January 15 2006

Registered No. RNP/BGS/2113/2009-11. Licensed to Post at Manipal HO on 12th/13th & 27th/28th of every month.Printed and Published By Louis D’Mello On Behalf Of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027, India.

KARENG/2005/16317

RNI_for CIO Indesign.indd 1 11/16/2011 3:09:41 PM

From The ediTor

“He is most free from danger, who, even when safe, is on his guard.”

— Publilius Syrus

information Security. What is the first thing that goes through your mind when you think of it? Firewalls, IDS, single sign-on, biometric devices? Think again. For security is more a question of putting protocols and procedures in place. In fact, a security expert I spoke to a few days ago was vehement that security has nothing much to do with the technology that one uses to achieve a ‘comfort’ level. Technology is the last thing to look at since security is a people issue, he told me.

I guess information security is also about changing behavior. While from the management perspective it’s about handling risk management; from the enforcement perspective it’s about creating awareness within the organization. Satish Das, CSO, Cognizant Technology Solutions and one of the security practitioners we contacted for this issue’s cover story, tells us that the governance structure of a company is a key factor. “If risk management is a part of an organization’s structure, then the security framework will be clearly articulated and defined to meet the governance requirements,” he says.

Does it all then boil down to being a mind-

set issue? It could be. In fact, The Global

State of Information Security Survey by CIO

and PricewaterhouseCoopers (Page 30) has

raised a few curious points. Just 37 percent of

the 8,200 executives covered stated that they

had an information security strategy!

Even more worrying, the response ‘unknown’ showed up as the second most prevalent

attack type, the fourth most common attack method and the third highest attack source. And,

47 percent of the respondents reported damages as ‘unknown,’ as well.

If that doesn’t bother you, analyze this: A full fifth of information executives said they

didn’t know how much money their companies budget for infosecurity.

And despite all the talk of technology (some so futuristic that they could feature in a

Philip K. Dick novel), most companies continue to invest in the fundamental technologies

that strengthen networks and applications. While a few verticals like BFSI, Pharma and

IT / ITeS are quite gung-ho, others like manufacturing and retail are still to go beyond basic

security technologies.

Publilius Syrus writing 2,000 years ago in Rome got his security mindset right, have you?

While security is about handling risk management; enfocing it involves creating awareness within the organization.

Technology is the last thing to look at since security is a people issue.

Vijay Ramachandran, Editor [email protected]

A Security State of Mind

� J A n u A R y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5

Content,Editorial,Colophone.indd4 4 2/8/2006 6:43:13 PM

Executive ExpectationsVIEW FROm ThE TOp | 40Azim H. Premji, Chairman, Wipro believes in integrity, customer satisfaction and quality. These drove Wipro to embrace Six Sigma and become the world’s first organization to achieve PCMM Level 5.Interview by Balaji Narasimhan

GovernanceShARE pOWER TO GAIN CONTROL | 28Why CIOs should cede the what of IT to busiwhat of IT to busiwhat -ness executives and focus instead on the how.Column by Susan Cramm

KeynoteThE JOy OF FLEx | 22A loosely coupled approach to business processes and IT makes it much more possible for companies to innovate, both within and across enterprises. Column by John hagel and John Seely Brown

Leadership ThE FOuR (NOT ThREE, NOT FIVE) pRINCIpLES OF mANAGING ExpECTATIONS | 44CIO Joe Eng set new performance standards for his IT department, negotiated technical requirements with demanding business partners, calmed nervous end users and built a multi-million dollar global network by following four simple principles. Feature by Allan holmes

more »

Security

COVER STORy |ThE GLOBAL STATE OF INFORmATION SECuRITy | 30

A worldwide study by CIO and PricewaterhouseCoopers reveals a digital landscape ablaze, with thousands of security leaders fighting the flames. But amid the uncertainty and crisis management, there’s an oasis of strategic thinking.By Gunjan Trivedi and Scott Berinato with

Research Editor Lorraine Cosgrove Ware

content

30

Co

VE

r:

Ima

gIn

g b

y b

InE

Sh

Sr

EE

dh

ar

an

, Ja

ya

n K

na

ra

ya

na

n I

P

ho

To

S b

y S

rIV

aT

Sa

Sh

an

dIl

ya

JANUARY 15 2006‑|‑Vol/1‑|‑issUe/5

� J A n u A R y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5

GovernSLEuThING SmARTER | 58Ramavtar Yadav, Director, National Crime Records Bureau, reveals how the bureau’s work in areas such as portrait building and information sharing is arming the cops with speed as they hotfoot it on the trail of crooks Interview by Rahul Neel mani

hAAzIR hO (pRESENT yOuRSELF) | 52Video-conferencing links between courts and prisons have saved state governments crores. But it’s also brought more security, compassion and efficiency to a justice system struggling against a tide of backlogged cases. Feature by Balaji Narasimhan

52

content (cont.)

Trendlines | 13

Outsourcing | Cutting Costs Can Cost CustomersStaffing | IT Departments Are Changin’Work Life Balance | New Year’s Resolutions By The Numbers | The Price of ProcurementChip Technology | Optical Chips Get Golden EdgeLanguage | Most Annoying Workplace ClichésBook Review | Fit In Stand OutLeadership | Gender Gap in the Executive Suite

Essential Technology | 62

Open Source | Open Source Lights Up By Galen Gruman

pundit | Services for Sale By Eric Knorr

From the Editor | 4A Security State of mind | Technology is the last thing to look at since security is a people issue.By Vijay Ramachandran

Inbox | 12

28

dEparTmEnTS

NOW ONLINE

For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. go to www.cio.in

c o.in

� J a n u a r y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5


Anil nAdkArni

head IT, Thomas Cook, [email protected]

ArindAm Bose

head IT, lg Electronics India, [email protected]

Arun GuptA

Sr. director - business Technology, Pfizer India

[email protected]

Arvind tAwde

VP & CIo, mahindra & mahindra, [email protected]

Ashish kumAr ChAuhAn

advisor, reliance Industries ltd, [email protected]

m. d. AGArwAl

Chief manager – IT, bPCl, [email protected]

mAni mulki

VP - IS, godrej Consumer Products ltd, [email protected]

mAnish Choksi

VP - IT, asian Paints, [email protected]

neel rAtAn

Executive director – business Solutions,

Pricewaterhouse Coopers, [email protected]

rAjesh uppAl

general manager – IT, maruti Udyog, [email protected]

prof. r.t.krishnAn

Professor, IIm-bangalore, [email protected]

s. B. pAtAnkAr

director - IS, bombay Stock Exchange, [email protected]

s. GopAlAkrishnAn

Coo & head Technology, Infosys Technologies

s_gopalakrishnan @cio.in

s. r. BAlAsuBrAmAniAn

Sr. VP, ISg novasoft, sr_balasubra [email protected]

prof. s sAdAGopAn

director, IIIT - bangalore. [email protected]

sAnjAy shArmA

Corporate head Technology officer, IdbI, [email protected]

dr. sridhAr mittA

managing director & CTo, e4e labs, [email protected]

sunil GujrAl

Former VP - Technologies, Wipro Spectramind

[email protected]

unni krishnAn t.m

CTo, Shopper’s Stop ltd, [email protected]

v. BAlAkrishnAn

CIo, Polaris Software ltd., [email protected]

mAnAGement

president n bringi dev

Coo louis d’mello

editoriAl

editor Vijay ramachandran

BureAu heAd-north rahul neel mani

speCiAl Correspondents T radhakrishna

balaji narasimhan

senior Correspondent gunjan Trivedi

Copy editor Sunil Shah

www.Cio.in

editoriAl direCtor-online r giridhar

desiGn & produCtion

CreAtive direCtor Jayan K narayanan

desiGners Shyam S deshpande

binesh Sreedharan

Vikas Kapoor

anil V K

photoGrAphy Srivatsa Shandilya

produCtion TK Karunakaran

mArketinG And sAles

Business mAnAGer naveen Chand Singh

BrAnd mAnAGer alok anand

mArketinG Siddharth Singh

BAnGAlore mahantesh godi

Santosh malleswara

ashish Kumar

delhi Sudhir argula

nitin Walia

mumBAi rupesh Sreedharan

nagesh Pai

jApAn Tomoko Fujikawa

usA larry arthur

Jo ben-atar

sinGApore michael mullaney

uk Shane hannam

adviSory board adverTiSer index

Borland 17

Canon 67

Cubic Computing 39

Epson 23

Hewlett Packard 5

Hitachi 27

IBM India 9, 11, 18-21

Interface Connectronics 25

Kelly IT Services 61

Lenovo 68

Microsoft 7

Molex Premise networks 43

Wipro Infotech 2, 3, 33

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

1 0 J a n u a r y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5


reader feedback

Great InspirationOnes to Watch (Jan. 1) will be a great Ones to Watch (Jan. 1) will be a great Ones to Watchinspiration to all those who are waiting in the wings. Maybe you could extend this concept a bit more to actually identify good IT teams doing extraordinary work at various organizations. Covering a very well executed project at a time, you may give the due credit to all those unsung heroes.

I also found the View From The Top of LG Electronics India Managing Director Kwang-Ro Kim quite interesting. Only 0.4 percent of revenue is LGEIL’s IT bud-get. How does it compare with the manu-facturing sector’s average?

If you can make LGEIL share its IT expenditure break-down, it will be very interesting. But what takes the cake is Kim’s statement: “... without the IT department’s approval we don’t open a remote office...” Hope every CEO understands this!

M. S. V. Rao, Consulting Advisor - IDM, Tata Consultancy Services

It was a pleasure to read the Ones to Watch feature. It’s a manifestation of the quality of research and industry inter-action you have been able to achieve in such a short time.

I am impressed by the perseverance and meticulousness of the team at CIO. Keep it up.

aShISh KUMaR ChaUhanAdvisor, Reliance Industries

I found Ones to Watch quite an interesting read. Going forward, I suggest that you recognize young CIOs (probably under the age of 40 or so) in various verticals. Their achievements and their perspective on their sectors can be profiled similar to Ones to Watch. I would rather read the fresh views of these CIOs on their industries than the much-printed perspectives of established CIOs.

While short-listing the young CIOs, I suggest a proper study should be done stressing the extent of their domain knowl-edge and industry experience.

Sanjay ShaRMaCorporate Head – IT, IDBI

Filling the VacuumI have been reading cIO from issue IO from issue IOone. For long, there’s been a vacuum in this space. A magazine for CIOs ought to go beyond networking and infrastructure issues. These days, the major part of our time and effort go into people manage-ment and development.

That has become one of the most critical parts of a CIO’s job. To be able to manage change, a CIO not only needs to enrich him-self through technology, but also people and change management. Towards that end, CIO India is doing justice to this community.

The quality of your magazine, its con-tent, layout, look and feel is extremely good. Great going.

ChInaR DeShpanDeCIO, Pantaloon Retail

encouraging FeatureI must thank you for a very good write up relating to the development of IT in West Bengal (Mindset Manifesto, Jan 1). Thank you so much for your support.

DR. G. D. GaUtaMa

Principal Secretary, West Bengal

The basic reason for the Govern section is to highlight the challenges and successes of senior IT executives in local, state and Central Government agencies. I appeal to government IT leaders to come forward and help us highlight their work in the field of e-governance.— Editor

Dear Arun, Thanks so much for the Dundee cakes. The entire Bangalore team enjoyed them. It was great to see you in the Ones to Watch. By the time we look for the next set of IT leaders with potential, I hope to see you in the ranks of the CIOs. — Editor

“These days, the major part of our time and effort goes into people

management and development.”

What Do You Think?

We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to [email protected]. Letters may be edited for length or clarity.

editor@c o.in

1 2 J A n u A R y 1 5 , 2 0 0 6 | REAL CIO WORLDVol/1 | ISSUE/5

With compliments fromarun Shakya,

Britannia Industries

n e w * h o t * u n e x p e c t e d

Ill

us

tr

at

Ion

bIn

es

h s

re

ed

ha

ra

n

trendlinesCutting Costs Can Cost CustomersO U T S O U R C I N G Companies that outsource cus-tomer service functions with the goal of reducing costs may risk reducing their client list as well, according to Gartner.

The researcher predicts that through 2007 some 80 percent of organizations that outsource customer service projects with the primary goal of cutting costs will fail in that attempt. One factor is the high staff attrition rates at outsourcing companies, sometimes as much as 80 percent to 100 percent.

“Companies are not looking at processes from a customer point of view, and this is risky,” says Gartner Vice President Alexa Bona. Customer-fac-ing processes, such as call center services and tech support, require specific training and management to prevent client loss, she adds.

Gartner predicts some 60 percent of organizations that outsource customer-facing functions will experi-ence client defections due to service issues, a hidden cost that outweighs any potential cost savings. Indeed, Gartner found that companies employing outsourced

customer service processes could pay more; the aver-age monthly cost per employee is 30 percent higher for outsourced operations than the top 15 percent of companies pay for in-house operations, Bona says.

In spite of the poor outlook, Gartner predicts the market for customer service outsourcing will grow from $8.4 billion in 2004 to $12.2 billion in 2007.

To make outsourcing work, companies should map their customer-facing processes from end to end and dedicate sufficient management to the projects, Bona says, adding that outsourcing con-tracts should contain provisions that allow the outsourcing company to be paid based on non-traditional met-rics such as customer satisfac-tion, first-call resolution and even customer profitability.

—By Scarlet Pruitt

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 1 3Vol/1 | Issue/5

S T a f f I N G the demand for corporate It special-ists is shifting away from the It worker who special-izes in a certain technology and toward ‘versatilists’ — those capable of inter-acting with people outside of their typical domain, according to research from Gartner.

Gartner Vice President diane Morello says the versatilist has a strong base of knowledge in a certain area, which may or may not be technology-related. such an employee might have expertise as a project manager, financial analyst or an application designer but is able to take

on broader responsibilities required by an It group.

With ‘versatilists’ on staff, business and service provid-ers can also stretch their per-sonnel budgets further than they could with specialists. CIo research finds that It departments are hiring now. but according to Morello, by 2010, It organizations in mid-

size and large companies will be 30 percent smaller than they were in 2005. Mean-while, 10 percent to 15 per-cent of It workers today will drop out of the It occupa-tion, Morello says, choosing new fields such as teaching or government service.

—by nancy Gohring

It departments, they Are A-changin’

Trendlines NEW.indd 13 2/8/2006 6:54:39 PM

b y J O N S U R M a C Z

TR

eN

dl

INe

S

The Price Of Procurement

1 4 J a n u a r y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | Issue/5

Companies that do it right spend more on technology in the short term, but less on overall operations in the long run.

