GREEN IT: A STRONG BUSINESS CASE

CTO FORUM: Technology for Growth and Governance
Volume 08 | Issue 02 | September | 07 | 2012 | 50
A 9.9 Media Publication

GREEN IT: A STRONG BUSINESS CASE (Page 28): For a CIO, going green is no more a fad. It promises to yield significant cost benefits
BEST OF BREED: Five Security Tips for the Social Enterprise (Page 18)
TECH FOR GOVERNANCE: Changing a Compliance Culture (Page 40)
VIEWPOINT: The Rise of the Cloud Service Bus (Page 52)
MOBILE SECURITY EXPERTS ON BYOD | IT OUTSOURCING DEALS GONE BAD



EDITORIAL
Yashvendra Singh | [email protected]

Go Green
Deploying green IT yields several benefits and a CIO can make a strong business case out of them

“As more and more people understand what’s at stake, they become a part of the solution, and share both in the challenges and opportunities presented by the climate crises.” Al Gore.

As enterprise technology decision makers increasingly understand the unintentional negative impact of IT deployments, they are gradually moving towards environment-friendly practices. According to industry reports, the ICT industry accounts for about three percent of the global greenhouse gas emissions.

However, for an environment conscious CIO looking to deploy green IT, the more important consideration is to have a strong business case in its favour. This may not be as tough as it seems to be. The return on investment can yield both immediate and long-term benefits for an enterprise. In addition to conserving energy and improving compliance regulations, a corporate stands to enhance its image in the eyes of its employees and stakeholders.

In the current scenario where the CIO is expected to do more with less, green IT stands to reduce costs to a large extent. According to estimates from IBM, in the US, a typical data centre of 25,000 square feet with electricity costs pegged at 12 cents per kilowatt hour will entail a corporate to shell out $2.5 million annually towards cooling and power costs. By deploying energy efficient IT solutions, IBM estimates that a corporate can slash its electricity costs by as much as 50 percent.

The encouraging news is that India’s spend on green is set to rise from the $35 billion in 2010 to $70 billion in 2015.

According to Gartner, “India’s ICT industry will be an early adopter of green IT and sustainability solutions as India is one of the fastest-growing markets in terms of IT hardware and communications infrastructure consumption. As enterprises embrace IT to improve productivity, penetration of ICT infrastructure has been growing rapidly during the past decade, as has the energy consumption and resulting carbon emissions of India’s ICT infrastructure.”

Experts feel, to begin with, the Indian corporates will deploy solutions that have proven their worth in the developed markets. The transformation through which India is progressing (the increasing divide between the urban and the rural) presents our technology leaders with an opportunity to come up with innovative green solutions.

Editor’s pick (Page 28): Green IT: A Strong Business Case. For a CIO, going green is no more a fad. It promises to yield significant cost benefits

CONTENTS
thectoforum.com | September 12

Cover Story
28 | Green IT: A Strong Business Case. For a CIO, going green is no more a fad. It promises to yield significant cost benefits

Columns
4 | I Believe: Managing IT Integration in Banking. By George Tumas
52 | View Point: The Rise of the Cloud Service Bus. Stay tuned for updates on this. By Ken Oestreich

Features
18 | Best of Breed: Five Security Tips for the Social Enterprise. Committing to protecting the enterprise while still embracing social collaboration

Cover & imaging: Shigil N

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, plot printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

Please Recycle This Magazine And Remove Inserts Before Recycling

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Assistant Editor: Varun Aggarwal & Akhilesh Shukla

Design
Sr Creative Director: Jayan K Narayanan
Art Director: Anil VK
Associate Art Director: Atul Deshmukh
Sr Visualiser: Manav Sachdev
Visualisers: Prasanth TR, Anil T & Shokeen Saifi
Sr Designers: Sristi Maurya & NV Baiju
Designers: Suneesh K, Shigil N, Charu Dwivedi, Raj Verma, Peterson, Prameesh Purushothaman C & Midhun Mohan
Chief Photographer: Subhojit Paul
Sr Photographer: Jiten Gandhi

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Jigyasa Kishore (+91 98107 70298)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Office No. B201-B202, Arjun Centre B Wing, Station Road, Govandi (East), Mumbai-400088. Printed at Tara Art Printers Pvt Ltd., A-46-47, Sector-5, NOIDA (U.P.) 201301

Editor: Anuradha Das Mathur
For any customer queries and assistance please contact [email protected]
www.thectoforum.com

Regulars
01 | Editorial
06 | Letters
08 | Enterprise Round-up

Advertisers’ Index
HP: IFC, 7
CTRLs: 5
Datacard: 11
Riverbed: 13
SAS Institute: 17
Gartner: 25
Airtel: IBC
IBM: BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

A Question of Answers
14 | CIO has to re-plan IT Strategy. Marc Alexis Remond, Global Director, Enterprise Solutions, Polycom, speaks about how video conferencing solutions can be integrated with business

40 | Tech for Governance: Assessing Risk Management Culture. Encouraging a risk culture throughout the organisation is a priority

46 | Next Horizons: Business in the Age of ‘Massification’. Innovation is the key to survive and thrive in a world of entrepreneurs

I BELIEVE

Managing IT Integration in Banking
It was challenging as the bank wanted to ensure that the integration doesn’t impact the customers

By George Tumas, EVP & Head Technology, Wells Fargo India Solutions

Current challenge: To integrate the IT systems of Wells Fargo and Wachovia Bank

The author has been associated with Wells Fargo for the last 12 years. Presently, he is based out of Hyderabad. Prior to Wells Fargo, Tumas was the MD of Bank of America.

Wells Fargo, earlier this year, successfully completed the Wachovia-Wells Fargo integration, which was one of the largest financial services integrations. It started in late 2008 and took a little over three years to complete. The integration was challenging for the bank as we wanted to make sure that we executed it in a manner such that it would have little or no impact to our customers.

A detailed plan was drafted after lines of business (LoBs) determined their target operating environments, which would include the applications, features, functions to be offered. Subsequently a conversion schedule was created. This entire process engaged many resources in the technology space. An integration this size asked for a lot of co-ordination between business and technology as well as amongst the technology groups to ensure minimal impact to our customers. One could ask, “Why did the integration take so long?” The answer is simple, we placed our customers first! The decisions and schedules were made keeping the customer on top of the priority list. ‘Customer first’ is a part of our vision and values in everything we do.

On the merger front, our LoB partners worked hand in glove with their technology partners to understand what was needed to ensure a smooth integration. The integration by default was a major rebranding initiative as the Wells Fargo name replaced the Wachovia brand in much of the eastern United States. Each LoB had their respective communication plan to keep customers informed during the integration. Communication took many forms from emails to letters etc. All LoBs co-ordinated with each other so as to minimise and/or combine information conversion from the IT systems of Wells Fargo and Wachovia.

We solved many challenges by building a detailed conversion plan, testing our conversion processes several times before each conversion event, practicing continuous improvement after each event and communicating with our customers. We wanted no surprises, neither from an internal perspective nor from a customer perspective.

LETTERS

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.

Send your comments, compliments, complaints or questions about the magazine to [email protected]

ARE CTOS MORE INTERESTED IN SATISFYING THE CFO & BOARD RATHER THAN THE CONSUMER?

If CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.
Arun Gupta, CIO, Cipla

CTOForum LinkedIn group
Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Open Source vs Proprietary Software
Practically how many of you feel OpenSource Free software are best solutions than any proprietor software's?

I would rather mention that, your call should depend on the criticality of the application to serve the enterprise business requirement, as opensource application can have security breaches and lack of support in worst come scenario
—Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

CTOF Connect
Anil Batra, MD, Riverbed Technology India talks about how his company is trying to help enterprises utilise their infrastructure better
www.thectoforum.com/content/wan-optimisation-beyond-bandwidth

Opinion: Oracle security alert analysis
Here’s an update on the Oracle vulnerability
The best way to protect a system from this vulnerability is to apply the patches released in Oracle’s Security Alert.
To read the full story go to: http://www.thectoforum.com/content/oracle-security-alert-analysis
Alex Rothacker, Director Security Research, Shatter

ENTERPRISE ROUND-UP

Feature Inside: 60% Firms in India Struggle With Digital Info (Pg 10)

Data Briefing: 9000 Indian websites hacked in the last five years

Global Server Market Revenue Declines
While server shipments grew 1.4% over the 2nd quarter of 2011, revenue declined 2.9%

In the second quarter of 2012, worldwide server shipments grew 1.4 percent over the second quarter of 2011, while revenue declined 2.9 percent year-on-year, according to Gartner, Inc. “The slight unit growth for the second quarter of 2012 was contrasted by a decline in revenue on a global level with geographic variations continuing to be shown based on the ongoing differences in economic conditions by region,” said Jeffrey Hewitt, research vice president at Gartner. “In terms of revenue growth, only Asia/Pacific and the United States produced growth for the quarter—all other regions declined.”

“x86 servers continued to grow but at a moderated rate with 1.8 percent growth in units for the quarter and a 5.6 percent increase in revenue. RISC/Itanium Unix servers continued to fall globally for the period – a 14.9 percent decline in shipments and a 17.9 percent drop in vendor revenue compared to the same quarter last year. The ‘other’ CPU category, which is primarily mainframes, showed a decline of 3.0 percent,” Hewitt said.

From the regional standpoint, the United States grew the most significantly in shipments with an 8.4 percent increase.

Quick Byte on PCs
The combined desk-based and mobile PC market in India totalled nearly 2.9 million units in the Q2 of 2012, a 17% increase over the Q2 of 2011. Mobile PCs, which grew 54% compared to Q2 of 2011, helped drive overall market growth

Cloud Market in India to Grow by 70% in 2012
Research addresses the purchase behaviours of end-users

International Data Corporation (IDC) has released a cloud research report, India Cloud Market Overview, 2011-2016, which provides a reality check and detailed understanding of the adoption in India, future potential and the major trends the market is witnessing. The research also addresses the attitudinal and purchase behaviors of end users and what is influencing them in their choice for adoption.

Business priorities have changed in the recent troubled economic times and are influencing the way IT is being looked as a strategic tool to grow faster. 2012 has been a tough year so far, but it is rapidly starting to get to a point where mature companies with careful planning and focus on business/operational efficiency are fast moving into the leadership spots.

These companies have been proactively looking at various “disruptive technologies” that will ensure the IT is elastic enough to meet the business needs and growth. Cloud models and the flexibility they bring are definitely featuring high there. IDC estimates the Indian Cloud market to be in the region of $535m in 2011, with a growth of more than 70 percent expected for 2012 and almost 50 percent growth forecasted for the next three years.

They Said It: NR Narayana Murthy
The Infosys founder told ET Now that the government indifference to the plight of business has brought decision-making to an unnecessary standstill.

“We have fallen far short of expectations and it’s no longer possible to sell the India story. The world expected a lot from us. And compared to that expectation, we have fallen very very short. And therefore, I would say, this is worse than 1991.”
—NR Narayana Murthy, Chairman Emeritus, Infosys
—Source: Yahoo

60% Organisations in India Struggle With Digital Info
Information sprawl, duplicate data compounding problems for firms

Symantec the India findings of its first-ever State of Information Survey. According to the survey, business data in Indian organisations is expected to grow 67 percent in the next 12 months.

From confidential customer information and intellectual property, to financial transactions, organisations in India possess massive amounts of information that not only enable them to be competitive and efficient — but also stay in business.

In fact, the survey revealed that digital information makes up 51 percent of an organization’s total value. However, with information spiralling rapidly, 60 percent Indian businesses are struggling to effectively manage and protect their digital information.

“Our survey shows that only 15 percent of businesses in India can confidently use their business information without being either too permissive or too restrictive about its access,” said Anand Naik, managing director—sales, India and SAARC, Symantec. “Without the ability to properly protect their information assets, this data can become a liability. To counter this, businesses in India need to put in place a plan to manage their data assets so they can have a true competitive advantage.”

Information is skyrocketing and it’s expensive
Businesses of all sizes are dealing with enormous amounts of data. The total size of information stored today by all businesses globally is 2.2 zettabytes. Small to medium sized businesses (SMBs) on average have 563 terabytes of data, compared with the average enterprise that has 100,000 terabytes. The survey also reveals that information is expected to grow 67 percent over the next year for enterprises and 178 percent for SMBs. Globally, on average, enterprises spend $38 million annually on information, while SMBs spend $332,000. However, the yearly cost per employee for SMBs globally is a lot higher at $3,670, versus $3,297 for enterprise. For example, a typical 50-employee small business spends $183,500 on information management, whereas a typical large enterprise with 2,500 employees would spend $8.2 million.

Information loss is high and has significant impact
The survey found that a huge 89 percent of Indian organisations have lost information in the past year. These incidents have a significant impact: 31 percent of Indian organisations revealed that losing some/all of their information could lead to decreased revenues, apart from loss of customers (34 percent), increased expenses (33 percent) and brand damage (35 percent). Furthermore, 31 percent of respondents were unable to comply with government regulations and 40 percent faced similar challenges with external legal requirements around information management in the past year.

Protection measures
With so much at stake, protecting information should be a top priority, yet businesses are still struggling. In the last year, besides 89 percent of organisations losing information, 94 percent of businesses in India have had confidential information exposed outside of the company, and 31 percent have experienced compliance failures related to information. Another challenge is the amount of duplicate information businesses are storing.

Global Tracker: Mobility
Gartner reported a dip in global sales of mobile phones for the second quarter in a row and will cut its 2012 outlook as consumers hold back on handset upgrades due to economic uncertainty
Source: Gartner


42% Decision Makers Believe Cybercrime Will Grow
As big a concern as economic instability

Cyber-threats were second only to worries caused by economic instability, according to the survey conducted in July 2012 by B2B International in cooperation with Kaspersky Lab. As part of the survey, 3,300 company representatives from 22 countries across the globe expressed their opinions on IT security issues. All the respondents are actively involved in making important business decisions, including those related to IT security.

In the future, the significance of cybercrime-related problems is set to grow – this is the belief of 42 percent of those surveyed. According to business representatives, in the next two years cyber-threats will pose the greatest danger for companies, surpassing even the fear of economic problems. Statistics collected by Kaspersky Lab indicate constantly growing cybercriminal activity, confirming that the apprehensions are not unfounded.

While in 2011 Kaspersky Lab detected an average of 70,000 new malicious programmes daily, this year the figure has grown to 125,000. The amount of mobile malware, specifically targeting the Android mobile operating system, is growing even faster: the number of malicious objects grew by a factor of 200 during 2011.

Fact Ticker: Acquisition

Accenture has entered into an agreement to acquire Singapore-based Newspage, a leading provider of integrated distributor management and mobility software for the consumer goods industry in emerging markets. Upon closing, the acquisition will complement the capabilities of the Accenture CAS software platform. Terms of the transaction were not disclosed. The Accenture CAS software platform helps consumer goods companies achieve greater trade efficiency and sales by enabling improved product availability on the shelf and increasing their ability to efficiently collaborate with retailers, while supporting the management of large, mobile sales and distribution forces. The combination of the Accenture CAS software platform and Newspage's products will offer consumer goods companies the ability to manage all of their sales processes on a single global sales platform – from trade promotion management and optimisation to retail execution, and from distributor management to direct store delivery. “This acquisition is important as it will enhance Accenture's ability to help global consumer goods companies by supporting all route-to-market sales and delivery models across mature and emerging markets,” said Fabio Vacirca, senior managing director of Accenture's consumer goods & services practice.

App Development Market to Reach $227 mn in 2012
Cloud is changing the way applications are designed

The India application development (AD) software market is expected to reach more than $227 million in 2012, an increase of 22.6 percent over 2011, according to Gartner. Growth will be driven by evolving software delivery models, new development methodologies, emerging mobile application development and open source software.

“Application modernisation and increasing agility will continue to be a solid driver for AD spending, apart from other emerging dynamics of cloud, mobility and social computing,” said Asheesh Raina, principal research analyst at Gartner. “These emerging trends are directing AD demand towards newer architectures, programming languages, business model and user skills.”

According to a new Gartner report, “Market Trends: Application Development Software, Worldwide, 2012-2016”, cloud is changing the way applications are designed, tested and deployed, resulting in a significant shift in AD priorities. Cost is a major driver, but also agility, flexibility and speed to deploy new applications. 90 percent of large, mainstream enterprises and government agencies will use some aspect of cloud computing by 2015. “The trend is compelling enough to force traditional AD vendors to ‘cloud-enable’ their existing offerings and position them as a service to be delivered through the cloud,” said Raina. “AD for cloud demands rapid deployment, a high focus on user experience and access to highly elastic resources for software testing, while requiring comparatively less underlying infrastructure for developing applications.”

Gartner predicts that mobile AD projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4:1 by 2015. Emerging mobile applications, systems and devices are transforming the AD space rapidly, and are one of the top three CIO priorities at the enterprise level. Gartner research found that CIOs expect more than 20 percent of their employees to use tablets instead of laptops by 2013, hastening the process of change as AD tools and applications evolve to address the requirements of these new devices.

Also driving the AD shift, Gartner expects open source software to continue to broaden its presence and create pressure on market leaders during the next three to five years.


Page 16: GREEN IT: A STRONG BUSINESS CASE

A Q u e s t i o n o f An swe rs M a rc a l e x i s r e Mo n d

14 07 september 2012 cto forum The Chief

TeChnologyoffiCer forum

Challenge: A CIO is required to integrate process, people and technology

Page 17: GREEN IT: A STRONG BUSINESS CASE

M a rc a l e x i s r e Mo n d A Q u e s t i o n o f An swe rs

15 07 september 2012 cto forumThe Chief

TeChnologyoffiCer forum

CIO has to re-plan IT strategy

Marc Alexis Remond, Global Director, Enterprise Solutions and Market Development, Polycom, spoke to Akhilesh Shukla on how video conference solutions can be integrated with business for seamless work and growth

Things I Believe In

VC solutions can help government in cases of emergency, chaos, natural disaster, planning and risk mitigation

Adoption of VC solution is growing among enterprises globally and in India

VC solutions help an enterprise to reduce travel costs by 30 percent

Businesses are fast evolving, so are technologies. In this fast-paced environment, how are CIOs using various tools for smoother and seamless functioning of an organisation?

Collaboration of technologies, business tools and applications is a must for any fast-growing enterprise. Today, enterprises are evolving into more mobile, social and collaborative avatars. A CIO is required to integrate process, people and technology. He has to re-plan IT strategy because today different executives have different connectivity and communication needs in an organisation. For example, a sales executive, most of the time, is on the field while executives at the back-end are always in the office. Then there are those executives who are both in office and in the field. There is, therefore, a varied need for mobility and collaboration. Further, organisations are collaborating business tools with social applications as well. Video conferencing (VC) solutions could play an important role in interactions of various technologies and connecting people. They can help to connect people on mobile devices, laptops, tablets and PCs.

Video conferencing solutions were largely used by enterprises to save travel cost and time. How are CIOs redefining VC solutions to help their organisations grow faster?

Video conferencing solutions help an enterprise to save travel cost by 30 percent. However, the benefits of video conferencing solutions are way beyond travel cost saving. By integrating video conferencing in HR process, CIOs have reduced hiring time by 19 percent. Similarly, by smartly using video conferencing solution among various departments, the time to market of a product can be reduced by 24 percent. This reduction in time of various processes gives an enterprise an edge over competition by helping business to grow, faster and smarter. The adoption of video conferencing solution is growing among enterprises across all verticals. These solutions are increasingly being deployed at manufacturing sites connecting engineers to keep a close watch on production line. The technology has evolved and is bringing value in various domains including CRM, supply chain management, quality management, human capital management, and R&D.

How are issues of connectivity and cost making it a challenge for CIOs to adopt high resolution VC solutions?

Enterprises in India are excited about high resolution video conferencing solutions. Healthcare is one such sector which has already started using high-resolution VC solution. Fortis Healthcare, in New Delhi, for instance, is using high-resolution VC for medical administration purposes. Patients' rooms and OPDs are connected over a network and VC facility is available on the desktops, tablets and mobile devices of doctors and administrative staff. Manufacturing, BFSI, oil and gas are other sectors looking forward to implementing high-resolution VC solution.

It is true that bandwidth is an issue in India. At the same time it is expensive, as well. Keeping in mind the needs of developing countries like India, we have embedded our VC solution with H.264 High Profile. It helps to cut down the bandwidth requirement by half. For example, a 720p resolution VC requires a bandwidth of 1 megabit/second. By using Polycom solution, the same resolution VC is possible on a 512 kilobit/second bandwidth.

Governments in other countries are investing in VC solutions for various means including disaster management and recovery. Do you see such adoption in India?

VC solutions can help government in cases of emergency, chaos, natural disaster, planning and risk mitigation. VC solutions can also be used to train people, in a very short duration, for disaster management and prepare them for any risk or disaster. The cost of training would be minimal, as no traveling is required. Further, it helps in early detection of emergency, allowing an agency to respond in minimum possible time, thereby saving precious human life and infrastructure. VC integration can also help in better management of recovery and rebuilding process. Emergency rooms, CCTV cameras can be connected on VC platform and satellite images can be received on a laptop, tablet and PC, through the VC solution. The Indian government is investing in building up network, connecting cities, villages and blocks. It would graduate to such services in the second phase.

What are the global and Indian trends in the VC space?

The adoption of VC solution is growing among enterprises globally and in India. Investments are being made in audio/video conferencing, bridging, recording and streaming. Polycom offers video-audio conferencing beyond the internal network of an enterprise to connect to a third party.


Best of Breed

Features inside: Mobile Security Experts on BYOD; IT Outsourcing Deals Gone Bad

Data Briefing: $9bn will be the size of application development market globally in the year 2012

Five security tips for the social enterprise

Committing to protecting the enterprise while still embracing the transformative business value social collaboration will deliver

By John Thielens

Illustration by Raj Verma

As a member of an enterprise, several things strike me when I think of the idea of creating a social enterprise, with its promise of new collaboration models. The very phrase “social enterprise” calls to mind the ways an enterprise connects with its business partners, and how it might use social technologies like collaborative documents and instant messaging to strengthen customer, supplier and community relationships. Still, the enterprise itself is a community.

When I look at my desktop, the idea of applying social techniques even within the enterprise is daunting. Yet our potential to engage external partners more effectively depends on our ability to engage internal partners effectively first.

This concept of internal social engagement is nothing new, of course.

Instant-messaging apps that give enterprise users the ability to internally share their status (“on the phone,” “BRB,” etc.), and create ad hoc Web conferences with ease, have been around for years. Their advocates are passionate about them, and quick to attest to how completely they can transform interactions between colleagues. Even so, those advocates are not as numerous as you would think.

The truth is that adoption of these technologies is relatively low everywhere, even internally, where IT and the CIO have the power to exercise unilateral control, push the same software out to everybody's desktop, create rules for how it’s to be used, control the directory, and ensure that everyone is reasonably secure or well-authenticated.

So why the lousy adoption rate? What’s making us so reluctant to embrace the concepts of internal social interaction, apply them across the enterprise boundary, account for both the B2B context and the internal enterprise context, and make it all so transformative and useful that adoption will be high everywhere?

First, in order to adopt true multi-enterprise social technologies, we must establish trusted partnerships at a deeper level. Don’t require employees to create another login and password. Instead, establish a secure, professional enterprise framework that allows us to trust each other all the time, every time. Open standards for authorisation, such as OAuth, look promising.

But for now, it’s enough to say that identity exchange and tighter integration and collaboration with our business partners must be built on a foundation of trusted identity, so that we are at least sure who we're talking to. That kind of trust is a necessary prequel to making the leap into sharing content and collaborating across multi-enterprise business processes in ways that truly add value.

We must also consider supervisory surveillance and policy. When employees are instant messaging with business partners, sharing screens and doing much more than simply emailing, you may wonder, “How am I going to monitor all of this? How will I audit it?” This is especially important for organisations in heavily regulated industries, like financial services and healthcare, with specific data security requirements for everything from paper print-outs, to email and file transfers.

We must engage in a range of tough issues, for instance:

What sort of retention, discovery, expiration and destruction requirements should we create in response to these social enterprise technologies?

What's my supervisory obligation to inspect, archive and record all that connectivity?

What kind of policy framework can successfully govern all of this activity, since it involves people with multiple roles and levels of authority, and multiple types of communications?

Existing policy frameworks in most organisations are limited to a particular set of customers and roles. That’s something that will have to change. Policy will have to become both more flexible and more explicit, so that people across job functions can use social technologies more broadly in order to better collaborate with their business partners. Compliance is a hurdle almost every organisation must contend with no matter their industry.

Without the right kind of supervisory surveillance and policy frameworks in place, the transformative potential of social enterprise technologies will be far outweighed by risk of compliance exposure to the business. Here are five ways to address these issues:

1. Integrate directly with your community of customers and partners: The social enterprise accelerates speed-to-delivery by establishing data connections that lead real-time business decisions and opportunities.

2. Insight into every interaction: End-to-end visibility provides IT teams with the tools to monitor information sharing whenever and however it’s happening.

3. Policy to support the “right” connections: Organizations must be able to customise policies and rules to business needs, using automated policy management to save the sanity of IT.

4. Direct connections to critical endpoints: Provide secure, direct lines of communication and information sharing, whether for files, instant messaging or email.

5. Meet compliance needs: Use reporting capabilities to meet the requirements of industry-specific watchdogs.

Is it a big challenge for IT, security and compliance officers to enable social technologies at least internally, while our external compliance and security framework continues to evolve? Yes, but these challenges are solvable. Let’s commit to protecting the enterprise while still enabling and embracing the transformative business value social collaboration will deliver.

— John Thielens is CSO at Axway, a provider of business transaction software.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit cioupdate.com.


Data Briefing: 12% will be the growth of IT spending by end users in China in 2012


Mobile security experts on BYOD

What can employees do to minimise risk when bringing their own devices to work?

By Ian Broderick

While all our experts have their unique perspectives, some common themes arose including changing employees’ view of security. We want to thank all our respondents for participating.

When security executives overlook team creation as a core component of a security programme, they fail. A well-oiled machine is critical to creating an ever-expanding and improving information security posture.

What can employees do to minimise risk when bringing their own devices to work?

Even with the move to BYOD, information security is still a core IT responsibility. In other words, regardless of who owns the device, IT and Info Sec are still responsible for protecting the data on that device. Fortunately we have a growing arsenal of tools to help with that from the mobile device management companies like Sybase, MobileIron, AirWatch, Good Technologies, and the like.

While those solutions give IT the ability to enforce security policies like requiring strong passwords and file encryption, users are always the weak link in the security chain. Mobile devices are all about convenience, and unfortunately, security introduces some degree of inconvenience. It’s long been known that if we make security too inconvenient, users will resort to the most insecure solutions to avoid it.

The two keys to success are management support and good communications with users. C-level execs are often the worst security offenders, but if you can plant the seed that we now have hundreds or thousands of potential security exposures traveling around in people’s pockets or purses, hopefully you can get them to pay attention. Clearly, that’s a lot easier to accomplish in regulated industries like health care and finance, but every company has information it needs to keep secure.

Illustration by Manav Sachdev

Security awareness must be part of employee orientation, and we need to explain why even seemingly innocuous information like a salesperson’s calendar could hold a treasure trove of useful information for a competitor. People are far more willing to cooperate if we tell them why it’s important.

However, this can’t simply be a one-shot deal. Security requires an ongoing program of security awareness to create a “culture of security”. I know of one organization that puts tent cards with little security “tips” on the tables in the cafeteria and changes them once a week. To build that ongoing awareness, you have to think like an “advertiser” and what you’re “selling” is a secure organisation.

BYOD is here to stay (at least in the near term), so IT and Info Sec specialists need to think creatively to truly protect all that sensitive information that’s traveling around on smartphones and tablets. We’re dealing with a whole different type of “perimeter” now, so we need to focus on protecting “data” rather than protecting “devices”.

This BYOD movement reminds me of when I was in high school. There was a sign in the study hall which read, “Success is 13 percent aptitude and 87 percent attitude.” I don’t know where they got that ratio from, but in this context, the exact percentages don’t matter. The point is that with a little bit of smarts and a whole lot more positive thinking, you’ll wind up where you need to be.

Most employees on a network don’t have the security aptitude to make the right choices when it comes to risk minimisation with their own devices. They tend to choose first what’s free, then software with the most Consumerisation of IT features and then whatever’s available on the sales rack at their local tech store. Generally speaking, their attitude is that risk minimisation is the responsibility of the experts at their company. They will do the minimum required to prevent risk and protect data. Security gets in their way. Not a very good attitude.

Employees need to work with their security departments to get better educated on their organisations’ best practices for protection. Protection isn’t fool proof, so they also need to know who to call and how quickly to react when an incident occurs. Employees need to change their mindset to embrace that bringing your device to work also means that you need to take ownership of minimising risk and protecting data.

Company leadership are generally early adopters of new technology that is brought to work. While that’s great for being productive (if they work), those devices are also higher risk. They are most targeted 1) for their street value and 2) because corporate executives tend to have the most interesting information stored on their devices. If you are a member of your company’s leadership, you need to comply with company BYOD protection rules just as much as your subordinates need to. No exceptions.

Some additional tips on how employees can protect themselves when they bring their own devices to work.

1. Get insurance to protect the replacement cost of your high value asset or for yourself from employers redirecting liability. This is especially true if you handle large quantities of government-regulated or PCI DSS data on your device.

2. Your organisation’s BYOD decision provides you with the privilege to bring your own device, but they also have the right to revoke the programme. If you don’t agree, change your attitude.

3. Work with your IT departments and InfoSec officers to keep your device patched, AV up to date and data protected. You only need to know if your device is current and how to get current, not all the details of what it means to be current.

4. Learn to work with security tools rather than around them. This is especially true with encryption. Just because the technology sounds complex, using it shouldn’t be.

5. Educate yourself by reading security blogs and listening to podcasts so you are aware of the latest threats. Bringing your own device also means accepting working beyond your scheduled business hours.

Devices aren’t the main problem in a BYOD strategy: employees are. That’s why BYOD is not just a technical issue that can be left to an organisation’s IT department. It needs a holistic approach that includes HR, data security and legal stakeholders. Sensible organisations adopting a BYOD strategy will have put in place a strategy that includes policies and guidelines, as well as technical constraints and parameters. The main thing that employees can do to minimise risk, therefore, is simply to comply with the policy approaches that their employers have – presumably for carefully thought-through reasons – put in place. If an organization concludes that, for compliance and liability reasons, it wants to use a particular file sharing platform instead of, say, Dropbox, employees should comply with that restriction instead of simply applying their own workaround and using Dropbox because their own clients use it, it’s more convenient and they think that it’s great.

Data Briefing: $17bn will be the worth of social media market in the year 2012


It doesn’t help that many of the “approved” platforms to enable BYOD are less sexy and functionally flexible than “unapproved” ones – which encourages employees to go off-piste and use their own workarounds. So I think that the best thing an employee can do to minimise BYOD risk is to comply with whatever policies and technical parameters are in place and not take a BYOD policy as a licensed free-for-all. Pay attention to the forms, declaration or pop-up screens that warn of the scope of your organisation’s BYOD programme and how security applies to it.

And one final thing: just be sensible. There was a reported case over here in the UK just last month of someone who showed his young son how online spread betting worked and then left his laptop around unsecured. You’d be surprised how short a time it takes for a 5 year old to run up £50,000 in losses! You can’t blame the device or the policy if someone willfully or recklessly ignores the rules.

The first thing employers need to do is to create and maintain an “authorized BYOD device list”. Employees wishing to bring new devices should submit a request for addition to this list. It should also be ensured that a remote wipe facility exists and is enabled, especially if company confidential information will be stored on the device.

Here are a few other things we encourage customers and our employees to practice:

Ask employees to disable MiFi access to prevent other office workers from using a co-worker’s phone as a back-door internet gateway.

Make sure all employee devices have an auto-lock feature and that it’s enabled. Also, educate against “1111” or “1234” as the unlock code.

Remind the employee that while their phone or tablet is at the office, it’s subject to inspection just like any other corporate device.

If you’re like most everyone else, your kids will often play games and make use of your phone. Ask employees to educate their children on safe browsing and reiterate that “this is mommy/daddy’s work phone, be careful!”

Always try to use a secure connection ‘https://’ to favorite sites.

Set up the browser to clear the cache upon closing the web browser.

Regarding strange emails, tell employees “Don’t click on that, this is not your lucky day!”

Remote BYOD access should be treated in some ways the same as remote laptop access. For example, Cisco offers AnyConnect, a Security Mobility Client, for BYOD remote access.

Use stronger one time password authentication when possible.

Relying on employees to deal with security issues is like putting teenagers in driver’s ed classes. It may help make them better drivers but it doesn’t make them good drivers.

Nonetheless, just like teenagers can use driving tips, employees can use tips on how to minimise risks when bringing their personal devices to work.

First off, no jailbreaking! There’s just too much that can go wrong when someone tries to open up the OS on their smartphone.

Second, the age-old recommendation to back up data applies to tablets and smartphones as well. The complicating factor is that you might not want them to back up their business data via their personal back up methods. Backing up their work emails and documents should be done on the business network and nowhere else.

As for applications, it’s better to be safe than sorry. Android by default blocks users from installing apps that aren’t in the Android Market. And, while there are other legitimate places to get Android apps (such as the Amazon Appstore), do you really want users to enable “Unknown Sources?” This is less of an issue for iOS devices, but nonetheless, remind users to be careful what they download. Another hint is for them to check the settings of EVERY application they download. Apps have a funny way of sending private information to the net.

Now, with all these things said, good security really begins on the network. The move to personal devices at the office is a continuation of a trend that started back in the 1980’s when accountants began buying Personal Computers to run Lotus 1-2-3. Since that time, organisations have turned to network security to protect themselves. Since the network handles all the traffic (no matter what the user is doing while at work), the network is the best place to secure that traffic, log it and report on it.

An employee bringing their own devices to work is not a new concept; the problem in today’s world is that they want to connect the devices to corporate networks. Some may want to access wireless networks so that they can bypass web filters, others want to use their device to access business applications and data. Whatever reasons the employee gives for bringing a device to work they should follow these basic tips to minimise the risk they present:

Firstly inform the information services department that you want to connect your device to the corporate network. They may have some guidelines that you need to follow. Many networks will have systems that detect mobile devices so it’s better to inform them directly.

Do not use the device as a storage system for work data. If the device falls into the wrong hands this data can be accessed.

Stop using passwords and start using passphrases. Keyboards on mobile devices can be cumbersome but this is not an excuse for using short and easy to guess passwords.

Do not jailbreak or root the device. If the device has been tampered with then a full factory restore is recommended. Most security problems that I have come across were associated with jailbroken devices. It also introduces a new risk as applications can gain root access and you may end up exposing your personal data.

Avoid installing unnecessary apps. The more apps that are installed the greater the attack vector. Many malware infected apps exist in the mobile market places.

Don’t be reliant on technologies like face unlock. A lot of these features are new and untested in the real world.

Employees need training before using their own devices. Risk profiles change dramatically as soon as any company allows any form of external device connectivity – whether via 3G, 4G or WiFi. Employees need to understand and share the risk with their employers and this needs careful planning.

Data Briefing: 70% could be the drop in cost of electric-batteries by the year 2025

In its simplest form, companies should consider using dedicated ‘sandboxed’ applications to allow access to information under the control of proper authentication, encryption, and access control frameworks. Ideally, these dedicated applications should automatically enforce security and privacy controls, while providing management tools to enable or disable services remotely.

Employees should always lock their devices – and employ a second, different passcode to work-related applications. In this way, the device and its data have a basic level of protection.

Also, every employee should read and understand the company policy on device usage – mobile devices deserve their own category in all policies – and these require regular review. Technology changes rapidly in the “bring your own device” (BYOD) environment, and policies need to reflect changes in technology, platforms and services. Employees, therefore, need to keep themselves up to date with new policies and raise any concerns with appropriately qualified technical managers.

Employees also need to consider questions such as legal use and liability for use. After all, an employer has permitted an employee to use a personal device. The company has no right of access to personal possessions, therefore, can the employer demand a full audit of a device and all its data? If so, what controls does the company have in place to protect any personal information from abuse? Another reason for implementing sandboxed dedicated applications – the company can then control its own sandbox, without needing to inspect the device as a whole. Remote wipe becomes a particular risk in a non-sandboxed environment – the company may need to wipe its data, but leave the employee’s data and applications intact.

Mobile devices also require regular software updates to remain current. Employees need to check with employers prior to updating devices with the latest operating systems or services. Upgrades may break legacy services and applications then require updates as appropriate. Employees need to consider the liability issues of introducing a problem by simply upgrading a device in line with the manufacturer’s recommendations. Fundamentally, device owners need to assume that others will have access to their devices. Or that work will sometimes come in at a less than opportune moment (in the middle of a party, or during the night) or while the employee travels. In these circumstances, profiles and policies should reflect working hour directives, and consider the implications of an employee having 24 hour communication with the company. In many countries, directors have a legal obligation to protect the well being of their employees and should promote or enforce sensible working hour directives.

Employees may also want to consider what happens when things go wrong: what happens if broadband or mobile data services fail? Who pays for excessive data consumption or international roaming charges? How do you back up, restore, lock or remove data from devices – and prevent its loss? Does the company provide adequate controls over encryption policies (so that an employee could move between countries where encryption laws differ, without risk of imprisonment, for example)? Who insures what – and who pays for the insurance (does your domestic insurance cover your equipment for business use, for example)?

Proper policies and training resolve many of these issues. This topic really covers managing risk – in a shared environment. Employers and employees need to take responsibility for their own tools and provide adequate assurances (through regular audits) that the chosen device, any applications, data, and the associated management processes all operate correctly.

I’ve already accepted the fact that Bring-Your-Own-Device (BYOD) is a business trend that’s here to stay. According to “BYOD or Bust: Survey Results Report” by Software Advice, Inc. I recently read, just 23 percent of enterprise employees use company-sanctioned mobile devices only – meaning 77 percent of employees are using their own devices in some capacity to do their job. As the Chief Information Security Officer at Veracode I have experienced this trend first-hand and if it hasn’t hit you yet, the BYOD tidal wave is coming your way!

Formulating a BYOD policy is only one side of the equation – employee education is the other. Most business users simply aren’t aware of the security threats facing them when they use their favorite mobile device at work. We need to increase that threat awareness level and ultimately convert employees into willing participants in a secure mobile computing or BYOD programme.

Here are ten tips to help device users protect personal information as well as their company’s data, IP and brand when they use their mobile devices at work.

Use password protected access controls.
Control wireless network and service connectivity.
Control application access and permissions.
Keep your OS and firmware current.
Back up your data.
Wipe data automatically if lost or stolen.
Never store personal financial data on your device.
Beware of free apps.
Try mobile antivirus software or scanning tools.
Use MDM software.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

Data Briefing: 25% will be the dip in revenue from voice services on fixed line by the year 2016


IT outsourcing deals gone bad

There is a probability that IT outsourcing arrangements will not survive the initial term

By Steve Martin

When deals go bad, the vast majority of customers ultimately decide to at least test the market through the competitive process

Scores of articles and studies have highlighted the statistics around unsuccessful IT outsourcing deals – many establishing the failure rate at well above 50 percent. While the concept of IT outsourcing is not inherently flawed, the execution in many cases is – i.e., the classic distinction between “doing the right thing” versus “doing things right.”

Consequently, CIOs must thoroughly evaluate their contingency options to protect the integrity of outsourced IT initiatives should an engagement come off the tracks.

As a first step, CIOs need to develop a clearly defined exit strategy prior to executing the agreement, which, needless to say, is a challenging endeavor when in the throes of attempting to build a sustainable partnership with that same provider for the future. This goes well beyond standard termination-transition language and gets into tactical provisions such as:

Requiring the exiting provider to provide incident management and asset data to the succeeding provider

Retaining the rights to configured tools that have been used in the delivery of services, and

Minimising the financial consequences of a termination for convenience event (recognising that proving “cause” is an incredibly arduous undertaking even under the most dire circumstances).


Identify the Root Cause of Outsourcing Failure

For engagements already in progress, first ask the question, “What problem are we trying to solve?” The answer generally falls into one or more of the following five categories:

1. The provider is failing to meet the agreed upon service level agreements (SLAs);

2. The provider is meeting the SLAs but is failing to meet the non-documented performance requirements;

3. Provider personnel quality is inadequate;

4. Provider costs have become misaligned with the market; and

5. Infrastructure and services have not been maintained at market leading levels.

Despite the notion that customers are generally complicit in each of these scenarios – either through failing to negotiate adequate protection in the underlying contract, enforcing the contract, or implementing appropriate governance – the second question becomes: “What is the best path for addressing the problems?”

Option 1: Restructure or Renegotiate the Existing Vendor Contract

As this strategy clearly has the potential to be the least operationally disruptive, unless the relationship between the provider and customer has become irreconcilably dysfunctional (or the provider has become financially unstable), this option should always be considered first.

That said, CIOs should be vigilant about time-boxing the effort. Allowing negotiations to drag on generally results in problems festering. The contract restructuring or renegotiation process should squarely address the core offending issues identified above.

For example, if the SLAs are being met but there is dissatisfaction with the overall performance, then redesign the SLAs.

If the quality of the personnel is inadequate, then (re)identify the key personnel positions, develop minimum qualifications for replacement personnel, and ensure that market-based key personnel terms (e.g., customers’ approval and dismissal rights, limitations on turnover, and financial consequences for failure to meet personnel requirements) are incorporated into the future contract. If the rates have become misaligned with the market, give the provider the target rates and negotiate benchmarking or other terms to protect rates from becoming misaligned going forward.

Option 2: Time to Shop Around for IT Outsourcing Services

When deals go bad, the vast majority of customers ultimately decide to at least test the market through the competitive process. But, in the words of George Santayana: "Those who cannot remember the past are condemned to repeat it." CIOs need to revert back to the underlying current-state issues when approaching the competitive market, but also understand and control the root causes of those problems.

While it’s relatively straightforward to draft an RFP and even negotiate an agreement with a new provider that addresses the problems on paper, a highly disciplined governance framework must be established to ensure that the contract, provider and internal customer stakeholders are tightly managed. For example, the most favorable key personnel language will not result in the delivery of the provider’s “A” team if the customer is reticent about invoking its right to cause the provider to replace underperforming personnel.

Likewise, best-in-class rate benchmarking provisions won’t result in rates being marked to market each year if the customer doesn’t trigger the benchmarking process. Even with a new provider contract and a world-class governance process, transferring services to another outsourcing provider is far from trivial. These types of moves are often transformative in nature (i.e., are done in concert with a major change in the underlying service delivery model), are extremely resource intensive, and often result in a near term degradation of service performance, albeit all with an expectation of sustainable performance improvements in the future.

Option 3: Repatriate Some or All of Your Outsourced Services

Clearly not for the faint of heart, this model presupposes that the only way to control one’s destiny is to own it. While it is unusual for companies to do wholesale insourcing or repatriation of outsourced work, companies are increasingly pursuing more surgical initiatives by carving out components of an outsourced service model and managing those services in-house.

Repatriation initiatives tend to focus on the high-value IT services, e.g., architecture, engineering, and level two and three support, rather than resource-intensive commodity services such as desktop support, level one helpdesk and managed network services. This is often the case as the outsource model for the latter highly routinized services generally offers a more competitive cost structure and absorbs the burden of hiring and retaining resources.

Those contemplating a repatriation model often still issue an RFP for most of the potentially in-sourced services in order to gain market intelligence as well as to create a safety net for an alternative decision.

While many first and even second and third generation IT outsourcing relationships become stale over time, CIOs who take the time to analyse all aspects of a deal before it is signed (or renewed) and keep their hands on the wheel throughout the period of performance can preclude many deals from going bad.

However, if a deal turns sour—due to an underperforming provider or otherwise—companies should be prepared to move swiftly. Setting in place a well-thought-out exit strategy—using powerful alternatives such as renegotiating, recompeting, or repatriating the work—safeguards customers and ultimately protects the IT initiatives at hand.

— Steve Martin is a partner at Pace Harmon, a third-party outsourcing advisory services firm providing guidance on complex outsourcing and strategic sourcing transactions, process optimisation, and supplier programme management.

— This opinion was first published in CIO Insight. For more such stories, please visit www.cioinsight.com.

Illustration by Manav Sachdev


Design by Shokeen Saifi Imaging by Shigil N, Peterson & Prameesh Purushothaman C

Green IT: A Strong Business Case

For a CIO, going green is no more a fad. It promises to yield significant cost benefits

By Akhilesh Shukla


Baskar Raj, CIO, FIS Global

“Just by saving energy cost we got back the investment on green practices in a year and seven months”

Power outages are not uncommon in a developing country like India. Recently, the country witnessed the biggest power outage on July 30 and 31. It affected over 620 million people of the country, spilling over 22 states. In other words, nine percent of the world population remained without power. Some of the modern infrastructure running on power came to a halt. The state-of-the-art Delhi Metro, to remain functional, had to get its electricity supply from the Himalayan nation of Bhutan.

It is worth mentioning that India is the world’s fifth-largest electricity producer. The US, China, Japan and Russia are the other big producers. However, India’s per capita consumption of electricity is the lowest in the world. In the year 2009, India’s power consumption was 571 kWh per capita, while every US citizen consumed 12,914 kWh.

An ample supply of electricity, petrol and diesel is a must for the economic development of a country. Some of the small states, including Himachal Pradesh and Uttarakhand, have flourished in the last few years because of ample electricity supply. Uttar Pradesh and Bihar, two of the most populous states, on the other hand, never attracted much investment from the private sector. One of the prime reasons was the lack of proper electricity supply.

Combustion of fuel and usage of electricity, on the other hand, contribute to carbon emissions, which have a negative effect on the environment and health. After the Indian economy was opened to the world, consumption of fuel increased, and so did carbon emissions. As per a World Bank report, India’s per capita emission of carbon dioxide in the year 1984 was 0.6 tonnes. It increased to 1.53 tonnes in the year 2008. The report attributed the growth of carbon dioxide to the burning of fossil fuel and the manufacturing of cement.

As part of this environmental concern, large enterprises also started taking initiatives to control carbon emissions and use electricity smartly. Investments were made in the development of products that consume less power. Adoption of “Green Practices”, as they are often called, became a new phenomenon among enterprises.


This practice has a dual impact: it cuts the power bill and, at the same time, reduces carbon emissions. The commendable part of these technologies is that functionality remains at par.

Information and communication technology (ICT) has always been at the forefront of adopting the latest initiatives. CIOs today are taking greater initiative in promoting green practices among enterprises. This is despite the fact that the government has not issued any strict guidelines to control emissions from ICT infrastructure.

Interestingly, ICT infrastructure, as per industry estimates, contributes three percent of total carbon emissions worldwide. Datacenters are among the major contributors, accounting for 14 percent of the total carbon emissions of the ICT industry. The US Environmental Protection Agency estimates that datacenters are responsible for around 1.5 percent of total US electricity consumption or 5 percent of US greenhouse gas emissions. The agency estimates that, given the business scenario, greenhouse gas emissions from datacenters are projected to more than double from the 2007 level by 2020.

Keeping these findings in mind, CIOs started contemplating solutions to reduce the power consumption of datacenters. During the second half of the last decade, CIOs started implementing virtualisation to consolidate their datacenters. Some of the large enterprises initiated desktop virtualisation as well.

FIS Global, a provider of banking and payments technologies, is one such enterprise, which adopted virtualisation for its huge ICT infrastructure and took green practices to the next level. Three years down the line, the company is reaping the benefits of its green practice adoption by significantly reducing operational costs.

The company has 32,000 employees worldwide and 25 strategic operation centers housing 13 datacenters. It caters to more than 14,000 clients spread across 100 countries and has revenue of $5.7 billion, with cash flow of more than $1 billion.

The ICT infrastructure of FIS in India comprises 200 servers and 4000 desktops. The cost of running this huge infrastructure was immense. As FIS had plans to build a new facility in Manila as part of its expansion and growth plans, the cost was expected to grow further. The new infrastructure required seating for 1200 employees. Besides, the infrastructure had to be robust for faster delivery of services to newer markets. It had to be flexible, scalable and highly reliable, with lower IT maintenance and operational costs.

The mounting operational cost of the existing IT infrastructure and the requirements of a new IT infrastructure led Baskar Raj, CIO, FIS Global, to look for solutions that could reduce the cost of operations. Virtualisation was one such solution that perfectly fit the needs of FIS Global.

In the second half of 2008 the company started its virtualisation journey. “The concept of virtualisation was altogether new and there was no trained manpower available. The team had to depend on the documentation provided by the vendor and content available on the internet. It was very difficult to anticipate problems which would crop up very often. We had to find solutions through trial and error,” said Bhaskar Raj, CIO, FIS Global.

Raj constituted a core team of four members, including one each from network and technology and two from systems engineering. The team was supposed to do all the research and training required for implementation of the virtualisation solution. It was the core team that completed the first phase of virtualisation of 40 desktops and 10 servers at Manila in January 2009. The success of Manila’s virtualisation implementation led to a similar initiative in India.

FIS has migrated around 3000 physical desktops and 150 servers to a virtual environment. The team is migrating another 1000 desktops and is expected to complete it by the end of this financial year. As many as 100 servers were virtualised to 10 blades, freeing up around 90 percent space in the datacenter.

“A CIO needs to have a good reputation and understanding with management otherwise it becomes difficult to take up green initiatives”

Umesh Mehta, CIO, Jubilant Life Sciences

Calculations show that the company was saving 5559.60 KWs per day on running desktops and servers. Another 6671 KWs per day were saved on cooling requirements. The total saving stands at 4,464,359 KWs per year. The monthly saving was equivalent to more than 1400 tree plants. The saving translates to more than 2700 tons of carbon dioxide emissions avoided. The efforts had a monetary impact as well. The company saved a huge cost that was earlier required to run the ICT infrastructure. The saving stood at a staggering $842,814 per year on running the ICT infrastructure in India and the Philippines.

“Our total investment for the infrastructure on the virtualisation efforts was worth about $1,500,000. Just by the cost saving from energy alone, we got back the investment in a year and seven months,” said Raj.

After the virtualisation deployment, FIS' datacenter space requirement was reduced by almost 80 percent. The entire IT environment became flexible, allowing login from any terminal.

One of the biggest challenges the organisation faced was convincing its own employees to move to virtual desktops. Employees felt a loss of control over their personal data in the absence of the traditional desktop with an independent hard drive and CPU. The company conducted educational sessions to convince employees. Security compliance was another issue FIS had to deal with. It was hard for FIS to convince some of its clients. However, slowly and gradually the organisation overcame all the challenges.

One of the major challenges CIOs face in adopting green practices is convincing the management, especially in today’s tough times, when economic growth has hit an all-time low. Most enterprises are sitting on money and are not making any investments.

“To add to the problem, these technologies demand a premium,” said Umesh Mehta, CIO, Jubilant Life Sciences. “Though you have all the numbers and ROI to show to the management, but a CIO has to have a good reputation and understanding with the management, otherwise it becomes difficult to take up such projects,” Mehta said.

Jubilant Life Sciences (JBS) is a pharmaceutical and life sciences company headquartered in Noida. It is a part of the $4 billion Jubilant group and has a presence in North America, Europe and China as well. JBS is into custom research and manufacturing services (CRAMS) and is also known as a drug discovery and development solution provider.

At the start of 2012, as part of its green practices adoption, JBS replaced the CRT monitors of more than 6000 employees with TFT monitors. This helped JBS save a huge cost in terms of power and cooling, and added more space to the workstations. Power consumption by the IT facility came down by around 25-30 percent. The company recovered the cost of investment in a short period of six months.

Another major investment the organisation made in green practices was the virtualisation of servers. The VMware virtualisation solution has helped JBS consolidate 50 servers into five. JBS is now planning to move its desktops to a virtualised platform. Mehta was exploring solutions and expected to migrate the company's desktop infrastructure to the virtualisation platform by the end of the ongoing fiscal year.

“One of the best parts of our organisation is that the management is always open to invest in newer technologies leading to green practices. There is no cap on the budget,” he added.

Major industry trends in green practices for ICT infrastructure include cloud computing and virtualisation. Besides, organisations are moving some of their ERP applications to cloud platforms. Cloud services are becoming popular among SMBs, start-ups and even large corporates who could not or are not willing to invest in ICT infrastructure.

“Most of the green solutions available in the ICT industry are based on software and applications. However, we are yet to see innovations happening on the hardware front. Still, we cannot run ICT infrastructure on alternate source of energy including solar and wind power,” said Amod Malviya, VP Engineering, Flipkart.

Flipkart, an online shopping portal present across various categories including movies, music, games, mobiles, cameras, computers, healthcare and personal products, home appliances and electronics, stationery, perfumes and toys, has more than three million registered users and claims to have a sale of 30,000 items per day. The company is yet to adopt any green practices for its ICT infrastructure, but it regularly monitors the power usage of its datacenter based out of Chennai.

Interestingly, most of the CIOs are themselves driving these initiatives in their organisations. They are the ones selecting technologies and convincing their organisations to adopt green practices. Management hardly ever initiates such efforts.

Besides, in the absence of proper certifications for good green practices in India, CIOs were getting their organisations certified by global agencies. JBS’s manufacturing units based out of Bangalore and Roorkee received Good Manufacturing Practices (GMP) certification from the US Food and Drug Administration Services (USFDA). Its facilities based out of the US are already certified by USFDA.

CIOs are following global green metrics for their ICT infrastructure as well. One of the common metrics adopted by Indian CIOs to determine the energy efficiency of a data center is Power Usage Effectiveness (PUE). It is the ratio of the total power consumed by the data center divided by the power used by the IT equipment. The average data center in the US has a PUE of 2.0.

The US Environmental Protection Agency has an Energy Star rating for large or standalone data centers. The European Union also has a similar initiative, known as the EU Code of Conduct for Datacenters. However, India has a rating system for consumer durable products given by the Bureau of Energy Efficiency (BEE). The country does not have any such ratings for datacenters.

Leadership in Energy and Environmental Design (LEED) is another popular standard that CIOs are following. LEED consists of a suite of rating systems for the design, construction and operation of high performance green buildings, including homes. It was developed by the US Green Building Council in the year 1998. Till the last count, LEED has certified some 7000 projects in the US and 30 other countries covering 1.501 billion square feet.

“We are focusing on getting all our facilities “Green” certified. Our new building in Gurgaon is expected to be fully LEED certified, and older facilities will also be targeted in phases. We have recently undertaken a green audit of our server footprint also,” said Sankarson Banerjee, CIO, India Infoline.

India Infoline provides financial services. It offers advice and an execution platform for a range of financial services including equities and derivatives, commodities, wealth management, asset management, insurance, fixed deposits, loans, investment banking, gold bonds etc. It caters to 2500 families in India and has a presence in over 3,000 business locations spreading across 500. The company has a presence in key global markets including Colombo, Dubai, New York, Mauritius, London, Singapore and Hong Kong.

Cost saving, of course, is one of the major driving forces for green practices. But the role of CIOs in driving these practices is commendable. These CIOs are single-handedly driving such initiatives. Pushed by CIOs, green practices have come a long way. The government needs to further promote green practices, take some major initiatives, and announce some incentives or subsidies for green practices and technologies. This could impact the adoption of green practices in a positive and bigger way.

Amod Malviya, VP Engineering, Flipkart

“Most of the green solutions available in the ICT industry are based on software and applications”

“We are focusing on getting all our facilities green certified and have undertaken a green audit of our server footprints”

Sankarson Banerjee, CIO, India Infoline


Green IT: A Tactical Move for CIOs

In an interview with Akhilesh Shukla, Ganesh Ramamoorthy, Research Director, Gartner, talks about the latest trends and technologies in adoption of green technologies in India

Ganesh Ramamoorthy: India should embark on the path of sustainable growth

How is IT contributing to carbon emissions worldwide and in India?

India is the second fastest growing economy in the world today. In a couple of years, it will be the fastest growing economy in the world. Projections from the Indian government, global financial institutions and international economic bodies indicate that India’s GDP will double in the next twenty years from the current levels. And so will the demand for energy, to fuel this growth, and the consequent per capita carbon emission levels. The need of the hour for India therefore, undoubtedly, is to embark on a path of sustainable growth that will maintain the economic growth momentum while addressing the need for reducing carbon emissions through the use of green technologies.

Over the next five years, we therefore expect to see a flurry of sustainability initiatives and programmes being introduced that will lay the foundation for sustainable growth in the future. This, as a result, will lead to India’s spending on sustainability initiatives that impact various spheres of economy, industries and the society at large, doubling from the current levels through 2015.

What are the major trends in green technologies adoption in India?

India’s information and communication technology (ICT) industry is definitely an early adopter of green IT and sustainability solutions. India is one of the fastest-growing markets in terms of IT hardware and communications infrastructure consumption. As enterprises embrace IT to improve productivity and drive growth, penetration of ICT infrastructure has been growing rapidly during the past decade, as has the energy consumption and resulting carbon emissions of India’s ICT infrastructure. While awareness of green IT and sustainability issues is very low in Indian organisations, the increasing global focus on energy efficiency, energy security, green IT and sustainability issues is now causing the executive leadership in the technology sector to track, report and manage sustainable and resource-efficient business practices.

Simultaneously, the operational costs of IT are putting pressure on CIOs in Indian companies to develop strategies to optimise ICT utilisation — including company-built urban areas and gated communities.

Which are the top technologies being adopted by enterprises in India?

There are many existing technologies and applications that can be applied to improving the sustainable performance of Indian enterprises — technologies that are mature and simply need repurposing. But we also see the emergence of a plethora of new exciting and interesting technologies and applications that will help enterprises to make both incremental and substantial improvements in sustainable performance.

But the key here is IT organisations should identify the right technologies for incubation and piloting. While there is much excitement around many of these technologies, it is important to recognise their relative maturity or immaturity and how apt they are for your organisation’s critical business issues.

We believe IT organisations will specifically need to pay attention to EHS applications, sustainability/CSR performance management systems, enterprise wide carbon and energy management software applications, e-waste, RoHS/WEEE, LCA tools and sustainable design and product lifecycle management tools, and sustainability business operations and consulting services.

How significant are the environment norms laid by the Indian government for the ICT sector?

India has laid out significant emission reduction norms. The government has set a target to increase energy efficiency by 20 percent by 2016, and to achieve a 20 percent to 25 percent reduction (from 2005 levels) in emission intensity by 2020.

Moreover, most importantly, for the first time, a chapter on Sustainable Development and Climate Change was introduced in the government’s annual Indian Economic Survey, 2011-2012. The survey has suggested making lower-carbon sustainable growth a central element of India's 12th Five Year Plan, which commenced in April 2012.

How true is the statement — 'Green technologies are driven by business not environmental considerations'?

It is 100 percent true. Unless the top management is convinced and has the visibility on the returns in green technology investments, I see no reason why any organisation will commit any investments. The short-term drivers for green investments may be compliance to local environmental regulations but the real motivation ultimately will be either cost savings or revenue generation.

US has a US Environmental Protection Agency putting an Energy Star rating for standalone or large data centers. Similarly, there is an EU Code of Conduct for data centres. What are the popular metrics that Indian CIOs are following to keep a tab on the energy consumption?

Yes, India too has a whole lot of regulations, starting from energy ratings standards by the Bureau of Energy Efficiency for all kinds of IT hardware equipment and consumer electronic equipment to the mandatory reporting and spending on corporate social responsibility for Indian organisations.

What are the other green practices/technologies that enterprises are adopting, apart from those related to IT?

Technologies such as advanced metering infrastructure, carbon capture and sequestration, intelligent transportation system, solar energy technology, building integrated PV systems, ecolabels and footprints, combined heat and power technology, e-waste, distributed power generation, and water management are very essential to usher in low-carbon sustainable growth, and a variety of pilot projects funded by private organizations and government bodies are underway in many of these technology areas currently.

Do you see a change in role of CIOs for adoption of green technologies?

Today, for CIOs, green IT is a tactical move, and that needs to change, into a strategic move. Just as the enterprise will need to track its overall carbon and energy footprint, and where relevant track the reductions it is able to achieve, the IT organisation needs to do the same thing. This will help the CIO to communicate the environmental value add of IT, which will become an increasingly important part of IT value proposition.

What is your advice to CIOs planning green initiatives?

My recommendations to CIOs are as follows:

Understand what “sustainability” means to your organisation

Initiate internal communications to establish sustainable business and information systems.

Think holistically — make green IT initiatives a part of your overall sustainability programmes

Identify and prioritise areas where IT-enabled interventions will deliver significant value

Develop capabilities in energy and carbon management now

Identify suppliers and partners with whom you want to innovate solutions

Develop an innovation center to incubate technologies to achieve sustainability goals

Appoint an enterprise architect to build sustainable business systems

Start tracking the net value-add of IT in terms of energy and carbon


What are the technological innovations happening on the front of green practices?

Innovations are happening on two fronts. First on the front of ICT infrastructure, making them consume less power and need less cooling. These technologies, including virtualisation, cloud computing etc., are very popular among CIOs. Adoption of these technologies helps to save power and reduce carbon emission.

Similarly, technologies are being developed which can monitor and manage power consumption. These smart and intelligent technologies help an organisation to map the power consumption of each and every device. Such technologies could help industry verticals such as telecom, hospitality etc. for whom electricity bills constitute a large part of their operational cost.

We are working with one of the big fast food joints in the United States of America. Energy contributes 17 percent of their operational costs. Similarly, a few of the large telecom operators are using our technology to reduce the power consumption of telecom towers. These towers are power guzzlers and contribute to 20 percent of the operational cost of a telecom operator. By using these energy monitoring and management devices, these companies have successfully reduced the electricity bill by 3-4 percentage points.

What green initiatives are you taking to reduce carbon footprint in your IT infrastructure?

As a part of our Wiproeco programme, we have and will continue to look for opportunities in reducing energy footprint through virtual computing, travel substitution technologies, transport and logistics optimisation. We will have focused targets for each of these levers and we'll benchmark ourselves with peers and industry leaders. As far as ICT technologies are concerned, we have consolidated our seven datacentres into three. We operate laboratories for carrying out various Research and Development (R&D) initiatives. As a part of our green initiative, we have also consolidated 120 of these labs into just 50 labs. Both these developments have helped cut the electricity budget by a few million dollars. Bring Your Own Device (BYOD) is another trend that helps in reducing power consumption. Smartphones and tablets, which employees are using after the policy adoption, consume 10 times less power than desktops or laptops. Similarly, we have moved some of the R&D activities onto virtual infrastructure.

What are the major challenges in green adoption?

IT infrastructure is rapidly moving towards lower energy consumption and lower cooling cost. However, one of the major challenges against green practice adoption is the old ICT infrastructure. For a CIO it is like deciding between the devil and the deep blue sea. A huge capital investment is required to completely change old infrastructure. On the other hand, the operational costs are high due to the old infrastructure.

Power Usage Effectiveness (PUE) is popular among Indian CIOs who monitor their datacenter power usage. PUE is the ratio of the total power entering the data center divided by the power used by IT equipment. Besides, CII developed a datacenter handbook last year. LEED is another popular metric that Indian CIOs are following.

“BYOD is another trend that is helping organisations in reducing power consumption”

T K Padmanabhan, CIO, Wipro


T K Padmanabhan — CTO, Wipro, talks to Akhilesh Shukla on how innovative technologies are helping enterprises to adopt green practices

“We Will Continue to Look at Reducing Energy Footprint”


Godrej Consumer Products (GCPL) is a Fast Moving Consumer Goods (FMCG) company based in Mumbai. As a part of its increasing global footprint, GCPL had recently acquired a few companies in emerging markets, including 51 percent rights in the Darling group in Africa. The ambitious plans of the company have led to acquisitions in West Africa, Indonesia, Argentina, United Kingdom, South Africa and the Middle East. GCPL owns international brands and trademarks in Latam, Europe, Australia, Canada, Africa and the Middle East.

About a year ago, GCPL faced numerous challenges with the physical infrastructure at its datacenter in Mumbai. The datacenter houses some 39 physical servers, with each server hosting one database or an application. This had resulted in very low server utilisation and had added to maintenance, power and cooling costs for these servers.

GCPL's entire business of manufacturing, sales, and distribution is served by the SAP R3 applications running on these physical servers. Load on these servers was increasing following the company's expansion drive. Further, GCPL also needed a robust ICT infrastructure to support facilities in the new countries where it was acquiring new businesses. Two other developments were also putting pressure on the ICT facility of GCPL. The first was the upgrade from SAP R3 to SAP ECC6.0. The other was the rollout of the SAP landscape for the Argentina entity. The IT team realised that it would be difficult as well as time consuming to deploy the new rollouts and the upgrade on the physical infrastructure. That was when the IT team started exploring a solution to its problem. GCPL evaluated virtualisation to help mitigate these challenges in a short span of time. One of the primary objectives of moving to virtualisation was to reduce server sprawl and improve the utilisation of server resources.

“We were aware of the benefits of virtualisation. Our concern was the requirement of key parameters including high availability, flexibility, and scalability of the virtualisation solution. These requirements were assured by VMware vSphere,” said Dinesh Chandra Gupta — DGM IT, GCPL.

The IT team at GCPL set up a test and development SAP environment for the Argentina entity. It took them only a week to complete this setup in a virtual environment. A similar setup on physical infrastructure would have taken four to five weeks. The success of the SAP environment in the test environment gave GCPL the confidence to deploy the SAP rollout in a virtualised environment for the Argentina business. The biggest benefit that the IT team realised with the virtualised infrastructure was the ability to roll out new virtual servers within a negligible time, which was not possible with the physical infrastructure. Interestingly, GCPL had planned to host only four SAP virtual machines on two physical servers, but later it was realised that they could configure eight virtual machines on the same infrastructure within a month’s time.

For the deployment, GCPL worked with HP and Galaxy project as the implementation partner, having expertise in implementing virtualisation solutions. Most of the business critical applications, including various modules of SAP such as Document Management System (DMS), Warehouse Management System (WMS), MDO, SAP GRC servers, and XI servers for production, QA and development environments, were virtualised. The GCPL IT team consolidated the physical servers at the Mumbai datacenter using VMware vSphere.

The implementation eliminated server sprawl and reduced power, cooling, and maintenance costs while improving server utilisation. VMware vCenter helped GCPL easily manage servers from a central point. GCPL implemented a “Virtualisation first” policy for their entire IT infrastructure.

“We started reaping benefits from the very moment we deployed virtualisation at our facility. A budget of Rs 60 lakh was allocated for the first phase and we had completed the entire project in just Rs 12 lakh, thus saving Rs 48 lakh upfront,” said Gupta.

Moving to the ‘Virtual’ World

By moving to a virtualised infrastructure, GCPL has reduced the operating cost by a huge margin. GCPL’s new servers needed only 1200 watts of power per hour. Earlier the consumption rate was 4800 watts per hour for the eight old servers. As a result, the operational cost of the ICT infrastructure was reduced by 75 percent. The organisation automated the daily operations of the IT environment and reduced the dependence on people, which further improved the operational cost.

From being a people-dependent organisation, GCPL is now more policy dependent. GCPL, at present, runs 16 business critical applications on two virtualised servers, instead of the earlier requirement of one server per application. GCPL’s head office in Vikhroli, Mumbai houses these servers.

“Earlier, as per the process, if we required test servers with 4GB RAM and a 250 GB hard disk, we had to seek various approvals. And it was a lengthy and time consuming process. Now an administrator can easily allocate CPU and server space without any hassle and in no time,” said a delighted Gupta.

GCPL is currently in the process of implementing DR for the complete group on the VMware vSphere Enterprise Plus platform. The company also plans to set up a virtual private cloud with auto-provisioning.

Godrej Consumer Products' global acquisition spree had put its ICT infrastructure under strain. The FMCG firm implemented virtualisation to fulfill its growing ICT needs in a fast and cost-effective way


Changing a Compliance Culture

A company’s values must start with tone-at-the-top and need to be communicated again and again

By Thomas Fox

5 POINTS

Culture describes the way human beings behave together

Regulator should not be enforcing culture because it is a contradiction

Many CEOs want to create the type of company at which they wish to work

A strong corporate culture will not on its own protect a company that has a bad strategy, poor governance or a weak business idea

Poorer performing companies often have strong cultures, too, but dysfunctional ones


What is a healthy culture and how do you change an unhealthy culture? I have always thought that baseball was a simple game: you throw the ball; you hit the ball; you catch the ball.

I had also thought that you could measure whether a baseball team had a healthy culture with a fairly easy-to-understand metric: wins and losses. For example, the more wins your team has, the better it should be; conversely, the more losses your team has, the worse it should be viewed.

Based upon this fairly straightforward metric, I would have said that the Houston Astros did not play baseball very well in 2011, when they lost 106 games and won 56 games. I would have also said that they are an even worse team this year, as they are on track to have an even shoddier season; their current trajectory is for 109 losses vs. 53 wins. All-in-all a pretty unhealthy baseball culture. However, it turns out that my straightforward analysis of baseball culture is in fact too simple. As reported in the Houston Chronicle, team owner Jim Crane said “he believes sophisticated baseball fans are in tune with the team’s plans.”

I would have thought that having not only the worst record in baseball but indeed the worst record in the history of the Houston franchise showed that the culture of baseball is not particularly good right now in Houston. However, it turns out that I simply have an “unsophisticated” view of how to approach the Astros culture, and losing for the past three years and up to the next five years is the team’s culture plan.

On a more positive note, in the same interview Crane said that the redesign of the Astros uniform that he has been so diligently working on has been submitted to Major League Baseball (MLB) for approval. So, if a winning baseball culture includes redesigned uniforms, it sounds like the Astros are the team for you.

I thought about the Astros culture of losing, my “unsophisticated” view of baseball and the Astros redesigned uniforms when reading a recent article by Andrew Hill in the Financial Times (FT), entitled “Lofty Aspirations”. Hill quoted Roger Steare, an expert on corporate leadership, values and ethics, who said that culture “describes the way human beings behave together – what they value and what they celebrate.”

Hill posed the question of whether it is possible for government policy makers or regulators to shift the behaviors and values of scandal hit sectors of the business and if it is even desirable. Hill looked at the ongoing crisis in the financial services sector and found that it is so deep that regulators in the UK have “explored whether to intervene to influence corporate culture.”

Hill cited a speech from 2010 by Hector Sants, then head of the Financial Services Authority (FSA), where he said that regulators can ask a Board of Directors to provide agencies with “evidence of healthy culture, such as functional whistleblowing regimes, positive customer and employee engagement surveys, and a system for challenging “group think” at board level.”

However, Sants also cautioned that “I don’t believe the regulator should be enforcing culture because it’s a contradiction in terms: if you enforce culture, you get a police state with compliance on the surface and subversion underneath.”

Hill argues that the best way to effect culture “is to combine strong leadership with the existing internal elements of a healthy corporate culture.” Further, for businesses which are “assailed by allegations of bad behaviour is that, while it may take as long to create a good culture as it does to establish a good reputation, a strong set of values is usually harder to destroy unless the company is itself dismantled or taken over.”

Hill went on to cite one example where a company Chief Executive Officer (CEO) had a strong “Lutheran philosophy” and the Chairman of the Board had a more creative tone. They certainly had a tension, but this tension played out as constructive discussions at the highest levels of the company and did not allow for a shift too much in one direction or the other.

Hill recognises that many CEOs want to create the type of company at which they wish to work. However, if they desire to make such changes they must communicate “from the start the values staff were expected to follow.” Nevertheless, Hill continued, “the message needs to be constantly reiterated, in person.”

He also noted “that a strong corporate culture will not on its own protect a company that has a bad strategy, poor governance or a weak business idea, let alone one that takes the wrong operational decisions.”

Hill cited from the book “In Search of Excellence”, where authors Tom Peters and Robert Waterman pointed out that “poorer-performing companies often have strong cultures, too, but dysfunctional ones. They are usually focused on internal politics rather than on the customer, or they focus on ‘the numbers’ rather than on the product and the people who make and sell it.”

All of this would seem to point, again and again, that a company’s values not only start with tone-at-the-top but those values must be communicated again and again. Hill closed his article with a quote from Roger Steare, who said that he always asks the Directors that he consults with what is the purpose of their entity. “If they respond ‘To make a profit’, I know we’ve got a problem?” So how about the Astros and their culture? Do they have strong culture but are simply dysfunctional? Or do they need an intervention or structural change? Maybe all three...

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


23% will be the growth of app dev market in India in 2012


Assessing Risk Management Culture

Encouraging a risk culture throughout the organisation is a priority

By Diana Graham

The past 24 months have seen a number of man-made and natural disasters bring risk management demands to the forefront of executives and board directors. Whether these have been natural disasters, such as the Japanese Tsunami, or man-made disasters, such as the Gulf of Mexico oil spill, fat-tail disasters have created a renewed interest in enterprise risk management (ERM) practices.

Although demand for these practices and the discussion level for their use is high inside the C-suite of many corporations and private enterprises, studies have shown that there is a discontinuity of both talent and practice in Western economies.

So, how can organisations ensure a culture of risk awareness is put into place?

“Get a commitment from senior management that encouraging a risk culture throughout the organisation is a priority. Put together a communication strategy that can include newsletters, lunch-and-learns, speaking at head office and regional business meetings. Look at the gaps or challenges in your Risk Appetite and material risks for ideas on where to focus your efforts,” says Diana L. Graham, Chief Risk Officer at ResMor Trust Company.

Marcus Evans spoke to Ms. Graham before the forthcoming 2nd Annual Enterprise Risk Management Canada Conference, October 2-3, 2012 in Toronto, Canada. Within her role at ResMor Trust, she has built a successful internal risk culture involving individuals from every level of the organisation. Key to this success is developing transparency across these risk buckets to enhance communication and minimise potential gap risk from falling through the cracks.

“Ideally, risk management would be included as a business stakeholder in budgeting decisions when areas seek to streamline operations resulting in the elimination or weakening of controls” says Graham.

“Risk management should be an influencing stakeholder regarding certain compensation decisions, i.e., risk management targets in areas outside risk management and weighting of the risk management segment in balanced scorecards. Additionally, risk management should sign off on all new product/new business decisions” says Graham. Companies in Canada are in a unique position because they are in various levels of implementing enterprise risk strategies within their organisations. The key to the success of establishing an enterprise risk management (ERM) framework lies within the creation of risk appetite and tolerance levels across risk buckets.

“Canadian companies tend to be more conservative than those in the US, so there may be more of a foundation in place across the organisation. Generally, I have found that there is a 'healthy tension' among stakeholders in Canada as opposed to that found in the US in building a risk culture” says Graham. While the need to incorporate the Board of Directors within the ERM framework is a global challenge, Canadian companies’ cultures are more open to implementing risk structures and processes at every level of the organisation.

— Diana Graham has been Chief Risk Officer at ResMor Trust Company since January, 2010. Prior to this, she worked on behalf of the FDIC in the closure of US banks, and in senior risk management positions in large US and Canadian financial institutions.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

On Cloud Outages (Yeah, They Happen)

But they’re unavoidable. Smart firms will think about ways to lessen the impacts of any outages

Recently the world went wild when Amazon Web Services suffered an extended service outage. I’m not going to make a song and dance about AWS’ woes – suffice it to say that every provider, cloud or otherwise, has outages.

I will say that with cloud computing outages are more obvious than with traditional on-premise infrastructure.

I will also say that on a net basis, cloud providers are more likely to have better availability and uptime than traditional providers. Rather, I’d like to reflect upon outages generally, and see what we can learn from them. Looking at the bigger issues, the outage reminded me of a roundtable that I took part in just over a year ago. I was joined by a number of cloud thought leaders, amongst them enStratus co-founder George Reese and Bechtel Cloud Architect, Christian Reilly. Despite the particular event we were discussing being over a year ago, the roundtable is well worth revisiting and listening to for a summary of issues relating to outages, and some best practices to avoid being dragged down in a post-outage flow on — feel free to have a listen here.

When talking about outages generally I’m reminded of a post I wrote after last year’s AWS outage. I was reflecting on the naysayers who use any outage to pronounce the end of cloud — last year it was the turn of NetworkWorld, who claimed that the “Amazon outage set Cloud Computing back years”. As I said then: “Yes, the AWS event means people will think long and hard about their architecture. Yes, some enterprises that were toying with the idea of public cloud might pull back for awhile.”

So let’s instead focus on the learnings from an outage. What are the components and solutions needed to build a service that would avoid issues were an outage like the one we saw recently to occur? As I stated in my post from last year — smart organisations will learn from this and other outages and look to the following:

Multi site

All cloud vendors are quick to point out just how reliable their data centers are, with their redundant communication channels, power supply structures and the like. Any application running on the clouds needs to consider the same issues — it is unrealistic to rely completely on one single data center — a chain is only as strong as its weakest link, and by relying on one DC only the idea of multiple redundancies is rendered a fiction.

Multi provider

This one is a little more contentious, and difficult to effect right now. But with the advent of more open standards, cloud users have the ability to obtain service across multiple providers. More and more third party solutions are helping with this process.

Automaticity

The real opportunity here is for providers that offer infrastructure-vendor agnostic orchestration and automation services. Case in point: Layer7, who came out quickly with a post that explains why their own rules-based cloud broker product would have avoided downstream issues from the AWS event.

Summary

Outages happen – they’re not fun but they’re often unavoidable. Smart organisations will think about ways to lessen the impacts of any outages – simply running a mile from cloud because AWS went down really misses the point.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Shared Ownership for Success

Military models tend to work in the military but they do not work so well in the business world.

By Thomas Fox

Not many compliance practitioners will think of Silly Putty as an aid to their compliance programmes.

This is particularly so in companies where the hierarchy is very military in discipline. Orders were pronounced from on high and they were expected to be followed. Military models tend to work in the military but they often do not work so well in the business world.

In these types of organisations, creative thinking is usually not rewarded or even appreciated. I have certainly worked for such organisations. I was reminded of this example when reading this week’s Corner Office in the Sunday New York Times (NYT) Business section, entitled “Tell Me Your Idea (and Don’t Mind the Silly Putty)”, in which reporter Adam Bryant wrote about an interview with Laurel J. Richie, the President of the Women’s National Basketball Association (WNBA). Prior to her assuming the Presidency of the WNBA, Richie was a Vice President of Ogilvy & Mather, an international advertising, marketing and public relations agency.

After returning to work from a vacation, she found that her entire team had gone to HR and said “We can’t do it anymore. It’s a great account, but we don’t like working for Laurel because working for her feels like it’s all about her and not about us. So we want to work on another piece of business.” In the more military based organisations where I work, the employer would have simply fired all the employees who dared to go to HR. However, such was not the case at O&M, where Richie used this opportunity to learn an insightful lesson, which she said was “I learned very profoundly in that moment that if there is not shared ownership of the work, both our successes and our failures, people aren’t going to have a satisfying experience.”

Recognising that she needed to make a significant change, Richie redefined her job as a leader “to create an environment where good things happen, and where people feel good about their role on the team, and they feel acknowledged, they feel empowered, and they feel visible.” To help facilitate and accomplish this goal, Richie said to her team “I got the feedback. Thank you for doing that. I had no idea. Can I have another chance and can we work together on this?” She then initiated a programme where she sought from the team the things they wanted to be involved in. She asked them to identify situations where they felt that their input had been marginalised by her and she then asked them “to talk to me in the moment when I was heading down that path again.”

The next thing she did was to bring out Silly Putty. It was not to copy the Sunday Comics. Richie brought out the “little pink egg” to play with while her team members were talking, to remind her that she needed to let her team members present their “points of view or share work that may have been not exactly the way I would have done it.” From this exercise she learned that there can be “many ways to get to the end point.”

I found Richie’s leadership lesson to be applicable to the compliance arena. I came into compliance from the corporate legal department, where things were not only top down in terms of a command structure but where pronouncements were made from the law department on high: Do it this way. This is not the problem where the legal department or compliance department is viewed as the Land of No, inhabited by only Dr. No. It is, instead, the perception that legal or compliance simply institutes requirements without even talking to the people they affect the most, the business unit employees. This is certainly the tradition that I have observed where an outside law firm drafts an initial compliance programme which is written by lawyers for lawyers, with little to no relevance about how business is actually accomplished by the company. This leads to great frustration by business unit folks who are trying to do the right thing but probably cannot get through the legalese in which the compliance programme is written. A firm will then have to bring in someone like me to actually rewrite the compliance programme, policy and procedures. Richie’s experience in leadership re-emphasised to me the collaborative nature of compliance.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

79% business school pass-outs are unemployable, states a survey


NEXT HORIZONS

Feature Inside

Tackling Modern Malware? Pg 48

Being Your Own Worst Enemy Pg 50

Business in the Age of ‘Massification’

Innovation is the key to survive and thrive in a world of entrepreneurs

By Faisal Hoque

Always innovating and bringing the best customer experience possible, new businesses in Europe have unleashed the Web and social media as powerful business tools with far more finesse than the US.

China’s bright burgeoning English speaking middle class is bursting with small business owners who are going global with government backing. India’s technically talented middle class is replacing America’s skilled white collar workers.

Innovation is key to survive and thrive in a world of entrepreneurs who typically speak English well and understand technology better than their US counterparts. Yet SMB owners constantly struggle to juggle management, sales, marketing, customer service, distribution and finance. Along that path to success, small business owners are swiftly approaching a cliff they can’t glimpse. A growing number have stopped growing. They got left behind as their landscape transformed and their niche was replaced or reinvented. As the risk takers made a leap ahead, many small businesses lost their once loyal customer bases (sounds like an enterprise story, as well). Therefore, they needed to rethink the way they ran their business, including who they depended on for their revenue streams, how they reached them, and how they could ensure that, once reached, they could keep them coming back for more.

The answer?

The solution was (and is) a 360-degree view that tethers everyone in your business to clear goals met daily at each point of customer contact, from incoming calls and emails to point-of-purchase and follow-up offers. At the core of this view is building and maintaining customer affinity.

Most businesses are born from curiosity, or even frustration, that fosters innovation. An entrepreneur is always seeking a better way to do something new, or improve upon something that’s essential but could become obsolete. It’s that kind of thinking that compelled a blacksmith in Illinois to create a smooth-sided steel plow to replace the wooden and iron ones that were getting stuck and dirty in the rich Midwestern sod.

John Deere’s 1836 innovation boosted migration into the American Great Plains in the 19th and early 20th century, transforming the region into America’s breadbasket and setting the foundation for what has become the world’s leading manufacturer of agricultural machinery. Today’s farmers can communicate across the plains with Beck Ag, a virtual company of employees and contractors working out of their homes. Its Facebook-like network allows American and Canadian farmers to share ideas on reducing production costs, increasing profits and improving marketing. Beck Ag also connects large agribusiness suppliers and vendors with farmers to alert them to the latest research, news and products, and to exchange opinions on those products.

The current economic downturn has led many SMBs to become cautious, retrench and even slash their staffs as risk aversion stifles incentive and banks deny credit. Such downturns can spark new opportunities, which can be seized anywhere in the world by competitors you don’t even know. As an owner, you can retrench and hit a wall, or walk through a new door hidden in plain sight.

New tech equals new opportunities

New developments constantly change the way customers think and act. Easier access comes in many forms, including Skype video conferencing, which has eliminated the need for costly, frequent air travel, for example. Changing habits have made it easy for a customer to shift loyalty and shop elsewhere. Affinity as a brand requires leveraging customer experiences. Small business owners and entrepreneurs who switch to a 360-degree view will analyse the strengths and weaknesses, opportunities and threats, and evolve from their antiquated 20th Century business practices to a more agile 21st Century blueprint. Shifting to an experience-based economy means customers’ memories of an event become the real product they buy from you. Starbucks doesn’t sell coffee; they sell the experience of a European café where maybe you can chat with an attractive person in line every morning. Customer affinity motivates them to return to your business. Your brand is the memory your customers take from the experience you offer. Conjuring positive emotional memories is vital for business owners.

Who are your real customers?

There are many key concerns for SMBs who want to stay competitive, including demographics. You must identify not only your existing customers, but the ones who abandoned you and figure out what compelled them to choose another business. Impact analysis is important, as you must be prepared for the worst-case scenario. Geography is no longer an impediment, as technology allows access to trump location. You cannot lose sight of your competitors. You must remain focused on customer loyalty and affinity at all times.

Analyse, measure, and adjust every customer touch point you have, from telephone messages to the website. Find ways to build the customer’s buying experience to make the relationship sticky — in other words, keep them coming back to you. Amazon’s "suggestions to buy" are perceived as enhanced service — not like untargeted junk mail. Virgin and Southwest may be at opposing ends of the airline industry, but both have developed branded affinity with customers. Apple’s fierce customer affinity draws crowds who camp out ahead of a new product hitting the shelves.

Affinity wins new customers. Amanda Hocking, a New York Times best-selling author of young adult novels, was rejected by countless publishers, so at 26, she self-published her novels and promoted them using Facebook, Twitter and blogs. Within two years of diligent self-promotion from her Minnesota home, she’s earned $2 million. In January 2011, she sold $417,152 worth of e-books just from the Amazon and Barnes & Noble websites. Suddenly several traditional publishers took notice. St. Martin’s Press presented her with a $2 million advance and a four-book contract.

You can create a new blueprint for rebuilding your small business. A new examination of your business ecosystem requires more than a 360-degree view. It requires an end to short-term reactive thinking and tunnel vision. Use both sides of your brain, the right side to see nuance and to think creatively and the left side for logical and mathematical thinking. Small businesses must see an ecosystem that is global and individual. We do business in a world of "massification", but we stay in business through personalisation.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


Tackling Modern Malware

Users need to connect to the internet to do anything useful

By Simon Heron

With new unique pieces of malware emerging daily and ever-increasing access requirements from a host of new endpoints, the challenge posed by malware detection has changed.

Zero-day threats pose an increasing risk because, by definition, nobody has a signature for them, and in many cases heuristics can be bypassed. User habits are changing too; the vast majority of applications are now downloaded and installed over the internet. Users need to connect to the internet to do anything useful; time off-line is usually brief and increasingly rare and unproductive.

This, though, provides a new way of delivering security that can keep users safe and up to date instantly. Webroot have used this in their Secure Anywhere (WSA) product to provide a new concept that changes the anti-malware game. WSA doesn’t download vast databases of signatures onto an end user’s device, which is a boon for the increasing army of endpoints that are being used. This also saves bandwidth and time: installation times drop dramatically, which makes the product very easy to install. Some anti-malware solutions are downloading vast quantities of data every day in updates.

Instead, Webroot’s system stores a vast database in the cloud (over 400 TBytes and growing), which is updated all the time with new solutions (around 200 GBytes a day). Any file that can be executed is first ‘hashed’ and then sent up to this vast store and categorised as:

• Known good software – the hash uniquely identifies the code as a known piece of software that has been tested and is known to be safe to run.
• Known bad software – the hash uniquely identifies the file as a known piece of malware that will be blocked from running and either quarantined or removed from the endpoint.
• Unknown – this is where the clever stuff happens, and the fact that Webroot’s database defines known as well as unknown makes this category very useful:

The graphic below illustrates the communication flow between the agent and cloud. If the Webroot Intelligence Network (WIN) responds with an unknown classification, the file is executed in a virtual sandbox environment. This allows the behaviour of the file to be monitored. This behaviour is then packaged and sent up to the Webroot Intelligence Network, where it’s compared to thousands of behavioural rules. In the diagram, you can see the behaviour is classified as good. This means that Webroot haven’t observed any malicious behaviour at this stage.

Because the behaviour is good (so far), the file is allowed to execute on the endpoint but it’s placed in monitor mode. While in monitor mode, the behaviour is watched to see if it changes. As soon as it starts to behave maliciously, or as soon as Webroot’s Threat Research team identify the threat, the malware is quarantined or removed and, more importantly, it is remediated.

While in monitor mode, every single change the file makes to the endpoint is recorded in a local change-journal database. So if a file is found to be malicious, remediation means not just quarantining or deleting the malware; it means that all changes that the file made to the endpoint can be reversed, providing a perfect clean-up routine.

In addition to the monitoring functionality, there is also a powerful Identity & Privacy Shield to protect data from information-stealing malware, which means that even if the initial infection tries to make changes, the endpoint and user’s data will still be protected. The other major benefit this solution brings to companies is that it can be run from an interface in the cloud, allowing the administrator to manage the system from wherever they are without the time and expense of maintaining a locally sourced server. In addition, this administration interface provides a wide range of features that allow administrators to do all the usual administration tasks as well as whitelisting and blacklisting applications, right down to executing commands on end users’ systems if required.

The other thing to consider is what happens when the endpoint is not connected to the internet. If a brand-new piece of software is introduced when the endpoint is completely offline, and it has no relationship with any existing software on the endpoint, then WSA automatically applies special offline heuristics, blocking many threats automatically. If a threat gets past this logic, it is run in monitoring mode, which ensures any threats that do execute cannot do lasting damage. The suspicious programme is monitored to see precisely what files, registry keys, and memory locations are changed by the software programme, while remembering the “before and after” picture of each change. If the software is subsequently found to be malicious, WSA proceeds to clean up the threat when it is online again. The important thing here is that WSA doesn’t just simply delete the main file—it removes every change that the threat made and returns the endpoint to its previously known good state. If at any point a suspicious program tries to modify the system in such a way that WSA cannot automatically undo it, the user is notified and that change is automatically blocked.

With conventional antivirus products, their signature bases are never completely up to date. When a brand-new infection emerges, and the antivirus software hasn’t applied the latest update or there isn’t a signature written for that specific threat, the infection simply roams freely across all endpoints, deleting, modifying, and moving files at will. As a result, it doesn’t really matter if a device is online or offline—the malware infection has succeeded in compromising the endpoint. When a traditional AV product comes back online, it applies any updates and, if configured to do so, runs a time-consuming scan—it might then be able to remove the infection. But it will not be able to completely reverse the changes the infection made, so the user or administrator will have to activate the System Restore function. More likely, the endpoint will need to be re-imaged because it’s so unstable—a major further drain on time and productivity. Conversely, WSA leverages behavioural monitoring to pick up infections when the internet is inactive or the endpoint is offline and it isn’t sure whether a file is malicious or not. This process provides uniformly strong protection against the damaging effects of malware.
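The hash triage and journaled clean-up this article describes can be sketched in a few lines of Python. This is an added illustration, not Webroot's code: the class and function names, the choice of SHA-256, the in-memory dictionary standing in for files and registry keys, and all sample values are assumptions constructed for the example.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    GOOD = "known good"
    BAD = "known bad"
    UNKNOWN = "unknown"

def classify(data, known_good, known_bad):
    """Look up a file's hash in the verdict sets (SHA-256 is an assumption)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_bad:
        return Verdict.BAD
    return Verdict.GOOD if digest in known_good else Verdict.UNKNOWN

_ABSENT = object()  # sentinel: the key did not exist before (or after) the change

class ChangeJournal:
    """Records the before/after picture of each change a monitored program makes."""
    def __init__(self, state):
        self.state = state    # dict standing in for files and registry keys
        self.entries = []     # (key, before, after), oldest first

    def apply(self, key, after, reversible=True):
        if not reversible:    # cannot be undone later, so block it outright
            return False
        before = self.state.get(key, _ABSENT)
        if after is _ABSENT:
            self.state.pop(key, None)
        else:
            self.state[key] = after
        self.entries.append((key, before, after))
        return True

    def rollback(self):
        """Undo newest-first so repeated writes to one key restore the original."""
        undone = 0
        while self.entries:
            key, before, _ = self.entries.pop()
            if before is _ABSENT:
                self.state.pop(key, None)
            else:
                self.state[key] = before
            undone += 1
        return undone

def demo():
    # Constructed endpoint state and sample; none of this is real data.
    endpoint = {r"C:\docs\report.txt": "q3 numbers", r"HKCU\Run\backup": "backup.exe"}
    original = dict(endpoint)
    sample = b"constructed unknown executable"
    known_good, known_bad = set(), set()

    first = classify(sample, known_good, known_bad)       # never seen before
    journal = ChangeJournal(endpoint)                     # monitor mode begins
    journal.apply(r"C:\docs\report.txt", "scrambled-1")
    journal.apply(r"C:\docs\report.txt", "scrambled-2")   # second write, same key
    journal.apply(r"HKCU\Run\unknown", "unknown.exe")     # newly created key
    journal.apply(r"HKCU\Run\backup", _ABSENT)            # deletion
    blocked = not journal.apply("boot-sector", "zeros", reversible=False)

    known_bad.add(hashlib.sha256(sample).hexdigest())     # verdict arrives later
    later = classify(sample, known_good, known_bad)
    undone = journal.rollback() if later is Verdict.BAD else 0
    return first, later, blocked, undone, endpoint == original
```

Undoing the journal newest-first is what makes the clean-up complete: the file written twice ends up with its original content, not the intermediate value.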

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

54% was the growth of mobile PCs in Q2 2012


Being Your Own Worst Enemy

Security as a fear-based sale is quickly fading into something that is having an adverse reaction

By Rafal Los

Having had the pleasure of 14 of Wellington, New Zealand's top corporate technology executives for lunch, I've managed to confirm something interesting.

Even in the land of the Kiwi, enterprise security is (and has been) its own worst enemy. I recognise this won't be a very popular post amongst security practitioners, but you'll have to take my word for it that it's true according to your management.

There's no denying that enterprise security has largely been sold (whether internally or externally) to the enterprise on the basis of fear for the vast majority of the last 15 years.

Sure, I readily acknowledge people like Jon in our luncheon who have long given up on pushing fear for business reality but by and large, we’re in the business of fear.

Think of the years of pushing fear-based security as over, with corporate senior management. While there are still those boards and business executives that can be swayed based on fear, that population is quickly shrinking faster than ever before. There are a number of reasons for this...

Breach overload — I've written about it before as applied to Software Security Assurance (SSA), but data breach overload in the media and every other medium is at an all-time high and it's long lost its shock value.

Hierarchical detachment — if you look at the corporate structure of many organisations, the ‘security guy’ is so far removed from the business decision makers (from a strategic perspective) it's not even realistic for them to interact. The business is so insulated from the security function it isn't realistic for them to understand each other.

Chasing shiny things — related to #2 above, the folks in the room today reminded me how reliant on technology their security managers are...and how far from the basics they’ve moved. A dependence on technology is dangerous because it teaches security managers (or those responsible for security) to chase the next big shiny thing, rather than focusing strategically on supporting the business.

The sky hasn’t fallen, or it has — There are two outcomes to selling fear to pad your security budget. Either you get more money to ‘secure’ the company, and you still get breached... or you don't get a penny and you don't get breached. Neither of those are good outcomes... because they both vastly undercut the value of real security. Imagine if the “the company will go out of business if I don't get more money to secure it” CISO gets nothing ...and the company doesn’t get hacked. The business just learned that they can get away with doing nothing and skating by — a dangerous (and largely untrue) lesson... which will end badly, guaranteed.

And so enterprise security firms find themselves to be their own worst enemies. From what I heard confirmed today security is largely disconnected from the business, largely dependent on technology, and unable to be anything more than a cost center... and it seems like the more we rant and wave our arms the deeper the hole gets. Security’s inability to go back to the roots of why IT is around, is what's hurting. The inability to enable the business to move faster, like brakes on a high performance car, makes things worse.

Every time the security group is given a chance and a seat at the table we seem to squander it being irrational and overly dramatic and this is leading security to be marginalised. Sure, this isn’t true for 100 percent of the organisations out there, but many of the director-level folks in the room of 15 today confirmed it for me... it’s true by and large, and it’s not getting better.

So it seems the chickens are coming home to roost, if you fancy that phrasing. Pushing fear has made our enterprises largely apathetic to our cause, and now we have to work twice as hard to be taken seriously and gain acceptance. I believe that we have a chance, right now, to make a positive impact. If you want to learn how to do security right you should be looking to people like Eric Cowperthwaite, for example, who has a pragmatic and no-bull approach to security... but unfortunately there aren't enough security practitioners getting on the bus.

Bottom line — security as a fear-based sale is quickly fading into something that is having an adverse reaction. Rather than scaring executives into throwing bags of money to "be secure", the fear-based approach is pushing executives further away from sound security strategy. How this story moves forward is entirely up to you.

— The article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please visit Infosec Island.


3mn units of personal computers sold in Q2 2012


VIEWPOINT

The Rise of the Cloud Service Bus

Let’s see what else the market will generate

Ken Oestreich

About the Author: Ken Oestreich is a marketing and product management veteran in the enterprise IT and data centre space, with a career spanning start-ups to established vendors.

I have posited that the advent of hosted cloud services (particularly PaaS and SaaS) will slowly morph the role of the CIO into that of an IT Supply Chain Manager.

Technologically, I believe this move to a “Buy-and-integrate” mentality (vs. a “Build-everything” mentality) will open the door to a new class of products to assist with services integration. And, if you agree that the importance of leveraging external services will be elevated for the CIO, then I believe a significant enabling technology will be a rebirth of the need for a robust “service integration bus”.

Why? As I mention in my blog, enterprises integrating external services require:

• Identity and access management for each provider
• Data compliance, legal and regulatory audit access across each provider
• Security compliance systems
• Provisioning, including capacity forecasting
• Performance (e.g. SLA) monitoring
• Cost and budget tracking (i.e. for billing, showback and/or chargeback)
• Disaster recovery/redundant service sources where needed

Some would call the above integration functions “glue logic.” Indeed in the past, many of these functions were hand-integrated across the few external services that were leveraged, and custom-engineered into each internally engineered stack. But time is changing the model. With more turnkey services sourced from cloud (IaaS/PaaS/SaaS) providers, the need for a more efficient integration function will escalate. Integration will need to be standardised and replicable, scalable and responsive to the business’ needs.

You may recall one component integration approach has been the Enterprise Service Bus, primarily associated with SOA leveraging SOAP protocols. This Integration Bus was originally to orchestrate access and workflow between component services within the enterprise. (By the way, Microsoft offers a great overview of ESBs — albeit BizTalk centric - here on MSDN).

I believe that the “2.0” Integration Bus will be one which brokers higher-level services generated from external, public cloud providers — not just internal component services. And it will use more generalised interactions than SOAP, since the providers and their environments will be less standardised.

To this end, there are some great current/upcoming thoughts suggested by Mike Ponta of the notion of a “Cloud ESB”, and can’t wait to hear more. A quick survey of the market also yielded what looks to be potentially promising integration technology coming out of Mulesoft called their CloudHub.

Conceptually, the “mashed-up” service was the 1.0 version of this integration concept. But as enterprise IT begins to regularly tap and integrate multiple external services, the 2.x integration busses will need a more structured, standardised and rapid approach to integration.

I can’t wait to see what else the market will generate. Stay tuned.
