new age challenges

new age CHALLENGES

TOP CIO CHALLENGES IN 2010

Worry lines for CIOs? Of cloudy tangles, shifting heads and others | PAGE 24

TECH FOR GOVERNANCE: They are watching us | PAGE 40

A QUESTION OF ANSWERS: Widening Footprint | PAGE 10

BEST OF BREED: Subprime Opportunity | PAGE 14

February | 07 | 2010 | Rs.50 | Volume 05 | Issue 12

Technology for Growth and Governance

A 9.9 Media Publication


CTO Forum February 7th Issue (Volume 05, Issue 12)


Page 2: New Age Challenges

EDITORIAL

RAHUL NEEL MANI | [email protected]

1 | thectoforum.com | 07 FEBRUARY 2010 | CTO FORUM

CIO with a Heart: It is time to contemplate what we can do to address some of the world’s biggest challenges

Nearly six months ago, while doing a feature on CIOs of multinational organisations, I met Atifeh Riazi, then Global CIO of Ogilvy Worldwide. During the conversation, Riazi revealed that she was quitting her job to work with ‘technologically disenfranchised’ communities across the world. I was surprised. Why would a CIO leave a lucrative job to venture into something like that?

In subsequent conversations with Riazi, she revealed that she has formed an international NPO (not-for-profit organisation) called ‘CIOs without Borders’ (CWB). The organisation is dedicated to using technology to alleviate shortages in medicine and medical knowledge. CWB works with international NPOs to provide free or low-cost IT services to achieve its goals. With an effective team of volunteers and IT professionals from around the world whose services and expertise can be used via online collaboration tools, CWB has undertaken two very unique projects – ‘Project Rwanda’ and ‘Project Vietnam’.

Rwanda has one doctor for every 25,000 citizens. CWB is planning to implement a revolutionary computerised medical diagnostic system. This system will help any technician and one nurse quickly figure out what’s wrong with a patient and determine a treatment plan. This is a trusted system in use for the past five years in our own country, India.

The second project that CWB has undertaken is to compile critical information about ‘Agent Orange’ (code name for an herbicide and defoliant, contaminated with TCDD, a toxic substance that causes DNA damage) which was dropped by the US army during the Vietnam War. The information is published on a single website in both English and Vietnamese to accelerate the continuing efforts to determine the full scope of the tragedy and develop holistic remedies.

In the 10th Annual CTO Forum conference in Beijing, we organised a session on “CIOs as global corporate leaders: Beyond the comfort zone”. We’d identified Inclusive Growth; Managing Climate Change; Controlling Terror; and Promoting Diversity as four areas where we can make a difference. Are some of us leading the way? Should these issues be on our radar? Are we doing enough, what are we doing and can we do more? I will wait for your response.

EDITOR’S PICK 16

Subprime Opportunity: SKS Microfinance is rapidly expanding its reach through innovative use of IT.

Page 3: New Age Challenges


FEBRUARY 10

COVER DESIGN: PC ANOOP

COVER STORY

24 | New Age Challenges

Budget constraints are squeezing the CIO. An evolving IT landscape is keeping him on his toes. Compliance issues and attrition are giving him sleepless nights. But is it really so bad?

COPYRIGHT, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot Printed at Silverpoint Press Pvt. Ltd. TTC Ind. Area, Plot No. A-403, MIDC Mahape, Navi Mumbai 400709

COLUMN

04 | I BELIEVE: FORMULA ONE
Make innovative use of technology to consolidate the processes in the various companies of the group. BY SUBBARAO HEGDE

52 | VIEW POINT: DATA LOSS PREVENTION
There will never be a DLP solution that will detect when an insider is seeking profit by leveraging authorised access to information. BY NORBERT NOLIN

FEATURES

14 | BEST OF BREED: PASSWORD PERILS
The reuse of passwords in computerised systems poses serious vulnerabilities.


Page 4: New Age Challenges


A QUESTION OF ANSWERS

10 | Widening Footprint: “Our mission is to help customers achieve cloud-like efficiency and operational improvements across major IT areas,” Andrew Dutton, GM, VMware, APAC & Japan

VOLUME 05 | ISSUE 12 | 07 FEBRUARY 2010

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

EDITORIAL
Editor: Rahul Neel Mani
Resident Editor (West & South): Ashwani Mishra
Sr. Assistant Editor: Gyana Ranjan Swain
Assistant Editor: Aditya Kelekar
Consulting Editor: Shubhendu Parth
Principal Correspondent: Vinita Gupta
Correspondent: Sana Khan

DESIGN
Sr. Creative Director: Jayan K Narayanan
Art Director: Binesh Sreedharan
Associate Art Director: Anil VK
Manager Design: Chander Shekhar
Sr. Visualisers: PC Anoop, Santosh Kushwaha
Sr. Designers: Prasanth TR & Anil T
Photographer: Jiten Gandhi

ADVISORY PANEL
Ajay Kumar Dhir, CIO, JSL Limited
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IS, Godrej Industries
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices
Vijay Sethi, VP-IS, Hero Honda
Vishal Salvi, CSO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay
Vijay Mehra, Executive VP, Global Head-Industry Verticals, Patni

SALES & MARKETING
VP Sales & Marketing: Naveen Chand Singh
National Manager Online Sales: Nitin Walia
National Manager-Events and Special Projects: Mahantesh Godi (09880436623)
Product Manager: Rachit Kinger
Asst. Brand Manager: Arpita Ganguli
Co-ordinator-MIS & Scheduling: Aatish Mohite
Bangalore & Chennai: Vinodh K (09740714817)
Delhi: Pranav Saran (09312685289)
Kolkata: Jayanta Bhattacharya (09331829284)
Mumbai: Sachin Mhashilkar (09920348755)

PRODUCTION & LOGISTICS
Sr. GM. Operations: Shivshankar M Hiremath
Production Executive: Vilas Mhatre
Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh

OFFICE ADDRESS
Nine Dot Nine Interactive Pvt Ltd
C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India

Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd
C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India

Editor: Anuradha Das Mathur
C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India

Printed at Silverpoint Press Pvt. Ltd.
D 107, TTC Industrial Area, Nerul. Navi Mumbai 400 706

www.thectoforum.com

34 | NEXT HORIZONS: HIGH ALERT Don't just pay lip service to security issues, or you could be the victim of a crime that costs you dearly.

REGULARS

01 | EDITORIAL
06 | ENTERPRISE ROUNDUP
48 | BOOK REVIEW

advertisers’ index

IBM REVERSE GATEFOLD
TATA TELECOM BC

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

49 | HIDE TIME: MOTORCYCLE DIARIES The CIO of SCL-TVS Group on why it does not get monotonous working with one company for a long period.


Page 5: New Age Challenges

I BELIEVE

CURRENT CHALLENGE

CHANGE MANAGEMENT ISSUES WHILE BUILDING A KNOWLEDGE-ENABLED ENTERPRISE

THE AUTHOR IS a senior IT professional with experience in operational management and IT services consultancy gained across multiple industries.

BY SUBBARAO HEGDE | CTO, GMR Group

Formula One

Make innovative use of technology to consolidate processes of various group companies into a single system.

OVER THE PAST couple of years, the economic downturn has been a major topic of discussion in the corporate world. I have always viewed the slowdown as an opportunity. In this context, one of the challenges facing GMR was to increase productivity while at the same time reduce costs related to travel and communications.

While the IT team at GMR looked at many options, we were finally convinced that implementing a unified communication solution with live meeting and integrated gNET intranet portal could help us achieve our goal. The implementation resulted in improving work-life balance. Reaching across cross-functional teams became easier and systematic. This also helped GMR in creating a sound platform for collaboration and knowledge management.

The second biggest challenge facing us was the use of heterogeneous processes by the various divisions of GMR Group which were creating infrastructure in areas as diverse as energy generation, airports, highways and urban infrastructure. Lack of a uniform process across businesses posed a big challenge. The solution came from enhancement and stabilisation of SAP with Netweaver and a business intelligence dashboard on a scalable consolidated hardware platform. This translated into a seamless flow of information for decision-making across the group and has mitigated operational risks.

The third challenge facing our organisation related to change management. Efforts to build a knowledge-enabled enterprise hit a roadblock when people resist any kind of change. We met this challenge by emphasising ‘hands-on’ and ‘e-Training’ modules that helped bring about a transformation in the group to make its people and partners efficient, productive and knowledgeable.

Deploying a change management strategy is one of our targets this year. We are calling for an ‘e-overhaul’ to stay competitive and create an exemplary work culture across the group. I believe technology will continue to play a vital role in our businesses.


Page 6: New Age Challenges

LETTERS

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.

Send your comments, compliments, complaints or questions about the magazine to [email protected]

ERP – FROM TRANSACTION-BASED TO DECISION-MAKING TOOL

The article on “ERP 1.0” was very interesting. ERP, as rightly mentioned in the article, is more than a software implementation. It is a strategic choice for businesses and involves cultures, egos, and people. To drive everyone towards a common objective is a challenging affair. Success of any implementation is based on the extent to which all the above issues are addressed.

Today sadly, once implemented, ERP is predominantly used for transactional processing. Its use as a tool for strategic planning is very limited. Add-on modules are available for MIS, HR, CRM, PLM, etc. but are companies really making use of them? These modules cost a lot and are not affordable for mid-sized enterprises. SaaS is a good option, but it is far from being popular.

Single-instance and single platform are good concepts, but the degree of sophistication required for individual departments like quality, R&D, engineering, etc. calls for usage of best-in-breed software to cater to their needs.

One ERP might not work in all cases. That is why ERP vendors themselves are offering interoperability and interfacing solutions. Again, MIS needs to be focused and customised to a company’s needs. BW/BI software is costly. Even if we manage to implement it, bringing all relevant people under its fold costs a lot (cost of licenses and maintenance). We need to think of alternative solutions that interface with ERP and provide the same details. I think the future challenge lies in making ERP a strategic and decision-making tool and one that is cost effective.

Vendors also need to significantly bring down the cost of licenses and AMC in order to sustain and grow.

ASHOK RV
General Manager (IS), Sundaram Clayton Limited.

[Image: pages from the previous issue (Volume 05 | Issue 11, 21 January 2010), cover story “ERP 1.0 Is Over. What's Next?” by Ashwani Mishra & Gyana Ranjan Swain]

CTOForum LinkedIn Group

Join more than 200 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at:

www.linkedin.com/groups?gid=2580450

Some of the hot discussions on the group are:

Will the IT Amendment Act that requires corporates to protect personal information on computers have an impact on enterprises' security practices?

The passage of amendments to the IT Act 2000, which came into effect from October, 2009 has made substantial difference in the requirements from Indian industry. First, the cyber law and its amendments need to be carefully studied and understood by corporate personnel in-charge of compliance. Secondly, there are more steps to follow-up. The Indian Cyber Laws are in the right direction.

—Malick Mohamed, Centre Manager at Ikas Technologies Pvt. Ltd.

Which role will die - the CIO or the CTO?

"I would say both will co-exist. This is purely based on the organisational needs and business model. Example: If the organisation is headed towards automation and prioritise internal needs, that might give birth to the role of a CIO if it does not exist. If the organisation is headed towards external focus and product delivery, the CTO role will be crucial."

—Raj DN, Head of Database Operations, Sify Technologies Ltd.

CTOF Connect

Govind Rammurthy, MD and CEO, eScan says banks in India need to instill confidence amongst users when it comes to online banking. He talks to Ashwani Mishra on the areas of concern in the online banking space and other emerging security threats. Excerpts from the interview. To read the full story go to:

thectoforum.com/content/stop-ignoring-basic-norms

OPINION

BEYOND THE BASICS

A CIO has to make an impact and deliver significant value to business. “I believe that just speaking the right language or applying known formulae is not enough to get the CIO home. As a CIO, we have to get around to some basics.” To read the full story go to:

thectoforum.com/resources/opinions

S.R. BALA, Exec VP IT, Godfrey Philips.


Page 7: New Age Challenges


Enterprise ROUND-UP

STORY INSIDE

Intel steps up efforts to install solar energy generation equipment at its plants Pg 09

DATA BRIEFING

Worldwide semiconductor device revenue reached $226 billion in 2009, down 11.4 percent from 2008

Social Business Goes Mainstream. Forcing cultural and process shifts from the inside out.

RECENT IDC research on the intersection of Web 2.0, Enterprise 2.0, and collaboration shows that we are entering a time of significant cultural and process change for businesses, driven by the emergence of the social Web. According to a new IDC survey, 57% of U.S. workers use social media for business purposes at least once per week. Additional findings from IDC’s social business research include: 15% of 4,710 U.S. workers surveyed reported using a consumer social tool instead of corporate-sponsored social tools for business purposes due to the following top three reasons, (1) ease of use, (2) familiarity due to personal use, and (3) low cost.

The number one reason cited by U.S. workers for using social tools for business purposes was to acquire knowledge and ask questions from a community. While marketers are the earliest and largest adopters of social media, these tools are now gaining deeper penetration into the enterprise. Software companies will increase their social software offerings significantly as customer demand steadily increases and “socialytic” applications will emerge, fusing social/collaboration software and analytics to business logic/workflow and data.

—Source: IDC Research

ILLUSTRATION: SANTOSH KUSHWAHA

Page 8: New Age Challenges


QUICK BYTE ON CYBER ATTACKS

Large-scale cyber-attacks on critical infrastructure are growing. The study by Centre for Strategic and International Studies found that 60% of those surveyed believed representatives of foreign governments were involved in past infrastructure infiltrations. The US was the biggest source of threat (cited by 36%).

Worldwide IT Spending to Grow 4.6 % in 2010. Emerging Markets to Lead the Way.

A SLOW BUT steady improvement in the macroeconomic environment in 2010 should support a return to modest growth in overall IT spending, according to Gartner, Inc. Worldwide IT spending will reach $3.4 trillion in 2010, a 4.6 percent increase from 2009.

Although modest, this projected growth represents a significant improvement from 2009, when worldwide IT spending declined 4.6 percent. All major segments (computing hardware, software, IT services, telecom, and telecom services) are expected to grow in 2010.

IT spending growth in emerging markets (with the exception of central and eastern Europe and some of the Gulf states) is expected to lead the way, with spending forecast to grow 9.3 percent in Latin America, 7.7 percent in the Middle East and Africa and 7 percent in Asia/Pacific. Recovery in Western Europe, the United States and Japan will start more slowly, with Western Europe increasing 5.2 percent, the U.S. growing 2.5 percent, and Japan increasing 1.8 percent.

—Source: Gartner (January 2010)

THEY SAID IT

STEVE JOBS

After months of speculation, Apple finally announced a touch screen tablet computer, the "iPad". Pricing starts at $499, and it should be available in 60 to 90 days. Apple CEO Steve Jobs told a packed audience at the Yerba Buena Centre for the Arts in San Francisco:

"We've always tried to be at the intersection of technology and liberal arts—we want to make the best tech, but have them be intuitive. It's the combination of these two things that have let us make the iPad. This is a magical device, at a breakthrough price."

—Steve Jobs, CEO, Apple

PHOTO BY PHOTOS.COM

Page 9: New Age Challenges


Data Centres are Getting Complex. In an interview with CTO Forum, Anand Naik, director, Systems Engineering at Symantec, speaks about the company’s data centre report.

WHAT is the data centre scenario in India?

According to IDC, the total data centre capacity in India is expected to reach 5.1 million square feet by 2012, representing 31 % growth from 2007 to 2012. In the long run, India has the potential to become a hub for data centres for the Middle East, East Africa and Southeast Asia.

What was the basis of your ‘State of the Data Centre’ report and how will it help the CIOs?

The ‘2010 State of the Data Centre’ report is based on inputs from 1,780 data centre managers in 26 countries out of which around 30% of the respondents were from the Asia Pacific and Japan (APJ) region and mainly from the BFSI/IT/ITES and Telecom verticals. This study will help the CIOs to find out the data centres challenges and also our recommendation will help them reduce those challenges and create benchmarks against industry standards.

Why are mid-sized enterprises the vanguards of the data centre?

For the first time since the report was introduced in 2006, Symantec found that mid-sized enterprises, rather than large or small ones, are vanguards of the data centre, leading in new technology adoption, data centre change, and focus on staffing. In fact, the main drivers to data centre aggressiveness are resources and willingness to take risks.

What are the key findings of the report?

This year’s report noted that the most important initiatives for 2010 are security, backup and recovery, and continuous data protection. Also, 72% of enterprises in India believe that private cloud is set to grow and 30% of the enterprises consider server virtualisation will help to improve DR preparedness.

What are your recommendations to the data centre managers?

They should integrate data protection by providing data availability and manageability and deploy de-duplication closer to the information source to eliminate redundant data and reduce storage and network costs.

—By Vinita Gupta

72% of Indian enterprises think private cloud will grow; 30% say server virtualisation will help improve DR preparedness.

PHOTO BY PHOTOS.COM

GLOBAL TRACKER

The Springboard Research says that India is the fastest growing SaaS market in Asia Pacific, and is estimated to register a growth of 60% CAGR from 2008 to 2012.

US$105 Million (2008)

US$352 Million (2012)

SOURCE: SPRINGBOARD RESEARCH

Page 10: New Age Challenges


Android Will Be the No. 2 Mobile OS by 2013. Symbian will retain top slot.

BY 2013, IDC forecasts that worldwide shipments of converged mobile devices, also known as smart phones, will surpass 390 million units, growing at a compound annual growth rate (CAGR) of 20.9% for the 2009–2013 forecast period. Underpinning the converged mobile device market is the constantly shifting mobile operating system (OS) landscape. In a market that was once dominated by a handful of pioneers, such as BlackBerry, Symbian, and Windows Mobile, newcomers touting open standards (Android) and intuitive design and navigation (Mac OS X and webOS) have garnered strong end-user and handset vendor interest.

Key findings from a new IDC market outlook include the following:

Symbian will retain its leadership position worldwide throughout the forecast period.

Android will experience the fastest growth of any mobile operating system. Starting from a very small base of just 690,000 units in 2008, total Android-powered shipments will reach 68.0 million units by 2013, making for a CAGR of 150.4%.

Linux and webOS shipments will struggle throughout the forecast period. Shipments of Linux-powered devices will trend down due to greater emphasis on the Android platform.

—Source: IDC Research

GREEN TALK

SOLAR DRIVE

BUILDING on its existing portfolio of renewable energy site installations, Intel Corporation has reported that new contracts are in place to incorporate approximately 2.5 megawatts worth of new solar power projects at eight U.S. locations in Arizona, California, New Mexico and Oregon. In addition, Intel announced it has renewed and increased by 10 percent its purchase commitments for renewable energy credits (REC) to more than 1.43 billion kilowatt hours — more than 51 percent of its estimated 2010 U.S. electricity use.

Intel's new solar installations are planned to be completed over the next seven months. Each project would currently rank as one of the ten largest solar installations in its respective region if activated today. For example, the panels planned for Intel's Chandler and Ocotillo campuses in Arizona would each currently be the fifth largest in SRP service territory or the second largest when combined, according to the utility company.

All of the solar panels will be installed on the roofs of Intel's facilities, with the major exception of the largest installation, an approximately 1-megawatt solar field in Folsom, Calif. All of the installations will use the power generated at their respective site, making them an efficient source of electricity with savings on grid delivery losses.

—Source: www.intel.com/pressroom

FACT TICKER

Geojit BNP Paribas’ Online Investment Platform. Connect to multiple markets to serve across different client categories.

GEOJIT and BNP Paribas Financial Services launched FLIP – the new, enhanced online investment platform. FLIP is a complete enhanced online investment solution of Geojit BNP Paribas Financial Services. The solution incorporates an Order Management System with built-in multi-level security risk management and real-time streaming market data. It integrates with the Risk Management System to offer a complete array of financial instruments such as equities, derivatives (stock and currency), margin funding, mutual fund units and IPOs for a smooth and rich investment experience. FLIP has been developed by Geojit Technologies, a subsidiary of Geojit BNP Paribas.

FLIP uses FIX adapter to connect to multiple markets to serve across different client categories including institutions, retail, investors, traders and HNIs. It has enhanced market data systems, FIX engine and risk management functionalities. Apart from Indian stock exchanges, the stock exchanges of Saudi Arabia and Oman have already empanelled this solution.

“The new online investment platform FLIP is the outcome of 23 years of experience and domain knowledge gained by Geojit BNP Paribas, the first broker in the country to introduce Online Trading in February 2000. This experience is now fortified by the expertise of BNP Paribas Personal Investors, Europe’s No.1 online broker,” said C. J. George, Managing Director, Geojit BNP Paribas.

FLIP was launched by Ravi Narain, CEO and Managing Director of National Stock Exchange. He feels that investors can enjoy the ease and convenience of online investment in a complete suite of financial products and services through this fast, secure and multi-feature/channel platform.

A. P. Kurian, Chairman, Geojit BNP Paribas is confident that with the launch of FLIP, they will be able to add significant numbers to their expanding online client base comprising of retail domestic and NRI clients. Today, they have over 500,000 plus clients executing over 300,000 trades daily.

—By Vinita Gupta

Page 11: New Age Challenges


A Q U E S T I O N O F AN SWE RS A N D RE W D U T TO N

ANDREW DUTTON | VMware.

WideningFootprint

Andrew Dutton, General Manager for VMware APAC & Japan, in a conversation with Gyana Ranjan Swain, speaks about the company’s

strategy, its collaboration with key players and the impact of virtualisation on the industry. Excerpts:

VMware recently announced a joint venture with Cisco

and EMC to sell a new inte-grated data centre product called V-Block. How is this product going to help VMWare to sustain its leadership position? Organisations today are looking for a more secure, cost-effective and automated platform to deliver cloud-based services. The joint venture on vSphere provides all of these features efficiently. VMware’s vSphere is the cornerstone of this technology colaboration.

VMware’s recent acquisi-tion Zimbra is another shot in the

arm. How do you think will it help VMware assist enterprises in tak-ing complexity out of the data cen-tres, desktop, application develop-ment and core IT services?We expect more organisations, especially small and medium busi-nesses, to increasingly buy core IT solutions (such as email) that deliver cloud-like simplicity to user experience. Our plan is to broaden vCloud portfolio leveraging Zimbra — a leading vendor of email and collaboration software — as an on-premise solution for our medium and smaller customers.

Our mission is to help customers achieve cloud-like efficiency and oper-

ational improvements across major IT areas. With Zimbra, we are going to focus on core infrastructure applica-tions and services, email communica-tions being a universal one. VMware can now address solutions that span from the datacentre to the cloud by optimising infrastructure usage through IAAS, desktops through DAAS, development through PAAS, and core infrastructure and third-party applications through SAAS.

What does your recently launched product VMware ‘Go’ have in store in terms of IT infrastructure?

This initial release of the VMware ‘Go’ platform is targeted at the lower spectrum of the users, but any organisation can use this technology for its advantage. VMware ‘Go’ presents a predefined set of processes targeted towards easy and simple deployments, but that doesn’t mean the platform won’t be tailored to support more enterprise-level features.

Virtualisation's Next: Andrew Dutton, General Manager, VMware, APAC and Japan, battles fierce competition from newer virtualisation players.

The battle between VMware and Microsoft Hyper-V is getting fierce. Recently Microsoft and HP entered into a three-year contract for jointly providing services in the cloud space. How does VMware plan to counter this move?

VMware welcomes collaboration in the virtualisation space between partners and vendors. It helps in two ways. Firstly, collaboration makes adherence to standards such as DMTF.org more stringent, which is good for vendors, customers and partners alike. Secondly, it validates the fact that the vision and direction we have taken is correct. The market is following us and will continue to follow us in the future too. We defend ourselves by doing two things — manage our costs and increase productivity in our overall business, which will lead to better quality products.

Analysts feel that VMware doesn’t have any solid innovative plan to fuel growth in the future. Comment.

The facts show quite clearly where we intend to focus on providing the most cost-effective, automated and secure cloud computing platforms in the world. Implementing this plan is a long-term strategy, which we are now just starting to deploy “en-masse” with the cooperation of some of the largest ISPs. Secondly, we have not really exploited the virtual desktop market to its fullest potential. To begin with, we are in a good position to lead in this space. Finally, the key to all of this working well is automation and interoperability by adhering to pre-defined industry standards. Process automation around chargeback, operations management, disaster recovery, self-service portals and application standardisation regardless of operating system provide us market leadership and future growth.

Virtualisation changes the way a data centre is managed, administered and operated. It broke the traditional coupling of hardware and software. How does a CIO overcome this challenge?

Quite simply, instead of having to walk, email or call up somebody to ask the same question every few days, CIOs will be able to simply go to an operations portal to see for themselves. Simply watching a few blinking lights in the data centre can’t tell you how well that application is helping or costing the business. What VMware is trying to help customers do is get away from the ‘plumbing’ aspects of IT and get back to automating business through IT. The new question CIOs will ask is: How can I make my IT integrated processes more efficient? VMware virtualisation management products and principles are the only enterprise-level tools that provide this business view. Just as SAP streamlined the isolated application and business processes back in the 1970s, VMware is doing the same to the datacentre.

What’s in store for 2010?

We are committed to provide more automation and collaboration within our core product set. We will work towards increased efficiency across our management stack and a proliferation of our VMware View virtual desktop products and several more such initiatives that solidify our lead in the cloud computing arena.

“VMware is trying to help customers to get away from the ‘plumbing’ aspects of IT”

THINGS I BELIEVE IN

That SMBs would increasingly buy core IT solutions that deliver cloud-like simplicity to users

That the industry has not really exploited the virtual desktop market to its fullest potential


BEST OF BREED

DATA BRIEFING

32mn PASSWORDS WERE ANALYSED BY IMPERVA. A MAJORITY WERE VERY SIMPLE TO CRACK.

FEATURES INSIDE

Subprime Opportunity: How SKS Microfinance turned a problem into a business opportunity. Pg 16

Passing cloud: The cloud model will shake things up quite a bit. Pg 19

Shadow of doubt: The compliance risks in the cloud ecosystem. Pg 20

Password Perils

The reuse of passwords in computerised systems poses serious vulnerabilities. BY RICHARD GOUGH

For most organisations that have a large user base, the enforcement of password compliance can sometimes seem like an arduous task for the IT security team. The strange thing though is that our lives are full of secrets like passwords and other such codes.

In his excellent book on passwords, Mark Burnett describes how integral they are to our modern way of living and doing business. “We need them to withdraw money from an ATM or to connect to our online banking account. We use them to authorise financial transactions and to buy and sell items on the Internet,” he observed. In fact the list could go on, and this is indeed one of the biggest challenges: humans are just not that good at carrying around so many passwords, and therefore we tend not to stray from simple variations of a theme. “When it comes to passwords, we just aren’t that clever… superman12, superman23, superman95, wonderwoman.” So just what are the best ways to enforce user compliance with a password policy?

Password policies have become harder to enforce as more and more passwords enter our lives. The more we depend on computerised systems, the more we should expect users to reuse the passwords they are expected to know. This reuse of passwords will expose serious vulnerabilities. Recognising this problem allows an organisation to move to a managed system using strong two-factor authentication, like the RSA SecurID token, to authenticate onto protected systems, but is this enough? Well, the worrying thing is, probably not. We still have the human factor, most likely the weakest link in the security chain. Managers could still give their SecurID fob to their assistant and tell them the PIN. Key logging could capture the PIN and the SecurID fob could then be stolen; in the worst-case scenario, what if the PIN is written on the reverse of the SecurID fob?

On a return trip from America recently I arrived at the airport and entered the immigration hall at Heathrow London. There were long queues as a lot of flights had just arrived. However, I smiled and walked up to the Iris recognition immigration system (IRIS) booth that had no queue. I entered the booth and, following instructions, had both my eyes scanned, and less than ten seconds later I was back in the UK. There was no human involvement, no password presentation, just the science of biometric security at work and the quality assurance of the UK immigration service in establishing my identity before allowing me to register. But this is no panacea to our security needs. Rasool Azari highlights in his book, Current Security Management & Ethical Issues Of Information Technology, "There is a temporal aspect to biometric data." A measurement of a physical characteristic taken at a particular time provides a correspondence between that data and an individual. However, the physical characteristic may quite naturally develop or change over time and future comparisons with that measurement may not match. Future security models will also need policies and procedures to make sure they stay relevant. This has indeed been already built into place by the UK Immigration IRIS service: my eyes are only valid until 2011, and then I need to re-register myself and my eyes.

No matter what paradigm of security model we operate within, due diligence, enforcement and quality assurance should remain at the top of the agenda for security engineers and IT managers. Whatever we do, we need to observe these wise words: “Passwords are like toothbrushes; they should never be shared and changed on a regular basis!”

—Richard Gough is a Chartered IT Professional and a Fellow of BCS, The Chartered Institute for IT.

CHOOSING A STRONG PASSWORD

SIZE MATTERS
Some sites put restrictions on password length, but whenever possible try to choose the longest password you feel comfortable remembering.

DON'T RELY ON THE DICTIONARY
Using a word may make your password easy to remember, but it also makes it vulnerable to a dictionary attack. A dictionary attack is one where a hacker attempts to break your password by throwing every word in the dictionary at your account. Making up your own word or using a random series of letters and digits are some of the options.

HELP FROM THE KEYBOARD
Want a random password for optimum security, but can't memorize things? Look at your keyboard and find a pattern. For example, type straight up from the b key: "bgt5," and then back down from the 6: "6yhn." Throw a made-up word in the middle, complete with capital letters and a few symbols, and you've got a password no one is likely to guess (unless they've read this article too).

USE NUMBERS, CAPITAL LETTERS AND SYMBOLS
Again, the less human readable the password, the greater the chances no one is ever going to guess it. Throwing a bit of cartoon swearing, like @#$@$%#, in your passwords will make them more difficult to guess.

USE A PASSWORD MANAGER FOR WEBSITES
Applications like 1Password for the Mac, or KeePass or Roboform for Windows, can create and manage strong passwords for you. One of the key features in both is the ability to generate random passwords for websites. That means you can have a very long, totally random password that you don't need to remember. The only catch is that, if you use multiple PCs, you'll need to sync your password manager.

TYPE A SENTENCE
If the keyboard pattern doesn't work for you, try using a short sentence. Instead of spaces between the words, insert symbols and numbers. It's not quite as secure, but it sure beats "password1." Bonus points for typing the sentence backwards.

USE THE INITIAL LETTERS FROM A SENTENCE
Start with a sentence like: "I don't want to wait for access". Then shorten it to just the first character of each word and turn "to" into 2, "s" into 5, etc. That makes the above sentence into this garbage-looking password: "1dw2wfa" but easily remembered by you.

You can also use a line in a song, possibly from the more obscure (and / or embarrassing) reaches of your musical tastes. After a while you may find the song just pops into your head when you see a site's login or front page. For example: 1c1nm0ydAmp5tf2B&W. I can't light no more of your darkness...! Just don't hum it as you log in!
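The weaknesses this article names (short passwords, dictionary words, and "superman12, superman23" style variations of a theme) can be tested for at the moment a user changes a password. The sketch below is an added example, not part of the original article; the function names, the small word list and the minimum length of 12 are assumptions chosen for illustration.

```python
import re

# Constructed mini word list; a real deployment would load a large
# dictionary plus a list of known-breached passwords.
WORDLIST = {"superman", "wonderwoman", "password", "letmein"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article

# Character classes the tip box asks for: numbers, capitals, symbols.
REQUIRED_CLASSES = (
    ("digit", r"\d"),
    ("capital", r"[A-Z]"),
    ("symbol", r"[^A-Za-z0-9]"),
)


def stem(password):
    """Lower-case the password and strip digits/symbols from both ends,
    so 'superman12' and 'Superman95!' both reduce to 'superman'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def check_password(candidate, current=None, wordlist=WORDLIST):
    """Return the list of policy rules the candidate breaks (empty = accepted).

    `current` is the password the user has just typed to authorise the
    change. Older passwords should exist only as hashes, so the current
    one is the only password that can be compared in clear text.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")

    missing = [name for name, pattern in REQUIRED_CLASSES
               if not re.search(pattern, candidate)]
    if missing:
        problems.append("missing:" + ",".join(missing))

    base = stem(candidate)
    if base in wordlist:
        # A dictionary word with digits bolted on is still a dictionary word.
        problems.append("dictionary_word")

    if base and current is not None and base == stem(current):
        # Same theme as the old password, only the decoration changed.
        problems.append("variation_of_current")

    return problems


if __name__ == "__main__":
    # Candidates taken from the article's own examples.
    for pw in ("superman23", "wonderwoman", "1c1nm0ydAmp5tf2B&W"):
        print(pw, "->", check_password(pw, current="superman12") or "accepted")
```

The song-line password from the tip box passes every rule, while the "superman" variants fail on length, character classes, dictionary membership and similarity to the password being replaced.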

Subprime Opportunity

SKS Microfinance is rapidly expanding its reach through innovative use of IT. BY ASHWANI MISHRA

PRADEEP V KALRA, CIO, SKS Microfinance

Suryapet, also called the Gateway to Telangana, is located in the south-eastern part of Hyderabad in Nalgonda district. It is famous for being a dustbin-free, zero-garbage town since 2003, with the local municipal council bagging various accolades at both state and central levels. This is also the home of Bandaru Lakshmi. When Lakshmi moved to Suryapet from a nearby village along with her family a few years back, her family was penniless. Her husband was worried about raising their children.

However, things changed when Lakshmi took an income-generating loan of Rs 10,000 from Swayam Krishi Sangam (SKS) Microfinance, a microfinance company.

She started to buy and sell readymade garments in the nearby villages. With her hard work, she managed to repay the loan and again took additional loans of Rs 12,000 and then Rs 14,000 to expand her business. Today, she earns a monthly income of Rs 30,000 and her eldest daughter has secured a job at Infosys.

“People look up to us now. I am grateful to god. With the support SKS extended, I could provide decent education for my children,” says Lakshmi.

Lakshmi is not the only one. Since its inception in 1998, SKS has provided loans to more than 50 lakh women across the country. Its target is to reach 1.5 crore clients by 2012.

“SKS provides credit to the poorest of women who otherwise would never get loans from a bank. Organised institutions do not trust the poor; we do,” says Pradeep V Kalra, CIO, SKS Microfinance.

Building hope

Field officers from SKS visit villages and conduct a survey that involves checking the population, the business viability of that particular village, the activities of the locals, and the scope of business activities in the region. The field officers also check for the presence of a bank in the village (for depositing the cash collected).

After the survey is conducted, a few villages are shortlisted. The team then explains the SKS model to prospective members. After the model is explained, the women have to take an ability test to pass muster.

Once the loan is granted, groups of five women are selected. One of them becomes the group leader. Responsibility is shared across all the women in a group.

“If one of the women is unable to pay for a couple of weeks, the other four contribute and pay the pending amount for her,” explains Kalra.

Initially, each member gets a loan of around Rs 10,000 for a period of fifty weeks. The repayment is done every week. On returning the money with interest, which must be done in fifty weeks, the group becomes eligible for a higher amount. SKS charges 12.5 percent at a flat rate and 26 percent at an effective rate. In Andhra Pradesh, Karnataka and Orissa, loans are extended at a flat interest rate of 12.5 percent and at an effective interest rate of 26.69 percent. In the rest of the states, where the penetration is low, the loans are given at a flat interest rate of 15 percent and at an effective interest rate of 31.41 percent. In comparison, availing a loan from government schemes or banks attracts a 45 percent interest rate, while in case of a money lender the interest rate rises to 50-60 percent.

The field force, who make up 90 percent of the SKS team, have the onus of ensuring that they reach out to members, both existing and prospective, to expand the company’s reach. These officers come from the same social segment that the organisation serves.

Empowering the field generals

The field officers normally reach their office at around six in the morning each day before they visit a village centre. In one village there could be many centres. The officers normally visit four to five centres daily. Each centre has about 30-40 members.

These officers log on to their machines and use the portfolio tracker and accounting system to generate the collection and disbursement report for that particular day and take a print out.

Moving forward, SKS plans to roll out usage of mobile devices for its officers. The field officer could directly key in all the details in the mobile (Smartphone or a BlackBerry) so that the information is directly uploaded on the central server.

“This would be a relief for our field force as manual entries would no longer be required and they could utilise their time to visit more members or villages,” says Kalra.

As there are no readymade mobile products available for microfinance in the market, SKS developed a product called SKSlite, a data entry application that provides a systematic view of all transactions at the head office.

The company along with its technology partners is trying to create a mobile access layer over the SKSlite application for mobile devices. This should be completed within the next six to eight months. The application will also replace the portfolio tracker platform.

“For the application to be successful there is a lot of testing required,” says Kalra.

Another area of concern for the officers was getting a computer system to key in the entries when they reached the branch office. Each of these field officers returned to the office at almost the same time and that led to frequent delays in data entry.

“Our business model did not allow having a dedicated computer terminal for each officer,” says Kalra.

To address this issue, SKS went in for a desktop virtualisation solution from SoftXpand. The SoftXpand software turns one computer into eight fully independent computer workstations using normal hardware.

A computer terminal, called the host machine, is chosen and a video card is inserted into the CPU of this computer. Another monitor is connected using the video card from the first system. For connecting an additional system, another video card is inserted in the host machine, and so on.

SKS has tested the solution for four systems, i.e. one CPU running four computer terminals, and the results have been good. The software aims to reduce the total cost of ownership (TCO) by up to 70 percent. The company has rolled out around 500 of such terminals and over the next month they plan to have another 1,000 such terminals across all their locations.

All the data entered by these officers can be viewed through the Branch Operations Console or BOC. This application was developed in-house to provide a financial and operational snapshot across branch networks.

“Earlier this was a pain point for us as it would take several days to get such information,” recollects Kalra.

The branch support is done in-house. The company has an IT team of 200 people across various regions who provide technology support to all branches. There are 28 regional offices in India, each having a regional IT manager. Every region has 100 plus branches allocated to it, and there is one engineer for every 10 to 12 branches.

Data centre operations are outsourced to a provider in Bangalore. The company is also planning to roll out a disaster recovery (DR) site that will host all the applications.

Beyond financing

With officers getting equipped and IT operations gearing to support business, SKS has already started expanding its microfinance network to empower the poor through other means besides credit. Their partnership with German wholesaler, Metro Cash & Carry, is just one example.

Around six lakh SKS members took loans to open kirana shops as their microenterprise. They normally went to the local market to buy goods for their stores. Because they bought merchandise in smaller quantities, they had to pay a higher price to the distributors.

To address this issue, SKS struck a deal with Metro to supply its products to the SKS-financed kirana stores.

“Metro has created a separate business model with us as this was a major business segment for them,” says Kalra.

As of date around 2,000 kirana stores have tied up with Metro to purchase products at wholesale prices. SKS gets a two percent commission from Metro. SKS also charges a service fee of Rs 25 for deliveries up to Rs 4,000, while Rs 40 is charged for deliveries between Rs 4,000 and Rs 12,500.

When the kirana stores receive the order, the shopkeepers get a credit period of 15 days to return the money to SKS without any interest. The collections are also fed into the mobile application of the field staff.

The company is also in the process of offering its customers loans for their housing needs. In December last year, it joined hands with the Housing Development Finance Corporation (HDFC) in its attempt to bridge the critical gap in the housing finance needs of the poor.

The pilot project will be conducted in Andhra Pradesh among credit members who have been with SKS for at least three years.

SKS's mission is to provide financial services to the poor in a sustainable manner. Nobel Peace Laureate Muhammad Yunus introduced to the world the concept of a social business and challenged the free market economy. He said, “because of the restrictions placed by capitalism and motivation to maximise profit, we have forgotten the social and emotional needs of human beings.” This is what SKS Microfinance is trying to regain.

MOBILE TECHNOLOGY: A CHALLENGE FOR MICROFINANCE

A major problem in microfinance is high transaction costs because the price escalates when processing millions of tiny loans. Use of mobile banking technology helps reduce costs in two ways.

Firstly, the data does not need to be entered manually. This makes the process more efficient and more accurate, and reduces the scope for fraud. Secondly, mobile banking helps in cash movements, and can be used as a cash substitute to either transfer a loan or make a payment.

However, over the last few years, many microfinance institutions have experimented with mobile technologies to reduce the cost per transaction, increase safety and reach remote regions, though with little success. This has been true for SKS as well. It did a pilot for mobile-based loan disbursal and repayment in Nalgonda district in central Andhra Pradesh, but soon abandoned it. SKS could not go beyond a pilot given that only banks could offer mobile payments.

Other reasons for the poor adoption of technology in microcredit include unviable technologies, poor telecom networks in rural India, and affordability of mobile phones.

IT DRIVES SKS MICROFINANCE

SURESH GURUMANI took over the mantle of SKS Microfinance as its CEO and Managing Director in December 2008. This banking veteran with 22 years of experience talks to Ashwani Mishra on the role of IT and the challenges faced by the microfinance sector. Excerpts:

What role do you see IT playing in SKS Microfinance's growth plans?

IT has been a driver for our business growth right from the point of information capture to launching new products.

Using IT we have standardised and automated microfinance processes. From training field officers using a standard methodology to streamlined processes for entering data, we have created an extremely standardised operational practice that can be widely scaled.

What has been your single biggest challenge so far?

Rural connectivity is one of the biggest challenges for us. To manage rural network connectivity across 2000 villages in which we operate is a big challenge. The other challenge is shortage of power in the remote areas of the country.

What are the challenges for microfinance in using mobile banking technology?

The challenge is with government regulations and not with technology. We did a pilot for mobile-based loan disbursal and repayment in central Andhra Pradesh, but soon abandoned it. We could not go beyond a pilot given that only banks can offer mobile payments.

Here is a chance for us to show regulators, investors and others that we are a responsible, credible sector and ready for new laws. We have made investments in technology and governance. The industry has to grow in an orderly manner and live up to the expectations of customers. We need strong support from the government and the Reserve Bank of India (RBI).

How would you rate the success of SKS over the last couple of years?

SKS is a big success because of standardised processes, simplified documentation, and use of technology in hiring and training of our employees. We have a clear market leadership. By our own estimates, our share in the microfinance sector exceeds 25 percent.

What kind of learnings and experience do you bring to SKS?

In banking, understanding risk management is crucial. For microfinance, the focus on risk management has been limited and this is where my background as a banker comes in handy. Banks have evolved as a business model and they can include risk management, analytics, service quality etc. within their systems.

At this juncture, we are still building our systems to scale up and match the banking model. We should be at par with the banking model in a couple of years.

“The industry has to grow in an orderly manner and live up to customer expectations.”

SURESH GURUMANI, CEO & MD, SKS Microfinance

SKS MICROFINANCE

Member base: 57,49,639

India presence: 19 states

Branches: 1,718

Cumulative disbursement: Rs. 11,208 crore

Amount outstanding: Rs. 3,590 crore

Repayment rate: 99 percent

IT investment in the last year: Rs 20 crore

(As on 30th November 2009)

Passing Cloud

Five possible ways in which IT tools would transform in a cloud model. BY KEN OESTREICH

Most people within the IT fraternity agree that cloud computing does impact the manner in which technology is used in the industry, and also brings about a change in the way IT operations manage infrastructure. So I am not surprised when a number of traditional "point-product" IT Service Management (ITSM) products make way for the new cloud computing operational paradigm.

When I read Gartner's report titled Hype Cycle for IT Operations Management 2009, I was struck by the number of technology categories that may really need to change in a cloud model. In fact, cloud computing was at the peak of Gartner's overall Technology Hype Cycle for 2009.

In my assessment, there are five ways in which an ITSM product could transform in a cloud model:

Overall increase in use due to IT operations created by the automation within a cloud infrastructure. With more dynamic resource requirements, a few ITSM tools may become more valuable than others. For example, take a billing or chargeback application. Clearly any provider of cloud computing will need them to provide the pay-as-you-go economic model, particularly as individual resource needs shift over time. The same holds true for tools such as dynamic workload brokering, etc.

Overall decrease due to the automation or virtualisation within a cloud infrastructure. As automation begins to manage resources within the cloud, certain closely-monitored managed services may simply get obviated. Take for example application-specific capacity planning; no longer will this matter to the degree it used to now that we have "elastic" cloud capacity. Similarly, things like event correlation might no longer be needed by the end-user because automation shields them from the need to know about infrastructure-related issues.

Shift in use to the cloud operator will have its own impact. The IT service provider will tend to use certain ITSM tools more. For example, Asset Management, Global Capacity Management and QoS tools necessarily mean nothing to the end-user now, but may still be critically-important to the SP.

Shift in use to the cloud end-user, i.e. the cloud user may tend to use certain ITSM tools more because they do not directly 'own' or manage the infrastructure anymore. They just manage executable images, i.e. end-users using IaaS clouds will need to maintain their application and service portfolio tools to manage uploadable images, etc. Conversely, users may no longer care about configuration auditing tools since that would not be managed by the cloud provider.

Transition from being app-specific to environment-specific is a shift from tools being used to monitor a limited-scope application stack to a large shared infrastructure. Capacity and consolidation planning tools are no longer of any interest to the end user. But to the cloud operator, knowing global capacity and utilisation is critical.

In retrospect, I can probably concoct exceptions to almost every example above. So keep in mind the examples are illustrative only! The diagram (see figure, IT Ops Tool Shift and Cloud Computing) is also mostly conceptual; I am not an ITSM professional. But while it may be a bit of a 'hack', I'm hoping it provides food for thought on how certain tools may evolve, and where certain tools may be useful in new/different ways. I've selected a number of ITSM tools from Gartner's IT Ops Management Hype Cycle report to populate it with.

IT OPS TOOL SHIFT AND CLOUD COMPUTING (SOURCE: K. OESTREICH)

Axes: Shift to Service Provider / Shift to End-user; Shift toward Environment-wide Management / Shift toward Application-specific Management

Key: + growing in importance, — losing importance, N/A

+ IT Change Management
+ IT Asset Management
+ Resource/Capacity Planning
+ Workload Brokering Tools
+ IT Service Portfolios (for PaaS providers)

+ CMDB (will become real-time)
+ Network Monitoring

+ IT Chargeback/Billing
+ SLA Monitoring/Reporting
— Job Scheduling

+ IT Service Catalog
+ IT Service Portfolio
— Configuration Auditing
— Server Provisioning Tools
— Event Correlation
— Capacity Planning

Shadow of Doubt

Understanding compliance risks related to cloud computing can mean less trouble later. BY REBECCA HEROLD

At a Thanksgiving dinner last November, a few of my relatives (none of whom are in the IT, information security or privacy industries) asked what I was writing about. I mentioned that I was looking into the privacy implications of cloud computing. After a brief pause, one of them asked, “Are cumulus more dangerous than cirrus to computers?”

The concept of “cloud computing” is not well known to most folks, not even to the person who uses a vast number of cloud computing applications through his company networks, often without being aware of it. If they don’t know what they are using, then how can they know the information security and privacy risks involved?

“Cloud computing” emerged over the IT horizon in 2008 to become one of the hot topics of conversation for most IT leaders. For those who may wonder, cloud computing is a nebulous (or should I say cumulous) term used to describe applications that are actually located outside the network perimeter and on other entities’ servers accessible via the Internet. They are very much like silent business partners.


What’s to worry about?

Are those silent business partners ensuring appropriate privacy protections to the vast amounts of personally identifiable information (PII) being entrusted to them? Is there any need to worry? And how does data storage on cloud impact compliance?

While at a recent CSI Annual conference in National Harbour, Maryland, I asked a few executives about security and privacy issues related to cloud computing.

One very smart security vendor said there were no new issues; just issues that needed to be revisited.

So, he had no worries. Is it really that simple?

Another brilliant IT services vendor said that the more she learned the more concerned she became, and that she was sure she still hadn’t heard the worst.

Here are a few of the worries I have with cloud computing as they relate to privacy and information security:

Who has access to information that an organisation puts on external cloud application and systems servers?

How does an organisation’s compliance with applicable laws, regulations and policies change when its information is stored in the clouds?

How long does information put into the clouds stay in those clouds? Do the clouds have retention policies?

Can information be permanently and completely removed from the clouds once it is put there?

Are there any logs generated to show how that cloudy information is accessed, copied, modified and otherwise used?

Can all necessary information in clouds be easily retrieved during e-discovery activities? If so, what are the related costs involved?

Consider a couple of popular cloud computing services, Google Documents (Google Docs for short) and Adobe Photoshop Express.

Document of delusion?

Last summer I participated in a group project of globally spread information security experts, and we used Google Docs as the primary repository for our work, none of which was classified as sensitive or confidential.

I sometimes wondered how safe the documents we put on the Google Docs cloud were.

The Google Docs site indicates they use the same privacy policy as the one located at the primary Google site in addition to some other stipulations.

Basically there is very little expectation of tight controls to the files put onto the site; security is pretty much left up to the site users.

And that amount of security is pretty limited, considering Google Docs indicates that the files you entrust to them may be “read, copied, used and redistributed by people you know or, again if you choose, by people you do not know. Information you disclose using the chat function of Google Docs may be read, copied, used and redistributed by people participating in the chat.”

Google Docs gives a nonchalant warning to “use care when including sensitive personal information in documents you share or in chat sessions, such as social security numbers, financial account information, home addresses or phone numbers.”

It was good to see Google Docs indicates that you may “permanently delete” files from their systems, but then in the next sentence states that “Because of the way we maintain this service, residual copies of your files and other information associated with your account may remain on our servers for three weeks.”

It appears that Google Docs could be a great way to collaborate with other organisations on documents that are not sensitive in nature, but probably not a repository to place PII or business sensitive information within.

Shadow of doubt

Many of the folks I know, including one of the parents’ groups I belong to, use Adobe Photoshop Express to share photos; hey, it’s quick and easy!

I know some businesses that are also using this site to share files with business partners. Does Adobe protect those photos and answer my questions from earlier?

It is important to also consider that some of those photos could be interpreted incorrectly or taken out of context if viewed by unauthorized or unintended individuals.

The privacy policy from the Photoshop Express site is the same one as used from the Adobe home page. It is quite wordy, lengthy, heavy in legalese, and includes several implied consents.

For example, it states that, “However, if Adobe sells assets (or the assets of a division or subsidiary) to another entity, or Adobe (or a division or subsidiary) is acquired by or merged with another entity, you agree that Adobe may provide to such entity customer information that is related to that part of our business that was sold to or merged with the other entity without obtaining your further consent.”

Another implied consent states, “By using this Site and the Products and Services, you agree and acknowledge that personal information collected through the Site or in connection with the Products and Services may be transferred across national boundaries and stored and processed in any of the countries around the world in which Adobe maintains offices.....”

It is not clear how long Adobe retains information put on their servers, or how you can completely remove information from the site.

I could find nothing related to removal or retention of the photos on the site. It looks like a great way to share non-sensitive photos, but it would not be wise to use it for business purposes without first doing a thorough information security and privacy program and review of the site.

36% of IT staff feel cloud computing presents greater risk to information security than in-house computing. Source: globalsecuritymag.com

Cloudy laws and regulations issues

In the past many organisations found themselves in complicated and sticky situations by addressing compliance issues only after new technologies and tools were widely used throughout the enterprise.

If your organisation hasn’t tried cloud computing yet, act now to prevent compliance issues from getting out of hand and to save yourself some headaches.

Before the business commits to cloud computing services, it is good to consider the cloud computing vendor as much more than just a software provider; it really is another type of business partner.

Businesses need to scrutinise the information security programs, and cloud computing tools should be viewed no differently.

If your business is entrusting critical processing and data to another entity, you should first ensure it is trustworthy, secure and meets your organisation’s compliance obligations.

Most laws and regulations, not only in the U.S., but also in many other countries, require organisations to establish appropriate controls and safeguards around PII and related business information.

But how do you know that appropriate controls and safeguards exist within the clouds? Information processed in clouds is not under your organisation’s control.

Do you know what happens to the information? Where it is stored? Who has access to it? Consider this: what breach notice actions will you need to take if your cloud computing service has a security incident involving your organisation’s PII?

Will the cloud computing service that had an incident even notify you? And in organisations that process credit card payments there are also certainly compliance issues for PCI DSS compliance to consider when using cloud services that involve customer PII.

Privacy issues still foggy

As companies start using more cloud computing resources for business purposes, business leaders will be wise to identify the sites and services they want to use and then review the information security policies and update them to address these new risks.

In addition to usage policies for employee interaction on public sites, companies must look for new ways to protect data on resources that are not under their direct control. This includes securing data as it is transmitted to and stored in the cloud as well as granting the appropriate access rights regarding who can view the data.

Select cloud computing services carefully, and with your organisation’s legal requirements and your own information security and privacy policies in mind. Here are issues to address and questions to ask:

- Where will your organisation’s data be stored?
- Will your organisation’s data be stored in a way that it intermingles with the data from other companies?
- Who will have access to your organisation’s data?
- Are backup and recovery processes in place?
- What are the availability promises for the cloud service? Are they documented within a Service Level Agreement?
- What audit trails are generated and maintained for your data?
- Does the cloud computing service have established and documented information security policies and supporting procedures?

Basically you need to ask all the same questions that you would during a third-party, vendor or business partner security program review, in addition to knowing some specifics mentioned above that are unique to cloud computing services.

You also need to ensure your policies and procedures are up-to-date with your new cloud computing activities.

Some of the issues to address within your policies and supporting procedures include:

- The increased risks of inadvertent disclosure of sensitive data and PII by posting to cloud computing sites.
- The increased exposure to malware that is commonly hiding on and distributed through these sites.
- The increased risk of unauthorised use of the data used on the cloud computing sites as a result of minimal to no access controls.
- Determining how data protection requirements apply to information stored in these computer clouds.

I also recommend organisations do a privacy impact assessment (PIA) whenever considering a move to a cloud computing service. As part of the PIA, map your PII data flows to identify the vulnerabilities to determine security and non-compliance risks.

Committing to a cloud computing service without first considering the legal and compliance risks, and without knowing the security controls that exist, could result in very significant negative business impact from noncompliance and/or security incidents, well beyond the savings that using the cloud service brings to the business.

Be sure you provide training and ongoing awareness communications to your personnel about how they can, and cannot, use specific cloud computing services, and make sure they know and follow the associated procedures.

—Rebecca Herold is an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold & Associates, LLC. This article is published with permission from www.information-security-resources.com


Illustration by PC Anoop

Top CIO challenges in 2010

THE YEAR 2010 brings a lot of hope for enterprise IT leaders. The economy has started looking up. There are new services and technologies being launched to ease the pressure on user IT organisations. On top of it all, a CIO’s role, as a crusader of transformation, is getting recognised more than before.

But as always, this year too CIOs have to grapple with some pertinent challenges. Interestingly, while talking to the CIOs we found out that technology issues per se are the easiest ones to handle. The ones that bog down a CIO very badly are organisational and management issues and those related to strategic planning. Although these are not life-threatening issues for a CIO, if not dealt with seriously, they can pose serious threats to him. Our in-depth study revealed that there are four key issues that may hound CIOs this year. They are:

- Budget constraints
- Adopting new cost-effective IT delivery models
- Making enterprises aware of risk and compliance
- People retention

We looked into each of the above mentioned issues and spoke to the CIOs about their perception of these challenges and their plans to deal with them. Our features have the details.


Producing a low-budget show

Innovative methods help CIOs outwit budgetary challenges in 2010

BY GYANA RANJAN SWAIN

The global economic meltdown in the last six quarters resulted in all round cost cuttings, shrinking of expenditures, freezing of new investments and compelled enterprises across industries to give second thoughts to any kind of expansion. Among all the departments in an enterprise, the IT department was the worst hit as it is still being considered as a cost centre. However, in no way did the economic downturn reduce the expectations from the business houses in terms of productivity and profit. Rather, it forced the decision makers to pull up their socks and rationalise their budgets.

Though the severity of the recessionary impact in India is less than the US or other developed markets, experts opine that it did slow down the pace of growth if not completely paralyse it. Enterprises do recognise that availability of funds is a challenge, and that funds obtained are first deployed for core business activities. Barring some industries, IT investment falls under the category of 'discretionary investments' in most verticals.

“The biggest challenge for any IT organisation today is to be considered as a critical enabler of business, and a driver of profit rather than the currently held perceptions of technology being a support function and a cost centre,” says Govind Singh, Director-IT of Levi Strauss India, a global apparel brand.

WHAT'S IN STORE IN 2010

According to a Gartner-EXP Worldwide Survey of global chief information officers (CIOs), the IT budgets are expected to witness a marginal increase of 1.3 per cent compared to 2009, which saw IT budgets declining by 8.1 per cent.

This means CIOs are set for a very difficult time ahead, and will be expected to deliver more with less. “Our topmost priority is to deliver maximum output without hampering the budget,” says Sanjay Rao, CIO of SRF Ltd.

Many CIOs believe that IT expenses required to keep the current IT engine running are being included in the budget; however, there is a pressure to reduce these too. A few IT investments that can give high payback and immediate results in terms of cost savings are definitely being considered even during these times. However, attempts are being made to consider OPEX models as against CAPEX investments.

"CIOs see 2010 as an opportunity to accelerate the transition of IT from a support function to a strategic contributor focused on innovation and competitive advantages," Marc McDonald, VP of Gartner EXP group, said in a press statement.

The survey also mentions that business process improvement and reducing enterprise costs are top two business priorities for the CIOs, while virtualisation and cloud-computing emerged as the top two technology priorities.

However, not all CIOs feel capex allocation is a challenge. They are of the opinion that if the investments required can justify the benefits, then organisations would not hesitate to go that extra mile.

“Like any other organisation, we, too, face budgetary constraints. Having said that I'd say that the budgetary constraints never stop us from investing in projects where we see business value,” says Singh.

He says a CIO needs to convince the business guys about the ROI and its business value in order to get budgets sanctioned. “For example, if I propose to the management to deploy some technology tools which would increase the cost of the product by Rs 15, then I must convince them that the investment of Rs 15 per product would give returns of at least Rs 17,” he adds.

A CASE IN POINT

PORTFOLIO MODELS

COMPANY: Lowe Lintas

CHALLENGE: Determining an effective framework for returns on IT investment.

SOLUTION: An IT Portfolio Management approach wherein returns are classified under Strategic (Higher risk/ higher returns), Informational and Operational (Low risk /moderate) returns.


INNOVATION IS THE KEY

Budgets or no budgets you cannot play around with your bottom-line. Enterprises are pitted against this challenge all the time. And in most cases it is expected that in times of crisis, technology will come as a saviour. CIOs are expected to use IT as an enabler rather than see it as just a business support function. Expectations are shifting from a focus on greater cost-cutting efficiencies to achieving better results based on enterprise and IT productivity. These productivity gains will come from collaborative and innovative solutions that take advantage of the new light-weight, services-based social media technologies, including virtualisation, cloud computing and Web 2.0 social computing.

“While technologies are transitioning from 'heavy' owner-operated solutions to a 'lighter-weight' services model, the CIOs are, in turn, changing the role of IT from simply managing resources to taking responsibility for managing results,” says McDonald.

Also, the tough times in the past have taught CIOs many lessons and they have started prioritising the most essential technology requirements. “We are considering an IT Portfolio management approach wherein we are classifying returns as strategic (higher risk/higher returns), informational and operational (low risk /moderate) returns,” says Pravin Savant, CTO, Lowe India.

Moreover, the technologies that CIOs are prioritising in 2010 are technologies that can be implemented quickly without significant upfront expense. Instead of investments in technologies that will require millions of dollars to get millions in benefits, investments are being made in technologies where the upfront investments can be measured in thousands of dollars. However, Savant says that any innovation which might contribute to the business in some way might stand a chance of acceptance.

“We have a robust IT infrastructure, and we do not need any investment in near future; however, even if we consider some investment, our decision will solely be based on its long term benefits,” says Rao.

Technologies like virtualisation, cloud and Web 2.0 are the new tools in the hands of CIOs as these enable companies to get out from under a heavy investment model that limits IT's agility and flexibility.

CIOs see 2010 as an opportunity to accelerate the transition of IT from being a support function to being a strategic contributor to business.

1.3% increase in global average IT budget in 2010, compared to the previous year.

“CIOs are transitioning from merely managing resources to taking responsibility for managing results”
—Marc McDonald, VP, Gartner EXP Group

“The biggest challenge for any IT organisation today is to be considered as a critical enabler of business and a driver of profit”
—Govind Singh, Director-IT, Levi Strauss & Co, India

“We are considering an IT portfolio management approach wherein we are classifying the returns as strategic, informational and operational returns”
—Pravin Savant, CTO, Lowe India


Under the cloud

SaaS providers still fall short of providing adequate information security assurances in comparison to licensed software vendors

BY ADITYA KELEKAR

The initial hype surrounding cloud computing raised a lot of unrealistic expectations. With the dust settling, CIOs are able to see better and find out whether the subscription model delivers what it promises. The results, perceived or otherwise, are not all favourable: SaaS providers still fall short of providing adequate information security assurances in comparison to licensed software vendors. Subscription-based software also fails in terms of reliability.

Security and reliability are big concerns for Makemytrip.com, a Gurgaon-based online travel agent (OTA). If any customer-facing application goes down, the OTA is badly impacted. “If our application stops servicing, our customers would move to other sites, something we just can't afford,” said Mukesh Singh, Senior Vice President of Technology Development, Makemytrip.com. Singh is already contemplating a move to SaaS, though in a limited way, mostly involving non-core business applications. “I would like to try it with any service which is not a customer-facing one, such as storage of data for data mining,” Singh says.

How much time would a CIO give to find out if the model is measuring up to her expectations? Singh says that he would give two-three months for the ROI to be realised and that the period is essential to properly test the solution. “What vendors say is one thing, but when you get down to implementation there are always some surprises, which take some time to get used to,” he says.

In reality things are progressing well. The evolution of the cloud computing ecosystem to address these issues is well underway. “With time, issues such as lack of reliability and inadequate security will be ironed out,” says Singh. Singh should know, having served as General Manager with Amazon India, the Indian arm of the company that is one of the biggest cloud providers in the world.

The challenges for CIOs then are to know the right time to move to the cloud and which applications to move first.

KNOWING THE RIGHT TIME

It's now well established that more and more companies are moving many of their applications onto the cloud. Springboard Research, in its recently released bulletin has said that India is the fastest growing Software-as-a-Service (SaaS) market in Asia Pacific with an estimated CAGR of 60 percent from 2008 to 2012. According to the research organization, the Indian SaaS market which was worth $105 million in 2009, is estimated to be worth $352 million by 2012.

Notwithstanding SaaS's increasing popularity, individual companies must determine for themselves whether the shift from on-premise software to the cloud model will prove beneficial to them. Tom Bittman, a senior Gartner analyst, notes that the cloud computing services needed to deliver the majority of IT services do not yet exist.

“There are limited SaaS offerings today; service-level requirements can’t always be met; glaring security holes exist; compliance requirements haven’t caught up with technological capability, cloud providers tend to be proprietary and monolithic,” he said in a recent blog.

A CASE IN POINT

SUPPLIER ENABLEMENT

COMPANY: Maruti Suzuki India

CHALLENGE: To enable suppliers to understand the company's materials requirements on a real-time basis.

SOLUTION: A SaaS-modelled application, which would enable suppliers to look up the requirements and carry out commercial transactions.


Shashank Sathe, CTO and VP of Mumbai-based Rajshri Media, agrees with the premise that security is a big issue, but he also notes that the cloud computing model is simply not cut out to serve all applications, at least not currently. The company deals in online delivery of professionally shot content streamed on the Internet. It has to contend with guidelines from various types of companies with whom it partners.

Sathe says that it's a highly complex task to manage these various deliveries via an unmanned system which has to not only function as the company's digital asset management but also serve as an in-house cataloguing, archiving, email tracking and order supply-chain management system. “A SaaS model simply doesn't fit in this kind of a dynamically changing scenario since there is way too much at stake and too little time to deliver the final product to the clients,” he says.

To build custom applications and have them operating out of the cloud may be challenging, but it's not impossible. Rajesh Uppal, CGM – IT, Maruti-Suzuki India is trying to do just that. He wants to build an application which would enable suppliers to check the company’s requirements and carry out commercial transactions using a SaaS application. He's already used the model when the company developed dealer automation software. Designed by a service provider (Wipro) and hosted from a third-party centre (Reliance IDC), the dealer automation application is being used for many functions such as enquiry tracking and customer servicing.

Uppal notes that the cost would have been prohibitively high to the dealers if they had to develop the application themselves. In the current scenario, where they use it as a service, they are able to pay for it on a monthly basis. The back-end of the application is integrated with Maruti-Suzuki's database, helping the company to have access to the data.

However, Uppal still needs to think out-of-the-box while designing the application, as the cost of application development again poses a challenge. He is trying to work with other automobile companies such as Hero Honda to look at the possibility of joint development of the application.

60%: Estimated growth (in CAGR, from 2008 to 2012) of the SaaS market in India, according to Springboard Research

“Our dealers are able to use the application as a service by paying for it on a monthly basis; this is a win-win situation for them and for us”
—Rajesh Uppal, CGM – IT, Maruti-Suzuki India

“A SaaS model doesn't fit in dynamically changing scenarios since there is too much at stake and too little time to deliver the final product to the client”
—Shashank Sathe, CTO and VP, Rajshri Media

“I would like to try SaaS with any service which is not a customer-facing one, such as storage of data for data mining”
—Mukesh Singh, Senior Vice President, Technology Development, Makemytrip.com


Calculated risk

Identifying information security risks and fixing them would be a key enterprise priority in 2010

BY ASHWANI MISHRA

As a soccer enthusiast, you would know what it means to do tackle drills. It’s simply getting back to the basics. All the defensive schemes, strategies, expensive coaches or best gears cannot come to your rescue when you simply can’t tackle.

This is what happened at the Bangalore office of FMCG major Hindustan Unilever Limited (HUL). A couple of months back, a man posing as a visitor entered the HUL office on the pretext of meeting an employee. This person casually loitered around the premises and quietly picked sensitive documents. It happened for two consecutive days.

“Had the information got into the hands of our competitors, they would have made a killing from the data,” says Subramaniam Narayanan, Senior VP, IT, HUL.

Luckily, this was a security drill and the mysterious man was an insider. HUL was trying to get its basics right — spot the risks and mitigate them.

PROACTIVE APPROACH

An important challenge for enterprises this year would be to focus on the overall security of business information and not merely secure their computer systems. This would involve developing a holistic approach to risk identification and management.

“No enterprise can completely eliminate risks associated with IT systems and business. What organisations need to do is manage them to an acceptable level so that their impact on business is minimised. More and more CIOs are adopting a proactive approach to managing risks rather than a reactive one; this trend is likely to get more popular this year,” says NSN Pillai, Head Risk Management and Security of Chennai-based Ashok Leyland.

One such approach that gathered momentum last year and would continue to see adoption within enterprises this year as well is enterprise risk management or ERM. According to industry sources, ERM is a process of planning, leading and controlling the activities of an organisation in order to minimise the effects of risk on capital and earnings. Recently, external factors such as prominent data leakage cases and increased regulation in light of the economic crisis have fueled a heightened interest by organisations in ERM.

According to a recent Ernst & Young (E&Y) study, the number of risk management functions has grown to the point where most large companies have seven or more separate risk functions — not counting their independent financial auditor.

A CASE IN POINT

ACT TOUGH TO SAFEGUARD ASSETS

COMPANY: Ashok Leyland

CHALLENGE: To adhere to the risk and compliance framework and conform to the regulations, both local and global.

SOLUTION: The company has restricted all employees from downloading any material from the Internet. Use of CDs and USB drives has been restricted. This has been possible through the use of a common desktop environment. In every board meeting, compliance audit reports are presented to the management. They also include a monthly report on compliance of each and every individual within the enterprise.


This has created inefficiencies in the system. The E&Y study states that “as risk functions increase, coordination becomes more difficult and results in coverage gaps and overlapping responsibilities. The demands and various reporting requirements placed on the business by these risk functions can become significant and burdensome.”

“Our job is to protect information, regardless of its state (electronic, paper, verbal, etc.). The risk gaps need to be filled through proper coordination and individual responsibility,” says K M Asawa, General Manager, Projects and IT, Bank of Baroda.

According to a study conducted by Aberdeen Research last year, there would be three critical drivers for making investments during the coming years — governance, risk and compliance. In the case of governance, the initiatives would be directed towards reducing the total cost of compliance, bringing in greater visibility for better decision-making and cutting down on technical and operational risks across enterprise functions.

Many enterprises have already expanded the scope of their risk assessment efforts by scanning a broader business environment to identify emerging risks. Many other enterprises are likely to follow suit this year. Through more comprehensive risk assessments these organisations are examining their entire value chain to define emerging risks and find ways to mitigate them.

Many analysts believe that organisations need to constantly challenge their approach to risk management. This is especially true in the current scenario when risk function heads are being asked to do more with less or existing resources.

CIOs also want to better understand risks associated with loss, disruption or damage of data and data sources due to disasters, both natural and manmade.

“Lack of a data recovery (DR) and business continuity plan (BCP) can severely affect the survival of an organisation,” says Shailesh Joshi, Associate Vice President - IT, Godrej Properties, who is currently looking at BCP/DR and is planning to adopt a two-pronged strategy to minimise risks within the organisation this year.

The first would be to put in place process controls through IT security management, employee training and awareness. The second would be to deploy technology controls that would cover management of data across its lifecycle, configuration and change management as well as network and physical security.

CIOs have found that it is better to strengthen some basic ideas in a system that is working well than to wait until everything falls apart. Though there is no doubt that risk management has matured, there is still considerable opportunity for improvement. Taking a tackling drill, the way HUL does, is just one example.

7 or more: The number of risk management functions in large companies, according to a recent Ernst & Young study.

“A lack of data recovery and business continuity plan can severely affect the survival of an organisation”
—Shailesh Joshi, CIO, Godrej Properties

“The cracks in the security framework need to be filled by proper coordination and individual responsibility”
—K M Asawa, General Manager, Projects and IT, Bank of Baroda


e all saw how in 2009 enterprises across industry verticals witnessed a severe financial crunch affecting profitability, bottom-line and productivity. Companies crashed head-on in the backdrop of skyrocketing crude oil prices and plummeting consumer demand. For those of you who think the worst is over, think again.

The market has started showing signs of recovery and organisations are faced with a big problem of retaining momentum in growth. The only way this can be achieved is by investing in human capital. The increase in investments in human capital has not only increased wages, but also thrown up employee retention challenges.

Employees become exposed to more lucrative offers from competing companies, poaching becomes conspicuous, and retaining talent a grueling task for leaders.

IMPACT ANALYSIS

When a key employee leaves an organisation, both productivity and profitability are impacted, directly or indirectly. Though it is almost impossible to stop attrition, team leaders can make sincere efforts to minimise it. CIOs, who are perceived as the men who look after the IT health of their organisations, are also entrusted with the responsibility of looking after the IT team and taking the necessary measures to retain its members.

“Attrition is bound to happen, and we as CIOs have to live with it,” says John Nadar, the IT head of Tata Chemicals.

Though attrition causes an exodus of underperformers, average performers and spoilt brats, the exit of high performers leaves CIOs in the lurch, as it is sometimes very difficult to find suitable replacements in time.

“In IFFCO, we had faced an acute situation in early 2000 when every month one or two professionals quit without notice,” says S C Mittal, CIO of IFFCO. But CIOs have now mastered the art of adapting to such situations and hence always have a back-up strategy in place.

“We learnt how to overcome the situation by outsourcing our needs in times of crisis. Since the last five years, we have hardly one or two professionals leaving in a year,” adds Mittal.

Moreover, it is also taken for granted that talented high fliers will move on to greener pastures, but while they are with you they will provide returns in exponential proportion.

As the economy shows the first signs of recovery, companies feel the pinch of attrition BY GYANA RANJAN SWAIN

FEWER PEOPLE more startups,


A CASE IN POINT

IMPACT OF ATTRITION

DIRECT IMPACT: High attrition indicates the failure of the company’s ability to set effective HR priorities. Clients and business get affected and the company’s internal strengths and weaknesses get highlighted. The challenges are: new hires need to be constantly added; training costs need to be allocated; and new hires need to be aligned with the corporate culture.

INDIRECT IMPACT: Typically, high attrition also leads to a chronic or systemic cycle. Attrition brings decreased productivity, people leave causing others to work harder and this contributes to more attrition. All this has a significant impact on the company’s ability to manage its business in a competitive environment.

Source: Redileon executive search


MANAGING ATTRITION

There is no magic formula to deal with attrition as this phenomenon varies from industry to industry and company to company. However, CIOs can always try to glue the team together by various means like regular engagements with the team, taking care of the team and ensuring that the team is rewarded.

“Instill a value system that each employee should strive for excellence and that the output should always be of the highest quality,” suggests Nadar.

“Also, staying abreast with the times helps the CIOs immensely as the team members then look up to you for advice,” he said. “Your team members should feel that under your leadership they will learn something new all the time,” says Nadar, adding that a CIO should not be bothered by underperformers leaving the organisation.

Mittal of IFFCO has a slightly different view on handling the situation. He says a CIO can deal with most of these issues by being truthful and giving his team parental treatment. “Consider your employees as your own team, and involve them in the day-to-day decision making,” he says.

He cites the example of the attrition bug that bit IFFCO in 2000. The company had to then completely change its hiring strategy. “IT stream was seeing a lot of attrition, so we inducted many non-IT people into the IT department,” he says.

“We started inducting qualified engineers from other streams into IT and trained them rather than inducting only MCAs,” he recalls. “These professionals have become quite productive and are now the backbone of IT in IFFCO,” he said.

“It does not mean that we altogether stopped inducting qualified computer science engineers; we continued with that too,” he clarifies. The change in the strategy did change the atmosphere and the organisation is able to better resolve its attrition problems today.

GO PEOPLE SOFT

Many HR experts feel that the belief that people movement in organisations is largely associated with remuneration is not true. They are of the opinion that pay package is only one of several factors.

Govind Singh, Director-IT of Levi Strauss India, a global apparel brand, agrees with this view. “You need to provide recognition to your team members and keep them engaged,” he says, while adding that assigning challenging projects to employees is a sure-shot strategy against attrition.

“We have an open work culture and individuals are encouraged to express themselves freely,” he says. He says that this makes the team members feel important as they feel that the organisation is listening to their ideas too.

SC Mittal of IFFCO is of the opinion that mentoring is the best way to retain the most valued performers. “If you can show your employees the path of growth in your organisation then they would think twice before leaving you,” he adds.

“We learnt a lot on how to overcome manpower challenges by OUTSOURCING OUR NEEDS in times of crisis”
—SC MITTAL, CIO, IFFCO

“Attrition is BOUND TO HAPPEN, and we, as CIOs, have to live with it”
—JOHN NADAR, Head - IT, Tata Chemicals

The belief that people movement in organisations is largely associated with remuneration is not true, say HR experts


NEXT HORIZONS: INFORMATION SECURITY

High Alert

Don't just pay lip service to security issues, or you could be the victim of a crime that costs you dearly. BY ANDREW BAKER

ANDREW BAKER SAYS: “Now is the time for prudent business owners to make true information security a priority”

ILLUSTRATION BY BINESH SREEDHARAN

Yes, you heard me correctly. We still think about personal and corporate security only as an afterthought.

Despite all the regulatory and industry compliance that has been created and updated in the past 15 years, we are hardly any closer to proactively applying security guidelines in our personal or professional lives. Certainly, we don’t apply them ahead of convenience or functionality, in any event. We still leave our keys under our welcome mats, inside our flower pots, or inside our garden gnomes. We still hate using passwords, still use feeble ones, and still write them down on sticky pads pasted to our monitor or the bottom of our keyboards. We still share the same password(s) across all our corporate accounts and our Internet accounts. We still don’t lock our workstations when we leave our desks, or password protect our sensitive PDAs and smart phones. We still disclose sensitive information on websites that are not using SSL and are only “protected” by feeble passwords. We don’t pay for preventative information security solutions or apply best practices unless we think we may have been compromised. We prioritise new functionality over operational security, even though new features are a common source of security issues in the first place.

As consumers, we are willing to pay for products if they have the right features, but rarely will we inquire about how safe or secure they are and even less commonly are we willing to pay extra for safety or security. This gives the vendors no incentive to prioritise security until something goes wrong. We’ve got to get past the acknowledgement that vulnerabilities are a given, and get to the place where we hold people accountable for issues that could have been foreseen and mitigated in advance.

We cannot expect to hold vendors accountable for security failures if we continue to value non-security features ourselves. They’re only going to produce what we’re willing to pay for, and so far security is not what people clamour for.

Having said all that, however, I predict that the next 15-24 months will bring more penalties for organisations small and large that fail to be proactive in their management of information security and privacy concerns. There will be embarrassing disclosures of personal data, and many more small-to-midsize firms will find themselves having to deal with the aftermath of data security breaches.

Expect the 2010 list of data breaches to be even larger than the 2009 list. It’s definitely going to get worse, before it gets better, and the consumer response to such negligence will be debilitating for the offending companies. There are lots of vulnerabilities floating around in the wild, in addition to targeted attacks by an increasingly sophisticated malware underground.

Now is the time for prudent business owners to make true information security a priority, recognise that a secure enterprise is actually a business driver, and lower the costs associated with attaining regulatory and industry compliance. Those who continue to approach security in a reactive way will spend more money, and use more resources, and generate less revenue than those who make information security an underlying part of their business operations. Security is a way of life, not a periodic event, and it’s about time we started behaving this way.

No matter how expensive we think security is, the costs are always less when paid upfront rather than after an incident. The question we should be asking ourselves isn’t “can I afford this security?” but rather “can I afford not to have this security?”

Collectively, we can hold organisations accountable for inadequate security and privacy practices and functionality, but we have to start with our own personal security. Don’t just pay lip service to security issues, or you could find yourself paying real dollars to rectify a huge mess in your personal or professional life.

Let’s start this new decade on the right foot, and not perpetuate the information security sins of the past.

—Andrew Baker is Solutions Architect and CTO at BrainWave Consulting Company

There are lots of vulnerabilities floating around in the wild, in addition to attacks by a malware underground.

CLOUD PUNCH: COST ANALYSIS

The Beginning of the End

Will clouds replace the data centre in an enterprise? BY CTO FORUM

Cloud computing is about a pay-per-use service that enhances the existing capabilities for users

Cloud computing has gained acceptability as a means to increase infrastructure capacity ‘on demand’ without investing or licensing fresh software. Precisely, it is about a pay-per-use service that enhances the existing capabilities for users. The concept is at an early stage of adoption, with a vast spectrum of service providers – small to medium to large – delivering various kinds of services.

Cloud computing has become a familiar cliché today. The topic is increasingly discussed in technology forums, but the definition is still fuzzy. Some experts say that it is just old wine in a new bottle – a new name given to the old concept of ‘utility computing’. Others argue that anything you consume outside the firewall is from the cloud, including normal outsourcing.

Here’s some food for thought. Merrill Lynch recently released a research note titled ‘The Cloud Wars: $100+ billion at stake’ noting that by 2011 the cloud computing market would amount to $US160 billion, including $95bn in business and productivity apps (email, office, CRM, etc.) and $65bn in online advertising. A 2010 ‘Cloud Development Survey’ conducted with over 500 developers by Evans Data Corp reported that 61 percent of the developers believe that a portion of their IT resources will move to the public cloud within the next year. Three quarters are planning to migrate at least some of their IT resources to the public cloud in the next 12 months; 17 percent expect to migrate half their IT resources to the cloud.

ILLUSTRATION BY BINESH SREEDHARAN

It is clear that cloud computing represents a paradigm shift that will redefine the relationship between buyers and sellers of IT-related products and services. According to Gartner, cloud computing is a product of the convergence of three major trends – service orientation, virtualisation, and standardisation of computing through the Internet. Users need to understand the available options in the cloud ecosystem.

Types of clouds by visibility

Public cloud: Public cloud (external cloud) describes cloud computing in the traditional sense, whereby resources are dynamically provisioned on a self-service basis over the Internet, via web applications, from an off-site third-party provider who bills the clients.

Private cloud: Private cloud (internal cloud) is an offering that emulates cloud computing on private networks. These types of clouds claim to deliver some benefits of computing without the pitfalls, capitalising on data security, corporate governance, and reliability concerns. Private clouds don’t benefit much in terms of up-front capital costs because they still require investment and management.

Hybrid cloud: A hybrid cloud environment is a mix of both public and private clouds consisting of multiple internal and external providers. This will be typical for most enterprises.

While it is predicted that private cloud networks would be the future of corporate IT, there is some contention as to whether they are a reality. Analysts also say that within the next few years a large percentage of SME users will get most of their computing resources from public cloud providers, as they would like to save on capital expenditure and make IT affordable.

What are the basic types of services that users can avail on the cloud?

The notion of “Everything-as-a-Service” encompasses the cloud computing distributed entity model in which there are three popular types of cloud platforms.

Infrastructure as a Service (IaaS): This provides virtualised servers, networks, storage and software designed to augment or replace the functions of a data centre. The most appropriate examples of IaaS offerings are Amazon's Elastic Compute Cloud and Simple Storage Service. Other IT solution providers like Oracle, IBM, etc. also offer similar services.

Software as a Service (SaaS): This is the most widely known and used form of cloud computing. Also, it is one of the fastest growing segments of the IT industry because it provides a cost-effective alternative for enterprises to achieve their business objectives. Salesforce.com, Google's Gmail and Apps and VoIP from Skype are examples.

Platform as a Service (PaaS): It is a paradigm for delivering operating systems and associated services over the Internet without the need for downloads or installation. It is also called cloudware because it moves resources from privately owned computers into the Internet cloud. Interestingly, PaaS is an outgrowth of SaaS. Microsoft's Azure and Salesforce's Force.com are two very popular models of PaaS currently being evaluated by users.

Pros and cons

Commercial offerings generally meet the quality of service (QoS) requirements of the users and typically offer stringent SLAs, but opinion is divided as to whether cloud computing is a better option when compared to in-house data centres.

In the cloud mode, users can be assured of quick deployment and can add capacity or applications almost without notice. These services are charged on the basis of their usage, which translates into more cautious and prudent IT spending. Cloud services don’t require much capital investment. Also, users have to incur little or no maintenance cost if they use cloud services.

But there is a flip side to the cloud as well. Despite tall claims made by various vendors, the management of cloud remains a big concern. There are not many standard monitoring and maintenance tools yet, and this limits the visibility into the cloud. The standards have not yet matured to an acceptable level. The Cloud Security Alliance, Open Cloud Consortium and a few more independent organisations are in the middle of developing standards for interoperability, data migration, security, etc. Most cloud service providers make a lot of assurances about privacy, but with management tools still in their infancy, a customer's ability to know who's looking at what data is limited.

In just one year, the move to the cloud by many businesses has been phenomenal. No matter what your organisational requirements are today, you might find cloud services making sense for your organisation in the near future. Even if it is not a complete switch to cloud services, possibly a partial hybrid switch might work for you until the security and management issues are fully resolved.


NO HOLDS BARRED

What Ails Thin Clients?

Thin clients may have many followers but Raz Rafaeli, CEO of MiniFrame, is not one of them. In a discussion with Rahul Neel Mani, Rafaeli talks about thin clients' limitations and MiniFrame's strategy for India.

Thin-client technology is gaining ground everywhere in the world. How can an enterprise gain through this technology as opposed to using bulky, age-old expensive mainframes or PCs?

SoftXpand is in fact not a thin-client solution; it is a high performance, software-only product that utilises non-proprietary hardware to create multiple virtual desktops.

It offers organisations the full performance of a PC for a fraction of the hardware cost and additional long-term savings on power consumption and lower maintenance requirements.

Through the 1990s, thin-clients have evolved in functionality and adoption, yet it failed to gather a strong following. Why do you think the technology failed? Why are enterprises not adopting it in bulk?

The main hurdle for thin-client solutions is its poor performance, as the entire processing requirements of multiple users is handled by a single server. The units themselves do not contribute to the processing, and they are in fact a bridge between the server and the user desktop.

While companies in the 90’s were mostly using less intensive applications for everyday business (office and Internet), today any modern company uses heavy graphic display, streaming video, presentations and other high performance applications on a daily basis. Thin-client hardware has simply not kept pace with the rapid development and demand of software.

Being impossible to upgrade, an enterprise is forced to replace thin-clients every couple of years to accommodate additional processing requirements. Moreover, thin-clients require operational knowledge and expertise not necessarily found within the organisation and is commonly outsourced. As a mission critical part of the infrastructure, this is a risk factor that cannot be ignored.

Thin-client technology couldn’t make inroads into India. Why? Do you think the current technological challenges have become a deterrent to the growth of these server based thin clients?

India is a very cost conscious market. IT managers are reluctant to adopt solutions with limited life span. There is also high availability of low-cost hardware in India that can offer higher performance for the same price as thin-clients.

SoftXpand, in that respect, is a perfect solution as it significantly reduces the infrastructure TCO without compromising on performance. Unlike a thin client solution, SoftXpand is a software only solution that runs on your standard hardware.

How does MiniFrame – SoftXpand plan to penetrate the market?

Our strategy revolves around our three major strengths: performance, flexibility and Green IT.

We firmly believe that our customers should not compromise on performance while making a decision as important as their infrastructure architecture. The solution should be simple, cost effective, offer faster ROI, but also allow for easy system upgrades and future compatibility.

Our India distributor, NewTecSol, has successfully leveraged these advantages when the solution was offered to SKS Microfinance.

The SKS project had to accommodate not only multiple installations in over 1,600 sites, but also the company’s rapid growth and future expansion plans. Being software only, SoftXpand does not require shipping or proprietary hardware and the number of workstations can be upgraded simply by using a different activation code.

Our approach has always been focussed on creating value both in terms of ROI / cost benefit and a truly green solution that actually reduces the carbon footprint & e-waste.

How does your technology work (differently from other providers)?

SoftXpand utilises the built-in multi user capability of Microsoft OS and enables users to work simultaneously with standard off-the-shelf hardware peripherals. Unlike competitive products, we deliver the full processing power of the PC to each user with near zero degradation. The system optimises the CPU & GPU usage and divides the PC resources intelligently between the users according to their needs. By doing so we are able to offer compatibility to heavy graphic applications and provide a working environment identical to standard desktops. We do not influence changing the existing customer working methods and deliver the same user experience in an economical and green way.

Can you explain how your technology can help enterprises in saving capital expenditure and cutting maintenance costs?

Reducing hardware cost is a goal for any company. By turning a single PC into multiple workstations we cut initial costs by at least 50 percent. Same applies to maintenance, as by using virtualisation there are far less PCs to update, upgrade and fix. This accumulates to annual savings of hundreds of dollars per PC.

Other major long term savings are generated by reducing power consumption. Every 100 PCs tuned to virtual workstations with SoftXpand provide savings of over 250KWh per day!

Also, the hardware is fully upgradeable as no proprietary equipment is required. For example, the system administrator can add RAM to the host PC as per requirement. Any such investment is enjoyed by all users of the PC. You can also decide to upgrade some of the PCs for specific users as each PC is totally independent.

“Thin-clients require operational knowledge and expertise not necessarily found within the organisation.”

DOSSIER

NAME: Raz Rafaeli

DESIGNATION: CEO

ORGANIZATION: MiniFrame

PRESENT JOB ROLE: Builds strategic relationships with investors and initiates joint ventures with other vendors

PREVIOUS JOB ROLE: Managed the global licensing activities of Spansion Inc

TECH FOR GOVERNANCE: DEVICE IDENTIFICATION

THEY ARE WATCHING US

Companies may now combine device fingerprinting information data with their own customer data to read consumer psyche. BY MICHAEL O’CONNOR

3 POINTS

THE CDI SCENE: CONSUMERS DON'T WANT PERSONAL INFORMATION TIED TO A DEVICE ID

CONSUMER FEAR OF FINGERPRINTING DECREASING

CDI EMERGING AS A POWERFUL TOOL TO PREVENT ONLINE ABUSE

ILLUSTRATION BY PHOTOS.COM

Eventually, in April of 2000, the company announced that they would not include the PSN in the forthcoming 1.5GHz Willamette chip.

An anonymous Intel engineer was quoted telling Wired magazine, “The gains that it could give us for the proposed line of security features were not sufficient to overcome the bad rep it would give us.”

Nine years later I noticed an announcement by ThreatMetrix touting an opposite reaction to the idea of tracking a device.

Evidently, a study done by Ponemon Institute found positive consumer reaction to the concept of Client Device Identification (CDI) or device ID or device fingerprinting as part of a consumer protection strategy.

The article stated that a significant percentage of surveyed individuals were more amenable to having their computer profiled than to remembering a password or submitting to other security standards.

If the attitude expressed by the respondents in the Ponemon study is representative of the popular sentiments, could it mean the idea of device identification is no longer a scare to consumers?

The key may rest upon the question of whether or not Personally Identifiable Information (PII) is associated with the device IDs being created.

The Ponemon study revealed that consumers were comfortable with a device ID concept as long as personal information was not tied to it.

This is pretty much what today’s device identification vendors are marketing.

The technology is intended to create a unique identifier surrounding a device, without the need to collect any PII.

A few of the device ID elements may be used to tell the technology vendors specific information that is critical to judge the threat level of a transaction.

This information can be stored in some way or forwarded directly to a client company to assist them with filtering suspicious transactions.

Since the client company often has individual account information of its visitors, it may combine device fingerprinting information with its own customer data to provide an even deeper profile.

Critics of device ID complain that a unique fingerprint is not always attainable, and savvy users can spoof, change, or substitute a device ID.

In response to the first concern, how many fraud prevention technologies are 100 percent accurate? And wouldn’t the absence of a device ID be cause for concern in itself, depending on the application? As far as the second concern goes, which fraud prevention technologies are immune to user tampering of any kind?

Add to this the fact that most CDI vendors have the ability to tell when a device ID has been tampered with in some way and the confidence level is not degraded significantly.

As is frequently stated by fraud prevention professionals, “there is no silver bullet.” The same holds true for CDI. As always, the winning solution is the combination of various technologies in a layering effect.

Despite the fact that CDI has inherent weaknesses, as do all of the prior fraud prevention technologies, it is providing tremendous benefit to many companies, ranging from credit and loan issuers to social networking sites to online retailers.

This is especially true when layering it with other effective technologies.

As online business continues to expand, it is heartening to see consumer fear of new technologies, including device fingerprinting, beginning to diminish.

I believe that CDI, and other related technologies that tie into the actual devices being used, will become one of the most effective, powerful tools in preventing online fraud and abuse.

As long as CDI is used responsibly, including maintaining concern for where and how PII elements fit into the picture, consumers and businesses alike will see significant benefits from this technology.

—Michael O’Connor has been working in various operational management positions since 1994, and with online payment in particular since 2000. Michael was also fortunate enough to have served on the advisory board of the Merchant Risk Council and assist in the training of an FBI CyberCrimes unit. This article is published with prior permission from www.information-security-resources.com.


How many people remember the Big Brother scare surrounding the Processor Serial Number (PSN) embedded in Pentium 3s way back in 1999-2000? Despite the technical community stating that the PSN was not a solid identifier, as it could be easily masked, Intel created quite a scare among large groups of people.


Complacent About Compliance?

Most companies have a compliance system in place. Here's how to make it effective. BY THOMAS R. FOX

In his excellent blog on Federal Corrupt Practices Act (http://www.fcpablog.com/blog/), Richard Cassin has written about an effective compliance programme. He notes that the purpose of an “effective compliance programme” is to prevent and detect criminal conduct.

In his suggestions on what constitutes an effective compliance programme, Cassin based his guidance on the United States Federal Sentencing Guidelines. He suggested the following:

• A Written Programme: A company must have standards and procedures in place to prevent and detect criminal conduct.
• Board Oversight: A public company’s Board of Directors must be knowledgeable about the content and operation of the compliance programme and must exercise reasonable oversight of its implementation and effectiveness.
• Responsible Persons: One or more individuals among a company’s top management must be assigned the overall responsibility for the compliance programme.
• Operating and Reporting: One or more individuals must be delegated day-to-day operational responsibility for the compliance programme. They must report periodically to top management on the effectiveness of the compliance programme. The individuals must have adequate resources, appropriate authority, and direct access to the Board or Audit Committee.
• Management’s Record of Compliance: A company must use reasonable efforts not to hire or retain personnel who have substantial authority and whom a company knows or should know through the exercise of due diligence have engaged in illegal activities or other conduct inconsistent with an effective compliance programme.
• Communicating and Training: A company must take reasonable steps to communicate periodically about its standards and procedures to the stakeholders — by conducting effective training programmes or disseminating information appropriate to the individuals’ respective roles and responsibilities.
• Monitoring and Evaluating; Anonymous Reporting: A company must take reasonable steps (a) to ensure that its compliance programme is followed, including monitoring and auditing to detect criminal conduct, (b) to evaluate periodically the effectiveness of the compliance programme and (c) to have and publicise a system, which may include mechanisms that allow for anonymity or confidentiality, whereby a company’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
• Consistent Enforcement — Incentives and Discipline: A company’s compliance programme must be promoted and enforced consistently throughout a company through appropriate (a) incentives to perform in accordance with the compliance programme and (b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
• The Right Response: After criminal conduct has been detected, a company must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to a company’s compliance programme.
• Assessing the Risk: A company must periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance programme to reduce the risk of criminal conduct identified through this process.

—Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, Risk Management and international transactions. This article is published with prior permission from www.information-security-resources.com.


Moving Target

DDoS protection is like a moving target; tracking the best ways of dealing with it changes as the attack types change. BY SEAN WILKINS

Technological shifts are changing the way organisations view their information security risk management approach. With increasing use of large bandwidth networks, Denial of Service (DoS) attacks are emerging as one of the most potent threats to corporations. What can be done to mitigate such attacks?

A DoS attack is simply a server-level attack done through the use of malicious Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) traffic.

As the name suggests, a DDoS attack is distributed over a number of different physical locations. These types of attacks are typically launched through computer robots, or bots, which are exploited computers with an Internet connection. These bots are directed by central controllers to execute the tasks assigned, which often include initiating a DDoS attack on a specified target.

You could make your systems robust, but it ultimately lies in the hands of users. Because the traffic originators can’t be easily controlled, a method must be used to mitigate the effect of the attack and gather as much information as possible from it in order to locate the exploited machines and their controllers.

Typically, the methods used to mitigate the attack are black hole routing and Access Control Lists (ACL).

What happens with black hole routing is that the Internet Service Provider (ISP) routes the entire traffic from a given source to a non-existing network, which effectively drops the entire traffic leading to or from the source or destination.

In case of a DDoS attack, blocking one source cannot really fix the problem, as there can be thousands of sources on the destination address or network.

The problem with this technique is that it essentially does what the attacker is trying to do by bringing down the target network.

ACLs are configured on the routing equipment which can be used to control traffic movement of a given network element, be it a router or switch (layer-3 enabled) or both.

Now the main problem with these is they are typically static and must be configured during an attack to be successful, but even then the sheer number of sources to be blocked makes them ineffective.

There are a number of solutions out there which have been introduced in order to deal with DDoS attacks.

The two that seem the most popular are DDoS mitigation through anomaly detection and Border Gateway Protocol (BGP) traffic flow filtering.

Anomaly protection looks for signs of a specific attack not just DDoS attacks.

If the system gets a hint that an attack can happen, it automatically reroutes the traffic to a secondary appliance which is used to verify the findings and screen the attack traffic before allowing the valid traffic into the network.

BGP traffic flow filtering is essentially an extension of the black hole and ACL, but with additional intelligence. When a provider notices an attack, it is able to track the attack down to the specific source and destination address or network as well as the specific protocols and ports which are being used. This information is then relayed to the provider of BGP routers, which in turn black holes the traffic with these specific characteristics.


This technology does rely on a large BGP infrastructure which supports traffic flow filtering. The standard developed for this is written in RFC 5575 - Dissemination of Flow Specification Rules.
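The trade-off between the three mitigations described above can be seen on a small model. The following Python sketch is an added example, not code from the article or from any vendor: it scores destination black holing, a capacity-limited source ACL and a flow-spec style rule (destination prefix, protocol, destination port) against constructed flow records. The addresses, the 100-entry ACL capacity and the UDP/53 attack profile are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VICTIM = "203.0.113.10"   # constructed target address (documentation range)
ACL_CAPACITY = 100        # assumed number of source entries a static ACL holds


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    legit: bool           # ground truth, known only because the sample is constructed


def build_sample():
    """Constructed traffic mix: 2000 bot sources plus 210 legitimate clients."""
    flows = []
    for i in range(2000):   # attack: UDP/53 flood from 2000 distinct sources
        flows.append(Flow(str(ip_address("198.18.0.0") + i), VICTIM, "udp", 53, False))
    for i in range(200):    # legitimate web clients
        flows.append(Flow(str(ip_address("192.0.2.0") + i), VICTIM, "tcp", 443, True))
    for i in range(10):     # legitimate clients sharing the attack's protocol and port
        flows.append(Flow(str(ip_address("192.0.2.200") + i), VICTIM, "udp", 53, True))
    return flows


def blackhole_destination(victim):
    """Black hole routing: everything addressed to the victim is dropped."""
    return lambda f: f.dst == victim


def source_acl(flows, capacity):
    """Static source ACL, best case: every entry is a real attacker,
    but only `capacity` sources fit in the list."""
    blocked = set()
    for f in flows:
        if not f.legit and len(blocked) < capacity:
            blocked.add(f.src)
    return lambda f: f.src in blocked


def flow_rule(dst_prefix, proto, dport):
    """Flow-spec style match on destination prefix, protocol and destination port."""
    net = ip_network(dst_prefix)
    return lambda f: ip_address(f.dst) in net and f.proto == proto and f.dport == dport


def evaluate(flows, drop):
    """Fraction of attack flows and of legitimate flows that the filter drops."""
    attack = [f for f in flows if not f.legit]
    legit = [f for f in flows if f.legit]
    return {
        "attack_dropped": sum(drop(f) for f in attack) / len(attack),
        "legit_dropped": sum(drop(f) for f in legit) / len(legit),
    }


def compare():
    flows = build_sample()
    return {
        "blackhole": evaluate(flows, blackhole_destination(VICTIM)),
        "source_acl": evaluate(flows, source_acl(flows, ACL_CAPACITY)),
        "flow_rule": evaluate(flows, flow_rule(VICTIM + "/32", "udp", 53)),
    }


if __name__ == "__main__":
    for name, score in compare().items():
        print(f"{name:11s} attack dropped {score['attack_dropped']:.1%}  "
              f"legitimate dropped {score['legit_dropped']:.1%}")
```

The flow rule still drops the ten legitimate UDP/53 clients, so the rule's match should be as narrow as the attack allows.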

Ultimately, DDoS protection is a moving

Assessing Information Assets Valuation

Question the right people for a correct valuation of the company's information assets. BY DANNY LIEBERMAN

One of my clients recently asked me: “How do I assign a dollar value to information assets? Should I use the purchase value of the asset, replacement value or expected damage to the company if the assets were stolen or exploited?”

Estimating asset value is the most frequent question when it comes to calculating data security risk in monetary terms. Here are a few practical guidelines for measuring information assets value:

Use the right metric

A common mistake made by marketers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a customer data record breach to a customer.

A customer may not even know that her credit card number is breached, considering that 250 million credit card numbers have been stolen in the past few years. It is a reasonable assumption that your credit card number is known to someone who stole it, but your cost is zero, isn’t it?

Ask an expert

Usually ask the CFO. The expert can and should provide confidence levels for his estimates. He is best equipped to decide if replacement value, purchase value or depreciated or opportunity cost is the relevant metric to measure the value of an asset. For a practical threat modelling exercise, you can test sensitivity of your threat model to the confidence boundaries.

Use test equipment

For example, if the cost of acquiring a customer is $50, you can write a SQL query to find out the number of customers you have and then multiply by $50.

Looking at the fixed assets and GL modules is an example of using test equipment. If you have to measure the number of credit cards in clear text circulating on your network, I suggest network surveillance.

Use random sampling from a population of asset value estimators. The ‘Rule of Five’ says that there is a 93 percent chance that the median of a population is between the smallest and largest values in any random sample of the population.
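The 93 percent figure follows from order statistics: each draw falls below the median with probability 1/2, so all five land on one side with probability 2 × (1/2)^5. The Python below is an added example, not from the article; it computes that exact value, checks it by simulation on a heavily skewed population of valuations (lognormal, an assumption), and turns five constructed expert estimates into a range.

```python
import math
import random


def coverage_probability(n):
    """Exact chance that the population median lies between the smallest and
    largest of n independent random draws: 1 - 2 * (1/2)**n."""
    return 1 - 2 * 0.5 ** n


def samples_needed(confidence):
    """Smallest sample size whose min-max range covers the median with at
    least the requested probability."""
    n = 2
    while coverage_probability(n) < confidence:
        n += 1
    return n


def median_range(estimates):
    """Range that brackets the population median with coverage_probability(n)."""
    return min(estimates), max(estimates)


def simulate(n=5, trials=40000, seed=7, mu=math.log(50.0), sigma=1.2):
    """Monte Carlo check on a skewed population. A lognormal population has
    median exp(mu); mu and sigma here are assumed values for illustration."""
    rng = random.Random(seed)
    true_median = math.exp(mu)
    hits = 0
    for _ in range(trials):
        lo, hi = median_range([rng.lognormvariate(mu, sigma) for _ in range(n)])
        if lo <= true_median <= hi:
            hits += 1
    return hits / trials


# Constructed sample: five estimators' dollar values for one information asset.
ESTIMATES = [120_000, 45_000, 300_000, 80_000, 150_000]

if __name__ == "__main__":
    lo, hi = median_range(ESTIMATES)
    print(f"exact coverage for 5 samples: {coverage_probability(5):.4f}")
    print(f"simulated coverage          : {simulate():.4f}")
    print(f"median asset value lies in ${lo:,} to ${hi:,} with that probability")
    print(f"samples needed for 99%      : {samples_needed(0.99)}")
```

The result does not depend on the shape of the population, only on the estimators being sampled at random and independently.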

Measure in small increments and iterate.

In other words, when you do a threat model exercise, take small steps: measure 5-10 asset values and move on from there.

Most of the information value is gained at the beginning of a measurement exercise, and most companies measure things that have zero information value to the business because they are easy to measure, while the assets that are really valuable are left out. So you would have a company that will check on how many SSH password attacks were made on company web servers instead of finding what is the value of a field service engineer diagnostic database that is distributed to notebook computers.

—Danny Lieberman is a serial technology innovator and data security consultant. This article is published with prior permission from www.information-security-resources.com.

target and tracking the best ways of dealing with it will change as the attack types change.

To sum up, these present-day solutions should be able to mitigate a large number of attacks doing rounds today.

—Sean Wilkins is a regular contributor at CIOZone.com which is the first of its kind online meeting place for CIOs. This article is published with prior permission from www.information-security-resources.com.


Cost of being indifferent. Organisations should stress on security audits for detecting incidents at an early stage.

MOST organisations have documented Information Security (IS) policies to comply with international standards. However, when it comes to implementation effectiveness, the human factor and attitude play a crucial role.

Two most important areas for effective IS implementation are incident management and responsiveness to non-compliances identified in IS audits. Most of the time the incidents are logged by those who are managing SQA (Service Quality Assurance), as an outcome of security audits as non compliances. The real incidents have to be logged by the person who has seen them first — immediately after they happen — but it seldom happens that way. Most of the time people think that it is somebody else’s job and this indifference proves costly for the organisation while compromising on information security.

Some of the examples of human indifference in IS areas are as follows:

• Not having a realistic Business Continuity Plan (BCP)
• Not conducting Disaster Recovery (DR) exercise at regular intervals
• Not reviewing and updating BCPs based on DRs, even if it is conducted
• Not taking backups of project data at regular intervals; failure in restoring and verifying the same
• Not raising incidents as soon as they occur, and not analysing them properly (For example: In case of access control, entries related to failed attempts should be in the incident category and are not to be identified as non-compliance. If this is identified as non compliance during formal security audits, it will indicate that regular review of logs was not being done, which points to the indifference by authorised persons assigned to the job. Similarly, allowing people to enter restricted areas without proper access control cards is yet another example of human indifference.)
• Not doing enough vulnerability testing while acquiring systems
• Not reviewing systems, access control and admin logs daily, all of which are crucial inputs to incidents
• Not reviewing maintenance logs of physical environment and assets
• Not reviewing non-compliances and CAPA
• Unauthorised rights given for internet usage
• Unauthorised usage of software
• Printouts/copying of sensitive information without authorisation

The root cause of the above-mentioned issues is that it is left to the SQA department to find them and manage information security, mainly to take care of certification management.

To address the issues regarding the human factor, one needs to follow certain strict guiding principles.

BY INVITATION: VENKIDESAN NARAYANAN | [email protected]

THE AUTHOR IS Consultant - Programme Management, Efficacy Auditing, Delivery Management (Software Development)

Guiding principles

Top management of an enterprise should lead and promote risk management across the organisation. Risk management should be integrated into all decision-making and planning processes. To have a well controlled information security implementation, everybody needs to be aware of risks and therefore should take the responsibility for managing the same. This proactive management of risk will help reduce the consequence and likelihood of adverse incidents. Without genuine support from the top, information security implementation has always been a failure. Similarly, without proper implementation, it is a burden.

The approach needs to move away from a compliance environment, where the output was a risk register, to an approach that focuses on the processes which work around the identification, mitigation and management of risks within an organisation.

The measures of effectiveness

The critical success factors focus on improving accountability, risk awareness and communication. For this, everyone within an organisation should know their risk management responsibilities, which need to be continuously reviewed and improved. Organisations should stress on the need to analyse incidents at an early stage rather than allowing the same to become non-compliances, which are identified during formal security audits.

While strategising, the above points should be considered. Each functional unit should be responsible for managing its own risk. Management and staff should have specific accountability requirements in the risk management approach. The responsibilities can be identified as a mandatory KRA to emphasise the seriousness of the issue.

It is crucial for the leadership to be involved in the risk management activities by reviewing and measuring effectiveness at regular intervals. In less successful IS implementations, it is seen that top management doesn’t show the required commitment to do their job. Even though individuals are accountable for compliance, the indifference from higher leadership has a greater adverse impact on the effectiveness of IS implementations.

How to measure?

To ensure that the risk management practice is effective, comprehensive, documented and visible across all business units, the review needs to be done more frequently and quantitatively (at least quarterly), instead of the mundane annual audit cycles followed by most organisations. The review should also focus on getting deviations from targets, which are measurable, and accountability should be strictly enforced in case of any deviation.


DELIVERING BUSINESS CONTINUITY

Company

Geojit BNP Paribas is a leading retail financial services company in India offering products and services such as equities, derivatives, mutual funds, life and general insurance and third party fixed deposits. The company has over 500,000 customers who are serviced through a countrywide network of over 500 offices, phone lines, dedicated Customer Care centres and the Internet.

Geojit BNP Paribas was the first stock broker in the country to offer Internet trading in the year 2000. This was followed by integrating the first bank payment gateway in the country for Internet trading. Customers can trade online in equities, derivatives, currency futures, mutual funds and IPOs, and select from multiple bank payment gateways for online transfer of funds. The company also has strategic B2B agreements with Axis Bank and Federal Bank which enables the bank customers to open integrated accounts to seamlessly trade via an online trading platform.

Challenges

The company provides online trading on a custom-made application, which needs to be highly available. “Reach, availability and performance are critical attributes of the systems for a brokerage company,” says A Balakrishnan, CTO, Geojit BNP Paribas. So the company wanted to have a robust disaster recovery (DR) solution in place.

The DR solution would need to take into account the following complexities:

• Hybrid business environment
• Collaborative platform requiring interfacing with stock exchanges and banks
• Different types of connectivity to over 500 branches across India

Solution

Wipro has been associated with Geojit BNP Paribas since 2004 in the procurement and maintenance of production systems for the company. “Wipro understood the business very well and was able to tailor a solution that was apt for Geojit,” says Balakrishnan.

Geojit prescribed a Recovery Point Objective (RPO) of two minutes and a Recovery Time Objective (RTO) of 10 minutes for its DR solution. Wipro designed a DR solution maintaining the main data centre at Kochi and locating a DR site in Chennai. It deployed Sun boxes in a virtualized manner to enable use of legacy storage systems. Wipro installed Hitachi Universal Replicator for data replication and scripted the DR process and automated the switchover and switchback processes.

Near 100% Data Recovery

It’s almost a year since the DR solution was put into place at Geojit. Replication of data to the DR site is now real-time. When a disaster is declared, Geojit’s DR team maps the exchange interfaces to the DR site which takes some time. The transactions happening in this duration are backed up on a corporate terminal at the company’s regional office in Anna Nagar, Chennai. “So we have near 100% data recovery process in place,” he adds.

“We see an RPO of less than two minutes. And since exchange mapping takes some time, our RTO is 5-10 minutes,” says Balakrishnan. Geojit sees its RTO and RPO well within the prescribed limits.

Comfort of Availability

“Today we have the comfort of availability. We can confidently approach customers knowing that transactions will happen, and every aspect of the transaction is backed up,” says Balakrishnan. For the high-risk business that Geojit is in, high availability ensures that the business can continue without any blips, even when the main data centre goes down for any reason.

Investment Protection

A new storage setup for Geojit did not mean that the company had to let go of its old boxes. With the new storage setup virtualized, the old boxes were brought into the environment as well. This has helped Geojit in investment protection as well.

HIDE TIME | BOOK REVIEW

Freaky but Fun. Global cooling may not yet happen but what's the harm in checking it out?

Author: Levitt & Dubner

IF ALL you’ve read for a long time are arid academic abstracts and boring business briefs, you may be ready for a good story book, SuperFreakonomics: global cooling, patriotic prostitutes, and why suicide bombers should buy life insurance, by Steven Levitt and Stephen Dubner.

You’ll no doubt have heard of the authors. Levitt is professor of economics at the University of Chicago, director of the Becker Center on Chicago Price Theory, co-editor of the Journal of Political Economy, and was recognized as one of the most influential economists under the age of forty. Dubner is a New York-based journalist, former writer and editor at New York Times magazine, and author of mostly non-fiction books. Five years ago they wrote their massively popular work Freakonomics: a rogue economist explores the hidden side of everything, in which they discussed the economic causes and effects of social issues like crime and abortion, teachers cheating, drug dealing, and good parenting.

In SuperFreakonomics, they continue to examine the economic perspective of more social issues, like the profitability of freelance prostitution, drunk driving versus drunk walking, horse versus automobile transport, good doctors versus bad ones, and endangered species. Much of the discussion is based on studies done by economists in the US over the past decade, but includes references to stories from the press and discussions from their New York Times’ Freakonomics blog.

In their quest for the counter-intuitive and their desire to reveal the fascinating, Levitt and Dubner sometimes blur the line between fact and fiction, between economics and just plain eccentric. The title of their introductory chapter, ‘Putting the Freak in Economics’, may well say it all. They include a study of monkeys’ understanding of micro-economics, and how these critters quickly learn to exchange coins for not only food but sex. They also take on global warming, and say that there are relatively simple solutions like spraying sulphur dioxide into the stratosphere from a giant garden hose in the sky. In fact, their seemingly cavalier attitude towards global warming – the implication that it’s all really much ado about nothing – has caused an uproar among serious minded scientists and environmentalists, resulting in responses from no less than Nobel economist Paul Krugman and climate expert Joseph Romm. The thrust of the criticism aimed at Levitt and Dubner is that they’ve traded in science for sensationalism.

However, their work serves a purpose just the same. Like Freakonomics, SuperFreakonomics uses interesting stories with intriguing characters and hair-raising plots to inspire us to analyse conventional wisdom, question accepted cause and effect, and to be curious about the world around us. Freakonomics and SuperFreakonomics are doing for economics what Desmond Morris’ book The Naked Ape did for zoology and what Ian Fleming’s character James Bond did for the MI5: it takes the subject of economics, adds a touch of pizzazz, and brings it into the popular public arena. As Levitt and Dubner say themselves, “We are trying to start a conversation, not have the last word.” And indeed they have.

—Ranjani Iyer Mohanty

ABOUT THE REVIEWER

Ranjani Iyer Mohanty is a writer and business editor, based in Delhi. She has also contributed to the International Herald Tribune (IHT/NYT), the Wall Street Journal, and The Mint. Details are available on LinkedIn: http://in.linkedin.com/pub/ranjani-iyer-mohanty/a/51a/48b

TG DHANDAPANI, Corporate CIO, SCL-TVS Group.

HIDE TIME | CIO PROFILE


PASSION OF COLLECTING GANESHA’S IDOLS: Dhandapani has a collection of about 400 idols of Lord Ganesha. “Ganesha is my favorite God. I have a collection of different kinds of idols in different postures and materials like in brass, gold, silver, stone,” he says.

ENJOY EATING AND COOKING: He is fond of food. “I like south Indian dishes, and I can prepare idli, dosa, sambar and different kinds of south Indian curries,” he says.

LOVE WATCHING HUMOUR: He recently watched 3 Idiots and enjoyed it. “Humor makes me feel light and tension free and that's the reason I see a lot of comedy serials and movies on TV,” he says.

“ENSURE that the process is right, and put your best foot ahead: success will follow,” said TG Dhandapani, Corporate CIO at leading two-wheeler group, SCL-TVS Group.

A chartered accountant by qualification, T G Dhandapani is a veteran with the TVS group. He has devoted 28 years in TVS in different areas such as finance, business planning, operations, projects and IT. Dhandapani has been heading IT for Sundaram Clayton for the last nine years.

Didn't it ever get monotonous sticking to one place? Dhandapani says he never felt the need to change simply because he constantly pursued newer roles and functions.

“There has been a lot to learn in each of the roles I took,” he says.

Coming from a non-IT background, Dhandapani had to initially find his feet in the tech shop. “It took a lot of time and efforts to handle IT without having the necessary knowhow,” he says.

Motorcycle Diaries

Help came in the form of guidance from the company's president late PJ Thomas in whom Dhandapani had immense faith. Thomas encouraged him to take assignments outside finance, including business planning and shop-floor management.

“That gave me a lot of confidence to prove myself as an able manager,” he says.


Being born in a family where most of his siblings chose to study engineering and medical, it was difficult to go anti-stream. Dhandapani sought inspiration from his father who taught him the first lessons of management.

Like many others, Dhandapani also got into IT by sheer chance. It was in 1999-2000 when TVS Motors decided to implement a company-wide Enterprise Resource Planning (ERP). The consultants strongly recommended that a senior person from business (and not from IT) should head the task force.

At that time Dhandapani was looking after a business portfolio in the company and was willing to take on a few challenging IT projects. There were many contenders, but Dhandapani's conviction towards his work and his diligence in handling the ERP project made him the winner.

“The company management was quite satisfied with my work. After successful implementation of ERP in TVS, the company decided to rollout ERP in other group companies as well. It was yet another challenge for me. But successful rollout of ERP in TVS gave me the required confidence,” said Dhandapani.

He is now responsible for maintenance of IT in seven group companies including TVS Motor and Sundaram Clayton. Ten successful SAP implementations were carried out under his leadership. He has also facilitated in-house developed Dealer Management System — an ERP for TVS Motor Dealers. So far 600 dealers have adopted the system across India and abroad.

Like Dhandapani’s mother, his wife is a homemaker; a dynamic woman committed to family work and providing him much-needed support, given his frequent travel plans. He has a daughter and a son, pursuing MBA in HR and a degree in commerce respectively. —By Vinita Gupta

Snap Shot

Visit archaeological places: Dhandapani is a deeply religious person who likes visiting temples and giving charity to religious institutions. “I am interested in visiting places of archaeological importance like monuments, ruins and religious places. At least once in a year I travel with my family,” he says.

Close to nature: He is fond of trees and beaches and looks forward to spend his time in nature. “I try not to miss my daily walk, and I prefer walking on a beach, garden or park. Our TVS Motor factory at Hosur has planted plenty of trees, and it is even named as Haritha (means green). Whenever I am free from work I go for a walk.”

Confident and proud of his team: As a leader he sets realistic targets and provides resources and motivation to his team to achieve success. This has helped him keep attrition levels down, besides successfully completing many IT projects.

VIEWPOINT

Data Loss Prevention: CIO’s need or vendor’s push?

For a DLP solution to be effective there are two scenarios to consider. One is voluntary exposure, the other is involuntary.

To address the voluntary disclosure issue there needs to be a pervasive culture where everyone understands that if they compromise the organization by allowing confidential information to leak then they are sabotaging their own interests and hurting people they care about.

To mitigate voluntary data loss the topic should be elevated to a business leadership issue. True leaders gain a following by leading by example, not by assuming that every employee is a spy.

To sell security products vendors have chanted that the insider threat is greater than the outsider threat. There will never be a DLP solution that will detect when an insider is seeking profit by leveraging authorized access to information.

Taking the DLP concept down a notch to preventing accidental disclosure, the CIO challenge will be to provide solutions to assist users and not to put up poorly planned, immature barriers that will impede people from working effectively. CIOs currently don't have good choices because it all gets back to information originators.

Current IRM (Information Rights Management) would have to be draconian to be effective: it requires extensive employee training, lockdowns, enforcement and scanning of all media and communication channels, and it is expensive to maintain. The lines of personal vs. company devices and personal vs. company communications will also continue to blur, so draconian implementations will continue to fail at that level, especially as newer generations lose touch with the concept of private information.

IRM information creators must currently decide when they want a 200-page masterpiece presentation to self-destruct and how to limit its viewership. It is human nature to not want to destroy something one works hard on. It is also desirable to have as many people see the work as possible. A document may not be considered confidential when it is created but it may be so in the future, so classification is not a trivial user issue.

An effective IRM vaulting solution would need to be integrated, easy to use and globally available, and would need to assure the creators of information that they can effectively use it for all their storage needs. The solution should also not be something its users would lose access to when employment terminates. Users should trust and value the solution and not be motivated to attempt to archive their work via other methods. This would require that an effective solution transcend the scope of an organization, so that it can be managed by an organization or an individual, but it would require a trusted "cloud" provider. Aside from cultural issues there would be hurdles for the organization to accept a third party as the holder of jewels, but motivation would come in the form of reduced storage admin, ease of e-discovery and reduced regulatory compliance costs, etc.

If unintended DLP is scoped narrowly and is only concerned with confidential information, the challenge of securing that information is not a DLP issue. It goes to the architects of systems and the vendors of POS credit card systems, etc., who have created the opportunities for criminals.


NORBERT NOLIN | [email protected]

ABOUT NORBERT NOLIN: Nolin is a Senior Manager, Information Security with Starwood