Best practices

Identify operational processes that can be

automated with e-procurement and

e-sourcing tools and invest in them.

educate employees and business partners about

the benefits of new procurement

systems to ensure that they are used.

Christopher sawchuk, senior business

adviser at the hackett Group, says

procurement executives should track

how many transactions are going

through the e-procurement system as

an indicator of usage.

Shift into strategic mode once the return on

automation investments is realized.

this may mean investing in decision-

support technologies, hiring staff with

more sourcing experience. World-

class companies spend 27% more on

procurement technology than average

companies, but they spend 27% less on

overall procurement operations.

World-class procurement organizations invest more of their total operations spending on IT.

world-class: 19%Average: 11%

Elevated IT spending helps drive down costs: World-class companies

spend 42% less than average companies, which means they can focus on strategic operations.

World-class companies allocate

36% more of their overall procurement resources to decision support and risk management activities.

World-class companies

spend 27% more on procurement technology than average companies, but they

spend 27% less on overall procurement operations.

World-class companies rely on 38% fewer staff members than average companies resulting in a price tag for total procurement

operations that’s 27% lower than average.

Wringing efficiency out of the supply chain could be as simple as investing in technology that

will automate operational tasks, such as purchase order processing. that’s because smoother supply chain operations can allow companies to shift resources to more strategic tasks — such as sourcing — where they can find even more value, according to the hackett Group.

In its latest ‘book of numbers’ report, hackett states that companies with world-class procurement operations spend $1.4 million per billion of their overall procurement spend (the goods and services a company buys to do business) on technology, while average companies spend $1.1 million per billion of spend. according to hackett, world-class procurement organizations spend $7.4 million on procurement operations for every $1 billion of goods and services they buy. average companies, on the other hand, spend $10.1 billion on procurement operations for every $1 billion of goods

and services they buy. so even though world-class companies are spending more on procurement technology (in terms of dollars and as a percentage of procurement operations), their overall spending on procurement operations is actually less.

by automating operational processes in the purchase-to-pay cycle (processing of purchase orders, receipts, requests for quote and so on), world-class companies are able to focus resources and savings on strategic business operations, says Christopher sawchuk, senior business adviser at hackett. “the value of these [automation] investments is in cost reduction,” he says. “the savings allow procurement executives to spend a larger percentage of their budget on decision support rather than operational support and focus on aligning procurement with business strategy.”

decision-support tools can help executives determine who their best and worst suppliers are so that they may adjust their procurement plans accordingly.

1]

2]

3]

by the numbers


Fit In, Stand Out: The Key to Leadership Effec-tiveness in Business and LifeBy Blythe J. McGarvieMcGraw-Hill, 2005; Rs 1,197.50

b O O k R e v I e w Blythe McGarvie has done well in the corporate world, first as a CFO for several large companies and now as a corporate director for Accenture and The Pepsi Bot-tling Group, among others. She believes unabashedly in corpora-tions — their moneymaking mis-sion, their ability to do good and the opportunities they afford for career success. Fit In, Stand Out: The Key to Leadership Effectiveness in Business and Life is a career guide to the corporate world.

Business success boils down to two actions, says McGarvie: Fit-ting in and standing out.

Fitting in means finding your way in the culture and structure of a com-pany. People who are new to an orga-nization or a position should focus on showing colleagues that they can conform to com-pany norms and are trustwor-thy and credible.

Standing out means separat-ing yourself from the corporate crowd. Doing outstanding work is not enough — you must seek opportunities to be noticed. While it is important for employ-ees to demonstrate their ability

to fit in at the start of a job, the ambi-tious ones must then

market them-selves to move upward.

The lengthiest part of McGar-vie’s book is devoted to six char-acteristics that people need in order to advance.

These characteristics include financial acuity — the develop-ment of deep financial compre-hension — which McGarvie calls the most important catalyst for gaining a leadership posi-tion; integrity, an attribute that’s

important in an era of public mistrust in corporations; and global citizenship, necessary for success in a global world.

McGarvie dresses up her framework as systems thinking, which is a theoretical approach to analyzing how interactions between parts of an entity affect overall performance. That’s a stretch in this case — and an unnecessary one. The true value of this book is in its practical advice and insights based on McGarvie’s experience.

—By Edward Prewitt

TR

eN

dl

INe

S

How to Climb the Corporate LadderLearn to fit in and still make your mark

Gender Gap in the Executive Suitel e a d e R S h I p Men are better at delegating. Women are bet-ter at rewarding subordinates. tired old stereotypes, perhaps, but both men and women in leadership positions believe them — to the detriment of female leaders, according to a study by the nonprofit research organiza-tion Catalyst.

of 296 senior corporate leaders sur-veyed, a majority of each gender agreed that men are better at take-charge leader-ship behaviors, such as influencing their superiors, while women are better at care-taking behaviors, such as team-building. the most disturbing discovery, according to Jeanine Prime, director of research at Catalyst, is men’s perceptions of women’s problem-solving skills. Male survey respon-dents said that 80 percent of male leaders are effective at solving problems, but only 67 percent of female leaders are. because

men outnumber women in leadership positions, women are less likely to be viewed as good decision-makers.

the implication of this finding, Prime says, is that women are more likely to have their decisions ques-tioned, and thus have to spend more time getting buy-in. that’s time that could be spent on execution. and so, through no fault of their own, many women find their ability to get things done is compromised, which undermines their chances for promotion. Prime says this is one reason why only 16 percent of officers in Fortune 500 compa-nies are women.

Catalyst says one way companies can counter gender stereotypes is by having standard criteria for performance evalua-tions and promotions.

—By Margaret Locher

80% 67%

Ill

us

tr

at

Ion

sh

ya

M s

. de

sh

Pa

nd

e

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 1 5Vol/1 | Issue/5


TR

TR

eeNN

dl

dl

ININee

SS

C h I p T e C h N O l O G Y Gold is prized in chip manufacture for its excellent electrical conductivity, but it also has unusual properties that could give it a role in new optical chips, scientists have discovered.

In a typical electronic chip, tiny gold wires link microscopic connecting pads on the silicon wafer to the terminals of the chip packaging. The gold wires are about 50 micrometers in diameter, about half as thick as a human hair, and at that thickness the gold still behaves like the shiny metal we know. A micrometer is one millionth of a meter.

If you divide it into rods 2,500 times thinner, though, just 20 nanometers across, the gold glitters in an entirely different way, according to scientists at the US Department of Energy’s laboratory in Argonne, Illinois.

At the nanometer scale, where distances are measured in billionths of a meter, it’s not just optical properties that change: Many materials respond differently to variations in temperature, and to the effects of electric and magnet fields, when divided into such nanoparticles.

The nanoscale gold rods studied at Argonne National Laboratory emit light when electrons in them are stimulated, and the wavelength of the light depends on the length of the rod used, the scientists found. They tested gold rods with lengths between 70 nm and 300 nm.

Being able to control the wavelength of light, and to build light sources of a specific wavelength, is very important in optical commu-nications. The discovery at Argonne could one day allow the fabrica-tion of tuned light sources inside chips, leading to the creation of chips that can switch or route optical signals in fiber networks without having to convert them back to an electronic form first, the scientists said. However, they emphasized that they are only involved in basic research, not the development of products.

Researchers at the Nanotechnology and Optical Instrumenta-tion Laboratory in Troyes, France, also participated in the research, which was published in a paper in Physical Review Letters entitled ‘Surface Plasmon Characteristics of Tunable Photoluminescence in Single Gold Nanorods.’

—By Peter Sayer

the Most Annoying workplace workplace w clichésl a N G U a G e a new, value-added survey conducted by temporary staffing company accountemps now gives heightened visibility to the most annoying phrases and buzzwords peppering mind-share sessions in corporates. according to the 150 senior executives polled, thinking outside the box is not something their peers do well, especially when it comes to using the english language. apparently, the ability to speak in anything but clichés is not a core competency of even Generation X workers.

In an effort to adopt a win-win approach to work, managers and their direct reports alike end up com-municating in what all but consultants and hr people would consider absolute gibberish. Cliché-usage is even rampant among those customer-centric employ-ees who, one would think, would want a paradigm that would get them on the same page with normal humans, or at least achieve some sort of communica-tive synergy. yet, at the end yet, at the end yof the day, it turns out that they value alignment with bad language even more.

as for how to imple-ment a solution to our language-based woes, or even an incremental improvement, accoun-temps chairman Max Messmer says business-people should attempt to deploy a reality-based vocabulary with a heavy emphasis on specific details. While there are few metrics available that

shed light on the roI of descriptive verbiage, the well-chosen word — even when taken offline — goes far on the runway in terms of accountability management.

and as Messmer points out, people who use buzzwords to clarify usually end up confusing everyone.

—By Megan Santosus

1515MOST 15ANNOYING15ANNOYING15CLICHES15CLICHES15As identified by the Accountemps survey:

1. At the end of the day

2. Solution

3. Thinking outside the box

4. Synergy

5. Paradigm

6. Metrics

7. Take it offline

8. Redeployed people

9. Core competency

10. Win-win

11. Value-added

12. Get on the same page

13. Customer-centric

14. Generation

15. Alignment

Gold May Play RMay Play Roleole in in Optical Chips, Scientists Say


New Year’s Resolutions for the Global CIOw O R k - l I f e b a l a N C e having developers around the world may be good for business, but CIos pay a personal toll. because remote operations may be located up to 12 time zones away, the work week can stretch from sunday night (as teams in asia come into their offices) until Friday evening (when the us staff wrap up the work week). this schedule, combined with grueling travel demands, can pull families apart as professional responsibilities bleed into personal and social time.

ashwin rangan managed worldwide technology teams for more than a decade as CIo of Conexant and as a senior manager at ast research. he suggests six new year’s res-olutions for It execs with global responsibilities:

1. Travel with your spouse. If your spouse joins you on an overseas trip at least once a year, he or she will better understand what you’re going through, as well as share in your cross-cultural learning.

2. Get comfortable. If your company pays only for economy class airline travel, use your frequent flier miles to upgrade to business class. If it pays for business class, upgrade to first.

3. Give yourself a break. Jet lag affects your judgment and your attention span, so keep a light schedule on the day you arrive at your destination.

4. Send someone else. your key reports in other coun-tries should also visit each other frequently to build their own connections and sympathy for one another. you don’t always have to be there.

5. Minimize off-hours work. When transcontinental conference calls are necessary, distribute the inconve-nience around the globe. For half of the calls, you can have us teams come in early while the offshore team is at work, and you can schedule the rest during the us work-day, when the offshore team stays late. Families on two continents will thank you.

6. Stay home. limit your sunday evening social engage-ments, and advise your direct reports to consider the same. If no work issues crop up offshore, you can have an evening with your family; if they do, your loved ones will forgive you more easily than your friends.

—By Gunjan Bagla

Vol/1 | Issue/5


John Hagel & John Seely Brown Keynote

The Joy of FlexA loosely coupled approach to business processes and IT makes it much more possiblefor companies to innovate, both within and across enterprises.

Most of you are probably familiar with the concept of loose coupling since it is a key design philosophy underlying new generations of technology platforms. Loose coupling, for example, is necessary to deliver the flexibility

promised by service-oriented architectures (SOAs). But the concept of loose coupling also holds tremendous promise in transforming how executives organize business processes, especially as they extend across global business enterprises. Many businesses today are organized along a very different model using tightly specified, hardwired management approaches. While this strategy has been responsible for delivering a great deal of operating savings to many companies, it makes improvisation difficult because changes in one area will cause unanticipated disruptions in others. As a result, such flexibility in business practices is often discouraged.

Enterprises today are hardwired at two levels: IT platforms generally remain hardwired, and the business processes we manage on top of these IT platforms are also hardwired. Companies now have an opportunity to introduce loose coupling at both levels. The innovation of loose coupling will not only change how companies operate within the enterprise. A loosely coupled approach transforms how they collaborate and innovate across enterprises by enabling the formation of global process networks that can mobilize large numbers of highly specialized business partners to deliver more value to customers.

For example, Cisco has created a global process network consisting of thousands of channel partners who provide everything from basic fulfillment operations to highly specialized consulting or engineering services to adapt Cisco’s networking products to


Column JOHN HAGEL AND JOHN SEEL16 16 2/8/2006 6:18:30 PM

the unique environments of its customers. The partners in this network are loosely coupled and orchestrated by Cisco. This process network works because Cisco has developed standardized ways of specifying capabilities and performance requirements, and it familiarizes all the partners when they join the process network with its standardized vocabulary. This approach to defining standardized ‘interfaces’ for each module of activity makes it possible for Cisco to quickly assemble the right modules and ensure that the best qualified partner is assigned to each module. This is an example of loose coupling at the business process level.

CIOs are especially well positioned to help the rest of the senior management team make the transition toward loosely coupled business processes. They understand both the technology and design principles needed to support such processes, both within and across enterprises.

The Advantage of Interchangeable AppsLoose coupling begins with the notion of modularity, grouping activities into separate modules where the outputs can be clearly specified and where the activities in each module can be performed relatively independently without relying on activities in other parts of the application. For example, at the IT level, it makes sense to create a separate module for currency conversion in an order entry application so that introductions of new currencies can be handled independently without affecting the rest of the order entry procedures. The currency conversion module should be designed from the outset as a service that can be used by a broad range of applications — not only order entry but also procurement, expense report processing, financing and any other application — in a wide range of computing environments distributed around the world.

But modularity is not enough. Loose coupling also seeks to create standardized ways of describing the procedures or information contained within the modules. In the IT domain, this is one of the major advances of Web services technology; through the Web Services Description Language (WSDL), it defines a set of standards for creating documents that describes what a Web service offers, how it communicates and where to find it. Because these standards have been widely adopted throughout the technology community, we are now able to access a much broader range of modules or services. For example, the developer of a new app could quickly make use of the currency conversion module based on the information provided in the interface document and just as easily switch to another currency conversion module if it offered better functionality (say, more frequent updates of conversion rates).

Loose coupling is attractive on many levels. By making it easier to move modules in and out depending on need, it enhances flexibility. For example, a loosely coupled IT environment might make it easier for an insurance company to access a novel, highly

specialized algorithm that allows it to assess risk in certain categories of commerci al buildings in a more rigorous way than a more general algorithm might. Hence, the company no longer has to rely on a single general purpose algorithm to cover all commercial buildings. Instead, it can use best-in-class algorithms for specific insurance categories and thereby manage its risk exposure more effectively.

