March 1 2006


Technology. Business, Leadership


From the Editor

Do You Have Birds on Your Mind?

Two weeks ago, a senior infosecurity executive and I debated what might be in store for Indian organizations if the avian influenza A (H5N1) virus struck roots here. For a casual conversation, it was remarkably prescient, though, at the time of writing this column, India still doesn’t have a single ‘official’ case of a human contracting bird flu.

Since my friend, the security expert, is associated with a software services company, he was also concerned about detailing to clients in the West the various scenarios his business continuity plan would cover and their net impact on project schedules.

From the tsunami to the flood in Mumbai, organizations and their capabilities to manage crisis have been severely tested over the past many months. Talking to my friend and other IT leaders has given me distinct learning about business continuity, risk avoidance and applying them to a bird flu outbreak.

While any decent business continuity plan begins with assessing risk and identifying critical operations, it will come through only if the number one asset of the organization—its people—is the focus. That’s how it definitely will work if you’re taking on avian flu.

What happens if the government decides to quarantine the city that hosts your backup facility? What will be the impact of schools or colleges being shut down, thus leading to your employees staying at home to take care of their children? How do you deal with a co-worker falling sick with the flu?

The best of plans can go awry for the want of a few details. For starters, you need an updated list of employee addresses (just refer to the Mumbai floods—I know quite a few BPOs who weren’t able to locate even staffers living close to office). Next, assess the skill levels of the employees. This will be critical for your next move—identifying a core team that’ll respond to an incident and will be needed to maintain basic business continuity. Finally, gear up to feed and house them while the epidemic burns out.

Organizations and their CIOs will have to go well beyond looking to the government to tackle situations like bird flu. If there’s one lesson that the Mumbai flood proved, it was that. Be prepared. Be very prepared.

A business continuity plan will come through only if the number one asset of the organization—its people—is the focus.

Organizations will have to go beyond looking to the government for taking on the avian flu.

Vijay Ramachandran, Editor [email protected]

REAL CIO WORLD | MARCH 1, 2006 | Vol/1 | Issue/8

Executive Expectations

VIEW FROM THE TOP

Neeraj R.S. Kanwar, COO, Apollo Tyres, is putting his company on the road to the top and he’s riding on IT. Interview by Rahul Neel Mani

Applied Insight

INSIDE THE SOFTWARE TESTING QUAGMIRE

Software testing reveals the human failings behind the code. That’s why it can become a never-ending exercise in denial. Here are five questions that you can ask to help you cut through to testing’s root problems. Column by Paul Garbaczeski

From the Boardroom

YOUR NEW MANDATE: MEET THE CUSTOMER

Why it’s up to CIOs to ensure that their companies are focused on external customers—one at a time. Column by Jim Cash with Keri Pearlson

Security

LITTLE HOLES

Sure, you’ve got a mammoth security battleship, but it’s full of little holes. Feature by Thomas Wailgum

Business Intelligence

COVER STORY | BANKING ON INTELLIGENCE

ICICI is using business intelligence (BI) tactically to corner more than CRM benefits. The bank is tying together disparate databases and BI tools and is pressing this advantage into use for credit scoring and risk management. Feature by Gunjan Trivedi


Cover: Imaging by Binesh Sreedharan | Photos by Bitoo Sharma


Govern

INSTANT LEASING

A recent survey ranks Singapore number two on an ease-of-doing-business index. A lot of credit goes to the JTC (Jurong Town Council) that brought down the process of leasing space to 13 questions and a few minutes. CIO brings you a path-breaking government implementation from beyond India. Feature by Balaji Narasimhan

INNOVATE TO SUSTAIN

Some would say Sanjeev Gupta, Secretary IT, Himachal Pradesh, is on the wrong side of the river. Driven by government mandate, he is setting up online services for the state’s citizens–only there aren’t enough of them to make a sustainable business model. But he believes it can be done. Interview by Rahul Neel Mani

content (cont.)

Trendlines

Compliance | Spending on the Rise

Technology | World Cup Passes on SmartBall

Book Review | Shmooze or Lose

Soft Skills | What You Need to Know About Wine

Security | Making Sense of Security

Executive Movements | Scaling the Heights

By the Numbers | Taking Expense out of Purchase

Education | Tech Truck Bridges Digital Divide

Essential Technology

Security | New Tech, New Anxieties. By Meridith Levinson

Pundit | A Really Hard Architecture Strategy. By Christopher Koch

From the Editor | Do You Have Birds on Your Mind? | Organisations will have to go well beyond looking to the government. By Vijay Ramachandran

Inbox

Departments

NOW ONLINE

For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Management

President: N. Bringi Dev

COO: Louis D’Mello

Editorial

Editor: Vijay Ramachandran

Bureau Head - North: Rahul Neel Mani

Special Correspondents: Balaji Narasimhan

Senior Correspondent: Gunjan Trivedi

Copy Editor: Sunil Shah

www.CIO.in

Editorial Director - Online: R. Giridhar

Design & Production

Creative Director: Jayan K Narayanan

Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K., Jinan K. Vijayan, Unnikrishnan A.V.

Photography: Srivatsa Shandilya

Production: T.K. Karunakaran

Marketing and Sales

General Manager, Sales: Naveen Chand Singh

Brand Manager: Alok Anand

Marketing: Siddharth Singh

Bangalore: Mahantesh Godi, Santosh Malleswara, Ashish Kumar

Delhi: Sudhir Argula, Nitin Walia

Mumbai: Rupesh Sreedharan, Nagesh Pai

Japan: Tomoko Fujikawa

USA: Larry Arthur, Jo Ben-Atar

Singapore: Michael Mullaney

UK: Shane Hannam

Advisory Board

Anil Nadkarni, Head IT, Thomas Cook

Arindam Bose, Head IT, LG Electronics India

Arun Gupta, Director – Philips Global Infrastructure Services

Arvind Tawde, VP & CIO, Mahindra & Mahindra

Ashish Kumar Chauhan, Advisor, Reliance Industries Ltd

M.D. Agarwal, Chief Manager – IT, BPCL

Mani Mulki, VP - IS, Godrej Consumer Products Ltd

Manish Choksi, VP - IT, Asian Paints

Neel Ratan, Executive Director – Business Solutions, Pricewaterhouse Coopers

Rajesh Uppal, General Manager – IT, Maruti Udyog

Prof. R.T. Krishnan, Professor, IIM-Bangalore

S.B. Patankar, Director - IS, Bombay Stock Exchange

S. Gopalakrishnan, COO & Head Technology, Infosys Technologies, s_gopalakrishnan@cio.in

S.R. Balasubramanian, Sr. VP, ISG Novasoft

Prof. S. Sadagopan, Director, IIIT - Bangalore

Sanjay Sharma, Corporate Head Technology Officer, IDBI

Dr. Sridhar Mitta, Managing Director & CTO, e4e Labs

Sunil Gujral, Former VP - Technologies, Wipro Spectramind

Unnikrishnan T.M, CTO, Shopper’s Stop Ltd

V. Balakrishnan, CIO, Polaris Software Ltd.

Advertiser Index

Avavya 26, 27

Cisco 29

Epson 17

HCL Toshiba 15

HP 2

IBM India 11, 68

Imation 19

Interface Connectronics 21

Kelly 63

Krone 23

Microsoft 5

Molex 43

Oracle 67

SAS 33

Tyco 37

Webex 35

Wipro Infotech 6, 7

Xerox 9

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India


reader feedback

Great Interview

My hearty congratulations to the CIO team for the launch of a daily, one-page news service: CIO Five. (To get your copy log on to www.cio.in) I’ve found this format of disseminating information very useful for its focus. Also, since it captures the very latest developments in the industry. I would like to suggest, if there is space among the five news items, to have one covering on strategy / global trends / risk management and IT governance. At the end of the day, literally and figuratively, a CIO looks for intelligent advice and a solid knowledge-base.

The magazine is also doing a great job by bringing us valuable inputs from the IT-user community. One of the columns I enjoy thoroughly is View from the Top, where CIO interviews a senior CEO. The Azim Premji interview must have been hard to get and was especially interesting because he pointed out that ERP is for boys and business intelligence (BI) is for men.

M.D. Agarwal, Chief Manager–IS, Bharat Petroleum

Detail Retail

CIO is doing a great job of covering a lot of ground, particularly in topics related to strategic management of technology. Good show.

Walmart, Tesco and Carrefour have already declared their interest in setting up shop in India. Once 100 percent FDI in retail is cleared they will certainly do so, and will arrive with their technology solutions in place. Indian retailers will then have to catch up with them to try and level the playing field. I request you to cover upcoming technologies for the retail sector to help prepare us to take on MNCs, at least technologically.

N.P. Singh, VP – IT & E-commerce, Madura Garments

Lead the Way

I’ve read two issues of CIO and I’d like to read a lot more. Much of the magazine’s appeal lies, I feel, in the choice of articles it decides to cover. The stories walk a fine line between technology and management, and this came out pertinently in the disaster recovery issue (Dec 15). Articles that demonstrate how others have identified potential problems, and have leveraged new or existing technologies to overcome them add value. Some of the more interesting articles also deal with the roles we play and how these are evolving. It becomes more complex when these modifications are put in the context of bigger changes in an organization.

Arun Shakya, Manager SAP Development, Britannia

In-Depth

I am a regular reader of CIO, both of the magazine and of the website. Its contents are very crisp, to-the-point and contemporary. I am also impressed with the team’s commitment to bringing meaningful stories, a good example of which is when dollar figures are converted into rupees. I would especially like to compliment the issue in which CIO featured an interview of the chairman of Wockhardt in View from Top.

On the production side, I must congratulate you for getting the magazine to us on time every 15 days. And also on the look-and-feel of the magazine and on the quality of your printing!

Sanjay Mittal, Head of IT, Navin Fluorine International Limited

Future Perfect

Kudos for the excellent magazine; its paper, printing, the organization of topics/articles, etc. reflects an international quality. One is tempted to flip through it immediately on receipt. Some of the features like Trendlines and View from the Top are my favorites.

I would like to read more on technological advancements in mobility and wireless technologies. I have a sense that, given time, these technologies will redefine the way we carry out our business. Replacing human interfaces with embedded intelligence on such devices will introduce more agility into our processes.

Avinash Arora, Director – IS, New Holland Tractors

“I have a sense that mobility and wireless technologies, given time, will re-define the way we carry out business.”

What Do You Think?

We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to [email protected]. Letters may be edited for length or clarity.


New * Hot * Unexpected

Compliance | Spending on the Rise

In spite of the current take up of regulatory compliance programmes being low, a MarketShare survey commissioned by Serena Software, covering 148 CIOs across Asia and Australia, has reflected that 75 percent of them ranked compliance as one of the top objectives for this year.

The majority believe that they will gain an advantage over their competitors by complying with regulatory compliance standards and most feel that Singapore is the country leading the change in meeting regulatory compliance standards (31 percent). Japan (20 percent) and Hong Kong (23 percent) rank after it.

“Asia is waking up to the relevance of international compliance requirements such as Sarbanes-Oxley and Basel II to the region,” said KC Yee, Vice President for APAC at Serena Software. “Assurance must be given to international customers and partners that you can work at the same level that they do.”

The survey also showed that 57 percent of respondents feel that they may be held directly accountable for compliance activities in the future.

About 60 percent say that they currently spend “less than five percent” of their total IT budget on compliance-related activities, with only nine percent of companies saying that they currently spend “more than 15 percent.” But the results show more companies directing their IT budgets to compliance-related activities over the next two years: 27 percent report plans to spend “over 15 percent” of their total IT budgets on compliance-related activities within that time.

—By Victoria Ho

Imaging by Unnikrishnan A.V.

Sports I.T. | World Cup Passes on Smart Soccer Ball

World Cup soccer players should be happy: a new chip-enabled soccer ball won’t be ready for use at the World Cup soccer tournament in Germany this June, according to the Fédération Internationale de Football Association (FIFA).

The world soccer body also took a pass on using the ball at the FIFA Club World Championship games in Tokyo this past December. “The technology isn’t perfect yet,” says Jan Runau, a spokesman with sportswear manufacturer Adidas-Salomon, which supplies the official game balls for the tournaments. “We have to be 100 percent certain that it works perfectly before we can deploy it in professional soccer games.” He declined to say when that would be.

Engineers working on the smart ball had hoped it would be ready for the World Cup tournament. The technology is based on an application-specific integrated circuit chip (radio frequency identification chips are one example) with a transmitter to send data. The chip, suspended in the middle of the ball to survive acceleration and hard kicks, sends a radio signal to the referee’s watch when the ball crosses the goal line. Similar chips, but smaller and flatter, have been designed for players’ shin guards.

The ball is being developed by Adidas, the Fraunhofer Institute and software company Cairos Technologies.

—By John Blau

Soft Skills | What You Need to Know About Wine

You can discuss the merits of Java and .Net with anyone who asks. But do you know what goes better with grilled salmon or kakori kababs, a merlot or a pinot noir?

Knowing which wine to order at a corporate dinner is one skill that can help a CIO distinguish himself as a businessperson and save him from social embarrassment. “When you’re asked to smell the cork, you need to be able to do that without looking like a geek,” says Jeff Connery, a wine lover and CIO of two Canadian banks: Envision Financial in Langley, British Columbia, and First Calgary Savings in Calgary.

Notes Connery, “CIOs are not just computer people anymore. They are dealing with boards, other executives and clients. Knowing about wine rounds out one’s business character.”

To the rescue comes a new corporate wine studies program offered by the University of California at Irvine Extension. The six courses, each two to four hours long, teach how to pronounce wine names (try saying vino nobile di montepulciano three times fast), wine and food pairings, and wine etiquette (such as how to send a bottle back if the wine has cork in it). Their courses include ‘Wine as a Business Tool,’ ‘Entertaining Your Multicultural Client’ and ‘CEO/Executive Roundtable Wine Tastings.’

“If you and I are sitting down to do a deal and have a lavish dinner, and [aside from] religious or health reasons, I order a Coca-Cola, you would think less of me,” says Marlene Rossman, instructor and creator of the courses. Especially, she adds, in ‘image conscious’ Southern California. You should order pinot noir with your grilled salmon. Now if you can figure out which glass is yours, you’ll have your social graces mastered.

—By Lauren Capotosto

Book Review | Shmooze or Lose

Never Eat Alone is the book to read before you head to your next conference. This roughly 300-page volume will get you pumped and primed for making lasting connections with the new folks you meet. Author Keith Ferrazzi, who became a partner at Deloitte Consulting when he was still in his twenties and who’s now CEO of his own consultancy, attributes his enviable success to the vast network he’s spent years cultivating. Ferrazzi gives the importance of networking a twist when he says it isn’t effective if it's carried out with desperation or out of blind self-interest. Networking is most effective in helping people achieve their goals when they bring to it a desire to help others and a sincere interest in building meaningful relationships. The book stresses the importance of building relationships before you need them, and the way to do that is by offering yourself as a resource for others.

Never Eat Alone is packed with practical tips on where and how to meet people. There’s information about overcoming the various barriers to networking such as shyness, or the fear of making cold calls and small talk. There’s also advice about getting the most out of conferences and even hosting unforgettable dinner parties. Don’t be misled into thinking that this is a book for junior staff. It contains enough gems to make it worthwhile no matter where the reader is on the corporate ladder. For instance, practicing random acts of kindness toward the CEO’s executive assistant is guaranteed to get you more face time with the big kahuna.

Ferrazzi’s enthusiasm is communicated through his conversational writing style. This book will provide you with the confidence it takes to view every meeting with new people as the opportunity of a lifetime.

—By Meridith Levinson

The author is living proof of his book’s claim—that success is all about relationships

Never Eat Alone: And Other Secrets to Success, One Relationship at a Time

By Keith Ferrazzi

Security | Making Sense of Security

Companies increasingly depend on their networks for their operations. In the past, a network might have handled only data exchanges over the company’s intranet, but today the reliance on the network has virtually tripled, with it handling heavier Internet traffic as well as the company’s voice and video exchanges.

To cope with the added vulnerability that comes with opening the network to all these other uses, many companies have set up intrusion-detection alarm systems, triggered by potential security breaches. An alarm could stem from something as critical as a hacker successfully gaining access to the system, or something as minor as the network being pinged.

About 95 percent of security alarms are false alarms, according to Lloyd Carney, Chairman and CEO of Micromuse, a company providing software like Netcool Suite, which performs analytics around such alarms.

The software monitors all the events generated by applications, as well as security breaches within the network, then consolidates this information so that a distinction is first made between device-level and service-affecting events. Finally, it performs automated analysis of service-level problems, and maps and lists out for the network administrator the relationships between the IT resources and the critical processes they support.

By automating this process of distinguishing between real and false threats, the administrator in charge of security might not only save a lot of effort manually weeding these out, but also be better positioned to arrest the real problems faster.

Carney warns, “If your network is under threat, the first hour is the critical hour. If you can identify what the problem is and isolate it within that, you can save your network.”

While technological advances have widened network bandwidth many times over in the past five years, its broadened uses have also made it more complicated to manage. A phone line over Internet Protocol, for example, may require only a fraction of the bandwidth of a video exchange, but needs a dedicated line, because the bits on the call cannot be dropped and resumed like those of a data download from the World Wide Web, or the conversation gets interrupted.

“Even if your network seems to be fully-functioning, someone could perform a Denial of Service (DoS) attack on the voice gateway,” said Carney. This increases the scope of concern for the network administrator, who would need to look more closely at specific areas of a network’s operations. Analytics that improve a network administrator’s speed and efficiency in handling a disaster could therefore make all the difference between a crash successfully averted and a lengthy, not to mention costly, downtime.

—By Victoria Ho

D. Rajendran, Secretary, State Industries

D. Rajendran, Secretary, State Industries, has been given additional charge of the department of IT, Tamil Nadu. Rajendran is an IAS officer of the 1985 batch and has been commissioner of small-scale industries, among other positions. In his new capacity he will continue to drive IT in the state, ensuring that current projects continue on course.

S. R. Balasubramanian, Executive Vice President—Special Projects, ISGN

S. R. Balasubramanian has joined ISG Novasoft (ISGN) as Executive Vice President—Special Projects. ISGN is an enterprise application management and outsourced product development company and is part of the K. K. Birla Group. Balasubramanian will build competencies for ISGN’s AMO (Application Management Outsourcing) business globally and will help manage complex deals. He brings to bear 28 years of experience in IT and will be CIO of the parent organization. Prior to ISGN, Balasubramanian was VP-Information Systems, Hero Honda.

Arun Gupta, Director, Philips Global Infrastructure Services, Philips Electronics, India

Arun Gupta, 42, is now Director – Philips Global Infrastructure Services at Philips Electronics, India. He will lead Philips' IT function and support various business units. In his previous position at Pfizer, he made tremendous and tangible contributions to field-force automation and SCM.

IT Takes Expense Out of Purchase

Systems lower purchasing costs 20 percent at top companies.

By Lorraine Cosgrove Ware

Companies that use IT effectively for procuring goods and services can save big bucks, according to The Hackett Group. The consultancy’s study of what it calls world-class organizations finds that increasing spending on procurement technologies, as well as improving the use of existing technology investments, lowers overall procurement costs by as much as 20 percent. Top companies also reap greater returns from their investments in procurement technologies than other companies do—as high as 360 percent more than other companies typically see.

IT automates many of the transactions involved with procuring goods, such as order processing, scheduling and forecasting. Automation improves cycle times and reduces errors. As a result, fewer staff need to be dedicated to tasks such as operational support, order placement and forecasting. Instead, they can focus on more high-value activities like analyzing corporate spending patterns and aligning procurement with business strategy, says Christopher S. Sawchuk, Hackett’s procurement practice leader.

Hackett defines world-class organizations as companies that rank in the top 25 percent on various efficiency metrics (such as staff levels, productivity, costs, cycle times) and effectiveness measures, such as ROI. According to the group, staff at world-class procurement organizations use online tools to communicate proposals, quotes or requests for information to suppliers 78 percent more often than their peers, and they are twice as likely to have access to suppliers’ online catalogs.

Best Practices

1] Assess your investments. Review how IT is supporting procurement currently. Find out whether employees are using the existing tools and processes, and whether they are using all or a portion of the functionality.

2] Evaluate processes. Before applying any new technology, examine your procurement processes. Ensure that purchasing procedures in different parts of your company, such as receiving and payment schedules, are aligned.

3] Consult end-users. Work with the chief procurement officer or other procurement executives to learn what their staffers need to do their jobs effectively. Once you find out their priorities—whether it’s visibility into total spending or supplier management tools such as pricing and shipping schedules or electronic ordering tools—you’ll be able to invest time and energy where it’s needed most.

How IT Cuts Purchasing Costs

World-class procurement organizations…

…Have Smaller Staffs (staff per $1 billion procurement spending)

World-class organization: 44.9

Typical organization: 89.2

Difference: 49.6%

…And Use Fewer Suppliers (average number of suppliers)

World-class organization: 4,171

Typical organization: 7,710

Difference: 46%

Source: Hackett Group

Education | Tech Truck Bridges Digital Divide

While government departments across countries grapple with ways to promote technology adoption among young people, Western Australia’s Department of Industry and Resources (DoIR) has stopped talking and taken IT trucking.

Established with a number of sponsors including DoIR, Telstra BigPond, and truck company Scania, the roadshow began visiting regional centers in the state’s South late last year and has been a great success, according to the department’s infrastructure division manager, Kevin Russell.

“It’s been a huge success because people in the region are crying out for this,” Russell said. “The acceptance is terrific and absolutely amazing.”

The truck has so far made its way through farming centers, mining towns, schools, TAFE colleges, and universities. With most of the South finished, the truck will head north in April and complete its journey around September.

“The technology roadshow is taking technology to the regions of WA to bridge the digital divide,” Russell said. “We’re informing people about the use of the Internet and how they can do business. For example, about using a content management system over a standard Web server.”

Russell said the feedback from business people has been “excellent”; one person in the process of starting a company discovered about Rs 4.9 lakh (US$11,064) in software savings after visiting the roadshow.

The roadshow also aims to heighten awareness of how the Internet can assist with communications for distance-learning, employment, and health.

In addition to the demonstrations and advice, the roadshow has given out copies of Ubuntu Linux and TheOpenCD—a collection of popular, open source applications for Windows.

“We’re not aligning to any one vendor; we can demonstrate what you can do with open source,” Russell said.

Russell said while TheOpenCD is “really good” it doesn’t have some applications which people need, so the team is looking at creating its own distribution of open source software.

“It will be a mixture of business and education applications to cater for the diverse range of people out there,” Russell said.

“I was surprised at the number of people in the region already using open source software, [because] the whole roadshow hasn’t been an open source promotion. Some really smart kids out there have been using Linux which is really enlightening and it’s good to see them getting involved in a global project. They have a great opportunity to be part of a global system in some way.”

—By Rodney Gedda, Computerworld

Your New Mandate: Meet the CustomerWhy it’s up to CIOs to ensure that their companies are focused on external customers—one at a time.

How leading companies generate revenue has evolved over the past 20 years: From managing markets to managing market segments to managing customers. This shift creates significant

issues for the board of directors and the entire executive team, including the CIO. If this change in strategy hasn’t affected your company and industry, you are in a distinct minority.

For the average CIO today, external customers are not a primary concern. Yet the CIO is uniquely positioned to help the executive team address customer management, for two reasons. First, the CIO is usually one of the most senior executives with a broad process view of the corporation. It is the role of information systems to span functional, geographical and hierarchical boundaries. Second, the way information is collected, stored and delivered can either help or hinder the corporation in managing customers. The CIO is best placed among executives to understand what these information needs are and to ensure that data systems can deliver the information needed by the company to support this marketing requirement.

The Right Way to Focus on Your CustomersThe traditional belief that simply increasing market share translates directly into higher profitability has been proven false in our current economy. You need look no further than the US airline and automotive industries to note that market share leaders are not the most profitable companies.

Deciding whom to serve is a critical decision for any organization. One of the world’s experts on this topic, Harvard Business School Professor Das Narayandas, says, “Who we are affects who we can serve, and who we serve affects who we will be.” In today’s business world, a company’s customer set defines what products and services it will offer.

Another of a company’s most important decisions is identifying who should be excluded from the customer list. Serving a specific customer can sometimes preempt your ability to serve others. The most obvious example is working with one large customer on a proprietary component for its product, which may require an agreement to not provide similar technology for its competitors, thereby excluding other potential customers. Sending unprofitable customers to your competitors can sometimes actually contribute to your comparative advantage.

Although executives usually acknowledge the importance of customer targeting, in many companies salespeople are left to develop a de facto marketing strategy at the customer level. As Narayandas points out, since a salesperson’s behavior is directly affected by compensation schemes, letting salespeople determine whom to sell to is one sure way to get into trouble. Segmenting and prioritizing customers must be an executive-level decision. Narayandas outlines four steps for customer management:

1. Develop a clear vision of the customers to serve and not serve.

2. Develop and manage a portfolio of customer relationships—the set of activities that serve the customers.

3. Monitor the health of customer relationships—understand whether customers are satisfied with the activities designed for them.

4. Link the customer management effort to economic rewards—that is, the benefits to the company and its employees for successful management of customer relationships.

Marketing Information Systems

As we transition from the Industrial Age to the Service Economy, customer retention and loyalty have become better predictors of profitability than have traditional measures of market share. Scale is still important, but it must be attained with an increased focus on customer selection and management that facilitates the design of an efficient product/service delivery system.

Understanding which customers are profitable is a matter of studying what it costs to serve each customer and the price of the products or services they buy. Surprisingly, in most companies there is little analysis done of the cost-to-serve and prices, and frequently no relationship between them.

Obviously, when prices or the cost-to-serve is too high, the situation is not sustainable. Success, then, comes from building a portfolio of customer relationships in which customers pay a fair price for goods or services developed at a profitable cost-to-serve for the corporation. This portfolio is built through a delicate combination of product development, service, sales incentives—and information management.

The CIO’s Role in Reaching External Customers

As a CIO, you have the unique ability, and therefore the responsibility, to ensure that marketplace discussions are focused on the customer at a very granular level. Most organizations have not re-structured to reflect market changes and shifting customer requirements and power. Industrial Age organizational structures still dominate many companies. They were designed to implement mass production and vertical integration strategies, rather than the highly selective customer management strategies that companies need now.

For example, a large computer manufacturing company in the early 1980s was organized by relative size of computer systems: A small systems division (including PCs), a mini-computer division and a mainframe systems division. For many years, this product focus had provided significant efficiency in the development and delivery of the company’s products and related services. As long as customer buying power was low and there was minimal overlap of customers across the business unit boundaries, the product-focused organizational structure was appropriate.

But by the mid-’80s, customers wanted to implement MRP-II solutions that required highly integrated applications, which used systems from all three divisions. Customers were required to navigate through the company’s organizational structure and cross the business unit borders. It took the company six years to understand and respond to these emerging customer needs, since the internal organization (which was initially designed with customer needs in mind) was blind to this evolution. Until executives recognized that the market was requesting integrated solutions, the company continued to be product-focused and to build systems for each siloed business unit.

An organizational structure that isn’t aligned with marketplace requirements causes misinterpretation of important data. When customer requests are viewed through a product lens, a company might respond in a way that actually conflicts with customer needs, as the computer maker did. CIOs must look to the marketplace and customers to ensure that information systems are responding to their requirements, regardless of how the company is internally organized.

The CIO’s role is to ensure the data that matches marketplace and customer requirements is brought to light and brought to the attention of the rest of the company. Doing this requires a horizontal view of the business, and the CIO is one of the best C-level executives to have this view. He or she has allies in the organization, such as the supply chain owner and the quality management owner. But the CIO is often the senior-most executive with this view. CIOs are best-positioned on the executive committee to present this horizontal view.

CIOs must keep their executive colleagues apprised of several important areas:

Changes in customer and marketplace activity that could affect the company’s goods or services.

Internal organizational structures that potentially could be at odds with customer needs.

Information systems that target only the present, or are based on an outdated past perspective, and thereby obscure future views of the business.

These responsibilities hold significant ramifications for CIOs. First, you must make sure that your company is fully committed to the shift to customer management. Second, you have to ensure that the information your corporation collects is parsed and granular enough, down to the customer level, to enable customer management.

This may mean driving a set of activities aimed at changing the sales-force data-collection activities—something the CIO doesn’t typically lead. It may mean driving a change in the marketing and sales processes to ensure availability of customer-level data. It may mean crafting a vision to make sure the company is positioned to appropriately respond to a shift from market segments to customer management. For some business leaders, that is a hard pill to swallow.

It’s essential that you navigate these political hurdles, however. If your company can’t stay close to individual customers and change in the ways that they require, then you will find—as many executives have in the swiftly changing economy of recent years—that your company has lost the ability to sustain itself.

James Cash is the emeritus James E. Robison of Business Administration at Harvard Business School. He was also chairman of HBS Publishing. Keri E. Pearlson is a research director with The Concours Group and co-author of Managing and Using Information Systems. Send feedback on this column to [email protected]

Jim Cash with Keri Pearlson FROM THE BOARDROOM


Paul Garbaczeski APPLIED INSIGHT

Inside the Software Testing Quagmire

Software testing reveals the human failings behind the code. That’s why it can become a never-ending exercise in denial. Here are five questions that you can ask to help you cut through to testing’s root problems...

There are few things worse than being responsible for a software project mired in testing. To those waiting to use the software, the project seems done. But it isn’t. The software needs to be tested to ensure it functions properly and is stable and reliable. And the project manager’s frustration mounts as days turn into weeks, weeks turn into months, and—heaven forbid—months turn into years. (For best practices for running your testing organization, see Testing, 1, 2, 3… February 1, 2006)

This process is doubly frustrating for CIOs removed from the action. Testing managers—who may not be skilled at communicating with CIOs—can distract attention from the real problems by being overly detailed or focusing on irrelevancies.

CIOs must assess the situation for themselves, asking the testing manager the following five questions face-to-face and observing how wide his pupils dilate.

Question #1: Is the software’s functionality complete, documented and subject to a formal change process?

You’re really asking: Are we trying to hit a moving target?

You’re trying to determine: If the problem is that the software is poorly defined or that the project’s scope has changed.

Interpreting the response: If the software’s functionality is not fully documented or is not clear, testers will have difficulty determining whether it meets the project’s goals. When functionality is subject to interpretation, test cases might not reflect what was originally intended. If functionality changes because the organization continually adds, modifies or deletes functions, testers will have difficulty keeping up. Only changes critical to the integrity of the software should be allowed.

A related symptom to check: Intense debate about requirements and test results.

Question #2: Is development complete?

You’re really asking: Are the testers essentially starting over with each new release because there are so many changes?

You’re trying to determine: If the software has been released for testing prematurely, or if changes are uncontrolled.

Interpreting the response: Software released prematurely will differ markedly from the previous release. With all the changes, testing performed on a previous release might no longer be relevant to the new one. If testing of one release is not completed before the next one arrives, there will be no comprehensive understanding of release defects. After each release, the software will change due to user feedback. But problems will occur if developers and testers do not agree about which changes will be made. If developers decide to implement sweeping design changes or to improve software already functioning correctly, the testers will be the dubious beneficiaries of releases that behave very differently from previous ones. Again, testing efficiency will be very low.

A related symptom to check: Complaints about the frequency of releases, about releases being delivered without notice or about significant changes in a release.

Question #3: Are test cases repeatable; are they executed in a controlled environment?

You’re really asking: Is testing ad hoc or disciplined?

You’re trying to determine: If testing is effective.

Interpreting the response: There should be a set of repeatable test cases and a controlled test environment where the state of the software being tested and the test data are always known. Absent these, it will be difficult to discern true software defects from false alarms caused by flawed test practices.

A related symptom to check: If temporary testers are conscripted from other parts of the organization to ‘hammer’ the software without using formal test cases, it means the organization is reacting to poor testing by adding resources to collapse the test time, rather than addressing the problem’s root causes.

Question #4: Is there a process being followed to evaluate each defect and prioritize its resolution?

You’re really asking: Are the most severe problems being tackled first and are the contents of the next release agreed on?

You’re trying to determine: If the organization is making good decisions about where to apply its assets.

Interpreting the response: Defects vary in severity. For example, a defect in the cosmetics of a screen form is less severe than a defect that stops the software cold. A defect that impacts many users is more severe than one that impacts few users. The order in which the development team resolves defects should be in line with their severity.

Trouble occurs when the development and test teams do not communicate about which defects to remedy and in which order. To ensure improvement of the software and for the test phase to move toward completion, the development and test teams must collaborate.

A related symptom to check: The number of highest-severity defects does not diminish over time; friction exists between development and test organizations.

Question #5: Does the organization collect testing metrics at regular intervals? The total number of test cases? The number that passed and failed? The number of defects—by degree of severity—in the process of being fixed?

You’re really asking: Can the organization quantify the state of testing?

You’re trying to determine: Can the organization measure progress?

Interpreting the response: Metrics enable informed testing decisions. If metrics are not recorded and published on a regular basis, progress will remain uncertain.

Metrics relating to test cases and defects must be captured, published and tracked. With these metrics you can determine whether defects are climbing, cresting or diminishing, and whether the most severe defects are being attacked first. You will see trends and be able to make corrections.

A related symptom to check: There are differing opinions about the state of testing, open defects and trends.

Because software testing ultimately exposes human failure, it’s difficult to know whether the process is achieving its goal of creating the best software. People don’t like to admit mistakes. They can go to extraordinary lengths to hide mistakes or take unilateral steps to try to remedy problems before others can discover them. ‘Busy-ness’ is no guarantee of progress—indeed, it may indicate the worst kind of testing failure. CIOs can provide a critically important perspective on the process to get testing back on track and keep it there.

Paul Garbaczeski has held a variety of systems development, management and business positions at major enterprises over the past 30 years. Send feedback on this column to [email protected]


IT is banking’s new knight. Its business intelligence gambit has captured ICICI Bank more benefits than mere up-selling and ensures that a growth strategy based on risk is not defined by defensive play.

By Gunjan Trivedi

Cover Story | Business Intelligence

Reader ROI

BI brings more than cross and up-selling

What to watch out for when defining rules

How to tackle user buy-in

Business intelligence (BI) wasn’t something Pravir Vohra, Senior General Manager (Head-Technology Management Group & Retail Technology Group), ICICI Bank, invented at the bank. Whip smart bank employees raring to push the envelope were there before him, tinkering with their isolated systems, culling out information that could be the next big lead. But, flash-in-the-pan didn’t satisfy Vohra. Neither did the mere cross and up-selling of ICICI products. He wanted BI to do more. He also wanted to spread the BI oil over all ICICI’s disparate departments and calm raucous calls for more intelligent information.

However he was willing to start where everyone else wanted to go. A little less than a half-decade ago, ICICI realized that it was sitting on a huge goldmine of a customer database. Only, the mine was made up of very disparate veins embedded deep in various units and systems.

“We had realized that it was going to be harder and more expensive to acquire new customers than to derive more value from the existing ones,” recalls Vohra.

In March 2000, ICICI resolved to get on top of that heap. Reaching base camp, however, would take an intensive data aggregation exercise. A new business intelligence unit comprising tech-savvy business analysts was entrusted with the job of conceptualizing the project and planning a roadmap.

The initial purpose was to consolidate business, customer and event transaction data into a single data-store. The bank started by populating the data from two to three systems to a data warehouse. Today, with significant growth in infrastructure over the past four years, the bank sends data from as many as thirteen systems to the warehouse. This covers almost 99 percent of its products-related customer transaction data.

Stacking its information in neat piles at its warehouse also helped provide customers a more seamless experience with the ICICI group, which has multiple companies offering different products. This also fuelled ICICI’s early move towards data warehousing and business intelligence. While it gave the bank the ability to pull out a single file on customers with accounts in their various business units, it also allowed them to leverage customer data to cross-sell and up-sell the bank’s products.

And there was ample opportunity to do that. ICICI’s data-vault contains information on over 1.55 crore customers. It’s the second largest bank and the largest private sector bank in the country, with assets over Rs 2,00,000 crore. If the financial services giant could use BI to continuously generate new business, it could feed the lines of ambitious marketing people waiting for a chance to score an ace.

Early-mover Disadvantage

But first they were going to have to lay down a court. Adopting data warehousing and BI technologies is still a blip on the horizon of most businesses. When ICICI Bank started out, it took on one of the problems early-movers face: An inaccurate roadmap. And the people selling them the camels didn’t quite know where the next oasis was.

“When pre-sales meetings (with vendors) go beyond the regular jingle of success stories and ROI calculations, one often runs into a lack of adequate and in-depth knowledge. As technology partners, they are usually unable to convincingly address queries about scenarios that differ from published case studies,” laments Vohra.

Bargaining with people who work with the camels can be a pain as well. As technology partners dangled ROI figures to lure Vohra into buying their products, ICICI’s head IT mandarin steadily became frustrated. The traditional model of ROI, which vendors base their pitch on, is something that is based on plenty of assumptions, he maintains.

“All I need to do is presume that I have a set of X million customers and that I will cross-sell 1.4 products to them. And then I pit this number against the costs for acquiring new customers, warehouse technologies, amortization and running costs. It’s possible then to reduce unknowns to a tangible figure,” says Vohra.

The real problem, however, is that a CIO needs to balance the reasons to innovate against the capital he is willing to write off if a project fails.

Although, Vohra believes that not all risks need to be mitigated. A bank is in the business of taking calculated risks, after all. He feels that CIOs need to mull over every risk and look for countervailing reasons and then come up with a ‘risk balance-sheet’ that they are comfortable with.

Profile of a Bad Investment

The business intelligence unit at ICICI works some of that risk-taking attitude every day. They are the new financers, eons away from the archetypal cautious banker. Applying risk scoring algorithms, ICICI uses data warehousing and business intelligence technologies extensively to manage risk. One instance is when they run BI exercises to spotlight specific pin codes in a city where delinquency rates rise above the average. Based on different risk scores, the bank uses different lending patterns to service different locations in a sprawling metropolis like Mumbai.

Since its analysis of delinquent behavior is based on the number of card products it has in certain pockets of a city, risk scoring shoots sharper as data size matures and grows.

“We get more insights because the denominator becomes large enough to make the law of averaging meaningful and we learn to interpret it in a better, faster and smarter way. All the initiatives in the areas of risk are an extension of the risk scoring concept. With all the variables we can build in, such as regions, locations, professions, products etc., we are trying to come up with more accurate models. We are drilling deeper to gain more granularity,” he adds.

The bank also leverages business intelligence to analyze patterns to help spot and control fraud. It has ‘fraud engines’ working outside the BI system because fraud needs to be controlled almost in real-time, as transactions pour in and can’t wait for analytics. However, once an attempt to commit fraud is detected, the warehouse and BI jump into the picture. BI helps the bank in bringing forth a pattern. “BI may not get you to a result but gives you the what and where of a pattern,” says Vohra.

A Little Less Risky

“Today, business intelligence helps us not only do marketing and sales related activities, but also enables us to derive relevant inferences, bring in operational intelligence, efficiently manage risk and apply credit scoring,” says Vohra.

Scoring models are not alien to ICICI. The banking giant has used these models to score customers and products. BI helps to take the hocus-pocus out of the system. The evolution and deployment of BI tools at ICICI have given scoring models a face-lift. And now customers’ profiles are cleaner and sharper.

From the Trenches

Ten Secrets for BI Success.

1. Do an inventory and assessment of your technologies, tools and data—what’s valuable, what’s not.

2. Profile your analytic end-users to ease solution mapping and deployment.

3. Make sure the BI solutions you deploy are easy to use, deliver acceptable response times when functioning with large databases, and can handle all the data sources you need.

4. Deal with your data quality problems in both operational and decision-support data. Step one: Admit you have data quality problems.

5. Simplify your underlying BI infrastructure, including your data infrastructure.

6. Unify business rules enterprisewide with a centralized scheme that can generate, maintain and apply them, thus eliminating duplicate, and sometimes conflicting, departmental business rules.

7. Reuse the business rules and metadata that are already at work in your various BI and operational applications.

8. Realize that cross-departmental BI projects, while more challenging to implement, typically yield greater value than single-department BI projects.

9. Develop a plan to address the IT operational demands (hardware, software, security) you face in order to support a bigger and more diverse analytic end-user community.

10. Consider bringing in a specialist BI consulting firm to lead your project. According to The OLAP Survey 3, these tend to be the most successful.

The scoring model helps predict a customer’s credit-worthiness and reduces the risk of the bank being scammed. A number of parameters used to create this score earlier were subjective and depended on the intuitive reasoning of the person behind a desk. With the introduction of an evolved BI, which was piggybacking on an elaborate data warehouse, the scoring models got more statistical, rational and reliable. The bank is applying that intelligence to its own products. “The models are evolving not only in the manner of the actual algorithm used but in how we leverage them across more products. Our dream is to be able to score at both the customer and product level at the same time,” says Vohra.

His team also employs BI to predict other behavior such as customer attrition and product usage. ICICI’s models are aiding the bank to predict customer behavior across segments and products, thereby helping the organization shape or modify products and services.

Demand has increased the number of BI models running at the warehouse. “Though not all the queries that are run at the warehouse are BI-related, I believe a fair amount out of the average 200-a-day are BI queries. These help us come up with effective new campaigns to grow product usage,” says Vohra.

More to BI Than Meets the Eye

Vohra has proved that the bank can extract more from BI than the usual cross-sell and up-sell. Business intelligence has brought sophistication to the marketing of ICICI’s businesses. BI tools now help analysts understand the impact and reach of campaigns run by the bank by sifting out knowledge of finer granularity from different markets. “BI powers us to reverse-feed the campaign success-rates into the systems to devise intelligent ways to take more marketing initiatives layered on the successful campaigns. This keeps us from wiping our slates clean every time we run a campaign,” says Vohra.

The journey, however, was littered with anxious moments when they could have been wiped out. Like most high-impact technology, business intelligence and data warehousing honed ICICI’s competitive edge and empowered it to tap its potential. Also like most high-impact technology, it came with its share of bugbears.

A lack of user acceptance could have stopped them cold. User animosity has sunk many a grand IT initiative. Vohra anticipated this challenge early on. In order to draw in users right from the beginning, the technology team and the business intelligence unit polled internal users on the kind of answers they expected from the BI system. “When we first started the warehouse initiative, we asked users questions like ‘What are the ten biggest business questions you want an answer to?’” The exercise not only helped rally support but also assisted the IT team in creating a rich data-model that efficiently services even complex and esoteric queries.

How Secure is your BI Environment?

Your BI environment contains pretty sensitive information—it’s called intelligence for a reason. To get a sense of how secure yours is, try answering these questions:

ABOUT YOUR DATA ENVIRONMENT...

Who has access to your data extracting and transformation tools and logic? Can they be modified without authorization? Do you know who accesses your data warehouse, the extent of their access and what kind of access they have? Do you know how your data is distributed in support of BI solutions? What do users do with the data they download? Can they send it to outside parties?

ABOUT YOUR SECURITY POLICY...

Do your policies address BI-related activities and users? What laws and regulations impact the information stored and used in your BI activities? Do you know if current or planned BI activities are sufficiently secure?

ABOUT YOUR BI AND REPORTING SOLUTIONS...

Do you authorize who uses them? Do customers or suppliers have access to your intelligence? Do you know where your intelligence is? Do users have IDs?

And with technologies like BI, in which end-deliverables are difficult to define, having your back covered is a good idea. Unlike core banking, card processing, or lending systems, it’s hard to decide when to call a BI implementation a success, Vohra feels, making it vulnerable to a CFO’s red pen.

“This is an unusual project in the sense that it usually needs year-on-year investments, as requirements continue to grow. Unlike other systems that scale up only as more customers and transactions are added, this scales up not only when more customers and transactions are added, but as queries get more integrated and more complex,” says Vohra. It’s an additional challenge when an organization is on a fast track to growth, as in ICICI’s case, because by the time technology-related decisions are taken, a CIO can miss the bus.

Pick-Up-Sticks

A variety of information formats from different companies in the group and a lack of standardization also pose a major threat to the success of BI implementations, says Vohra. Everyone was playing pick-up-sticks—by themselves and with different sets. ICICI faced design issues while building physical and logical data models.

“Data elements are critical but it is a pain to analyze which elements in the models to retain and which to drop. We had to really concentrate on the nitty-gritty, such as the choice of central coding structure, translation of data formats into the logical models, incorporation of additional systems and de-duplication of information,” states Vohra.

Even once they got a fix on what to keep and what to throw out, the question of how long to keep it became an issue. A blanket policy for data retention would have obstructed the bank’s systems. Vohra had to devise ways to classify data and wrangle over retention periods.

“It’s very easy to say that I’ll keep all my data intact for two years. But, this chokes infrastructure. What we need to ask ourselves is: Do we really require all this data for two years? It’s better to make data retention policies based on differential requirements than clog up systems,” points out Vohra.

Some categories were easy to make a call on, like the decision to store some information in data marts at the product level, which didn’t have to go into the warehouse. Typically this information was processed into reports at the end of each day. ICICI used a time-based cut-off (two months) on some of its information to decide what stayed out of the warehouse.

But rules defining a standard format of what went in the warehouse were tougher to make. While data was being moved to the warehouse or was in transit (whether it was being staged or de-duplicated), ICICI wanted a common reporting framework which would run on these temporary data marts. Along with that, it wanted a common mechanism to deliver data to the users; a mechanism that also addressed security and regulatory issues.This initial struggle was reflected in the confusion surrounding which type of business intelligence would be available at the product level and what would come out

BI Readiness Checklist

Sizeable investments are made in BI implementation. Here is an indicative checklist that will help you avoid the pitfalls in a BI rollout.

INFORMATION FOCUS: Define reports, data elements and base systems. Identify business functions and relevant existing reports as well as new reporting needs. Identify usage pattern and frequency of the existing reporting system, if any. Differentiate between mandatory and nice-to-have data elements. Identify additional data needed for new reports. Build adequate reference data for BI tool. Isolate seldom-used reports and data elements. Classify and define data retention periods.

REPORTING PROCEDURES: Categorize information based on the requirement of real-time or scheduled analysis. Maintain user friendly display of data and the ability to cross-format exporting. Build in ways to highlight and flag exceptions and variations in reports.

SECURITY PROFILING: Identify data that requires restricted access. Map users to the appropriate access rights.

USER READINESS: Identify potential users who will have direct impact. Encourage participation in the preparatory phases. Identify ‘Business Champions’ for each business function among the users. Delegate responsibilities to Business Champions and key users. Communicate ‘change message’ appropriately.


“Vendors usually can’t address queries that vary from the norm.”

— Pravir Vohra Sr. GM & Head Retail Technology Group, ICICI Bank

of the warehouse. This was a critical area, since data ownership belonging to different technology and business teams could result in a turf war.

“It becomes a major problem as you grow and evolve. So, we decided to put in simple rules so that people have a common vision for simple queries being addressed by product processing systems and complex, analytic queries being handled by the warehouse,” says Vohra.

Like all re-organizations, this one turned into a bout of spring-cleaning and efficiency-building. Earlier, the technology team ran SQL scripts on specific requests, put the results in a staging area, and sent a link to the user who had asked for the information. The same procedure was repeated every week or fortnight, month after month. Now, the same reports are pre-published. The common reporting framework gives users (depending on access rights) admission to specific reports that are stored in specific systems for a pre-defined period.

“Our premise was, while we’re creating these reports anyway, why not run them on their own and increase efficiency? It saves us from being dependent on people’s coding ability,” recalls Vohra. “It’s become a part of our hygiene now and it’s helped change the way people work,” adds Vohra. Pooling in data once a day, from the once a month routine earlier, keeps ICICI clean. Going forward, Vohra envisions the aggregation of data taking place in near real-time for critical systems. The bank is also aggregating all its disparate BI analytic tools into one common business intelligence framework with well-defined subsets. A few months ago, it felt the need for pervasive BI capability for the enterprise and decided that the time was right for it to start consolidating all initiatives.

The Next Hill

As the BI deployment settles and stabilizes, Vohra and his team have kept building infrastructure to support the tools, finding solutions to new challenges and coming up with new ways to mitigate risk.

Vohra now faces another challenge. As investments increase, a point will come beyond which returns will diminish. But IT needs to keep up with the bank’s need to retain transactional data for a given period. This will get progressively harder and more expensive as ICICI generates more transactions.

“Though our statistical data is becoming richer, I have already been extracting value for five years. The cost will continue to increase roughly on a straight line, but the success rates will start to fall,” says Vohra. As more complex queries are run, consuming inordinate amounts of technological resources, the risk of these queries not resulting in significant value is much higher. This threatens the business case for further growth of BI. Vohra admits that he doesn’t have an answer to this as yet but says he plans on getting there soon.

ICICI Bank’s Senior General Manager (Head-Technology Management Group & Retail Technology Group) has his roadmap chalked out for the next couple of years. The process of evolving ICICI’s BI infrastructure into a consolidated framework has just got off the ground and he has a packed pipeline. “I don’t really have the next sea-change in mind because we need to walk our present path before worrying about that. Right now, my main concern is to derive the maximum value from what we’ve invested, and to ensure that every part of the enterprise and every business unit we touch is using IT to the fullest potential,” says Vohra.

Over the next year, ICICI plans to consolidate its BI framework and take it to its international offices. The bank also wants to improve its current scoring models by bringing in third-party databases such as CIBIL’s (Credit Information Bureau (India) Ltd) to its warehouse and BI systems.

For the time being, however, this will have to take a backseat because the IT team already has its plate full for the next 12 months just making sure that BI gets into every nook and corner of ICICI. As Vohra points out, his concern is figuring out how many ‘mechanics’ are not using these tools. “It’s still a work in progress,” he says. CIO

Senior Correspondent Gunjan Trivedi can be reached at [email protected]


Passion in Motion

View from the Top

Neeraj R.S. Kanwar, COO, Apollo Tyres, says IT will keep Apollo racing ahead in an automobile market that’s slick with new opportunities and newer competition.

By Rahul Neel Mani

200,000 metric tons a year of tires and still rolling. Neeraj R.S. Kanwar, COO, Apollo Tyres, the country’s leading Indian tire company, recalls how in the race to the top they made an important pit stop to re-tread the company with IT. Today, IT allows Apollo’s shop floor to talk to its dealers and its customers’ assembly lines, vulcanizing Apollo’s customer relationships.

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

CIO: How did Apollo Tyres evolve into a systems-driven company?

Neeraj R. S. Kanwar: At one time, Apollo, as an IT organization, was scattered over different locations with numerous departments, each of which was an island of excellence. Each office owned disparate software packages and every plant was an isolated system.

Today, Apollo has over 140 offices across the country. These include sales, commercial and technical services departments. We own four plants and source from three others. A 9,000-strong community works for us besides a network of 4,000 exclusive dealers and 2,000 others who stock our tires, making ours the largest network in India.

In the process of getting here, we realized that we needed our key decision-makers, across all our offices, to collaborate more. And if we were to become a 360-degree organization, it was important to implement a software package across Apollo. At that time we looked around the market for someone who could fulfill this function and SAP came the closest to it. We also formalized on IBM as our implementation partner of choice. Within a record seven months, Apollo had mySAP.com up and running.


How was it done in such a short time?

It was possible because we constituted a core team of 18-20 senior people, who were taken off their assignments and put on this project. I remember having an argument with the SAP head for Asia Pacific over whether a seven-month timeframe was realistic. He said we'd gone crazy.

It became a challenge and in the end we came out on top. But during the implementation, I remember SAP telling us that they would launch one module after the other, only after the seventh month. We, on the other hand, needed that system as of yesterday and couldn’t wait for a year. I wanted every module up and live in seven months. I wanted to make up for the years we had lost. In a competitive era we couldn’t afford to be laggards.

Our effort paid off and on the first day of the eighth month, we were live with four modules—without any major failures.

SAP’s APAC head called back to show his appreciation. Today, the entire company runs on MySAP.com.

Creating a homogeneous IT environment in a crunch must have produced flashpoints...

Not really! The approach we took and the people chosen to work under the leadership of the IT head found the project astonishingly exciting. During the journey, they got a sense of how the implementation would help take the company to an entirely new horizon. It was something they had been struggling to achieve and the project was seen as a major push in that direction.

Wasn’t Apollo behind the times with the project?

We were late, but better late than never. Within the tire industry here, we were the second to run on a certified ERP, the first being Goodyear. It was a big move and now we can boast of it as a hard decision and an achievement. Its success is based on our foresight and the IT team's collaboration.

What were the three most important goals the implementation was to achieve?

The first, most tangible, requirement from the system was to generate MIS reports. Second, to capture data on a real-time basis. This information would greatly aid the decision-making process for marketing, technical support and sales. Last, we wanted to bring transparency across the company.

MySAP.com serves only as a takeoff platform on our journey to use IT to drive business. With unconnected, obsolete data flowing in from 140 offices and 4,000 dealers, we were getting a skewed picture. This prevented us from performing many critical functions we do today, like demand forecasting and advance planning. From there, we moved into business intelligence. It has not only enabled us, as users, to take better decisions but has also helped customers and dealers outside Apollo, to stay in sync with us.

How did you champion the project?

I advocated a couple of basic fundamentals. One, that the project and the methodology should be extremely transparent. I wanted an open-ended approach, which would allow various departments to communicate their problems to the head of IT. We asked them to bring up workflow issues and possible solutions. I put my weight behind the project by instructing the function chiefs, who report to me, to support the head of IT. We also constituted a core steering committee of five, who met every fortnight to review the project.

Has IT enabled Apollo to reduce its time-to-market?

What MySAP.com allowed us to do primarily is to get data right-on. I was then able to take that information to my stores, into our supply chain and production planning. It helped me forecast seasonal trends, like the April-June and November-December farm seasons. MySAP.com allows us to tell what’s gone into the market and, more importantly, what else needs to be introduced. Armed with this knowledge, we have been able to enhance the way we track products. As a result, we know when and where to stock products in order to achieve the shortest delivery time. To shorten that cycle further, we’ve also started bar-coding our products.

Additionally, we put up a dealer portal to give exclusive Apollo dealers the option of linking up with our systems and locating information instantaneously. Although we only have 250 dealers on the platform right now, I soon hope to see many more utilizing this tool. We realize that truck tire dealers might be hesitant to increase their use of computers and we are addressing this. More dealers will figure that the portal offers them the ability to place orders, create invoices, manage stock and do a whole bunch of other functions.

The portal also acts as a marketing tool and that helps us reach the market faster.

What other benefits does the portal offer?

The site services more than just our dealers. We are talking of alignment with our OEM (Original Equipment Manufacturer) partners. Already, we are seeing orders coming in from M&M, Tata and Maruti on a weekly basis. Apollo is now on the shop floors of its partners. We know what their assembly-lines require. Instead of constructing warehouses at random, we’re trying to have them near these factories to further reduce delivery time. But it is IT that is aligning my production line with theirs.

How has this impacted on your supply chain and where are the bottlenecks?

Even today, there’s plenty of room to improve the performance of our SCM (supply chain management). We have already graduated to the next level. Take for example our Advance Planning and Optimization (APO) tool, which does both demand and production planning. Before adopting it, we could forecast about 20-30 percent of what was being sold. You can imagine the amount of hidden costs that remained hidden. If I am not planning right, I won’t be able to purchase right. And given that the price of my raw material is 65 percent of my product’s cost, wrong purchases cause cash flow to go haywire. With APO we can now forecast 75 percent, which is incredible and the IT team needs a pat on their back.

SCM now helps me sell the right product, at the right time, to the right person. There’s no dearth of suppliers and getting to know your customer is crucial. The supply chain has also helped us improve after-sales service. We’ve put some of Apollo’s suppliers on the SCM and we’re trying to expand that number. Today, we buy 60 percent of our raw material from the domestic market and have the rest imported. Our international sellers are not yet talking to my systems, but the momentum among the domestic players is picking up. Getting them all will add value. If I am going to make the best use of this system, I have to populate the information highway across the company.

We are here today but we’ve still got a long way to go. I would like SCM to give me the ability to track every single product, whether it's in a warehouse, in production or in transition.

How did you empower field associates?

By giving them access to real-time information. On the field, obsolete information is a huge handicap. I personally wanted to equip them with a Palm or a Blackberry, but my CIO suggested that the transfer of data could also be done via SMS.

Apollo has almost 500 people in the field, all of whom once carried heaps of files just to check the status of various dealers, distributors and customers. Today, they have access to that information over their phones. Normally they make requests over SMS straight to SAP.

How has IT helped Apollo map the various demands of its huge customer base?

We make 250 different types of tires today. As we reach the status of an FMCG, IT will continue to help us keep track of every product, its demand forecast and production cycle.

The way the automobile sector is growing, we will need IT to map our production and ensure we don’t lose new or present customers.

My aspiration is for IT to provide a transparent and back-to-back access to my dealers who, in turn, interface with customers. I’d like this to happen as soon as possible.

Do you foresee a smarter use of IT?

I want IT to enable me to talk to my machines on the shop floor. Right now it’s only my customers and sales-force who are talking to me. The shop floor is an area where I see a lot of hidden costs. I need to know which machine is not giving me optimum results because that’s a cost to me. That’s where IT is working on now.

How important is the CIO to Apollo?

We see IT as more than just a support function. IT is totally in line with the company’s vision and is also part of the core team. Our CIO is very much a part of our journey to success. Full credit for moving away from the problems of decentralized architecture to centralized information architecture goes to the IT team.

Last year we set out on a journey we call ‘Passion in Motion’. It has three pillars: People, technology and quality and is driven by our CIO. Tomorrow, if I envision going global, I trust IT and my CIO to give me a leg-up. CIO

Bureau head North Rahul Neel Mani can be reached at [email protected]

SNAPSHOT: Apollo Tyres

HEADQUARTERS: Gurgaon, Haryana

PRIMARY BUSINESS: Tire Manufacturing

REVENUE: Rs 2,800 crore

EMPLOYEES: 9,000

SALES OFFICES: 140

NO. OF EXCLUSIVE DEALERS: 4,000

IT STAFF: 28

IT HEAD: Dheeraj Sinha

Sure, you’ve got a mammoth security battleship, but it’s full of...

By Thomas Wailgum

This is not the best of times for information security. From cloned credit cards to lookalike websites used for phishing, common sense security procedures seem in short supply. “Almost without exception we’re living in a world where no one thinks to lock the stable doors until the horses have escaped,” says David Friedlander, a senior analyst at Forrester Research.

CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC—and there’s no policy or training to make him think twice—your million-dollar security efforts become worthless.

With that in mind, here are 10 common security ailments and 10 practical remedies. They’re easy and inexpensive, and you can do them right now. All involve some form of user education and training. “How do you stop stupid mistakes?” asks Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. “It’s education and security awareness—basic blocking and tackling—and it does not have to cost a fortune.”

Reader ROI

Common security problems and how to fix them

Steps for preventing future holes

Save As...

The Hole | A company familiar to Adam Couture, a principal analyst at Gartner Research, searched its Exchange servers for documents called ‘passwords.doc.’ There were 40 of them.

The Problem | Uneducated users. “Some of these [mistakes] are so obvious that you think, ‘Nobody would do that,’” Couture says. “But you give people too much credit.” Any hacker, malcontent employee or grandmother with a minimal amount of computer know-how could unlock those documents and ravage your company’s most sensitive applications (not to mention all of your employees’ personal information).

The Solution | First, CIOs need to acknowledge that there might be passwords.doc files on their networks, find them and destroy them. Then, via e-mail or a company-wide meeting, they need to explain to users why keeping a file like this on the network is a really, really bad idea.

Ever Heard of “bcc:”?

The Hole | On June 13, 2005, the University of Kansas Office of Student Financial Aid sent out an e-mail to 119 students, informing them that their failing grades put them at risk of losing their financial aid. The e-mail included all 119 students’ names within the e-mail address list.

The Problem | Besides embarrassing their students, U. Kansas administrators may have violated the Department of Education’s Family Educational Rights and Privacy Act, which protects the privacy of students’ grades and financial situations.

The Solution | First, companies need a policy that explicitly states what can and cannot be sent out via e-mail or IM. “A lot of companies don’t have good acceptable-use policies for e-mail,” says Michael Osterman, founder of Osterman Research. He suggests that they map out how employees should handle confidential information, offer them training and have them sign a one-page document stating that they have taken the course and understand what to do. University of Kansas officials say they have “undertaken internal measures—such as reviewing e-mail and privacy policies, and training staff—to ensure it does not happen again.”

Osterman also suggests that CIOs add an outbound scanning system to the existing e-mail system that looks for sensitive content in e-mails (such as 16-digit numbers, which could be credit card numbers). He says these systems are inexpensive and are offered by scores of messaging vendors; some vendors will even do a complimentary scan of a company’s messages to see how bad it might be. One vendor that he’s familiar with started scanning a new customer’s network and found 10 violations in 10 minutes.
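The outbound check Osterman describes, as an added example that is not from the article or from any vendor's product: it looks for 16-digit numbers in the subject and in every decoded text part of a message. The Luhn checksum step and the hold/review/pass verdicts are assumptions that go beyond the article's 16-digit rule, and the addresses and messages are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# 16 digits, either unbroken or in groups of four joined by one consistent
# separator (space or hyphen); longer digit runs are not matched.
CANDIDATE = re.compile(r"(?<![\d-])\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """One finding per 16-digit candidate; the full number is never echoed."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        findings.append({"masked": "*" * 12 + digits[-4:],
                         "luhn": luhn_valid(digits)})
    return findings


def scan_message(raw: str) -> dict:
    """Scan the subject and every decoded text part of an outbound message."""
    msg = message_from_string(raw, policy=policy.default)
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64 / quoted-printable transfer encoding,
            # which a pattern match over the raw message would miss.
            texts.append(part.get_content())
    findings = [f for t in texts for f in scan_text(t)]
    if any(f["luhn"] for f in findings):
        verdict = "hold"      # checksum-valid: very likely a card number
    elif findings:
        verdict = "review"    # 16 digits that fail Luhn: order id, reference
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


def build_sample(subject: str, body: str, cte: str = "7bit") -> str:
    """Build a constructed test message (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "customer@example.net"
    m["Subject"] = subject
    m.set_content(body, cte=cte)
    return m.as_string()


# Constructed samples; 4111 1111 1111 1111 is a widely published test number.
SAMPLES = {
    "plain_card": build_sample("Your receipt",
                               "Card on file: 4111-1111-1111-1111\n"),
    "base64_card": build_sample("Payment details",
                                "Please charge 4111 1111 1111 1111 today.\n",
                                cte="base64"),
    "order_ref": build_sample("Shipping update",
                              "Order reference 1234 5678 9012 3456 has shipped.\n"),
    "clean": build_sample("Lunch on Friday", "See you at 12:30.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_message(raw))
```

Binary attachments (documents, archives, images) are not inspected here; only the subject and text parts are.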

No One Noticed? Really?

The Hole | Orazio Lembo, of Hackensack, N.J., made millions by purchasing account information from eight bank employees who worked at several financial institutions, including Bank of America, Commerce Bank, PNC, Wachovia and others. Lembo paid Rs 450 ($10) for each pilfered account. Most of the felonious employees were high-level, but two bank tellers were also arrested. Lembo had approximately 676,000 accounts in his database, according to Capt. Frank Lomia of the Hackensack Police Department, an official investigating Lembo.

The Problem | Capt. Lomia says that many of Lembo’s contacts usually accessed and sold 100 to 200 accounts a week—but one managed to access 500 in one week. “What surprised me is that someone could look at 500 accounts and have no one notice,” he says.

The Solution | CIOs, with the help of the HR, security and audit functions, need to institute a clearly defined policy on who has access to what information, how they can access it and how often. After all, with HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley looking over CIOs’ shoulders, compliance and controls have to be on the top of the to-do list. “Through all the phases of information creation to maintenance and storage and destruction,” asks PwC’s Lobel, “do you have that data classification and lifecycle process, and do people know what it is?” Lobel says many of his clients have compliance controls, but employees either don’t know such controls exist or aren’t clear where they apply. “User education is not easy, but it is worth the effort,” he says.
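One way to make the “how often” part of such a policy observable, as an added example that is not from the article: count the distinct accounts each employee views per week and flag anyone far above peers in the same role. The log format, the role names, the thresholds and the generated log are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed audit-log format (hypothetical), one account view per line:
#   2005-03-07T10:00:00 emp=E1001 role=teller action=VIEW acct=A10010000
LINE = re.compile(
    r"^(?P<ts>\S+) emp=(?P<emp>\S+) role=(?P<role>\S+) "
    r"action=VIEW acct=(?P<acct>\S+)$")


def weekly_distinct(lines):
    """Distinct accounts viewed per (ISO year, ISO week, role, employee)."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                  # malformed or non-VIEW lines are skipped
        year, week, _ = datetime.fromisoformat(m["ts"]).isocalendar()
        seen[(year, week, m["role"], m["emp"])].add(m["acct"])
    return {key: len(accts) for key, accts in seen.items()}


def flag_outliers(counts, k=5.0, floor=50):
    """Flag employees above median + k * MAD of their role for that week.

    k and floor are assumed tuning values; floor stops tiny peer groups with
    near-identical counts from producing alerts on trivial differences.
    """
    groups = defaultdict(dict)
    for (year, week, role, emp), n in counts.items():
        groups[(year, week, role)][emp] = n
    alerts = []
    for (year, week, role), per_emp in groups.items():
        med = median(per_emp.values())
        mad = median(abs(n - med) for n in per_emp.values())
        limit = max(floor, med + k * max(mad, 1))
        for emp, n in sorted(per_emp.items()):
            if n > limit:
                alerts.append({"emp": emp, "role": role, "week": (year, week),
                               "distinct_accounts": n, "limit": limit})
    return alerts


def constructed_log():
    """Generate a constructed one-week log (Mon 7 to Fri 11 March 2005)."""
    volumes = {                       # employee -> (role, distinct accounts)
        "E1001": ("teller", 38), "E1002": ("teller", 45),
        "E1003": ("teller", 41), "E1004": ("teller", 52),
        "E1005": ("teller", 500),     # the employee nobody noticed
        "B2001": ("backoffice", 300), "B2002": ("backoffice", 320),
        "B2003": ("backoffice", 310),
    }
    lines = ["corrupted line without fields"]
    for emp, (role, n) in volumes.items():
        for i in range(n):
            lines.append(f"2005-03-{7 + i % 5:02d}T10:{i % 60:02d}:00 "
                         f"emp={emp} role={role} action=VIEW "
                         f"acct=A{emp[1:]}{i:04d}")
        # A repeat view of an already-seen account must not inflate the count.
        lines.append(f"2005-03-08T11:00:00 emp={emp} role={role} "
                     f"action=VIEW acct=A{emp[1:]}0000")
    return lines


if __name__ == "__main__":
    for alert in flag_outliers(weekly_distinct(constructed_log())):
        print(alert)
```

Grouping by role matters: the back-office staff in the constructed log each view about 300 accounts a week without being flagged, while the same figure for a teller would stand out.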


ChoicePoint’s Bad Choice

The Hole | Criminals posing as small-business owners accessed the information—names, addresses and Social Security numbers—of 145,000 ChoicePoint customers.

The Problem | Call it what you will—fraud, ‘social engineering,’ the Kevin Mitnick effect—this was one really glaring example of how these kinds of attacks are plaguing companies. Lobel says commercial enterprises could improve when it comes to training users about social engineering—hackers targeting well-meaning users over the phone or Internet to obtain private information such as passwords. “We’re always going to find somebody who doesn’t know what they shouldn’t be doing,” he says.

The Solution | CIOs should make sure that both users and customers are adequately trained in how to recognize and respond to phishing and other related attacks—especially before they go out and hire a company such as PwC to audit their user base. “[CIOs] should spend their money on a [training] program rather than on testing,” Lobel says. ChoicePoint claims that it has strengthened its customer-credentialing procedures and is re-credentialing broad segments of its customer base, including its small-business customers.

Loose Laptops

The Hole | On April 5, MCI said that an MCI financial analyst’s laptop had been stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees.

The Problem | In many recent cases involving laptops, the computer’s security was handled by a Windows log-on password. “It’s getting easier for even the more casual criminal to find out how to break into the laptop,” says Forrester’s Friedlander. “There’s more awareness that the information is valuable.” Plus, the data in many of these recent incidents wasn’t encrypted. (MCI won’t say whether the stolen laptop was encrypted, just that it had password protection). According to Friedlander, encryption adoption is much lower than firewall adoption because encryption historically has had performance issues (it slows the computer down) as well as usability issues (users are often confused about how to encrypt the right data). In a recent Forrester survey, 38 percent of respondents said they have no plans to deploy encryption tools. Ouch.

The Solution | CIOs need to do some classic risk management, says Friedlander, and ask themselves: What is the information on the system that I care about the most? Who’s connected to a network where I might be exposed? And then they should create or revise their security policies based on that assessment. For example, if a laptop has customer information on it that would kill the company if it got into a competitor’s hands, then the CIO should ensure that encryption was turned on. Users need to understand “why these policies and technologies are in place that may seem inconvenient, but why they do matter,” says Friedlander. “If they realize the implications, most people will want to act.” If the information on another laptop is less critical, then more basic security measures, such as strong passwords, can be used, he says.

Tales of the Tapes

The Hole | Let’s not forget the good ole data tape—in particular, CitiFinancial’s now-infamous UPS shipment of unencrypted computer tapes that were lost in transit to a credit bureau. A whopping 3.9 million CitiFinancial customers’ data was on those tapes, including their names, Social Security numbers, account numbers and payment histories.

The Problem | CitiFinancial has stated it “[has] no reason to believe that this information has been used inappropriately.” But on the other hand, there’s no reason to believe that it won’t be.

There are companies that specialize in handling data tapes, Iron Mountain for one. But even Iron Mountain is not impervious to security snafus. In May, Time Warner announced that Iron Mountain had lost 40 backup tapes that had the names and Social Security numbers for 600,000 of its current and former US-based employees and for some of their dependents and beneficiaries. Iron Mountain says it has recently suffered three other ‘events of human error’ that resulted in the loss of customers’ backup tapes—and these are the guys who supposedly are all about security and nothing else.

The Solution | In July, Citigroup said it will start shipping customer information via direct, encrypted electronic transmissions. Though “you can squeeze a lot more data into a truck than you can over the wire,” Couture of Gartner Research says, “[sending data electronically] could be cost-effective for smaller companies with small amounts of data.” Citigroup’s new shipping method will also take much of the people part out of the equation. “Any time you have to touch that tape and add a human element in the process, there’s the potential [for] incompetence, malfeasance, and pure and simple stupidity,” Couture says.

How Much for a BlackBerry?

The Hole | This tale has been told so often that it is teetering on the brink of urban legend status: Back in 2003, a former Morgan Stanley executive, apparently with no more use for his BlackBerry, sold the device on eBay for a whopping Rs 697.5 ($15.50).

The Problem | The surprised buyer soon found out that the BlackBerry still contained hundreds of confidential Morgan Stanley e-mails, according to a Forrester report.

The Solution | First, users with handhelds, laptops and other devices need to be made to understand what’s really at stake. “It’s not the laptops that are the issue; it’s what’s on them,” says Forrester’s Friedlander. Second, CIOs need to institute a repeatable and enforceable policy for device and access management—even for high-powered executives. When someone leaves the company, he should have to turn in all of his corporate-issued devices, and IS should lock him out of all applications to which he had access. “If you have 1,000 users, there should be 1,000 accounts,” says the CISO of a large Midwestern financial services company. “So why are there 1,400? Because people who have left still have authority to log in.” According to the Forrester report, Morgan Stanley did have a policy that stated that mobile devices should be returned to IS for ‘data cleansing,’ but this exec must have slipped through the front door.

Another huge problem is those longtime employees who move around the company and retain access to data associated with their previous jobs even though it’s unrelated to their new position, says Jeffrey Margolies, lead for Accenture’s security services and identity management practice. “They accumulate access over time, and they are an audit nightmare.”

A solution is to set up one place (whether it’s a website or paper form) where employees can request access to applications, Margolies says. CIOs need a policy that states who has access to what systems and why, with IT, HR and security getting to make the decisions. “Over the last 10 years, we have built hundreds of applications, and every single application has its own way of [determining] access and managing that access,” he says. “But just [giving people] one place to go and [saying] just fill out this form—even if it’s paper—the level of confusion is reduced.”
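The two account problems above (leavers who can still log in, and movers who keep access from earlier jobs) can both be surfaced by reconciling an HR export against an account export. This is an added example, not from the article; the CSV layouts, role names, application names and all records are constructed assumptions.

```python
import csv
import io

# Constructed HR export: employee 1002 recently moved from branch_ops to treasury.
HR_CSV = """emp_id,status,current_role
1001,active,branch_ops
1002,active,treasury
1003,terminated,branch_ops
"""

# Constructed account export; apps are separated by semicolons.
ACCOUNTS_CSV = """account,emp_id,enabled,apps
u1001,1001,yes,teller_app;crm
u1002,1002,yes,treasury_desk;teller_app;crm
u1003,1003,yes,teller_app
u1003-adm,1003,no,teller_app
tmp07,,yes,crm
"""

# Assumed policy: which applications each role is entitled to.
ROLE_APPS = {
    "branch_ops": {"teller_app", "crm"},
    "treasury": {"treasury_desk", "crm"},
}


def reconcile(hr_csv, accounts_csv, role_apps):
    """Compare enabled accounts with the HR roster and the role policy."""
    hr = {row["emp_id"].strip(): row
          for row in csv.DictReader(io.StringIO(hr_csv))}
    report = {
        "active_employees": sum(1 for r in hr.values()
                                if r["status"] == "active"),
        "enabled_accounts": 0,
        "leaver_still_enabled": [],   # owner has left, account still works
        "no_owner": [],               # no HR record explains this account
        "excess_access": {},          # account -> apps outside current role
    }
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "yes":
            continue
        report["enabled_accounts"] += 1
        owner = hr.get(acct["emp_id"].strip())
        if owner is None:
            report["no_owner"].append(acct["account"])
        elif owner["status"] != "active":
            report["leaver_still_enabled"].append(acct["account"])
        else:
            apps = {a for a in acct["apps"].split(";") if a}
            extra = apps - role_apps.get(owner["current_role"], set())
            if extra:
                report["excess_access"][acct["account"]] = sorted(extra)
    return report


if __name__ == "__main__":
    for key, value in reconcile(HR_CSV, ACCOUNTS_CSV, ROLE_APPS).items():
        print(f"{key}: {value}")
```

On the constructed data, four enabled accounts against two active employees is the small-scale version of the 1,400-versus-1,000 gap the CISO describes.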

IM Not OK

The Hole | One of your top sales guys is a huge believer in instant messaging. In fact, he’s been using a consumer-grade IM client (probably AOL Instant Messenger) to communicate with his customers for years. And this hypothetical salesman’s IM name fits his personality perfectly: Big Bad Texan.

The Problem | There are three, says Osterman of Osterman Research. First, security: A consumer-grade IM client used on a corporate system will bypass all antivirus and spam software. Second, compliance: Consumer-grade IM clients don’t have auditing and logging capabilities for regulatory compliance. And third, name-space control: If Big Bad Texan takes a job at your competitor, rest assured he’s taking his IM name—and your key customers—with him. “There’s no clue to the outside world that he left,” Osterman says.

The Solution | The first step is for CIOs to admit to themselves that consumer-grade IM could be running rampant in their organizations. Osterman estimates that 30 percent of all e-mail users are instant messaging these days. Like e-mail, CIOs need to develop an acceptable-use policy and make sure everyone understands it. Then CIOs have two options: Allow consumer-grade IM to remain in place and deploy a system that will provide any number of security functions, such as blocking file transfers or mapping IM screen names to corporate identities, says Osterman. Alternatively, CIOs can replace consumer-grade IM tools with an enterprise-grade system. “This can be a more expensive and disruptive option, but it’s one that many organizations are choosing,” Osterman says.

Unwired and Unsafe Workers

The Hole | The CISO (chief information security officer) of the Midwestern financial services company shares this nightmare: An executive decides she wants to put a wireless access point in her house so she can work at home from anywhere in her house. Her son gets her up and running. She wirelessly logs into the network, and she uses the default password for the connection that came straight out of the box.

The Problem | “Go to every single hacker site, and you can find every default password and user ID [for wireless routers],” says the CISO. “Home PCs are one of the greatest vulnerabilities.” And once this executive authenticates, others can see how she did it, “then people are in,” the CISO says.

The Solution | Back to the basics with this one. CIOs need to make sure all employees who work from home know that they have to change all the default settings, and they can’t forget about firewall, VPN, antivirus patching and authentication tools. That all takes an omnipresent security education program, but to this CISO, it’s the cost of doing business today. “The struggle with security education is getting it so it becomes like breathing,” the CISO says. “Users have to become smarter about how they do things.”

40 Million ‘Served’

The Hole | In June, MasterCard announced that CardSystems Solutions, a third-party processor of credit card transactions for MasterCard, Visa, American Express and Discover, allowed an unauthorized individual to infiltrate its network and access cardholder data.

The Problem | Up to 40 million cardholders’ information could have been exposed. It turns out CardSystems had violated its agreement with the credit card companies: It was not allowed to store cardholders’ account information on its systems, and yet it did just that.

The Solution | If a company has an agreement not to store another company’s data on its systems, it shouldn’t. And if for some strange reason it becomes necessary, the company had better ensure that it has the necessary controls. “All of those cases of breaches speak to the need for a good, old-fashioned defense in depth, with multiple layers of control,” says PwC’s Lobel. For example, he says, instead of just having a firewall, companies should have multiple layers of controls on their network. Or rather than just using SSL, companies need to use authentication too. “You get into the security versus ease-of-use trade-off and cost,” he says. “That’s the decision that businesses have to make with their eyes wide open.”

In the end, how a company views security and protects its customers’ and employees’ data will have a direct correlation to its longevity. In the case of CardSystems, in July both Visa and American Express said they no longer wanted to do business with the company. CIO

Editorial Intern C.G. Lynch also contributed to this report. Send feedback on this column to [email protected]

INSTANT LEASING

Today, we live in an ‘instant’ age—instant money transfers and instant messaging. But, in many parts of the world, if you’re a business owner who wants to set up a factory or pick up office space, you can forget the instant experience. Unless, of course, you are in Singapore and have access to the eCREAM system.

eCREAM (which stands for Customer, Real Estate And Marketing) is a state-of-the-art system that JTC (formerly Jurong Town Council)—a government agency that provides tenancy and lease management services to more than 7,000 companies in Singapore—uses to manage its online activities. Thanks to eCREAM, JTC has cut down the process time to lease land from 14 days under the manual system to an instant approval. And that’s not all—customers now only have to answer 13 questions online, a far cry from the days of a ten-page paper form. Sweet.

Like all good e-governance projects, eCREAM started not with technology, but with people. JTC wanted to re-invent itself into a customer-centric organization, which, in a government setup, requires shedding layers of bureaucracy. It also needed a robust IT infrastructure, one built on a tough framework, which would leverage a set of databases and infrastructure components. In the words of Yap Chee Yuen, Group CIO and CKO, JTC, “The corporation is committed to helping customers stay competitive, to be responsive to their needs and to be creative in continually providing solutions that exceed customer expectations.”

E-governance projects, people-oriented as they are, make buy-in very critical. The responsibility of selling eCREAM fell squarely on JTC’s lap. Tan Soo Cheow, Deputy Director, JTC, says, “Buy-in was secured via road shows that exhibited an exciting, relevant prototype and demonstrated the usefulness of the system.”

Conviction, however, cannot be built in a day. Persuading stakeholders was going to require a mindset change, so senior management was brought into the loop and was closely involved in the implementation process. To ensure that everything fell into place and worked with homogenous coherence, JTC also hired from the top drawer. They asked consultants Arthur D. Little to run a complete Business Process Re-engineering (BPR) exercise. Workflows were scrutinized and efficiency bottlenecks flagged. Value-chains were also studied to determine the best way JTC could make things easier for its clients.

IMAGING BINESH SREEDHARAN

e-governance

The judicious use of technology has helped Singapore’s JTC (Jurong Town Council) improve transparency, increase user convenience, and reduce the time it takes to process a request for rented space from 14 days to almost zero.

Reader ROI:

Why embedding people in a project is a smart way of side-stepping implementation problems

How to combine functionality with ease-of-use

What to watch out for when employing vendors in an e-governance project

By Balaji Narasimhan


Once their strategy was set, JTC moved to issues on the ground. Questions of whether to use Microsoft .NET or Sun’s J2EE and whether they should use customized development or settle for existing packages were tabled. To answer these questions, JTC hired Accenture for business and technical expertise, and Avanade for technical implementation. It was agreed that JTC would build on Microsoft .NET architecture, and rely on Microsoft for the OS and the database. The workflow would be managed with Tibco, while CA’s Aion business rules package was to be deployed as part of the three-tiered, clustered Web architecture. Surrounding these deployments was one key criterion: Data integrity, accuracy and security needed to be by design and not by chance.

When all the pieces had fallen into place, JTC moved into implementation. The company took a four-phased approach to ensure manageability, and also because this enabled them to chart a course that gave their employees several morale-boosting milestones. Despite planning ahead, JTC was forced to contend with issues like managing vendor commitment. The final issue was getting knowledge transferred from the external suppliers and vendors. Fortunately, three JTC employees had been committed to work with the vendors from the project’s start and the transfer was handled with ease.

Deploying its manpower intelligently was one of JTC’s strengths, one which ensured a smooth rollout. This sensitivity was reflected in the way they communicated job security to their people. An important issue with any computerization effort is that employees get the feeling that a computer is replacing them. JTC was committed to redeploying manpower saved by the eCREAM project to perform other duties. In one stroke JTC removed employee fears of being sacked and secured buy-in. This helped JTC employees embrace the project wholeheartedly. JTC, which has a staff strength of around 820, has witnessed an attrition rate of a mere five percent.

It’s no wonder fewer employees wanted to leave. Information sharing and processing became simpler with the elimination of manual processes, and this improved operational efficiency, boosting staff morale. JTC had won over its staff and eCREAM pressed that advantage by proving to be a great tool.

The Indian Angle

From its slow start, India is catching up with the likes of Singapore in the race to increase efficiency in land-leasing processes. One government entity that is taking steps to speed up land leasing is the Maharashtra Industrial Development Corporation (MIDC), India’s largest industrial infrastructure and water supply provider. According to Sanjay Khandare, Joint CEO (IT), MIDC, once a project’s requirements have been submitted and the land premium cost has been paid, land possession can be given in seven days. The land-lease process could take another 7 days.

While MIDC doesn’t have an online leasing system in place right now, they are working on it. Currently, entrepreneurs who want to lease land from MIDC have to fill up a two-page form containing 12 questions.

Gujarat Industrial Development Corporation (GIDC) isn’t online either, but many of the application forms are available online.

One government entity that has made greater progress than MIDC and GIDC is Delhi State Industrial Development Corporation (DSIDC), which has a variety of forms online. DSIDC’s advantage over other government offices is that it has online registration forms for small scale industries, societies and partnerships. It also gives companies reference numbers to track the status of their applications.

— B. N.

“To ensure minimal disruption to our customers when we rolled out the project, we set a very tight timeline for ourselves and our vendors.” – Yap Chee Yuen, Group CIO and CKO, JTC

eCREAM’s benefits to JTC’s external customers were also so immense that they adopted it with gusto. “Our customers have been receptive to trying out our e-applications. On our end, we smoothened the change by going onsite to teach our customers the use of online applications, by setting up self-help kiosks at our counter, and by providing publicity booths during our customer events,” says Yap.

Another advantage to eCREAM is centralization. Earlier, JTC had four zonal offices to handle all the manual work, but thanks to the new system, all these activities have been moved back to the head office. This is one reason why the system, which cost Rs 12.2 crore (S$4.5 million), managed to deliver savings of Rs 10.3 crore (S$3.8 million) within the first year.

eCREAM didn’t only save money, it also brought more in. In 2005, JTC allocated 332,600 sqm (gross) of ready-built factories as opposed to 262,100 sqm in 2004, a clear 26 percent jump. It also delivered in other areas. In 2005, JTC allocated 199,600 hectares of prepared industrial land, compared to 117,900 hectares in 2004. Apart from translating to a 69 percent leap, this figure is important because it marks the highest net allocation for prepared industrial land over a 10-year period between 1995-2005.

But customer benefits are not measured merely in figures. eCREAM—and Krypton, its public interface—ensured that customer-service levels saw a marked rise. Ease-of-use was backed by solid savings as costs per transaction came down. Eliminating the cost of processing paper meant administrative fees could be slashed from Rs 13,600 (S$500) for hardcopy applications to Rs 5,400 (S$200).

Getting feedback is the lifeblood of a system like eCREAM. JTC set up a corporate data warehouse called OASIS, which it stacked with customer queries, complaints and suggestions. Using OASIS to drive customer strategy ensured that technology did not alienate the customer. As Yap puts it, “JTC officers must be able to retrieve key information at the click of a mouse so that they can enhance their customer-response time.”

The results of this effort are beginning to show. Tan says, “Customer feedback shows that eCREAM affords them convenience and that its online applications are easy to use. Some have even commended us, saying that this is what every corporation should strive for.”

Customers also benefited because eCREAM enabled them to find the right facilities, which is possibly one of the reasons why gross allocations increased dramatically.

eCREAM has also enhanced system integrity, including accuracy, security and traceability. Speed and timeliness of information have been bettered, along with ease-of-use. Thanks to eCREAM and other initiatives, JTC has won the Singapore Quality Class award and Singapore’s National Infocomm Award in 2004 for the ‘Most innovative use of infocomm technology.’

JTC isn’t resting on its laurels. It is moving ahead at full steam with new ideas for eCREAM. On the anvil are plans to integrate a module to track leads and opportunities, apart from facilitating the litigation process. Krypton is also being enhanced with a flexi-pay e-payment module. Simultaneously, JTC is busy integrating Titanium, its portal for partners’ access, with eCREAM. The company is also working on incorporating 3G wireless access into eCREAM so that employees can use their PDAs to query the system. Meanwhile, the original system is being constantly upgraded to meet newer corporate objectives.

But, all said and done, the chief success of eCREAM can perhaps be traced to one important fact—eCREAM was envisaged as a module to ensure better customer satisfaction, and this focus has been retained two years after the application was first rolled out.

Here’s a lesson all e-government initiatives can benefit from—start with the customer, and end with them. CIO

Special Correspondent Balaji Narasimhan can be reached at [email protected]

Measurable Benefits

Item | 2004 | 2005 | %
Ready Built Facilities | 98,300 sqm | 180,400 sqm | 83%
Business Park Space | 102,400 sqm | 226,400 sqm | 121%
Specialized Parks | 45.1 ha | 101.3 ha | 125%
Prepared Industrial Land | 68.9 ha | 174.1 ha | 152%

Innovate to Sustain

By Rahul Neel Mani

Sanjeev Gupta, Secretary IT, Himachal Pradesh, finds himself on rocky ground. He’s got the funds to take e-governance to the state’s most remote valleys, but he’s short on users, making project ROI hard. A cold breeze blows on him: How is he to make essential but non-earning citizen projects financially viable in the long-run, given Himachal’s small population?

CIO: Himachal Pradesh has the unique problem of creating mass services for relatively few citizens. How do you ensure ROI and the continued viability of e-governance projects?

Sanjeev Gupta: Himachal Pradesh is one of the few Indian states where community service centers (CSC) have percolated down to the tehsil (administrative sub-division) level. So, e-governance initiatives have already met success here.

The challenge that we face is the sustained viability of future projects, given that the state only has a population of 65 lakh and low per capita income.

But even now, services are available and there are many people using them. Out of 110 tehsils, 58 offer to register land records online. Our land record software has a pedigree table, which tracks a family’s history with ownership rights. We have both village and irrigation census register modules. New Jamabandis (entries in a register of tenants) are created virtually every day, every minute.

Thirty-one centers at the sub-divisional level have generated Rs 2.5 crore in just a year. I think this is a phenomenal success given our small population.

During the days of the manual system, people were forced to wait for an eternity and bribe government officers for a license worth Rs 1,000. Citizens are much happier spending Rs 100 at the center where, at least, their work is done quickly. The flip-side is that people could ask us why the government should demand an additional fee to deliver services efficiently, when that’s our job in the first place.

In our defense, we have tried to keep user charges to a bare minimum—in order to encourage citizens to keep using the CSCs. The citizens’ faith in these services is bound to deepen—after all he’s getting updated information.

The challenge is in creating continued feasibility, not in creating credibility.

What else have you tried to sustain these projects?

The approach is important. In our case, the front-end is managed by private entrepreneurs who charge every transaction. The rest is taken care of by the government.

Soon, we’re going to have integrated CSCs in three districts. The government will put up the capital and provide basic infrastructure, but the recurring costs need to be borne by a private partner. The government will determine the cost of a service and the private partner will take home a fixed share. But, honestly, I am wary of the nation’s plans of sustaining 100,000 CSCs when we’re struggling with the current state of affairs. Some of the tehsils reflect a meager five property registrations a day. Numbers like that make me worry about the viability of these projects. How will we cope when we open more centers?

The challenge is in creating continued feasibility, not in creating credibility, says Sanjeev Gupta, Secretary IT, Himachal Pradesh, focusing on the state’s unique problem.

PHOTO BY SRIVATSA SHANDILYA

Since the small population is a given parameter, how do you see the way ahead?

We have already raised this issue with Union Government, and they have agreed to share the burden of this project with us. The government has agreed to provide us with a cross-subsidy. That’s how we plan to get past this problem for now. Without this support, it will be difficult to sustain these massive e-governance projects.

How have you reached the more inaccessible tehsils?

Few people are aware that Himachal Pradesh, despite its difficult terrain, has deep optical-fiber penetration. The state has 24,000 km of roads (out of which 13,000 km is metalled) of which 8,500 km has optical fiber laid into it. When we ran an analysis for a State-Wide-Area-Network (SWAN), we discovered that out of 131 Points of Presence (POPs), 101 have fiber connectivity. The other locations will be connected via microwave. We’re in a good position compared to other states that plan to lay optical fiber only now and are going to have to pay for it. Infrastructure is already a non-issue here, it’s the number of people using the services that we are short of. Strangely, it’s one state where low population has become a hindrance to progress.

In view of the difficult terrain, what innovations have you introduced during project implementation?

As elsewhere, our SWAN was completed on a PPP (Public-Private-Partnership) model. But our model differs slightly from the BOOT (Build-Own-Operate-Transfer). This model demands private players to invest their money and recover it through user charges, which can be an unreliable source of income. So, in some cases, warranty costs reach inordinately high levels as private partners inflate their prices to ensure they recover their any which way. We found that Supply-Operate-Manage (SOM) was a better alternative. What works for us is that since goods are procured with a certain level of warranty, operational expenses are reduced considerably.

Our specific needs demand that we resort to wireless solutions at many locations, which means that we need to watch our warranty costs. In any case, I advocate that SWAN implementation should not be vendor-driven. I’ve had a vendor ask me for individual leased lines for 25 horizontal offices that each POP connects. At Rs 60,000 per pair of modems, that’s a good deal the vendor has cornered. A vendor shouldn’t dictate how many leased lines I need to buy. So I toyed with the idea of an E3 or STM switch which can replace a number of modems. There’s no point in stacking that many modems, it only adds complexity.

Now, my total bandwidth charges for horizontal connectivity down to the tehsil level is Rs 40 lakh. Beyond tehsil to exchange to the POPs the cost is nearly Rs 10 crore. In my view, instead of using the leased line modem, we can physically terminate the optical fiber into the LAN switch of that office. This reduces our spend to a few thousands from millions. We have to think unconventionally and be very careful while spending taxpayer money. If not spent carefully, generations hence will curse us.

Did other projects share this approach?

Our land records system has. No other state’s system has come close to the functionality that the software developed by NIC Himachal Pradesh has achieved.

As I’ve described, every land owner in the state has a unique code assigned to him. This replaces all the various documents that a citizen would have to carry to register land. And there are plenty: Land records, Himachal Pradesh citizenship, a caste certificate, if he or she is an agriculturalist then a certificate stating so, for instance.

We created a database, which is updated every time a registration takes place. The codification process has minimized a number of workflows. Citizens no longer have to go to a Patwari (an officer of the revenue department) just to know the value of a piece of land.

We’ve also started something rudimentary but innovative to improve tax collection. There was a need to network and computerize inter-state barriers to evaluate the value of cargo each truck carried. There have been cases of people declaring that the goods they were transporting to New Delhi were worth as little as Rs 20,000. The fact is that freight from Delhi to Shimla costs between Rs 5,000-8,000. Only someone with no financial sense would pay that much to ship goods worth Rs 20,000.

But at that time we didn’t have a Wide Area Network so we decided to place dial-in modems at the barriers to trap trucks declaring suspiciously low amounts.

We started with the Parwanoo barrier. We were not surprised to find that in many cases goods were undervalued up to five times. This has also kept excise and taxation inspectors on their toes because they know someone is watching. The result is a 20 to 25 percent growth in revenue.

The Reference Monitoring System (Refnet) is another unique project, which is also a personal favorite. Refnet monitors the journey of a file in a government office—online. The document is computerized at the beginning of its journey and is called a Paper under Consideration (PUC). The PUC is tracked throughout its lifecycle and this injects transparency into the system. Officials who have a tendency to hold on to files are pulled up.

Himachal has also implemented a tele-medicine project, hasn’t it?

The project is a C-DAC and Himachal government initiative funded by the department of IT.

It brings medical expertise available in larger cities to the more remote areas of Simla, Chamba and Kinnaur. The project will have dual benefits. Doctors will soon have access to the services of world-class hospitals like PGI in Chandigarh or AIIMS in Delhi. The project will also facilitate online diagnosis from remote locations.

Once we have finished with these three districts, we will replicate the project at 20 other locations over the next three months. We will use ISDN connections where optical fiber is not available. It is one of the most ambitious and beneficial projects we have undertaken so far. Its benefits to citizens who don’t have access to hospitals are incalculable.

Finally, what are your plans for the current fiscal?

Our biggest project, the Hospital Information Management System (HMIS), will kick off. We are starting it with the Indira Gandhi Medical College and will soon take it to hospitals across the state.

SWAN, too, is on high priority and we are determined to finish it by the year end. We also need to set up about 530 CSCs and populate them with data.

Apart from this, we already have almost all senior secondary schools computerized. The challenge we are up against is acquiring software. I am making it a priority to get software packages from the Azim Premji Foundation and distribute them to the schools. We will also impart multimedia education and computer-aided learning to empower people. CIO

Bureau Head North Rahul Neel Mani can be reached at [email protected]

SNAPSHOT

Population: 65 lakh

Total Points of Presence: 131

Optical Fiber: 8,500 km

Points of Presence with Optical Fiber: 101

Projects Under Implementation: SWAN, Hospital Management Information System, Integrated Community Service Centers, tele-medicine

New Tech, New Anxieties

By Christopher Lindquist

SECURITY | Internal data theft. The problem was bad enough 10 years ago, when remote connections to your office were limited by modem speeds, and the most anyone was going to take was a couple of floppies or a briefcase-load of printouts. It could be damaging, sure, but it was mostly petty theft—the equivalent of a stolen lipstick dropped in a handbag.

But the same modern technologies that have made your users’ lives more convenient and entertaining—USB thumb drives, portable media players, DVD burners, peer-to-peer file-sharing tools—have also created a situation where something no bigger than a lipstick might just contain gigabytes of your corporate data.

Worse, such tools can make data thieves out of even well-intentioned users with goals no more insidious than getting out of the office early enough to pick up their kids from school. Where these unwitting burglars once might have tried to sneak a single file onto a floppy to work on later at home, now it can be just as easy to download an entire directory to a thumb drive or to open an assortment of files to remote synchronization using an inexpensive online service such as BeInSync.com.

Unfortunately, traditional security tools are often completely ineffective against these new threats. And locking down USB ports with Windows Group Policy or by tweaking PC BIOS settings is kludgy at best—if not downright unmanageable for large, dispersed corporations.

The tools that are making your users’ lives easier—USB thumb drives, DVD burners, peer-to-peer file-sharing tools—are making your lives harder. Here’s how to ease the strain.

Essential Technology | From Inception to Implementation — I.T. That Matters

Illustration by Unnikrishnan AV

A recent CIO-conducted poll of more than 200 IT professionals showed that 62 percent were at least very worried about the loss of critical data via USB drives and other portable devices—outpacing concern over e-mail by 12 percent.

It’s easy to understand the fear. Every day new devices and services appear, forcing IT managers to play a never-ending game of catch-up.

So what are you going to do? Here’s an escalating plan for securing your company’s data.

TAKE A STAND

There is no magic bullet for the problems these latest threats present to your data. Policies, procedures and technology must work together to create a proper balance of security and convenience. “I think these measures—technical or otherwise—need to be part of a healthy balanced diet,” says Andrew Jaquith, senior analyst for security solutions and services at Yankee Group. “The pendulum can’t swing so far that you’re hampering productivity.”

Jaquith gives the example of a financial services firm he knows that went so far as to actually solder shut the USB ports on a number of its workstations in order to safeguard critical financial information.

Instead, a good place to start is with simple, well-defined and well-distributed policies regarding the use of removable mass storage devices, service providers and peer-to-peer software. The goal is to guarantee that no one on your staff can truthfully say that they didn’t know they shouldn’t attach their MP3 player, PDA or other device to their PC, or that signing up for that remote access service wasn’t a serious mistake. Publicizing your policy should make people think twice about doing these things in the first place, and it also will provide a firmer footing for disciplinary action later on, should that become necessary.

Fabi Gower, IT director at medical staffing and recruitment company Martin, Fletcher, is a firm believer in policy. She oversees two days of IT orientation training during the 30-day training period for all new employees at the company, and she makes it crystal clear what is and what isn’t OK. And that policy is pretty simple: If the company didn’t give it to you, it’s not allowed.

John Loyd, director of information technology for engineering consultant Patton, Harris, Rust and Associates (PHR&A), also makes sure that company policies—no webmail, no webpages unrelated to the business during business hours, no software installed by anyone but IT—are made clear on the company intranet and to new employees during orientation.

But in an effort to bring security home for PHR&A users, Loyd’s department sends out regular e-mails concerning various security issues, pointing users to additional resources, and even giving advice on protecting their home PCs. And, he notes, the bulletins have a side benefit. “It makes our IT department look knowledgeable and competent.”

KEEP YOUR EYES OPEN

Having and communicating a security policy isn’t enough. Some kind of monitoring is the next step. But monitoring doesn’t mean buying new software. Eric Ahlm, VP of emerging technologies at security consultant Vigilar, says monitoring can be as simple as having IT personnel make a visual audit of what types of devices people are using, especially at smaller companies. “Just walk around the premises and see how widespread personal devices are,” Ahlm says.

Even if you do decide to invest in tools, you shouldn’t feel obligated to go for full lockdown from the get-go. Letting users know you’re monitoring is sufficient. “Monitor rather than block is the best policy,” says Yankee’s Jaquith, noting a personal experience with a former employer who didn’t block employee Web browsing, but who made it very clear that they were logging it—and that they would review those logs regularly. Even then, some employees wandered to sites that violated company policy. But, Jaquith says, “it only takes a couple publicized examples to get users to straighten up and fly right.”

BLOCK IF YOU MUST

If policy and monitoring don’t seem sufficient to address the threat, next come tools for restricting access. For Gower, the equation was simple: Martin, Fletcher’s value is contained in its database of job-seeking health-care professionals; anything that could expose that database to theft or loss would be unacceptable. Coming to the company six years ago, Gower quickly recognized that personal mass storage devices and other tools—including locally attached USB printers—could present a serious threat. So she began looking for a solution.

It wasn’t easy. After two years of examining Windows Group Policy hacks and PC BIOS settings and even mulling over the ‘epoxy the ports shut’ option, Gower finally found her solution with SecureWave’s Sanctuary Device Control, a remotely managed tool that shuts off USB and FireWire ports, disc drives of all types, Bluetooth connections and more. IT can then selectively activate devices as needed—even to the point of letting individual users have time-limited access to specific ports on an ad hoc basis. “We have a couple of VPs and maybe our COO who have USB printers,” Gower says. “I can allow each of these people USB printer access.”

PHR&A’s Loyd—also a SecureWave customer—notes that implementing the company’s product can take a few months (largely from building the whitelist of allowable activities and having to scan every executable file to determine which are permitted). But, he says, the result is a much safer, more controlled environment.

DON’T STOP THINKING ABOUT TOMORROW

Addressing current problems is also a good first step toward dealing with upcoming issues. For instance, recently released USB drives based on the U3 standard allow users not only to transfer data in a frighteningly efficient manner but also to carry USB-stored applications and desktop settings. A user simply pops a U3 drive into an available port, and the applications automatically install—regardless of whether the user has administrator privileges.

While the drive is installed, users can copy files, run U3-compatible applications (for a list of such apps, visit Software.U3.com) and take advantage of all their customized Windows settings, such as Web bookmarks. When they remove the drive, all traces of its presence vanish. But tools that can block USB ports (and sometimes other types of connections, such as FireWire and Bluetooth)—including SecureWave’s Device Control, SmartLine’s DeviceLock, Ardence’s Port Blocker, Reflex Magnetics’ DiskNet Pro, Safend’s Protector and myriad others—can prevent U3 and other device usage.

Unfortunately, no product provides a complete solution for the latest security problems. Port blockers can sometimes be defeated by using bootable CD or DVD-ROMs (or the latest geeky toy — bootable USB drives), giving dedicated attackers free access to local hard drives. Modifying and password-protecting the BIOS on every machine to support hard-drive-only booting solves that problem, but only at the price of tedious configuration processes—especially if you have thousands of machines with which to deal.

And there seems to be no all-encompassing solution coming down the road anytime soon to such end-user-induced threats. Attempts at enterprisewide digital rights management, for instance, are in their infancy. For his part, Yankee’s Jaquith says that they’re also in the world of fantasy. “I don’t think we’ll ever get to a place where we can track every piece of data we create,” he says. Instead, companies might want to take a cue from the open-source world and services such as photo-posting site Flickr, which allows users to apply simple tags to their photos, such as ‘San Francisco’ or ‘wedding,’ making it easy to locate and control access to various pictures. “That kind of semantic tagging is a lot flatter and simpler and easier to use,” he says. “That’s where we really need to be. Label it as product plans. Strategy. Pricing.” And then use those tags as keys to which you can attach security policies.

Jaquith also points to security vendor Verdasys as having an interesting alternative solution. Rather than blocking connections, Verdasys tools begin monitoring when something happens that’s worth watching, for instance when a spreadsheet is attached to an e-mail message. According to the company, the Verdasys software can simply log such events for later review. It can also block the attachment. But a third option provides the opportunity for some social engineering: the software can pop up a message window warning users about the hazards of attaching spreadsheets to e-mail, but still allow the user to do so if he types a reason into a text field explaining why he needs to do it.

“Just warning people is enough to get them to stop doing what they’re doing,” says Dan Geer, vice president and chief scientist at Verdasys and a widely acknowledged security expert. “Nine times out of ten, people are doing things against policy because they forget policy,” Geer says. And tools such as those from Verdasys act as very potent reminders.
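As an added illustration (not code from the article, Verdasys or any vendor named here), the sketch below combines the two ideas above: Jaquith’s tags used as keys for security policy, and the three responses described for the Verdasys tools (log, block, or warn and require a typed reason). The tag-to-action mapping, the function and field names, and the sample events are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

class Action(IntEnum):      # ordered so the strictest action compares highest
    LOG = 1                 # record the event for later review
    WARN = 2                # warn; proceed only if the user types a reason
    BLOCK = 3               # refuse the operation

# Tag names come from the article; which action each gets is an assumption.
POLICY = {"pricing": Action.BLOCK, "strategy": Action.WARN,
          "product plans": Action.WARN}
AUDIT_LOG: List[dict] = []  # every decision lands here, allowed or not

@dataclass
class Decision:
    allowed: bool
    action: Action
    tag: Optional[str]      # the tag that triggered the action, if any

def decide(user: str, filename: str, tags: List[str], channel: str,
           justification: str = "") -> Decision:
    """Apply the strictest policy among the file's tags and audit the result."""
    known = [t.strip().lower() for t in tags if t.strip().lower() in POLICY]
    tag = max(known, key=lambda t: POLICY[t], default=None)
    action = POLICY[tag] if tag else Action.LOG   # untagged data: log only
    reason = justification.strip()                # blank text is not a reason
    if action is Action.BLOCK:
        allowed = False
    elif action is Action.WARN:
        allowed = bool(reason)
    else:
        allowed = True
    AUDIT_LOG.append({"user": user, "file": filename, "channel": channel,
                      "tag": tag, "action": action.name,
                      "allowed": allowed, "reason": reason})
    return Decision(allowed, action, tag)

if __name__ == "__main__":
    # Constructed sample events, not taken from any real log.
    events = [
        ("joey", "q2-prices.xls", ["Pricing", "wedding"], "email", ""),
        ("joey", "roadmap.xls", ["strategy"], "email", "   "),
        ("joey", "roadmap.xls", ["strategy"], "email", "Customer asked for it"),
        ("joey", "party.jpg", ["wedding"], "usb", ""),
    ]
    for e in events:
        print(e[1], decide(*e))
```

Because every decision is written to the audit log, including the allowed ones with their typed reasons, the same records support the regular log review the article recommends.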

“The best proving ground for this is the sales guy,” says Jaquith. “[Think about] Joey the sales manager. How frustrated would he be if you put some of these measures in place?” If your answer is ‘extremely frustrated,’ Jaquith says, you’re probably better off finding a different solution or combination of solutions. “Monitoring and blocking mixed with some good old-fashioned human deterrents is the right way to do this.” CIO

Send feedback on this feature to [email protected]


SOA | “I’m not saying it’s impossible, but it’ll be really, really hard to be successful.” That’s how a Forrester Research analyst described the task Oracle faces in integrating all its recent enterprise software acquisitions.

It got me thinking about how the traditional vendor strategy for enterprise applications—big, integrated suites as a bulwark to assert dominance over customers’ software buying patterns—is increasingly at odds with the emerging thinking on enterprise architectural strategy: SOA.

In the last century, vendor strategy pretty much lined up with thinking on architecture: Standardize as much as possible to reduce integration headaches. That was great for vendors. If you owned the major chunk of a customer’s enterprise software architecture, you got two big advantages: First, the suite was so big and complex that the customer had little incentive to get rid of it over the long term, which guaranteed streams of revenue in the form of maintenance fees, which could be raised incrementally over time; second, you got a critical advantage in selling them new software: Fear of integration problems and management complexity if they bought stuff from someone else.

But today, the dominant architectural trend, SOA, is diverging from the vendor strategy. SOA says the enterprise application infrastructure is almost irrelevant. Technology is constructed according to services specified by the business. In this scenario, enterprise applications become just a piece of the service, yet another component of a larger business process. The vendor of the applications doesn’t matter anymore; the linkages between them become the important thing.

In this sense, the vendors’ integration strategies become more important than the features of their software suites. Of course, both the dominant enterprise software vendors, Oracle and SAP, have begun offering integration middleware to go along with their big software suites. Yet both are sticking with the big, integrated software suite vision. Indeed, Oracle has pledged to meld all the best of all its different acquisitions together into something greater: Fusion.

But that begs the question: Why? Why try to integrate or build something that serves all the diverse interests of all the customers that bought PeopleSoft, Oracle and J.D. Edwards when the emerging SOA strategy is telling your customers that it’s okay to have diversity in your software portfolio?

And SOA isn’t just popular with CIOs. In many companies, business people are pushing the SOA strategy pitch. They want linked business services and flexible new workflows and processes—software architectures and infrastructures are less important to them than ever.

Which gets us back to that word that the Forrester analyst used: ‘Impossible.’

I’ve heard that word used before: Oracle’s attempt to integrate software from four different vendors together into a seamless ERP package called Oracle CPG in the late 90s. Granted, integration tools and techniques have improved since then, and Oracle now owns the software it is trying to integrate, which eliminates the organizational boundaries that hampered the CPG effort. But, getting software written by different developers at different companies to integrate at a really foundational level is, well—here’s what an ERP analyst told me for the Oracle CPG story: “It’s impossible to try to integrate four pieces like that from different vendors into a single product.”

Of course, Oracle doesn’t have to integrate all the acquisitions in the technical sense. It has other options. It has an anxious herd of CIOs all paying maintenance fees on different enterprise software packages who could be coaxed into upgrading to something entirely new, or buying middleware so they can keep what they have.

But if SOA really takes over, how anxious will those CIOs be for upgraded versions of software they already own? SOA bodes for keeping old software infrastructure around longer.

It seems that if SOA really takes over, the software that links applications together, rather than the applications themselves, will become the most important strategic decision that CIOs make. What do you think? CIO

Christopher Koch is CIO’s Executive Editor (Investigations). Send feedback about this column to [email protected]

A Really Hard Architecture Strategy

SOA says enterprise application infrastructure is almost irrelevant and it’s backed by business.

By Christopher Koch
