery. The number of lost transactions a business can tolerate in a recovery scenario determines the recovery point objective (RPO), and the amount of downtime it can afford determines the RTO. The more aggressive a business’s RTO, the more it will be led to choose CDP or near-CDP. The more aggressive its RPO, the more it will need to choose CDP over near-CDP. Many near-CDP systems cannot do better than a one-hour RPO, because that’s how often they can take a snapshot; customers looking for a one-minute RPO are usually forced to choose a true CDP solution that does not rely on snapshots.
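The RPO distinction between CDP and near-CDP is easiest to see on a toy volume. The model below is an added example written for this page, not any vendor’s implementation: a true CDP target appends every block write to a timestamped journal with its before-image (the “Undo button”), so any instant is a recovery point; a near-CDP target only keeps the images captured at scheduled snapshots, so a failure just after a snapshot interval still loses everything since that snapshot. The four-block volume, the write stream and the failure time are constructed.

```python
from dataclasses import dataclass

BLOCK_SIZE = 4  # bytes per block in this toy volume; real systems use KB-sized blocks


@dataclass(frozen=True)
class JournalEntry:
    t: float          # time the write landed on the protected volume
    block: int
    before: bytes     # old contents, kept so the change can be undone
    after: bytes


class CdpTarget:
    """True CDP: every block write is shipped with its timestamp and appended to a log,
    so any instant in the journal's history is a valid recovery point."""

    def __init__(self, baseline):
        self.baseline = bytes(baseline)
        self.journal = []

    def write(self, t, block, data):
        assert len(data) == BLOCK_SIZE
        current = self.recover_to(t)
        off = block * BLOCK_SIZE
        self.journal.append(JournalEntry(t, block, current[off:off + BLOCK_SIZE], bytes(data)))

    def recover_to(self, t):
        """Replay the log forward, up to and including time t, onto the baseline image."""
        img = bytearray(self.baseline)
        for e in self.journal:
            if e.t <= t:
                img[e.block * BLOCK_SIZE:(e.block + 1) * BLOCK_SIZE] = e.after
        return bytes(img)

    def undo_after(self, t):
        """The 'Undo button': walk the log backwards, restoring before-images of writes after t."""
        img = bytearray(self.recover_to(float("inf")))
        for e in reversed(self.journal):
            if e.t > t:
                img[e.block * BLOCK_SIZE:(e.block + 1) * BLOCK_SIZE] = e.before
        return bytes(img)


class NearCdpTarget:
    """Near-CDP: the source is quiesced and snapshotted every `interval` seconds and the
    snapshot replicated; recovery points exist only at those instants."""

    def __init__(self, baseline, interval):
        self.image = bytearray(baseline)
        self.interval = interval
        self.snapshots = {0.0: bytes(self.image)}
        self.last_snap = 0.0

    def write(self, t, block, data):
        # take any snapshot whose scheduled time has passed before applying this write
        while self.last_snap + self.interval <= t:
            self.last_snap += self.interval
            self.snapshots[self.last_snap] = bytes(self.image)
        self.image[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = data

    def recover_to(self, t):
        """Return (recovery point actually available, image); t minus the point is the data loss."""
        point = max(s for s in self.snapshots if s <= t)
        return point, self.snapshots[point]


def demo(snapshot_interval=1.0, failure_at=2.7):
    """Constructed write stream against a four-block volume; returns what each technique
    can recover for a failure at failure_at and the data loss (the RPO actually achieved)."""
    baseline = b"AAAABBBBCCCCDDDD"
    cdp, near = CdpTarget(baseline), NearCdpTarget(baseline, snapshot_interval)
    for t, block, data in [(0.5, 0, b"1111"), (1.2, 1, b"2222"), (2.7, 2, b"3333"), (3.9, 3, b"4444")]:
        cdp.write(t, block, data)
        near.write(t, block, data)
    point, near_img = near.recover_to(failure_at)
    return {
        "cdp_image": cdp.recover_to(failure_at),
        "cdp_loss_seconds": 0.0,
        "near_cdp_image": near_img,
        "near_cdp_loss_seconds": failure_at - point,
        "undo_to_1s": cdp.undo_after(1.0),
    }


if __name__ == "__main__":
    for interval in (1.0, 0.25):
        r = demo(interval)
        print(f"snapshot every {interval}s: CDP {r['cdp_image']!r} (loss {r['cdp_loss_seconds']}s), "
              f"near-CDP {r['near_cdp_image']!r} (loss {r['near_cdp_loss_seconds']:.2f}s)")
```

With hourly snapshots (here, one-second ones) the near-CDP copy is missing the write that landed 0.7 seconds after the last snapshot; shortening the interval shrinks that window but never closes it, which is the article’s point about a one-minute RPO forcing a true CDP choice.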

Protecting E-mail Systems The next challenge is backing up and recovering e-mail systems. Most modern e-mail systems are at their heart database systems, so the backup systems work in similar ways. But the typical recovery request of an e-mail system differs markedly from that of a database. Databases are rarely recovered, but when they are, they are fully recovered up to the point of failure. Rarely are databases restored in part; that is, rarely do you restore a single table in a database (database recovery mechanisms do not even have that ability). Usually, your only choice is to restore the entire database to an alternate location and then export the table you need to restore. E-mail systems, on the other hand, often receive recovery requests for a single table or even a single row in that table. In other words, they are often asked to restore an individual user’s mailbox, folder, or even a single e-mail message. Oddly enough, in the first half of the current decade, the only way to restore at this granular level mirrored what you did with databases: Restore the entire e-mail application to an alternate location, and then drag and drop the mailbox, folder, or e-mail that you needed to the appropriate server. The advent of recovery storage groups in Exchange changed all that. With recovery groups, admins can restore only the storage group containing the affected user or e-mail, then drag and drop what they need. To take advantage of this feature, however, you must ensure that Exchange admins split their servers into multiple storage groups from the start. Other advancements in the e-mail department include the ability of some backup software to extract user-level information from Exchange Information Store backups. This is another benefit of using disk-based backups. Placing all e-mail backups on disk allows the backup software to do its own querying and extraction of parts of the backup, facilitating quick restores of users and folders. 
Unfortunately, these advancements in e-mail backup and recovery are unlikely to help you with electronic discovery. As you know, companies now commonly receive electronic discovery requests as part of a lawsuit or government investigation. Most backup software is so ill-equipped to handle such requests that the best way to modernize your backup system for electronic discovery is to not use it for discovery purposes. Install an e-mail archive system instead. These systems make it much easier to extract all kinds of information from your e-mail system. This is especially true when you are asked for e-mails matching various search criteria over long periods of time. Take, for example, a request to create a PST file of all e-mails containing the words “square,” “circle,” “rectangle,” or “triangle” that were sent by Joe Smith to Fred Barney between February 2005 and March 2009. Satisfying that request with backup software would be nearly impossible; doing it with e-mail archive software is a piece of cake.

Top 4 Backup and Recovery Problems

When it comes to backups, there are a number of potential bottlenecks.

Problem 1: Feed speed. The primary disks may not be fast enough to perform normal operations and read all the data for backup at the same time. Also, the Ethernet LAN may be slow or busy.
Solution: One way to fix these problems is to move the backup data flow from the network to the SAN. When the SAN came along in the ’90s, backup was (and still is) one of its killer apps. Moving the flow of backup data from the LAN to the SAN removes the server and LAN bottlenecks from the process, which makes it faster.

Problem 2: Tape subsystem. Backup jobs may be queued waiting for slow tape resources to become available.
Solution: Virtual tape libraries (VTLs) can provide many virtual tapes, removing the constraint of having to share a limited number of physical tape resources. With a virtual tape solution, you can right-click and create a new tape drive at any time. If a new LTO-4 drive costs 5K, then every time you right-click to create a new drive in a VTL, you not only create a new tape resource, but you save 5K to boot!

Problem 3: Media requirements. If full backups are performed on databases to assure fast recovery, the same data gets stored every night, which requires a LOT of tapes.
Solution: Data de-duplication helps solve the media problem. Simply add de-dupe to the mix, and all of a sudden there is a lot less data to store. De-dupe also helps with replication of data by reducing the WAN bandwidth, and so the cost, required to move data to the DR site.

Problem 4: Backup server. The backup server may be overwhelmed by the number of backup streams coming over the LAN.
Solution: The last problem that remains is the backup server, and the fact that the backup process is still typically performed only once a day, which provides a less than optimal recovery point objective (RPO) for many apps. With large data sets, it may take many hours to recover, which also has a negative impact on recovery time objectives (RTO).

— By Chris Poelker

August 15, 2010 | Real CIO World
Vol/5 | Issue/10

Reducing Risk with Encryption

While encryption is not a new technology, high-speed encryption for large-volume backup systems is new. Today’s backup encryption systems can encrypt as fast as the backup target can run, and include a variety of key management systems to meet the needs of different environments. Everyone has heard tales of woe about unencrypted backup tapes being lost or stolen. While this has always been a problem, it’s a bigger issue now, because government regulations won’t let you sweep such incidents under the rug. Instead, you are required by law to notify. Customers fret when their data goes AWOL—except if that data has been encrypted. The strategy is simple: Either encrypt tapes or don’t send them anywhere. There are a number of encryption options, including backup software encryption, SAN appliance encryption, and tape-drive encryption. Pick one of these methods, and if a tape is stolen or lost, it won’t be readable—and you won’t have to notify anyone (with most laws on the books, anyway). Alternatively, if de-duplication and replication are in place, you can forgo sending tapes anywhere at all. Just back up to a de-dupe system—and replicate over a high-speed connection to another de-dupe system off-site. Now you have on-site and off-site backups and you haven’t touched a tape. If you want to make tapes, you can do so at the off-site facility, so the tape never needs to be shipped. It can be locked in a tape library, a locked cage, a locked datacenter, or a locked building. With the right rules in place, those tapes don’t even need to be encrypted.

Protecting Virtualized Environments

Virtual servers can be a big help in recovery scenarios. They make it much easier to create a set of recovery servers at the recovery site that match the computing capabilities in the datacenter. The recovery servers may not be as fast, but they will have the same operating system, and they will at least think they have the same hardware, which solves an important part of the recovery problem. Backing up is another story, because you run smack into the laws of physics. When you put 20 physical servers into one physical server as VMs, everything runs fine until you need to back them up—at which point the fact that they’re sharing the same physical storage becomes painfully apparent. VCB (VMware Consolidated Backup) was the first “solution” to this problem, but it never really solved much. VCB may have made backups slightly faster, but it cost a lot and required another physical server plus staging storage to create image-level backups. To modernize backup infrastructure to support virtual environments, organizations running VMware should upgrade to vSphere and look for a backup product that supports its vStorage API. This removes the need for a physical proxy server, a staging area, two-step backups, two-step restores, and full backups in order to get incremental backups. You can use a VM as your proxy server, you don’t need a staging disk, and you get change block tracking, which allows the backup app to ask a VM which blocks have changed since the last backup.
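The de-duplication described under Problem 3 of the sidebar and the change block tracking exposed through the vStorage API can be shown together in one short simulation; what follows is an added example written for this article, not code from VMware or any backup product. It assumes a toy 4-byte block size, an in-memory DedupeStore standing in for the de-dupe appliance, and a hypothetical VirtualDisk class that reports which blocks were written since the last backup; the restore path re-hashes every block it reads, in the spirit of testing everything and believing nothing.

```python
import hashlib
BLOCK_SIZE = 4  # constructed toy block size; real systems use KiB-to-MiB blocks


class DedupeStore:
    """Content-addressed store standing in for a de-dupe appliance: a block already present costs no extra space."""

    def __init__(self):
        self.blocks = {}         # digest -> block bytes
        self.bytes_received = 0  # bytes that crossed the wire: the LAN/WAN cost the sidebar talks about

    def put(self, block):
        digest = hashlib.sha256(block).hexdigest()
        self.bytes_received += len(block)
        self.blocks.setdefault(digest, block)  # duplicate content is stored once
        return digest

    def stored_bytes(self):
        return sum(len(b) for b in self.blocks.values())


class VirtualDisk:
    """Hypothetical VM disk with change block tracking: remembers blocks written since the last backup."""

    def __init__(self, image):
        assert len(image) % BLOCK_SIZE == 0
        self.image = bytearray(image)
        self.changed = set(range(len(image) // BLOCK_SIZE))  # everything is dirty before the first backup

    def write(self, offset, payload):
        self.image[offset:offset + len(payload)] = payload
        first, last = offset // BLOCK_SIZE, (offset + len(payload) - 1) // BLOCK_SIZE
        self.changed.update(range(first, last + 1))


def backup(disk, store, previous=None):
    """Full backup if previous is None, else an incremental reading only CBT-reported blocks.
    Returns (manifest, blocks_read); manifest[i] is the digest of block i."""
    n = len(disk.image) // BLOCK_SIZE
    manifest = list(previous) if previous else [None] * n
    to_read = sorted(disk.changed) if previous else list(range(n))
    for i in to_read:
        manifest[i] = store.put(bytes(disk.image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]))
    disk.changed.clear()  # close the CBT epoch: the next backup sees only later writes
    return manifest, len(to_read)


def restore(manifest, store):
    """Rebuild the image, re-hashing every block so a corrupt block fails the restore loudly."""
    image = bytearray()
    for digest in manifest:
        block = store.blocks[digest]
        if hashlib.sha256(block).hexdigest() != digest:
            raise ValueError("stored block does not match digest " + digest[:12])
        image += block
    return bytes(image)


def demo():
    store = DedupeStore()
    disk = VirtualDisk(b"AAAABBBBAAAABBBBCCCCAAAABBBBDDDD")  # constructed: 8 blocks, only 4 distinct
    full, read_full = backup(disk, store)        # reads 8 blocks, stores 4 (16 bytes)
    stored_full = store.stored_bytes()
    disk.write(20, b"EEEE")                      # dirties block 5 only
    incr, read_incr = backup(disk, store, full)  # reads 1 block; store grows to 20 bytes
    restored = restore(incr, store)
    return {"read_full": read_full, "stored_full": stored_full, "read_incr": read_incr,
            "stored_incr": store.stored_bytes(), "sent_bytes": store.bytes_received,
            "restore_ok": restored == bytes(disk.image) and restore(full, store) != restored}
```

The full backup sends 32 bytes but stores 16, and the incremental reads and sends a single block; both manifests restore and verify independently, so the old full remains a valid recovery point.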

Backing Up is Hard to Do

One of the biggest challenges of managing a backup infrastructure is that no one wants the job. In large companies, the backup admin position is an ever-revolving door staffed time and time again with junior people. In smaller companies, backing up the infrastructure is a peripheral duty that is often ignored. The result is the same in both cases: Bad backups. One solution to this problem is cloud backup services—or managed backup services, depending on your preferred terminology. The idea is simple: Outsource this undesirable part of IT to a company whose staff specializes in it and you’ll never look back. Cloud backup services take advantage of many of the technologies mentioned here, but allow customers to use the service without having to manage the process. Instead, customers simply install a piece of software on the systems being backed up, and the cloud backup service does the rest. But as with any backup system, make sure you have a way to verify that backups are working the way they’re supposed to be working. The unglamorous world of backups is like the rest of IT, only more so: You never hear from anyone until something goes wrong. Modernizing your infrastructure, when planned and executed carefully, can reduce your liability dramatically. But as you make those improvements, remember the backup mantra: Test everything and believe nothing.

Send feedback on this feature to


Your Life & Career Path

“No! Don’t Tell Me!”
Eight phrases your boss doesn't want to hear.
BY DAVE WILLMER
CIO Career

Maintaining a positive relationship with your boss is key to a productive, satisfying job. And the actions you take—completing your work on time, putting in extra effort when necessary, volunteering to assist with critical initiatives—can help strengthen this bond. However, in some cases, simple words can break it. Here are eight phrases that make managers cringe, with explanations about why you should avoid using them in the workplace:

1. "Just a heads-up ... I won't be able to finish the project that's due tomorrow." It's important to notify whoever you are reporting to when a project is headed for trouble, but the time to do so is well before the situation has become critical. Sitting on a problem until just before the deadline can turn a bump in the road into a multi-car pileup. Give your boss enough time to coordinate the help you need.

2. "That's not in my job description." Economic conditions have greatly increased the value of IT professionals who can pitch in when and where they're needed. Doing so isn't just about sacrificing for the good of the team. Tackling problems outside your comfort zone also helps you build a well-rounded skill set that can open up opportunities throughout your career.

3. "So that's what you wanted? Whoops!" Similarly, when you don't understand what's expected of you, ask for clarification right away, rather than forging ahead in what may be the wrong direction. Asking questions at the outset of a new task or project can also demonstrate that you're thinking strategically rather than just following directions. You might ask, for example, "Should I also run tests on X and Y to see if they're related to that problem?"

4. "Dave's being a jerk. Make him stop." Exhaust your other options before appealing to your manager for help with minor interpersonal difficulties. If a colleague isn't returning your e-mail requests, have you tried following up by phone or in person? On the other hand, note that any serious breaches of acceptable office behavior should be immediately brought to your manager's attention.

5. "I hate to say this, but it was all Tom's fault." Leave the performance evaluations to your boss. In the wake of an unsuccessful project, focus on suggesting ways to improve future results rather than assigning blame. Providing unsolicited assessments of a colleague's performance doesn't inspire confidence in your ability to work with others.

6. "Will you be my Facebook friend?" Inviting your boss into your social media network is often a no-win proposition. Even the best-case scenario—in which your boss happily joins your network—can have disastrous consequences if sensitive personal details spill into your professional life. At the same time, keep in mind that your boss may also prefer to establish a boundary between home and office; nearly half of executives surveyed say they are uncomfortable being friended by the employees they manage.

7. "I didn't think you needed to know." Even supervisors who take a hands-off approach to managing appreciate being kept in the loop about the status of important engagements or resource needs. So when in doubt about whether to raise an issue, put yourself in your boss's shoes: Would you want to know about it? Will raising it help your team meet its objectives? Even telling your boss that a project is running smoothly can be helpful, since it lets him or her know you've got everything under control.

8. "Surprise! I'm outta here." Replacing a productive team member is expensive and time-consuming. In fact, keeping such workers on board is probably one of your boss’ key imperatives. Instead of blindsiding your boss once you've decided to leave, discuss any concerns that may cause you to look for other employment opportunities as they emerge. He or she may be able to address the issue and improve your on-the-job satisfaction. Being open about such things also alerts your boss to problems that may be dragging down the whole team, not just you.

Dave Willmer is executive director of Robert Half Technology, a leading provider of IT professionals for initiatives ranging from e-business development and multi-platform systems integration to network security and technical support. Send feedback on this feature to

Three-Minute Coach

Help! How can I get slackers to pick up the pace?

Robert Hewes is an executive coach with Camden Consulting Group, which helps individuals and organizations achieve their career goals.

Always select one important professional development skill or competence that your staff member needs to develop or improve. To identify that goal, look at the work that needs to be done. Perhaps the person needs to sharpen a technical skill, develop a strategic skill, handle conflict better or communicate more effectively. Talk with your staff member and have them create a short write-up of what the goal is, why it’s valuable and what steps they can take to achieve it. Then—and here is the part that makes a big difference but that most people skip—look for work opportunities where the person can apply this goal. To cap the effort, check in every other month for the next several months to discuss progress toward the goal. Sometimes take the opportunity to offer real-time feedback about an area of professional development in their current role. This is not something you will have the time to do weekly, but keeping an eye out for learning opportunities can make a difference. Providing real-time actionable feedback will go a long way toward meeting your goal of positive change. Additionally, take time once a quarter to conduct group professional development exercises with your whole team. Everyone will get something out of it without anyone feeling singled out. Furthermore, it’s a tremendous way to promote team camaraderie. Never ignore it. Don’t let too much time pass without doing some form of professional development for your people. This is one of the cases where you are making an investment in people. We hear a lot about doing that, but turn the words into actions.

Send queries you might have to

Insights from Members of the CIO Governing Council

K. Murali Krishna

The VP, Computers and Communications Department, Infosys Technologies, Krishna joined the company in December 1984. During his 25-year tenure, he has taken on different job roles. He established and managed Infosys' Systems Integration practice for seven years in Chicago. In October 2007, he moved into an IT executive’s role for the country’s second largest software service exporter.

The Other Side of the Table K. Murali Krishna tells you how he donned the CIO mantle after being in a business role for 23 years.

Photos by Srivatsa Shandilya

CIO Role

Undertaking a job transition exercise is a tough call to make. Challenges abound, apprehensions are raised and a protracted period of uncertainty doesn’t really help. Fortunately, such a situation did not occur when I moved to head IT after spending 23 years as the head of a business unit at Infosys Technologies. But then that wasn’t the first time that I was jumping departments; a change in job profile has been a constant in my career. I joined Infosys in December 1984. After two years, I moved to the software development stream. From there, I moved on to become an account manager. Then in 2001, a big opportunity came my way: Establishing Infosys' Systems Integration practice, a strategic business unit focused on delivering a portfolio of technology services. And this was slated to be one of the company's fastest growing units. I was transacting business in a very dynamic environment. However, I was intrigued to see what it takes to be on the other side of the equation. When I spotted the opportunity of making this lateral move, I gave myself one year to take a decision. With this move to IT, I would complete the circle. But that decision was difficult to take. I was managing a flourishing business unit and I had built the Systems Integration Practice from scratch and nurtured it for seven years. With concerted effort and painstaking research, I had developed a portfolio of services and solutions and aligned them with the market trends. The market was poised to grow at 60-80 percent year-on-year for the business unit. And the business unit was at the inflection point of its growth cycle. Handing over the reins of a thriving business unit required meticulous planning and deliberation. Amid all this, I had to prepare myself for the transition. After working in Chicago for 23 years and handling the business side of things, this move was going to be different. I was working directly with the customer, driving business metrics, managing a large number of people and projects. In such a situation, I was the first line of defense. Moving to an internal business enabling function was like moving to a new orbit. This was a gnawing worry at the back of my head. But the senior leadership evinced trust in my people skills and laid my apprehensions to rest. Today, in my new role, I am a hybrid CIO, not just a migrant from a business function. And my business background helped me immensely, in terms of people management, expectation management, understanding the various department interactions and collaborations. My ability to manage large complex projects and sensitivity to end-customer deliverables has ensured that the role of internal users is better understood. So, when the business demands something from IT, I am able to comprehend the requirements better and meet them. I’ve replaced clients with technology partners. And I ensure that I adopt a project-oriented approach to internal IT projects. Today, I am driving tighter IT-business alignment which is more proactive, egalitarian, participative and inclusive. And all of these best practices I have adopted from my experience on the business side. This has been my winning strategy.

As told to Sneha Jha Send feedback on this column to


CIO August 15 2010 Issue  

Technology, Business, Leadership