Loose coupling is likely to be even more attractive in the long-term because of its role in enhancing innovation. To begin with, orchestrators of these systems can re-combine modules in creative ways to deliver distinctive value. For example, online stockbrokers are using loosely coupled IT architectures to bring together a rich array of specialized information in highly tailored ways to serve the needs of high net-worth investors. Investors need detailed information about the performance of their portfolios, as well as access to a variety of specialized third-party information — analyst reports, technical charts, company profiles, macro-economic data and so on — to make better investment decisions. SOAs enable stockbrokers to assemble a much broader array of resources for their investors so that stockbrokers can experiment with new ways of combining data and analytic techniques.

Innovation by re-combining modules is just the beginning. Loose coupling facilitates rapid incremental innovation within modules as well. By reducing interdependencies across modules, loose coupling makes it easier to experiment and improvise within a module without worrying about unanticipated disruptions in other parts of the system. In this respect, loose coupling at the IT level amplifies the potential for rapid incremental innovation through loose coupling at the business process level.

The Li & Fung StoryGiven the limitations of hardwired approaches, it is not surprising that some companies have begun to develop an alternative strategy in designing business processes. One of the companies pioneering this alternative approach at the business process level is a Chinese company, Li & Fung, based in Hong Kong. Li & Fung is very well-known in the apparel industry, but surprisingly little-known outside this industry. Its customers are apparel designers who are located around the world. On their behalf, Li & Fung will orchestrate highly customized end-to-end supply chains starting with the sourcing of yarn or fibers and ending with delivery of assembled goods to specified retailer distribution centers.


CIos are naturally positioned to play a major role in helping companies deploy looselycoupled technology.





This could involve bringing together dozens of specialized participants on a global scale to ensure that appropriate capabilities are brought to bear, for example, to produce high-end wool sweaters targeted at the European market versus synthetic-fiber slacks targeted at the U.S. market where a quite different set of companies might be required. This enormous flexibility is made possible because Li & Fung has assembled a loosely coupled process network of 7,500 business partners around the world.

Li & Fung can orchestrate this complex and highly flexible network because it focuses on defining standardized ways of specifying outputs from each partner and leaves decisions on how to execute against the outputs up to each partner. For example, it provides a standardized way of representing color for the garments, but does not tell its partners how to produce this color.

At the IT level, Li & Fung is now deploying Web services technology and building an SOA extending across its entire process network to support its loosely coupled business processes. This kind of architecture is attractive for Li & Fung

because it does not require its business partners to rip out existing technology and adopt a common set of technology platforms. Instead, each partner can use Web services standards to implement loosely coupled interfaces for their existing applications and databases and automate connections with other business partners in the Li & Fung network.

Using a loosely coupled management approach, Li & Fung has been able to compress cycle times across its global apparel supply chains from months to weeks, exceeding the performance of more hardwired competitors. In highly demanding, fast-moving industries like apparel and consumer electronics, loosely coupled approaches could not possibly succeed without delivering against aggressive cost, performance, quality and cycle time requirements. Li & Fung’s strategy is quite successful. It generates more than Rs 21,000 crore ($5 billion) in revenue and has grown at double-digit rates over many years. With only 5,000 employees of its own, Li & Fung generates about Rs 4.5 crore ($1 million) in revenue per employee. In an industry accustomed to razor-thin margins, Li & Fung is also quite profitable, with 30 percent to 50 percent return on equity.

Trust is ParamountEffective loose coupling requires the formation of long-term relationships among business participants that are far richer

than conventional transaction-based relationships. Loose coupling cannot work without significant investment in building trust-based relationships among participants. These business elements need to be woven together with technology elements to provide the foundation for shared meaning, trust, and orchestration, to develop and evolve.

So far, the loosely coupled approach to business process management has been implemented across the boundaries of enterprises in order to coordinate business processes spanning multiple companies. We expect that, over time, this approach will be applied to business process management within the enterprise as well. Hard wiring within the enterprise has given companies cost savings, but at the expense of flexibility. As companies see the performance benefits of loose coupling, they will want to embrace this approach within the enterprise to enhance flexibility there as well.

CIOs are naturally positioned to play a leadership role in helping companies to adopt and deploy these loosely coupled technology platforms. They would do well to start with business functions that have the greatest interaction with

third parties (for example, sales and marketing, customer support, procurement and supply chain management). This completely flips the historical pattern of IT deployment that started within the centralized ‘glass house’ and eventually reached functions that dealt with external business partners and only in a very limited way touched business partners (for example, through EDI connections and Web-based portals). By tying IT architecture evolution to the most pressing current business needs, CIOs can mobilize support from their business colleagues for more ambitious architectural migration strategies.

More broadly, CIOs can help non-technology line executives to understand the compelling benefits created by a loosely coupled design approach. In focusing on the business applications of loose coupling, CIOs have the potential to become major players in the next wave of innovation. CIO

John Hagel and John Seely Brown are coauthors of a new book called The

Only Sustainable Edge: Why Business Strategy Depends on Productive

Friction and Dynamic Specialization. Hagel is a management consultant

who spent 16 years with McKinsey & Co. Brown, the former chief scientist

at Xerox, is now a visiting scholar at the University of Southern California.

Send feedback on this column to [email protected]

Loose coupling makes it easier to improvise without worryabout disruptions elsewhere in the system.



Share Power To Gain ControlWhy CIOs should cede the what of IT to business executives and focus instead on the how.

Who people work with is more important than who they work for, a Gartner EXP publication asserted recently. This statement is right on. Every time there’s an IT re-organization, too much emphasis is placed on structure and the unworkable

extremes of centralization versus decentralization. Instead, CIOs should let IT’s organizational structure mirror that of the enterprise and focus their time on defining the decision rights — that is, who has the final say about key IT decisions — necessary for collaboration between IT and the business.

When determining IT decision rights, it’s wise to remember the adage: To gain control, you have to give it away. That same adage applies to raising children (“You have two choices,” parents say), and it works when you’re trying to cozy up to business partners while maintaining some semblance of IT order at the enterprise level.

Too often in the past, IT — like a desperate parent — has tried vainly to get its business counterparts to ‘grow up’ without granting the necessary freedom. In many organizations, business executives have little authority over IT funding, priorities, sequencing and resources, and feel forced to establish shadow IT organizations and partner with vendors who have gone around the IT organization. With one hand, CIOs attempt to limit business freedoms, while with the other, they try to finagle business counterparts into accepting accountability for value commitments.

Since business accountability is out of whack with its authority, IT executives are in a constant state of frustration as they try to extract the desired behaviors from the business. CIOs find themselves operating like surrogate users and assuming business partner roles (for instance, developing strategy, selling initiatives,

Susan Cramm ExECutivE CoaCh

2 8 J a n u a r y 1 5 , 2 0 0 6 | REAL CIO WORLD VOl/1 | ISSUE/5

Ill

US

Tr

aT

IOn

by

Sh

ya

m D

ES

hp

an

DE

Column SUSAN CRAMM.indd 20 2/8/2006 6:19:28 PM

Share Power To Gain ControlWhy CIOs should cede the what of IT to business executives and focus instead on the how.

Susan Cramm ExECutivE CoaCh

writing business cases, managing business change and reporting value realization).

You will never achieve the partnership necessary for success unless you arrange decision rights to promote accountability from the business side. If you doubt the importance of this act, ask yourself why you never hear business leaders blaming the quality of their profits on finance or their people on human resources — yet their complaints about IT systems are commonplace. CIOs need to follow the lead of mature financial and HR organizations and delegate authority for the management of certain aspects of IT to the business, in line with competence and a commitment to follow the rules (that is, policies ensuring that the enterprise doesn’t suffer at the hands of individual interests).

A simple but elegant way to responsibly delegate IT authority is to grant the business the authority over the

‘what’ of IT while retaining authority over how IT is delivered (a concept shared with me by Jerry Gregoire when he was leading the Dell IT organization). This means that your business customers determine the IT-enabled business strategies and plans, set priorities and service requirements, allocate funding, approve vendors and people, and define risk postures. Meanwhile, IT retains the final say over architectures, technologies, infrastructure strategies, decision rights, IT initiatives, resource requirements, methods and tools, and the required qualifications for people and vendors. The idea is to transition from a custodial model of IT — that is, doing IT on behalf of the company — to a fiduciary model, in which you ensure that the company does IT right.

The determination of decision rights should be based on the maturity of the organization, within the business as well as the IT department. Although the majority of companies are not mature in their usage or in their management of technology, ‘IT Decision Rights’ above serves as a reference point.

There’s a good reason why business partners often try to go their own way with technology. Since they run the business, they want control over the major factors of production: Money, people and technology. Don’t fight this impulse; the business side should have appropriate control of IT. Delegating authority over the

‘what’ of IT to the lowest level practical provides the means for IT to expand its organizational impact. Once that happens, you can transition from being viewed as a roadblock to an enabler.

Reader Q&A Q: Our government is undertaking a massive centralization, moving virtually all IT staff and management from 20 depart-ments to a centralized, shared-services IT organization. Many of us believe that the individual departments, which conduct the business of government, should retain at least some IT roles and functions to facilitate strategic planning, to steward the business’ IT vision and to ensure that the new, centralized IT organization delivers the maximum value for the funding it receives. Based on the table in the article, what roles should a lean and mean department-based IT group hold? A: You are right on target in your thinking. Assuming that the re-organization will result in few departmental IT resources, your role will become primarily one of planning, coordination and communication. As such, do the best you can to retain as many of the decision rights in the ‘business executive role’ column. It’s a matter of negotiation. CIO

Susan Cramm is founder and president of Valuedance,

an executive coaching firm in San Clemente, Calif. Send

feedback on this column to [email protected]

The Business execuTive’s Role: The ‘What’ of iT The cio’s Role: The ‘hoW’ of iT

it DECiSioN RiGhtSplay the proper roles to Do IT right

IT planning

project prioritiesService prioritiesproject implementationproject managementmoneyVendors/people

TechnologyCompliance/assetprotection

IT business initiatives, value projections,prioritization criteriabusiness initiativesService level objectives (SlOs)Timing: Stop, start, deter(no role)budget authority for business initiatives

Selection from qualified candidatesperformance evaluation over the end result (no role)risk posture

Target architecture, infrastructure strate-gies, sequencing criteria, decision rightsIT initiativesSlO resource requirementsEstimates and approachSkills, staffing, methodsbudget authority for IT initiativesStandards and qualificationperformance evaluation over the meansStandards and guidelinesapproach and resource requirements

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 2 9VOl/1 | ISSUE/5

Column SUSAN CRAMM.indd 21 2/8/2006 6:19:28 PM

The GlobalSTaTe ofInformatIonSecurIty

A worldwide study by CIO and PricewaterhouseCoopers reveals a digital landscape ablaze, with thousands of security leaders fighting the flames. But amid the uncertainty and crisis management, there’s an oasis of strategic thinking.

3 0 J a n u a r y 1 5 , 2 0 0 6 | reaL cIo WorLD VOl/1 | ISSUE/5

by G u n j a n T r i v e d i a n d S c oT T b e r i n aTo w i T h

r e S e a r c h e d i To r lo r r a i n e c o S G r ov e wa r e

ImA

gIn

g B

y B

InE

Sh

Sr

EE

dh

Ar

An

Cover Story.indd 24 2/8/2006 6:44:18 PM

Every day it’s something else. Millions of personally identifiable records stolen.Intellectual property left on a laptop that’s gone missing.Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies.Phishing scams by the thousands: Puddle phishing, Wi-phish-ing, pharming.

Then there’s spam and spyware, zombie networks, DDoS (distrib-uted denial-of-service) attacks and session hijacking. Online auction fraud. Online extortion. We haven’t even mentioned good old viruses and worms, but those still work too.

To borrow from forestry parlance, information security is an escaped wildfire. And according to The Global State of Information Security, a worldwide study by CIO and PricewaterhouseCoopers (PwC), you are the firefighters, desperately trying to outflank the fireline and prevent flare-ups and firestorms. It’s a thankless, impos-sible business.

In this environment, just holding your ground is a victory, and that’s what you’re doing. This is the largest survey of its kind, with more than 8,200 IT and security executives responding from 63 countries on six continents. The data has shows incre-mental improvement in the tactical battle to react to and fight off security incidents.

At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place. There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk man-agement discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.

Just 37 percent of respondents reported that they had an information security strategy — and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing.

“When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with Pricewa-terhouseCoopers, “Right now, there’s hardly a fire code.” Lobel com-pares the global state of information security to Chicago right before the great fire of 1871. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too.

Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. So we’ll delve into one industry sector — financial services — as a best practices group that, while still struggling to put out fires, has devoted more time, resources and strategic thinking to its information security posture than the average respondent. We’ll also highlight some other encouraging numbers that suggest that more companies than ever are laying the groundwork for a more strategic information security department.

In all, we’ll look at eight distinct cuts of the data from The Global State of Information Security. Use the data to benchmark yourself and to glean ways you can start to beat back the flames. Maybe even create a fire code so that if a cow does knock over a lantern, the whole city won’t burn.

The global State of Information Security, a worldwide study by CIO and PricewaterhouseCoopers, was conducted online. readers of CIO and CSO (a CIO sister publication), and clients of PricewaterhouseCoopers were invited via e-mail to take the survey. The results shown here are based on the responses of more than 8,200 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security from 63 countries. Indian organizations had a fair representation in the study with 206 respondents participating. The study’s margin of error is 1%.

The study represents a broad range of industries including computer-related manufacturing and software (11%), consulting and professional services (11%), financial services/banking

(9%), government (9%), education (7%), health care (5%), telecommunications (5%) and transportation (2%). Thirty-two percent of the executives surveyed reported total annual sales of less than rs 450 crore ($100 million), while 17% reported sales between rs 450 crore and rs 4,499 crore ($999.9 million). 21 percent of the survey base said their organization’s annual sales exceeded rs 4,500 crore ($1 billion), while 17% were nonprofit organizations. (12 percent didn’t answer the question.)

Fifty-four percent of the respondents held IT titles including CIO, CTO, vice president, director and manager while 10% were information security professionals. Twelve percent held CEO, CFO or non-IT director titles, while 24% listed ‘other.’

inside the Study

reaL cIo WorLD | J a n u a r y 1 5 , 2 0 0 6 3 1VOl/1 | ISSUE/5

Cover Story | Global Security


IT’s clear from The daTa that respondents spend most of their time in reactive mode: Responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironi-cally, the most common proactive step respond-ents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.

