CIO April 15 2010 Issue


Technology, Business, Leadership

Transcript of CIO April 15 2010 Issue

Page 1: CIO April 15 2010 Issue


Page 2: CIO April 15 2010 Issue

Vijay [email protected]

From the Editor-in-Chief: One Hundred Not Out

Just last week, the head of an IT consulting organization asked me how I defined and qualified the success of CIO Magazine. Was it by the amount of revenue it generated or by the profit it made or by the number of events it organized, he queried. None of those, I replied, declaring with more than a little pride that the real victory lay in our influencing you to trust us enough to tell your stories of triumph and failure without mangling up the facts.

In 2005, we were chartered to provide a platform for peer group experience sharing, debate, mutual support and assistance for IT leaders in India. Our mission at CIO India was — and is — to understand the very issues that confront CIOs (and those of people with similar functions, if not designations), and to help them connect with other real people who grapple with similar issues.

One of our first acts was to assemble an Advisory Board comprising current and former CIOs and academics to serve as our primary sounding board. Feedback from the board, as well as its subsequent avatar, the Governing Board, determines topics and articles for the magazine; issues that need to be debated at face-to-face events; and even the way we design and refine the information architecture of www.cio.in.

Real people; real problems; real solutions. Those three short phrases characterize this publication and the various means by which we connect and interact with you.

On the eve of our achieving a major milestone in this journey — our hundredth issue — we still believe that the most important ingredient that goes into making CIO Magazine unique is the experience that you and your peers have gained through formulating and executing IT strategies. Of course, we and you take for granted that we package the information we draw on to help turn data points into the insight that you and your peers can draw on.

So, let me take this opportunity to renew our pledge to you: We will never preach to you or offer a theoretical solution to a hypothetical problem. We will always qualify our content with the touchstone of a practitioner’s experience.

A century is special. And, not just one made by Sachin Tendulkar. Thanks a ton for making ours extra special by sharing your stories, your advice and your guidance.

Here’s looking forward to the next 100 issues. Salud.



Page 3: CIO April 15 2010 Issue

Contents

Deep Dive: Data Loss Prevention | 90. Data loss prevention has gone from a niche technology to something everyone’s offering. In the process, its definition has got a little murky. We clear that up.

Business Continuity: The End of Your World | 82. Power grid hacks, massive DNS rerouting, solar flares — end-times for IT may be more likely than you think. Feature by Dan Tynan

Outsourcing: Bridge to a Better Tomorrow | 24. We must cast off the temptation to splash out as the economy picks up. Outsourcing is one very good way to do that. Column by Aubrey Christmas

Business Leadership

Cover Story: 100 Things to Know | 30. In celebration of our 100th issue, we looked high and low and at all the aspects of your life to present you a list of the hundred ways, strategies, approaches, and ideas that make you who you are — and how you can better fit your shoes. Here they are. Feature by Team CIO

CIO Leadership Summit Season 2: Toward Innovation | 112. Industry leaders tell you how to tweak your systems and build innovation so that it’s part of your process — not the exception.

Cover: Design by Jithesh C C and M M Shanith


Page 4: CIO April 15 2010 Issue

Contents (cont.)

Departments

Now Online: For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Executive Expectations: View from the Top | 78. Ajai Chowdhry, Founder, HCL and Chairman and CEO, HCL Infosystems, on increasing computer literacy in India and dealing with the competition in the Indian PC market. Interview by Varsha Chidambaram

Technology Insight: Fixing IT Up for the Future | 26. The cloud is going to change the way you deal with your applications. How to get ready. Column by Bernard Golden

Trendlines | 11
Government IT | Smart Catch with a Smartphone
Quick Take | Guruprasad Murty on Mobile Apps
Voices | Your Agenda for the New Financial Year
IT Budget | More Money for Security
Enterprise Apps | We’re Not Happy with ERP
Opinion Poll | Who They Gonna Call?
Security | Virtual Servers, Real Threat
Technology | Wi-Fi at the Speed of Light
Alternative Views | Are Chargebacks a Viable Strategy?

Thrive | 122. Communication | Talking Right. Column by Maryfran Johnson

Mentor | 124. Business Strategy | The Extended Enterprise. Column by Rajesh Uppal, Maruti Suzuki

From the Editor-in-Chief | 2. One Hundred Not Out. By Vijay Ramachandran

“A CIO’s position is closest-aligned to the CEO of a company. The CEO’s vision is translated by the CIO,” says Ajai Chowdhry, Founder, HCL and Chairman and CEO, HCL Infosystems.

Page 5: CIO April 15 2010 Issue

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

Publisher: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Executive Editor (Computerworld): Gunjan Trivedi
Associate Editor (Online): Kanika Goswami
Features Editor: Sunil Shah
Copy Editor: Shardha Subramanian
Correspondents: Anup Varier, Priyanka, Sneha Jha, Varsha Chidambaram
Product Manager Online: Sreekant Sastry

Custom Publishing
Associate Editor: Arakali A Harichandan
Copy Editor: Kavita Madhusudan
Correspondent: Deepti Balani

Design & Production
Lead Designers: Jithesh C.C, Vikas Kapoor, Vinoj Kn
Senior Designers: Jinan K V, Sani Mani
Designer: M M Shanith
Photography: Srivatsa Shandilya
Production Manager: T K Karunakaran
Dy. Production Manager: Jayadeep T K

Events & Audience Development
VP: Rupesh Sreedharan
Senior Manager: Chetan Acharya
Managers: Ajay Adhikari, Pooja Chhabra
Manager Projects: Sachin Arora

Marketing & Sales (National)
President Sales and Marketing: Sudhir Kamath
VP Sales: Sudhir Argul
General Manager Sales: Parul Singh
Sr. Manager Client Marketing: Rohan Chandhok
Asst. Manager Marketing: Sukanya Saikia
Asst. GM Brand: Siddharth Singh
Asst. Manager Brand: Disha Gaur
Associate Marketing: Dinesh P
Ad Sales Co-ordinators: Hema Saravanan C.M., Nadira Hyder

Regional Sales
Bangalore: Ajay S. Chakravarthy, Kumarjeet Bhattacharjee, Manoj D
Delhi: Aveek Bhose, Mohit Dhingra, Prachi Gupta, Punit Mishra
Mumbai: Dipti Mahendra Modi, Hafeez Shaikh, Pooja Nayak

Advertiser Index (advertiser, page no.)

3i-Infotech, 73
Accenture Services, 115
ADC India Communications, 113
Adobe Systems India, 27
American Power Conversion India, 62 & 63
Bharti Airtel, 57 & 58
Blue Coat Systems Singapore, 89
Check Point Software Technologies India, 81
D-Link India, 65 & 66
Emerson Network Power (I), 15
Fujitsu India, 60 & 61
Genesys Telecommunications Laboratories, 76 & 77
HID India, 13
HP Enterprises, 55
HP IPG, 3
HP Server, 22 & 23
HP Storage, 49 & 50
HP Technology Services, 20 & 21
IBM India, IFC & 1
Inspira Enterprise India, 7
Intel Technologies India, 17 & 18
Kaseya, 95
Lexmark International (India), 85
McAfee India Sales, 109
Oracle, IBC
PortWise, 91
Ramco Systems, 87
Rittal India, 102 & 103
SAS Institute (India), 75
Sigma-Byte Computers, 117
Smartlink Network Systems, 9 & 10
Socomec UPS India, 5
Steria (India), 69
Symantec, 41 & 42
Tandberg India, 111
Tulip Telecom, BC
Wipro Infotech, 29 & False Cover

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Governing Board

Alok Kumar, Global Head - Internal IT, TCS
Anil Khopkar, GM (MIS) & CIO, Bajaj Auto
Anjan Choudhury, CTO, BSE
Ashish Chauhan, Deputy CEO, BSE
Atul Jayawanty, President Corporate IT & Group CIO, Aditya Birla Group
Donald Patra, CIO, HSBC India
Dr. Jai Menon, Director Technology & Customer Service, Bharti Airtel & Group CIO, Bharti Enterprises
Gopal Shukla, VP - Business Systems, Hindustan Coca Cola
Manish Choksi, Chief Corporate Strategy & CIO, Asian Paints
Manish Gupta, Director-IT, Pepsi Foods
Murali Krishna K., Head - CCD, Infosys Technologies
Navin Chadha, CIO, Vodafone
Pravir Vohra, Group CTO, ICICI Bank
Rajesh Uppal, Chief General Manager IT & Distribution, Maruti Udyog
Sanjay Jain, CIO, WNS Global Services
Shreekant Mokashi, Chief-IT, Tata Steel
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
T.K. Subramanian, Div. VP-IS, UB Group
V. K. Magapu, Director, Larsen & Toubro
V.V.R. Babu, Group CIO, ITC


Corrigendum: Our March 15, 2010 cover story inadvertently said that Financial Technologies runs Sharekhan. It does not. Srinivasan Iyengar’s designation is not Director-IT and Change Management but Director-IT and Operations, and Religare is not headquartered in the Netherlands. Anindya Subhro Biswas is Head of Finance for the Oxford Bookstore, not the Apeejay Surrendra Group. The errors are regretted.


Page 6: CIO April 15 2010 Issue

Trendlines: New * Hot * Unexpected

Government IT: Smart Catch with a Smartphone

Remember when a traffic fine was reason enough not to break the law? No longer. At about Rs 200 a fine, it’s easy to jump a light, pay up, and ride away. Now, Bangalore’s traffic police is fighting back. It’s enforcing a rule that allows the police to confiscate the license of a repeat offender (normally after a third offence, say sub-inspectors unofficially). And they can do that thanks to a unique IT deployment, which links police smartphones to a central database of vehicles, drivers and offenders that dates back to 2001. So, police can check immediately whether someone’s broken the law for the first time or not.

“The purpose of the project was to keep a track of repeat and habitual offenders,” says Pravin Sood, IGP and Additional Commissioner of Police (Traffic). “So that we can ask for stricter punishments.”

As part of the project, the police have also been given Bluetooth handheld printers that can be paired with their smartphones. So, when an offender is caught, his offence is uploaded immediately and the driver is given a printed challan or ticket on the spot. This does away with inefficiencies related to paper challans and — although the police won’t openly admit it — it also lowers some of the potential for corruption, as long as an offender insists on a challan.

The smartphone project, which started in 2007 and is now fully deployed across the city’s 650 traffic officers, is one part of a larger solution that integrates video surveillance and a website, which will go a long way in helping the city’s traffic police. In the last few years, traffic in the city has risen dramatically and is growing between 7 percent and 10 percent every year.

— Priyanka

Quick Take: Guruprasad Murty on Mobile Apps

Mobility: Enterprises are increasingly equipping their managements with a growing number of mobile devices to access corporate data and applications. Varsha Chidambaram spoke to Guruprasad Murty, VP-Infrastructure Services & IS, Microland, on the role that mobility plays in his company’s overall business strategy.

How do you leverage smartphones and other mobile tools in your enterprise?

We support heterogeneous devices ranging from Blackberries to iPhones. We have used a blend of tools to ensure security policies are enforced and the user’s mobility needs are supported. We have also made investments in UC to enhance productivity.

What do you think are some of the challenges that enterprise mobility raises?

With device populism, enterprises now have a scenario where devices may or may not be corporate assets. So ensuring confidentiality and integrity of information is vital. Other than security, managing the apps and expectations of users is a key challenge for CIOs.

What are some of the trends you see emerging in this space?

By 2012, 70 percent of the global workforce will be enterprise mobile users. Also, we are moving away from a Blackberry-only policy to welcoming popular devices. And, across the globe, device OEMs and telcos have taken it upon themselves to open more app stores.

What is the future of mobile apps?

E-mail was the first enterprise app to be mobilized. Organizations have made significant investments in enterprise apps like SAP, Oracle, etcetera. Focus is now to mobilize the critical processes like purchase order approvals and HR-related processes.

Illustration by M M Shanith

Page 7: CIO April 15 2010 Issue

Lend Your Voice: Write to [email protected]

Voices: What Tops Your Agenda for the New Financial Year?

Strategy: The financial year ushers in new plans and aspirations for the IT industry. With the upturn bringing back more buying power, CIOs are gearing up to invest. Priyanka asked your peers where they are parking their money and here’s what they had to say:

“We want to build a BI framework for the enterprise to help us take more informed decisions. We realized that we already had data from the many systems that were previously implemented. We want to correlate the data to get better analytics.”
Sudhir Reddy, CIO, Mindtree

“As always, the prime focus for us will be business-IT alignment. IT is not a back-bencher and for all the new initiatives this year IT will act as a major enabler.”
Sudesh Agarwal, VP-IT, Lifestyle International

“We are looking forward to investing in the 3G space because we believe it will significantly alter the way people watch television.”
Venkat Iyer, Head-IT, Star TV

IT Budget: More Money for Security

When an organization’s spine, its IT department, is attacked, the business gets paralyzed. That’s why CIOs are struggling constantly to ward off threats and ensure that business runs non-stop. And to put effective checks in place, IT leaders are looking to up their security spending.

In an IDC survey conducted in Australia, India, Korea, China, and Singapore, 63 percent indicated that they will spend more money than they did last year on security to address threats and improve compliance. IDC expects greater regulatory intervention from government authorities to drive corporate governance with the introduction of the IT Governance Standard ISO 38500. This is set to increase security software spending among businesses.

A study conducted by Gartner projects that security software and services spending will outpace other IT spending areas this year. Security software budgets are expected to grow by about 4 percent in 2010, outpacing all other areas of infrastructure software. And security services budgets are projected to grow by almost 3 percent, leaving other service areas behind.

The slowdown gave rise to cyber attacks and forced enterprises to look at security with new eyes. The Symantec Enterprise Security Survey 2010 revealed that Rs 60 lakh is the average annual cost incurred by Indian enterprises on account of cyber attacks. A huge majority (81 percent) also incurred direct financial costs in terms of brand reputation and lost revenues.

Sixty-six percent say they have been on the receiving end of cyber attacks in the past 12 months — of which 34 percent say attacks were malicious and external; 23 percent experienced internal malicious attacks; and 31 percent were due to unintentional internal actions. Add to this an increasing sophistication of attacks, small budgets to cover necessary security purchases, lack of IT security experts, etcetera, and you get a list of challenges that hamper security management. “New IT initiatives like SaaS, IaaS and virtualization complicate matters and add to the security woes of enterprises, making management significantly difficult. So, traditional defensive methods also need to change and proactive approaches like reputation-based services, heuristics and basic behavioral knowledge should be implemented,” said Vishal Dhupar, MD, Symantec India.

The bright side is that organizations today are acknowledging that implementing compliance requirements provides an opportunity to revisit their current risk management position and identify opportunities for business efficiency and growth.

— By Anup Varier


Page 8: CIO April 15 2010 Issue


Enterprise Apps: We’re Not Happy with ERP

More than half of companies that implement ERP systems end up garnering no more than 30 percent of the business benefits they expected, according to a study released by systems integrator Panorama Consulting Group.

Some 72 percent of the 1,600 organizations surveyed said they were "fairly satisfied" with their ERP package. But this can be misleading, according to the study: "Some executives are just happy to complete projects, protect the company from risk and give little thought to whether or not the company is better off with the new software or whether or not they're getting as much out of the system as possible."

Panorama's report breaks down ERP offerings into three tiers, with large vendors like SAP, Oracle and Microsoft occupying Tier I; companies such as Lawson, Infor and Sage in Tier II; and smaller players including Compiere, NetSuite and Syspro in Tier III.

More than 35 percent of respondents overall said their projects took longer than expected; just 21.5 percent reported shorter-than-anticipated project times. Forty-three percent said the projects were completed on schedule.

Thirty percent of Tier I projects had time overruns, compared to 18 percent for Tier II and 5 percent for Tier III.

About 50 percent of projects overall ended up going over budget, with 40 percent meeting expected costs. Only 8.6 percent came in at a lower price tag than planned.

Fifty-three percent of Tier I implementations had excess costs, compared to 33 percent for Tier II and 59 percent for Tier III.

Overall, the study's findings are likely familiar music to followers of the ERP space, which has long been filled with stories of lawsuits filed by disgruntled customers, wild cost overruns and failed projects. ERP customers can avoid surprises by taking time to pin down the implementation's true total cost of ownership, much of which has nothing to do with software licenses. Three-quarters of a project's budget tends to go toward implementation, hardware upgrades, customization and other needs, according to Panorama.

Customers should also develop a comprehensive implementation plan, as well as "identify pockets of resistance within the company and determine the organizational change management needed to make the project successful," Panorama said.

Altimeter Group analyst Ray Wang largely echoed that advice.

"People do not invest enough in change management," he said. The length of ERP projects can exacerbate dissatisfaction, he added. "They put in the system, but people's requirements may have changed so much since they did the vendor selection."

These factors illustrate why SaaS (software as a service) is making inroads into traditional ERP, thanks to quicker implementations and easier upgrades, according to Wang.

"It doesn't mean you go SaaS all the way, but there are things that are much better with SaaS," such as human resources applications, which require frequent updates to reflect legislative and regulatory changes, he said.

—By Chris Kanaracus

Opinion Poll: Who They Gonna Call?

Technology has improved customer service, but the majority of consumers still aren’t satisfied. What they want:

[Chart. Items: Special services for loyal customers; More options for obtaining service; Faster service; More knowledgeable representatives; Easier/more convenient service. Values shown on the chart: 39%, 64%, 66%, 67%, 74%. Source: Accenture 2009 Global Consumer Satisfaction Report]

Page 9: CIO April 15 2010 Issue

Security: Virtual Servers, Real Threat

Sixty percent of virtual servers are less secure than the physical servers they replace, Gartner said in a new piece of research. This state of affairs will remain true until 2012, but security should improve substantially after that point, Gartner said, predicting that by 2015, only 30 percent of virtualized servers will be less secure than the physical machines they replace.

Virtualization itself is not inherently insecure, but "many virtualization deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages," Gartner said.

And the problem will get more acute: by the end of 2012 more than half of eligible workloads will be virtualized, Gartner said. "As more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address," Gartner said.

Gartner identified six security risks. First is that 40 percent of virtualization projects are undertaken without information security professionals in the planning stages. "Typically, the operations teams will argue that nothing has really changed — they already have skills and processes to secure workloads, operating systems and the hardware underneath," Gartner said. "While true, this argument ignores the new layer of software in the form of a hypervisor and virtual machine monitor (VMM) that is introduced when workloads are virtualized."

Gartner notes that a threat to the virtualization layer can harm all hosted workloads. The hypervisor, as a new platform, contains new vulnerabilities including ones that have not yet been discovered.

Additional risks include the following: Network-based security devices are blind to communications between virtual machines within a single host; workloads of different trust levels are consolidated onto single hosts without sufficient separation; virtualization technologies do not provide adequate control of administrative access to the hypervisor and virtual machine layer; and when physical servers are combined into a single machine, there is risk that system administrators and users could gain access to data they’re not allowed to see.
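The risk list above lends itself to an inventory check a security team can run before sign-off. This is an added example, not code from the article or from Gartner; the host/VM inventory format, the trust zone names and the approved-admin list are constructed assumptions standing in for whatever a real CMDB or hypervisor API would return.

```python
"""Inventory checks for three of the virtualization risks listed above:
mixed trust levels on one host, VM-to-VM traffic that network security
devices cannot see, and loosely controlled hypervisor admin access.

Added example; the inventory shape below is an assumption, not a real API.
"""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    trust_zone: str  # e.g. "dmz", "internal", "pci" (constructed zone names)


@dataclass
class Host:
    name: str
    vms: list
    intra_host_inspection: bool  # a virtual firewall/IDS sees VM-to-VM traffic
    hypervisor_admins: list      # accounts with hypervisor/VMM-level access


def mixed_trust_hosts(hosts):
    """Risk: workloads of different trust levels consolidated on one host.

    Returns (host, sorted zones) for every host carrying more than one zone."""
    findings = []
    for h in hosts:
        zones = sorted({vm.trust_zone for vm in h.vms})
        if len(zones) > 1:
            findings.append((h.name, zones))
    return findings


def blind_spot_hosts(hosts):
    """Risk: network-based security devices are blind to VM-to-VM traffic.

    A host with two or more VMs and no intra-host inspection point is flagged;
    a single-VM host has no VM-to-VM path, so it is not."""
    return [h.name for h in hosts if len(h.vms) >= 2 and not h.intra_host_inspection]


def unapproved_hypervisor_admins(hosts, approved_admins):
    """Risk: inadequate control of administrative access to the hypervisor layer.

    Returns (host, sorted extra accounts) wherever an account with hypervisor
    access is not on the approved list."""
    findings = []
    approved = set(approved_admins)
    for h in hosts:
        extra = sorted(set(h.hypervisor_admins) - approved)
        if extra:
            findings.append((h.name, extra))
    return findings


def assess(hosts, approved_admins):
    """Run all three checks and return the findings keyed by risk."""
    return {
        "mixed_trust": mixed_trust_hosts(hosts),
        "blind_spots": blind_spot_hosts(hosts),
        "unapproved_admins": unapproved_hypervisor_admins(hosts, approved_admins),
    }


# Constructed sample inventory (not from the article).
SAMPLE_HOSTS = [
    Host("esx-01", [VM("web-1", "dmz"), VM("db-1", "internal")],
         intra_host_inspection=False, hypervisor_admins=["vmadmin", "contractor7"]),
    Host("esx-02", [VM("app-1", "internal"), VM("app-2", "internal")],
         intra_host_inspection=True, hypervisor_admins=["vmadmin"]),
    Host("esx-03", [VM("pci-1", "pci")],
         intra_host_inspection=False, hypervisor_admins=["vmadmin"]),
]
APPROVED_ADMINS = ["vmadmin"]  # constructed approved list

if __name__ == "__main__":
    for check, result in assess(SAMPLE_HOSTS, APPROVED_ADMINS).items():
        print(f"{check}: {result or 'none'}")
```

In the sample only esx-01 is flagged, and on all three counts: it mixes a DMZ VM with an internal one, has no inspection between them, and carries an admin account outside the approved list.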

—By Jon Brodkin


Technology: Wi-Fi at the Speed of Light

Light coming from lamps in your home could be used to encode a wireless broadband signal, according to German researchers.

Researchers at the Fraunhofer Institute for Telecommunications at the Heinrich-Hertz Institute in Berlin experimented with using visible light from commercial light emitting diodes (LEDs) to carry data wirelessly at speeds of up to 230Mb/second.

Research into wireless data communications using LEDs has been going on for years, but the 230Mb/second speed is considered a record when using a commercial LED, according to the Optical Society of America, an organization for optics professionals.

One of the German researchers on the project, Jelena Vucic, said there would be an advantage in using light to carry data over Wi-Fi or another system because the lights are already in a room.

A signal from an LED is generated by slightly flickering all the lights in unison at a rate millions of times faster than the human eye can detect, the OSA statement said. Commercial LEDs have a limited bandwidth of a few megahertz, but Vucic's team was able to increase the amount ten-fold by filtering out all but the blue part of the LED spectrum. The team built a visible wireless system in their lab to download data at 100Mb/second, and then upgraded the system to get 230 Mb/second. Vucic said the team should be able to double the data rate again with some modulation adjustments.

Sending data over fiber optic cable at enormous speeds has been going on for decades. However, taking data transmission to an open environment such as a living room over light from a lamp would be an enormous step, and a challenging one, said Jack Gold, an analyst at J. Gold Associates.

Gold said the German research seems to show data transmission via light only in one direction and only in one room. By comparison, Wi-Fi and other radio transmissions are bi-directional and can pass through walls.

One practical concern in using visible wireless would be getting the data signal to the light itself, Gold said.

—By Chris Kanaracus


Page 10: CIO April 15 2010 Issue


B Y a n u p va r I e ralternative viewsARE CHARGEbACkS A VIAbLE buSINESS StRAtEGy?

Suresh Iyer, CSO, Aditya Birla Minacs

“Why should a predominantly technology-driven person get into a business role and charge internal customers?”

Shekar Sivasubramanian, President and CIO, Ocwen Business Solutions

“through charge-backs you are only providing

greater validation and control to the businesses for the

consumption of It resources.”

if businesses are charged based on the utilization of services or products from a technology perspective, then it offers a change from a fixed-cost model to a variable-cost model. Wherever financial control or capital costs are involved, chargebacks provide accountability and helps translate those costs into meaningful terms with respect to the business needs of the organization.

For every new piece of technology that is bought — hardware or software — the cost can be broken down in terms of the business units that will use it. But a smarter way is to charge based on the number of transactions per user per month. That’ll give the businesses the flexibility to decide on the number of users that will have access. In a transactional model investments are also justified because when businesses consume more, I have to invest more.

We can always convert the fundamentals of a technology consumed into tangible terms and that is the basis of chargebacks. Also, to tackle outsourcing vendors you have to be competitive in your pricing — although an internal IT team always has the advantage of a deeper understanding of the business and its functioning.

And if the charges attached to these on-demand services are in line with market standards then they are completely justified. Chargebacks are not a way to distribute the fat or IT costs that aren’t properly aligned to the business. Through charge-backs you are only providing greater validation and control to the businesses for the consumption of IT resources.

Unless there is a go-to-market strategy associated with technology or IT is catering to separate sister concerns, chargebacks are not an effective model.

The attempt to shift IT from a cost center to a profit center using chargebacks will also shift the responsibility from the CFO to the business heads of the various units. This actually becomes an additional responsibility for an IT department. Why should a predominantly technology-driven person get into a business role and charge its internal customers? The arguments in favor of this are not compelling enough.

And I personally feel that in companies where chargebacks have succeeded, it’s because of the person leading the charge rather than the concept of chargebacks. If it is from a purely internal consumption point of view I think it has more to do with the personality of the CIO, who is already CEO material and who can play a leadership role. Only if the IT department extends beyond itself and serves other entities along with its internal customers, would chargebacks help in a faster integration of the systems and processes.

Considering technology as one composite cost and allocating that across various lines of business is not a workable model. Even in the case of a new project, accounting for everything that goes into the project and attaching the cost to it will act as an impediment to the project. If the project has to fund itself then it is a weak model.


Yays vs Nays


Page 11: CIO April 15 2010 Issue

At the 2009 CIO Summit I was asked the question, "What strategies did you employ to manage the recession?" I candidly replied: "Outsourcing."

Just as quickly I was asked what strategies I would employ post-recession. Again, I responded rather blank-faced: "Outsourcing."

While all the economic indicators point to a steady improvement in economic conditions, it's worthwhile for IT teams to reflect on the lessons learned and keep applying them as we look ahead to the new paradigm we are left to operate in after the economic recession.

This reminds me of one of my first trips to America. I arrived in the country with about US$250 (about Rs 11,000) to my name and the promise of big things to come in my new found employment.

While I knew my new job would soon lend itself to financial prosperity of sorts, in the meantime I had very little to survive on and had to learn to live within my means. That meant having to budget very tightly — eat and live in a measured way — until I was in a better position.

That life lesson has stayed with me throughout my professional career, and it's a philosophy I've carried into my working life as well, and it became pertinent during this current economic recession.

Without the experience of that life lesson at an early age, it might not have been as easy to navigate the recession. Because it taught me that if you manage what you have during the hard times, you can be successful when the good times arrive. But most importantly: whatever the economic conditions, live within your means.

Aubrey Christmas | Outsourcing

A Bridge to a More Sustainable Tomorrow

We must cast off the temptation to splash out as the economy picks up. Outsourcing is one very good way to do that.


Page 12: CIO April 15 2010 Issue

The Lesson

This brings me back to outsourcing. The research firm Forrester estimates worldwide IT-related outsourcing is now about a $120 billion (about Rs 540,000 crore) per year business and that it will continue to grow.

While I suspect the growth in outsourcing is not strictly IT-related — in other words services such as contact centers and mechanical maintenance and engineering have also been thrown into the outsourcing mix — what we can see is that outsourcing offers opportunities for businesses to explore cost savings.

As IT leaders, as well as with the IT strategists, we need to come to terms with the advantages outsourcing offers, rather than frown upon it as some kind of a scourge.

Here at the Employers and Manufacturers Association (Northern), we have successfully managed to integrate aspects of outsourcing by moving all our main infrastructure hardware along with critical application systems to virtualized datacenters. The benefits are operational cost savings in terms of connectivity costs, greater redundancy, stability and reduced downtime.

Outsourcing gives me a number of options on how best to run my department. I retain a core staff with the skill set to manage the day-to-day operation, along with the flexibility to engage further assistance either on a contracted or casual basis.

I liken it to a pendulum that swings high during the life of a major project and swings back once the project is over. The benefit is that the business is not left trying to find work or make up work for employees to do at the conclusion of a project. On the other hand, the contracted help can plan their next move in advance.

Outsourcing is a cautious move tinged with excitement, as we strive not only to make the advantage line, but also to come to terms with what it means to live within our means.

It’s the Future

According to outsourcing advisory firm TPI, information technology and business services save on average 15 percent a year, substantially lower than over-inflated estimates as high as 60 percent.

However, TPI also suggests outsourcing will continue to grow as corporations take an axe to operational costs. In its Outlook for the Global Outsourcing Industry for 2009 report TPI stated: "Coming out of the recessionary markets in late 2009, we will find a strong global outsourcing industry with four to six large, dominant providers that will provide resiliency to the ecosystem that services the needs of major corporations. Ultimately, that ecosystem will service the needs of middle-market buyers as well."

So what the figures are saying is that, like it or not, outsourcing has staked out some legitimacy in the local marketplace and has produced quantifiable bottom-line results that have gained resonance within our industry.

That brings me back to my original point about why I have adopted outsourcing in my IT strategy: it's about living within our means and outsourcing offers the opportunity to do that.

We haven't signed a blank check and handed over all the organization's key functions, but we've selectively sourced the expertise we require to operate an efficient service to our business; while at the same time providing comfort to our key stakeholder — our colleagues — that we have the capability onsite to manage the core functions of the business.

The Failures Aren’t the Rule

The spectacular failure of outsourcing arrangements was highlighted in October 2009 when an IT outage crashed Air New Zealand airport check-in systems, as well as online bookings and call centre systems, affecting more than 10,000 passengers and throwing airports into chaos.

The airline was quick to turn its guns on supplier IBM saying it had fallen "well short of expectations" in this instance.

While the Air New Zealand incident should sound warning bells to those who have invested significantly in outsourcing arrangements — and there is an endless web of literature that forewarns about cozying up to outsourcing as a panacea — outsourcing certainly provides some alternatives and solutions.

While my organization has adopted outsourcing options, first of all we ensured the areas we needed help with were properly functional before handing them over to a third party. It seemed more prudent than handing over something that was broken.

As IT leaders we must continue to lead. We've endured the hard times, matured significantly as a result and, in some cases, shown restraint.

We've continued to demonstrate efficiency and now we must cast off the temptation to splash out as the economy picks up, but instead live within our means. CIO

Aubrey Christmas is the CIO of Employers' and Manufacturers' Association (Northern). Send feedback on this column to [email protected]


Page 13: CIO April 15 2010 Issue

It’s interesting to note how cloud computing affects IT application architectures, specifically the flip side of the coin of data growth: application load. Succinctly put, the assumptions we have traditionally used to design app architectures are increasingly outmoded due to the changing nature of apps. Application architectures are going to change — just as much as IT operations — over the next five years due to the nature of cloud computing apps.

IDC projections indicate that the average company will experience a seven-fold increase in unstructured data (think click stream capture and video storage, etcetera), accompanied by a doubling of structured data (think database row-and-column info). I actually think that IDC's projections are understated on the structured data side, because of the constrained assumptions it (very reasonably) brought to its analysis. The remarkable decrease in the cost of IT brought about by cloud computing will — no surprise to economics majors everywhere — lead to much larger amounts of computing being done, which, in its turn, will lead to larger app architectures and topologies.

The Business Use of IT is Changing

In the past, IT was used to automate repeatable business processes — taking something that already exists and computerizing it. The archetype for this kind of transformation is ERP. That "paving the cow paths" approach to computing is changing. Today, businesses are delivering new services infused and made possible by IT — in other words, creating new offerings that could not exist without IT capabilities.

A dramatic example of this is the way music services have developed. Like the way Pandora delivers customized song

Bernard Golden | Technology Insight

Fixing Up for the Future of App Architectures

The cloud is going to change the way you deal with your applications. How to get ready.


Page 14: CIO April 15 2010 Issue


streams to its customers. It tracks the preferences and feedback of every one of its listeners to ensure each receives a personalized offering. Pandora's service could not exist without the support of massive amounts of computing power, which forms the core of the business. And, guess what, it's all driven by new apps.

The Nature of Applications is Changing

Till now, most computing has been driven by human action — someone making a purchase, requesting a Web page, and so on. In the future, a growing percentage of computing will be driven by non-human activities from devices like sensors. Take electric meters. Instead of your meter being read by a human walking through your neighborhood, the meter itself will connect to the electric company datacenter and upload billing data. However, one of the other ballyhooed characteristics of these smart meters is their ability to give real-time readouts of load to users. This data about electric usage will be invaluable to electric companies to help understand how usage changes with immediate pricing feedback. This will result in far more data than just a monthly reading being sent to their datacenters. And that data will be transmitted in irregular patterns, leading to highly variable loads, thus affecting the nature of app architectures.

Given how the number, type, and nature of apps are changing, what does this imply for the future of apps and the future architecture of apps? The implications are fourfold:

Application load variability will increase: The driver for the vast changes in resource load variability is app load variability. For hotels, the traditional busy times are early morning (checkout) and late afternoon/early evening (check-in). In the future, personalized attention will mean high app load at other times; it will vary throughout the day — all 24 hours of it — rather than being focused during business hours. Apps will need to be much more able to dynamically scale.

Application interfaces will change: Instead of being human- (and thereby screen-) focused, data will pour into apps from other apps, sensors, file uploads, and things we haven't even thought of yet. So service interfaces and upload interfaces will join terminal interfaces. Apps will need to be able to gracefully — and dynamically — add new data streams as inputs.

Application characteristics will change: The increasing importance of geo-location in apps will necessitate the rapid ability to shift context and data sets. If I'm driving in a taxi, the ‘nearby’ services change quickly as the car moves. Being able to shunt data in and out of working sets quickly (and being able to blend contexts as apps support multiple people sharing a nearby context) will become vital. This requires high performance.

Application topologies will become more complex: As scale and variability increase, architecture designs must change. Complex apps often incorporate asynchronous processing for compute-intensive tasks; message queues are often used as part of this approach. Therefore, app architectures need to change to incorporate new software components and app design.

What are some practical steps you can take to ensure your cloud-targeted app can support these new requirements? Here are some suggestions:

Review software components that you plan to use in the app. Many software components were designed to be used in a static environment. A common design pattern for these components is the use of a ‘conf’ file which is edited by hand to configure the component context. Once the conf file is complete, the component is started (or restarted), reads the configuration information into memory, and goes into operation. In a cloud world, in which context changes constantly as new connections and integration points join and drop, this model is unsustainable. Look for components that have online interfaces to update context and dynamically add or delete connections.

Plan for load balancing throughout the app. Many apps support load balancing at the Web server layer, but assume constant numbers (and IP addresses) for app components at other layers. With very large load variability, other layers need to be scalable and need to support load balancing to ensure consistent throughput. Don't design an app with the expectation that only two app components will reside at certain layers. Plan for dynamism and load balancing at all layers.

Plan for application scalability. Maybe this is hammering the point home too many times, but double or triple your capacity planning and app architecture assumptions — maybe even factor in a 10X growth possibility. When you plan for much larger scales, you pay attention to bottlenecks and plan how to relieve them dynamically.

Plan for dynamic application upgrades. Forty years ago, auto manufacturers took two weeks to change over factories to prepare for new model manufacturing. Toyota figured out how to do it in two hours. That meant they had to design for dynamic factory upgrades. Cloud computing, with its 24-hour use cycles, means no downtime for app upgrades. Architecting apps so that the topologies can be changed while users continue to access individual servers requires Toyota-like planning. Likewise, upgrading database schemas (and data sets) to support new app versions necessitates Toyota-like approaches. CIO

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. Send feedback to [email protected]


Page 15: CIO April 15 2010 Issue


Page 16: CIO April 15 2010 Issue

By Team CIO with inputs from IDG News Service

To know about what? Just about every aspect of your life as a CIO. We put your lives under a microscope and studied the hardest and the most interesting parts of it. Now we present our list of the 100 things that make you, you — and how, if we may, you could possibly be better.


Page 17: CIO April 15 2010 Issue

Inside

IT Strategy Pg 34 | Business Strategy Pg 38 | Negotiation Pg 40 | Staff Management Pg 46 | Technology Pg 48 | Resource Management Pg 54 | Security Pg 59 | Change Management Pg 67 | CIO Role Pg 70 | Personal Skills Pg 72

Just in case you haven’t already noticed, the world around us has changed. There are new rules, new goals, new opportunities.

In the next few months, you’re going to be driven to keep pace with the needs of the upturn. These tricks will come handy. You’re going to have to refresh your identity and remind yourself what you really bring to the table. Again these tricks will come handy. New challenges will come your way and once again these tricks are going to come handy.

Let the next few pages be a reminder of what it takes to be you and how to tap into your potential.


Page 18: CIO April 15 2010 Issue


Strategies to Leverage the Upturn

Follow these four and you won’t regret the effort you put into reworking your roadmap during the slump — and it’ll leave your CXO peers smiling.

Reduce IT Complexity

As a strategic play, cloud computing promises to redefine the way IT is consumed and is among the best long-term ways to simplify enterprise IT. Conceptually, it is capable of removing intrinsic complexities from an IT ecosystem and bringing users closer to the real application of technologies with its service model. With management overheads and physical limitations on infrastructure growth out of the picture, businesses can focus more on bettering their time-to-market and increasing their productivity while considerably reducing their costs.

Though it is largely uncharted territory, corporations are increasingly willing to identify and explore the possibilities within cloud computing. Rajeev Seoni, CIO, Ernst & Young, has redirected his efforts to sail in the direction of server consolidation and adoption of cloud computing at his enterprise. “Cloud computing is definitely an area that’s drawing our attention, and how! From the perspective of reduced costs and infrastructure management overheads, it makes a lot of sense to us,” he says.

From the perspective of reduced costs and infrastructure management overheads, cloud computing makes a lot of sense to us. — Rajeev Seoni, CIO, Ernst & Young

Save, Save, Save

Slowdown or no slowdown, saving money never goes out of fashion. And there’s no better option than virtualization to get those 30 percent savings.

Virtualization makes sound business sense to a lot of businesses as they look forward to posting robust growth. Not only does it save costs, it also enhances the management of IT infrastructure. Srinivasan Iyengar, director IT & change management, Aegon Religare, is looking at virtualizing his servers. Initially, his enterprise automated business processes but because it now expects to double its business growth, server virtualization is one of its priorities. “I have to provide increased scalability of my server at minimum costs. And for that, virtualization is the best thing to do. Initially, we didn’t want to indulge in it because virtualization is not very beneficial when you are a startup. Now that we have started growing, we want to move in this direction,” he says.

Vijay Sethi, VP-IS, Hero Honda, invested heavily in virtualizing his servers last year. And this year he wants to do more. “I will think of virtualizing more because we will save on energy and space. Also, we wouldn’t have to buy more servers. Virtualization remains a high priority,” he says.

Keep Customers Happy

The slowdown demonstrated the survival of the fittest. And those that made their customers happy made it through easier. An in-depth understanding of the customer’s needs has emerged as a key business imperative in the downturn.

That’s why Virender Pal, CTO, SpiceJet, is evolving a strategy that makes him more

Cover Story | IT Strategy [7 Tips]

Page 19: CIO April 15 2010 Issue


customer-centric. “We want to focus our attention on serving and understanding our customers better. So, BI is the next big thing for us. We want to understand our customers more closely and connect with them in a more definitive way. We want to know their preferences including flight timings, fares, choice of meals, etcetera,” he says.

Using BI as a tool to respond to customer needs is also a strategy that appeals to Nilesh Sangoi, CTO, Meru Cabs, the fastest-growing player in the space. “After implementing transactional systems, we are now looking at tapping the potential of BI to be more responsive to the market,” says Sangoi. “We are a three-year-old company now and our business processes are maturing rapidly. And that’s why I think it’s the ripe time to deploy BI.”

Sanjay Malhotra, CIO, Amway India, also firmly believes that a robust customer-facing strategy is critical for his company. As an FMCG giant leveraging the direct selling channel, his company needs a strong system to generate and track potential customer leads. “Our independent business owners send us a lot of customer leads. These leads come through various channels. We need an effective mechanism for tracking them and ensuring their speedy closure. One way of doing this is to put our lead management system on CRM. Currently, we are evaluating CRM to deliver on our strategy of customer-centricity,” he says.

Outsource

As the global economy is starting to pull out of the recession, companies are increasingly exploring strategies that will allow them to fuel growth and simultaneously curb costs. On their end, IT decision-makers are leaving no stone unturned to find ways to cope with mounting cost and growth pressures. That’s why outsourcing is once again garnering the attention of IT leaders because of its inherent ability to spread out costs and retain business agility.

Besides generating significant cost savings, outsourcing promises to deliver greater operational efficiency, better quality, and access to a larger talent pool. Little wonder then that CIOs are warming up to the idea of outsourcing strategic IT functions and applications. According to the State of the CIO, 34 percent of Indian CIOs say that the importance of outsourcing as a strategy has increased post the slowdown.

According to Singapore-based IT market research and analyst firm, Springboard Research, 65 percent of IT executives in Indian corporations anticipate an increase in their investment in IT outsourcing in the next two years. CIO

3 Advantages of Being an Early Adopter

Grabbing an upcoming technology in its infancy is a strategy that can give you impressive returns. Don’t shy away.

It’s Easy On the Purse

In 2007, when ICICI Bank, ICICI Prudential and ICICI Securities jointly deployed virtualization, the technology was yet to gain mainstream acceptance. Joydeep Dutta, CTO, ICICI Securities, swears by the benefits of making the early move. “We were the first company in our sector to make the move. And today, our datacenter expenses incurred on power, cooling and servers have come down significantly,” he says.

Umesh Mehta, VP-IT, Asia MotorWorks, also feels that adopting technologies early provides organizations with strategic value and reduced costs. And he talks from experience. “We adopted business intelligence early on. We are growing at a healthy growth rate of 10 percent. And BI supports our growth. It has helped us reduce costs by 20 percent and has boosted our productivity by 35 percent. So we have seen a distinct advantage of early adoption,” he says.

It Keeps You Ahead of the Pack

For most process-driven organizations there is a strong business case to explore emerging technologies. “Early adoption can be your key competitive differentiator. In 2004, we came up with a web portal for intermediaries and our agency force for our customer facing applications. This gave us an edge over other players in the industry,” says BG Pal, CIO, Tata AIG Insurance.

It Eases Your Learning Curve

Sabyasachi C. Thakur, CIO, AIOCD, feels that early adoption gives him the ease of deploying the technology in small chunks. “When the technology matures you are at a better stage of your learning curve to adopt it for your business critical applications. It’s better to start early so that you are better geared for your future. Adopt early with the non-core applications so your learning curve also rises with the maturity of the technology,” he says.

63% of early adopter companies grew faster than their competitors, says A.T. Kearney.


Page 20: CIO April 15 2010 Issue


How to Get Your Business to Embrace You

The buck stops here. Business-IT alignment is your responsibility, not the business’. Follow these three steps to bridge the gap between you and the business.

If your eyes are glazing over at the thought of another business-IT alignment story, it’s time to pay attention. The fact is getting business and IT to align is more than just a nice-to-have. It can make the real difference between the success and failure of an IT project — and sometimes of a company, as this example from Sarv Devaraj and Rajiv Kohli’s book The IT Payoff shows (edited for brevity).

Close Call was in the business of telemarketing and catalog sales. The CEO wanted to implement a data warehouse that would fully integrate various call centers. However, he believed that getting the data warehouse up and running in 3-4 months was just a matter of “getting the right people for the job”. The information system (IS) department was already stretched and therefore outside help was sought. The expectations, with regard to resources and time required, were very unrealistic. The project team spent three times its slated budget and half of Close Call’s IS staff quit after the project. The company’s stock price lost more than two-thirds of its value during the period. The reason for the failure, as stated by a consultant for Close Call, was because they attempted too many technology projects at the same time, a case of biting off more than they could chew. The lesson, in this case, is to set realistic expectations of IT implementations. If you want to avoid that fate, start with this:

Explain Benefits Clearly

Unrealistic expectations often result when the business hasn’t understood the scales used to measure value. Here’s how that worked for one CIO. “When we implemented an ERP solution the vendor had promised things like inventory and cycle-time reduction and productivity improvements in vague terms such that the CEO expected manpower to be reduced by 10 percent,” recalls H. Krishnan, assistant VP-IT, Indian Rayon (A Unit of Aditya Birla Nuvo). “We had to temper those expectations because although manpower count may not be affected directly, the same manpower can easily scale up production, and consequent transactions, by 25-30 percent without additional costs.”

Make Business Sponsors a Key Driver

To ensure that IT projects are run as business projects at Idea Cellular, AVP-IT, Deepak Kulkarni, formed a core team of four people for each project comprising a CXO-level business sponsor, an expert from the business, a vendor project manager and an IT SPOC (single point of contact) who acts as a mediator between the business and technology folks. He tells you why: “The role of this team is to first set the direction to the project, and ensure that milestones are tracked. The business sponsor acts as the primary driver of the project.” But he’s quick to add, “Before the CIO can make such demands from the business, he has to establish his team’s credentials.”

Cover Story | Business Strategy [10 Tips]

Business must give IT notice for things they need. IT has external dependencies which business must know. — T. Jaganathan, Director-Technology, Ajuba

Page 21: CIO April 15 2010 Issue

3 Strategic Decisions You Should Be a Part Of

If you are truly one among your CXO peers, you need to be in the room when these conversations are being tabled.

Mergers and Acquisitions

According to a new Forrester Research report, A CIO’s Guide to Merger and Acquisition Planning, even in 2010, many CIOs are still relegated to mop-up duties when an M&A deal takes place — instead of being part of the strategic decision making. This is despite IT’s pivotal role in providing many of the synergies companies expect out of an M&A. Fortunately, more CIOs are beginning to view M&As as opportunities to lead both the IT and business teams through the integration process and establish themselves as credible and trusted business partners, articulating business strategy well beyond the role of IT cost-center manager.

Sales and Marketing

Today, more than ever, marketing is about engaging customers through multiple channels, including the use of social media and Web 2.0 tools to sense and respond to customer and market needs. That takes a CIO’s responsibility beyond running a CRM system; CIOs should introduce multiple ways their salespeople can connect with customers. They should also look for ways to increase the effectiveness of their sales teams. “CIOs should leverage new-age technology such as business intelligence tools and dashboards to drive new businesses and capture market share,” says Saurabh Verma, senior manager, Software & Services Research, IDC India.

Financial Decisions

Nothing speaks more to the CXO archetype than trading numbers, but it’s a skill few CIOs have mastered. “CEOs often tell me that their CIOs simply can’t understand what the business direction is. Their CIOs are so technical that they end up relying more on their CFOs,” says Kumar Parkala, exec. director and head of IT Advisory, global head of Sourcing, KPMG. The inclusion of the CIO in important financial decisions such as investment planning or drawing up enterprise budgets is a crucial indicator of his or her role in the company’s overall strategic planning. And being in on the money conversations can benefit CIOs, too: it gives them more say over IT budgets. CIO

4 Business Skills You Need to Develop

If you have to get close to the business, the management needs to notice you. Master these skills to make more business sense.

Business Communication

The ability of a CIO to articulate the value proposition of a technology to the business is critical. This is easier said than done since IT concepts are fundamentally complex. It is equally important for a CIO to be able to translate business needs into executable technological terms to his IT team.

Evaluate Risk

It is the CIO’s innovative, creative and entrepreneurial spirit that sets him apart from IT managers. Essentially, good CIOs are bold and take risks; they should initiate projects offering creative new solutions to traditional business problems.

Understanding Numbers

Understanding finance can help CIOs make more effective requests for things their department needs and suggest ways in which the company could improve its performance. CIOs should make decisions based on their companies’ corporate financials. When they have the knowledge and skills to ask questions they can take more informed decisions for the business.

General Management

CIOs should disassociate themselves from the common misplaced perception of being the ‘tech guy’. Heading a non-IT function will help establish that credibility as a manager and win the confidence of their CEOs as key business strategists.

Keep Business InformedRunning a business is like a dance: it’s nice when it’s synchronized. At healthcare outsourcing services provider Ajuba, T. Jaganathan, director-technology, and his team have a monthly tech-ops meeting. Every second Monday, managers from IT and the business sit together and thrash out issues of concern. Action items arising out of these

meetings are closely tracked. IT then circulates a monthly executive report to every business leader with details of proposed new IT initiatives apart from a performance report in terms of issues faced and support metrics, among others. “Business must give sufficient notice to IT for any requirements. IT has a lot of external dependencies which the business needs to appreciate,” Jaganathan says. CIO

P L U S

Cover Story | Business Strategy

REAL CIO WORLD | A p r i l 1 5 , 2 0 1 0 3 9Vol/5 | ISSUE/06

Cover_Story_Part1.indd 39Cover_Story_Part1.indd 39Cover_Story_Part1.indd 39

Page 22: CIO April 15 2010 Issue


4 Ways to Squeeze Your Vendor
We gather four CIOs and let them tell you their negotiating secrets. Master these tricks and you'll get a better deal the next time.

Build Uncertainty
What makes vendors really uncomfortable is the unknown: not knowing where they stand and whether there are alternative solutions that are undercutting them. An effective negotiating method is to build uncertainty. Tell them you're considering alternative solutions or partners. This will give you leverage. Avoid giving out too much information; hint at competition or alternatives, but don't threaten. Be as vague as possible and let them imagine the worst.
— Martin Ewing, (former CIO) & Founder, Pactoris

Know More Than Your Vendor
Before getting into a negotiation, you should have a strategy in mind. You must know exactly what you want to achieve. If you don't have a price-point strategy, your vendor will definitely get the upper hand. To get there, you have to know more than your vendor. And for that, you need to do your homework: find out the price of a typical desktop, network or server. See what price his competition is providing. This will help you bargain hard. And you should always negotiate hard. Till the last minute, don't let the vendor know that you are in his favor.
— T.P. Anantheswaran, Senior VP-IT, Arshiya International

Whet His Appetite
Hint at potential growth within your group companies if the price is right and the product is excellent. For him, that would mean more business, and you'll get a good price. You must try to get as much as you can from your vendor. After your deal is done, ask him to tell you about his new products. Persuade him to let you be the early bird that gets the beta. Offer to help some of your vendors do testing on new versions of their products. This can help you get a say in the development of the tool, plus an early heads-up on, say, new functionality.
— Jeremy Schnorbus, Director IT, NERA Economic Consulting

Separate the Hype from the Truth
Knowledge about the different features of a product is fine, but it's more important to find out what your vendor is not telling you. Knowing the limitations of the product will give you a lot more bargaining power. You should be able to differentiate between good-to-have and must-have. For example, if your vendor says his product is virtualization-ready, ask yourself if you are. Pay only for what you are using. Seek discounts on commercial offerings. It will also help you set realistic expectations for the business.
— Gopal Rangaraj, VP-IT, Reliance Life Sciences CIO

PLUS: Rephrase That!
Three phrases you should never utter in a negotiation.

"You can't make changes..."
Instead of taking a dictatorial stand with the other party, offer to talk it out. When there is a disagreement over the contract, there's always a way to negotiate without getting unpleasant.

"This won't do..."
Starting on a negative note is not a good idea. If you expect more from your opponent, say "I think you'll have to do better than that." Don't be arrogant or aggressive. The fact is, few people will walk away from a deal once it's commenced.

"Let's settle for..."
Never be the first one to quote a price. Let the other party name a figure, so that you get better leverage.

Cover Story | Negotiation [12 Tips]

Page 23: CIO April 15 2010 Issue


Five Tricks to Win Over Your CFO
Negotiating with your CFO is like conquering Everest. Sujit Sircar, CFO, iGATE, tells you what you need to know to get the upper hand.

Show Me the Money
The CIO is like a child who likes to play with new technology. For him, whatever is new is better and hence we should have it. His idea is to ensure that the organization gets all the benefits of the latest technology available in the market. But a CFO believes in numbers. Whatever you invest in has to give a higher return. So if you want to change your ERP, you have to tell me what the organization will get in return. Will it improve productivity or bring in profits? CFOs don't believe in feel-good factors. I can invest the same money in something that propagates sales, or in the market. I will invest in whatever gives me the highest return. You have to give me a reason why I should invest in your proposal instead.

Keep it Flexible
There's something called a variable cost: when sales go up, cost goes up; when they come down, costs also come down. But a CIO works with a fixed cost. However, he has to ensure that whatever cost he is incurring is matched to the revenue. If revenue goes up, my server will be used more, leading to higher costs. But if my revenue comes down, the server will be used less but maintenance will be higher. If the cost is variable, then there is a higher probability of the project being approved. CIOs have to give CFOs that flexibility.

Be Honest
Suppose a CIO has just upgraded to a new ERP and he realizes that the implementation is not giving the benefits that it was supposed to. But because he is emotional about the project, he wants to go on investing. It's like good money chasing bad money. But to get your budget approved, you have to determine that at this particular point in time the system might fail and that you will stop loss: which means you will discontinue the project. You have to tell your CFO that you've reached the stop-loss position.

Mix In-house Expertise with Outsourcing
I would want to ensure that I have the right mix of people and resources. A CIO can get specialized people whose core competency is deploying that particular technology. That would be a lot cheaper. An ideal scenario would be a 50-50 ratio, but it would be great if it's an 80-20 ratio for outsourced and in-house talent. For me that means specialized services at lower costs. He can't say I'll do everything on my own. There's no way that that's going to fly.

Come with a Back-up Plan
If you are telling me X product is the best, I want to know your criteria for evaluation. You can't come to me with a single plan. Any IT implementation impacts the organization. So, if the systems go down, you've got to have a BCP. CIOs should be able to tell CFOs how they plan to mitigate the loss if something goes wrong. They have to explain why we aren't going for a cheaper product. CIO

— Sujit Sircar, Chief Financial Officer, iGATE

PLUS: Types of Negotiators
There are three sorts of negotiators, according to Tom Hayman, founder of Negotiation Expertise. Find out which type is sitting across from you.

Negotiator type: Competitive (expect to: win)
Traits: Controlling, driving, dominant
Tactics: Broken record, intimidation, take it or leave it
Motivation: Taking as much as possible
Focus: Own needs
Goal: To win and control
Trust: Not interested
Use of power: Abuse
Primary emotion: Anger

Negotiator type: Compliant (expect to: lose)
Traits: Detail oriented, analytical, conscientious
Tactics: Concession giving, problem transfer
Motivation: To be liked
Focus: Other party's needs
Goal: Avoid conflict and comply
Trust: Eager to trust other party
Use of power: Gives it away
Primary emotion: Fear

Negotiator type: Collaborative (expect to: benefit mutually)
Traits: Flamboyant, dynamic, people person, listener
Tactics: What if/suppose, concessions, ask why?
Motivation: Satisfy both parties, fairness
Focus: Needs of both parties
Goal: To influence and persuade
Trust: Willing to build
Use of power: Share
Primary emotion: Optimism

Cover Story | Negotiation

Page 24: CIO April 15 2010 Issue


3 (Cheap) Tips to Win Over Staffers
These ideas are not only light on your budget, they will also get you results quickly. Vasanthi Srinivasan, Associate Professor, Organizational Behavior & Human Resources Management, IIMB, tells you why they work.

Thank Them
Mary Kay Ash, Founder of Mary Kay Cosmetics, once famously said, "There are two things people want more than sex and money: praise and recognition."

That's exactly why CIOs need to thank their staffers. Fairly obvious, but it bears repetition. The use of praise to retain employees is one of the most important tools in a leader's arsenal. Sure, staffers are just doing their jobs, but a little praise can get them to go that extra mile, which earns them more praise, and then you have a virtuous cycle.

"People want to make a difference," says Suzanne Bates in her book Motivate Like a CEO. "When they believe that what they are doing matters, it motivates them and stimulates their passion and energy."

However, some managers feel praising staffers too often can spoil them. HR experts say that is bunk. Positive reinforcement won't give employees horns. But there are a few caveats to the praise strategy: don't praise someone when they don't deserve it. And be specific. Saying "nice job" can diminish the value of praise compared to "we tested out that idea of yours and I'm glad we asked your opinion!"

What Srinivasan thinks of this idea: Appreciating work that's done well is a good idea. We are very good at root cause analysis when it comes to failures, but how many times do we do a root cause analysis of our successes? It will allow us to replicate success easily.

Introduce More Accountability
Most experts in people management will tell you that there's nothing like tapping into self-motivation to find that holy grail of HR: employee passion. To get there, CIOs must first build an environment of accountability. Staffers love leaders who communicate their expectations and hold people to their commitments. They also love a good challenge. Believe it or not, giving people more work actually wins them over. And once they have tasted the exhilaration of being accountable and bringing home the results, they are hooked.

"By creating a culture of accountability," says Bates, "you get results, and people feel greater satisfaction, which, in turn, re-energizes and motivates the organization."

What Srinivasan thinks of this idea: Accountability comes only with responsibility. And assigning people responsibility requires delegation, and the heart of delegation is trust. Some of us trust more, some of us trust less; we all need to work on this.

Support Your Staff
CIOs work with knowledge workers, not laborers. Because what your staffers bring cannot be quantified easily, it is important to ensure they're putting in their best. One of the best ways to do that is to listen to and support their ideas. This doesn't only extend to the sympathetic cluck when they're having a bad day. It means listening to their ideas for real. Yet how many times have you turned down an employee's idea saying "that's not the way things are done here"? Even if you were right, who doesn't agree that rules shouldn't come in the way of progress and, possibly, innovation?

What Srinivasan thinks of this idea: I have often found that we assign work to people and review it, but rarely ask them in between whether they need support. All of us, at every level, need support for anything we are doing for the first time. Even people who do repeated tasks need support, maybe more psychological than physical or financial.

I'd add another to this list: Be fair and be seen to be fair. As a manager, please remember you are being watched by others. Therefore, it is not enough to be fair; it is important to be seen to be fair. CIO

PLUS: 5 Signs Your Retention Efforts Aren't Working
You'll know an employee is probably leaving if she:
Avoids greeting or making eye contact with you.
Stops participating in meetings.
Slackens off and her performance drops.
Is increasingly absent.
Demonstrates a sudden change in behavior indicating either suppressed anger or withdrawal.
Source: The 7 Hidden Reasons Employees Leave

Cover Story | Staff Management [14 Tips]

Page 25: CIO April 15 2010 Issue


Cover Story | Staff Management

Retention Strategies: Why Staffers Quit... And Why They Really Leave
Based on multiple studies done at different points in the last 30 years, here is what employees say they actually want from their jobs, and what's most likely to make them resist new offers.
Appreciation
Being 'in' on things
Sympathy and help with personal challenges
Job security
Compensation
Source: Ken Kovach (1980); Valerie Wilson, Achievers International (1988); Bob Nelson, Blanchard Training & Development (1991); Sheryl & Don Grimme, GHR Training Solutions (1997-2001).

Why CIOs Think Their Staffers Leave...
Expecting high attrition, we asked about 100 CIOs what they thought were the top five reasons staffers quit. Here's what they said:
Salary / compensation
Monotony of work
Dissatisfaction with the management
Office politics
Dissatisfaction with company's performance
Source: CIO Staffing Survey 2009

Interviewing Pointers: 4 Personality Types to Watch Out For
He has a gold-plated resume, is extremely hard-working according to his references, and is articulate. But if he's one of these types, you'd best think again before hiring him.

1. Mr Bad Attitude
When I'm interviewing, I am looking for the right attitude because I don't know how to teach that. I learned the attitude versus technical difference the hard way. I hired the absolute best technically qualified individual for a job back in 1988. It was a complete disaster. The individual didn't have any ability to fit in. He was a one-man band who expected all of us to align to his way of thinking. It was a very painful experience; we wasted time and money and eventually had to let the individual go. For me it was the defining moment that shaped my views on hiring.
— Jeff Marshall, CIO, Kohl

2. Cultural Misfit
At a previous employer, we were thinking of moving more apps off the traditional mainframe into more of an open systems environment. I thought it would be a good chance to bring in someone with a different personality who would push the edges and stir things up a bit. What I failed to do was spend enough time up front describing the different scenarios the person would face with our company. Later I learned that his solution to every problem was to fire people and start from scratch. Obviously that was not what I had in mind, nor was it going to work in our company.
— Jeff Carlson, CIO, AIG American General

3. Your Clone
I think hiring managers tend to hire themselves over and over again, so CIOs have to be aware of that. You also have to realize what culture you have as a company as well as what culture you have within your organization. I have two other rules I follow when I'm hiring: hire people who do what you don't like to do, and hire people who have passion for what they do. When I look at the good hires or the great hires, they are people that I hired who were smarter than me to start with, or people who have surpassed my ability in a specific area.
— Alan Etterman, Chief Administrative Officer, JDS Uniphase

4. The High-Beta Hire
The beta hire is someone who has a lot of potential and could totally knock things out of the park, or burn out and fail miserably. From experience I can advise CIOs that they need to spend a lot of time with high-beta hires who are management candidates, no matter how busy CIOs are. Although in the past I have been burnt by a high-beta hire, to this day I still do take them on for manager jobs, but I spend 30 to 90 days in fairly intensive therapy sessions with any new manager in my organization.
— Kelli Crane, SVP and CIO, Thomson Reuters

Page 26: CIO April 15 2010 Issue


4 Technologies With Hidden Devils
Technology is a double-edged sword: it can fix some things, but it can also create more problems. Here are four examples.

SOA
After being a buzzword a few years ago, it looks like SOA is making a comeback with the increased need for agility. "SOA is very useful if agility is a big issue for an organization," says Asheesh Raina, principal analyst at Gartner. "Sure, all enterprises today need to be agile, but there are those who need it more, like the ones which have many customer interface points."

But enterprises drawn to its logical approach must take a step back and ask themselves whether they really need it, given the huge changes and the costs it will entail. "SOA helps in using and re-using certain components independently, and if this is not a requirement of an organization, then implementing SOA is going to be overkill," says Raina. There are companies which invest in setting up SOA and develop internal skill sets to support it, but see decreased outputs because their organization type is not suited to a SOA implementation. For them, SOA definitely complicates things, says Raina.

ERP
It's been said before and it will be said again: ERPs are hard to put in place, are expensive and take too much time. But where ERP really earns its notorious reputation among CIOs is customization. Most organizations need to customize their ERPs to suit their business requirements. But every time the ERP needs an update, the IT team has to roll back the solution to its original state, update it, and customize it all over again. "There are very few things one can do to avoid this," says Raina. "However, this is an issue most organizations can foresee. BPM (business process management) can be really helpful here, because it acts as a middleware which will allow two things: it enables interoperability between different applications, and it allows business processes to be changed frequently."

Virtualization
More organizations are turning to server virtualization to help control server utilization and server cost. But the ease and manageability that the technology brings could actually work against it. Because it becomes so much easier to deploy a new server, IT departments, under pressure from the business, are doing so in the dozens. This unleashes an IT management and license problem which gets worse with every new VM. "Virtualization is a rather addictive technology and IT organizations are spinning out virtual machines faster than they can manage them. The technology warrants a management investment from the start," says Stephen Elliot, a research director with IDC, in an interview with Network World (a sister publication to CIO).

SaaS
The economic downturn has made SaaS a popular word even among the non-tech, because it's being sold as a delivery mechanism that brings down IT's costs, for the short term anyway. "SaaS could also very well fit into the bill," says Raina, talking about technologies that could introduce challenges. "Take, for instance, the case of seasonal technologies," he says. "An organization might need them for a few months in a year, say during the end of a financial year, but they are not required for most of the remaining period." But they still need to pay for it. And experts who have studied SaaS' total cost of ownership over time find its sheen fades. If SaaS is implemented just because it is the in-thing, says Raina, "it will be very complex for an enterprise to handle and they will end up making a mockery of themselves."

Cover Story | Technology [7 Tips]

Page 27: CIO April 15 2010 Issue


Countering Consumer IT in 3 Steps
As IT gears up for employees bringing their own technology to the workplace, it goes through three stages. Knowing which stage you are at will help you take the next step.

Ten years ago, most people used more advanced technology when they went to work than they did at home. Today, that has been turned on its head. Many employees have newer technology at home than at work, and they expect IT support for many of their favorite devices. New consumer electronics such as e-readers, Netbooks and tablet PCs are beginning to infiltrate the corporate environment. How should IT deal with that? Organizations are pursuing these three approaches.

Play ostrich. The head-in-the-sand approach tolerates but does not encourage unauthorized technology, either by having no explicit policy or by ignoring violations. By sidestepping the fray, IT relinquishes any control over which technologies can be introduced and has no ability to coordinate support for new devices or versions. Laissez-faire organizations face a big security risk, as was demonstrated when the first, security-challenged iPhone was introduced. With no limits on consumer technology enforced, IT had a hard time addressing that situation. The ostrich option can also lead employees to believe that IT does not enforce any standards, which can open the door to all sorts of other policy violations. And even if corporate policy states that IT will not support specific consumer technologies, employees often push IT for assistance on the grounds that they are using them for corporate purposes.

Burying your head in the sand can seem like a good way to avoid any big effect on expenses and infrastructure. Soon enough, though, you'll find that you're racking up enormous support costs and significant infrastructure complexity.

Ban it. Some organizations, including the Pentagon, some financial services firms and extremely low-margin businesses, have opted to lock down their infrastructure and prohibit employees from introducing their own technology. They have decided that they can't afford the security risks that accompany more wide-open policies, or that they just can't afford the cost of all that additional support. Unless security and cost concerns are truly compelling, employees are not likely to understand IT's reluctance to support commonplace consumer electronics. Policies prohibiting employee technology are viewed as unsympathetic to employee needs, and explanations citing security, interoperability and reliability concerns are often interpreted as excuses for laziness. In the worst case, IT can come to be perceived as the 'technology police' and a roadblock to productivity. Once that happens, IT risks losing peer support for its initiatives.

Condone it. Some IT organizations publish a list of approved technologies and agree to provide limited support for listed items. This is an excellent approach for organizations whose constituents purchase their own technology, such as students, franchisees, consultants or closely integrated suppliers. Typically, permitted applications and hardware devices adhere to open communications standards. Consumer hardware such as iPads and smartphones is more difficult: each device must be evaluated to determine standards adherence, support requirements and infrastructure impact before appropriate support levels are defined.

This approach enhances IT's reputation for being flexible and responsive and allows for the coordinated introduction of new devices or applications. But it has its costs. Employees may take advantage of IT's flexibility and expect support for unapproved technology. In addition, IT needs a process to monitor the market and evaluate requests quickly. Finally, infrastructure costs can be enormous. IT must support a wide variety of (often redundant) devices and software. This demands an extremely secure, highly flexible and very expensive infrastructure.

None of these options is perfect. But IT cannot afford to turn away from this increasingly important issue. And avoiding a decision implicitly creates an ostrich strategy, which is clearly the most problematic. It's better to agree on a corporate policy, publicize it and start budgeting for the projected impact. Do nothing and you risk having your corporation appear in tomorrow's headlines as the latest entity to have its security breached, its data compromised and its CIO replaced. CIO

65% of respondents say user-centric apps are effective at controlling costs. Seventy-six percent say it has helped them improve process efficiency at their organizations.
Source: npower network

Cover Story | Technology

Page 28: CIO April 15 2010 Issue

Cover Story | Resource Management [ 10 Tips ]

4 Best Practices in Infrastructure Management
Swamped by the exponential growth of data and new technologies, it's getting difficult for CIOs to manage their infrastructure. Sivarama Krishnan, executive director, PwC India, tells you how to go about it.

Adopt an Integrated Approach
Today, more and more CIOs are beginning to ask: What are my resources? How effectively am I managing them? How can I reduce my response time? How can I enhance the quality of servicing? The answer lies in adopting an integrated and comprehensive approach while managing IT resources throughout their lifecycle. If you look at it from an investment perspective, business demands are growing and the only way CIOs can cope is by enhancing the use of existing resources. That's where infrastructure resource management (IRM) steps in to provide agility and flexibility to respond to the business and market conditions.

Keep It Dynamic
Another way CIOs can cope with increasing business needs is to keep their IRM dynamic. Until a few years back, the creation of a dynamic infrastructure was hindered by a lack of advancement in technology. But today, with virtualization and cloud computing, you can keep yourself very dynamic, cost-lean as well as resource-lean. However, when it comes to cost, there has never been a trade-off between business and IT. But post-slowdown, this is changing. In large companies, CIOs are asking themselves: Since my budgets are getting curbed, can I have an alternate management of resources?

Also, CIOs have to focus on cost of servicing and ROI. But more often than not, they tend to ignore ROI. I firmly believe that cost of servicing and chargebacks to business are the two areas they need to focus on while deploying a dynamic IRM. Also, chargeback to business brings in accountability while using the resources.

Join Hands with Other Firms
One of the best ways to manage your infrastructure is to partner with other technology firms. Bring in their knowledge to keep your teams abreast of what is current. Most large companies have already moved to shared services and some are moving from distributed resource management to centralized resource management.

CIOs should create a large shared service pool and leverage it to house skills in tune with current market needs. Shared services also help bring new resources on board and provide value to the business. Exploiting and exploring the skill sets that vendors are providing to the organizations is a good way of increasing your IT team's know-how.

Consolidate Your Resources
Consolidation paves the way for increased manageability and flexibility. Not only does it lower costs but it also reduces the complexities of infrastructure management significantly. It provides you with the power to appreciate shared services and distribute them. Also, it is impossible to manage resources manually.

You need to have an integrated technology tool to aggregate and monitor the usage of resources to ensure that they are effectively utilized. It is also critical to bring in specialized agencies to manage your resources rather than doing it all by yourself. CIO

It is impossible to manage resources manually. You need integrated technology tools. — Sivarama Krishnan, Executive Director, PwC India

Vol/5 | ISSUE/06 54 April 15, 2010 | REAL CIO WORLD


Page 29: CIO April 15 2010 Issue

Cover Story | Resource Management

How to Extract More from Your Staff
Yes, extract. Don't be ashamed of saying it. It's part of your job as CIO. Here are three ways to use your staff more optimally.

Consolidate
V. Balakrishnan, CIO, Polaris Software, has capitalized on his company's global integrated networks to attempt to consolidate the huge number of people the IT services company has. "Since we have global networks, we make sure that only one or two people deliver functionality across the world. This ensures that we don't need to keep and maintain people at every location. We use VoIP, virtualization and audio conferencing to limit the use of manpower. If you have 20-30 functions you don't need separate teams; one team is sufficient," he says. These strategies have helped him, and his large team, slash opex and improve quality of services.

IT-enable Work Sharing
Often, there are daily tasks that are assigned in an ad hoc manner. We all have them: it could be the one system that needs patching or a new in-house application that needs a tiny tweak and can't wait. And these throw a spanner in your planning, making it a challenge to ensure that some resources are not overloaded while others are idle. That's why Sankarson Banerjee, CIO, India Infoline, has deployed a multiple project management tool on Open Source. "We've combined technology and daily meetings (derived from agile practices). Our tool helps us allocate work and track if it was completed or not. It also helps us identify people with too much or too little workload," he says.

Get Them to Multi-task
For Sriram Naganathan, CTO, Reliance General Insurance, all job roles are rolled into one. "At the lower level, our IT staff acts as business analysts and developers. At the senior level, we have given them business roles. My senior project managers are aligned with claims processing and BI. So, apart from IT they contribute to business functions as well," he says. This strategy not only saves manpower but also exposes IT staff to business functions. CIO

84% of employees feel that there is nothing wrong with surfing the Net at work, says an Assocham survey.

3 Reasons to Have a Budget for Experiments
Anwer Bagdadi, executive director, Paraphore BIV, a remote infrastructure management company, allots 5 percent of his budget to innovation. Why you should try it too.

1 It Leads to Innovation
I strongly believe that every CIO must consciously allocate a part of the budget for experiments; otherwise you can't innovate. And some of these experiments could yield great returns for your company. It broadens your horizon because you are not restricted to the budget that has been allocated to fulfill a business need. With money for innovation in your hands, you can experiment as well as live up to the business' expectations at the same time. And learn in the process.

2 It De-risks Technology
If I were to go to the management and tell them that we will implement a data warehousing system or a BI solution, they would get daunted by the risk involved. So, I took out about two percent of my budget to do a PoC. We started to educate and convey a variety of scenarios to different departments who'd be the end users. The management could see that there was a small cost involved and a clear-cut deliverable. We were able to demonstrate that we could achieve the perceived goals.

3 It Keeps Your Team Current
CIOs are constantly inundated with multiple vendors coming in with new technology changes. They are informed about the possible benefits which these technologies can deliver. Normally, these things are not part of your budget. An organization which has a fairly well entrenched budgeting process does not accept technology for the sake of technology. It would like to see business benefits. An experimental budget lets you do a pilot so that you can articulate like your vendor.



Page 30: CIO April 15 2010 Issue

Cover Story Security [ 9 Tips + 3 Bonus ]

As more IT resources are centralized, it is very important to have multiple layers of security. — Nareshchandra Singh, Principal Research Consultant, Gartner

Growing Security Threats
As the world of business evolves, so do the risks. Here are five trends that need to be on your radar because they will, if they have not already, give rise to new security issues.

The Rise of the Mobile
According to a recent Ponemon Institute report, 59 percent of enterprises rated the data employees access over mobile devices as important to very important. Yet only 26 percent said they encrypted data on mobile devices most of the time and 51 percent said they never do. If IT leaders had problems with the loss of laptops, they'd better be prepared for a larger monster with smaller smart phones. "It is then very important that the device one is using is updated with the latest security apps and ensure that proper authorizing technologies are deployed so that only the right person can access information," says Nareshchandra Singh, a principal research consultant at Gartner. Experts also advise prohibiting the storage of data on client devices and using highly-evolved encryption methods.

Expanding Social Networks
When the term social engineering was coined, the world was a simpler place. Today, the risks of social engineering have increased manifold. According to a Sophos Security Threat Report, 70 percent of enterprises say their employees have been sent malware via social networking sites, a sharp rise from 36 percent last year. "All these Internet applications which have a social touch are very popular sources of security threats. And with a new generation workforce you cannot limit someone's Internet access," says Singh. Fraudsters are also adding new ways to reach and strike victims. Take smishing, for example. Now scammers have graduated from using social networks to mobile phones (using SMS) to elicit personal information.

Consolidation
Consolidation was the number one priority of CIOs in 2009, says the National Association of State Chief Information Officers. Yet that strategy comes with a downside: once all the eggs are in one basket, it becomes crucial to guard the basket. "As more IT resources are centralized, all the systems that were placed remotely are now in-house. It is thus important to have multiple layers of security," says Singh.

Globalization
As more companies imbibe the world-is-flat mantra, the risks to the supply chain increase dramatically. What used to be local threats like natural disasters, deliberate attempts at vandalism, or even malware, now set off alarms at a company's headquarters. This requires crisis management plans to be expanded, closer monitoring of evolving situations and better IT security. And since the resources available to an enterprise are often limited, CIOs should envision an adequate supply-chain resilience strategy. "This is an absolutely valid security threat. Many people in the supply chain are not internal company employees yet have access to a company's internal resources," says Singh. "Hence, safeguarding the supply chain is very important."

Empower the Employee
It's a well-known fact that insiders are the most dangerous threat to an organization. According to CIO's Indian State of Information Security 2009, 87 percent of all security breaches can be traced back to employees, former employees and contractors. As more companies empower staffers, company secrets are more vulnerable. "Employees, obviously, have lower levels of security barriers to pass to get to company information," says Singh, "and they can cause a lot of damage." Red flags to watch out for: employees who suddenly start working late, or those trying to access information not directly required for their work. CIO
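The two red flags above (a sudden rise in after-hours activity, and access to information outside a person's job) are easy to state but only useful once they are checked against actual access records. The script below is an added example written for this edit, not code from the page, from Gartner or from any vendor. It runs both checks over a constructed access log. The log format ("ISO timestamp, user, resource"), the role-to-resource mapping, the 8 pm to 7 am after-hours window, the start of the "recent" window and the minimum-event threshold are all assumptions. It goes slightly beyond the text in one respect: "suddenly" is measured against each user's own baseline, so a person who has always worked late is not flagged for continuing to do so.

```python
"""Insider red-flag check over an access log.

Added example for this page; it is not code from CIO Magazine, Gartner
or any vendor. The log format ("ISO-timestamp user resource"), the
role-to-resource mapping, the after-hours window and the thresholds
are all assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): "timestamp user resource".
SAMPLE_LOG = """\
2010-04-01T09:12:00 asha crm/accounts
2010-04-01T10:40:00 asha crm/accounts
2010-04-02T09:05:00 asha crm/accounts
2010-04-02T22:47:00 asha hr/payroll
2010-04-03T23:10:00 asha finance/board-plans
2010-04-03T23:15:00 asha finance/board-plans
2010-04-01T08:55:00 ravi hr/payroll
2010-04-01T21:30:00 ravi hr/payroll
2010-04-02T09:20:00 ravi hr/payroll
2010-04-03T09:00:00 ravi crm/accounts
2010-04-03T21:30:00 ravi hr/payroll
"""

# Assumed job roles and the resource prefixes each role legitimately needs.
USER_ROLE = {"asha": "sales", "ravi": "hr"}
ROLE_RESOURCES = {"sales": ("crm/",), "hr": ("hr/",)}

AFTER_HOURS_START = 20  # 8 pm (assumed working-hours boundary)
AFTER_HOURS_END = 7     # 7 am
RECENT_FROM = "2010-04-02T00:00:00"  # start of the "recent" window (assumed)


def parse_line(line):
    """Split one log line into (datetime, user, resource)."""
    ts, user, resource = line.split()
    return datetime.fromisoformat(ts), user, resource


def is_after_hours(ts):
    """True if the timestamp falls in the assumed after-hours window."""
    return ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def in_role(user, resource):
    """True if the resource falls under a prefix the user's role is allowed."""
    prefixes = ROLE_RESOURCES.get(USER_ROLE.get(user), ())
    return any(resource.startswith(p) for p in prefixes)


def find_red_flags(log_text, recent_from=RECENT_FROM, min_recent_after_hours=2):
    """Return {user: [flag, ...]} for the two red flags the article names.

    Flag 1: after-hours events in the recent window that exceed the user's
    own baseline (someone who always works late is not 'suddenly' doing so).
    Flag 2: any access to a resource outside the user's role.
    """
    cutoff = datetime.fromisoformat(recent_from)
    baseline_late = defaultdict(int)
    recent_late = defaultdict(int)
    out_of_role = defaultdict(set)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource = parse_line(line)
        if is_after_hours(ts):
            bucket = recent_late if ts >= cutoff else baseline_late
            bucket[user] += 1
        if not in_role(user, resource):
            out_of_role[user].add(resource)

    flags = {}
    for user in sorted(set(baseline_late) | set(recent_late) | set(out_of_role)):
        user_flags = []
        recent, baseline = recent_late[user], baseline_late[user]
        if recent >= min_recent_after_hours and recent > baseline:
            user_flags.append(
                f"after-hours activity rose from {baseline} to {recent} events")
        if out_of_role[user]:
            user_flags.append(
                "out-of-role access: " + ", ".join(sorted(out_of_role[user])))
        if user_flags:
            flags[user] = user_flags
    return flags


if __name__ == "__main__":
    for user, user_flags in find_red_flags(SAMPLE_LOG).items():
        print(user, "->", "; ".join(user_flags))
```

On the sample log, "asha" is flagged on both counts (three after-hours events in the recent window against none before, plus payroll and board-plan resources outside a sales role), while "ravi" is flagged only for a single out-of-role CRM access; his one late evening per window is his normal pattern and is not reported. In a real deployment the role mapping would come from the identity system rather than a dictionary, and a flag is a prompt for a human to look, not proof of wrongdoing.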


Continued on Page 64


Page 31: CIO April 15 2010 Issue

Cover Story | Security

4 R's to Build a Business Case for Security
Security is like life insurance: everyone wants it, but no one wants to pay for it. Khalid Kark, Principal Analyst, Forrester Research, tells you how to get your management to be less myopic.

Reputation
The impact of security breaches on well-established brands has resulted in huge financial losses. Not only are external threats from the hacking community becoming more sophisticated and targeted, the amount of damage done by internal threats has also been steadily increasing. CIOs must underscore the importance of security for the company's reputation.

One pharmaceutical company started getting complaints of adverse patient reactions from a geography where they had minuscule sales. The security team, working in conjunction with the fraud department, uncovered that a business partner account had accessed manufacturing details and packing specs for the product a few months earlier. Moreover, this partner was suspiciously monitoring the business and marketing plans from a centralized server. Further investigation showed that counterfeit drugs were being manufactured and sold in that geography under the same brand name. By stopping the activity, the security team protected the brand from further damage.

Regulation
As regulations stack up, requirements seem to increase exponentially. CIOs are not only tasked with managing IT compliance requirements to multiple regulations, but doing it so efficiently that a single audit or assessment can be used multiple times. CIOs should focus on the following areas when articulating the value of regulation: complying with multiple regulations by developing a common security and audit framework, and avoiding fines and penalties for non-compliance.

Revenue
Although information security does not always contribute directly to the revenue of a company, it's often instrumental in protecting corporate intellectual property. But savvy CIOs go one step further and bolster their value articulation by pointing out that security helps with protecting IP from being stolen or disclosed and with finding new business by marketing better security. In some industries, such as financial services, information security is part of the corporate marketing. Bank of America, for example, has successfully marketed itself as a bank that values its clients' privacy and security. As a result, the bank has come up with innovative ways to increase revenue through consumer security, such as offering two-factor authentication tokens for a small fee.

Resilience
Resilience is a top concern due to pandemic scares and natural disasters. Many companies realize during these unfortunate disasters that they had no plans and processes to deal with them effectively. Security can help by ensuring continuity of critical business processes during these times and by coordinating and responding to threats and incidents efficiently.

A service provider in the Gulf region lost all its business when both its datacenters, 30 miles away from each other, were destroyed in hurricane Katrina. The company did not recover from this loss and had to file for bankruptcy. On the other hand, a financial services company was not only able to switch over to its back-up facility without any major hitch, but was also able to account for 99 percent of its staff within three hours of a large hurricane hitting. The business continuity efforts were spearheaded by the security team and coordinated with the disaster recovery team from IT. Although the company did suffer a loss, it was able to recover completely in less than 48 hours. CIO

81% of Indian organizations have incurred brand or financial losses in 2009 due to cyber attacks.
Source: Symantec study

PLUS
3 Facts that Plague Security

Vendors don't need to be ahead of the threat, just the buyer
No other issue plagues the security industry more than this one. Vendors work with a single-minded agenda: to make money, not to provide permanent security solutions to customers.

There is more to risk than weak software
A majority of the security concerns hover around weak software. Bad configurations and poorly-trained staff can be equally threatening to an enterprise.

There is no perimeter
It is easier to put a security net in place if an organization is able to clearly define its perimeter; it could be the endpoint, or the user.

Page 32: CIO April 15 2010 Issue

Cover Story Change Management [ 12 Tips + 3 Bonus ]

Get Your Troops to Fall In Line
You know the drill: Change is the only constant. Now, Janet Gasper Chowdhury, Managing Consultant (People & Change practice), PwC, tells you how to outflank change.

Major Change Challenges
The big hurdles in managing change, according to a survey of IT executives and senior managers:

Changing mindsets: 58%
Corporate culture: 49%
Complexity is underestimated: 35%
Lack of higher mgt. commitment: 35%
Lack of change know-how: 20%
Lack of transparency: 18%

Source: The IBM Global Making Change Work Study

Tactic 1: Build Credibility
Evidence suggests that people are antagonized by the way most organizations bring about change. At best, people comply reluctantly and, at worst, actively resist management initiatives. Either outcome amounts to wasted time and resources, because a management that is misaligned with human nature requires expensive controls to police its employees' behavior.

The problem is that decisions are made by management behind closed doors without input from the very staff who are expected to change their behavior. It is important to involve people to understand their concerns and apprehensions. Leadership needs to be in tune with what is happening at the grassroots and CIOs need to know the truth at those levels.

Tactic 2: Communicate with the Troops
Employees resist change only when that change is foisted on them without their consent. Conversely, they are open to change when they understand and accept the reasons for it. At far-sighted companies, IT leaders, with the sponsorship of executive management, have a clear vision of what they want to achieve. They nurture alliances with business unit leaders, set an example by being early adopters, and communicate continually using a variety of on- and off-line vehicles.

Specifically to your department: The issue of job loss is one of the many concerns that employees have. But this may not be the case, and a CIO can re-train and re-deploy staff. It is poor communication that makes employees think that there will be job loss because their manual tasks will now be done by a system.

Tactic 3: Stick to English
Success in IT requires common understanding. Members of the executive management team are able to communicate effectively about finance, for example, because they all speak the same language and agree on a common set of financial metrics. These corporate leaders do the same with most elements of operations, customer service, and marketing. IT is no different. Much of the responsibility for demystifying IT lies with the CIO. Far-sighted CIOs speak the language of business. Instead of confusing non-IT staffers with abstruse technological references, experienced CIOs successfully bridge the business-IT communication gap. The ability to translate the promise of IT into business reality is what allows effective CIOs to transform IT from a legacy-burdened infrastructure to a strategic enabler of corporate performance.

Page 33: CIO April 15 2010 Issue

Cover Story Change Management

Tactic 4: Train More
Today, companies acknowledge that their most important assets are their people. Few, however, actually follow through on this belief. Change projects still typically devote the bulk of their budgets to technology and processes rather than staff issues. They invest minimally in educating people about new systems and processes, which leads to the failure of IT initiatives.

More often than not, change management is confused with training. It is not. Change includes understanding people readiness, identifying groups of impacted people, branding a change initiative, involving people in decisions, driving initiatives to help build awareness and change mindsets, measuring the impact of change, etcetera.

Tactic 5: Don't Block Incoming Traffic
Leading companies solicit feedback from employees affected by a new IT program or initiative. They survey employees and communicate directly with them. They also offer support to anyone having follow-up questions after an implementation. To maintain momentum, these companies also acknowledge progress with the new programs and initiatives, scheduling meetings during which employees can discuss positive interactions as a result of the changes that took place. CIOs have to offer employees a forum to voice their opinions about IT initiatives. CIO

More often than not, change management is confused with training. It is not. It's a lot more and then some. — Janet Gasper Chowdhury, Managing Consultant (People & Change practice), PwC

Notes to Self: On Change
Resistance is a natural reaction to change, and the energy inherent in it can be channeled to support — rather than cripple — technology adoption.

If something is perceived as running against organizational culture then chances are high that it will simply fall through.

'Anytime' is not always a good time to bring about change. And there is no 'one time' that works best. In short: timing is crucial.

PLUS
7 Moves to Make in Your First 100 Days
You've changed jobs and the first hundred days are crucial to building the right rep among your peers. This is what you need to focus on to create the right impression.

1 Get a heads up on information like who is on the management committee, where the board meets, how the audit committee works, and what is the overall investment strategy of the organization. This will help you network better and also give a clear understanding of their concerns and the best way of approaching them.

2 Establish contacts with people from all rungs of the organizational ladder and try to learn as much as possible about the good and bad of your new organization. These inputs, along with a study of existing processes and procedures, will help you formulate a clearer go-forward strategy for the organization.

3 Attend meetings you wouldn't normally attend, work closely with the hands-on folks and equip yourself with internal jargon and acronyms so as not to feel left out of the discussions.

4 Go beyond the walls of the IT department and into the field to other departmental meetings, on sales calls, to customer sites. You can boost your credibility by demonstrating your commitment to learn how the organization works, whom IT serves internally and externally, and how users feel about their experience with IT.

5 Differentiate between urgent and important decisions and define an early victory, the size and magnitude of which is clearly not of the essence. This is so that you are seen as being proactive.

6 'Don't fix it if it isn't broken' may not always be the best approach. Creating efficiencies or cost-effective solutions for things that aren't broken can contribute as much or even more than fixing broken processes.

7 Get an independent third party to identify your weaknesses, especially if you must eliminate inefficient processes or identify which legacy systems are money-losers. Bringing in outside experts to deliver the unvarnished truth enables you to establish a baseline and develop long-term planning. CIO

Page 34: CIO April 15 2010 Issue

Cover Story CIO Role [ 10 Tips + 3 Bonus ]

Five Keys to the Boardroom
According to a CIO-IIMB study only 7 percent of CIOs have been assigned board duties. We spoke to K. Ramsamy, chairman, Roots Group — who promoted his CIO to the board — to find out how you can buck that trend.

CIOs should have the ability to understand where their companies are — where their boards want to take them. — K. Ramsamy, Chairman, Roots Group

Why I Switched to a New Job
What you too should probably be looking for, because there is more to a new job than more money.

Dhiren Savla, from Kuoni India to CRISIL: "Today, I am in a challenging role where IT is a differentiator and an agent for the diversification of the business rather than being just an enabler."

J. Ramesh, from MIRC Electronics (Onida) to Crompton Greaves: "I am delighted to work on integrating systems and offering solutions that support a fast growth in M&As, which CG has been a part of in the recent past."

Suresh Kumar, from KPMG to Grant Thornton: "For my new position I was offered partnership at the firm. Today, I am heading the IT advisory practice, which is a revenue generating and client facing unit."

Engage with Customers
CIOs and their IT teams need to create ways to establish meaningful, business-driven, and quantifiable engagements with their customers, both internal and external. Unlike other department heads, CIOs have an excellent enterprise-wide perspective with access to functional silos. K. Ramsamy, chairman, Roots Group, feels that in order to be a successful director on the board a CIO "needs to possess an exceptional ability to handle people at all levels while strictly adhering to the company's culture in every move he makes." So if CIOs identify business model-based opportunities for customer intimacy, their perspective will complement those of the CEO and CFO, and that will play a crucial role in opening the doors to the boardroom.

Stay Ahead of the Curve
Stay ahead of the trend in your own company and your industry instead of being bogged down with internal issues. Keeping abreast of industry movements and having a clear understanding of the company's operations is important if a CIO is to deliver business value. "He should have the ability to understand where his company is and where he — and his board — wants to take it. He must create a strategic approach to take the company to that place," says Ramasamy.

Focus on the Big Picture
While they recognize the importance of details, most board members want to focus on the big picture and don't want to see data that's not presented in a simple fashion. They want dashboards and report cards — not pages of text. So a CIO's ability to focus on the larger picture and not get caught up in

Page 35: CIO April 15 2010 Issue

REAL CIO WORLD | A p r i l 1 5 , 2 0 1 0 7 1Vol/5 | ISSUE/06

the intricacies (which is easy, given how part of the CIO role is operational) is key. In his book, The Practical CIO: A Common Sense Guide for Successful IT Leadership, Jose Carlos Eiras says, “CIOs should stop focusing on the specific needs of IT and losing sight of the big picture. Moreover, emerging requirements such as ISO 38500 (international standard created to guide the corporate governance of IT) necessitate that the board is responsible for tracking how IT is being used for governance. At the board level, who can explain it better than the CIO.”

Establish Yourself as an Industry ExpertGet in the sights of your board by being recognized as an established industry expert through published pieces and speaking opportunities at forums. According to Ramasamy, “A director must have the knowledge about the companies overall operation and the vision and the caliber to lead the company to face the future challenges.” And joining industry groups, CIO forums, attending meetings, and taking active part in its activities are great ways for CIOs to find their footing on a larger canvas. They are also a perfect place to showcase IT leadership since they these are attended not just by CIOs but by CEOs and board members of other organizations.

Join the Board — of Another CompanyGet a seat on the board of a small technology firm, or of a non-profit. These organizations are more than willing to welcome the contributions of a CIO at the board level and everyone benefits.

And if your own company is not already a household name, your board activity will broaden your brand across a new network of executives and this will help increase visibility for your company. Sitting on a board can also help expand your circle of potential advisers as you will get to connect with other professionals like academics, researchers, and even venture capitalists. This access could help you address some issues in your own company by learning from experiences in their industry. CIO

K. ramsamy, Chairman, roots Group

“In my new role I can now concentrate more on meeting customers, understanding what they need from the business and running IT with a real P&L mentality other than selling internally.”

“I got an opportunity to work at a business level where I would be strategizing for the IT infrastructure practice from a service as well as a product point of view and deciding on the company’s technology focus.”

Kamal Sharma From SatyamTo Mindlance

ShiriSh GaribaFrom Elbee Express To Cnergyis

Cover Story CIO Role

REAL CIO WORLD | A p r i l 1 5 , 2 0 1 0 7 1

P L U S

Say again?again?aInterview bloopers you want to avoid.

Focusing only on your tech achievements Focusing only on your tech achievements when asked to describe yourself. instead: Take major aspects of your job, like leadership, strategy, execution, and risk aversion, and build a brief story from your experiences around each issue.

Preaching instead of sharing your Preaching instead of sharing your experience when asked to recount the challenges you’ve tackled. instead: Stick with the first person and provide detail to support your response.

Pulling out Power Point presentations of the Pulling out Power Point presentations of the great IT strategies you’ve implemented.instead: be ready with presentations but don’t thrust it down your interviewers’ throats.


Page 36: CIO April 15 2010 Issue


9 Personal Skills You Should Hone

IT expertise can do only so much. You need to polish your personality to move up the ladder. Start with these.

Communicate Clearly

Experience shows that nothing beats open and clear communication. Take Mother Dairy’s example. When the company was migrating to SAP, there was reluctance from some business users to migrate completely. They wanted to continue with some customized legacy modules, recalls Annie Mathew, CIO, Mother Dairy. “We put a lot of effort into convincing everybody about the risks that would crop up if we took the easy way out. For instance, achieving just-in-time transactions for fruits and vegetables would be challenging considering their high perishability and the limited window available for transaction entry. We worked with the business to simplify and streamline transactions so that the entries were reflected in the system in real time. But it needed multiple sessions with users to discuss their pain points and arrive at workable solutions. It is very important to keep the communication channels open.”

Listen Better

Listening is probably one of the most under-rated skills among most CXOs. Worse, it’s sometimes not even recognized as one, especially among family-run businesses. But Sebastian Joseph, executive VP and head-technology, Mudra Group, takes listening seriously. He uses what’s called the ‘LADDER’ approach, an acronym for: Look at the person speaking to you, Ask questions, Do not interrupt, Do not change the subject, Empathize, Respond.

Listening has helped Joseph save money for the advertising group. The company’s printing team observed that if they could decrease the amount of paper used in telephone directory printing, they would be able to save money. The IT team tweaked the pagination system and increased the number of entries per column, which introduced huge savings in paper cost. “When we all looked at the numbers we saw an opportunity,” says Joseph. But that conversation only took place because the IT team listened to what seemed like just another idea.

Know When to Say No

Right-sizing expectations is moving up on the list of must-have skills for CIOs. Sure, technology is breaking new ground every day, but there is a limit to what it can do and how quickly it can be done. And that’s something CIOs need to be able to tell their CXO peers. Learning to say no to the business’ unending expectations can be difficult, but as business leaders CIOs need to learn to put their foot down. “Saying no is always hard to do but a great way to get most of your high priority things done,” says CIO columnist and former CIO of Xerox Patricia Wallington. Marketing IT internally is good; over-selling it, not so much. It’s the CIO’s responsibility to ensure that the business has realistic expectations of IT.

Build Contacts

CIOs rely heavily on their peers for skills enhancement as well as professional growth, and networking is a great way to open up career opportunities. But how can CIOs expand their circle of peers? Events are one way. Another is keeping in touch with former bosses and colleagues; reaching out to new ones can be facilitated by social networking sites like ryze.com, Spoke.com, or ecademy.com, which encourage real-time interaction and help build real contacts.


Cover Story Personal Skills [ 9 Tips + 3 Bonus ]

PLUS: Networking No-no’s. Three event networking bloopers to avoid.

Don’t monopolize. Spend time with everyone. And instead of saying, “Excuse me, I need to talk to other people,” use, “I’m enjoying talking with you, but I am sure there are many other people who want to speak with you.”

Don’t sell. Always start with a casual subject. No promotional literature. Remember, networking isn’t advertising.

Don’t forget. Always follow up. Studies show that you need to reconnect with the potential employer or buyer within three days.


Page 37: CIO April 15 2010 Issue

Evaluate Risk

A greater number of IT leaders are moving closer to the CEO’s cabin. But according to CIO Research, only 23 percent of Indian CIOs currently handle P&L responsibilities. This is a clear indication that CIOs need to hone their risk-taking abilities — and their risk-evaluating skills — if they want to be trusted by the management. Taking risks and innovating should be an integral part of any CXO’s personality. But the first step is to be able to evaluate risk, and not just from the gut. The truth is few are born with the ability to evaluate risk, and IT leaders need to learn the skill.

Hone Financial Acumen

With IT no longer a mysterious back-office, CIOs need to not only pay for themselves, but also rake in profits. When talking money, IT leaders need to be fluent in financial jargon. More often than not, business and business people are measured by what they achieve financially — and growth is measured on a YoY or QoQ basis and profitability is gauged by EBIT margins or PAT. “Obviously that’s a lot of jargon, so if a CIO doesn’t understand how those measures are calculated, what factors move these measures in the right direction, and what he can do to improve these metrics, he will be at sea,” says Prateek Agarwal, CFO, Hexaware Technologies.

Control Your Emotions

Professor of Organizational Behavior and an expert in emotional intelligence, Richard Boyatzis once said: “At its most basic, emotional intelligence is, literally, the intelligent use of emotions.”

If only it was as simple as that. But that’s exactly what Ratnakar Nemani, CIO, VST, did, and he won the respect of his team members. When Nemani turned his in-house SAP team into a revenue-generating center, he was confronted with a slew of new challenges he didn’t have to face as CIO. Among those were irate customers. D. Naren Babu, an SAP consultant who reports to Nemani, remembers one high-pressure, client-facing situation (which is all he is willing to divulge) in which Nemani’s ability to show restraint came shining through. “He patiently handled all the accusations thrown at him. I was amazed at how cool and calm he was and how he came out a winner,” he says.

Manage Your Time

When they said you can’t negotiate with death and mothers, they forgot to add the number of hours in a day. But smart time management can increase your efficiency significantly. Start by making to-do lists, prioritizing work, focusing on one thing at a time, and setting deadlines for yourself. Or you could take a leaf out of Ishita Sen’s book. “I believe that you can manage to do a lot of work in a limited time if you organize your day well, sometimes even weeks and months in advance,” says the VP and center-head of Reliance Tech Services. Another piece of advice that works for her? “There should not only be provision for a Plan A, but also a Plan B, so I don’t get flustered at the last minute.”

Mentor

Now, as it has always been, nurturing and mentoring the best IT talent needs to be near the top of CIO skills. Ensuring a constant dialogue with your team makes sure that high-performing resources know they are valued. Identifying the best talent should be a constant endeavor, and singling them out to train them for a leadership role is a good retention strategy. But mentoring the best talent has to be a gradual process, a structured activity. The mentoring activity should start by introducing the person to management roles, inviting them to strategy meetings and allowing them to take independent decisions. CIO

Organizing your day well in advance helps.

It’s good to have a plan but it’s great to have a plan B. — Ishita Sen, VP & Center-head, Reliance Tech Services

Aim High But Not Too High

Aim to be politically savvy, without being political.

Aim to be a decisive leader, without being a dictator.

Aim to be a visionary, without being a day dreamer.

Aim to be impressively presentable, without being a dandy.

Aim to be adjustable, without compromising too much.


Page 38: CIO April 15 2010 Issue

How competitive is the domestic PC and laptop market? And how are you dealing with it?

Ajai Chowdhry: Although the PC and laptop market has always been a competitive market, in the last five years, there haven’t been any real new entrants, except for one or two Chinese or Taiwanese companies who don’t really have a brand. On the other hand, because there has been a significant slowdown elsewhere in the last two years, India has caught everyone’s attention. And that means that there is plenty more competition in India.

We started the IT revolution in India therefore our brand association is very high. Furthermore, we have focused business teams that address each part of the market be it government, the public sector, the private sector, the small and medium industry or the consumer. We have great positioning in the government and PSU market — we

Ajai Chowdhry, Founder, HCL and Chairman and CEO, HCL Infosystems, on increasing computer literacy in India and dealing with the competition in the Indian PC market.

Born out of HCL, among the pioneers of the computer revolution in India, HCL Infosystems began its journey producing micro-computing calculators back in 1976. Since then, from introducing India’s first home PC to developing what’s arguably considered the country’s most impressive mobile distribution strategy in 1996, the company has achieved many a milestone. But it has been a bumpy ride, including when it was forced to change business models to survive in a pre-liberalized environment.

Ajai Chowdhry, founder, HCL and chairman and CEO, HCL Infosystems, shares lessons he and the company have learnt from some of the Stone Age of India’s computing history and insights on tackling the challenges of low PC penetration in India. And more currently, how the company with its deep presence in India, is taking on competition from cheaper PC alternatives.

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

View from the Top

IT in Every Home

By Varsha Chidambaram

Photo by Srivatsa Shandilya

Page 39: CIO April 15 2010 Issue

Ajai Chowdhry expects IT to:

Translate the CEO’s vision

Create profit

Innovate

Page 40: CIO April 15 2010 Issue

are located in every taluka of the country. It is that extensive service and sales capability — in every district — that really gives us our competitive advantage.

How do you compete with cheaper, assembled PCs?

The grey market has always existed. Our strategy is to educate consumers on how to buy and what to buy. A lot of the products available in the grey market are assembled in somebody’s garage, taking some new parts and mixing them with some old parts. That’s how their products end up being cheaper.

Why is India still the most under-penetrated PC market among markets its size?

Worldwide, the government has always been the largest customer for technology. The government has to be more aggressive in their strategy to increase PC penetration if nothing else but because there is a direct connection between PC penetration and GDP growth. If the country wants to record a 10 percent GDP growth, then PC penetration has to go up. My dream is to provide access for all.

If you make broadband readily available, PC sales will go up. Broadband access should be made available to every city, town, and village in the country. Indian telecoms have paid a lot of attention to voice but they haven’t paid enough attention to data. In the consumer market, financing for PCs is not available and that’s also a big impediment.

You work a lot with the government. Why are so few e-gov projects successful?

First, the e-governance projects that we’ve been a part of have been remarkable successes. The issue with e-governance is that although the plans are fantastic in nature, they are never executed in a time-bound fashion. There should be an expiry date to funds allotted to every e-governance project. Another problem is a lack of deep partnerships with the front-end users in most cases. Customers of e-governance projects need to be more involved.

What's the secret behind cracking government deals?

We have been doing business with various state governments for over 30 years. We have taken a proactive role and constantly update the government on the latest technologies. That's why we are regarded as trusted advisors. Another reason the government has so much confidence in us is because we are located in every district. Our reach for providing services as well as hardware support is the highest in the country.

What’s the biggest challenge you’ve faced?

The biggest challenge for us came in 1991, prior to the economic liberalization when the country had very little foreign exchange. To make computers we had to import components but we didn’t have LCs (letters of credit) which we could open. That’s when we decided that we have to make a foray into the export market. Till then we were limited to the domestic market.

What's your view on risk?

There is no future without risk. And not just the risk taken by top management but even others within the organization. Our best innovations happened when people took risks. Back in 1991, a young employee came up with the idea of creating a market for consumer PCs, following which we launched Beanstalk which has been one of our most profitable product lines. We encourage our employees to take risks — the more mistakes you make today the better you become tomorrow.

Can you define the CIO’s role within an organization?

A CIO’s position is closest-aligned to the CEO of a company. The CEO’s vision is translated by the CIO. A CIO’s job is not to benchmark or copy; it is to innovate. CIOs need to take up an entrepreneurial role and create profit through technology. CIOs should no longer involve themselves with the IT part of the business although they should be responsible for making an organization IT savvy. CIOs should involve themselves in new areas where they can make a difference. And that will come only if the CIO works with the business and marketing.

What’s in HCL's future?

HCL has always thrived on innovation. From the beginning we were a product company. We have been constantly developing a range of software products that are integrated within our hardware. Similarly, when we entered the systems integration space, we decided that we would not only provide services but also develop specialized products. Our strategy has always been to give the customer a complete experience — be it in hardware, software or services. And we hope to continue doing so. CIO

Varsha Chidambaram is a correspondent. Send feedback on this interview to varsha_chidambaram@idgindia.com



Page 43: CIO April 15 2010 Issue

Reader ROI:

What happens if IT goes down

How to avoid tech disasters

The risks of depending on IT

Power grid hacks, massive DNS rerouting, solar flares — end-times for IT may be more likely than you think.

The End of Your World

By Dan Tynan

Technology drives just about everything we do, and not just at our jobs. From banks to hospitals to the systems that keep the juice flowing to our homes, we are almost entirely dependent on tech. More and more of these systems are interconnected, and many of them are vulnerable. We see it almost every day.

But what if instead of simply a denial-of-service attack against select Websites, the entire Internet suddenly stopped working — or for that matter, Google could not be reached? What if instead of a mere data breach, our financial institutions were attacked by a weapon that could instantly neutralize all electronic transactions? Or if hackers wormed their way into the systems that control the power grid? Heck, what if God decided she’d had enough of us and decided to send a solar storm our way?


Page 44: CIO April 15 2010 Issue

If you think these things can’t happen, think again. Some already have occurred on a smaller scale. But we thought it might be fun to turn up the volume and see what might happen — how likely a ‘tech doomsday’ scenario might be, how long it would take us to recover, and how we might prevent it from coming to be.

What could possibly go wrong? Try these scenarios for starters.

Tech Doomsday Scenario No. 1: Google Is Gone

Google has so insinuated itself into our lives it seems almost unthinkable that we might have to live without it. Experts consulted for this story agreed that to take down a company as mighty and well fortified would require someone on the inside — not necessarily a malicious Google employee, just a stupid one (if such beings exist) with the right admin privileges.

It’s not entirely unfeasible. Last December, attackers tricked Google employees into visiting a malicious website, which then exploited a vulnerability inside Internet Explorer to install an encrypted backdoor into the Google network. From there they accessed the Gmail accounts of Chinese dissidents.

In our doomsday scenario, a Google employee merely installs a rogue application on the network that allows external attackers — say, an unfriendly nation state with a grudge — to slip behind the company‘s firewall.

“The main vector for getting inside most organizations today are rogue applications residing on the network,” says Nir Zuk, founder and CTO of Palo Alto Networks, a network security company. For example: an IT manager installs GoToMyPC on a machine in the datacenter so that he can fix problems in the middle of the night from his home. But it has a weak password and gets hacked.

Or he installs a P2P app to download songs, unwittingly allowing outsiders to download confidential files from the company LAN — including password sets and network configuration maps. Or he sets up WebEx to do a presentation, then foolishly tells the program to share his desktop across the Web. Once inside, attackers could root around the network until they locate the command and control centers for Google’s many datacenters. And then they can turn out the lights, leave behind a logic bomb that corrupts Google’s databases, or simply have their way.

“I’m not familiar with the structure of Google’s network, but they must have a command and control app that lets them shut down their datacenters,” says Zuk. “Everyone does.”

What could happen: Yahoo and Bing become swamped with search traffic, and might collapse under the weight. Organizations that rely on Gmail and Google Docs for their day-to-day operations will find themselves unable to get much done (though, given how many outages Gmail had over the last year, they might be used to it). YouTube fans may discover there are approximately 7,834 other free video sites out there. Web entrepreneurs who rely on Google ads will find themselves bereft of income for an unknown period of time.

Business Continuity. Illustration by MM Shanith

Other consequences, according to Google Blogoscoped author Philipp Lenssen: “People may not be able to post an update about their life, leading others to believe they’ve disappeared (because Blogspot is down); conspiracy theorists will be able to sell more books on ‘why Google went down (and what the NSA had to do with it)’; and people who want to search for ‘why Google is down’ realize that, well, Google is down so they can’t search for that.”

How long would it take to recover: From hours to days, depending on what measures Google already has in place. A Google spokesperson contacted for this story says, “We are always planning for different threat scenarios, but we aren’t going to discuss specific defense measures.”

Likelihood: Zuk says it’s more likely than most big companies are willing to admit.

“In a big company like Google or Yahoo, which have tens of thousands of employees, there will always be unaware employees who do something stupid like sharing their desktop via WebEx,” he says. “It only takes one to do it, and from there the route to the datacenter is a quick one.”

How to avoid this fate: To avoid getting nailed by rogue apps, companies need greater visibility into their networks to expose any apps that are running and what ports they are using, and to map all of their other dependencies as well, says Steve Cotton, CEO of FireScope, a developer of IT service management solutions.
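The visibility Cotton describes starts with knowing what is listening on each host. The script below is an added example, not code from the article or from FireScope: it parses rows laid out like the output of `ss -tlnp` (the sample rows, the allowlist and the loopback-only policy are all constructed for this illustration) and reports any listener whose port is not approved, whose process is not the one expected on that port, or which is exposed on all interfaces when policy says loopback only. The two unexpected rows stand in for the remote-access and P2P tools Zuk mentions.

```python
"""Spot listening services that are not on an approved list.

Added example, not from the CIO article or any vendor quoted in it. It parses
lines laid out like `ss -tlnp` output (the rows below are constructed, not
taken from a real host) and reports listeners whose port, process or bind
address does not match a hypothetical allowlist.
"""
import re

# Hypothetical allowlist for one datacenter host: port -> expected process name.
ALLOWED_LISTENERS = {22: "sshd", 443: "nginx", 3306: "mysqld"}

# Hypothetical policy: these ports must only be bound to a loopback address.
LOOPBACK_ONLY_PORTS = {3306}

# Constructed sample in the column layout of `ss -tlnp`.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port   Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*           users:(("nginx",pid=1203,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*           users:(("mysqld",pid=1337,fd=21))
LISTEN  0       128     0.0.0.0:8200         0.0.0.0:*           users:(("gotomypc",pid=4411,fd=9))
LISTEN  0       50      0.0.0.0:6881         0.0.0.0:*           users:(("p2pclient",pid=4590,fd=12))
"""

# One LISTEN row: state, queue counters, local addr:port, peer addr:port,
# then the first process entry of the users:((...)) column.
_ROW_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return one dict per LISTEN row; the header and unparseable rows are skipped."""
    rows = []
    for line in ss_output.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            rows.append({"port": int(m["port"]), "process": m["proc"],
                         "pid": int(m["pid"]), "bind": m["addr"]})
    return rows


def find_rogue_listeners(ss_output, allowlist=ALLOWED_LISTENERS,
                         loopback_only=LOOPBACK_ONLY_PORTS):
    """Return findings for listeners that violate the allowlist or the bind policy."""
    findings = []
    for row in parse_listeners(ss_output):
        expected = allowlist.get(row["port"])
        if expected is None:
            reason = "port not in allowlist"
        elif expected != row["process"]:
            reason = f"expected {expected} on this port"
        elif row["port"] in loopback_only and not row["bind"].startswith(("127.", "[::1]")):
            reason = "must bind to loopback only"
        else:
            continue
        findings.append(dict(row, reason=reason))
    return findings


if __name__ == "__main__":
    for f in find_rogue_listeners(SAMPLE_SS_OUTPUT):
        print(f"pid {f['pid']} {f['process']} on {f['bind']}:{f['port']}: {f['reason']}")
```

Run against the constructed sample it reports the two rows on ports 8200 and 6881. On a real host the same function can be fed the captured `ss -tlnp` text from a scheduled job and diffed against the previous run, so a new listener shows up as a change rather than a line lost in a long listing.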

To avoid being compromised by insiders, companies should get real-time notifications of the activities of privileged users, block specific unauthorized activities, and split the responsibility for monitoring among multiple users, says Slavik Markovich, CTO at database security firm Sentrigo.

“This last point is critical, as the very privileges needed to properly manage the systems and databases makes it very easy for malicious users to defeat whatever controls may be in place, or to cover their tracks,” he says. “There is a dramatic difference in the likelihood of a breach when it can be accomplished by a single rogue insider, as compared to one that requires co-conspirators across multiple functions.”

News flash: Visitors to Google.com were stunned when it returned a “404 Not Found” error for tens of millions of Web searchers. All Google services — Gmail, Google Docs, AdSense — were inaccessible for periods ranging from hours to days, depending on users’ locations.
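Markovich’s advice on privileged users in Scenario No. 1 comes down to three rules: raise an alert whenever a privileged action happens, refuse some actions outright, and never let one person both perform and approve a sensitive change. The script below is an added example, not code from the article or from Sentrigo: it reads constructed database audit records (the user names, role map and action names are all hypothetical) and applies those rules, treating an approval as valid only when it comes from a different person in a different function, which is the “co-conspirators across multiple functions” bar he describes.

```python
"""Review privileged database activity for missing separation of duties.

Added example, not from the CIO article or from Sentrigo. The audit lines,
user names, role map and action names below are constructed for illustration.
"""
import re

# Hypothetical role directory; an approver must come from a different function.
ROLES = {"dba_alice": "dba", "dba_carl": "dba", "sec_bob": "security", "app_dev": "engineering"}

# Actions that count as authorized only with an independent approver.
TWO_PERSON_ACTIONS = {"GRANT", "DROP_DATABASE", "ALTER_USER"}
# Actions refused outright: nobody gets to switch auditing off through this path.
ALWAYS_BLOCK = {"AUDIT_OFF"}

# Constructed audit records: timestamp, actor, action, target, approver ("-" if none).
SAMPLE_AUDIT_LOG = """\
2010-04-13T02:14:07Z user=dba_alice action=ALTER_TABLE target=crm.customers approver=-
2010-04-13T02:20:45Z user=dba_alice action=GRANT target=ALL_ON_crm approver=sec_bob
2010-04-13T09:03:12Z user=dba_carl action=GRANT target=ALL_ON_hr approver=-
2010-04-13T09:04:40Z user=dba_carl action=ALTER_USER target=reporting_ro approver=dba_alice
2010-04-13T09:05:30Z user=dba_carl action=AUDIT_OFF target=server approver=sec_bob
2010-04-13T09:06:02Z user=dba_carl action=SELECT target=hr.salaries approver=-
"""

_REC_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+"
    r"target=(?P<target>\S+)\s+approver=(?P<approver>\S+)$"
)


def parse_audit(log_text):
    """Turn audit lines into dicts; malformed lines are dropped."""
    return [m.groupdict() for m in map(_REC_RE.match, log_text.splitlines()) if m]


def independent_approval(actor, approver, roles=ROLES):
    """True only if a known second person from another function approved."""
    if approver in ("-", actor):
        return False
    return roles.get(approver) is not None and roles.get(approver) != roles.get(actor)


def review_privileged_activity(log_text, roles=ROLES):
    """Return one alert per privileged action that lacks separation of duties."""
    alerts = []
    for rec in parse_audit(log_text):
        if rec["action"] in ALWAYS_BLOCK:
            verdict, reason = "block", "audit controls may not be disabled through this path"
        elif rec["action"] in TWO_PERSON_ACTIONS and not independent_approval(
                rec["user"], rec["approver"], roles):
            verdict, reason = "alert", "no independent approver from another function"
        else:
            continue  # routine or properly approved activity
        alerts.append({**rec, "verdict": verdict, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in review_privileged_activity(SAMPLE_AUDIT_LOG):
        print(f"{a['verdict'].upper():5} {a['ts']} {a['user']} {a['action']} {a['target']}: {a['reason']}")
```

On the sample, the GRANT approved by someone in security passes, the unapproved GRANT and the DBA-approved ALTER_USER raise alerts, and AUDIT_OFF is blocked regardless of who signed off. The role check is the part that matters: an approver from the same team is still a single function, so it is not counted as independent.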

Tech Doomsday Scenario No. 2: The Net Goes Down

Can the Internet be taken offline? Many experts scoff at the idea, citing too many diverse communications channels, too many redundancies, and an architecture designed to route around failures.

“I think it would be very difficult to take down the whole Internet, unless you had a worldwide EMP event that takes everything else down as well,” says Dr. Ken Calvert, chair of the University of Kentucky’s Department of Computer Science. “At all levels you have diversity of technology carrying the bits, whether it’s satellite, fiber, or wireless. There’s a lot of redundancy there.”

Yet even if the net can’t be entirely shut off, short of an act of God, attackers can create havoc by attacking it at one of its weakest points: the domain name system.

By hijacking traffic meant for different domains, attackers can drive unsuspecting surfers to malicious sites, effectively take down any site by flooding it with traffic, or simply send everyone looking for Google.com or Yahoo.com into the ether — making the net largely useless for a great many people.

“Everybody trusts the DNS, but it’s not really trustworthy,” says Rod Rasmussen, president and CTO for anti-phishing services firm Internet Identity. “The system itself isn’t well protected. And all you need are a name and a password to take out a DNS server or a particular domain.” Attackers don’t even need to attack DNS servers or poison their caches; they can achieve the same effects by taking over large domain registrars.

A successful infiltration of Network Solutions, for example, could put attackers in charge of more than half the domains for all US financial institutions, says Rasmussen. From there, attackers could redirect surfers to bogus sites and later use their credentials to log in and drain their accounts.

Or they could simply target large domains with huge amounts of traffic, or create havoc by messing with the net’s time servers.

What could happen: The Internet appears to be down, even though it’s not. Millions of Web surfers can’t reach the sites they need, or worse, they’re misdirected to malicious sites that steal their credentials or their identities.

Attackers reset the servers that keep time on the net, bringing billions of financial transactions that rely on accurate timestamps to a screeching halt, bringing businesses to a standstill.

News flash: The Internet melted down today as millions of Web surfers found themselves redirected to the wrong sites, thanks to problems with the domain name server system.

How long would it take to recover: It could take anywhere from a couple of days to months, in most cases, says Rasmussen.

“Because this is the DNS, it’s not hard to undo anything,” he says. “The problem is how long the bad guys tell the DNS system to maintain the records; 48 hours is pretty typical.”

The other option: After you discover your domain’s been hijacked, get on the speed dial with major ISPs and tell them to update their records. Even then, you’ll still miss smaller ISPs or large enterprises that maintain their own DNS tables.

“It usually takes a pretty big disaster to get people to respond,” says Rasmussen. “That’s the problem with a distributed system; when it goes bad it stays bad for a while.”

Likelihood: More likely than you think. This has already happened several times on a smaller scale. In December 2008, Ukrainian-based attackers used a phishing attack to gain log-on credentials for CheckFree, an online bill payment system used by more than 70 percent of US banks.

In April 2009, an SQL injection exploit at registrar Domainz.net allowed Turkish attackers to take over the New Zealand sites for Microsoft, Sony, Coca-Cola, HSBC, and Xerox, among others.

The same hackers also took over all of Puerto Rico’s domains. This past January the domain for Baidu, the largest Chinese search site, was taken over by a group calling itself the Iranian Cyber Army.

Page 46: CIO April 15 2010 Issue

In that case, Baidu filed suit against its US registrar, Register.com, claiming it was slow to respond to the site’s plea for help.

How to avoid this fate: “Eternal vigilance?” asks Rasmussen. “You want to monitor the hell out of what you and other people are doing with your domains and theirs, so you can turn off the system and anything that connects to it if you or someone you trust has a problem.”

Some registrars are hardening their defenses against hijacking and making it tougher to change DNS records, but mostly it’s up to domain owners themselves to police their own records and, more importantly, respond quickly when they’ve been compromised.

Tech Doomsday Scenario No. 3: God Strikes Back

News flash: This report is being brought to you via word of mouth, because nothing else is working. An enormous solar flare has struck earth, causing a worldwide failure of the electrical power grid and communications systems.

Think of it as the mother of all power surges. The sun spits out an enormous cloud of superheated plasma several times larger than the earth, which slams into our atmosphere. Supercharged particles travel through the earth’s crust, frying all the power transformers they touch — instant worldwide blackout.

Sound like a cheesy Hollywood plot? This precise thing happened on a smaller scale in Quebec in 1989, when a solar storm caused 6 million people to lose power. “The chances of the Internet totally crashing are slim to none, but if anything could cause the net to go down it would be a solar flare,” says security consultant Robert Siciliano. “A plasma ball hitting the earth’s magnetic fields that it can’t deal with. The step-up and step-down transformers that manage our power grid would fry. It would literally be the perfect storm of cataclysmic power surges that knock out the power grid and the Internet at the same time.”

What could happen: Everything that would happen in the previous four scenarios, and then some. Forget clean water. Forget health care. Wipe out the last 20 years of recorded history, because most of it was stored digitally. “We’d feel it first in the economy and our financial institutions, where everything is digital. Markets will collapse,” says Siciliano. “Where’s everything backed up — in a filing cabinet? The economy would collapse, the banks would lock their doors and keep whatever money they had in the vault, because the rest has evaporated into thin air. Once the money’s gone, we would have to reset the clock. We would have to reset ourselves.”

How long would it take to recover: Unknown. According to a January 2009 report by the National Academy of Sciences, the effects of a severe geomagnetic storm would be felt for years, most acutely in societies that are the most dependent on technology. The US could take from four to 10 years to bounce back, according to the NAS — if it bounces back at all.

“It will take a tremendous amount of manpower to clean up the mess,” adds Siciliano. “Something that catastrophic, the gas pumps won’t be operating, so a guy who’s supposed to take a part to repair a facility can’t get there because he has no gas. It could literally throw us back to 1840.”

How likely is this to occur: Lord only knows. But consider this, says Irv Schlanger, an assistant professor in Drexel University’s Computing and Security Technology program.

“We are all familiar with the 11-year solar flare cycle,” says Schlanger. “What most people are not aware of is the 110-year solar flare cycle. The 110-year cycle is massive when compared to the 11-year cycle. The effects of the 110-year cycle would be very similar to that of a nuclear EMP. We are currently due for the 110-year solar flare.”

How to avoid this fate: Silent prayer to the deity of your choice.

“Man-made terrorist activity is bad, but as we’ve seen lately, Mother Nature is a b****,” says Siciliano. “She doesn’t give a damn about you or me.” CIO
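Rasmussen’s advice in Scenario No. 2, to “monitor the hell out of” your own domains, is mostly a matter of comparing what the world currently resolves against what you know you configured. The script below is an added example, not code from the article or from Internet Identity: it takes a constructed baseline (expected NS, A and MX records for a hypothetical bank domain, using reserved `.test` names and documentation-range addresses) and a constructed snapshot of resolver answers, and reports missing or unexpected record values and any TTL above what the owner ever set. A changed NS set, a changed A record and a 48-hour TTL, the three things the snapshot contains, are what a registrar-level hijack looks like from the outside. In practice the snapshot would come from resolver queries made from several vantage points on a schedule; here it is embedded so the example runs offline.

```python
"""Detect drift between a domain's expected DNS records and an observed snapshot.

Added example, not from the CIO article or from Internet Identity. Names use
reserved .test labels and RFC 5737 documentation addresses; both the baseline
and the "observed" answers are constructed rather than resolved.
"""
from collections import defaultdict

# Constructed baseline: what the owner expects, plus the largest TTL ever configured.
BASELINE = {
    "example-bank.test.": {"NS": {"ns1.example-bank.test.", "ns2.example-bank.test."},
                           "max_ttl": 86400},
    "www.example-bank.test.": {"A": {"198.51.100.10", "198.51.100.11"}, "max_ttl": 300},
    "mail.example-bank.test.": {"MX": {"10 mx1.example-bank.test."}, "max_ttl": 3600},
}

# Constructed snapshot of answers a resolver returned: (name, type, value, ttl).
# One NS and the A record have been replaced and pinned with a 48-hour TTL.
OBSERVED = [
    ("example-bank.test.", "NS", "ns1.example-bank.test.", 86400),
    ("example-bank.test.", "NS", "ns.hosting-reseller.test.", 172800),
    ("www.example-bank.test.", "A", "203.0.113.77", 172800),
    ("mail.example-bank.test.", "MX", "10 mx1.example-bank.test.", 3600),
]


def snapshot_by_rrset(observed):
    """Group (name, type) -> {value: ttl} so each RRset is compared as a whole."""
    rrsets = defaultdict(dict)
    for name, rtype, value, ttl in observed:
        rrsets[(name.lower(), rtype.upper())][value] = ttl
    return rrsets


def detect_drift(baseline, observed):
    """Return (name, type, kind, detail) findings; an empty list means no drift."""
    findings = []
    rrsets = snapshot_by_rrset(observed)
    for name, spec in baseline.items():
        max_ttl = spec["max_ttl"]
        for rtype, expected in spec.items():
            if rtype == "max_ttl":
                continue
            seen = rrsets.get((name.lower(), rtype), {})
            seen_values = set(seen)
            for value in sorted(expected - seen_values):
                findings.append((name, rtype, "missing", value))
            for value in sorted(seen_values - expected):
                findings.append((name, rtype, "unexpected", value))
            # A TTL longer than anything the owner configured is itself a signal:
            # it is how a bad record is made to linger in caches after a takeover.
            for value, ttl in sorted(seen.items()):
                if ttl > max_ttl:
                    findings.append((name, rtype, "ttl_above_baseline", f"{value} ttl={ttl}"))
    return findings


if __name__ == "__main__":
    for name, rtype, kind, detail in detect_drift(BASELINE, OBSERVED):
        print(f"{kind:20} {name} {rtype} {detail}")
```

The baseline is deliberately per-RRset rather than per-record, because a hijack usually adds a value as well as removing one, and the two together are the story. Comparing the same snapshot from more than one resolver also catches the case Rasmussen describes where only some caches have picked up the bad records.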

Send feedback on this feature to [email protected]


Page 47: CIO April 15 2010 Issue

Scrutinizing DLP

Everything you wanted to know and more

Data loss prevention has gone from a niche technology to something everyone’s offering. In the process its definition has got a little murky. We clear that up.

What’s Inside Deep Dive

Features
Your Guide to Unscrambling DLP: 92
What Goes Into the Mix: 98
Half Price Sale: 100

Column
Opening Pandora’s Box: 96

Test Center
DLP Vs DLP: 104


Your Guide to Unscrambling DLP

For those who believe they’ll never get a handle on data loss prevention (DLP), here are some survival stories from security practitioners who found the light.

By Bill Brenner

DLP is all the rage in this era of data security breaches and clever malware attacks. Naturally, every security vendor wants a piece of the action. But in the vendor stampede for market share, something disturbing is happening: Companies are buying technology that, once installed, doesn’t offer all the ingredients of true DLP, says Rich Mogull, former Gartner analyst and founder of security consultancy Securosis. “The term DLP has essentially become meaningless because of a variety of vendors who wanted to say they were offering it,” says Mogull, a respected voice in the industry.

The true definition of DLP has always been somewhat muddy. Mogull describes the acronym as a buzzword created for marketing purposes. But it used to be easier to tell when a company was truly offering it. Mogull’s definition of DLP goes something like this: “products that as a minimum identify, monitor and protect data in motion, at rest and in use through deep content analysis.” The tool identifies the content, monitors its usage and builds defenses around it.

There are a ton of vendors who perform some of these functions. But unless they tackle everything in the above definition, Mogull says it’s not truly DLP. “Encryption and endpoint control vendors call what they do DLP,” he says. “A firewall does some of what the concept entails. All of these tools are helpful in different areas of security, but they are not DLP.”

Of course, when a vendor doesn’t offer a technology that tackles a specific problem, a solution is to buy up a vendor who has what they need and bake it into the product line. Symantec muscled its way into the DLP space by acquiring Vontu, a company Mogull sees as an early leader of true DLP technology. Meanwhile, RSA snatched up Tablus and McAfee bought Reconnex. Then there was the Websense acquisition of PortAuthority Technologies and CA’s buy of Orchestria.

Then there are the vendors who offer important pieces of the DLP puzzle but don’t do everything necessary to call themselves DLP providers. “Many are helpful in their own way, including the portable device control vendors, the USB blockers, and so on,” he says. “But they don’t analyze content so they are not technically DLP.”

There are still a few independent DLP vendors out there, Mogull says, including Vericept and Code Green Networks.

Of course, like any technology, the perception of what is truly DLP depends on who you ask. Imran Minhas, information security officer at the National Bank of Kuwait, says DLP means prevention of confidential, restricted or internal-use data being leaked. User access to public/personal e-mail such as Hotmail and Yahoo is a major concern in this area. “I haven’t seen every single product out there but so far Symantec seems to be the best for DLP, mainly because of the ease of use,” says Minhas.

Wayne Proctor, CISO at First Data USA, says a major trend he has observed is for the vendors to extend from monitoring content only in outgoing traffic to monitoring other sources of data (primarily data at rest and data on endpoints). “I don’t view this as twisting the meaning of DLP but just leveraging their content evaluation engines to offer additional services,” he says.

Proctor adds that some DLP vendors offer services that are not leakage related, such as identifying potential disgruntled employees and persons who are downloading software that is not approved for usage on a company network. “These types of additional services are certainly beyond the core focus of DLP but these are also value-added services that are fine to offer as long as the performance of the core DLP offerings are not negatively impacted,” he says.

Going Down the DLP Road

It’s no easy task implementing a DLP program when there’s so much disagreement in the security community over what DLP entails. But those who’ve been through it have good news: It can be done.

Several IT security practitioners say they achieved a reasonable DLP program once they stopped listening to vendors trying to sell so-called ‘DLP out of the box’ products and focused instead on mixing myriad security technologies with training programs to help users defend themselves.

Though the people policies are pretty consistent across business sectors, there’s no one-size-fits-all approach to the technology side of things. There are common tools, mind you, but they are not assembled the same way in every enterprise.

Finding What’s Right

Chuck McGann, manager of corporate IS services for the US Postal Service, has heard many a vendor pitch and found that even though they were pitching DLP, nothing they offered fit his individual needs. “I’ve had too many conversations with vendors telling me how their products work, and they just don’t meet my enterprise needs in terms of how they function in the pattern-matching and false-positive-reduction areas,” he says.

For his part, McGann determined the technological part of his DLP program needed to address the following areas:

- Keyword pattern matching
- Auto quarantine for files that violate policy
- The ability to specify and use certain combinations of data for matching
- Exact data matching
- Detection of specific data at rest and in transit
- Robust reporting capability

DLP’s Implementation Challenges

Challenges in defining confidential content: 64
Time-consuming implementation process: 40
System capabilities lower than expected: 32
Higher solution cost than expected: 30
Higher internal costs for solution management than expected: 25
High inaccuracy rate: 19
Other: 4
None: 2

Source: GTB Technologies


No Dependence on Users

While he agrees user awareness training is important, Career Education CISO Michael Gabriel decided his enterprise can only do so much to save users from themselves. Therefore, he went in search of technology that would address his particular needs. “Explaining everyone’s role to them is much less of an issue if you can let technology minimize their role,” Gabriel says. “Any time you rely on the end user to do something, you’re likely to fail.”

His journey into DLP started with the search for e-mail encryption as a way to accomplish what he described above. He notes that he was the first Vontu customer in Chicago, implementing the vendor’s Prevent product in 2005 as an integration with an Ironport MTA and the PGP Universal encryption gateway to provide his company with automated e-mail encryption. By finding something that detects confidential information using exact data matching — automatically encrypting it if being sent to an authorized recipient — he was able to meet a major piece of his DLP goals.

“Since then, we have also implemented the Vontu Monitor, Discovery, and Endpoint solutions, and I’m currently working with their product managers on what I consider to be the next big application of DLP technology; using it not only to detect and remediate stray confidential data, but to provide information that will identify which broken business process resulted in that data being there in the first place,” Gabriel says. “This would move DLP from being a reactive technology to a proactive technology.”

Vendors Getting the Hint?

Though a frustration with security vendors wrongly pitching products as DLP is common among CIOs, there are signs the vendor community is starting to change. More are beginning to offer products as the solution to part of an enterprise’s DLP needs rather than trying to sell their wares as DLP in a box, says Nick Selby, former research director for enterprise security at The 451 Group and CEO/co-founder of Cambridge Infosec Associates. “There is a growing realization among vendors that they can go farther by addressing what exactly they can help with,” Selby says. “It is less about ‘we-can-do-everything’ marketing and more about how ‘we can help you with specific pieces of DLP.’”

Ted Heiman, the western regional sales manager for ForeScout Technologies, acknowledges that vendors have done a less-than-admirable job at helping companies address DLP. But, he adds that the difficulty understanding the true definition of DLP goes beyond the vendor community.

“There is no true, single point DLP product on the market. I believe this is where the big misconception is. DLP is a solution not a product,” he says. His opinion is that the best solution to combating data loss is educating employees. “How many enterprises do you know that have really educated their employees about data security and the steps each employee can take to prevent critical data from getting into the wrong hands?” he asks. “Let’s face it. The biggest threat to enterprise customers and their critical data is their network administrators. These guys have more power and access than most users and they also know how to exploit it. If you want to address DLP I think you need to start there.”

Send feedback on this feature to [email protected]


Don’t Let Vendors Set Your Strategy

Businesses should plan a thorough data loss prevention strategy before talking to suppliers, Gartner advises. That’s because vendors are likely to sway discussions to specific aspects of DLP, when a full strategy is required for the technology to be effective, the analyst house says.

“You’ve got to define your strategy first, then talk to the suppliers,” says Paul Proctor, VP at Gartner. “At the moment businesses aren’t labeling data properly, they don’t know where it is, they aren’t handling it properly, and their policies are poorly defined and enforced.”

Organizations needed to first define their data types, followed by building a list of possible actions for that data, then defining policy, and finally negotiating with suppliers.

For defining data types, Proctor says, firms should categorize information according to its nature and where it resides. For example, intellectual property could be split into drawings (then divided as CAD, PDF, and GIF), documents (split as structured, unstructured, labeled and unlabeled), and personal data (split by types such as credit cards or ID numbers, or by its application such as order processing or online sales).

For building a list of possible actions that could happen to the data, businesses should “boil the possible uses down to 10 to 15 situations”, Proctor says. These could include data crossing the enterprise boundary; data stored in unauthorized places; the copying, printing, moving, saving, cutting and pasting of data; and business processes that could put the data at risk.

Common areas of worry for businesses included sales people stealing client information, and the offshoring of work involving critical intellectual property, he says.

Last, for defining policy, firms needed to set different levels of reaction according to how concerned they would be about the incident. The lowest stage could be alerting the business and recording the situation for future analysis.

The next higher stage would be intercepting the data to automatically encrypt it, move it from the risk area, or demand user justification for a particular operation. Above that, the particular operation could be automatically halted.

“A lot of people have deployed a sort of DLP for simple requirements, like protecting credit card data,” he concluded. “But that isn’t enough — they need to protect all data including their valuable intellectual property.”

— Leo King
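As an added example (not code from the article, from Gartner or from any vendor product), the Python below wires the detection mechanisms on Chuck McGann’s requirement list (keyword pattern matching, exact data matching, combinations of data, auto quarantine for files at rest) to the three reaction tiers Paul Proctor describes (alert and record; intercept to encrypt, move or demand justification; halt). The regexes, the salt, the customer identifiers and the sample messages are all constructed for the example.

```python
"""Toy DLP content-inspection engine: McGann's detection list wired to
Proctor's three reaction tiers. Added example; every value is constructed."""
import hashlib
import re
from dataclasses import dataclass

# Proctor's tiers: alert and record; intercept (encrypt, move or demand
# justification); halt the operation. None means no policy fired.
ALERT, INTERCEPT, HALT = "alert", "intercept", "halt"
TIER_RANK = {None: 0, ALERT: 1, INTERCEPT: 2, HALT: 3}

# Keyword pattern matching: regexes for classes of sensitive content.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, separators allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORD_RE = re.compile(r"\b(?:confidential|salary|termination list)\b", re.IGNORECASE)

# Reaction per (tier, channel): 'outbound' is data in motion at the perimeter,
# 'at_rest' a file share, where the intercept action is McGann's auto-quarantine.
ACTIONS = {
    (None, "outbound"): "allow", (None, "at_rest"): "none",
    (ALERT, "outbound"): "allow_and_log", (ALERT, "at_rest"): "log",
    (INTERCEPT, "outbound"): "encrypt_or_require_justification",
    (INTERCEPT, "at_rest"): "quarantine",
    (HALT, "outbound"): "block", (HALT, "at_rest"): "quarantine_and_escalate",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers
    (McGann's false-positive-reduction concern)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Card-number candidates that pass the Luhn check, as digit strings."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


class ExactMatchIndex:
    """Exact data matching: known sensitive values (e.g. a customer-ID export)
    kept as salted hashes so the index is not itself a copy of the data."""
    TOKEN_RE = re.compile(r"[\w@-]+(?:\.[\w@-]+)*")

    def __init__(self, values, salt: bytes = b"constructed-salt"):
        self.salt = salt
        self.fingerprints = {self._fp(v) for v in values}

    def _fp(self, value: str) -> str:
        return hashlib.sha256(self.salt + value.strip().lower().encode()).hexdigest()

    def matches(self, text: str) -> list:
        tokens = set(self.TOKEN_RE.findall(text.lower()))
        return sorted(t for t in tokens if self._fp(t) in self.fingerprints)


@dataclass(frozen=True)
class Finding:
    kind: str      # which detector fired
    evidence: str  # what matched; numbers redacted to their last four digits
    tier: str      # reaction tier this finding alone would trigger


def redact(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(text: str, index: ExactMatchIndex, channel: str):
    """Evaluate one message or file; the highest tier among the findings
    decides the action. Returns (tier, action, findings)."""
    findings = [Finding("credit_card", redact(c), INTERCEPT) for c in find_card_numbers(text)]
    findings += [Finding("ssn", redact(re.sub(r"\D", "", s)), INTERCEPT) for s in SSN_RE.findall(text)]
    findings += [Finding("exact_match", e, INTERCEPT) for e in index.matches(text)]
    findings += [Finding("keyword", k.lower(), ALERT) for k in KEYWORD_RE.findall(text)]
    # Combination rule ('specify and use certain combinations of data'): a
    # fingerprinted customer ID next to a valid card number is a whole record
    # leaving, so the pair escalates to halt although each alone only intercepts.
    if {"credit_card", "exact_match"} <= {f.kind for f in findings}:
        findings.append(Finding("combination", "customer_id+card", HALT))
    tier = max((f.tier for f in findings), key=TIER_RANK.__getitem__, default=None)
    return tier, ACTIONS[(tier, channel)], findings


# Constructed sample data: a fake customer-ID export and five messages/files.
CUSTOMER_IDS = ["CUST-88213", "CUST-10477"]
SAMPLES = {
    "newsletter": ("Quarterly newsletter, order ref 1234567812345678.", "outbound"),
    "hr_note": ("Confidential: salary review schedule attached.", "outbound"),
    "card_mail": ("Refund to card 4111 1111 1111 1111, exp 09/27.", "outbound"),
    "full_record": ("CUST-88213 card 4111-1111-1111-1111 SSN 123-45-6789", "outbound"),
    "share_dump": ("export: CUST-10477, CUST-88213", "at_rest"),
}


def run_samples() -> dict:
    """Map each sample name to its (tier, action) decision."""
    index = ExactMatchIndex(CUSTOMER_IDS)
    return {name: inspect(text, index, ch)[:2] for name, (text, ch) in SAMPLES.items()}
```

The order reference in the newsletter sample is sixteen digits but fails Luhn, so it produces no finding; the same card number alone is intercepted, and only together with a fingerprinted customer ID does it reach the halt tier.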


Opening Pandora’s Box

By Jeff Bardin

Data Loss Prevention (DLP) tools are great solutions. They detect what’s flowing out of your virtual boundaries examining sex, drugs, rock & roll, intellectual property (IP), personally identifiable information (PII) and anything you wish across any and all Internet protocols. They can crawl your local area network searching unstructured data sources (Word, Excel, PowerPoint, Acrobat, text files) for credit card information, social security numbers, pornography, salary information and termination lists. DLP can be the greatest thing since sliced bread if and only if you have a plan in place long before you deploy any of the solutions out there.

Most security engineers and even many chief information security officers (CISOs) get that glazed-over look in their eyes when they hear about all the wonderful things that a DLP solution can do. Plug it in and all those enterprise security problems just vanish into thin air. What you are not told during a DLP sales pitch is the Pandora’s Box you not only are about to open but completely unhinge. What you really need to understand is how deep the business wants you to go.

If you go too deep, meaning if you detect too many sensitive things too soon or at all, you may find yourself in an uncomfortable position since you have not prepared the chain of command and the business for what you will find. It’s a cultural issue of significant importance. Personal experience tells me that you will not be seen as the savior you fashion yourself to be, but potentially an enemy of the state. In fact, the sad truth is that the bodies you discover may eventually lead to your own undoing. But that doesn’t mean you should give up on DLP entirely. Here are some tips on ensuring the proper depth and the structure you need to have in place prior to and during a DLP solution rollout:

Determine the Specific Risk Appetite of Your Company

Let them know that you are going to enable all filters for a week across all protocols and that you will share this information only with senior members of legal, compliance, privacy, HR, internal audit and IT.

a. Try before you buy. Have your vendors run the solution for a week prior to your purchase.
b. Compare results.
c. Examine false positives.
d. Brace them for what they may find. (I have found pornography, the buying and selling of AK47s, unsavory videos, credit cards flowing with impunity outside of the company alongside intellectual property, salary information, malware, adulterous activity, plots within plots, plans to subvert something or someone, social security numbers and corporate business plans, businesses being run off corporate servers; you get the idea.)

Establish Policies Ahead of Time

Ensure you have air cover. You need to do this to expand your coverage.

a. These policies must be created with legal, compliance, privacy, HR and the CIO.
b. What are the corporate policies in place today supporting DLP? Is there an expectation of privacy for your users (employees, vendors, contractors) when using your assets? Or is HR prepared to sanction your users when data is discovered leaking?

Get Your Awareness Plan Updated

Prepare to re-execute based upon your new and existing policies.

a. Ensure you have procedures in place to execute the policies.
b. Determine what and how you will investigate based upon business requirements (risk appetite).
c. What is the communication plan to your user community on the deployment and use of these tools and their understanding of corporate policy and associated sanctions?

Ensure Your Policies are Up-to-date

a. Determine how you will consolidate the 20 copies you find of the same file containing intellectual property.
b. Determine where you will store the copies.
c. Determine who owns the information.
d. Determine access rules and rights.
e. Determine any regulatory requirements over the discovered information including potential eDiscovery / legal hold issues.
f. What data governance requirements and structure should you have in place to ensure success?

Make Sure All Participating Organizations Know Their Roles

Organizations will most likely need to define this but HR will need to determine what level of sanctions they may wish to employ.

a. Legal will need to determine what they want to investigate and what they do not (they will also need to determine if they are going to disclose a discovered breach).
b. Compliance, privacy, IT and security will need to determine the impact to their controls (or lack thereof), creating a punch list of counter-measures and finding out why the ones they have deployed are not working — and what the impact is to your regulatory, statutory and standards-based compliance programs.
c. Internal audit will need to be informed since they may be asked how they have missed this over the years and they will then refocus their efforts.
d. Ensure you have solid investigations protocols and procedures including chain of custody and rules of evidence.

Be prepared to present a well-defined governance model for this whole process or enhance the one you already have. Ensure you know how you will pursue who you will pursue without violating any internal codes, statutes or regulations. Be prepared to potentially throttle back on the depth of your discoveries. Sometimes the real truth is not desired. Sometimes a ‘defined’ level of due diligence is required.

Establish a protocol for how you will handle the information that is found; where it will be stored; if it will be destroyed; and who has the authority to do so.

The successful implementation of DLP solutions is not as simple as just implementing a tool. I recommend a phased approach and plan that moves you to the proper level of DLP. Experience tells us that to successfully deploy a DLP solution, you must have the business, HR and legal fully aligned with the program and agree to the need for it based upon the defined risk.

Jeff Bardin is VP and CSO at ITSolutions. Send feedback on this column to [email protected]

Seek Answers for a Successful DLP Rollout

Before implementing a DLP solution, get ready to field these questions.

People Questions

a. Are you trying to get me fired? This question should only occur if you have not included all the appropriate parties in the process.
b. How could you allow this to happen? Doesn’t our existing infrastructure prevent this type of activity? Why don’t our employees adhere to our policies?
c. How long has this been going on? Why are we just finding out about this now?
d. Who has access to this information?
e. Who have you told about this?
f. Why did you deploy this and did I sign off on this?
g. What is our liability?
h. What are our competitors doing?

Technology Questions

a. What content filters are enabled first and across what protocols?
b. What tools do you have that are not fully deployed with all features and functionalities?
c. Will data merely be discovered leaking or will it be prevented from leaking, and who will make these decisions?
d. If I have encryption in place, will my DLP solution be able to interrogate encrypted data to validate it as fitting corporate policy for transmission? If I have this capability, will it be for all encryption solutions?
e. What solutions do I have in place today to allow for the secure sending of information to appropriate recipients?
f. What new solutions will I need once DLP is put in place and data is prevented from flowing?
g. What end-point solutions will I need in addition to DLP to prevent the flow of sensitive data from the boundaries of my organization?

—J.B.


What Goes Into a DLP

Before embarking on a data loss prevention program, enterprises must first determine what the essential ingredients are. Here are five critical items for that perfect solution.

By Bill Brenner

Companies are clamoring for data loss prevention (DLP) tools to keep their data safe from online predators. But there is much confusion over what the true ingredients are. Most security vendors will tell you they have just the thing for your DLP needs. But some industry experts say enterprises often buy products that, once installed, don’t perform all the functions necessary to keep sensitive information safe.

We talked to several IT security professionals in an effort to zero in on the true elements of an effective DLP program — from the technology to people policies — and how best to fit the pieces together. We focus specifically on five technological approaches that, when used together, offer a solid data defense.

Data Discovery, Classification and Fingerprinting

Richard Stiennon, chief research analyst at IT-Harvest, says a complete DLP solution must be able to identify your IP and make it possible to detect when it is ‘leaking’.

William Pfeifer, CISSP and IT security consultant at the Enforcement Support Agency in San Diego, agrees, calling data classification a prerequisite for everything that follows. “You cannot protect everything,” he says. “Therefore methodology, technology, policy and training is involved in this stage to isolate the asset (or assets) that one is protecting and then making that asset the focus of the protection.”

Nick Selby, former research director for enterprise security at The 451 Group and CEO/co-founder of Cambridge Infosec Associates, says the key is to develop a data classification system that has a fighting chance of working. To that end, lumping data into too few or too many buckets is a recipe for failure.

“The magic number tends to be three or four buckets — public, internal use only, classified, and so on,” he says.

Encryption

This is a tricky one, as some security pros will tell you encryption does not equal DLP. And that’s true to a point.

As former Gartner analyst and Securosis founder Rich Mogull puts it, encryption is often sold as a DLP product, but it doesn’t do the entire job by itself.

Most IT leaders don’t disagree with that statement. But they do believe encryption is a necessary part of DLP. “The only thing [encryption doesn’t cover] is taking screen shots and printing them out or smuggling them out on a thumb drive. Not sure I have a solution to that one. It also leaves out steganography, but then is anyone really worried about that?” Pfeifer asks. Specifically, he cites encryption as a DLP staple for protecting data at rest, in use and in motion. Stiennon says that while all encryption vendors are not DLP vendors, applying encryption is a critical component to DLP. “It could be as simple as enforcing a policy,” he says. “When you see spreadsheets as attachments, encrypt them.”

Gateway Detection and Blocking

This one would seem obvious, since an IT shop can’t prevent data loss without deploying tools that can detect and block malicious activity.

Sean Steele, senior security consultant at InfoLock Technologies, says the key is to have something in place that provides real-time (or close to real-time) monitoring and blocking capabilities for data that’s headed outbound at the network perimeter, data at rest (“sensitive or interesting/frightening data sitting on my network file shares, SAN, tier 1/2 storage, etcetera,” he says); and data being used by human beings at the network’s endpoints and servers.

E-mail Integration

Since e-mail is an easy target for data thieves, whether they are sending e-mails with links to computer-hijacking malware or sending out e-mails from the inside with proprietary company data, partnerships between security vendors and e-mail gateway providers are an essential piece of the DLP puzzle. Fortunately, Stiennon says, “Most DLP vendors formed partnerships with e-mail gateways early on.”

Device Management

Given the mobility of workers and their computing devices these days — including laptops, smart phones, USB sticks — security tools that help the IT shop control what can and can’t be done with mobile devices are a key ingredient of DLP.

Stiennon is particularly concerned about USB devices that could be used to steal data. “Being able to control the use of USB devices is a key requirement of a DLP solution,” he says.

Send feedback on this feature to [email protected]

CIOs Rate the Importance of DLP to Meet These Targets

Target | Level of Importance
Protect IP | Critical
To protect my company’s reputation | Very Important
Avoid litigation | Very Important
Meet regulatory compliance | Very Important
Protect trade secrets | Very Important to Somewhat Important

Source: GTB Technologies

What CIOs Look Out for When Buying DLP

Factor | Critical | Very important | Somewhat important
A reliable product | 52% | 46% | 2%
Proven ability to deliver on promises | 42% | 52% | 4%
Price | 34% | 50% | 13%
Vendor reputation | 15% | 63% | 20%
Use of leading technology | 24% | 50% | 21%
Third-party recommendation | 13% | 51% | 29%

Source: GTB Technologies


Half Price Sale

With more players in the market and increasing competition, DLP vendors are slashing prices on their once expensive products.

By Ellen Messmer

Data-loss prevention products can potentially save organizations a bundle by preventing the escape of sensitive information. But the six-figure starting price for a typical enterprise deployment of host and gateway-based DLP is tough for many to swallow. The good news is that prices are expected to fall as more vendors enter the fray and more choices for how to roll out DLP emerge. “If you’re dealing with a couple thousand seats for DLP, expect $250,000 (about Rs 1.1 crore) to half a million (Rs 2.25 crore),” says Forrester Research analyst Andrew Jacquith. “But we will see price erosion because of competition.”

(Of course, vendors are fond of pointing out that even today’s prices aren’t too high when you consider the cost of responding to a data breach. A Ponemon Institute study has tagged this at more than $6 million (about Rs 27 crore) on average, plus the loss of good reputation and possible lawsuits.)

The market to prevent data leaks got going in the early 2000s and has gained momentum of late, though even successful vendors still tend to boast of customer numbers in the hundreds rather than thousands. The market is dominated by traditional anti-malware vendors that bought out DLP start-ups, though independents such as Verdasys remain in the mix as well. Newcomers will include the likes of anti-malware vendor Sophos, which is expected to introduce a DLP offering of its own making.

Jacquith says when enterprises determine an immediate need for DLP, the usual course has been to first turn to a security vendor they already rely on for other things.

“If it’s a big McAfee shop or a Symantec shop, they’ll look there first,” he says. In Forrester’s analysis, the market leaders are Websense, McAfee, Symantec, CA, EMC security division RSA and Verdasys. In addition to DLP becoming available from more vendors, it will wind up getting embedded in existing software and hardware, including switches, servers and even laptops. It may all lead to the “content-aware enterprise,” a phrase coined by Gartner analyst Eric Ouellet, who says, “It’s about sprinkling DLP everywhere.”

Buying Into DLP

For those investing in DLP today, the need is straightforward. “We need to protect patient information or other business information,” says Larry Whiteside, CISO at New York City-based Visiting Nurses, which has 13,000 employees, with 3,500 nurses providing home assistance and facilitating hospital transition care for some 30,000 patients in the greater New York area.

Visiting Nurses, which had already been making use of the Websense Security Gateway, recently added the vendor’s DLP gateway functionality. Using the DLP discovery tool, Visiting Nurses has determined where sensitive data is located in its 30 file servers for the purpose of detecting and blocking breaches, including inadvertent ones.

Plans are to add DLP data-blocking capability into mobile computers used by nurses. Any alerts would be collected into the firm’s Symantec security-event management system, Whiteside says. “If a user attempts to send a file, we would want it stopped at the gateway, with an alert generated and sent to the [management system],” he says.

Support from business managers for DLP has been solid, especially as IT is also under constant pressure to grant more open access, Whiteside says. “From the data stewardship standpoint, it’s on my staff to make sure people are doing what they’re supposed to do,” he notes, adding he does expect it to take up to half a year to deploy DLP widely.

And DLP does nothing if not give an organization a clear picture of how content gets distributed internally and to the outside. “The visibility you get is incredibly useful,” Jacquith notes. “Some people even talk about using it for chargeback.”

What Misses DLP’s Eye

While the accuracy of DLP products is regarded as good, the tools aren’t impervious to being tricked. James Wingate, director of the Steganography Analysis & Research Center in Fairmont, West Virginia, says it’s possible to hide a file inside another using steganography tools and “DLP tools will not detect it.”

Dave Meizlik, director of product marketing at Websense, acknowledges data hidden through steganographic tricks may slip through a DLP system. Encryption also is problematic in that a scrambled document would have to be decrypted to have its content inspected. In some cases, that can be set up under an authorized encryption method. Documents that have been encrypted with unauthorized methods could be flagged as suspicious.

Chart: Cost of DLP Per User, showing the share of respondents in each per-user price band for buying, implementing and maintaining a DLP solution. Average price of buying a DLP solution (per user): $45 (Rs 2,100). Average implementation cost (per user): $43 (Rs 2,020). Average monthly cost of maintaining a DLP solution (per user): $10 (Rs 470). Source: GTB Technologies. Exchange rate $1 = Rs 47 (applicable rate in August 2009 when the survey was conducted).

Gijo Mathew, vice president of security management at CA, says encryption can be regarded as a weak point in DLP today. “If it can’t read it, it can’t analyze it to block it.”

In fact, the role of encryption looms large in DLP, with the more sophisticated systems designed to block and hand off e-mail that should be encrypted to other security products the organization might use. CA DLP, for instance, works with products from Voltage, PGP and BitArmor so data tagged as sensitive can be automatically handed off for encryption before transmission.

Visiting Nurses is considering such interaction between its Websense Security Gateway and Cisco IronPort appliance.

Where to Put Your DLP

Whether to install DLP at the gateway or host level — or buy a multipurpose security gateway with DLP or a stand-alone device — is a topic for debate among IT and security leaders.

Discover, Monitor, and Protect

Buying Into DLP

You must watch and monitor and track a thousand security issues every single day. But remember, the data breach you prevent may be your own. Here are four points to address.

First, explain to your workers why DLP matters and the penalties for mistakes. If workers don’t know which files need protection, they can’t protect them. Clip and save a couple of news articles that outline the data breach laws, penalties and costs of customer notification. Emphasize how each employee may have to call customers and apologize for sending their credit card information to the hackers by accident.

Second, move all critical files off individual computers. Enterprise DLP system software runs on every desktop and laptop, and monitors local and networked file activity. Until you can afford that, remove temptation by vigorously tracking all critical files on local computers and moving those files to networked storage of some kind.

Third, upgrade your local shared storage access controls. Management knows how to do this, because they don’t put payroll information in the public file area. Treat all your critical files as if they were payroll files, and you’ll be better off. The better the system, the more granular and secure the access rights controls. Even the cheapest shared storage box allows you to password protect volumes at a minimum, making it easy to put, say, all accounting and payroll files on a separate volume that requires a username and password different from the public file storage areas.

Fourth, talk to your e-mail host about filtering outbound attachments. If you run your own e-mail server, dig into the manuals to figure out how to block all e-mail attachments. Third-party spam and virus protection services usually have these services, so ask them.

However, never underestimate the creativity of idiots, and especially idiot users. Talk to your security consultant and see what you can put in place.

—By James E. Gaskin


Installing a DLP gateway is “a no-brainer,” Forrester’s Jacquith says, noting it’s the least expensive and easiest way to get started.

But some vendors say there’s been too much emphasis on the gateway when you take into account the mobility of employees. TrendMicro’s global product marketing manager, Mark Bloom, voiced some dismay that his company (which acquired Provilla’s LeakProof) is considered a niche player in DLP by Gartner because “we’re focused on the endpoint.”

Trend Micro expects to offer DLP for the gateway in the near future. While LeakProof is a stand-alone DLP agent, the DLP functionality will be moving into Trend Micro’s OfficeScan products in the early 2010 timeframe. “We’re seeing a big push to have a content-aware endpoint,” Bloom says. “We should have a single agent.”

In fact, there’s a broad march underway by IT vendors to integrate DLP functionality into existing security host and gateway products. These include:

McAfee’s host DLP software can be used alone or as an add-on to its flagship anti-malware security software that’s part of its Total Protection for Data Endpoint suite. McAfee is looking at integrating the DLP engine into its Web gateway, e-mail gateway, firewall and intrusion-protection gear.

Microsoft and VMware anticipate integrating RSA DLP technology into future products, though this is still in the early stages. RSA is the security division of EMC, which is the majority owner of VMware.

Symantec, which integrated DLP into its Brightmail e-mail security gateway, has also begun integration with its Altiris management software. Altiris 7 can be used to deploy and troubleshoot endpoint DLP Prevent and Discover agents so that there’s communication between the DLP endpoint and the Symantec Endpoint Protection agent, its flagship security software. Integrating DLP into Symantec storage systems can be expected in the future. Symantec DLP Discover, for instance, has already been integrated into Backup Exec System Recovery, and Symantec intends to introduce some open APIs for DLP.

HP, which acquired outsourcing giant EDS last year, has a strategic partnership with Symantec on DLP. EDS supports Symantec DLP in outsourcing arrangements with enterprise customers and even manages the DLP system for Symantec itself, which selected EDS as its outsourcing partner. A focus now is integrating some of the Symantec DLP capability into HP ProCurve switches and deploying DLP in HP datacenters, he notes. Whitener points out that sometimes organizations don’t want the company’s CSO or IT support in the middle of handling data-loss issues since this is seen as a possible conflict of interest.

The changing world of DLP is something that Phil Moltzen, senior security architect at the US Department of Energy, is keeping an eye on. He says there’s a growing awareness that attention must be paid to monitoring content that’s leaving the network as well as all the work that’s done to stop attacks related to phishing, hackers and malware from coming in.

The cost of DLP does present a barrier to large-scale adoptions today, but he adds, “DLP is really just starting to take off.”

Send feedback on this feature to [email protected]

$6 million (about Rs 27 crore) is the average cost of responding to a data breach, which is a lot more than the cost of a DLP solution. Source: Ponemon Institute.


There are DLP solutions and then there are DLP solutions. Each offers something good — sometimes at the expense of something not so good. To help you figure which is best suited for your organization, we pit four products against each other and test them against four parameters including ease of configuration, performance, fingerprinting, and reporting. Here are the results.

By Nate Evans and Benjamin Blakely


Finding the right perimeter-based data loss prevention tool means striking a balance between speed, accuracy at detecting and blocking sensitive data from exiting the network, and adequate coverage across a broad range of rule-sets and protocols.

DLP products come in three categories: perimeter-based, client-based, and those that take a combined approach. In this test, we evaluated perimeter-based appliances from Fidelis Security Systems, Palisade Systems, Code Green Networks and GTB Technologies.

The DLPs were set up inline (except for Code Green’s Content Inspector, which doesn’t support in-line mode) between a simulated WAN and LAN and were configured with a set of 10 rules. We then ran about 1,100 files through each device, waiting about a minute between each file, to determine how accurately the device detected and blocked a total of 276 ‘bad’ files and to what degree network performance was affected by the inline DLP.

Code Green’s Content Inspector scored highest when it came to detection. Code Green also scored high on ease of configuration. But Code Green was limited in the range of protocols it could block.

Our Clear Choice winner is Fidelis’ XPS because of its easy-to-use interface, flexible rule-set, amazing reporting, and better-than-average detection and blocking ability.

Palisade’s Packetsure and GTB’s Inspector were somewhat unrefined by comparison, requiring more work to understand the rule structure and adding unneeded complexity to the overall process. But they were still very competitive when it came to detecting harmful files.

Installation

Generally DLP vendors deploy engineers to the customer site to set up and configure the device, but we decided to do it ourselves to get a hands-on understanding of how the product works from installation through reporting.

For Packetsure and Content Inspector, the basic installation was fairly straightforward and the products were set up with little to no trouble. For the other two products, basic installation was a little more difficult, requiring numerous contacts — via e-mail and phone. But they eventually all were set up without the need for a technician to show up on-site.

After each product was set up and could pass data between the simulated LAN and WAN, we configured the device to our filtering specifications. This included a sample set of 10 rules chosen to test some of the basic features and blocking potential.

The DLPs were set up to look for Social Security and credit card numbers, certain pieces of source code, and five words in a row from a short story, which would be used to prevent any part of a specific report from leaving the network.

We also set up rules to check for maximum file sizes or .mp3 files. And we fingerprinted a data set containing a list of customer names, addresses and Social Security numbers and set up a rule blocking any combination of the three.

Configuration Ease: Code Green is Tops

Code Green’s Content Inspector was the easiest product to configure and write rules for. The rule language is simple and the graphical interface is very usable. Code Green breaks rule creation down into two categories: data and policy. One defines data to be blocked using a variety of tools, and then configures a policy to check for it. This was very straightforward and easy to change, with no need to restart the device or reload the settings. In the configuration simplicity arena, Code Green goes above and beyond all the other products.

Fidelis’ XPS sensor has a ‘Command Post’ server to handle management and configuration, a mail sensor server (provided via built-in Postfix SMTP proxy), and a Web sensor (implemented via a third-party BlueCoat Web proxy appliance).

Rule creation is straightforward and simple using a Web GUI. XPS is the only product that allows you to submit sample files in order to test each rule before you make it live.

If you ever have a question about a specific rule or a page you are on, Fidelis has built in wonderful help links on each page that explain each check box or button. This is a life-saver and allowed us to create the majority of the rules without any technical support contacts.

Palisade’s Packetsure provided a simple wizard to help with setup and was the only product to have such a helpful starting point. However, if one wants to add or change a rule outside of the wizard, the sailing is not quite so smooth.

Part of the problem may be that Packetsure is really two products trying to work together as one: there is a content analysis engine and a protocol analysis engine. The Palisade protocol analyzer only inspects the packet payload (instead of re-assembling the data stream as the content analysis does). This two-pronged approach helps isolate each rule, but it makes managing the product difficult.

Also, in our testing the rules did not always work as expected. For example, one ‘content analysis checkbox’ means packet analysis and another content analysis checkbox actually re-assembles the data stream before it analyzes it (similar to all the other products).

Test Center: Key Findings

All of the products did an effective job at detecting harmful files that were sent over the specific protocols that the product supports. But not all products support a wide range of protocols.

Some of the products that did well at detecting harmful files were less adept at blocking.

None of the products were able to analyze or block encrypted traffic.

There’s a network performance hit that needs to be taken into account when running these products in-line.

— Nate Evans and Benjamin Blakely

Packetsure has a ‘connect to home’ functionality which the user can enable right out of the box. This feature can be very useful when calling tech support or even with the initial setup as it allows Palisade to assist using a secure VPN.

GTB’s Inspector has the most difficult configuration process of the four products. In order to write a rule, one must edit a text configuration file, add some regular expressions and format each line very specifically. For example, in order to write a rule to check for the words ‘Top Secret’ in a file, a regular expression had to be written in a large text box on the Web management interface.

There is no wizard and no graphical interface. The other limiting factor with GTB’s Inspector is the fact that its rule-set functionality is very limited. In our test it could only implement about half of the desired rules. Even a simple rule such as looking for specific filenames or maximum file size was not supported.

Performance: Fidelis is Fastest; Code Green Wins the Detection Test

We tested how accurately the product blocked a total of 276 harmful files that we sent, or roughly 30 files for each of the nine protocols (including HTTP, SMTP, POP, IMAP, FTP and Telnet) in our test bed. We also measured how fast the product could pass data through the device, starting with a baseline of 581Mbps, which is the capacity of our network without any device present.

The best performance from a detection perspective was Code Green’s Content Inspector, which detected 90 percent of the data we threw at it. And the 10 percent Content Inspector missed was because of the lack of support for encrypted traffic streams (SSH sessions), which no product supports.

However, it can only block files on four of the tested protocols: HTTP, Secure-HTTP, FTP and SMTP. The first three are done using a third-party BlueCoat Proxy device and the SMTP is done using a built-in mail relay.

This lack of blocking ability across a wide variety of protocols was the major drawback in Code Green’s Content Inspector. But if your company is only worried about those four protocols, this product would be recommended.

Fidelis’ XPS had an 84 percent success rate in detecting and blocking across all protocols and streams of data. The marketing line for this company states that they can block data on all 65,535 ports and we would have to agree. This product blocked virtually everything it could detect, only failing on one file type: an archived Web site.

The product handled obfuscated data very well — catching four of five files. POP and IMAP provided a little bit of trouble, but after a few custom patches from the engineers, it worked as expected.

The choice faced by all these products is a tradeoff between performance and blocking effectiveness. When data moves through a DLP device, the product can choose to either cache it, determine that it’s good and then let it out, or try to do analysis on the fly, and suffer some data leakage.

Fidelis chose performance and won our speed test, passing traffic at 90 percent of network capacity. However, occasionally pieces of sensitive data leaked from the network. All the other products chose to prioritize blocking over speed.

Find out the strengths of each product across four parameters — and what it traded off to excel in that area.

Fidelis XPS: Overall Winner

Fidelis XPS was the most developed DLP product among those that we tested in overall features, general flexibility and its ability to block. It has a ‘Command Post’ server to handle management and configuration, a mail sensor server (provided via built-in Postfix SMTP proxy), and a Web sensor (implemented via a third-party BlueCoat Web proxy appliance).

Installation isn’t simple, but it didn’t take more than a few hours to get XPS set up and running. The built-in help links are very useful when writing rules and the XPS includes the ability to test rules that you write. The XPS does a great job of remaining flexible across all protocols yet still maintaining the ability to block on these protocols. The management interface allows you to easily create rules and see reports.

What’s this DLP Product Good For?

This product was the fastest we tested, blocking 80 percent of harmful files, while only taking a 10 percent performance hit. If you are looking for a product to block a variety of protocols and applications, in addition to the standard HTTP and SMTP, look no further.

Palisade’s Packetsure: Two Products in One

Palisade’s Packetsure product seems to contain two products in one: a protocol analyzer and a content analyzer. Packetsure had a high detection rate, but the slowest speed, performing at 50 percent of maximum bandwidth. This product has some interesting features such as the ability to help set up the product via a VPN and a useful graph showing data passing in and out of the network.

Installation was simple and straightforward, accomplished in less than an hour. The initial setup was assisted greatly by the use of a wizard. However, altering rules after using the wizard is bothersome and reporting is more difficult and clunky than it could be.

Palisade’s Packetsure is targeted at the basic protocols of HTTP, SMTP and FTP, and showed a high blocking rate on those specific protocols. But Packetsure, possibly because it seems to contain two products in one, was the slowest product, performing at only 55 percent of the allowable bandwidth.

Furthermore, blocking a specific protocol and scanning based on content analysis work as expected, but when you combine the two, problems emerge, creating unexpected results. For example when you try to limit content analysis to a certain protocol, you have to choose between using a weaker content analysis system (which won’t re-assemble the stream) or not limit your blocking based on protocols. The latter is the best way to handle this problem, but doing so reduces the flexibility and blocking capability of the product.

GTB’s Inspector was the most consistent product. What it detected and blocked on one protocol it detected and blocked on every protocol with no extra work. The problem with this product was it only could check based on certain rules and those rules were limited. About half of our detection tests failed on this product because the rule types are not supported. However, even with its lack of rule support, it still caught 62 percent of the illegal files.

Across supported protocols, Inspector was the only product to score a 100 percent, catching every single file we could send through the machine at 80 percent of the allowed bandwidth.

Fingerprinting: GTB Inspector Gets High Marks

Fingerprinting is a concept that is implemented fairly well in these DLP products. Fingerprinting will hash a file and look for parts of that file leaving the network.

Code Green’s Content Inspector: Tops in Detection

Content Inspector was the best product tested when it comes to detecting data leakage. However, because it can only block a few protocols, the detection is not well used.

Installation was very simple and configuration was easy to understand without reading any manuals. This is the only product that allowed every rule to be implemented. This product was able to detect 90 percent of the data we threw at it, which is almost double some of the other competitors. The 10 percent they missed was because of lack of support for encrypted traffic streams (SSH sessions), which no product supports.

However, it can only block files on four of the tested protocols: HTTP, HTTPS, FTP and SMTP, three of which are done using a third-party BlueCoat Proxy device and the last is done using a built-in mail relay. When blocking using one of these methods, this product was flawless, blocking every file it could detect. However, this lack of blocking ability across a wide variety of protocols was the largest drawback in Code Green’s Content Inspector.

GTB Inspector: Consistently Solid

GTB’s Inspector was a very consistent product but is limited in rule generation. Installation was a headache, taking nearly eight hours to set up. However, after the product was set up and configured it was extremely consistent. What it detected and blocked on one protocol it detected and blocked on every protocol it supported.

The problem was that it was only able to check based on certain rules and those rules were limited. About half of our detection tests failed on this product because the rule types are not supported. However, even with its lack of rule support, it still caught 62 percent of the illegal files. Across supported protocols, this was the only product to score a 100 percent, catching every single file we could send through the machine at the 80 percent network bandwidth it allowed.

Another redeeming quality is that GTB’s Inspector has a very powerful and robust fingerprinting ability allowing all sorts of customization.

— Nate Evans and Benjamin Blakely

Product: Fidelis’ XPS
Price*: Rs 132,800
Pros: Fast in-line device, useful management interfaces.
Cons: Some protocols are not fully implemented; blocking occurs after data is detected so there is some leakage.
Score: 3.9

Product: Packetsure
Price*: Rs 30,000
Pros: Helpful wizard, excellent real-time reporting graph.
Cons: Slowest in-line device; reporting is tedious and not very flexible.
Score: 3.1

Product: Content Inspector
Price*: Rs 31,000
Pros: Highest detection rate, flexible and easy interface for writing rules.
Cons: Does not support any blocking except SMTP (e-mail) unless an external proxy is used.
Score: 3.4

Product: GTB Inspector
Price*: Rs 20,000
Pros: Consistent product able to block all protocols.
Cons: Limited in rule generation and protocol scanning; complex configuration.
Score: 3

Score based on a weighted average of four parameters: ease of use, features, performance, installation.

* Prices are approximate only.


Fingerprinting is used to prevent sensitive data from leaving a network and at the same time to reduce false positives. For example, most organizations want to prevent Social Security numbers from leaving local networks. But a lot of things can look like a Social Security number (e.g., a mistyped phone number or an online order number).

Fingerprinting takes any sensitive information you may have on your network and looks for a number of pieces that specifically correspond with it, to make it a piece of information that you don’t want erroneously leaving your network.

One could fingerprint a list of names, addresses and Social Security numbers and, instead of triggering on any nine-digit number, the DLP will only trigger when a Social Security number is sent out with the associated full name. Or, instead of looking for a specific word phrase, it can look for a few sentences from a report.

All of the tested products support this feature, but GTB Inspector is the most powerful and flexible — customers can fingerprint data from a variety of flat files, databases or spreadsheets.

That power and flexibility, however, comes at the cost of simplicity. GTB has its own program which one must use to fingerprint data, as opposed to other products that allow an administrator to upload and fingerprint a file from the main management interface.

While Palisade’s Packetsure can scan and hash the usual range of files that most of the others support, when it comes to database fingerprinting — linking two fields in a relational database — it requires the files to be exported into a flat file for analysis. Fidelis’ XPS included the ability to test your fingerprints once you created them.

Code Green’s Content Inspector could fingerprint data of all sorts and allowed you to set up scenarios on when this data would trigger an alert. For example, if you fingerprinted names, addresses and Social Security numbers, you could say alert me when you see two Social Security numbers and one has a matching name. No other product had as much granularity and yet remained simple to use.
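The fingerprinting idea described above (hash a list of names and Social Security numbers so the rule fires only when a number leaves with its associated name, hash five-word runs of a report so any excerpt is recognised, and a policy such as “two Social Security numbers, one with a matching name”), as an added illustration that is not code from the article or from any of the tested products. The customer records, the report text, the nine-digit regex and the assumption that fingerprinted names are two words long are all constructed for this example.

```python
"""Toy DLP fingerprinting: structured (name + SSN pairs) and unstructured
(five-word shingles of a protected report). Constructed example; not any
vendor's implementation."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data; names, addresses and SSNs are placeholders.
CUSTOMER_RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St", "ssn": "123-45-6789"},
    {"name": "Bob Placeholder", "address": "2 Demo Ave", "ssn": "987-65-4321"},
]
PROTECTED_REPORT = (
    "The quarterly review shows margins fell sharply in the northern region "
    "while logistics costs rose for the third straight quarter."
)

SSN_CANDIDATE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")  # any nine digits, optionally dashed
WORD = re.compile(r"[a-z0-9]+")
SHINGLE = 5       # the "five words in a row" rule from the test
NAME_WORDS = 2    # assumption: fingerprinted names are two words long


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_ssn(raw: str) -> str:
    return re.sub(r"\D", "", raw)


def normalize_name(raw: str) -> str:
    return " ".join(WORD.findall(raw.lower()))


@dataclass(frozen=True)
class RecordFingerprints:
    name_digests: Set[str]  # sha256(name)
    pair_digests: Set[str]  # sha256(name|ssn): a name is sensitive only with *its* SSN


def fingerprint_records(records: Iterable[Dict[str, str]]) -> RecordFingerprints:
    """Only digests leave the fingerprinting step; the sensor never holds plaintext."""
    names, pairs = set(), set()
    for rec in records:
        name = normalize_name(rec["name"])
        names.add(_digest(name))
        pairs.add(_digest(name + "|" + normalize_ssn(rec["ssn"])))
    return RecordFingerprints(names, pairs)


def fingerprint_document(text: str) -> Set[str]:
    """Hash every SHINGLE-word window so any excerpt of the report can be recognised."""
    words = WORD.findall(text.lower())
    return {_digest(" ".join(words[i:i + SHINGLE]))
            for i in range(len(words) - SHINGLE + 1)}


def naive_ssn_hits(text: str) -> List[str]:
    """The pattern-only rule: fires on anything that looks like nine digits."""
    return [normalize_ssn(m) for m in SSN_CANDIDATE.findall(text)]


def record_hits(text: str, fp: RecordFingerprints) -> List[Tuple[str, str]]:
    """(name, ssn) pairs in the text whose digest matches a fingerprinted record."""
    words = WORD.findall(text.lower())
    names = {" ".join(words[i:i + NAME_WORDS])
             for i in range(len(words) - NAME_WORDS + 1)
             if _digest(" ".join(words[i:i + NAME_WORDS])) in fp.name_digests}
    ssns = set(naive_ssn_hits(text))
    return sorted((n, s) for n in names for s in ssns
                  if _digest(n + "|" + s) in fp.pair_digests)


def report_excerpt_found(text: str, doc_digests: Set[str]) -> bool:
    return not doc_digests.isdisjoint(fingerprint_document(text))


def evaluate_message(text: str, fp: RecordFingerprints, doc_digests: Set[str],
                     min_ssns: int = 1) -> Dict[str, object]:
    """Policy: block when a report excerpt leaks, or when at least `min_ssns`
    SSN-like numbers appear and one of them is paired with its fingerprinted
    name (min_ssns=2 is the "two SSNs and one has a matching name" scenario)."""
    matches = record_hits(text, fp)
    ssn_like = naive_ssn_hits(text)
    excerpt = report_excerpt_found(text, doc_digests)
    return {
        "naive_ssn_count": len(ssn_like),   # what a bare nine-digit rule would flag
        "record_matches": matches,
        "report_excerpt": excerpt,
        "block": excerpt or (bool(matches) and len(ssn_like) >= min_ssns),
    }


if __name__ == "__main__":
    fp = fingerprint_records(CUSTOMER_RECORDS)
    doc = fingerprint_document(PROTECTED_REPORT)
    # A mistyped phone number and an order number trip the naive rule but not the fingerprint.
    for msg in ("Order 200912345 shipped; call 415555019 if it has not arrived.",
                "Please update the record for Alice Example (SSN 123-45-6789)."):
        print(evaluate_message(msg, fp, doc))
```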

Reporting: Code Green, Fidelis Are Tops

One of the most useful parts of a DLP product is its reporting feature. For an administrator, knowing what a product is seeing and blocking is extremely useful.

Code Green’s Content Inspector and Fidelis’ XPS have the best reporting systems. Both do a great job of allowing flexibility, ease of use, exporting capabilities and beautiful (and meaningful) graphs to help make this data easy to digest. Plus, Code Green’s product allows for simple integration into many alert software applications (such as Crystal Reports) or even custom applications, as it uses a simple Postgres database.

Palisade’s Packetsure tries to implement the functionality needed in report generation, but doesn’t quite get there. The interface seems very clunky and there is an annoying wait of 3 to 5 seconds whenever you want to generate a report. However, Packetsure has a very useful protocol graphing tool that allows you to see, in real time, what kind of traffic is moving across your perimeter (even allowing an administrator to drill down to specific applications). It would be nice if this was tied to the blocking feature in some way, but it’s not.

GTB’s Inspector lagged behind the competition in terms of reporting. It provided acceptable, straightforward reports and even included the ability to generate graphs to help interpret the data. It doesn’t miss the mark on reporting; it just wasn’t nearly as impressive as the other three products.

Send feedback on this feature to [email protected]

Test Parameters

A small network containing a router and a server was set up with some of the services one would commonly expect to see running on an enterprise network, including FTP, HTTP, Secure-HTTP, mail (POP, IMAP and Exchange) and SSH.

Each vendor was required to ship its product and all required components to the lab. No vendor was permitted to do an on-site installation. Support for the DLPs was obtained on an ‘as-needed’ basis, and vendors provided standard documentation. Towards the end another test was run with the vendor on-site.

The DLPs were set up in-line between a simulated WAN and LAN and were configured with a set of 10 rules. To connect these products in-line, we used a Network Critical V-Line (Bypass) Tap. This device allows the DLP to be placed “virtually” in-line: if the DLP should fail, traffic continues to flow. If you plan to hook your product up in-line, this is a recommended method.

Some of the products also required a separate proxy product to assist with the blocking. We did not take into account the configuration of the proxy when testing the products, but it will be reflected in the cost.

We also tested the speed at which we could pass data through the device. We started with a baseline of 581MBps, which is what we could get out of the network without any device present. Then we activated a rule, which we knew worked, and sent a flood of e-mails of a variety of sizes from 1KB to 1GB through the device. We measured how quickly these e-mails made it out.

Using a machine sitting out on the simulated WAN, we attempted to access a variety of files via each protocol and a variety of ports on LAN services and pull data out of the protected network.

We tested each product by running about 1,000 files through it, waiting about a minute between each file. Some of these files contained blacklisted data (about a quarter of them) and some contained harmless data. We recorded which files made it out, which files were blocked, and which files were flagged (but not blocked).
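Two ideas from this review lend themselves to a small worked example: the fingerprinting scenario described for Code Green (alert when two Social Security numbers appear and one of them has its matching name) and the test record above (which files passed, were blocked, or were flagged). The following Python is an added illustration, not code from the article or from Code Green, Fidelis, GTB or Palisade. It assumes a hash-based fingerprint store built from constructed, fictitious name/SSN records, a regular expression for SSN-shaped tokens, and a simplified block/flag/pass rule; how the reviewed products actually match is not known from the page.

```python
"""Hash-based DLP fingerprint matching and a pass/flag/block test tally.

Added example: a simplified illustration of the ideas in the review, not code
from the article or from any of the reviewed products.
"""
import hashlib
import re
from collections import Counter

# SSN-shaped tokens (NNN-NN-NNNN). The shape alone is not a match; the hash is.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
WORD_RE = re.compile(r"[A-Za-z]+")


def fingerprint(value):
    """Hash a normalised field value; the matcher stores hashes, never clear text."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample records (fictitious names and numbers), fingerprinted once
# at setup, the way a product fingerprints a database export.
_RECORDS = [
    ("Ada Lovelace", "123-45-6789"),
    ("Alan Turing", "987-65-4321"),
    ("Grace Hopper", "555-12-3456"),
]
# Linked fields: SSN fingerprint -> fingerprint of the name in the same record.
SSN_FP_TO_NAME_FP = {fingerprint(ssn): fingerprint(name) for name, ssn in _RECORDS}


def inspect(text):
    """Classify one document as 'block', 'flag' or 'pass'.

    Rule (an assumption modelled on the scenario the review describes): block
    when two fingerprinted SSNs appear and at least one is accompanied by the
    name linked to it; flag any other fingerprinted SSN; pass everything else.
    Returns (verdict, number_of_fingerprinted_ssns, linked_name_seen).
    """
    ssn_hits = {fingerprint(tok) for tok in SSN_RE.findall(text)}
    ssn_hits &= set(SSN_FP_TO_NAME_FP)  # keep only values that were fingerprinted
    words = WORD_RE.findall(text)
    # Candidate names are adjacent word pairs; only their hashes are compared.
    name_fps = {fingerprint(f"{a} {b}") for a, b in zip(words, words[1:])}
    linked = any(SSN_FP_TO_NAME_FP[fp] in name_fps for fp in ssn_hits)
    if len(ssn_hits) >= 2 and linked:
        return "block", len(ssn_hits), linked
    if ssn_hits:
        return "flag", len(ssn_hits), linked
    return "pass", 0, linked


def tally(files):
    """Run labelled documents through inspect() and count verdicts per label.

    Mirrors the review's test record: which files made it out, which were
    blocked and which were flagged, split by whether they held listed data.
    """
    result = {"sensitive": Counter(), "harmless": Counter()}
    for label, text in files:
        verdict, _, _ = inspect(text)
        result[label][verdict] += 1
    return result


# Constructed test corpus: a quarter of the documents carry fingerprinted data.
SAMPLE_FILES = [
    ("sensitive", "Payroll export: Ada Lovelace 123-45-6789; Alan Turing 987-65-4321"),
    ("sensitive", "Ticket 4411: customer SSN 555-12-3456 needs correction"),
    ("harmless", "Quarterly roadmap draft, see attached slides"),
    ("harmless", "Lunch order: two vegetarian, one chicken"),
    ("harmless", "Test form uses the made-up number 000-00-0000"),
    ("harmless", "Meeting with Ada Lovelace moved to Thursday"),
    ("harmless", "Router config backup scheduled for 02:00"),
    ("harmless", "Reminder: badge renewal due next week"),
]

if __name__ == "__main__":
    for label, text in SAMPLE_FILES:
        print(f"{label:9} {inspect(text)[0]:5} {text[:50]}")
    print(tally(SAMPLE_FILES))
```

Two details are worth noticing when running it. The harmless document containing an SSN-shaped number passes, because only values present in the fingerprint store count as hits; that is the difference between pattern matching and fingerprinting, and it is why fingerprinting keeps false positives down. The document with one fingerprinted SSN and no linked name is flagged rather than blocked, which is the distinction the review records as "flagged (but not blocked)".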

—Nate Evans and Benjamin Blakely



Snapshots from the second season of CIO's Leadership Summit.

Toward Innovation

Long Distance (Unified Communication), Page 119

Road to Agility (Infrastructure), Page 121

Workload Balance (Workload Management), Page 118

Security Vs Access (Risk Management), Page 120

Marketing the Value of IT (Vijay Ramachandran, IDG Media), Page 117

Survival Tactics (Anil Dua, Hero Honda), Page 114

Systematic Innovation (Prof. Rishikesha T. Krishnan, IIM-B and Vinay Dabholkar, Catalign Innovation Consulting), Page 116

‘Let's get innovative.’ How many times have you heard that said in a meeting with your peers? With people whose resumes are packed with knowledge and whose faces are lined with experience. You would think they'd know better. The problem is, as nice as the phrase is to say, it's a label that people use to close the subject in a difficult conversation.

But how many of our enterprises can really pull off honest-to-god innovation? And how many can do it on a regular basis?

To meet today's increased need to think beyond the obvious and give customers something to wow about, CIO put together a set of people who live and breathe innovation. Here they are. Learn from the pros. Time to get innovative.


Leadership Summit | CXO Vision

Survival Tactics

Anil Dua, Sr VP, Marketing and Sales, Hero Honda, shares success mantras that helped his company zoom profit during the slowdown.

A lot of people ask me that at a time when every industry was feeling the crunch as America declared a ‘global recession’, how did Hero Honda manage to continue to post good figures and beat the industry’s top line growth? Call me philosophical, but I believe optimism and a positive attitude are the key pillars of Hero Honda’s phenomenal success story.

Believe in the Fundamentals: In the slowdown, we re-learnt the basics. In India, we are fortunate that the fundamentals of all our industries are very strong. According to the IRS (Indian Revenue Service) report of 2009, less than 17 percent of households in the country have two wheelers. And this is true for most of the popular consumer items like TV, refrigerators, and telephones etcetera.

There is a huge untapped market there waiting to be explored. After all, the Indian economy has been growing rapidly and there is — and was — a lot of disposable income in the hands of our consumers. We didn’t let the doomsayers shatter our faith in the market’s potential.

Not All Spends Equal Investments: Therefore, we pursued an aggressive marketing strategy, introducing new products and investing in existing campaigns. At a time when most people were cutting down on infrastructure costs, we doubled our investments on the ground. Three years back, we had 2,000 service-backed dealer touch points; we expanded them to 4,000. Why did we do that? Because we believe that people had not stopped buying; they had just postponed their plans for better times. By increasing our presence, we built a strong sense of optimism and created aspiration value for our customers. We remodeled all our showrooms across the country so that they bore a festive look. We knew that our objective would be achieved if a person traveling in a bus gets attracted enough to step inside our showroom that has newly opened in his locality.

Challenge the Norm: When every brand is jumping to associate their name with cricket being the real money spinner in India, we took the road less traveled and put our money in hockey. It may not have made immediate business sense, but the kind of ownership and pride it created in our customers was incredible. And we wanted to associate our brand with those sentiments. Not many watched the semi-final of the hockey World Cup after India was knocked out, but almost everybody saw the advertisement. A bike is not just a product; it is the extension of your personality.

In a slowdown, enterprises tend to concentrate on the few top brands that bring in the maximum cash. But then you run the risk of ignoring the individual. Traditionally, bike advertisements have been very similar, but we have broken the barrier. Our advertisements speak to the target group whether it is the adventure bike category or the utility rider. For example, we have several outlets in the country, which are ‘manned’ by an all-women staff called “just for hers”. It might contribute to less than 15 percent or so to total sales but it adds up to a lot in the long run.

When most were cutting down on infrastructure costs, we doubled our investments. Why? Because we believed that people had not stopped buying; they had just postponed their plans for better times.


Systematic Innovation

Rishikesha T. Krishnan, Prof. Corporate Strategy & Policy, IIMB and Vinay Dabholkar, President, Catalign Innovation Consulting, tell you how to introduce systematic innovation into your enterprise.

The Building Blocks of Systematic Innovation

Rather than being a standalone entity, innovation should be a process which includes:

Identifying problems that need to be solved or pain areas which need some improvement.

Coming up with ideas, which need not necessarily be unique from all the ideas in the past.

Taking concrete steps to implement those ideas and bring them into action.

Measuring the benefits derived from the implementation of the idea.

Creating an Environment for Innovation

In order to have an environment that is favorable to innovation, the following needs to be taken care of:

Recognize the constraints within which an organization exists. Not all ideas can be applicable across all organizations.

Make an active effort to reward and motivate people to come up with new ideas even if some of their ideas have flopped in the past.

Study ideas that are offered seriously to check if they are visibly aligned to the targets, goals, and aspirations of the organization as a whole — and not only in tangible terms but also in the qualitative aspects.

Create an idea management system that pools together innovative thoughts so that they can be preserved. A seemingly irrelevant suggestion today may have significant value in the future.

Going About Systematic Innovation

Step One: One way of going about this is by first establishing ‘use’ cases. This can be achieved through keen observation of similar problems being tackled in different segments of the industry and coming up with ideas that can be transferred to your specific scenario.

Step Two: Develop a portfolio and focus only on the task at hand. Any unrelated ideas should be discarded for the time being and all energies should be focused on developing a practicable design for the idea.

Step Three: Draw up practical experiments on these designs. This will give rise to a working model, and once a demo gains acceptance a commercial model can be developed to monetize the idea.

Prof. Rishikesha T. Krishnan and Vinay Dabholkar explaining the intricacies of innovation.

Another, more modern, way of setting out on innovation is to gauge the scope of a possible solution by looking at a problem, or a possible problem, your enterprise might have. This is different from the first way of approaching innovation because it doesn’t look for almost-constructed, existing solutions in a certain industry. The benefit of this approach is that the idea will almost certainly hold commercial interest, and it can be worked upon to bring out a product with targeted or mass appeal.


Marketing the Value of I.T.

The pros and cons of creating an annual report from the IT department.

There is no doubt in anybody’s mind that businesses need to be told about the value that IT brings. How best to go about this, however, is open to debate. One way of going about it is similar to how the IT leaders at Intel and CA articulate the value of their departments. They bring out an annual report for IT from the chief information office.

These reports include various details, chief among which is accounting for the budgets allocated and investments made. It’s an idea that finds resonance with S. Srinivasan, Sr. GM-Business Strategy and Systems, TVS Sundaram Fasteners, but he adds that a mere expense sheet is not enough. “A comparative performance analysis, both internal and external, may be of greater interest rather than merely an in-house performance review,” he says. “A key data point could be the percentage of IT spend compared to the competition. If it is low, then one definitely stands to gain favor with the other senior executives.”

The value addition that can be brought about by a report is strongly supported by Gopal Rangaraj, VP-IT at Reliance Life Sciences. “A report should focus more on the value addition that IT brings to the organization rather than just giving a list of expenditures and details on where money is spent,” he says. This should be backed by feedback from senior management and end users to establish credibility, he says. Also, a clear understanding of the benchmarks and industry trends is a must along with a clear view of the competition’s progress.

Not everyone agrees that, even if IT leaders could get the numbers needed for such a report, it would be received well. Ravishankar Subramaniam, director-IT, ING Life, for example, unequivocally states that it is difficult. “Numbers are viewed skeptically and hence one needs to have robust systems in the back-end which will stand up to scrutiny. Computing the tangible benefits derived out of IT is also not so easy. Explaining these can be even more difficult,” he says. Keshav Samant, VP & head-IT, Financial Technologies, seconds that point of view. “The CMO and CFO know their numbers much better than a CIO. So it is better to present the value that IT provides in a simple and easily understandable language rather than trying to impress them with calculations. Simple stories that convey the model are the need of the hour.”

IDG's editor-in-chief talks about the different benefits of an annual IT report and fields questions on how it can be done.

Some even feel that such an attempt falls outside the general purview of IT. “CIOs generally lack the marketing and presentation skills, hence it is advisable to outsource these to professionals who are good at it. Moreover, a third-party view of IT’s affairs will be considered impartial and more likely to get greater acceptance. Honestly, when I get into my office and am handed my to-do list, report generation and selling IT to the senior management take a back seat,” says V. Balakrishnan, CIO, Polaris Software Lab.

That said, the general consensus among CIOs is that an annual report is a good idea and if generated with quality, it could serve to showcase transparency and enable easier access to funds. CIOs would however need to budget for a comprehensive — but not expansive — report at the very start.


Leadership Summit | CIO Discussions

Workload Balance

More intelligent avatars of workload management solutions are being created. But will the concept catch on with CIOs?

Intelligent Workload Management, which promises enterprises increased flexibility of their virtual applications with its ability to share the workload of a failing server, is receiving mixed responses from IT leaders. There are takers from the likes of Suresh Kumar, CIO and Partner, Grant Thornton. “The biggest attraction in IWM is that it seems like DR in a box,” he says.

That's a point of view K.R. Bhatt, GM-IT, NABARD, shares. “IT management generally works like a fire service. Pre-emptive measures to tackle a problem that might arise in the future are not given much importance. If there is a fire, we rush to the scene and douse it. But a DR running automatically instead of running it manually may be a good idea.”

But others see less merit in the idea. “My primary requirement is to ensure that my applications run with zero downtime and an application like IWM only introduces more complexity. We have very little expertise in this domain and are just taking the first step towards virtualization, which seems to be the prerequisite for IWM,” says Ravishankar Subramanian, director IT, ING Life Insurance.

There are other apprehensions surrounding the technology. “Heterogeneity of IT infrastructure is a disturbing factor and if IWM does not run on a particular hardware then none of our business critical systems can be managed using this,” says Manoj Srivastava, VP-Group IT, Reliance ADA Group.

Despite their position, CIOs are interested — if the price is right. “I have major concerns and anxiety with respect to losing control to an automated process and we are not ready to do it unless we are completely sure of what it is and what is being done through it,” says Srinivasan, Sr. GM-Business Strategy and Systems, TVS Sundaram Fasteners. But he adds, “The real catch is: what’s in it for me in terms of money. The economics of the model and the investment in it should make business sense to the organization in terms of returns.”

Photos by Srivatsa Shandilya

Making IT work as one. It’s what sets us apart. At Novell, we’re taking interoperability to a whole new level. We believe every person, every partner and every piece of your mixed IT world should work as one. Our Enterprise-wide Linux, Identity and Security Management, Systems Management, and Collaboration solutions easily integrate with almost any IT infrastructure. That way, you can lower cost, complexity and risk on virtually any platform and make your IT work as one.

Making IT Work As One™ www.novell.com

Copyright © 2009 Novell, Inc. All rights reserved. Novell and the Novell logo are registered trademarks and Making IT Work As One is a trademark of Novell, Inc. in the United States and other countries.

For more information please contact [email protected] or call us at 080 - 40022300


Leadership Summit | CIO Discussions

Long Distance

Last year saw a resurgence of UC in enterprises, primarily because of the clampdown on travel. But only a cultural shift can connect UC with enterprises, say CIOs.

The arguments in favor of traditional wired communication have waned through the years, simply because advancements in technology have forced organizations to move beyond the conventional. What makes its case weaker is the fact that employees, especially senior management, spend the bulk of their time getting to places, not to mention the money spent on tickets and phone bills.

But today, technologies like unified communication (UC) have helped erase the distance, making communication cheaper, faster and more efficient. “Unified communication, with automatic re-routing, has brought in agility in the enterprise space. But it still warrants a huge cultural shift from the users’ end,” says V. Balakrishnan, CIO, Polaris Software. Despite its benefits, adoption of UC hasn’t really taken off. Vizak Badhniwalla, head-technology, Everstone Investment Advisors, feels that one of the main reasons is that “Management still prefers to travel.”

The problem is that mindsets haven’t kept pace with the evolving technologies. Sudhir Reddy, CIO, MindTree, points out that apart from a mindset change, users aren’t educated about the nuances that accompany UC. MindTree has been conducting its global annual team leaders’ meets completely on web conference. “The success of any web conference depends on many small factors: the camera's positioning, availability of sufficient lighting, behavioral etiquette, etcetera. In the beginning, people would keep their screens switched off; sometimes two people would talk at the same time,” he says.

The other big factor hindering adoption of UC is data security. Regulatory compliance for high-risk industries like BFSI does not allow data to be transmitted over the Internet.

UC is oft marketed as a cost saver, but Tarun Pandey, VP-IT, Aditya Birla Financial Services, doesn’t agree. He says traditional networks do not have the bandwidth to support data-intensive applications like UC. This is where organizations need to make a calculated decision. UC is a good idea when the cost saving potential and the resultant increase in productivity and efficiency for the organization are higher than the infrastructure investment it requires.

After all, the success of any collaboration tool depends on how enterprises mature and adapt it to leverage the best possible benefit from it.

Photos by Srivatsa Shandilya

Leadership Summit | CIO Discussions

Security Vs Access

Bullish businesses want to decentralize decision making — putting data security on the back burner. It’s up to CIOs to maintain a balance.

The old challenge of balancing security with access to information is rearing its ugly head again with the renewed push to leverage the upturn. As employees are given more decision-making power — and access to data including client lists and sales information — the need to ensure they don’t misuse that access grows. In some organizations that balance tends towards security taking a hard stance.

But V. Balakrishnan, CIO, Polaris Software Lab, warns that, “Hard implementations will only lead to hard repercussions. What we need is a way to compartmentalize information and provide separate access to different user groups; something like an automated flagging mechanism based on the study of behavioral patterns, especially when there is a very thin line that separates personal and official data.”

This approach makes even more sense for IT leaders in certain verticals, like Sriram Naganathan, CTO & COO of Reliance General Insurance. “It is very important for us to share data,” he says. “While implementing DLP measures and rights management, the cultural factor of the organization kicks in. While we agree that security is integral to IT infrastructure, we also believe that draconian measures will only be counter-productive.”

Despite this, few CIOs will agree to anything but a zero-tolerance policy towards non-compliance with policies. Some are even willing to make public examples of offenders. “Rather than having a negative effect, this helps improve the brand value of the organization among its partners and clients as they see the honesty and transparency,” says Tarun Pandey, VP-IT, Aditya Birla Financial Services.

The technology answer to the problem is an effective information security system which has a range of policies, security products, technologies, and procedures. That said, people at different levels react differently to restrictions and generally one size doesn’t fit all, as Manoj Srivastava, VP-Group IT, Reliance ADA Group, points out. “It is generally accepted that not all people in an organization need access to everything. Information should be available on a need-to-know basis. Yet, it largely depends on who formulates the information policy: whether it’s the owners or whether the decision is governed by a common policy.”

Photos by Srivatsa Shandilya

Leadership Summit | CIO Discussions

Road to Agility

We live in a fast world. And if organizations don’t create fleet-footed infrastructure and cater to changing user needs, they won’t fit in.

CIOs have long been battling the strain of dealing with an inflexible IT architecture. But technologies like virtualization and thin provisioning have made their enterprises more agile and their jobs a lot easier. However, the rapid growth we are witnessing today and changing user habits demand that IT infrastructure embrace agility even more.

And in an agile world, Dhiren Savla, director-technology, CRISIL, pointed out that even ‘long-term’ means “not more than 18 months.” And that’s because business demands efficiency, delivered with speed. That’s when T.G. Dhandapani, CIO, TVS Motors, introduced the concept of ‘shelf engineering’, which struck a chord with many CIOs. He defined agility as the ability to reduce the time from conceptualization to final execution.

But how you get to agility depends on which route you want to take. For example, for Gopal Rangaraj, VP-IT, Reliance Life Sciences, the standardization of processes across his IT infrastructure helped in bringing much needed flexibility. “Post-standardization, we realized that we were sitting on tons of storage. We were able to free it up and allocate it to different business units. Now we urge users to demand storage,” he said.

Another path to follow is to merge different apps to build a tighter infrastructure. “We have tried building our disaster recovery application on to a completely different system. This has allowed us to aggregate the systems and build more value in the same infrastructure,” said Ishita Sen, VP, center-head, Reliance Tech Services. But apart from the infrastructure, agility also means catering to changing user needs. In the age of Web 2.0, user behavior is also rapidly changing and CIOs have to deal with the tricky issue of tackling access while retaining control.

“Most of our users have more sophisticated notebooks than what we can provide. Some of them prefer smartphones over computers. Today, when the concept of ‘work from home’ is becoming popular, tackling end points and ensuring they are updated and compliant with company policies is proving to be a big problem,” said Sebastian Joseph, executive VP and head-IT, Mudra Group.

Photos by Srivatsa Shandilya

Thrive

Your Life & Career Path

Talking Right

By Maryfran Johnson

Speakers crave useful critiques of their talks, yet most people shy away from offering helpful feedback. But good speakers are always looking to fine-tune their craft.

Communication

A few minutes into the speech, you notice it. Maybe it's a phrase the speaker keeps repeating, or a podium death-grip making the microphone wobble. Maybe it's a swiveling chair that never stops moving, or the constant twirling of a lock of hair.

These 'speaker ticks' are unfortunately the best-kept secrets in public speaking — a secret only the hapless presenter is unaware of. Everybody in the audience probably noticed the distracting tick. But honest feedback is the most endangered species on the speaker frontier.

"Even if you did a terrible job, the host or the moderator won't tell you it was bad. It's rare for them to feel it's their role to give that insight," says Scott Berkun, author of Confessions of a Public Speaker, a behind-the-scenes look at his own successful speaking career. "It's especially difficult for executives to get good feedback. Nobody wants to tell them, 'Hey, Joe, you didn't do this or that so well.'"

One way to fill the feedback vacuum, Berkun suggests, is to make your own 'Things Not To Do' list of speaker ticks while you're watching someone else's presentation. "Maybe it's someone reading their slides, or never making eye contact," he says. "Use the things you find annoying to make your own checklist."

Illustration by MM Shanith


I moderate about a dozen CIO events every year, which puts me happily in proximity with dozens of good-to-great speakers — most of them CIOs, but many industry experts, consultants and authors, as well. I've found that the best speakers really probe for feedback afterward, so I've eased my way into offering very direct, specific suggestions.

For example, one CIO friend who is outstanding on stage was unwittingly using the phrase "At the end of the day..." multiple times during his talk. Once I pointed it out, he asked me to keep a count during his speech. Afterward he proudly noted only using it twice. Nope, I had to tell him, he actually said it six times. Our speaker ticks are sometimes more ingrained than we realize, but still, this was progress.

Professional speech coaches will often use a video recording of their clients to demonstrate whatever needs improvement. That same technique is highly recommended for a do-it-yourself critique, but the experience can be unnerving if you're not sure how to fix what you see going wrong.

CIO Ramon Baez of Kimberly Clark (KMB) had that experience last year when he watched a recording of one of his talks. "I had this tendency to hum on stage when it was quiet, and I had way too much nervous energy going on," he recalls. "It was like watching that Purina Cat Chow commercial, with my legs doing this Tango back and forth."

With his company's support, this already accomplished speaker sought additional training with ExecComm, a New York-based executive coaching firm, where he learned to use 'the Arc of Silence' to eliminate nervous humming. "See it, save it, say it" is the mantra for this technique of glancing at your next talking point, taking a second to absorb it and then saying it to the audience. "It's much higher impact, doing it this way," Baez says. "I learned to be purposeful about my pauses."

This kind of fine-tuning is what good-to-great speakers are always willing — actually eager — to do. Keep that in mind the next time you have a chance to offer some helpful, honest feedback. I guarantee you, it will be welcomed. CIO

Send feedback on this column to [email protected]

Professional speech coaches use a video recording to demonstrate whatever needs improvement. The same is recommended for a do-it-yourself critique.

Three-Minute Coach

Help! I'm having a hard time playing referee between my team and business users, whose constantly changing needs are driving my team up the wall.

Ashok Panikkar is the founder and executive director of Meta-Culture, India's first specialized conflict and relationship management consulting business.

ALWAYS: Remember that there are at least two sides to a story, if not more. Be curious about where the pain points are for your department and try to understand what is "driving them up the wall". Have a constructive conversation with your business users about their own challenges and concerns. Identify the gaps in expectations and interests between your team and the business user. Help both parties move from blaming each other to negotiating agreements to deal with these converging interests and needs.

SOMETIMES: When either your team or the business user is stuck within their own story, ask them what they would do if the shoe were on the other foot. Help them see how the other's experience and perspective can be just as frustrating and legitimate. You may have to advocate strongly with your own team about being sensitive to the business user's needs. If the business user is unbending, you may have to show them what the costs to the project might be of being inflexible and not meeting some of your team's genuine interests.

NEVER: See only your own team's point of view; likewise, never bend over backwards to meet only the customer's demands, particularly if they seriously compromise your team's needs. Successful projects are a result of cooperation between customers and delivery teams. Do not hesitate to bring difficult issues to the table, and don't shy away from difficult conversations. Just make sure you have heard all sides and dug out enough relevant information before you move into problem solving. Never leave someone feeling that their story has not been heard. CIO

Send queries you might have to [email protected]