Having said that, a few numbers did pop out that suggest that the foundation is being laid for a time when information security may become more stra-tegic. This year, more companies employed security executives and focused on integration between phys-ical and information than in the two previous years.

“Organizations are now moving on from employing remedial measures to become techno-logically proactive to threats,” says Satish Warrier, head-information security, IDBI. “Enterprises are increasingly drafting security strategies to include both physical and information security,” he adds.

Security’s rising profile is most encouraging when you cross-reference the governance num-bers with effectiveness. Those companies where the function resides near the top have a far bet-ter security posture than the average respondent. For example, only 37 percent of respondents said they have an overall security strategy. At compa-nies with CSOs, that number leaps to 62 percent. Likewise, 80 percent of companies with CSOs also employed a CISO or equivalent, compared with about 20 percent overall.

“If risk management is a part of an organization’s structure, then the security framework will be artic-ulated and defined to meet the governance require-ments. With a risk management perspective, security executives look at both operations risks and business risks,” says Satish Das, CSO, Cognizant Technology Solutions.

Companies with an executive security function also reported that their spending and policies are more aligned with the business and that a higher percentage of their employees comply with internal informa-tion security policies. Companies with a security chief also measured and reviewed information security policies more than those without a security executive, and they were far more likely to prioritize infor-mation assets by risk level.

Resources are dialed up at companies with a security executive too. They averaged more full-time employees at their companies and higher

budgets. They were almost twice as likely to have a security budget separate from the IT budget and, while they were equally likely to get additional monies for security from the IT department, companies with executive infosec leaders reported getting more money more often from other lines of business, such as legal, risk, and compliance and regula-

tory groups. Companies that haven’t elevated the role outnumber those that have. But if com-panies that have elevated information security tend to act more strategically (and more com-panies are doing that), then it follows that information security is getting more strategic. It’s early on in the trend, but it’s a positive.


Sowing the Seeds of Strategic SecurityAs information security gains more status in the organization, security improves.

how does your organization fare against these global responses? do you budget separately for security? Please write in to [email protected] to share your thoughts and insights.

The big Picture

c o.in

21%18%

12%8%

5%5%

4%4%4%4%4%

3%3%

2%2%

Legal counsel

Chief privacy officer

Risk managementCSO

Other

Internal audit

Security committeeCOO

CFO

VPCTO

CIO (with security dept. independent of IT dept.)

CIO (with security dept. integrated with IT dept.)

Board of directors

CEO

Where/to whom does your CIO or equivalentinformation security executive report?

2004 2005

20%

15%

10%

5%

0

15 16

20 20

We employ aCSO or CISO.

The Good Newsmore executive attention is being paid to the security function.

60%

50%

40%

30%

20%

10%

0

29

50 53

We have some form ofintegration betweenphysical and IT security

‘03 ‘04 ‘05

35%

30%

25%

20%

15%

10%

5%

0

11

IT and physicalsecurity report to thesame executive leader

‘03 ‘04 ‘05

3126

11



Surveillance World The bigger the company, the more it watches its employees.

Eyes Wide OpenTracking workers’ information accessis the hottest trend.

Monitoring of employee use of Internet/information assets

60%

50%

40%

30%

20%

10%

0

36

59

34 29

In usein 2004

In usein 2005

Deployedlast year

A strategicinitiative this year

88%either monitornow or planto in thecoming year.

2004

2005

010%20%30%40%50%60%70%80%

3252

39

6436

68

44

72

Percentage of companies monitoring workers

1–1K 1K–20K 20K–150K >150KNumber of employees

Defense MechanismCompanies are still investing in technologies that shore up networks and applications.

companIes conTInue To InvesT in the fun-damental technologies that strengthen net-works and applications. Respondents most frequently listed data back-up (84%), network firewalls (82%), user passwords (80%), appli-cation firewalls (70%), and network security tools (61%) as the safeguards they had in place. Newer technologies such as biometrics and advanced access level tools and encryption are gaining popularity.

Indian organizations are a mixed bag when it comes to technology adoption. Technologies in the financial, telecom, pharma and IT/ITeS sectors are on par

with global deployments. Other verticals such as manufacturing or retail are still implementing and stabilizing their enter-prisewide transaction-level applications. These verticals are yet to go beyond basic security technologies, such as AVs, fire-walls and IDS.

“The Indian market is behind mature economies in terms of investment in se-curity technologies, stringent process and creating awareness across the organiza-tion,” says Harish Shetty, Vice President – Information Security, HDFC Bank.

Security Safeguards: TechnologyWhat security safeguards does your organization have in place?

0% 20% 40% 60% 80% 100%

Deploy encryption technology

Deploy reduced or single

sign-on

Deploy network firewalls

Deploy secure

remote access


There’s a sudden and dramaTIc rIse in companies monitor-in companies monitor-ing their employees. The upsurge, part of a trend towards more surveillance both in public and in private, can be attributed to several factors.

First, CISOs want to rein in instant messaging and other appli-cations. Those apps not only sap employee productivity but they’re easy vehicles for intellectual property theft and other information leaks. Second, security execs need to put down rampant spam and malware — feral creatures that often get into networks through unauthorized usage by employees and knock systems offline, slow down overall network performance, spread viruses and open up the network to further attacks. Third, they want to shield the com-pany from liability when employees use peer-to-peer networks to download copyrighted material, such as movies and music. And finally, there’s the evergreen insider threat. Thirty-three percent of all infosecurity attacks originated from employees, with another 28 percent coming from ex-employees and partners. In short, the only way security chiefs believe they can control the technolo-gies that their employees use is to watch what they do with them. That’s why 88 percent of respondents either have monitoring in place or plan to by year’s end. It follows, too, that bigger compa-nies have more to monitor and more resources to do it, and hence will monitor more.

Ironically, PwC’s Lobel points out, it could be the unintended conse-quence of another, positive trend that’s helping nurture the monitoring culture. “With more and more security organizations reporting outside of IT, they really don’t integrate day in and day out with the folks rolling out the systems,” he says. That is the trend. More companies have infor-mation security reporting to the CEO or other departments, and more are integrating it with the physical security function. Currently, the only way to combat that disconnect between who’s deploying the applications and who’s securing them is to monitor. “In fact,” says Lobel, “the less security reports to IT, the more you’ll need this watchdog function.”

North America South America Europe Asia Middle East



Safe DepositsThe financial services industry takes care of security business better than the rest of us. learn from their best practices.

The fInancIal servIces sector has long been presumed to practice superior information security, largely because of the preciousness of its assets (money) and the fact that its business is carried out almost entirely on IT systems. The stakes are higher, the risks are higher, so the information security protection must be higher too.To an extent, the data supports the idea that companies in the money business tend to be more strategic and more secure than the rest of us, and, it turns out, even more confident. Another factor that helps financial companies excel is that they tend to be bigger, and bigger companies usually have more resources. (Then again, bigger companies often have a harder time with governance, and financial services companies, by this data, show strong organization.) But, we chose the financial services sector as a best practices group for several other reasons. The stakes are fiercely high in a business shooting huge sums of money around IT networks. Also, financial services companies already use risk models, rOI and other strategic tools in other parts of the business and have begun to apply those same tools to information security. Finally, the financial community knows regulations and has for a long time. When it comes to information security, the financial services industry is in a position where everyone else is headed.The differences between that place and the place most people

Full-time security employees (mean number)For all respondents: 30For financial services: 46

Overall Financial services

Security budget as a % of IT budget 13% 12%Budget<$50,000 42% 21%Budget<$1 million 10% 21%Budget will increase this year 47% 58%Employ a chief privacy officer 17% 26%Employ a CISO OR CSO 34% 51%Have an overall infosec strategy 37% 57%Less than 50% employee compliance w/policy 30% 17%Policies not aligned w/business 21% 7%



Compliance? What’s That?The majority of information security executives range from ambivalent (at best) to downright dismissive (at worst) about the intentions, effect and pertinence of security regulations.

one pwc analysT called these numbers scary, but which is scariest? Is it the comparatively low number of respondents who are in com-pliance? Or the shockingly high number of respondents who cop to not complying even though they know that they have to? Or could it be the startlingly low number who believe that the regulations apply to them?

These numbers represent the respondents not only in the develop-ing economies but also in countries, such as the US, where regula-tions are stringent and pervasive. Interestingly, just 11 percent of respondents said they needed to be in compliance with California’s SB 1386 law, which mandates that companies report breaches of per-sonal data to consumers. Any company that has even one customer in California (US) must comply with the law. Similarly, more than half said they didn’t need to comply with Sarbanes-Oxley, and four out of ten respondents in the health care industry said that the Health Insurance Portability and Accountability Act (HIPAA) didn’t apply to them, which seems impossible on the face of it. Of the companies reporting from Europe, 45 percent of the respondents said that they

needed to comply with the European Union Data Privacy Directive. Only forty-one percent are in compliance.

Closer home, India has mandatory sector-specific compliance reg-ulations, like RBI’s core banking guidelines for the banking sector, but not pervasive laws mandatory for companies across all verticals to be compliant with. The IT Act, 2000 and other regulations lack teeth. “Unless the regulations are mandatory, organizations will not accord them top priorities,” says Warrier of IDBI. Apart from enter-prises in certain verticals, companies don’t fear any serious reper-cussions for not complying with the regulations, either because the mandates are too vague to really be enforced or the regulatory agen-cies aren’t devoting resources to enforcement.

Supporting the ‘lack of teeth’ theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group.

Nevertheless, organizations are increasingly focusing more on following best practices. If getting compliant to leading industry standards such as ISO or BS standards fuels business growth,


reaL cIo WorLD | D e C e M b e r 1 5 , 2 0 0 5 3 7

are today is pronounced. Start with money. Financial services companies have bigger security budgets, but not necessarily bigger vis-à-vis the overall IT budget. To whatever extent these companies are more secure than the average company, that superiority can be attributed to more efficient spending, and spending on strategic planning, not technology. One simple example of this is investment in network firewalls. It was the fifth most cited strategic priority for this year with all respondents, but it doesn’t even make the top 10 with financial services companies. ditto for data backup, which is number three overall but not on financial services companies’ radar. These companies have these important technologies in place but also seem to have shifted priorities, perhaps understanding that more technology doesn’t mean more security. (The one type of technology financial services companies do seem to be investing in is identity management — not surprising as a reaction to the Id theft epidemic). “Security strategies are no more in silos, and are looked at more comprehensively with well-coordinated efforts across the organizations,” says Shetty. On the other hand, the banks were far more likely to have listed compliance testing as a priority for next year compared with the overall respondent base. The need to get compliant to either mandatory regulations or industry standards also drives information security adoption in financial sector organizations.

“For PSU banks, reserve Bank of India is the final authority. Its guidelines or regulations are mandatory and our security strategies revolve around the same,” points out V. Babu, deputy general manager – IT, Bank of India. And just because the financial companies seem to be more strategic doesn’t mean they shy away from using threats to justify investments. While financial companies are slightly more likely to use rOI and contribution to business objectives as justifications for security investments, they are still far more likely to rely on legal and regulatory requirements, liability and revenue impact to justify their investments. Interestingly, half of all financial services respondents said “common industry practice” was one justification for security investments — suggesting either some level of information sharing amongst companies in the industry, or at least a copycat culture where many security executives try to keep up with the security leaders.One area in which the financial services sector doesn’t seem to outperform the rest of the respondents is integration with physical security practices. Watching the year-over-year numbers this year will be important given the number of high-profile data thefts that used physical security weaknesses — or at least the disconnect between the information security practices and physical security practices — to gain access to personal records.

VOl/1 | ISSUE/5


enterprises are making efforts to get certi-fied to the same. “Figures reveal that a large number of BS7799 certified companies are from India. This means that if business needs it, people will go for it. Government is also try-ing to optimize the laws to fill up the possible gaps in the regulations affecting personal data and information,” say Sivarama Krishnan, Associate Director, PwC.

But the point remains: The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indi-cates that they haven’t had the intended effect, at least on information security.

no-compliance Zone

No effect 43%Increased 34%Don’t know 19%Decreased 4%

Fewer companies than expected are following new government rules.

What is your compliance with the following u.S. regulations?

70%

Need to be

60%

50%

40%

30%

20%

10%

0

1832

17 15 17

3847

5944

64

38 38

Need to be and I am Need to be and I am not

California SB 1386 (U.S. respondents)

Sarbanes-Oxley (U.S. respondents)

HIPAA (Health-care respondents)

Gramm-Leach-Bliley (Financial services respondents)

Increased 46%No chance 39%Don’t know 10%Decreased 5%

regulations’ effect:

On spending On effectiveness ofinformation security

2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM2/8/2006 6:44:19 PM


So Many Breaches, So Few InsightsWhen it comes to malicious activity on their network, information security executives have more information than ever, but that doesn’t mean they know what to do with it.

numbers of daTa breach are unsettling. First, 47 percent of respondents report dam-ages as ‘unknown.’ This suggests that respon-dents have neither the time nor the means to truly calculate losses from a breach, or if they considered the attacks minor, they didn’t bother. The increased sophistication of attacks during the past year could also contribute to the rising ‘unknown’ group.

The more complex attacks hit more com-plex targets. Take the hypothetical identity theft of 1,000 customer records. Many experts are concerned about ‘deferred loss identity theft’ wherein thieves sit on stolen identities for months or years until victims believe the danger has passed. It’s hard to put figures on potential outcomes like that.

Other ‘unknown’ responses get one’s atten-

tion too: ‘Unknown’ showed up in survey responses as the second most prevalent attack type, the fourth most common attack method and the third highest attack source. Plus, data or material damages trail only firewall and IDS logs as the means of discovering attacks. In other words, information security profession-als most often react. They learn of attacks after the damage is done. And often once the

60%

50%

40%

30%

20%

10%

0

3646

23

36

5651

14 10124 5 3 1 2 1

after crore have been spent on security defenses,the number of reported incidents remains steady...

Security executives still have trouble identifying who is attacking them, where the attack is coming from and how it’s being done.The Great Unknown

0 incidents 1–9 10–49 50–499 500+

2003 2004 2005

Percentage who said they had incidents

50%

36

40%

30%

20%

10%

0

2933

29

1713

9 83 2

40 4347

13 82 2 2 1

2003 2004 2005

...and information security executives know lessthan ever about the damage the incidents cause.

Percentage who said they had damages

executives often don’t know howthey have been attacked....

15%Trafficking inillicit data/materials

21%Denial-of-service

25%Unauthorized entry

26%Unknown

59%Malicious code

Top five attack types

16%Known applicationvulnerability

19%Unknown

21%Abused valid account/permissions

26%Known OS vulnerability

68%E-mail virus

...or where they’ve been attacked from...

Top five attack vectors

11%Customers

20%Former employee

25%Other/Don’t know

33%Employee

63%Hackers

...or who’s attacking them.

Top five attack sources

Top five bearers of bad news

11%Managed service provider

14%Alerted by customer

21%Data or material damage

39%Alerted by colleague

50%Firewalls/log files/IDS

how did your organization learn of the attacks?Who do you tell?

12%

14%

Consultants

Partners/Suppliers

16%Customers

55%No one

Contacted as a result of attack:


$0 damages <$10K $10K-$100K $100-$500K >$500K Unknown



events happened, they couldn’t figure out what it was, where it came from, or who did it.CIOs, CISOs and CSOs have gotten quite good at col-lecting and logging events on their networks — orga-nizing their haystacks — but haven’t been able to reli-ably turn all that data into intelligence — efficiently finding the needles before they are pricked by them. A long-term strategic goal of all information security departments should be to reorganize so that they work as an intelligence unit rather than just a data collection unit.

This Year’s To-Do Listrespondents identified their top strategic priorities for this year. here are the 10 most common answers.

Follow The Money...Please!Information security is getting more money, but exactly how much and from where isn’t always clear.

a full fIfTh (22 percent) of information executives who responded said they didn’t know how much their companies budget for infosecurity. More signs of a lack of proactive, strategic focus. Not good.

Good news: The information security function can shake some money out of other departments’ pockets to supplement its own appropriations.

The larger companies are most guilty of not tracking their spend-ing well. About 40 percent of the 1,700 companies with Rs 22,500

crore ($5 billion) in revenue or more said they didn’t know their in-formation security budget. Bigger companies, with more divisions, might have a harder time pinning down all the monies devoted to information security. In fact, the bigger companies reported much higher usage of money from other departments for security than smaller companies did. Many bigger companies also have inte-grated information and physical security, making their information

security budget a less distinct entity. “This is a growing trend. The moment you see a

certain percentage of the operations budget has been earmarked for security, you know that there are cer-tain initiatives that an organization has planned for,” says Das of Cognizant.

“With the process owners taking ownership, se-curity is considered as a necessary value-add to the business and is computed with the TCO and ROI of the initiative,” adds Krishnan of PwC.

However, this kind of departmental-budgeting approach is yet to find major acceptance. “It’s far more common to find the budgeting model of hav-ing charge-backs on business units rather than on departments for necessary usage in Indian enter-prises,” says Unni Krishnan T. M., CTO & Customer Care Associate, Shopper’s Stop. cIo

Send feedback on this feature to [email protected]

Where the Money Comes FromOne–fifth of respondents have no idea.

Where, besides the informationsecurity budget, does money forinformation security come from?security budget, does money forinformation security come from?security budget, does money for Information security budget

as a percentage of IT budget:

58%IT

22%Don’t know

19%FinanceCompliance/

RegulatoryCompliance/

RegulatoryCompliance/

18%Other LOBs

15%Risk dept.

13%Legal

10%HR

Marketing

19%

10%

Is your information security budgetpart of your IT budget or separate?

Part of 84%

Separate 16%Separate

2005 13%2004 11%2003 11%

reaL cIo WorLD | J a n u a r y 1 5 , 2 0 0 6 3 9VOl/1 | ISSUE/5

This list further reinforces the reactive nature of information security. Awareness programs often score high as a strategic priority because they’re relatively low-cost. One should expect number 10 on this list will shoot up in priority next year, given the steady stream of identity thefts and other major information crimes.

1. Disaster recovery/business continuity2. Employee awareness programs3. Data backup4. Overall information security strategy5. Network firewalls6. Centralized security information management system7. Periodic security audits8. Monitoring employees9. Monitoring security reports (log files, vulnerability reports and so on)10. Spending on intellectual property protection

2/8/2006 6:44:20 PM2/8/2006 6:44:20 PM

A Passion for Excellence

CIO: What role has IT playe-das Wipro changes and evolves as an organization?

Azim H. Premji: Wipro has used IT strategically to address the rapid scal-ing-up of the organization. Five years ago, standardization on a single ERP platform was the first step towards this direction. The adoption of an Employee Self-Service portal around the same time was an important milestone for us. It enabled us to handle the issue of the rapid increase in the employee head-count: In one stroke, we were able to eliminate paper-based processes and to crash cycle-times of employee services. I would say that without the strategic

deployment of IT, we would have strug-gled to cope with our pace of growth and to drive operational efficiencies. We have managed change by involving all key business stakeholders in both crucial IT decisions and their implementation.

Did you face mindset is-sues while integrating IT into a brick-and-mortar enterprise?

One factor that works in our favor is that we provide enterprise-scale IT services to our own clients. Hence the orientation to use IT is pretty high. We have not had any major issues of resis-tance to IT systems.

Azim H. Premji, Chairman,

Wipro, says CIOs must combine vision with an

operational drive to translate

strategies into effective solutions.

Under Azim H. Premji’s leadership, Wipro has grown from a fledg-ling Rs 9 crore hydrogenated cooking fat company to a Rs 8,000 crore organization serving customers across the globe. Premji firmly believes that ordinary people are capable of extraordinary things and he’s of the opinion that creating highly charged teams is the key to this.

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

VIEWTOPfrom the

BY Balaji NarasimhaN

4 0 j a N u a r Y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5

view from the top_Azim_New.indd 36 2/8/2006 6:58:20 PM

Ph

ot

o b

y S

rIV

at

Sa

Sh

an

dIl

ya

, Im

ag

Ing

bIn

ES

h S

rE

Ed

ha

ra

n How has Wipro used IT to build a strong foundation as you pursue excellence?

We use IT in all facets of our business and IT is a key enabler of our strategic objectives. The success of all our major initiatives in excellence like Six Sigma, SEI-CMM and PCMM have depended heavily on corre-sponding automation programs. Starting from ‘Prospect Management’ right down to ‘Accounting and Reporting’, we have IT systems driving all our business processes.

Going forward, our strategies for growth cannot succeed fully without the parallel scaling-up of IT systems.

How do you then define the success of IT projects?

That is ultimately determined by the extent of usage of the application by the users. While formal measures like Schedule and Cost overruns measure project-manage-ment skills, the value of an IT project is real-ized only over a period of time. I would say

that if an IT application is used effectively by the majority of users for a minimum period of three years, it is a success.

Wipro runs on IT. What is your personal level of excellence for CIOs?

CIOs must be as savvy about the key driv-ers of business as they are of IT issues. CIOs must combine long-sightedness and vision with a strong operational drive that translates vision into concrete and effective solutions.

REAL CIO WORLD | j a N u a r Y 1 5 , 2 0 0 6 4 1Vol/1 | ISSUE/5


CIOs must have the wherewithal to engage with key stakeholders in the organization and manage change over sustained periods of time. CIOs must have outstanding people skills.

What is your involvement with CIOs at Wipro?

I personally review the annual plan of the CIO group and thereafter review the progress every quarter and sometimes more frequently. I ensure that all key business pri-orities get addressed by the CIO’s group and step in for decisions related to funding.

Do boards consider CIOs important? Do CIOs get adequately discussed at that level?

The strategic importance of IT has in-creased manifold in the last decade and has moved into the radar screen of most boards. While the dot com boom (and the subsequent bust) had its negatives, it also helped create a widespread awareness of the pervasiveness of IT. It brought IT to boards’ attention and there has been no looking back.

In your mind, is an Indian CIO’s role driven by initiative or by the board?

As of today, the Indian CIO’s role is still initiative-driven but it is just a question of time before it becomes board-driven. What will push this is the increased globalization of Indian companies, more ambitious growth targets and a need to comply with corporate governance norms like Sarbanes-Oxley.

Do you see CTOs moving into a CIO role?

CTOs can move into a CIO role provided they balance their strong technology capabili-ties with a robust understanding of business concerns. A CIO’s impact is much larger as it affects all levels of the organization. A CIO’s

role requires very strong communication and people competencies. CTOs who measure up to this can definitely move in.

Do you see CIOs ascending to the board? What skill-sets would they require for this?

The CIO’s role by default requires him to have a horizontal view of the entire organization. He needs to combine tech-nology-savvy with a robust perspective of how business is run and what its key drivers are. There are many examples of successful CIOs who have a track record in sales, operations or finance and vice versa. A CIO’s role requires him or her to balance a strategic perspective with strong execution skills. This qualifies them to ascend to the board.

Does the Indian industry gives credence to Business Intelligence? Is it the key to CIO ascendance?

The Indian industry has probably just woken up to the potential of Business Intelli-gence (BI), but we are already a few years late. We embarked on a major BI initiative last year and invested in world-class systems. Effective BI or the lack of it can be a crucial differentia-tor and the CIO has to play a central role. The automation of transaction systems is relative-ly easy and the real challenge is in doing BI well. This separates the boys from the men.

Is there place for a supra-CIO in a multi-SBU organiza-tion like Wipro?

There is no standard formula and each or-ganization has to work out its own best solu-tion. A federated structure works well when there is a strong, central IS organization that sets policies, drives standards and runs the governance model but there have to be local execution teams to shorten implementation cycle-times and provide flexibility. A supra-CIO is a good idea but he should be supported by strong SBU-level IS heads — without which he may not be very effective.

How do you choose, at an SBU-level, which technology initiative to fund?

Several of our technology initiatives are common across SBUs — from the point of view of standardization, we try to keep things common across. However, a decision to fund an SBU-specific initiative is made based on a formal ROI or benefit analysis and on whether that initiative’s footprint can be extended to other areas of the organization. We also fund initiatives for solutions that are unique to a particular industry-model. CIO

special Correspondent Balaji Narasimhan can be

reached at [email protected]

View from the Top

“CIOs are required

to balance strategic

perspective with strong

execution skills. This qualifies

them to ascend to the board.”



Trendline_Nov11.indd 19 11/16/2011 11:56:19 AM

The worst day in Joe Eng’s career was the day he told his CEO that his company’s most important IT project — a Rs 2,250 crore ($500 million), state-of-the-art global network that is among this decade’s most important IT initiatives in the finan-cial services industry — would be three months late.

Eng is CIO of the Society for Worldwide Interbank Financial Telecommunication (Swift), a financial industry-owned coop-erative that supplies messaging services and software that most

CIO Joe Eng set new performancestandards for his IT department, negotiated

technical requirements with demandingbusiness partners, calmed nervous end usersand built a multi-million dollar global network

by following four simple principles

Reader ROI:

pectations��hy managing ehy managing ehy managing ehy managing e��pectations pectationspectations pectationsfor an IT project is critical

The differing concerns ofThe differing concerns of The differing concerns ofThe differing concerns of The differing concerns ofsenior e�ecutives, company employees and customers

��rinciples for derinciples for derinciples for de��ning and ning andning and ning andmanaging e�pectations

The Four(Not Three,

Not Five)Principles of

Not Five)Principles of

Not Five)

ManagingPrinciples ofManaging

Principles of

ExpectationsManaging

ExpectationsManaging

BY A L L A N H O L M E S

4 4 J A n u A r y 1 5 , 2 0 0 6 r y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 4 5Vol/1 | ISSUE/5

of the world’s banks use to send trillions of dollars in financial transac-tions daily. In February 2003, Eng and his team were testing the backbone of SwiftNet, the new network. With only a week before the two-year rollout of SwiftNet was scheduled to begin, the net-work monitoring software was not working reliably. Fixing the problem would take a few months. Eng’s boss, Swift CEO Leonard Schrank, had to know.

And so Eng called Schrank at headquarters in Brussels with the bad news. Schrank was incensed. The last time Swift replaced its network, in the 1980s, the project was years late, and Swift’s banking customers hadn’t forgotten. What would they think now?

“The problem had a very visible repercussion,” Schrank says. “This was like delaying a space shuttle launch, with all the political pres-sures.” Eng endured Schrank’s grilling.

But the pain was short-lived. By the end of the 10-minute call, Eng had explained the problem, offered a solution and reset Schrank’s expectations for when SwiftNet would be ready. He would do the same thing a few weeks later, when he was called on to repeat the story to Swift’s board of directors. Three months later, with SwiftNet fixed, the rollout began, just as Eng had promised.

Eng’s encounter with Schrank may have been his most difficult moment, but there were many instances during the six-year project when Eng had to define — and then redefine — what he would deliver

Swift CIo Joe Eng balanced competing demands from company executives and customers through constant communication and negotiation.

Leadership P

ho

to

by

Cl

aU

dIo

Va

zq

UE

z

Feature - Not one Not two...indd41 41 2/8/2006 6:46:35 PM

and when. For many CIOs, their toughest challenge is managing the expectations of senior executives, end users, IT staff and employees across the company, and the failure to address constituents’ expecta-tions undermines CIOs’ credibility. In fact, expectations management can define whether or not your IT department is successful. (‘Managing expectations’ is one of five must-do items identified by CIO’s editors.)

In Eng’s case, Swift IT staff, business leaders and its 7,800 shareholders (who are also Swift’s customers) all had their own ideas about what SwiftNet should be. Eng couldn’t possibly accommodate everyone’s demands, or predict every problem that might crop up.

But he could be prepared to deal with them. Eng knew that managing expectations for SwiftNet would require frank communication, creative planning and deft diplomacy. He devised a strategy that included training internal IT staff and other employees about SwiftNet and its goals, providing choices to customers without compromising standards or efficiencies, and satisfying board members and executive staff within defined parameters.

“I understood that the project had to do with understanding the stakeholders and what their needs were and being flexible enough to meet them without straying too far off course,” Eng says. “It’s a sensi-tive balancing act.”

A High-Stakes ProjectSwiftNet was no minor upgrade. It represented a multi-generational advance in telecommunications technology that the global financial industry required in order to operate in the future. Global competition means banks need to close financial transactions in near real-time (rather than waiting days sometimes) and to offer new network-based services. Swift provides the primary messaging and transaction net-work that makes international finance possible.

Swift’s 7,800 customers in 200 countries generate millions of messages daily in order to conduct trillions of dollars in transactions. These transactions range from the simple, such as exchanging foreign currencies, to the complex, such as clearing securities trades.

Swift’s legacy network, built on 1980s X.25 technology, was an aging, albeit dependable, workhorse. But manufacturers who supplied hard-ware for the network were closing out production of their old products. Furthermore, the cost of maintaining the network, at nearly Rs 270 crore ($60 million) a year, was increasing — costs that were passed on to cus-tomers. Most importantly, financial institutions wanted new messaging services that would allow them to offer Web-based products to their customers, decrease financial risks and lower their operating costs. One service the banks wanted was instant messaging that would alert them when a transaction was completed. Other customers, including John Galante, CTO with JPMorgan Worldwide Securities Services, needed more bandwidth to deal with a growing volume of securities trades.

The project had numerous risks, not the least of which was that any malfunction of SwiftNet during the migration would disrupt transac-tions and cost customers money. “The biggest challenge was how do we do this conversion while we support the ongoing business,” says Galante. Mistakes held the potential to bring international finance to a halt. “If SwiftNet were down a day, we would have a worldwide crisis,” says Mike Fish, deputy CIO for Swift. Swift executives worried that any major failure would encourage customers to abandon SwiftNet for Internet services offered by telecommunications vendors.

Eng knew, however, that conflicts and problems were inevitable. “I knew [managing expectations] was going to be my number one job, and I needed help,” Eng says. He found it in a set of four principles for ensuring that everyone understood what they had to do, what IT would deliver, and when.

Principle #1 Define Expectations Internally Eng set as his first task making sure his staff understood why new messaging technology was needed and how they would approach designing, building and deploying it. Previous proj-ects, including the last network upgrade, had fallen short because the IT staff spent too much time debating technologies and approaches to development.

Eng assembled a cadre of senior and middle managers from throughout the company whom he thought employees admired and trusted. If these managers bought into a common approach to the project, the staff would take their cues from them. The debates about technology and deployment strategies would be minimized.

“I needed these vanguards out there in the company selling the idea of change because I spent a lot of my time working with executive management, the board and customers,” Eng says. “[And] I just didn’t have the time.”

Eng is an Apollo mission buff and an avid reader about the subject. The astronauts in the Apollo program, as portrayed in Tom Wolfe’s 1979 book, The Right Stuff, had developed strong communication skills, along with an ethic of teamwork and trust. Eng sought to replicate their camaraderie, and so, working with Swift’s human resources director, he devised a leadership training program (which he called The Right Stuff) to impart the necessary skills to his management team.

In keeping with The Right Stuff theme, Eng borrowed the famous line, “Failure is not an option,” from the 1995 movie Apollo 13. The IT shop adopted the line as its motto, and it soon became a guiding principle within Swift. The expectation was set: When problems cropped up, the IT team would manage them and learn from them without letting the project get derailed.

4 6 J A n u A r y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | ISSUE/5

Leadership


On past projects, there had been little collaboration within the IT department or across Swift’s business functions, so Eng sent his first class of trainees (mostly those decision-makers involved in the design, architecture and operations of SwiftNet) to NASA to learn teamwork. At the US Space and Rocket Center in Huntsville, Ala., they rode in a space shuttle simulator for a team-building exercise, and NASA staff taught Swift managers how to make decisions quickly. Astronauts Wally Schirra, Dave Scott and Alan Bean told the group about trusting their colleagues.

The class returned to work with a plan for building a cohe-sive project management group by creating flexible teams for design, operations and testing. The managers also reworked the way Swift’s IT department measured performance. Rather than measuring the amount of time spent on specific tasks, managers would measure the results of the work.

The Right Stuff group also instituted town hall meetings twice a year at locations worldwide, where speakers from across the company helped allay fears that SwiftNet would not deliver the services users needed or that the IT staff was out of touch with those needs. “What this did was narrow and align people’s expec-tations to a common set,” says Eng.

Principle #2 Establish Rules of EngagementEng knew that if he tried to satisfy too many stakeholder requirements for SwiftNet he would end up with a mess.

Most customers felt strongly that they needed everything they wanted, and they expected Swift to accommodate them. Rather than debating every idea with every customer, Eng decided to develop SwiftNet through pilots with a subset of representative customers. Whatever functionality was built into the pilots became the basis for SwiftNet’s requirements. The pilot customers understood what to expect from the system because they had been involved in deciding what they would get. They could then effectively manage the expecta-tions of other customers by becoming public supporters of the system they helped build.

For example, Eng and his team used the pilots to determine which platforms SwiftNet would support. They settled on three platforms that would accommodate the largest percentage of customers while keeping the system cost-effective: Sun Solaris, IBM AIX and Windows (for smaller banks). By standardizing on these platforms, Swift was able to oblige 80 percent to 90 percent of its customer base.

While Eng had never promised to support everyone’s legacy sys-tems, that didn’t stop customers from lobbying for their unique plat-forms. “They came in waves,” Fish recalls. “At meetings, there were

people pulling board members and our people aside to say, ‘Hey, I know you can’t include everything, but we have a VAX. You have to make it work with that too.’” Pressure to add requirements also came from within Swift, as the marketing and sales staff pushed for services they could sell to customers.

Eng managed all of these requests by using a standard process for determining ROI. The litmus test for a requirement was whether it had a positive ROI for the customer. If it didn’t, Eng’s staff would point out the requirement’s downsides, and most customers would agree that the consequences were not worth the effort. Another argument Eng and his staff employed was to explain that the requirement could not be done technically or within the given time frame (he might agree to put off the requirement for a later release).

The bottom line was that the new messaging services had to benefit the vast majority of the banks. “I would say: If you can show me how to justify it, then we’ll do it,” says Eng. Using this approach, Eng and the IT staff settled on the services and messaging capabilities the new SwiftNet would offer.

Principle #3 Deal with DoubtersThe CLS Group, a foreign exchange service based in London and one of Swift’s bigger customers, was one of the participants in a SwiftNet pilot. As the day approached to launch the pilot, CLS executives were getting nervous. Testing of SwiftNet had pro-duced the inevitable bugs and glitches, and CLS began to sec-ond-guess whether the network would be as reliable as Eng had

Pilot customers understood what to expect from the system because they had helped decide what they

would get.

Leadership



promised. They weren’t even sure who exactly was responsible for setting up interfaces between CLS’s platform and SwiftNet — Swift or CLS’ operating systems vendor, IBM.

CLS executives wanted to clarify responsibilities for the project, so they asked Eng to meet with them and IBM. “There would have been no second chance if it could not be shown that the end-to-end system worked effectively,” says Rob Close, group CEO at CLS (he was then the chief operating officer).

To prepare for the meeting, Eng asked the project manager and tech-nical director to find out whatever they could about how IBM viewed its role in the project. He also made himself aware of the source of the

confusion (a disagreement about what was causing the problems dur-ing testing — IBM’s application or SwiftNet’s difficulties interfacing with IBM). “I didn’t want to be surprised, and I wanted to be honest and stick to the facts,” Eng says. After numerous meetings, Eng clari-fied Swift’s and IBM’s responsibilities for the deployment.

CLS executives were satisfied. “Joe showed a sense of pragmatism and goodwill to find the way forward in what otherwise could have been a difficult circumstance,” Close says.

Principle #4 Not Everything is Negotiable Finally, in the summer of 2003, SwiftNet was ready to roll out, and Eng came face-to-face with an expectation from customers that was non-negotiable. He had to meet the deadline for deployment.

Eng had wanted to recapture the time he lost earlier in the year, when he was sidetracked by the network management glitches, as well as build in time to deal with complications. To compensate, he wanted to move the completion date for the rollout from December 2004 to mid-2005. He was concerned that Swift’s largest users would need 18 months to migrate to the new system. Banks had to follow a complicated process to migrate to SwiftNet that included deploying a pilot before they would be ready for full operation.

But slowing down the rollout wasn’t an option, according to Y.B. Yeung, head of information technology in the Asia-Pacific region for Hong Kong & Shanghai Banking and a member of Swift’s board of directors. “Any delay would be a sign that Swift was not meeting customer demand,” says Yeung, who chairs the board’s technol-

ogy and policy committee. Galante adds, “Holidays, planning for disaster recovery, regular system upgrades, took time. If anything, we wanted to go faster.” Eng went back to his staff with the message that the deadline was not moving.

Within two months, Eng presented a new deployment plan that both met the deadline and addressed his concerns that banks have enough time to get the migration right.

Eng’s original plan was to assign countries to “windows,” in which Swift’s smaller customers in each country or region had a set time to migrate to SwiftNet. Large customers had their own migration schedules. To make up for lost time, Eng devoted addi-

tional resources to quality assurance before the migration began. In addition, his staff found ways to add the large customers to each country window or overlap the beginning and end of each window so that more banks were migrating at a time. To simplify the pro-cess for ordering services, Eng’s team created an online application for customers to place their orders.

The migration was completed on time, with no notable problems, according to Yeung. Yeung gives Eng high marks for his respon-siveness to customers. “He says, ‘I hear what you are saying,’ and then he goes back and sees if there are ways to meet your needs. That way he [is] innovative in identifying solutions.”

In other words, Eng and the IT department succeeded and earned credibility by effectively managing stakeholder expectations. CIO

allan Holmes is �ashington Bureau Chief. Send feedback on this column to

[email protected]

Pressure to add requirements was managed usinga standard process for determining ROI.

Share Your Opinion

how tough do you find managing the expectations of senior executives, end users, It staff and employees ? Please write in to [email protected] to share your thoughts and insights.

editor@c o.in

Leadership



Trendline_Nov11.indd 19 11/16/2011 11:56:19 AM

Ill

us

tr

at

Ion

by

sh

ya

m D

es

hp

an

De


Several courts in India are video conferencing Several courts in India are video conferencing with prisons to ensure quicker and safer trials. with prisons to ensure quicker and safer trials. The technology, while also saving the exchequer The technology, while also saving the exchequer crores of rupees, has revealed more benefits than meets the eye.

By Ba l a j i N a r as i m h a N

Justice delayed is Justice DeniedAccording to the National Human Rights Commission (NHRC), as on June 30, 2004, 336,152 prisoners were crowded into jails across India. An overwhelming 239,146 of them — accounting for over 70 percent — occupy the shadowy world of the undertrial. Undertrials find themselves between a rock and a hard place. Not yet sentenced, they cannot start the process of getting out of jail and most are too poor to make bail. While only about two percent of those processed through the criminal justice system are finally convicted, undertrials face incarceration while they wait for a hearing. As a consequence, India’s jails are now overcrowded to almost thrice their capacity, which means inmates in some jails sleep in shifts.

Haazir Ho

Reader ROI:

How a straight-forward technologylike video conferencing can deliverquicker justice

Why undertrials are among thosewho benefit the most from videoconferencing

Why video conferencing can savea government more than travelcosts

Present yourself

Govern Main.indd 44Govern Main.indd 44Govern Main.indd 44Govern Main.indd 44Govern Main.indd 44Govern Main.indd 44Govern Main.indd 44Govern Main.indd 44 2/8/2006 6:47:15 PM2/8/2006 6:47:15 PM

Many undertrials continue to languish in jail only because the justice system, burdened with logistical problems, is unable to give them a hearing. The only way out was to radically change the way that under-trials got a hearing.

Employing video conferencing to link prisons and courts was a brilliant idea. But the presumption of failure could have been overwhelming since e-gov-ernance projects are associated with high costs. And unless departmental buy-in is secured, a project is normally destined to be categorized, tagged, bubble-wrapped and shelved — to remain a file forever.

Fortunately, none of these affected video conferencing adversely.

Video conferencing is a not-so-high-cost and rela-tively simple solution to facilitating people’s appear-ance in court. Its first implementation, in Andhra Pradesh in 2000, cost a mere Rs 1.5 lakh. Karnataka soon followed suit.

The road to video conferencing in courts was paved by the Supreme Court in 2001, when it authorized the technology’s use. The judgment settled matters: Any resistance to buy-in from lower courts or prison departments was quickly banished.

The step, which pleasantly surprised many given the normally conservative approach of the law, wasn’t a sudden decision. The Supreme Court, the Department of Information Technology (DIT) and the National Informatics Centre (NIC) had been working with the ministries of Home and Law since the early 1990s to create a video conferencing system. It was part of a larger movement driven by the NIC to computerize the Supreme Court. They worked in collaboration with Singapore, which had utilized IT effectively in the judicial process since 1996.

Changes in national government leadership, how-ever, caused delays. The NHRC stepped in and made a committed push to implement the technology. Once it got the Supreme Court on its side, the project over-came inter-departmental conflicts.

A project as successful as video conferencing has differing versions of who pioneered it. According to many accounts, Bihar was the first state in the coun-try to adopt video conferencing in courts. However, Andhra Pradesh may have been the first to lead the way. Way back in December 2000, then State Gov-ernor C. Rangarajan amended the law to enable a

defendant to stand before a magistrate “either in person or through the medium of video linkage.” Andhra Pradesh’s first video link was operated between the Chanchalguda central jail and the Nampally City Criminal Courts. And, it cost a mere Rs 1.5 lakh to set up.

In early April 2003, the Supreme Court permitted trial judges to record evidence from witnesses living abroad via video con-ferencing. Within a week, a court in Mysore conducted India’s first long-distance case, involving a copyright violation against Los Angeles-based 20th Century Fox.

It’s Cheaper, Sue UsVideo conferencing is that rare solution that works to every-one’s convenience. State governments in India, which fun-nel large amounts of funds towards prison upkeep, have been able to save considerably using video confer-encing. At last count, the state of Andhra Pradesh employed 1,000 police constable everyday to ferry inmates between jails and courts. While video conferencing has not entirely seen the end of this practice, it has made impressive inroads in pruning transportation costs.

Figures provided by Karnataka alone are proof. Between June 2003 and November 2005, 68,191

e-courts

Vol/1 | Issue/5

Telgi, a criminal whose blood many want spilt for crimes that implicate people in the highest rungs of the government.

The police arrest him in 1999 but he jumps bail and vanishes. The law finally catches up with him in a surprise raid at his hideouts at Ajmer

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 5 3

Govern Main.indd 45 2/8/2006 6:47:24 PM

e-courts


people from five jails across Karnataka (Bangalore, Mysore, Belgaum, Bijapur, and Dharwad) were pro-duced before a magistrate using video conferencing. It saved the government over Rs 1.26 crore in trans-portation costs alone. It’s the sort of money that goes a long way in a prison, which would explain why almost every state capital now video conferences between its city court and jails.

Dharam Pal Negi, Additional Director General of Police and Inspector General of Prisons, Karnataka State Police, says that what they saved directly from transportation is the least of it.

Depending on whose version one believes, Sayyed Khwaja Yunus, accused in the Ghatkopar bombing incident, either escaped from a police vehicle in January 2003 while being transferred from Mum-bai to Aurangabad or was done to death. In another incident, Manoj Kumar Singh, a notorious undertrial criminal escaped from Patna in May 2004 under similar circumstances.

Curiously, undertrial escapes, and the inquiries that follow had been a fairly routine affair. While putting a figure to the cost of re-capturing an inmate is tough, there is no taking away from the fact that it is a cost both in material resources and scare man-power. And transfers, made sometimes on public transport, are an ideal time for criminals to make a quick getaway. Though, human rights activists

allege that in some cases ‘escapes’ were a means to ‘silencing’ certain undertrials.

Thanks largely to video conferencing, Negi says, there have been no undertrial escapes from national prisons in the last two years. “There can’t be a better system,” says Negi adding that “its intrinsic value cannot be measured.”

Courting Unseen BenefitsThere’s more to video conferencing than merely bridging the physical distance between the jail and the courtroom, echoes Dr. V. Vijayakumar, Regis-trar and Professor of Law, National Law School of India University, Bangalore. Dr. Vijayakumar says that video conferencing is really useful in child molestation cases where victims are shielded from the trauma of facing their assailants via a one-way video link.

Dr. Vijayakumar also says that video conferenc-ing has a ripple effect that has “curbed corruption, enhanced accountability, and reduced the number of adjournments in a case.”

Under law, remand can be given in 15-day units, a right that is flagrantly ignored by the current sys-tem due to logistical barriers in prisons. Getting to the head of a line to see a judge has given occasion for corruption to bloom. Video conferencing by dint of lending better access to judges cut through the

Don’t even think

of making a break for it on

the way to court!

I got my eyes on you.


Vol/1 | Issue/5

mass of corruption that surrounds the undertrial and ensures a speedier trial.

Video conferencing works two-ways. The court’s ability to look into prisons has reduced the harassment of inmates and given them a better chance to access medical aid. Video conferencing has made it possible for judges to view inmates directly. This in turn has made jail authorities more accountable.

The system has also proved its effectiveness in high-profile cases where witness protection is man-dated. Pappu Yadav, who is being tried in Patna from Tihar jail, and Abdul Kareem Telgi, who allegedly features in varied hit lists and is being tried simulta-neously in over five cities, are among those who have experienced video conferencing.

Forward MotionThe benefits of video conferencing in courts have

ensured that its usage has spread. “Almost every state capital has got video-conferencing between its city court and jail,” points out C. L. M. Reddy, Head of Department, Courts Division, National Informat-ics Center, New Delhi.

The NIC, taking the process one step further, has proposed that lawyers should be allowed to video conference between their offices and the court, sav-ing them travel costs and discomfort too. This request is still pending with the judiciary.

This, however, may only be a matter of time, as judges come to realize the immense potential of video conferencing. Talwant Singh, Additional District and Sessions Judge, New Delhi, and Chairman of the District Courts Website Committee, says, “There is

a strategy behind video conferencing usage and it is not being used only for remand cases.” According to Singh all the three courts in New Delhi — Tis Haz-ari, Patiala House, and Karkardooma — have video conferencing studios. It has condensed trial time and has served justice better, he stresses.

In the June 2002 edition of its bi-annual analysis of prisoner population and undertrial prisoners, the NHRC found that the undertrial prisoner population was at 75 percent of the country’s total prison population. This figure came down to 71 percent by June 2004, a difference of about 100,000 people. Some of this change is attributed to video conferencing. In September 2005, NHRC Chairperson Justice A.S. Anand lauded various measures being used to uphold human dignity in jails, including video-conferencing.

Video conferencing is being greeted so enthusias-tically by those connected with the law that newer uses are being found continually. Tihar Jail now uses

Qualified Witnessesone of the first uses of video conferenc-ing in a court setup occurred in singapore in 1996 and involved the las Vegas hilton Corp. and a singapore businessman. singapore began actively using comput-ers in the judiciary when yong pung how became Chief Justice in 1990. From Feb-ruary 2002, singapore’s supreme Court and several law firms started trials to use Ip video conferencing for matters heard in court chambers before a registrar.

today, singapore uses the best in tech-

nology and judges, lawyers, and others use advanced software to ‘mark’ locations of crime and other details on a screen, according to Dr. V. Vijayakumar, registrar and professor of law, national law school of India university.

the us is also a key player, and leading the fray is the new Jersey Judiciary, which installed one of the largest video con-ferencing networks for court systems in april 2000. It has 29 remote sites located throughout the state. Video conferencing

saved West Virginia rs 135 crore ($30 mil-lion) in the first year of operation.

scotland is among the countries that have recently implemented video confer-encing. the scottish Court service, as part of its ongoing commitment to improve the efficiency of court proceedings, brought video-conferencing to a total of 26 court-rooms in June 2005.

— b.n.

My lord, I strongly recommend we put him on a video conference link from prison.

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 5 5


e-courts


video conferencing between inmates and visitors to curb the smuggling of money, narcotics, cell phones and weapons.

Yet another innovative usage of video conferencing was implemented by the Court Dispute Resolution International (CDRI) in Singapore. CDRI is a settlement program co-conducted by a Singapore judge with judges from Australia and Europe. A similar system employed between the Portuguese and Indian courts during Abu Salem’s deportation might have expedited his extradition .

The system, as any that brings about change, has its share of detractors as well. One among these is Byatha N. Jagadeesh, Advocate, Alternative Law Forum, an NGO which works for the rights of under-trials. “Video conferencing is detrimental to the rights of the accused, since they will never feel free to talk, surrounded by the police,” he points out. The court is also a meeting ground where undertrials can interact with family members. Video conferencing, he observes, prevents this.

While a few such valid issues remain, some lawyers,

who have been known to rely on adjournments to delay cases, do not like video conferencing. The technology makes it much harder for them to prolong cases indefinitely.

Now that’s something that we can all live with.CIO

Special Correspondent Balaji narasimhan can be reached at

[email protected]

Bailing OutVideo conferencing is only as effective as its enforcement as militant cleric, abu bakar bashir, demonstrated in Jakarta, in June 2003.For bashir’s trial, five television monitors were installed in the courtroom to enable three suspects in singapore to testify. authorities in Jakarta also planned to video conference with other detainees in malaysia.

although Jakarta had used video con-ferencing twice before, bashir’s advo-cates, led by senior lawyer mohamad asegaf, walked out in protest, cheered on by hundreds of bashir loyalists.

bashir, who was not allowed to leave the courtroom, called the trial unfair and refused to cooperate. he read a book for six hours while his own trial progressed, and even refused to raise his head to face the camera for a close-up so that a wit-ness could identify him.

—b.n

Telgi is tried from the security of his prison. Revelations from the case incriminate 67 people and

continue to make national headlines.

Justice will be served because Telgi cannot get out of jail.


Interview.indd 1 2/8/2006 6:51:17 PM

Ramavtar Yadav, Director, National Crime Records Bureau, is equipping

cops with technology to beat crime.

SleuthingSmarter


CIO: How is NCRB changing the way that the police functions?

RamavtaR Yadav: Our approach arises from the police’s needs. For any police system, the record of a criminal’s activities is a vital source of information. They detail a criminal’s modus operandi, which aids a police officer attach a crime to a criminal. All police forces gather and exchange information on criminals. Until digitization happened, the Indian police used physical records. The absence of digital records hampered the police from sharing information across states and analyzing the modus operandi of criminals. The absence of digital records hampered the police from sharing information across states and analyzing it. That’s why the Ministry Of Home Affairs began a major computerization drive in police depart-ments across the country, and made the National Crime Records Bureau (NCRB) the nodal agency for this.

NCRB’s responsibility extends to training all important police officers in both systems and applications. This is how the Crime and Crimi-nal Information System (CCIS) was introduced in police departments.

What is the size of the network that uses CCIS?

When we set out, the NCRB focused on providing hardware to all 740 district and state police headquarters. These sys-

tems are connected to a server and those servers are then connected to the central server at NCRB.

Under the current modernization drive, which will cost an estimated Rs 600 crore, we are doing the groundwork of supply-ing hardware to all 12,400 police stations in the country. Thus far, we’ve covered 40 percent and the rest will fall in place over the next three to four years. While we were responsible for supplying the hardware in the first phase, the Government of India is now equipping states with machines. There are also a lot of agencies, other than police stations, which need computerization.

How has this helped better policing?

It is difficult to quantify the gains police departments have made due to CCIS. What is certain is that the data now available has helped the police to catch criminals quicker.

A criminal on the run does not recognize state borders. In fact, police departments have to work in coordination to nab criminals.

To facilitate the sharing of information, the CCIS application has been Web-enabled. Police officers can now access a national database to track crimes and suspects. There are close to 15,000 such police officers who are autho-rized to log to the system. Without this kind of a centralized database, even two neighbor-ing districts can’t help each other — interstate information exchange is a far cry. The system is also useful for civil verification such as pass-ports, domestic help, and insurance.

Currently, the database has 18 million records and the NCRB has asked state police departments to digitaize records of crimes committed over the past ten years. Karna-taka, Gujarat and Maharashtra have par-tially captured this data. This has brought a perceptible change in the police depart-ment’s crime-solving techniques.

The application initially ran on a UNIX platform but from 2000 we decided to put it on the Windows platform to make it easier for police officers.

How does IT usage by the Indian police compare with those in developed countries?

The Indian police is in the initial stages of IT usage. But our target is to put IT usage on par with the most developed systems over the next few years. The police system in the UK serves as a pointer. Their approach of making records and their database accessi-ble nationally down to nodal police officers is excellent. In the next three to four years,

we would like to have all First Information Reports (FIRs) and crime reports available online. We also want to be able to mine that data. Various socio-economic issues will count as some of the parameters.

Police work is not limited to the control of crime and criminals. There are other issues such as government legislation, internal budgeting and civic construction, which impact policing. With IT, we will also be able to coordinate with the other civic

By R a h u l N e e l M a N i

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 5 9Vol/1 | ISSUE/5

FOR yEARS, THE pOLICE, BuRDENED WITH A SySTEm that stymied quick exchange of information, found themselves on the back foot in the fight against crime. Ramavtar Yadav, Director, National Crime Records Bureau of India, has one agenda: Use IT to keep the cops ahead of the robbers.

Interview | Ramavtar Yadav


bodies such as electricity, water and munici-pal bodies. IT can bring cohesion between multiple government bodies. That’s where we want to see the Indian police system and we are working towards it.

How is the NCRB ensuring the long-term success of the project?

The NCRB is tackling the project on three fronts: Providing hardware, creating applica-tions and training officers. The third is cru-cial and so far we’ve trained 35,000 police officers across the country. We are also work-ing with various state police departments to upgrade both their systems and applications, because state governments don’t have that kind of expertise. The bureau is also playing the role of network and systems planners for these states. We provide them with training for sophisticated data management and net-work security. Training for data and crime trend analysis is next.

The NCRB has also initiated a ‘Train the Trainer’ program so that state police departments can keep their staff abreast of the latest technology and its usage. All state governments have also agreed to train new recruits like sub-inspectors and constables to use computers. Already, training depart-ments and computer labs have been set up to impart training to officers.

IT also powers the fingerprint identi-fication system, doesn’t it?

Fingerprints form crucial evidence. In India, digitization has taken fingerprint clas-sification technology into a new era. When fingerprints were maintained as paper records, it was almost impossible to share them between states. Now we have over 700,000 fingerprints that are digitally avail-able through a single repository. A criminal’s history is also available against a fingerprint, which helps the police nab a criminal wanted in more than one case.

Has the ‘property coordination appli-cation’ been of substantial help?

The application provides records of sto-len or recovered vehicles. This information is available to the public through 33 infor-mation counters across the country. On an average about 150-200 people visit these counters every day to verify whether a sec-

ondhand vehicle is legitimate. If the vehicle they want to buy is listed on our system, it means that it was either stolen or recovered from thieves.

The NCRB has also set up information collection centers on routes that see large numbers of vehicles. The Punjab-Kashmir border and West Bengal-Assam border are two that were targeted based on analysis that

identifies them as the most frequently used to carry away stolen vehicles. The informa-tion collection centers compare registration numbers of each passing vehicle to those of stolen vehicles.

Where does the portrait building app score over the older method?

Portrait Building Software (PBS) has changed the way the criminals are identified. Till now the only way to identify a criminal was through a portrait based on an eyewit-ness’ description. Manually made portraits, however, have a high margin of error. PBS has helped shorten the process and drasti-cally reduce the margin of error.

Does the NCRB train police personnel from other nations?

So far the NCRB has trained over 1,200 police personnel from 60 countries. We have a fixed three-month training program. The training addresses two major areas – IT for police and fingerprinting. Training requests normally come from developing nations in Africa and Southeast and Central Asia. These training sessions also serve to teach us how effectively or innovatively other nations are using IT in their police systems.

What new IT initiatives is the NCRB planning?

So far policing has been conventional, with limited use of intelligence on crimi-nals. With the help of information systems and digitization, our aim is to create better crime analysis. With this we see the police force building crime intelligence just as pri-vate enterprises build business intelligence. What is the use of IT if we don’t use data to be more proactive?

New age crime is nothing short of tech-nological warfare. It is our duty at NCRB to keep up with this change and update ourselves on the technologies that crimi-nals use. Simultaneously, we are initiating a full-fledged program on cyber crime and forensics to empower the police. NCRB’s IT initiatives will keep the police at the fore-front of this fight. CIO

Bureau Head North Rahul Neel Mani can be reached

at [email protected].

Interview | Ramavtar Yadav

In the next few years we would like all FIRs and crime reports available online. We also want to be able to mine that data for trends that will help crack cases faster.”




Open Source Lights UpBY GALEN GRUMAN

Open SOurce | The odds are good that the LAMP stack is running somewhere inside your company. The acronym refers to the foundational foursome of the open-source movement: The Linux operating system, Apache Web server, MySQL database and, collectively, the Perl, PHP and Python programming languages. Development tools such as Eclipse and application servers such as JBoss have also gained popularity — and trust — especially now that major vendors such as IBM, BEA Systems and Borland have adopted or supported them commercially. But what about the next step up the software ladder? Is open source ready for ERP, business intelligence or CRM?

Ready or not, it’s happening; the first industrial-grade applications in these areas are now emerging. And CIOs will soon need to decide how to approach these fresh options in their enterprise software catalog. As with the adoption of the LAMP players, these new open-source enterprise applications will find their way into the enterprise at a departmen-tal or small-project level. As a result, “we don’t see [these applications] on CIOs’ agenda at all,” notes Michael Goulde, an open-source senior analyst with Forrester Research. But, he warns, “CIOs should sync up with their development teams to see [where such applications] might have payback to the organization.”

CRM and businessintelligence from

open source?You bet.

technologyEssEntial From InceptIon to ImplementatIon — I.t. that matters

essential technology

6 2 J a n u a r y 1 5 , 2 0 0 6 | REAL CIO WORLD Vol/1 | issUe/5

Essentisl Tec.indd 54 2/8/2006 6:44:59 PM

technology However, CIOs should tread carefully on such open-source applications, advises Mark Lobel, a partner at PricewaterhouseCoopers who focuses on information security, includ-ing security for financial applications. One key concern is that applications tend to reflect and embed business processes and logic, which often are key strategic assets you don’t want to share with others — and open-source licenses can require such sharing if compa-nies aren’t careful. Another issue is the long-term viability of open-source applications

for specific functions. Open source depends upon volunteer developers for success, but the more niche a product, the smaller the potential pool of interested contributors. As such, grassroots support for specific apps such as ERP or CRM tools may look more like brigades than the armies now support-ing broad open-source infrastructure such as Linux, Apache and MySQL.

Still, properly managed open-source applications can save enterprises money and time — as well as reduce dependency on specific vendors.

Finding a FitFinancial-services giant Fidelity Investments has used open-source technology for about

four years to reduce costs and dependence on vendors. “We started with Linux like everyone else did, but our intent all along was to see how far up the stack we could go,” says Charlie Brenner, Senior Vice President

of the Fidelity Center for Applied Technology, Fidelity’s technology incubation group. After Linux, Fidelity adopted Apache and Perl, and then the Struts Web application framework and the Eclipse Foundation’s development


open source depends upon volunteer developers for success, but the more niche a product, the smaller the potential pool of interested contributors.

open-source applications typically provide

free use of the software and access to its

source code. But if you plan to distribute the

modified application outside your company,

open-source licenses usually require you

to return any enhancements to the user

community, says Michael Goulde, a senior

analyst at Forrester Research. But as the

open-source model moves up the stack to

applications, the term open source is morphing

to accommodate corporate needs.

More restrictive licenses are emerging with

the new class of open-source CRM applications.

For example, a version of sugarCRM is available

under a variation on the standard General

Public license (GPl). But users of sugarCRM

Pro, available under a separate license from

sugarCRM, get a different deal. the sugarCRM

license works much like a proprietary software

vendor’s license, with the exception that sugar

provides the source code and lets companies

modify it for internal use only. and that modified

code belongs to the user company, not to

sugarCRM.

this model is becoming common as more

companies build businesses around open-

source software for which they offer both a

‘pro’ version and for-pay support services,

says Goulde.

"their free version is really a marketing tool,”

says Bob Gatewood, Cto of athenahealth, a

service provider to doctors and a sugarCRM

Pro customer. that suits Gatewood just

fine, since the sugarCRM license still lets

athenahealth customize its CRM code easily,

without requiring expensive professional

services that, for example, a siebel CRM

deployment might require.

another example is the Veteran

administration’s Vista electronic records

software, which is available free as public-

domain software. although the Va has

integrated enhancements made by some users

in later releases, it still manages the core code

development. Private companies have created

proprietary extensions and add-ons that they

sell to Vista users. they’ve also customized the

Vista code for their clients, but none of these

efforts belong to the Va or the Vista community

as they would in traditional open-source efforts

such as linux, apache or BsD Unix.

the avalanche Corporate technology

Cooperative is taking a private open-source

approach: enterprises and consultants can

join, which provides them access to software

developed by the avalanche members. (the

cooperative is just starting its first efforts,

including a sarbanes-oxley compliance

project.) as with open source, the members

all contribute technology to various avalanche

efforts, and avalanche members provide

mutual support. Unlike open source, however,

only avalanche members have access to this

technology, which its founders believe will

ensure development efforts stay focused on

members’ business priorities.

For Cios, this means that some open-

source tools might in fact be just partially open

source, requiring a careful understanding

of the license and the program’s contents.

You really need to read the license,” advises

athenahealth’s Gatewood. – G.G.

it pays to read the fine print on open-source licenses.

But, is it Really Free?

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 6 3Vol/1 | issUe/5


environment. Fidelity is now looking at open-source database management systems and assessing what applications might make sense. The advantages of open source include widespread component reuse, better access to underlying code to customize interfaces across applications, and less complex systems to manage. “We’re heavy users of proprietary [software], and that won’t change, but there are times you need a motor scooter, not a truck,” Brenner says.

Others are less interested in picking the proper vehicle than they are in creating a uniform, inexpensive core on which to hang their IT business. At Midland Memorial Hos-pital in Texas, “we’re trying to get a complete open-source or public-domain stack rather than be proprietary,” says IS Director David Whiles. His organization already uses the LAMP stack and is now deploying a pub-lic-domain electronic records system, the Veteran Administration’s Vista, for less than half of what a proprietary system would cost (even with the cost of hiring a consultancy to add features such as billing). Medical indus-try service provider Athenahealth, mean-while, is using SugarCRM — an open-source CRM package. CTO Bob Gatewood says he had several reasons to switch from his cur-rent CRM provider, Salesforce.com. But he notes that making the change will save about

Rs 4.5 crore ($1 million) over three years in per-user licensing fees, even after the cost of development and integration is subtracted. He expects to complete the migration in early 2006.

Easy MixingBeyond spending less, Gatewood plans to more closely integrate the SugarCRM code — which he can access directly — into his

call-center and other support applications, something not possible with proprietary software where code is tightly held by the vendors. Other IT execs seek the same benefit. “We can take the pieces we need [with open source],” says Bob Hecht, Vice President of Content Strategy at specialized data provider Informa, which is investigating the Alfresco open-source knowledge-management application as an alternative to commercial enterprise content-management tools.

Informa is exploring Alfresco because a license for a commercial enterprise content management application for a company of its size would cost millions of dollars and would impose a single content-management model on the company’s array of publish-ing, training and events businesses. “We just won’t do that,” Hecht says. (It also helps that Alfresco was developed in part by former Documentum technologists, giving Hecht more confidence that the application will be enterprise-class.)

Starting SmallOpen-source applications can make espe-cially good sense for non-strategic, fairly generic applications like reporting or sales-force automation. Departments that have unique technology needs and smaller compa-nies with limited budgets are also more likely

to consider open-source applications, says Forrester’s Goulde. “Larger companies are not about to rip out SAP. Plus the functional-ity and the integration are both more complex for a large company than open-source apps currently can handle,” he adds.

For example, open-source tools “are not going to take the business-intelligence mar-ket because they are not yet competitive with commercial software,” says Eric Rogge,

Research Director for BI and performance management at Ventana. For example, open-source BI applications don’t yet offer a com-prehensive platform with reporting, ad-hoc analysis, online analytical processing (OLAP) connectivity, alerting, dashboards and work-flow. Nor do they offer aids for developing user-interface controls, ad-hoc analysis against relational data sources or score-card functionality with strategy maps, metrics management and collaboration features, he says. But Rogge does expect open-source applications to eventually make inroads in the BI reporting tool segment, since there are a variety of uses for basic reporting tools in an organization where a costly, complex BI tool isn’t needed.

Furthermore, increased adoption of open-source databases should encourage the devel-opment of open-source reporting tools that


open-source applications makes good sense for non-strategic, fairly generic applications like reporting or sales-force automation.

sOurCE: Evans Data, 2005

61%of developersin europe,West asiaand africahave used open-source softwarefor development,but only a thirdhave contributedto the open-sourcecommunity.




take advantage of them, says Don DePalma, an analyst at the consultancy Common Sense Advisory. “Most database activity is about reporting, analyzing and crunch-ing the data, so [open-source reporting tools] would seem a natural development. Companies, universities or governments using open-source operating systems and databases would be a great audience for such software,” he says. DePalma doesn’t expect a popular reporting tool like Busi-nessObjects’ Crystal Reports, for example, to support open-source databases because of the vendor’s relationships with propri-etary database developers such as IBM,

Microsoft and Oracle. That provides an opportunity for the open-source com-munity to create a Crystal Reports-like reporting tool, he says.

Open-source applications also make sense when there are regulations or other requirements common to an industry, where having a mutually supported tool would benefit everyone and not put any-one in the position of losing a competitive advantage, Goulde says. Analysts most often cite the health-care and financial-services industries as candidates for these kinds of tools, though liability concerns surrounding legal requirements make it critical that potential users understand the possible risks, notes Fidelity’s Brenner. It is also possible to imagine a large player in a specific industry making an open-source application viable, perhaps for some sup-ply-chain management functions, much as

Wal-Mart has done for RFID, notes For-rester Research ERP Analyst Ray Wang.

Gauging Open Source’s RisksBut using open-source applications does carry risks. One is that staff developers unfamiliar with the competitive value of various components might accidentally embed strategic business logic or processes into code that is then provided back to the open-source community, neutralizing a competitive advantage.

But CIOs should be able to manage their strategic assets while still choosing open-source applications, says Eric

Link, Diabetech’s CTO. Business logic, for example, should not reside in modified open-source code but in your internal rules base or in-house applications that call the open-source tools, as is common in commercial ERP systems, he says. “It does require careful thought to know what is strategic,” but any IT development effort should make such an assessment, whether it involves commercial, home-grown or open-source code, Link says.

CIOs should also be able to distinguish between applications and platforms and the issues that surround each, Brenner adds. Reporting tools and CRM are two examples of platforms that are often marketed as appli-cations, he notes. The difference is that plat-forms typically don’t encapsulate specific business processes or logic, making them well-suited for open-source efforts — and less risky for the companies that use them, as companies using such tools will be less

tempted to insert their own business logic into the products and unwittingly release it to the world. A reporting tool, for instance, might act on a company’s data, but it would never incorporate that data into its own code — and thus a company would never be required by the license to release the data as open source. (Another alternative is to go pseudo open source as in the Avalanche Corporate Technology Cooperative, which openly shares code on a variety of projects, but only among subscribed members.

Beyond intellectual property concerns, another significant risk is an application’s long-term viability. Open source has worked well for widely distributed tools such as those in the LAMP stack that are typically run as-is and don’t need to be customized at each location. But for niche applications, the community of developers is necessarily smaller than for a piece of infrastructure, reducing the resources that contribute to the application’s development, maintenance and support. This could make it difficult for many projects to muster sufficient developer support to stay viable. The diversity of applications will be a difficult issue for the open-source community, says PricewaterhouseCoopers’ Lobel.

This limitation is exacerbated if companies don’t share their developments with the community for fear of releasing competitive business logic. “I can’t see it going very long if companies aren’t contributing back. An open system works only when it’s open,” Lobel says. Diabetech’s Link, however, believes that argument is overstated, since companies are typically happy to share infrastructure code with others, thus moving the application forward even while keeping their business-specific code to themselves.

Despite these issues, even cautious observ-ers concede that open-source applications can make sense beyond the LAMP stack: And sen-sible CIOs should start paying attention. CIO

Galen Gruman is a freelance writer based in San Fran-

cisco. Send feedback on this feature to [email protected]

staff developers unfamiliar with the competitive value of various components might accidentally embed strategic business logic or processes into code that is then provided back to the open-source community.

REAL CIO WORLD | J a n u a r y 1 5 , 2 0 0 6 6 5Vol/1 | issUe/5


essential technology Pundit

SOFTWARE | Nearly four years ago, I sat at the back of a packed conference on something new and exciting called Web services.

Web services was going to be bigger than the Web itself. Any machine would be able to talk to any machine, and eventually most apps would be built from components strung together across the Internet. As part of the revolution, why shouldn’t enterprise customers become Web services vendors?

But IT had other priorities, like slashing costs. And Web services mainly became a cheap integration method. But recently those giddy early days came rushing back when I spoke with Infravio CEO Jeff Tonkel about his X-registry product, an enterprise registry and repository for publishing and even selling Web services.

Before Tonkel’s tenure, Infravio’s foray into the Web services market included both development and migration tools. Tonkel then moved the company to the broker space, where Web services is an EAI replacement with performance man-agement and measurement capabilities. But ultimately, BEA, Cisco, Microsoft and the other big infrastructure players are going to own this space. Now Web ser-vices/service-oriented architecture asset management is the center of Tonkel’s stra-tegic vision for Infravio.

As luck would have it, travel giant Sabre needed just such an application. Infravio beat out its competitors because its X-reg-istry is similar to a searchable e-commerce catalog that holds detailed descriptions of

services and, more importantly, provides con-trol and approval mechanisms. Sabre decided it was easier to set up shop using X-registry than to build a similar app itself.

Those who know a little about Web services may wonder: Why not just use Universal Description, Discovery and Integration (UDDI)? Mainly because UDDI as it stands is really a spec for a relatively simple directory and (unique among the basic Web services standards) has lost traction rather than gained it. And the ebXML registry spec, once championed by IBM and Sun, never really got off the ground.

Infravio has no direct competition as yet, but I imagine a few companies may want to enter the space. The great thing about Web services is that it’s been a grassroots effort and has lowered the cost of integra-tion. The problem with it is that develop-ers tend to use it as an ad hoc solution and document it poorly — the key exceptions being the public-facing Web services, such as those offered by Google or Amazon.com. True, what Google and Amazon.com offer is pretty simple, but it’s easy to underestimate the effort involved in making Web services reliable, self-service, scalable entities that pretty much anybody can use.

Throw in the proper rights and permis-sions mechanisms, and that philosophy should also underlie Web services inside the firewall. It’s going to take years before the swirl of draft Web services specs set-tles down, if ever, and even if it does I can’t imagine a day when Web services will

run around connecting with each other dynamically, without human interven-tion. In human-readable form, registries and repositories must capture all the rel-evant information needed to contract with a Web service, or much of the Herculean effort involved in creating a service-ori-ented architecture — which expands organizations’ integration possibilities by a magnitude — will go to waste. And these registries should include descrip-tions understandable by business types, not just technologists.

Who knows? Once you’ve established that sort of repository inside your organiza-tion, it’s not that big a step to consider sell-ing a few select services over the Internet. At the very least, if you pitch it right, the prospect might score a few points with the business guys. CIO

Eric Knorr is executive editor at large for InfoWorld.

Send feedback on this column to [email protected]

Services For Saleit may finally get its chance to sellWeb services.

BY ERIC KNORR

the problem with Web services

technology is that

developers tend to use it as an ad hoc solution and document it

poorly.


Et-Pundit.indd 58 2/8/2006 6:45:34 PM

Date post:	22-Mar-2016
Category:	Documents
Upload:	sreekanth-sastry
View:	225 times
Download:	4 times

January 15 2006

Documents