Real CIO World | April 1, 2008 | Vol/3 | Issue/10

From the Editor-in-Chief

Eliminating Ennui

By Vijay Ramachandran

Burnout (noun) [búrnòut]:
the reduction of a fuel or substance to nothing through use or combustion.
overheating of an electrical device or component.
physical or mental collapse usually as a result of prolonged stress or frustration.

Let me begin with the tale of a senior IT leader who moved about a year ago to this rather well-respected and diversified organization as group CIO. Once there, he got a fairly good team, a lot of respect and nothing much more. There just wasn’t too much ‘new’ or interesting happening. The result: I’ve seen him get increasingly cynical and disenchanted month-on-month. Burned-out? You bet he is. And from doing too little (and not your typical ‘damn, I’ve got so much work’ that goes with the territory).

Whenever I find myself or anyone I know grappling with burnout or even a lack of drive, I think of Marvin M. Johnson. A career spanning almost six decades would be enough to prove his extraordinary motivation levels. But add close to 250 patents to that, and you’ve got to wonder what kept him going.

A while back, I asked him how he managed to get back on his feet following a setback or multiple reverses. This is what he had to say: “I started out life in the arid Southwest and as a pre-teen herded sheep and watched cattle graze from the back of a horse. If you can suggest anything more boring or mind-numbing, let me know… When I feel tired, bored or burned out I consider what the alternative to being a scientist in a large research organization was for me, what my life could have easily become and rejoice in the choices I made.”

When things got really bad, Marvin returned to his roots and visited old friends of his youth and cousins who stayed on the ranches and immediately started to feel better, a lot better.

Everyone suffers from malaise and discontent, he observed, and stressed that “the good ones get past it and make a success of the decisions they made at an early age.”

His final piece of advice to me has kept me going these many years: “Stay the course, become the best in your field and take pride in your accomplishments. Do whatever it takes to have a good family and enjoy their success and progress.”

How do you deal with burnout? Write in and let me know.

Burnout needn’t result from too much work. Sometimes the lack of a challenge can do you in equally well. Kill the habit of wallowing in cynicism and focus on what makes you the best.

Vol/3 | Issue/10 | April 1, 2008 | Real CIO World | Page 2

Contents | April 1 2008 | Vol/3 | Issue/10

Career Counseling
The Longest Interview | 18
Three CIOs on how to make the most of an interim job and turn it into a permanent one. Column by Martha Heller

Applied Insight
What IT Really Means | 20
What’s IT worth? If end users are to understand, you have to tell them exactly what they get for their money. Column by N. Dean Meyer

Virtualization
Real Risks Inside Virtual Boxes | 42
What are the biggest virtualization security risks now and how can you combat them? It’s time to separate fact from fiction and get down to work. Feature by Laurianne McLaughlin

IT Strategy
Cover Story | Strategy Straight Up | 24
Everyone agrees that having a strategic plan for IT is a good thing but most CIOs approach the process with fear and loathing. In fact, the majority of CIOs (and the enterprises they work for) are faking it when it comes to strategic planning. Isn’t it time we all got real? Feature by Stephanie Overby with Balaji Narasimhan and Kanika Goswami

Prasad Dhumal of DHL Express India, Charles Padmakumar of Aricent Technologies and S.N. Roy of Cholamandalam MS General Insurance share their views on dealing with business, finance and evaluating IT strategies. | 24

Cover: Design by Binesh Sreedharan; Photos by Srivatsa Shandilya, Chandroo and Fotocorp

Content (cont.)

Trendlines | 11
Study | Widescreens Boost Productivity
Quick Take | Rajiv Seoni on Working Hours
Voices | Migrating to WS 2008
IT Management | Who Moved My Tools?
Internet | More Companies Ban Social Networking
Opinion Poll | Why Employees Misbehave
By the Numbers | Virtualization: New Rules
Survey | No Takers for SaaS
Research | Wanted: Best Practices
Security | Not So Excel-lent
Storage | The Ever Growing Digital Universe

Essential Technology | 51
Vendor Management | Getting Your Vendors to Flock Together. Feature by Galen Gruman
Pundit | Sleeping Laptops Risk Encryption. Column by Mario Apicella

From the Editor-in-Chief | 2
Eliminating Ennui. By Vijay Ramachandran

Departments

Case Study
Putting the Price War to Rest | 32
Every company wants to establish its brand as a household name, but few succeed. And they succeed because they follow an age-old, time-tested formula: building credibility. Sometimes IT can do that for you. Feature by Balaji Narasimhan

Executive Expectations
View From the Top | 36
R. Seshasayee, MD, Ashok Leyland, says IT masks the auto major’s mammoth size. It also gives it innovation and agility — allowing it to go places more compact firms typically reach. Interview by Kanika Goswami

Now Online
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Advertiser Index

ADC Krone: IBC
AMD: 1
APC: 7
Emerson: BC
HP: 5
Intel: 8 & 9
Interface: 15
Microsoft: IFC
SAS: 3
Seagate: 53

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

Advisory Board

Abnash Singh, Group CIO, Mphasis
Alaganandan Balaraman, Vice President, Britannia Industries
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shopper’s Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram, Head–IT, HDFC Bank
Chinar S. Deshpande, CEO, Creative IT India
Dr. Jai Menon, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
M.D. Agrawal, Dy. GM (IS), Bharat Petroleum Corporation Limited
Rajeev Shirodkar, VP-IT, Raymond
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Exec. VP (IT & Corp. Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

Management
Publisher & Editor: N. Bringi Dev
CEO: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Assistant Editors: Balaji Narasimhan, Gunjan Trivedi
Special Correspondent: Kanika Goswami
Chief Copy Editor: Sunil Shah
Copy Editor: Shardha Subramanian

Design & Production
Creative Director: Jayan K Narayanan
Senior Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K, Jinan K. Vijayan, Jithesh C.C, Unnikrishnan A.V, Suresh Nair
Designers: MM Shanith, Anil T, PC Anoop, Prasanth T.R, Vinoj K.N, Siju P
Multimedia Designers: Girish A.V, Sani Mani
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran, T.K. Jayadeep

Marketing and Sales
VP Sales (Print): Naveen Chand Singh
VP Sales (Events): Sudhir Kamath
Brand Manager: Alok Anand, Sukanya Saikia
Marketing: Siddharth Singh, Priyanka Patrao, Disha Gaur
Bangalore: Mahantesh Godi, Santosh Malleswara, Ashish Kumar, Chetna Mehta, B.N Raghavendra
Delhi: Pranav Saran, Saurabh Jain, Rajesh Kandari, Gagandeep Kaiser
Mumbai: Parul Singh, Rishi Kapoor, Pradeep Nair, Hafeez Shaikh
Japan: Tomoko Fujikawa
USA: Larry Arthur; Jo Ben-Atar

Events
VP: Rupesh Sreedharan
Managers: Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Trendlines
new * hot * unexpected

Widescreens Boost Productivity

STUDY Can you see your way to wasting less time? One new study says yes: organizations that upgrade their employees' standard-format monitors to widescreen displays can realize productivity gains equivalent to 76 extra work days a year per worker. The 'Productivity, Screens and Aspect Ratio' study was conducted by the University of Utah and was sponsored by NEC, a maker of computer monitors.

Ninety-six university staffers, faculty and students broken into three different computer aptitude sets — novice, intermediate and advanced — participated in the study, which took into account the time it took to complete set spreadsheet and editing tasks, editing performance and monitor preference, among other factors.

All three groups were significantly more productive using 24-inch-or-larger widescreen monitors (1920x1200 resolution, or larger) compared to 18-inch displays (1280x1024 resolution), according to the research.

More specifically, the study found that upgrading workers' 18-inch, standard format monitors to a 24-inch widescreen display cut the average time it took them to complete such tasks by more than 30 percent. Other findings:

Large widescreen or dual-monitor configurations are better suited for work that involves multiple documents or varied applications.

24-inch widescreen displays are better suited for text editing than both single standard format (17-inch and 19-inch) and dual standard format (17-inch and 19-inch) monitor configurations.

Dual-widescreen configurations in 22-inches or larger are better for spreadsheet editing than single widescreen or standard format displays.

Net annual cost savings of using 24-inch widescreen monitors in place of 18-inch monitors is Rs 8.4 crore a year for 250-employee companies and about Rs 17.2 crore for firms with 500 staffers.

—By Al Sacco

Quick Take
Rajiv Seoni on Working Hours

WORK-LIFE BALANCE A CIO’s job comes with an unsaid prerequisite of being the ‘last man standing’, literally. Be it an ERP implementation or a network glitch, the CIO is expected to be always around, no matter what time it is. Does that mean nine to five is true only on paper? Kanika Goswami spoke to Rajiv Seoni, CTO, Ernst & Young and this is what he had to say:

Do Indian CIOs work too hard?
I don’t think so. There are a whole lot of other jobs in the company where people are putting in an equal amount of work, if not more. The CFO, head of HR, head of marketing and sales also put in many hours of work.

So, as long as other CXOs also put in long hours, CIOs should too?
It comes with the territory. There is no such time when you can say you are totally switched off. But it also applies to a lot of other roles.

What keeps CIOs so long at work?
IT is very demanding in terms of time. For example, if a network goes down and people can’t access email, there is a huge impact on business. Similarly on the application front, if the ERP system is down, manufacturing totally stops. And with it so does the complete factory. Now in these circumstances, the requirement from the CIO has become that much more critical. That appears to be one reason why sometimes CIOs spend too much time at work.

How can CIOs get home on time?
You need a proper structured organization with clearly defined roles and responsibilities that can be delegated properly. You also need a group to look after all the operational and day-to-day issues. And the CIO himself should look after strategic content and business relationships.

Illustration by Unnikrishnan A.V

Trendlines

Who Moved My Tools?

IT MANAGEMENT A lack of IT risk management tools is exposing companies to greater risks than necessary, although help will arrive soon, according to one expert.

The field of IT risk management is far from new, but there are few mature management tools because regulations have only recently forced companies to evaluate which threats will be the biggest, and how best to protect the company from them.

"IT risk is really difficult to quantify, because you don't have the experience today. There is also not enough data to calculate it or even how to do it," said Urs Fischer, vice president and head of IT governance and risk management at SwissLife, who attended the European Computer Audit Control and Security Conference in Stockholm recently.

"Everyone at the conference is saying it's something you have to do," said Fischer, adding that when you ask them how to do it, no one has a good answer.

Instead managers have to rely on their own gut feeling. "Because it's a gut feeling, you can make big wrong assessments," said Fischer. Good risk management can save money, according to Fischer. But wrong assessments can lead to increased costs, and quite simply bad security.

IT risk management is also especially challenging because of the very fast-paced nature of security.

"It changes quickly. Something that was true one, or two years ago isn't true today. To keep up is very difficult," said Fischer.

But help is on the way. The IT Governance Institute, part of the group that organized the Stockholm conference, is developing a framework to simplify IT risk management.

"It will come out this year, and be freely available. It will show managers and IT people how they could approach IT risk management," said Fischer.

"I think it will be a big success, because people are looking for it. There is a pent-up demand," said Fischer.

There are also tools on the way. "Vendors SAP, Oracle, and Microsoft are all working on tools that go in the direction of suites for governance, risk, and compliance," he said.

—By Mikael Ricknäs

Do You Plan to Move to WS 2008?

MIGRATION Microsoft recently launched Windows Server 2008. After five years of Windows 2003, this new kid on the block is eliciting strong responses, both positive and negative. Is it time to migrate to WS 2008? Kanika Goswami spoke to a few of your peers and this is what they had to say:

Parvinder Singh, VP & Head-IT Service, Max New York Life Insurance
Sachin Jain, Head IT & CISO, eValueserve
Satyanarayan B, VP & CIO, Dimexon Diamonds

“WS 2008 supports more enhancements done to Active Directory, Internet Information Security and Terminal Services. Improved security and ease of management is an advantage. We are planning to migrate in May this year.”

“Until and unless some great features or demand pushes us, we will not migrate to WS 2008. However, we will explore its new features like self-healing etcetera.”

“We will internally test server attributes and wait for the software to stabilize in the market. If it takes care of auditing, compliance and is easy to manage then we might migrate.”

Lend Your Voice: Write to [email protected]

Trendlines

More Companies Ban Social Networking

INTERNET A report released by MessageLabs, a UK-based security vendor, found that nearly 20 percent of organizations blocked social networking and dating sites in February due to concerns about employee productivity and malware. In addition, the number of websites blocked by filters was nearly 47 percent, which, according to MessageLabs, should spur IT departments to update their electronic use policies to reflect newer Web 2.0 technologies.

"Organizations need to raise awareness about the risks of these sites," says Paul Wood, a security analyst with MessageLabs. "Some of the policies are not up to date."

In one example, Wood cited a case where a user visited a fake MySpace page where they were served up a pop-up ad designed to look like a Microsoft software update. When the person clicked on the pop-up, they were taken to an illegitimate site that tried to install malware using JavaScript.

The report, which according to a spokesman polled most of MessageLabs' 16,000 customers, also sheds some light on other consumer technologies, such as Gmail. Spam from Yahoo still leads the way, claiming 90 percent of the spam sent from consumer-based e-mail services, according to MessageLabs.

The report echoes the worries IT leaders expressed in CIO's recent survey-based story, the Nine Consumer Technologies CIOs Fear. Nearly 10 percent of IT decision makers told CIO that they viewed social networks such as Facebook and MySpace as the biggest consumer technology threat to their organizations.

Approximately 18 percent cited consumer-based e-mail like Hotmail, Yahoo and Gmail as the greatest threat to their organizations, making it second only to USB devices.

IT departments will have to re-evaluate their electronic use policies to include social networks and other new Web 2.0 technologies, Wood says. "It's not just about e-mail anymore," he says. "People need to know how to conduct themselves on blogs, IM and social networks."

If IT institutes better electronic use policies that educate users about the sites that they visit, better security will follow, Wood argues. "It's more of a management issue than a technology issue," he says.

—By C.G. Lynch

Opinion Poll
Why Employees Misbehave

How can companies best promote ethical behavior by employees? According to recent research, your first thought shouldn’t be training. It should be helping your staffers strike a good work-life balance.

16% rank ethics training as a positive influence on promoting ethical behavior.

60% say that job dissatisfaction is a top reason why people make unethical work decisions. Compensation and flexible work schedule are key factors leading to satisfied employees.

91% of employed adults say that workers will more likely behave ethically when they have a good work-life balance.

Source: CIO Research
Infographics by PC Anoop

Trendlines

Virtualization Management: New Rules, New Benchmarks

BY LAURIANNE McLAUGHLIN

You may be doing a terrific job getting your data center virtualized but, as with every IT project, you still need metrics to show the business how well things are going.

There is, however, one big problem with that: the discipline of virtualization management is still in its infancy. Many enterprises only rolled out virtualization to production machines (rather than testing and development machines) in 2007. And while market leader VMware has offered management tools from the get-go, other vendors are just now starting to compete in that arena. A recent study by IDC (a CIO sister company) urges IT leaders to benchmark their virtualization management efforts and examines some early metrics that may help. And now's the time to make managing your virtual infrastructure a priority, especially as you allocate IT budget and staff, says IDC research director Stephen Elliot. Otherwise, you won't be able to optimize virtualization results or savings, or develop a strategic plan for the future.

For instance, what does your virtualization management team look like? According to IDC, 15 percent of IT groups are creating a dedicated team to manage the overall virtualization effort, bringing together experts from the various IT disciplines.

However, 85 percent of enterprises are creating their management group inside their server and/or storage teams. This may not be the best approach. Experts say you need to create a team that also includes network and security gurus.

Remember, while virtualization can reduce the number of boxes in your data center, it doesn't eliminate all the associated management challenges. In fact, it can just compress the time that the IT group has to identify and solve performance problems, says IDC's Elliot.

Best Practices

1. Think cost: As you project ROI, remember to allocate budget for virtualization management and security tools.

2. Think process: If your enterprise is using ITIL or another framework for managing IT process, make your virtual infrastructure part of those plans. Virtualization will only increase as a percentage of your overall IT environment in the future.

3. Think strategy: Virtualization will become a high-profile part of IT's work rather quickly. Business-side demands for improved business continuity and for new applications will mean that for many enterprises, virtualization management will become a strategic project within two years of initial deployment.

Lean Staff, Big Savings

How lean is your virtualized data center? The average VM-to-administrator ratio, or average number of virtual images per administrator, is 1:200.

How much money are you saving? The average savings for an IT group that deploys formal processes and solutions (such as ITIL-based processes) for managing their virtual infrastructure is Rs 40 lakh to Rs 80 lakh a year.

Source: IDC

Trendlines

No Takers for SaaS

SURVEY Users seem to be ahead of IT when it comes to embracing software-as-a-service. A new Forrester survey of more than 1,000 IT decision-makers in North America and Europe found that 16 percent of enterprises had adopted SaaS as of 2007 — an increase from 12 percent the previous year but still a small minority.

Actual enterprise adoption of SaaS might be much higher, though, because business units often deploy hosted applications on their own, sometimes seeing it as a way to free themselves from relying on IT, says Forrester analyst Liz Herbert.

While 16 percent of Herbert's survey sample were using or piloting at least one SaaS application, another 46 percent were planning a pilot or interested in having one, according to the Forrester report, 'Competing in the Fast-Growing SaaS Market.' About 37 percent had no interest in software-as-a-service.

Executives who aren't interested in SaaS pointed to concerns about integration, total cost, lack of customization and security. Application performance concerns and vendor lock-in were also preventing some enterprises from using SaaS.

But the number of IT executives who have at least some interest in hosted software indicates to Herbert that IT involvement in SaaS projects is poised for a big increase.

"It's not like that 84 percent [that haven't deployed SaaS] is sitting there and saying 'there's no place for software-as-a-service in our organization,'" she says.

While SaaS applications are typically for general business tasks like human resources, there are now hosted applications designed specifically to help IT staffers manage an enterprise's technology, she says.

Nearly half of SaaS users were using HR tools, 38 percent were using collaboration software and 36 percent were using CRM. More findings from Herbert's survey:

North American companies are twice as likely as European ones to adopt SaaS.

Hosted software is most commonly used by the energy, utilities, retail and services industries.

SaaS vendors have improved customization and integration capabilities but haven't caught up to packaged software vendors in this regard.

Pricing is a concern: many buyers of hosted software believe the service-based model is more expensive in the long run.

Security concerns are holding back adoption. Many customers worry about whether a vendor has adequate hosting and backup facilities, or think a hosted application will give untrained business users too much control over roles and access rights.

—By Jon Brodkin

Wanted: Best Practices

RESEARCH The need for best practices knowledge was identified by 16 percent of respondents as the top IT security challenge affecting organizations today, according to a recent survey of 322 IT security professionals, undertaken by the Canadian Advanced Technology Alliance (CATA) in partnership with Microsoft. Coming in a close second was data protection, cited by 15 percent of respondents, followed by access management, cited by 13 percent.

"The lack of best practices being one of the primary challenges was certainly one we weren't anticipating when we started this study," said Kevin Wennekes, CATA's vice-president of research. "We knew it would be an issue, but for it to be identified at the top as an overarching challenge came as a bit of a surprise to us."

Also surprised was Francis Ho, executive officer at the Federation of Security Professionals in Toronto, who expected both data protection and access management concerns to rank higher than best practices.

"It's certainly a surprising result because there's so much information out there, with a lot of good server hardening guides to be found all over the Internet," Ho said. "Data protection is one that should definitely be high on the list as everybody is concerned about information leaving the organization today. In the old days, everything used to be paper-based but now you can make a copy of a file and port it off to your iPod nano without a trace."

Another finding indicated that IT security professionals believe that their organizations don't put enough emphasis on IT security challenges and often react after the problem arrives on their doorstep.

"I see a lot of basic processes like simple hardening of servers that still isn't being done as the norm, so while some organizations get it, many others don't," Ho said. "Larger organizations tend to understand security better and it also depends on the industry."

To address these issues, CATA recommended that the industry develop industry-wide best practices, establish a research series of IT security professional perspectives reports and undertake a study to determine the value of an IT security skills set.

—By Rafael Ruffolo

Illustration by Anil T

Page 11: April 1 2008

Tr

en

Dl

ine

S

S e c U r i T Y Businesses where staff uses Excel spreadsheets to develop applications quickly and cheaply aren't paying enough attention to the operational risks they run — especially when the spreadsheets link to back-end systems.

"Microsoft never intended Excel to be an enterprise application. Users are today placing undue trust in Excel, and errors go undetected for a long time," said Ewen Ferguson, senior manager at risk consultancy Protiviti, in a presentation at the European Computer Audit Control and Security Conference in Stockholm.

Today, companies are even using Excel as an interface to their ERP systems, something that worries Ferguson. "I think it's a misconception that anyone can build well-designed spreadsheets, and that's a part of the problem," he said.

Poor use of spreadsheets can lead to financial losses, directly or indirectly. Ferguson illustrates how easy it is for things to go wrong with an example from real life.

An employee at a company developed a spreadsheet that tagged some cells in pink to indicate they should be included in a particular calculation. He then turned the spreadsheet over to someone else, who after a while came back and said it didn't work. "He didn't like pink so he changed to a different color, which broke the spreadsheet," said Ferguson.

For companies that want to tackle their spreadsheet problems, there are solutions. Protiviti, for example, has developed a framework to simplify the task. It has four stages, starting with the identification of critical spreadsheets, and ending with the implementation of controls.

There are also a number of vendors that sell Excel-specific products, including ClusterSeven and Compassoft.

With Compassoft Enterprise companies can manage and control spreadsheets based on a risk policy, automating the discovery and prioritization of spreadsheets.

ClusterSeven Enterprise Spreadsheet Manager monitors important spreadsheets so that you can trust their integrity.

—By Mikael Ricknäs

STORAGE | The Ever Growing Digital Universe

The digital universe in 2007 stood at 281 billion gigabytes, and with an annual growth rate of almost 60 percent it is projected to reach nearly 1.8 zettabytes in 2011, according to IDC.

A zettabyte is a one followed by 21 zeroes, or ten to the twenty-first power.

The IDC survey, The Diverse and Exploding Digital Universe: An Updated Forecast of Worldwide Information Growth Through 2011, highlighted accelerated growth in worldwide shipments of digital cameras, digital surveillance cameras and digital televisions, as well as a better understanding of information replication trends.

The digital universe in 2007 was equal to almost 45 gigabytes (GB) of digital information for every person on earth — or the equivalent of over 17 billion 8 GB iPhones. Other fast-growing corners of the digital universe include those related to Internet access in emerging countries, sensor-based applications, data centers supporting 'cloud computing' and social networks comprised of digital content created by many millions of online users.

Meanwhile, the survey pointed out that a person's 'digital shadow' — digital information generated about the average person on a daily basis — now surpasses the amount of digital information individuals actively create themselves.

The digital shadow includes names in financial records, names on mailing lists, web surfing histories or images taken by security cameras in airports or urban centers. The digital information created by people includes taking pictures, sending emails or making digital voice calls.

The study reported that enterprise IT organizations that gather the information comprising people's digital shadows have a tremendous responsibility for the security, privacy protection, reliability and legal compliance of this information.

According to IDC, approximately 70 percent of the digital universe is created by individuals, yet enterprises are responsible for the security, privacy, reliability and compliance of 85 percent.

"The burden is on IT departments within organizations to address the risks and compliance rules around information misuse, data leakage and safeguarding against security breaches," said Joe Tucci, chairman, president and CIO of EMC.

—By Jack Loo

Illustration by MM Shanith

REAL CIO WORLD | APRIL 1, 2008 | Vol/3 | ISSUE/10


Page 12: April 1 2008

Career Counseling | Martha Heller

The Longest Interview

Three CIOs on how to make the most of an interim job and turn it into a permanent one.

Most of us thrive in relatively defined structures where we understand the parameters within which we can act, succeed or fail. As such, we are typically very uncomfortable in liminal states — when we are neither here nor there, neither in nor out, neither fish nor fowl. CIOs who are in acting or interim roles must exist in this gray area, often for protracted periods of time while performing Herculean feats of turnaround, firefighting and influence.

Whether you're a number two with a shot at the top or a consultant brought in on an ad hoc basis, the odds of getting the full time job are typically not great for interim CIOs. It's relatively easy for an external candidate to convince a hiring committee that he will do great things in the future. An internal candidate has to do great things in the here and now. And while an external candidate can paint a beautiful picture of future alignment and prosperity, an internal candidate has no choice but to expose the current and ugly truth about an IT organization.

So how do you shift from acting to in charge? To find out, I checked in with several CIOs who successfully made this transition. Follow their tips, and you may find yourself happily erasing the 'interim' from your office door.

Don't be a baby-sitter. In July 2006, ICG Commerce, a procurement outsourcing provider, hired Rick Bunker for a week-long consulting engagement on IT management strategy.

"I gave my report and figured I was done," he says. About a month later, a new CEO joined the company and asked Bunker to present his findings once again. The CEO liked what he heard and asked Bunker to consult as an interim CIO for a three-month assignment. "Two months into my consulting engagement, when it was time to finish up or begin a new statement of work, they asked me to take the permanent role," he says.

Interim CIOs are often asked to babysit an organization and leave the major strategic moves to the permanent CIO. Bunker warns against allowing your role to be defined this passively.

"If your CEO tells you to keep things calm before the new person starts, you're in a terrible position," says Bunker. "Your peers will see you as ineffective — and they are the real decision-makers as to whether or not you'll get the job." When Bunker joined ICG, the company was transitioning from a product to a services strategy, and the IT organization was misaligned to the new business model. In his first two months on the job, Bunker restructured the organization, adopted an agile programming methodology and set up a new technical training program.

So how do you react when a CEO tells you to stay in the box? "If your boss tells you that you can't re-organize or fire people, then develop strategies for transformation and present them as what you believe should be done," he says. "Develop a strategy and sell it, even if you can't execute."

Put a premium on trust. "When you work as an interim CIO in a consulting capacity, people can be very forthcoming with you because they consider you outside the political fray," says Bunker. "When you make the switch from interim to permanent, it can be a real shock to people who have spoken more openly with you than they would have if you were a full time employee."

If you want your peers to support your permanent appointment, you need to make it clear when you're acting CIO that they will be able to trust you should you wind up in the permanent role.

Pay attention to the step below peer-level. Consultant Jim Ward was named acting CIO of logistics company Pacer International in December 2006. He was asked to run IT as the company conducted an external CIO search. Five months later, the company's CEO asked him to take the full-time job.

When Jim took the interim job, he was not planning to work full-time, but he liked the company and the challenges it faced, so he decided to accept. His advice: while it is true that the opinions of your C-level peers are a critical factor in determining whether you are right for the position, you cannot ignore the next level down.

"I spent much less time with senior management than I did with the business getting things done," he says of his interim period. "If you're helping managers run their businesses, they will filter that message all the way up. If the managers are not happy with you, you will probably not get the job."

Be prepared to work for a new CIO. When the CIO of Covance left the drug development services company in June 2005, John Repko, then VP of global applications at the company, was named his interim successor and given the permanent role the following January. Not only did Repko need to survive an external search, he was asked to participate in the selection of the permanent CIO. The situation was unique and challenging for Repko, but he defined an approach for himself and stuck with it.

"I came up with a way to evaluate candidates where I drew a line and said if the candidate is a full step above me, I'll be big enough to be prepared to work for him or her," he says. "But if I didn't think I could learn something from this person, I would state my concern."

Be sensitive to the reaction of your former peers. "You need to understand that not everyone will be happy for you," says Repko. Colleagues who feel that they should have been selected for the interim assignment may not be your top supporters. "You cannot alienate your former peers," he says. "Be humble, ask their advice often and show them that you're in learning mode."

Be visible. Soon after he was put in the interim position, Repko built a 30-60-90-day plan for the IT organization and hit the road.

"I felt that it was critically important that the top leaders at Covance understood that I was in charge and was no longer the number two guy," he says. "I did that by going on a world tour to meet with all of the major business leaders and building a solid 30-60-90-plan and reviewing it frequently with my CEO and my peers."

Think short and long simultaneously. In November 2006, consultant Rick Gehringer was invited to negotiate an outsourcing agreement for the Brookings Institution. By January, the relationship turned into a six-month interim CIO contract while the organization conducted an external CIO search. Two months into the search, which began in May 2007, Rick formally interviewed for the role and received an offer a month later.

His advice? "Remember that you're doing the job they hired you for with one hand and interviewing for the permanent job with the other," he says. "You need to deliver a balance of short term successes, like resolving chronic infrastructure problems, with long term strategic vision."

In other words, act like a CIO and you may just win the job.

Martha Heller is managing director of the IT Leadership Practice at ZRG, an executive recruiting firm in Boston. Send feedback on this column to [email protected]


Page 14: April 1 2008

Applied Insight | N. Dean Meyer

What IT Really Means

What's IT worth? If end users are to understand, you have to tell them exactly what they get for their money.

Some of you are sighing with relief that your budget process is over. But all who remember how painful the budget process was understand that a CIO's negotiating power is, to a great extent, determined by how well clients understand the value they get for the money. There are three components to the concept of value: understanding exactly what IT delivers, believing that the cost is fair and evaluating the contribution of those deliverables to the bottom line.

Here's how you can build clients' understanding of IT's value.

What Do We Get for the Money?

In many cases, clients' poor perception of IT value is as basic as not understanding the full bundle of offerings that IT delivers.

Sure, everybody knows that IT delivers essential services like desktop computers, network services, applications engineering and applications hosting. But that sounds simple. Many clients don't understand why IT has to cost so much just for that.

The problem is, many IT departments don't clearly define the specific products and services they deliver for a given level of funding. Typically, there's a lot more in that bundle than clients know. When the specifics are defined, clients come to understand why IT needs the budget that it does.

Explicitly defining IT's products and services also counters the less-honest outsourcing vendors who glibly offer to do 50 percent of what internal staff do for 80 percent of the cost, implying a 20 percent cost savings. One can see the fallacy in that claim only if IT can clearly define all the products and services that it delivers.

There are two steps required to understand the exact list of products and services that the IT budget pays for.


Page 15: April 1 2008

First, IT must publish its product and service catalog. The catalog must be comprehensive, and at a level of granularity that portrays specific client purchase decisions. It's not sufficient to define high-level categories, which don't portray all the many things IT does within each category. For example, 'e-mail' is too broad. A fully defined catalog would distinguish a basic e-mail account, extended storage and BlackBerry forwarding as three distinct services.

Second, IT must define exactly what subset of that catalog the budget pays for, and in what quantities. For example, it might forecast the cost of basic e-mail for everybody, extended storage for only the customer service department, and BlackBerry forwarding only for executives. And it might forecast the cost by application for each major project, for necessary repairs and patches, and for discretionary enhancements. Breaking out the budget in such a way makes it clear exactly what IT delivers (and, by implication, what it doesn't).

Said another way, the budget must forecast more than spending by expense code (such as travel, training or licenses) for each manager. It must include the full cost of all clients' purchase decisions. I call this a 'budget by deliverables'.

Is the Price Fair?

The next question related to value is: Am I getting a good deal? Is the IT department delivering its products and services at a cost that's competitive? Answering this question requires benchmarking against the market.

It's not enough to compare the internal IT budget to other companies using statistics like percent of revenues or total cost per desktop. This doesn't take into account the unique configuration of technologies within the company, or the unique needs of the business. For example, your company may be spending more on IT because it's using technology to gain strategic advantage, not because the IT department is more expensive.

The only way to demonstrate that internal IT is a good value is to compare the cost of products and services, like to like. IT must be able to answer the question, "What would this exact bundle cost if bought from vendors rather than staff?"

The easiest, but least accurate way to assess this is to benchmark the entire bundle all at once. This involves adjusting industry average IT expenditures based on the attributes of your bundle that make you unique, such as the number of servers, users and transactions.


Page 16: April 1 2008


There are two problems with this approach. First, it cannot distinguish an inefficient IT department from an efficient one in a complex business. Second, the data does not tell you which IT product lines need cost reductions. A more accurate way to benchmark IT is by product, based on unit costs. To ensure fair comparisons with the market, IT should calculate rates for each item in its catalog ('service costing' as ITIL puts it).

All costs (including all indirect costs) must be amortized into those rates. It's misleading to allocate fixed costs, and claim that rates based on only direct (or marginal) costs are competitive.

But be careful not to amortize into rates any costs that are, in fact, entirely separate from the delivery of those products and services. One example is corporate-good services like policy, standards, oversight and technology advice (like the consumer report for PCs). These are services that have their own price, and should not be amortized into the cost of client products and services. Another is capital for IT-owned infrastructure. These costs should be depreciated, and only the depreciation expense goes into rates.

Value and the Bottom Line

The final question of value is at the higher level: does IT contribute to business value? To optimize its contribution to the bottom line, IT must install processes that ensure two things: that the enterprise is spending the right amount on IT, and that the IT budget is spent on the right things.

What is the right amount to spend on IT? The answer is certainly not found in industry averages of what others are spending, nor in what was spent in prior years.

In technical terms, the optimal amount to spend on IT is determined by funding investments (from best to worst) until the marginal internal rate of return drops down to the weighted-average, risk-adjusted cost of capital. In simple terms, the enterprise should fund all the good investments, and no more.

Obviously, 'keeping the lights on' is a very good investment. Without it, the enterprise would grind to a halt. Beyond that, services and projects alike should be scrutinized to be sure they pay off.

IT, in isolation, cannot calculate the ROI of its products and services. Only clients can vouch for the value they receive from their IT purchases.

What Can IT Do? Two Things

First, IT can ensure that clients are in control of what they buy and are accountable for spending the IT budget wisely. This means implementing a client-driven portfolio-management process.

Note that portfolio management is far more than rank ordering projects on an unrealistically long wish list. Clients must understand how much is in their 'checkbook' (a subset of the IT budget), and what IT's products and services cost, in order to know where to draw the line. That is, they must work within the finite checkbook created by the IT budget as well as understand the deliverables that they will (and won't) get. Thus, true portfolio management is predicated on the above steps of defining IT's catalog, costing it, and presenting a budget in terms of the cost of its deliverables. Once all that is done, an effective portfolio-management process can be implemented.

Second, even if clients know the costs of their purchases and are working within the limits of their checkbook, they'll make better purchase decisions if they understand the returns on technology investments. IT can help clients estimate ROI of their proposed purchases. The cost side of the ROI equation was handled by calculating a budget by deliverables and rates. The remaining challenge is to quantify the benefits. Cost-displacement benefits (which include both cost savings and cost avoidance) are easy to measure. The real challenge is measuring the so-called 'intangible' strategic benefits.

One Step at a Time

In summary, the question of IT value is fully addressed when:

1. IT has defined its product and service catalog in detail, associated all its costs with its products and services, and calculated rates that can be compared with the market.

2. Clients understand exactly what they're getting for the money spent on IT, and indeed can control it by deciding what they will and won't buy from IT.

3. IT can help clients assess the value of their IT purchases by measuring the benefits.

These three things are presented in order. The catalog must come first, and the costing must come closely on its tail (ideally through an integrated business planning process). This first step alone may settle questions of value in many organizations.

Next, a client-driven portfolio management process can be implemented, one predicated on knowing the costs of all of IT's products and services, and how much of IT's budget is available for clients' purchases (the checkbook).

Finally, as clients grow in their ability to manage the IT checkbook and begin looking for ROI calculations to fine-tune their judgments, IT can offer help with strategic benefits measurement.

Send feedback to this column on [email protected]


Page 18: April 1 2008

Cover Story | IT Strategy

Straight Up Strategy

By Stephanie Overby

Everyone agrees that having a strategic plan for IT is a good thing but most CIOs approach the process with fear and loathing. In fact, the majority of CIOs (and the enterprises they work for) are faking it when it comes to strategic planning. Isn't it time we all got real?

Reader ROI: what to do when business has no plan; why IT strategy can't be made in a vacuum; how to manage a relationship with business to create strategy.

Places where IT and the business are so tightly aligned you can barely tell the two apart. Where corporate leaders understand that IT is a strategic asset and support it as such. Where the CIO is encouraged to spend the majority of his time on the Big Picture. If one works in that kind of IT Wonderland, getting a good strategic plan down on paper is probably a snap.

But the vast majority of CIOs work in places where the business itself may not have a clearly articulated strategy. Where corporate leaders don't care too much for IT, much less value it strategically. Where the CIO's time is devoured by day-to-day operations and there's little time left to look beyond the next few months. If one lives with that kind of tactical IT reality, getting a good strategic plan down on paper is practically impossible.

“Business processes are like children or parents. You have to manage them. You can't throw them out.” — S.N. Roy, VP-IT, Cholamandalam MS General Insurance

“If you choose not to strategize for want of budgets then you are being reactive, and that approach will certainly prove costly as you move along.” — Charles Padmakumar, Director-IT, Aricent Technologies

Which is to say that for most CIOs, putting together an IT strategic plan—that annual road map to guide IT through the next 12 months and beyond—is dauntingly hard.

But while the odds may be stacked against the average CIO, the truth is that those IT leaders who don't master the art of strategic planning won't last long. "The purpose of the IT strategic plan is to improve the business-IT relationship. A CIO needs it to communicate with the business, to tell them that he understands the company's needs and to set expectations," says Alex Cullen, Forrester Research vice president and research director. "A CIO can't succeed without it."

Michael Jones, CIO of the National Marrow Donor Program, calls it "the business case for IT." Here's how you can overcome the four most common obstacles to penning that increasingly critical document.

Business Plan? What Business Plan?

The cardinal rule in developing an IT strategy is to connect it to the business strategy. "The business should have desired outcomes—market share gains, higher customer satisfaction levels, shortened cycle times," says independent IT analyst Laurie Orlov. "IT has to figure out where they factor into that."

But for all the whining CIOs have had to endure about how IT needs to be more strategic, the businesses they support are often in even more dire strategic straits. "Businesses very often don't have a strategy. Or they do, but it's very high-level and vague. Or they reserve the right to change it. Or they have some strategies, but they don't apply to all the business activities taking place," says Forrester's Cullen.

So CIOs operating in strategy-free organizations are off the hook, right? Wrong. "It's the ultimate cop-out for CIOs to say they can't do an IT strategy because the business doesn't have an articulated strategy," says Orlov. Fuzzy business goals present a challenge, but smart CIOs should see that as an opportunity. "People in the business are very focused on operations or other minutiae," says Dave Aron, vice president and research director for Gartner Executive Programs. "IT

Making an IT Strategy Work

Working IT strategy with business can be a suffocating relationship, but not for Prasad Dhumal, National IS Manager, DHL Express India: two intertwined but separate strands.

Khalil Gibran said it best when he made his observation on marriage: ‘And stand together yet not too near together/For the pillars of the temple stand apart,/And the oak tree and the cypress grow not in each other's shadow.'

When asked whether the IT department drives IT strategy or if business did, Prasad Dhumal, national IS manager, DHL Express India, says that both parties have strong involvement.

“We are an MNC so the regional IT headquarters and regional business stakeholders like country managers, HR heads, business heads, and others have a strong say.” Dhumal says that the business give their plans to the IT team and tell them what they want.

So, does this imply that the business forces the IT organization to deliver based on its own plans? Not so, asserts Dhumal. “Business does not tell us what we should do. They only tell us their business plans. The IT team decides what should be implemented to help the business team to fulfill its objectives.”

The practice of allowing each department to do what it does best may seem like a no-brainer but this hands-off approach has one requirement: it entails that both parties

Photo of Prasad Dhumal by Fotocorp


Page 21: April 1 2008


can help the business articulate what will help it win and how IT fits into that. Then you go from just being an order taker to actually influencing overall strategy."

Opportunity Knocks

Michael Hites knew the lack of vision at New Mexico State University (NMSU) would be a challenge. "If you don't have the highest level plan in place, even the best IT strategic plan won't work," explains Hites. "I've seen it; I've lived it." When he became CIO in 2003, NMSU's plan was no different from any other school's. So Hites's first IT strategic plan was standard and risk-averse. IT plodded along doing good work but nothing particularly strategic. In the absence of a more ambitious university plan, there was nothing to anchor a real IT strategy, says Hites. "If you stick your neck out [in that environment], the university may or may not be behind you," he notes.

But then a funny thing happened. After several years of bugging people about the lack of a strategic plan for the university, Hites last year was put in charge of strategic planning for the entire university and named vice president of planning and technology.

Hites and his team have lots of great ideas—about Rs 60 crore worth of them, he says—but his organization is "funded to the tune of half a million a year." The question he's faced with each year is "how to spend that little bit to do something strategic. If the university has the ‘mom-and-apple-pie' strategy of ‘helping students succeed' or ‘increasing research,' anything you do is going to foster those objectives. And you can never be sure you're making the right choices. But if a university steps out on a limb and says, ‘We will have best online education program in criminal justice in world,' then that becomes the strategic focus."

When IT Drives the Bus

"It can be appropriate for the CIO to help push business along in terms of strategy," says Forrester VP and principal analyst Bobby Cameron. And that doesn't necessarily mean taking on a second job. When Kelly Clark joined Exante Financial Services, a financial services provider for the healthcare industry, he wanted to change the IT strategic planning process.

"Generally, it's done at the end of the year," explains Clark. "You look at the budget, see you have X number of dollars and figure out what you can do. It's reactive." Clark wanted a proactive process, a "business overlay that said, here's what the market is looking for, here's what we have, here's what we need." Exante had a business road mapping process but no business and systems strategy, so Clark told his CEO and CFO they needed one. And they bought it. "So off we went," says Clark. "We created an enterprise strategic plan and IT became a piece of that."

Bethesda Lutheran Homes and Services (BLHS), a faith-based provider of services for individuals with developmental disabilities, was a couple years into a five-year organizational strategic plan when Brian Tennant became its CIO. But the plan was strategic in name only. "It was generic: be the best and grow by this amount," recalls Tennant. "But it was unclear why they picked the growth number or how they would measure it. And they hadn't paid much attention to whether it was on track. Nothing was grounded in reality." Frankly, that didn't matter much to Tennant at first. BLHS had acquired Good Shepherd Communities in 2005, which increased its size by two-thirds, and there was a "whole pile of modernization to do," recalls Hites, including adjusting the core ERP system. Even with an overarching business strategy, IT's mission was clear: integrate and upgrade.

Now that all that work is wrapping up, Tennant knows it's time to create a plan to guide his department of 10 through the next three to five years. But Tennant's not waiting for the 105-year-old organization to come up with a new five-year plan specific enough to guide IT; he's helping shape it.

"I see myself as a member of the senior management team who just happens to be in charge of IT," says Tennant. "So I'm taking the opportunity to weigh in early and weigh in on all disciplines, not just my own."

Senior leaders, Tennant included, are vetting the new plan with the board, operating divisions, donors and families of those to whom they provide aid. The goal is to create what they're calling "strategic positioning statements," such as attracting a younger demographic as

regard themselves as equals in a marriage.

It’s a hurdle that DHL has already crossed. And the proof is in the way ROI is justified. At DHL, Dhumal says that the IT team doesn’t have to worry about ROI — this burden falls on the business team.

And it’s a responsibility business is willing to take because projects are a joint exercise between the business team and the IT team — and they both work hand-in-hand to deliver. To Dhumal, the issue of ROI is not very worrying because, as he says, “the IT strategy is based on the needs of the business.”

Expanding on this, Dhumal says that a focus on planning ensures that business value is delivered. “We first start with a business priority, which is the key requirement for initiating any project. This is the stage where we need the highest clarity,” he points out.

Once this is fixed, the IT team moves — independently — into tactical territory like a study of the required resources and the timelines that need to be adhered to in order to deliver business value.

The upside to this approach: costs are not high on the priority list. “Only if high costs are involved do we require special approvals and sanctions before the project can get rolling,” explains Dhumal.

He adds that meetings help ensure that rollouts stick to timelines. Once the system has been delivered, review meetings are held until the system stabilizes. The meeting schedules tend to vary — a project that is to be delivered over a six-month period may necessitate only fortnightly meetings, but weekly meetings may not be uncalled for when delivery has to be made within a month.

—Balaji Narasimhan

Cover Story | IT Strategy

Cover Story - Jayan.indd 27 4/2/2008 4:58:01 PM

Page 22: April 1 2008

Vol/3 | ISSUE/10 | 28 | April 1, 2008 | Real CIO World

donors or expanding services or creating financial stability.

"I'm already starting to think about how IT will fit into those goals," says Tennant.

Starting from Scratch

Ask Vicki Petit, vice president of information services for KI, a Rs 2,800 crore office furniture manufacturer, what word she associates with IT strategic planning and she doesn't miss a beat: "Work," she answers, with a sigh.

Petit faced a double challenge when she became KI's IT leader eight years ago. KI didn't have a business strategy and no one had ever thought about creating one for IT. Forrester's Cullen gets lots of calls from CIOs every year around springtime, and about half of them are just like Petit, starting from scratch. (The other half are dissatisfied with their current plan.) "[CIOs] all know they need one, but they're not sure what it is or what they want to achieve or where to start," says Cullen.

Petit spent her first few years on the job waiting for the business to decide what its strategic plan was. But what it delivered wasn't a plan; it was a tome. She waded through KI's 200-page "corporate strategy book" searching to find something that IT could align with. "The business strategy was communicated in mostly operational objectives," says Petit. She wanted to create a long-term road map that would guide IT beyond the next year but it was difficult to tie that to the nitty-gritty tactical goals that passed for business strategy.

Still, Petit knew she had to put some kind of stake in the ground, if only to make the following year's strategic plan a little easier. And every year since, she's put an IT strategic plan on paper, updating it and grading the IT department on its progress after six months, improving the process as she goes. And now her boss, the CFO, requires a similar strategic plan each year from all departments.

"Oh they love me," she jokes. But the plan has proven invaluable. "We can use what's in there to help us justify IT's direction or say no to a project instead of just reacting to what users want."

George Lin also had to go from zero to 60 on strategy. When he became CIO of Dolby

What part does financial planning play in the creation of IT strategy? Financial planning is an essential and integral part of any strategy creation and execution exercise. I say this, because most strategic planning exercises involve an analysis of the current expenditure and will require to be revamped to support a new strategy being rolled out.

Having said that, a strategy should be driven by vision, which some people call their roadmap. It should be aligned to business and its needs.

Can strategy be driven by budget? I would say not. On the contrary, your budget should be a support to help implement your action plan, which is based on your strategy.

But doesn’t getting funds then become a problem? Especially if business thinks IT isn’t focused enough on budgets?

This is not easy given the current situation, which demands better management of costs if not cost reduction. But I would also add that it is not as tough as people think — if your strategy is spot on and in line with the needs of business. The strategy should be able to highlight business benefits and what it will bring to the company. It

Keep Money Out of IT


Laboratories, he found a "fairly rudimentary" IT plan in place. But unlike Petit, he benefited from what he characterizes as a very strong business strategic planning process. Dolby has a multiphase 'funnel' approach to strategic business planning. All the good ideas generated by the company's more than 1,000 employees come in and the senior management has a governance process for narrowing them down to a manageable number of initiatives for the year.

Lin plans to introduce a similar process within IT, inviting broad input into the strategic plan and putting in place a "business infrastructure steering committee" to select those with the most promise. "It's what I've done everywhere I've been," says Lin, who previously held IT leadership roles at Advent Software, Documentum and EMC. "The IT strategic planning process should tie into the existing business strategic planning process. That creates buy-in from the business."

Without that, Lin says IT suffers. "Before I became a CIO, I saw the downside of an IT organization whose strategic plan was not aligned," says Lin. "IT was putting a lot of good effort into projects the business didn't want or appreciate. It becomes a morale issue," he says.

Tennant plans to mirror BLHS's new business strategy process when he creates the organization's first-ever IT strategic plan this year. Those "strategic positioning statements" the corporate team was developing? IT will have some, too. "They won't be, ‘We're going to grow our staff 25 percent' or ‘We'll upgrade to Watson version 9.0,' like it has been," says Tennant. "It could be, ‘We're going to move in the direction of self-service,' which could apply to our staff or the people we serve or our vendors. Or ‘We're going to leverage adaptive technology to improve the lives of the people we serve.'"


Page 23: April 1 2008

The Dangers of Going It Alone

KI's Petit was happy to have created her first IT strategic plan in 2003 but she knew it wasn't ideal. She had come up with her own idea of what IT should focus on, with little business input.

"The first pass was really just internal to IS in order to create some principles for how we wanted to operate and specific objectives," says Petit.

But, as Orlov warns, "IT strategic planning can't be done in a vacuum. The CIO can't just have an offsite and brainstorm what to do." Petit understood that and has been trying to tie IT's strategic plan to business goals, such as they are. "It was a tough transition to make," admits Petit. "But the IT strategic plan is more or less the only vehicle we have to communicate the value we provide to the company so we don't want to be seen as off there on our own island doing our own thing.

"A better model would be to work with functional leaders and get their take on what we should be doing," Petit acknowledges.

Petit's not involved in crafting business strategy, but she's got a way around that. "We've built a stakeholders' chart and we've started meeting with them. We ask them: what are you measured on? What affects your business? We're getting more two-way communication going." Contrary to popular belief, a CIO doesn't have to have the proverbial 'seat at the table' to involve the business in IT planning. In fact, says Cullen, involving the business in IT strategic planning "is a way to earn that seat."

"One of the big mistakes made when it comes to creating an IT strategic plan is that people model it after a kid who goes off into his bedroom to do his homework and then shows it to his teacher the next day," says Gartner's Aron. "You have to engage the business throughout the process of creating the plan."

Lin has created IT-business partner roles at Dolby to get input on strategy year-round. "It happens not just on the executive levels but throughout the company. And not just once a year at budget time," says Lin. This year IT wanted to set IT infrastructure standards for the company as part of the annual plan. "Instead of IT making the decision, we asked the business infrastructure steering committee to delegate people to a standards subcommittee," Lin relates. With that kind of model, Lin no longer has to sell his strategic plan to the business. Now, "The committee we present it to is actually involved in creating it," he says. If the business isn't involved, the most well-intentioned, well-conceived IT strategic plan can go south in a hurry. "You

should also be supported and sponsored by the leadership team. There is an urgent need to strategize especially when you are under pressure to reduce costs.

Why is it important to focus on strategy and not funds? Because if you choose not to strategize for want of budgets then you are being reactive, and this will certainly prove costly as you move along. Today's business models are more dynamic, your customers and their needs are also changing rapidly. Ask your business groups, they will echo this idea that your customers are increasingly asking for a lot more — for a lot less. This indicates that there is a never-ending need for speed, efficiency and productivity — all of which are simply the opposite of being reactive.

Every company spends money. So why not spend money smartly? Aligning your spend, in line with your strategy is definitely a smart move. And remember: not all strategies need more budgets, some may just need a realignment of your expenses.

—Kanika Goswami


Charles Padmakumar, Director-IT, Aricent Technologies, cautions CIOs against letting money do the talking when it’s time to draw out a strategy.

Charles Padmakumar (photo by Srivatsa Shandilya)


Page 24: April 1 2008

show the plan to the business, they nod their head, say, ‘Sounds like a good plan you've got there, go do it,'" says Forrester's Cullen. "Meanwhile they're thinking, ‘Why'd you tell me this? It doesn't involve me at all. And don't ask me for money for it because it's not linked to business needs.'" Devoting 10 pages of the strategic plan to IT's goals for Web 2.0 might seem like a good idea within the IT department. Problem is, the CFO you're presenting it to is upset that his e-mail box is restricted to 100 megs and "you end up with the thing CIOs are most afraid of when they present their plan: people scratching their heads," says Cullen.

Hites now holds an annual IT planning conference at New Mexico State every October, meeting with a crowd of about 100 IT and university leaders. Last fall, they spent a lot of time talking about what Facebook and MySpace meant for the school and whether the curriculum should be integrated with such social networking sites. The conferences are something he started at the Illinois Institute of Technology.

"Before that, we did planning only internally," says Hites. But that generated "some tension and was interpreted as, central IT wants us to do this while we want to do this other thing," says Hites. "It was ineffective."

Bringing the business into the strategic planning process doesn't have to be as formal a process as Hites's. Jones of the National Marrow Donor Program does it by having conversations with stakeholders. "I talk to people from the C level on down to the basement. I ask them how things are operating, what works well, what doesn't work well," he says. He then asks people in IT the same questions, which either validates his accumulated information or reveals disconnects that need to be explored.

These conversations help Jones "connect what's in the IT plan to the everyday needs of the business."

"The CIO can go to peers and say, ‘What do you expect from IT?' ‘What's

How do you sit down and evaluate an IT strategy? You don’t. At least according to S.N. Roy, vice president-IT, Cholamandalam MS General Insurance. The straight-shooting, hands-on IT leader says, “I have an allergy to such phrases.”

It isn’t strategy that makes Roy break out into a rash — he just believes that the best way to evaluate it is by observing it in action. “The proof of the pudding lies in its eating,” he points out, echoing the words of Susan Cramm (founder and president of Valuedance, an executive coaching firm) in her column The Strategy Acid Test (www.cio.in/columns/viewArticle/ARTICLEID=3866636).

True to style, he puts forth an example. Way back in 1992, he says, he started pushing his management to consider SAP. “I made a formal proposal only in 1994,” he recalls. But it was only in 1998 that the management agreed. The customization was started in May 1999, along with activities to fix the y2K problem. After 11 months, in April 2000, it went live, which only goes to show that IT strategies and their implementation take time to mature.

They also take time to evaluate, which is probably why Roy scoffs at attempts to evaluate them academically. His test of an IT strategy? Time. The ERP implementation was a product of a strategy and “it has been running without any hitch for almost eight years now,” he says. To him, anything that stands the test of time, especially in these days of turbulent change, is a success.

And the other test? It meets business needs. “In the eight years that the SAP implementation has been running, the group has tripled its turnover and quintupled its profits,” he asserts.

Like all IT strategies, formal or not, Roy’s required constant tweaks to stay relevant to the business and the times. It’s a truism that is reflected in Roy's SAP implementation. He says he made it (both SAP and the strategy) work by basing himself on a few parameters and narrowing down. This decreased customization to make the ERP behave in a manner similar to the existing legacy system and increased business-IT alignment. “Business processes are like children or parents,” says Roy philosophically, “you have to manage them. You can't throw them out.”

—Balaji Narasimhan

Test Your Strategy

Evaluating how good an IT strategy is can be impossible with the number of criteria it has to meet and the way a variety of consumers view it. S.N. Roy, VP-IT, Cholamandalam MS General Insurance, has his own gauge.


S.N. Roy (photo by Chandroo)


Page 25: April 1 2008

the importance of technology?'" says Cullen. "If the answer is, ‘I don't know what I want because I don't know what you're capable of,' then that may be the focus on the IT strategic plan this year: defining the role of IT."

"If you walk in with a blank sheet of paper, you may walk out with a blank sheet of paper," says Aron. "Instead say, ‘We think you're in this kind of business, this is what it will take for you to win and this is what IT can do to help you. Is that right?'

"It's not bad to get it wrong," Aron adds. "Sometimes a wrong or controversial hypothesis will get them talking." For example, a bank CIO could walk in to the VP of customer service and say, "From what I understand, the bank is going to succeed based on its superior understanding of the customer so we think IT should focus on analytical customer relationship management." That VP may say, "No, we're going to win those customers by being low-cost." Now the CIO has something solid around which to build an IT strategic plan.

Excuses, Excuses

Given the choice between creating an IT strategic plan and having a root canal, many CIOs would choose the endodontist. "No one would say they love doing it," says Orlov. "[But] it's a pause for thinking and a divergence from reacting and responding."

However, many CIOs find it impossible to pause. "I hear that a lot: ‘I'm too busy with the day-to-day.' ‘I spent time on that last year and it was pointless,'" says Forrester's Cameron. And with the increasing complexity in IT, the dread surrounding strategic planning has grown. "At the moment, you have these three tectonic plates converging in IT: the need for growth and innovation, continued cost discipline as a result of the credit crunch and IT's changing role in the business," says Aron. "With those three things pushing against each other, strategic planning can get very complicated."

But if strategic planning is like getting a root canal, remember: you endure the pain now in order to prevent a greater agony later on.

"[Strategic planning is] the one tool CIOs can use to communicate the value of IT," says Orlov. "It's something that can shore them up and arm them when people challenge them about what IT is doing. So you have to set aside some quality time for that." During her last six-month evaluation of IT's progress, Petit gave her department an A for being a low-cost, high-value provider of IT services but a D on working with the product development team to incorporate technology into KI's furniture products. "We had a goal to have an innovation group within the IT department and that hasn't happened," says Petit. "We spend a lot of time operationally and less time looking into the future."

Not surprisingly, Petit has trouble making time for planning. "It's a struggle," she says. "It's so easy to get dragged back into daily operations because we're staffed so lean and mean."

To fight that pull, Petit keeps a bar chart taped to her computer screen tracking how much time she's spending with other managers, talking to external peers, meeting with vendors. Anything not project- or operations-related counts. The goal is to hit 32 hours a month, or 20 percent of her time (although she tracks it in minutes, 1,920 of them) spent planning. "In bigger companies, where the CIO role is more strategically focused and people wear one hat, strategic planning is probably a lot easier," she guesses. "But in small to mid-sized companies, we have to wear a lot of hats."

Her boss, in theory, supports her efforts to spend more time thinking strategically. "But when it comes down to whether you're going to do something about strategic planning or the network is down," she says, "you're going to take care of the network."

Exante's Kelly says that if strategic planning is important, IT needs to put its money where its mouth is. "Often the problem is financial," Kelly says. "Everything is focused on capital expenses."

Kelly says he has invested in people and processes to make sure the IT strategic plan remains a priority. "You need a dedicated team," he says. "Most organizations don't assign IT strategic planning to someone as a full-time job. Hence it doesn't become a discipline; it becomes a burden." But Kelly made strategic planning the full-time responsibility of his directors. "Once the positions were open," he says, "we found people were itching to do it."

"Someone in IT should be thinking about IT strategy most of the time," agrees Orlov. "And their job the rest of the time should be making sure they're connected to everything that's going on in the business."

If an IT leader (or his reports) can set aside extra time for strategic planning now, the theory is that it will become an organic part of their lives and interactions, less like a series of appointments that you'd just as soon cancel.

And It Will Get Easier

"If you did a strategic plan for the first time last year, you'll find that this year it takes less time. And next year will be even better," says Cullen. "You can focus more time on discussions with people and less time on the mechanics of putting it together.

"It could even become the part you like best about your job because that's where you can talk about what you want to do and why it matters to the organization."

And that's fun. Which is why strategic planning isn't really like a root canal. Root canals have no fun parts.

Send feedback to [email protected]


2nd on the list of skills most pivotal to being a successful CIO is strategy, say CIOs.

Source: State of the CIO 2007



Page 26: April 1 2008

Every company wants to establish its brand as a household name, but few succeed. And they succeed because they follow an age-old, time-tested formula: building credibility. Sometimes IT can do that for you.

By Balaji Narasimhan


Putting the Price War to Rest


Page 27: April 1 2008

Establishing a brand name is a task that few companies do well. And, according to those that have, if there’s one thing that’s harder it’s sustaining a brand.

That is because it takes more than just wisdom to understand what’s needed to stay on top of the brand game. And more often than not, it isn’t about building another fantastic product, but knowing the pulse of the customer.

With competition at its peak and demand on the rise, companies are trying to push each other out of the way to reach where it matters — promising to deliver time and again. Promising to be different, promising the world to the consumer.

But some companies promise to deliver just a good night’s sleep.

And that’s what Sheela Foam — the company that owns the Sleepwell brand of mattresses — is known for. Founded in 1972, it has over 10 manufacturing units, 50 exclusive distributors and over 1,700 dealers across the country.

But over the past few years, heavy discounting among channel partners attempting to sell volumes had become a serious problem. This price war wasn’t doing very much good to consumer confidence in the product. A standard price is among the most basic requirements associated with a brand.

And worse, all the discounting among the channel partners was hitting authorized dealers who were now unable to retain their margins because customers, being customers, went to the lowest seller. Thus, selling the brand was becoming difficult for authorized dealers.

“Selling mattresses depends on referrals from customers and the dealer’s word,” says Rakesh Chahar, CEO, Sheela Foam. Since referrals from customers are not very high, the company had to depend on its dealers. “To make a dealer recommend Sleepwell, it is important that he retains a reasonable margin in selling the product,” he points out.

The company needed to enforce the MRP of its product. This is what led Sheela Foam to explore options in IT, and thus the project to control MOP (market operating price) was born. And the man responsible for its implementation was Pertisth Mankotia, head-IT, Sheela Foam.

Keeping the Bed-Bugs Away

“The most important challenge was to enable our dealers to retain their margins,” says Mankotia. But, in addition, the IT team also had to track sales up to the customer level and build a customer database.

This was the only way it could revive customer confidence in the brand.

One of the things that stood in the way of the IT team was the fact that they had to manage with a home-grown ERP system, and this meant that they had to customize it themselves without much help from the vendor.

Mankotia says, “There is no off-the-shelf product that caters to our requirement. Right from the order placement up to the stage when it is sold to the end customer, all business transactions are recorded in the system. We have been using this system for almost seven years.”

With the homegrown ERP — which they call Greatplus — they have not only automated their entire production process right from procurement to production, but have also successfully integrated it with their external channel partners.

A Short Siesta

Mankotia’s team also decided to use a simple mechanism for data management: SMS. “This is the most simple and innovative way for controlling MOP and for tracking and maintaining stock at the location of the distributors and the dealers without spending too much,” he says.

Mankotia goes on to explain that the system tracks product movement all the way from the factory to the customer. “It maintains data on the stock at our factories, at the distributors’ godown and the dealers’ godown”.

Tagging is done with the aid of a unique product serial number, which is bar coded. With each dispatch, an SMS is sent to the distributor about the material that is dispatched to him. “The stock of finished goods at our factory is reduced and stock with the distributor is updated. When the distributor sells a product to a dealer, then the distributor’s stock is reduced and dealer’s stock increases. All this is recorded by our ERP system,” he says.

So what’s new? The innovation of using SMS comes into play when the dealer makes a sale to an end customer. When the dealer sells a mattress to a customer, he uses his own mobile phone to SMS the product serial number

Reader ROI:

How to win customer confidence

How it delivers margins

Why simplicity matters

Illustration by Anil T

Case File



Page 28: April 1 2008

along with the customer’s mobile number to a number belonging to Sheela Foam. “This SMS is fetched by our database, where the system checks the entire transaction. Within two minutes of the SMS being received, the system automatically informs the dealer and the customer, through SMS, about the ‘Successful Guarantee Validation’ and the MRP of the product,” says Mankotia.

Thanks to the rapid proliferation of mobiles in remote and rural areas, the system can be implemented in any place where a mobile phone can work.

According to Mankotia, the biggest advantage of using SMS as a means to transfer data is that the dealers are not forced to install computers — it is more than sufficient if the distributors get their hands on a phone. All that the dealers have to do is use SMS to complete transactions from their side.

Since the system has a bird’s eye view of the entire transaction of the mattress — moving all the way from the factory to the distributor to the dealer — it is able to authenticate the genuineness of the dealer. The dealer gets five points for each transaction made, and this can be redeemed by him after a period of time.
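The factory-to-distributor-to-dealer tracking and the guarantee SMS check described above, as an added Python simulation that is not Sheela Foam's Greatplus code: the SMS body format, the validation rules, the outcome codes and the reply text are assumptions, and the serials and phone numbers are constructed.

```python
"""Simulation of the SMS guarantee-registration flow described in the
Sheela Foam case study. Added illustration, not Sheela Foam's code: the
message format, the validation rules and the reply text are assumptions."""
import re
from dataclasses import dataclass

# Assumed SMS body sent from the dealer's own phone: "<serial> <customer mobile>"
SMS_PATTERN = re.compile(r"^\s*(?P<serial>[A-Z0-9-]+)\s+(?P<mobile>\d{10})\s*$")
POINTS_PER_GUARANTEE = 5   # the article: five points per transaction


@dataclass
class Product:
    serial: str
    mrp: int                # rupees
    holder: str             # "FACTORY", a distributor id, a dealer id or "CUSTOMER:<mobile>"
    guaranteed: bool = False


class GreatplusSim:
    """Tracks a mattress from factory to distributor to dealer, then checks a
    guarantee SMS against that chain of custody (constructed model)."""

    def __init__(self):
        self.products = {}          # serial -> Product
        self.dealers = {}           # dealer id -> distributor id
        self.dealer_by_mobile = {}  # dealer phone -> dealer id
        self.points = {}            # dealer id -> loyalty points
        self.outbox = []            # (recipient mobile, text) the system would send

    def register_dealer(self, dealer_id, distributor_id, mobile):
        self.dealers[dealer_id] = distributor_id
        self.dealer_by_mobile[mobile] = dealer_id
        self.points[dealer_id] = 0

    def produce(self, serial, mrp):
        self.products[serial] = Product(serial, mrp, "FACTORY")

    def dispatch(self, serial, distributor_id, distributor_mobile):
        """Factory -> distributor; the distributor is informed by SMS."""
        p = self.products[serial]
        if p.holder != "FACTORY":
            raise ValueError(f"{serial} is not in factory stock")
        p.holder = distributor_id
        self.outbox.append((distributor_mobile, f"Dispatched {serial}"))

    def sell_to_dealer(self, serial, dealer_id):
        """Distributor -> dealer; only the distributor holding the unit can sell it."""
        p = self.products[serial]
        if p.holder != self.dealers.get(dealer_id):
            raise ValueError(f"{serial} not held by {dealer_id}'s distributor")
        p.holder = dealer_id

    def guarantee_sms(self, sender_mobile, text):
        """Validate a dealer's SMS. Returns a short outcome code; on success both
        dealer and customer get the 'Successful Guarantee Validation' SMS."""
        dealer_id = self.dealer_by_mobile.get(sender_mobile)
        if dealer_id is None:
            return "UNKNOWN_SENDER"        # phone is not a registered dealer
        m = SMS_PATTERN.match(text)
        if not m:
            return "BAD_FORMAT"
        serial, customer_mobile = m.group("serial"), m.group("mobile")
        p = self.products.get(serial)
        if p is None:
            return "UNKNOWN_SERIAL"        # never produced: cannot be genuine stock
        if p.guaranteed:
            return "ALREADY_REGISTERED"    # one guarantee per mattress
        if p.holder != dealer_id:
            return "NOT_IN_DEALER_STOCK"   # chain of custody does not reach this dealer
        p.guaranteed = True
        p.holder = f"CUSTOMER:{customer_mobile}"
        self.points[dealer_id] += POINTS_PER_GUARANTEE
        reply = f"Successful Guarantee Validation: {serial}, MRP Rs {p.mrp}"
        self.outbox.append((sender_mobile, reply))
        self.outbox.append((customer_mobile, reply))
        return "OK"


def demo():
    """Constructed walk-through: one genuine sale and three rejected messages."""
    sim = GreatplusSim()
    sim.register_dealer("DLR-01", "DIST-07", "9811100001")
    sim.produce("SW-2008-000123", mrp=7500)
    sim.dispatch("SW-2008-000123", "DIST-07", "9811100002")
    sim.sell_to_dealer("SW-2008-000123", "DLR-01")
    results = [
        sim.guarantee_sms("9811100001", "SW-2008-000123 9899900001"),   # genuine
        sim.guarantee_sms("9811100001", "SW-2008-000123 9899900002"),   # duplicate
        sim.guarantee_sms("9811100001", "SW-2008-999999 9899900003"),   # unknown serial
        sim.guarantee_sms("9700000000", "SW-2008-000123 9899900004"),   # unregistered phone
    ]
    return results, sim.points["DLR-01"], len(sim.outbox)


if __name__ == "__main__":
    print(demo())
```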

Fighting Insomnia

Sheela Foam spent about Rs 2 crore on Greatplus, and it went live in January 2007.

But the rollout was not as smooth as expected. Distributors and dealers resisted the new system because they felt that Sheela Foam would have full control over their stocks. They also feared that if the company tried to rigorously monitor the MOP, then the dealers would not be able to sell the product properly because the customer price would go up.

In order to address these fears, Mankotia says that Sheela Foam conducted several workshops, group meetings and one-to-one discussions with various distributors and dealers to explain to them the long-term benefits of the entire system. In order to show the seriousness of the initiative, the CEO and the head of sales and marketing personally attended all meetings and workshops in order to strengthen confidence among distributors and dealers.

Snapshot: Sheela Foam

Employees: > 2,000

Turnover (2006-07): Rs 500 crore

Distributors: 50

Dealers: > 1,700

Head – IT: Pertisth Mankotia

Bridging The Yawning Gap: how Sheela Foam uses SMS to verify the authenticity of a dealer.

Customer goes to a Sheela Foam dealer but he is uncertain about the authenticity of the dealer.

Sensing the uncertainty, the dealer messages the product’s serial number along with the customer’s mobile number to Sheela Foam.

Within minutes, both customer and dealer receive the product’s MRP and the ‘successful guarantee validation’ on their mobiles.

Winning customer confidence is one of the reasons behind SleepWell’s 40% growth.


Thankfully, their efforts paid off and the project became a success. Before the project, registering for a guarantee could take many months and the company paid approximately Rs 15 per guarantee registration. “Now, the guarantee is registered in just two minutes and we are spending only 40 paisa on the SMS,” says Mankotia. This difference in cost has been passed on to the dealers, and naturally they are happy — especially since the number of guarantees has gone up from around 500 per month before implementation to around 10,000 per month.

For a Good Night

The dealers are happy and Sheela Foam is pleased. But the IT team is more than glad. Mankotia says, “Discounting is the biggest problem in the consumer durable industry in India. No one has gone to this extent to control MOP. We have controlled sales through unauthorized dealers, stopped infiltration, controlled selling to non-dealers, controlled inter-dealer competition by giving heavy discounts, and also built a strong customer database for the future.”

Mankotia is also pleased to point out that “guarantee registration through SMS is a unique and innovative method that no one as per our knowledge has ever done in the country.” Mankotia takes pride in the fact that the company has got a competitive edge in the market, as they are able to track stocks and can replenish them within a shorter timeframe.

But ultimately, all IT projects need to reflect on the bottom-line.

Mankotia says that the sales of Sleepwell mattresses have shown a growth of approximately 40 percent during the financial year. While the full credit for this cannot be taken by the IT team, “The project has made a significant contribution towards this growth,” he says.

Anupam Srivastava, the head of sales, is thrilled by the impact that the SMS system has had on the customer. “We are able to win the confidence of customers in our product because, immediately after the purchase of a Sleepwell product, the guarantee is registered through SMS,” he says.

A Bedtime Story

The system has been in operation for over a year now, and Mankotia says that Sheela Foam has not made any major changes in the application. “But our major concern is connectivity uptime. Initially, distributors were operating through the Internet, and many times connectivity was a constraint. However, the problem has been resolved. We have now brought them into our MPLS network,” points out Mankotia.

In 2008, Mankotia has some ambitious plans for his project. Right now, Sheela Foam has extended Greatplus partially to its distributors. “As a step forward, we are in the process of launching our Greatplus Distributor’s Lounge to almost all our distributors. This will record all their business transactions and provide all our distributors a business advantage that is similar to what is enjoyed by us today,” he says.

Using this system, Sheela Foam hopes to reach out to all its dealers and allow them to place orders online with distributors. “These will get translated into distributor orders and will appear as outstanding orders in our books,” says Mankotia, who goes on to add that, “dealers will be able to know their online order position and they will be able to track materials movement and get more market insight.”

Another advantage of the improvements being made, says Mankotia, is that, with the information on materials movement, Sheela Foam will also be in a position to efficiently monitor the delivery of goods from the distributors to the dealers.

“In short, with the Greatplus Distributor’s Lounge, we are creating a totally synchronized environment, right from the order placement by our dealers all the way up to the sale of the product to the end customer,” says Mankotia. The Greatplus Distributor’s Lounge will become operational from April, 2008.

Look who’s getting a good night’s sleep at Sheela Foam. CIO

Assistant editor Balaji Narasimhan can be reached at [email protected]

“Discounting is a huge problem in the consumer durable industry in India. No one has gone to this extent to control market operating price.”

— Pertisth Mankotia, Head – IT, Sheela Foam


The Hand Behind The Wheel

R. Seshasayee, MD, Ashok Leyland, says IT masks the auto major’s mammoth size. It also gives it innovation and agility — allowing it to go places more compact firms typically reach.

By Kanika Goswami

In a country with one of the largest and busiest rail systems in the world, Ashok Leyland’s buses carry more people than the entire Indian rail network. It’s a statistic that proves the auto giant’s leadership, but it also says a lot about its dedication to staying a leader and its resistance to resting on its laurels.

And in the last few years, it has had more reason than ever to sit back and let the market drive in the profits. With the buoyant economy, the robust growth of freight carriers and the Supreme Court’s strict enforcement of payload restrictions, the enterprise could have gone with the flow and still kept investors happy. It didn’t. While the commercial vehicle industry grew at 33 percent, Ashok Leyland grew 37 percent.

How does it do it? In an industry rife with competition, Ashok Leyland has to imitate the reaction time of smaller, more agile companies. R. Seshasayee says that it stays ahead with innovation. And IT makes that possible. Ashok Leyland stands by five values: being international, speedy, innovative, ethical and value creating. Seshasayee elaborates how IT helps the company meet these needs.

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

CIO: What is IT’s place at Ashok Leyland?

R. Seshasayee: Obviously, IT is very important to us. To use an automotive metaphor, I’d say that if people were the main engine for movement and growth, IT is the transmission. IT is the system through which the power of people is transmitted into movement — the organization’s movement. IT has been pretty important to our set up. Over the last several years, we have evolved our IT architecture from a purely transaction-based architecture — which was our starting point — to a stage where IT is integral to product development and our marketing strategies. IT is totally interwoven into the DNA of the company.


How have you optimized your processes and has this had an impact on costs?

Yes, of course. If you look at the last nine years, there is no doubt that we have achieved cost optimization. We started this journey about 10 years ago when we put together a long-term IT strategy. That roadmap has become integral to the profit plan of the company. Since then, we have had 30 percent growth in production and sales. Return on investments has also moved steadily upwards during this period — without a single year of backtracking. We’ve had steady improvements year after year on all parameters related to asset and inventory turnaround. This progress has also shown up in manpower productivity analysis. None of this would have been possible without making IT an integral part of our growth strategy.

At a sublime level, the results are evident. And, at more specific levels, the use of IT has certainly enabled us to take critical action with regard to inventory — and with fairly impressive results. It has also improved our efficiency in terms of logistics since we have a hundred thousand vehicles moving around the country.

What about innovation? How has it contributed to the organization?

One of the interesting things we have today is a huge program that connects thousands of mechanics directly to us. We are looking at state-of-the-art technology using voice recognition, etcetera. With this, we will be able to reach out to a much larger universe of customers — not necessarily direct customers — but indirect ones like mechanics and retailers. That’s a part of our innovation, and while we are still studying it, it is most likely to be Web-based technology.

R. Seshasayee expects IT to:

help the organization reach out to a much larger universe of customers

bring what customers think is valuable to the R&D team

help create a more energy-efficient plant

integrate the organization into a tighter unit

create efficiencies for clients – and goodwill for the organization

Also, we were one of the first few in the industry to have supply chain automation. We have an active portal, which enables all our suppliers to appraise vendor quality for themselves. It allows complete transparency; everybody can access information on the transactions of the company and so on. It’s an active portal.

Does IT help with product innovation?

For product innovation, customer connect is very important. We have an initiative that we are currently deploying, which tracks various customer segments by mapping the use of our vehicles across them. We identify various value drivers and capture it on a Data Management Service (DMS). We want to ensure that this data is part of the value delivery process. It’s a fairly ambitious project but right now we have completed the first module of the DMS rollout. Eventually, it will morph into a tool for marketing to assess our value delivery.

Ashok Leyland's unit in Ennore, Tamil Nadu is a model of energy-efficiency. How did the CIO contribute?

We have a fairly elaborate process. Most of the manufacturing units have installed networking units for energy meters with an automated system to track and monitor energy consumption. The result is that data is delivered at the shop floor and energy monitoring is interwoven into shop management practices. This is only possible because of instantaneous information.

Do tech investments at Ashok Leyland need to prove ROI?

Obviously, every investment has to have ROI. Before we embark on major initiatives like CRM (customer relationship management) or PLM (product lifecycle management), we assess these investments and forecast their benefits. But I would like to point out that there are quite a few initiatives that — although are subject to ROI assessment today — become mandatory later. For example, today, I don’t think anyone can even question whether ERP should be assessed. We don’t look at accounting and finance from an ROI perspective. These are the foundations of business. This is part of an evolution, so what was subject to an ROI test 10 years ago is now a pre-condition for any business strategy.

How does your CIO reinforce your market strategy? Or product development?

Broadly, there are three roles that our CIO performs. One is to be integral to the process of integration development. For example, take product development. He is so closely involved in the PLM implementation that I can’t think of the product development function being carried out without his involvement. He is pretty much a part of that kind of functional process improvement. In the same vein, there’s also what we call customer connect — the CRM. It’s not your standard CRM package. It’s a tailor-made program and it is another project where the CIO is involved.

Another role the CIO plays is bringing industry-specific IT innovations to the organization’s notice. He is like a window; a source through which knowledge comes into the organization. Of course, he is not necessarily the only person to introduce new ideas, but the CIO has a big role here.

The third function the CIO serves is providing and managing our huge IT infrastructure. We are hugely dependent on the entire IT infrastructure. It’s a truism that you only remember the IT team when there’s a 10-minute connectivity problem. The fact that our CIO is running our huge infrastructure without breakdowns — and making sure that IT isn’t only noticed by its failures — is, I think, the biggest challenge that he meets successfully.

What is ADES and how does it complement your capabilities?

ADES (Ashley Design and Engineering Services) is a testing and engineering outfit focused on the automotive side. It’s a part of Ashok Leyland but serves third parties also. Ashok Leyland has its own dedicated product development and ADES is a separate outfit which takes work from outside. We have developed some critical competencies in ADES and when Ashok Leyland requires those critical competencies, we go to ADES.

“Initiatives like ERP should not be assessed. We don’t look at accounting from an ROI perspective. These are the foundations of the business.”

— R. Seshasayee

Ashok Leyland is a leader in defence vehicles. How important is IT to this product line?

We have a lot of new product development related to the defence business. One important part of defence is developing a fairly large number of variants and doing it quickly. Today, we have a large number of design, testing and validation tools, which are all IT-based. This means that we can simulate a lot of testing. I’d like to think our product development is pretty contemporary in terms of simulation — particularly with defence vehicles because quite often we have to predict behavior.

Where does the Indian auto industry rank against its global peers?

In the last 10 years, there has been tremendous growth in India’s auto industry and it has been pretty much exposed to all contemporary technologies. Some of this is being used, others not. But, the Indian industry knows what is contemporary and useful.

What’s being used is partly driven by what the customer wants. If you look at some of the comfort or safety issues, these are driven in part by legislation, in part by market needs. The Indian industry knows what is available on the shelf and, therefore, is in a position to employ a technology appropriately according to a market and a customer’s requirements.

That said, there are a lot of technologies which an Indian customer may not want, even if it is offered, for reasons of cost or because they are not relevant. There will always be a difference between the technology requirements of a customer in the US or Japan and a customer in India. For instance, night vision technology could be made ready for all bus operators in India, it could easily be made immediately available, but would there be demand?

If you ask whether we are providing the right choices to the customer for good value, the Indian customer will definitely say yes. The Indian customer has as much choice as any other customer globally and he has all the technologies at his command. The Indian customer is not being denied.

How will new industry-specific technologies make a difference to your processes and products over the next few years?

I think there are two types of innovations that are happening in the IT industry. There is a broad spectrum of technology improvements coming around, which could be exploited with varying levels of success by various industries. RFID is an example. That technology could be used in some industries more productively than in others. We have used RFID to ensure that the right components are being issued to the assembly. When a technology is available, we push new frontiers to see how we can develop our own applications and capabilities.

Second, there are specific information technologies for the automotive industry. Let’s take the automation of vehicles, for instance — the electronic management of brakes. There is a chip sitting in there that gets various systems to talk to each other and passes information from one system to another in order to make the vehicle more efficient. That’s a key element of competitive product building and competitive business. In my view, even with respect to automotive electronics, which is based on an information technology platform, there are specific requirements in each market that are related to each customer group. Therefore, it is important that we look at what is being developed, how it needs to be customized and how we can derive competitive advantage.

There’s another dimension to IT-specific technologies. We also use IT for a different type of experiment: the transport exchange, for example. The business objective of this exchange is to bring shippers — those who want to send goods — and the transport operators together on an electronic platform. We’ve got kiosks all over the country. There is a data transaction taking place between the shipper and the transporter and there are new price discoveries on freight, for example, which benefit both. So, in effect, we are using IT to eliminate middlemen, and thus benefit our customers. That is a very different use of IT in that it doesn’t directly impact the business that we run — but has ‘adjacent’ benefits. CIO

Kanika Goswami is special correspondent. Send feedback to this interview at [email protected]

Ashok Leyland

Revenue: Rs 83 billion (2006-2007)

Number of employees: 12,125

Number of offices: 75, including five manufacturing units

GM-IT: N. Chandrashekharan

Real Risks Inside Every Box

VM sprawl. Hypervisor holes. Rogue virtual machines. Network traffic gone bad. What are the biggest virtualization security risks now and how can you combat them? It's time to separate fact from fiction and get down to work.

By Laurianne McLaughlin

Reader ROI:

Tools for managing security in virtual environments

The problem with rogue VMs

Network risks explained

Last year, the big question about virtualization in data centers was: "How much money and time will this save us?" This year, the big question will be "How secure are we?" It's a very tough question to answer. A slew of vendors and consultants trying to sell security products and services have conflicting opinions about the risks and how to prevent them. Simultaneously, security researchers are hyping theoretical risks such as the possible emergence of malware targeted at hypervisors (a threat that has yet to appear in the real world).

"There's a lot of noise out there on virtualization," says Chris Wolf, senior analyst for market research firm Burton Group. "It can be distracting."

Adding fuel to the hype is the fact that many IT organizations say they prioritized operational speed over most other factors, including security planning, when they started creating hundreds of new VMs in 2007. (That's not surprising, when you consider that most enterprises started with virtualization on their testing and application development boxes, not their servers running core business apps.)

"We're finding security is the forgotten stepchild in the virtualization build out," says Stephen Elliott, IDC's research director for enterprise systems management software. "That's scary when you think about the number of production-level VMs." According to IDC, 75 percent of companies with 1,000 or more employees are employing virtualization today.

And through 2009, 60 percent of production VMs will be less secure than their physical counterparts, predicts Gartner’s VP Neil MacDonald.

But much of the discussion about virtualization security has been flawed to date, says security expert Chris Hoff, because people often frame the discussion by asking whether virtual servers are more or less secure than physical ones.

That's the wrong question, says Hoff, who blogs frequently on this topic and serves as chief architect for security innovation at Unisys. The right question, he says, is "Are you applying what you already know about security to your virtualized environment?"

Virtual Problems, Real Solutions

"People get wound up about theoreticals…when in reality there's a clear set of things you can do today," Hoff says. Certainly, virtualization does introduce some new security concerns, but first things first, he says: "We have to be pragmatic. Let's make sure we architect the virtual network as well as we architect the physical networking."

As an example, he points to a virtualization management tool such as VMware's VMotion, which is helpful for moving VMs around in times of machine trouble, but which can also allow someone with admin rights to combine two VMs that, in the physical world, would have been carefully separated in terms of network traffic for security reasons.

Some IT organizations are making a fundamental mistake right now: they're letting the server group run the virtualization effort almost single-handedly — leaving the IT team's security, storage and networking experts out of the loop.

This can create security problems that have nothing to do with inherent weaknesses of the virtualization technology or products. "This is a perfect opportunity to bring the teams together," Hoff says.

"Virtualization is 90 percent planning," says Burton Group's Wolf. "The planning has to include the whole team, including the network, security and storage teams."

But the fact is, most IT teams ran fast with virtualization and now must play catch-up. What if you missed that opportunity to plan with all your experts, and you're starting to worry more as you expand your number of VMs and put higher-profile apps on those VMs?

Luckily for you, no. "To catch up, start with a good audit of your virtual infrastructure," using tools or consultants, Wolf says. "Then you really have to work backwards." (Wolf suggests checking out audit tools from CiRBA and PlateSpin for this purpose.)

Here are 10 positive steps enterprises can take now to tighten virtualization security:

Get VM Sprawl Under Control

CIOs such as Michael Abbene, who runs IT for Arch Coal, understand the problem of VM sprawl full well: VMs take minutes to create. They're great for isolating certain computing jobs. But the more VMs you have, the more security risk you have. And you'd better be able to keep track of all those VMs.

"We started by virtualizing very low-profile test and development boxes," Abbene says. "Then we moved some low-profile application servers. We've been moving up as we've been successful. We understand we're increasing our risk profile as we do that." The company currently has about 45 production VMs, he notes, including Active Directory servers, and some application and web servers.

How do you control server sprawl? One approach: make creating virtualized servers and VMs as disciplined as creating physical ones. At Arch Coal, the IT team is rigorous about allowing new VMs: "People have to go through the same process to get a server, whether it's physical or virtual," says Tom Carter, Arch Coal's Microsoft Systems Administrator, who works for Abbene.

For this purpose, Arch Coal IT uses a change control board (made up of a cross-section of IT staffers from disciplines like servers and storage, serving on a rotating basis) to say yes or no to new virtualized server requests. This means, for example, that people in the applications group can't just build a VMware server and start creating VMs, Abbene says — though he's had developers ask to do just that.

VMware's VirtualCenter management tools as well as tools from Vizioncore can also help manage VM sprawl.

Ignore VM sprawl at your own peril, says IDC's Elliott: "VM sprawl is a huge problem, causing lag times in the ability to manage, maintain performance and provision," he says. Also, unexpected management costs will arise if your number of VMs gets out of hand, he adds.

Apply Existing Processes to Virtual Machines

Perhaps the sexiest aspect of virtualization is its speed: you can create VMs in minutes, move them around easily, and deliver new computing power to the business side in a day instead of weeks. It's fun to drive fast. But slow down long enough to think about making virtualization part of your existing IT processes, and you will prevent security problems in the first place, says IDC's Elliott. You will also save some management headaches later.

"Process is important," he says. "Think about virtualization not just from a technology standpoint but from a process one." If you're using ITIL to guide your IT processes, for example, think about how virtualization fits into that process framework, Elliott advises. If you're using other IT best practices, look at how virtualization fits into those processes.

One example: "If you have a server-hardening document (prescribing a standard set of security and setup rules for a new server)," Hoff says, "you should do the same set of things to a virtual server as to a physical one."

At Arch Coal, Abbene's IT team does just that: "We take our best practices for securing a physical server and apply those to every VM on the box," Abbene says. Steps like hardening the OS, running anti-virus on every VM and patch management keep those virtual boxes in tune with the same procedures used on physical ones, he says.
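The two steps just described, keeping every VM under change control and holding each one to the same hardening baseline as a physical server, as an added Python audit that is not Arch Coal's process nor any vendor's (VirtualCenter, Vizioncore) tooling: the inventory columns, the baseline values and the VM records are constructed assumptions.

```python
"""Reconcile a VM inventory against change-control approvals and a hardening
baseline, so that rogue VMs and VMs missing the physical-server controls show
up in one report. Added illustration with constructed data."""
import csv
import io
from dataclasses import dataclass

# Assumed baseline, modelled on the steps Abbene lists: hardened OS,
# anti-virus on every VM, and patching kept current.
BASELINE = {"antivirus": True, "os_hardened": True, "max_patch_age_days": 30}

# Constructed inventory export; the columns are an assumption, not a real
# VirtualCenter format. APPROVED stands in for the change control board's records.
INVENTORY_CSV = """name,host,owner,antivirus,os_hardened,patch_age_days
ad-dc-01,esx01,infra,yes,yes,12
web-03,esx02,apps,yes,no,45
dev-sandbox-7,esx02,apps,no,no,200
print-01,esx01,infra,yes,yes,5
"""
APPROVED = {"ad-dc-01", "web-03", "print-01", "crm-app-02"}


@dataclass
class VM:
    name: str
    host: str
    owner: str
    antivirus: bool
    os_hardened: bool
    patch_age_days: int


def parse_inventory(text):
    """Turn the CSV export into VM records."""
    vms = []
    for row in csv.DictReader(io.StringIO(text)):
        vms.append(VM(row["name"], row["host"], row["owner"],
                      row["antivirus"] == "yes", row["os_hardened"] == "yes",
                      int(row["patch_age_days"])))
    return vms


def audit(vms, approved):
    """Return (vm name, issue) pairs: rogue VMs, baseline gaps, stale approvals."""
    findings = []
    for vm in vms:
        if vm.name not in approved:
            findings.append((vm.name, "rogue: no change-control approval"))
        if BASELINE["antivirus"] and not vm.antivirus:
            findings.append((vm.name, "no anti-virus"))
        if BASELINE["os_hardened"] and not vm.os_hardened:
            findings.append((vm.name, "OS not hardened"))
        if vm.patch_age_days > BASELINE["max_patch_age_days"]:
            findings.append((vm.name, f"patches {vm.patch_age_days} days old"))
    # Approved but absent: a stale record, or a VM moved or deleted without
    # the board hearing about it. Either way the inventory is wrong.
    seen = {vm.name for vm in vms}
    for name in sorted(approved - seen):
        findings.append((name, "approved but not running anywhere"))
    return findings


def rogue_vms(findings):
    """Names of VMs that exist on a host but were never approved."""
    return sorted({name for name, issue in findings if issue.startswith("rogue")})


def sprawl_by_host(vms):
    """VM count per physical host, the figure the sprawl discussion turns on."""
    counts = {}
    for vm in vms:
        counts[vm.host] = counts.get(vm.host, 0) + 1
    return counts


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    report = audit(inventory, APPROVED)
    for name, issue in report:
        print(f"{name}: {issue}")
    print("rogue:", rogue_vms(report))
    print("per host:", sprawl_by_host(inventory))
```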

Start With Your Existing Security Tools, But Be Critical

Do you need a whole new suite of security and management tools for your virtualized environment? No. Starting with your existing set of security tools for the physical server and network world and applying them to the virtual environment makes sense, says Hoff. But do press your vendors to tell you how they're keeping up with virtualization risks, and how they'll integrate with other products going forward.

"There's a false sense of security in relation to adopting physical tools for the virtual environment," IDC's Elliott says. At the same time, he adds: "It's very early in the market," for new security tools designed with virtualization in mind. That means you must press your legacy and potential startup vendors a little harder than usual.

"Don't assume the platform-level tools (such as VMware's tools) are good enough for you," Elliott says. "Look at the startups and the legacy management vendors. Press those legacy vendors to do more, and provide guidance for them."

Jim DiMarzio, CIO at Mazda North America, follows this strategy in his enterprise. Like Arch Coal, Mazda NA runs VMware's ESX Server 3 software at the core of its virtualized servers and has been ramping up its number of VMs recently. DiMarzio says he expects to have about 150 production VMs running by March 2008. He's using the virtualized servers for Active Directory servers, print servers, CRM application servers and Web servers — the last being a mission-critical app since Mazda uses these Web apps to serve information to all its dealers, DiMarzio says. To secure these VMs, DiMarzio decided to continue with his existing firewall and security products, including IBM's Tivoli Access Manager, Cisco firewall tools, and Symantec's IDS monitoring tools.

At Arch Coal, Abbene and his team are sticking with the security tools they're already using, while also investigating tools from startups BlueLane and Reflex Security. "The [legacy] security and change vendors are trying to work hard to catch up and they're behind," Abbene says.

BlueLane's VirtualShield product for VMware, for instance, claims that it can protect virtual machines even in cases where certain patches are out of date, as well as automatically scanning for possible problems, updating problem areas, and protecting against some remote threats.

Reflex Security's Virtual Security Appliance (VSA), which Hoff describes along with BlueLane's software as one of the few emerging products worth attention right now, essentially serves as a virtual intrusion detection system (IDS), adding a layer of security policies inside the physical boxes where the VMs live. It could help block a hypervisor attack, among other possible future troubles, Abbene's team figures.

Abbene says his IT group has also discussed adding a second internal firewall to further isolate the VMs, but he's concerned there might be a performance impact on the virtualized applications.

IDC's Elliott cites a few other virtualization security tools worth examining: PlateSpin, known for physical-to-virtual workload conversion tools and workload management tools; Vizioncore, known for file-level backup tools; Akorri, known for performance management and workload balancing tools; and storage firm EqualLogic, recently acquired by Dell and known for iSCSI storage-area network (SAN) products optimized for virtualization.

Love Your Embedded Hypervisor

Maybe you've read about 'embedded' hypervisors already, but if you haven't, it's a term that IT leaders should understand. The hypervisor layer on a server serves as a foundation for housing the VMs. VMware's recently-announced ESX Server 3i hypervisor, designed to be very slim (32MB) for security reasons, uniquely does not include a general purpose OS. (And no OS means no OS maintenance chores.)

Some hardware vendors such as Dell and HP have recently said that they'll ship embedded versions of this VMware hypervisor on their physical servers. In basic terms, an embedded hypervisor is safer because it's smaller, says IDC's Elliott. "The larger the code base, the larger the opportunity for breaches," he says. "This becomes part of your architecture decision."

IT organizations are making a fundamental mistake: they are letting the server group run the virtualization effort single-handedly.

Real CIO World | Vol/3, Issue/10 | April 1, 2008 | page 44

Embedded hypervisors will be a big trend going forward, Elliott says, and you can expect to see them from most server vendors, as well as some companies that haven't played in this space before. Phoenix Technologies, a market leader in the BIOS software field, recently announced that it's getting into the hypervisor game, starting with a product called HyperCore: it's a hypervisor for desktop and laptop PCs that will let users turn on the machine and use a basic Web browser and e-mail client without waiting to boot Windows. (HyperCore will be embedded in the machine BIOS.)

Competition and innovation in the hypervisor market would be good for enterprises, Hoff says. The end result could be companies slugging it out to deliver the slimmest, smartest hypervisor software.

"Whether it's Phoenix or someone else, there's a very interesting battle of these hypervisors becoming the next great OS," Hoff says.

A smaller attack surface isn't the only benefit of an embedded hypervisor. Mazda's IT group is looking forward to upcoming Dell servers with embedded hypervisors for VMware ESX server, says Kai Sookwongse, IT systems manager, LAN/Server for DiMarzio at Mazda. "One of the features we're waiting for with Dell's embedded ESX is all the VM images can be on the SAN," Sookwongse says. "When we start up the server, it can boot up from the image on the SAN." This centralizes administration and security and also means Mazda could order a server without a disk if it wants, for physical security concerns, he notes.

Don't Over-assign Rights to VMs

Remember that when you give admin-level access to a VM, you give access to all the data on that VM. Think critically about what kind of accounts and access your staffers in charge of backup tasks need, Burton Group's Wolf advises. Compounding the problem, some third-party vendors will actually give outdated advice with regards to VM security around storage and backup issues, Wolf adds. "Some vendors are not even following VMware's best practices for VMware Consolidated Backup themselves," he says.

Arch Coal makes it a point to limit admin access to its VMs overall, says Paul Telle, information security administrator, noting that his security colleague Tom Carter and Carter's boss are among a very small group with those rights.

Application developers get minimal access. "Our application people have access to a share, or the minimum access…not access to the OS," Carter says. This helps control VM sprawl while increasing security.

Watch How You Provision Storage

Some enterprises are over-provisioning storage on SANs today, says Wolf. It's not that you're provisioning too much storage overall; it's that you may be letting the wrong VMs share a part of the SAN, he says.

If you're working with VMotion, VMware's tool for moving VMs around, you're assigning some zoned storage in SANs. But you may want to make that storage assignment more granular, as you would in the physical world, Wolf advises. Looking forward, N-port ID virtualization, a technique that lets IT assign storage to just one VM, is an option worth investigating, Wolf says.

Ensure Good Isolation Across Network Segments

As enterprises go virtual, they shouldn't ignore security-related network traffic risks. But some of these risks can inadvertently be overlooked, especially if IT leaders fail to bring networking and security staffers to the table while doing virtualization planning. "A lot of organizations simply use performance as the metric of how to consolidate," Wolf says. (When evaluating which application servers to co-locate as VMs on one physical box, IT teams tend to first focus on how performance-hungry those application servers will be, since you want to avoid asking any one physical box to bear too much load.) "They forget because of security restrictions on network traffic that they shouldn't locate these VMs together," Wolf says.

On the Virtual Threat Horizon

CIOs must learn to distinguish real from theoretical risk.

"There hasn't been a significant security breach in virtualization, not a public one," says IDC analyst Stephen Elliott. "At some point, you have to figure it's a matter of time."

IT leaders must deal with virtualization security the same way they've dealt with numerous other threats: budgeting, planning, tools, process and vigilance. But those IT leaders must also be able to separate the real threats from the theoretical ones, and that's not always easy right now.

So what's real and what's not? For starters, there's been a lot of talk online and at some conferences regarding the possibility of hypervisor malware and hypervisor weaknesses. Last summer, a security consulting firm called Intelguardians Network Intelligence argued that it may be possible for a hacker to "break out" of a VM's guest operating system and into the host OS of a server. This invites the possibility of installing rootkits and other malware, Intelguardians argues.

Other researchers discuss the possibility of a 'Blue Pill' attack, which uses a virtual rootkit to hide in the hypervisor, cloaked from today's security tools. But Blue Pill "never really materialized," says Chris Wolf, a senior analyst at Burton Group. He says the hypervisor threat is 'exaggerated.'

More troubling perhaps, says Chris Hoff, chief architect for security innovation at Unisys, is that IT has real trouble seeing into the traffic running between VMs.

A more immediate problem is figuring out the division of duties among IT personnel as access to more VMs gets loaded into management consoles. That's the kind of security issue a CIO should worry about before worrying about Blue Pill, he says.

Of course, the more high-profile and mission-critical the apps that you virtualize are, the greater the risk. "We've recognized that the risk is expanding," Abbene says. "What we could live with one year ago we won't be able to live with six months from now."

—L.M.

For example, some CIOs are deciding not to allow any virtualized servers in the DMZ (the demilitarized zone: the subnetwork that houses the services exposed to the Internet, such as e-commerce servers, adding a buffer between the Net and the LAN).

If you do have some VMs in the DMZ, you may want them on physically separate network segments from some of your other systems, say a critical Oracle database server, Wolf says.

At Arch Coal, the IT team thought about the DMZ from the start, Abbene says.

They've deployed virtual servers on the internal LAN but nowhere public facing. "That was a key early decision," Abbene says. For example, the company has some secure FTP servers and some servers doing lightweight electronic commerce in the DMZ; it has no plans to introduce VMs there, he says.
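The trade-off Wolf describes, packing by performance versus packing by performance and zone, can be made concrete with a small placement model. This is an added example, not code from the article or from any vendor: the VM names, their zones, their CPU demands and the 100-unit host capacity are all constructed. Both runs use the same first-fit-decreasing packing; the second run additionally refuses to put DMZ and internal VMs on the same physical host, which is the restriction the performance-only planner forgets.

```python
"""Co-location planning with and without a network-zone constraint.

Added example, not the article's or any product's code. All VM names,
zones, CPU figures and the host capacity below are constructed.
"""

HOST_CAPACITY = 100  # CPU units per physical host (constructed)

# (vm name, network zone, CPU demand) - constructed inventory
VMS = [
    ("web-dmz-1", "dmz", 40),
    ("web-dmz-2", "dmz", 40),
    ("sftp-dmz", "dmz", 20),
    ("oracle-db", "internal", 60),
    ("crm-app", "internal", 30),
    ("print-01", "internal", 10),
    ("ad-dc-01", "internal", 20),
]


def place(vms, respect_zones):
    """First-fit-decreasing by CPU demand.

    With respect_zones=False a VM goes onto the first host with room,
    which is what "performance as the only metric" looks like.
    With respect_zones=True a host only accepts VMs from the zone
    already on it, so DMZ and internal workloads never share hardware.
    Returns a list of hosts: {"used": cpu, "zones": set, "vms": [names]}.
    """
    hosts = []
    for name, zone, cpu in sorted(vms, key=lambda v: -v[2]):
        for h in hosts:
            fits = h["used"] + cpu <= HOST_CAPACITY
            zone_ok = (not respect_zones) or h["zones"] == {zone}
            if fits and zone_ok:
                break
        else:
            # no suitable host: bring up a new one
            h = {"used": 0, "zones": set(), "vms": []}
            hosts.append(h)
        h["used"] += cpu
        h["zones"].add(zone)
        h["vms"].append(name)
    return hosts


def mixed_hosts(hosts):
    """Hosts carrying more than one network zone - the security finding."""
    return [h for h in hosts if len(h["zones"]) > 1]


def compare_plans(vms=VMS):
    """Return (performance-only plan, zone-aware plan) for the same inventory."""
    return place(vms, respect_zones=False), place(vms, respect_zones=True)


if __name__ == "__main__":
    for label, plan in zip(("performance only", "zone aware"), compare_plans()):
        print(f"{label}: {len(plan)} hosts, {len(mixed_hosts(plan))} mixing zones")
        for i, h in enumerate(plan, 1):
            print(f"  host{i} {h['used']:>3}% {sorted(h['zones'])} {h['vms']}")
```

On this inventory both plans need three hosts, so honouring the zone boundary costs nothing in hardware; the performance-only plan nevertheless puts web-dmz-1 next to the Oracle database and mixes zones on two of the three hosts. The same check can be run against a real inventory exported from the management console, with the zone taken from the VM's port group or VLAN rather than from its name.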

Worry About Switches

When is a switch not a switch? "Some virtual switches behave like a hub today: every port is mirrored to all the other ports on the virtual switch," Burton Group's Wolf says. Microsoft Virtual Server, in particular today, presents this problem, Wolf says. VMware's ESX Server does not, nor does Citrix XenServer. "People hear the term 'switch' and think isolation exists. It really varies by vendor," Wolf says.

Microsoft has said the switch issue will be addressed in Microsoft's upcoming Viridian server virtualization software product, Wolf adds.
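The two forwarding behaviours Wolf contrasts, modelled in a few lines as an added example (not code from the article or from any vendor's virtual switch): a hub-like switch repeats every frame to every other port, while a MAC-learning switch delivers a unicast frame only to the port where it has seen the destination address. The port numbers, MAC addresses and the four-frame exchange are constructed; the exposure count is the number of frames a port receives that were addressed to somebody else, which is exactly what a VM on a hub-like virtual switch could capture with a sniffer.

```python
"""Hub-like versus MAC-learning virtual switch: who sees whose frames.

Added example, not the article's or any vendor's code. Ports, MAC
addresses and the traffic below are constructed for the demonstration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class HubLikeSwitch:
    """Every frame is repeated to every other port (the behaviour the
    article attributes to some virtual switches)."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        return sorted(self.ports - {in_port})


class LearningSwitch:
    """Learns source MAC -> port. Unicast to a known MAC goes to one port;
    broadcast or an unknown destination is flooded, like a real switch."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}

    def forward(self, in_port, src, dst):
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            return sorted(self.ports - {in_port})
        out = self.table[dst]
        return [] if out == in_port else [out]


def exposure(switch, frames):
    """Replay frames through the switch and count, per port, the unicast
    frames delivered there that were addressed to a MAC on another port.
    frames: list of (in_port, src_mac, dst_mac)."""
    owner = {}  # MAC -> port it was seen transmitting from
    off_target = {p: 0 for p in switch.ports}
    for in_port, src, dst in frames:
        owner[src] = in_port
        for p in switch.forward(in_port, src, dst):
            if dst != BROADCAST and owner.get(dst) != p:
                off_target[p] += 1
    return off_target


# Constructed traffic: VM A (port 1) talks to VM B (port 2); VM C (port 3)
# sends nothing and should see nothing but the ARP broadcast.
FRAMES = [
    (1, "00:0c:29:aa:aa:aa", BROADCAST),             # A: ARP who-has B
    (2, "00:0c:29:bb:bb:bb", "00:0c:29:aa:aa:aa"),   # B: ARP reply to A
    (1, "00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb"),   # A -> B data
    (2, "00:0c:29:bb:bb:bb", "00:0c:29:aa:aa:aa"),   # B -> A data
]


def compare(frames=FRAMES):
    """Return (hub exposure, learning-switch exposure) for the same traffic."""
    return (exposure(HubLikeSwitch([1, 2, 3]), frames),
            exposure(LearningSwitch([1, 2, 3]), frames))


if __name__ == "__main__":
    hub, sw = compare()
    print("frames not meant for port 3 that port 3 received:")
    print(f"  hub-like switch:  {hub[3]}")
    print(f"  learning switch:  {sw[3]}")
```

Port 3 sees all three unicast frames on the hub-like switch and none on the learning switch. Note the flooding branch in LearningSwitch.forward: a real switch still floods a unicast frame whose destination MAC it has not learned yet, so isolation between VMs on one physical box comes from separate port groups or VLANs, not from MAC learning alone.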

Monitor for 'Rogue' VMs on Desktops and Laptops

Servers are not your only worry. "The greatest threat is on the client side — rogue VMs," Burton Group's Wolf says. What's a rogue VM? Remember, Wolf says, your users can download and use a free program like VMware Player, which lets a desktop or laptop PC user run any VM created by VMware Workstation, Server or ESX Server.

Many users now like to use VMs on a desktop or laptop to separate pieces of work, or work and home-related activities. Some people use VMware Player to run multiple OSes on the machine; say using Linux as a base OS but creating a VM for running Windows apps. (IT teams can also use VMware Player to evaluate virtual appliances, software products shipping configured as a VM.)

"Often, those VMs are not even at the right patch level," Wolf says. "Those systems get exposed to your network. And now all of these unmanaged OSes can float around."

"There's a lot of risk you're adding there," Wolf says, noting that the machines running rogue VMs could spread viruses — or worse — to your physical network. For example, he says, it would be very easy for someone to load up a DHCP server to give out fake IP addresses. That's effectively a denial of service attack, he notes. At the very least, you're going to waste IT resources trying to track down the problem, he says. "It may even be simple user error introducing services to the production network."

How can you guard against rogue VMs? You should have controls around who gets VMware Workstation, for starters (since it's needed to create the VMs). IT can also use a group security policy to prevent certain executables from running, such as those needed to install VMware Player, Wolf notes. Another option: do periodic auditing of user hard drives. "You want to look for machines with VMs and flag them for follow up by IT," he says.
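One way to do the hard-drive audit Wolf suggests, as an added example that is not code from the article or from VMware: walk a directory tree looking for VM artifacts (.vmx, .vmdk, .vhd, .vdi), parse each VMware .vmx configuration, and flag any VM whose virtual NIC is bridged straight onto the physical LAN, since that is the VM that exposes an unmanaged OS to the production network. The directory layout and the two .vmx files are constructed inside the script; the key names (displayName, guestOS, ethernet0.connectionType, ethernet0.present) are VMware's, but the files themselves are synthetic.

```python
"""Audit a filesystem tree for VM artifacts and flag bridged VMs.

Added example, not the article's or VMware's code. The sample tree and
.vmx files are built in a temporary directory so it runs offline.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Extensions that indicate a VM image or config on a user's disk.
VM_EXTENSIONS = {".vmx", ".vmdk", ".vhd", ".vdi"}


@dataclass
class VmFinding:
    path: str
    display_name: str = ""
    guest_os: str = ""
    bridged_nics: list = field(default_factory=list)  # e.g. ["ethernet0"]


def parse_vmx(path):
    """Parse a VMware .vmx file (key = "value" lines) into a dict.
    Keys are lower-cased because the format is case-insensitive."""
    cfg = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def analyse_vmx(path):
    """Summarise one VM and list its NICs that are bridged to the LAN.
    'bridged' puts the guest on the physical segment; 'nat' and
    'hostonly' keep it behind the host."""
    cfg = parse_vmx(path)
    finding = VmFinding(path=path,
                        display_name=cfg.get("displayname", ""),
                        guest_os=cfg.get("guestos", ""))
    for key, value in cfg.items():
        if key.startswith("ethernet") and key.endswith(".connectiontype"):
            nic = key.split(".")[0]
            present = cfg.get(nic + ".present", "TRUE").upper() == "TRUE"
            if present and value.lower() == "bridged":
                finding.bridged_nics.append(nic)
    return finding


def scan_tree(root):
    """Return (all VM artifact paths, one VmFinding per .vmx found)."""
    vm_files, findings = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in VM_EXTENSIONS:
                full = os.path.join(dirpath, name)
                vm_files.append(full)
                if ext == ".vmx":
                    findings.append(analyse_vmx(full))
    return vm_files, findings


def build_demo_tree():
    """Constructed sample: two VMs under a user's profile, one bridged, one NAT."""
    root = tempfile.mkdtemp(prefix="rogue-vm-audit-")
    bridged = os.path.join(root, "Documents", "Virtual Machines", "xp-test")
    natted = os.path.join(root, "Documents", "Virtual Machines", "ubuntu")
    os.makedirs(bridged)
    os.makedirs(natted)
    with open(os.path.join(bridged, "xp-test.vmx"), "w") as fh:
        fh.write('config.version = "8"\ndisplayName = "XP test box"\n'
                 'guestOS = "winxppro"\nethernet0.present = "TRUE"\n'
                 'ethernet0.connectionType = "bridged"\n')
    open(os.path.join(bridged, "xp-test.vmdk"), "w").close()
    with open(os.path.join(natted, "ubuntu.vmx"), "w") as fh:
        fh.write('displayName = "Ubuntu scratch"\nguestOS = "ubuntu"\n'
                 'ethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n')
    return root


def demo():
    """Build the sample tree, scan it, clean up; return (files, findings, flagged)."""
    root = build_demo_tree()
    try:
        vm_files, findings = scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    flagged = [f for f in findings if f.bridged_nics]
    return vm_files, findings, flagged


if __name__ == "__main__":
    files, findings, flagged = demo()
    print(f"{len(files)} VM artifacts, {len(findings)} configs, {len(flagged)} bridged")
    for f in flagged:
        print(f"  FLAG {f.display_name!r} ({f.guest_os}) bridged on {f.bridged_nics}: {f.path}")
```

Pointed at real user profiles, scan_tree gives the list of machines to follow up on; the bridged/NAT distinction separates the VM that merely wastes disk from the one that can hand out DHCP leases on the production segment.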

Has this become yet another point of contention between users and IT, where savvy users want to use VMs at work the same as they're doing at home? Not yet, Wolf says. "IT departments for the most part have ignored it," Wolf says.

If you do want to allow VMs on user machines, tools such as VMware's Lab Manager and other management tools can help IT control and monitor those VMs, he notes.

Remember Virtualization Security at Budget Planning Time

"Make sure to allocate budget for virtualization security and management," IDC's Elliott says. You may not need to break it out in your security budget, Arch Coal's Abbene notes, but your security budget overall had better have enough funds for it.

Also, be careful of security costs as you do virtualization ROI calculations. "You may not see a reduced spend in security," just by virtualizing more and more servers, Hoff notes, because you will need to apply some of your existing security tools to every VM that you create. If you don't anticipate this expense, it could eat into your ROI.

According to Gartner, it's a common mistake right now. Through 2009, some 90 percent of virtualization deployments will have unanticipated costs, such as security costs, affecting ROI, according to MacDonald.

The benefits of virtualization are easy to see and easy to calculate. But unless you understand virtualization's risks, and those attendant costs, those easy calculations may be dead wrong. CIO

Laurianne McLaughlin is technology editor. Send feedback on this feature to [email protected]

75%: the percentage of companies with 1,000 or more employees that are employing virtualization today. (Source: IDC)

Telepresence: Making Geography History

Is telepresence the new way enterprises can go green? What are the issues that CIOs need to address before their companies embrace video conferencing? As the CIO panel ponders this, what emerges is the fact that there is more to telepresence than the cost of travel, or the cost on the environment, for that matter.

CIO Custom Publishing | April 1, 2008 | page 47

A telepresence system, said Dietmar Wendt, president, Nortel Global Services, is not just about productivity; it is also about going green. While going green is good for the environment, it is also excellent for companies because it means higher productivity, higher employee satisfaction, and most importantly, higher customer satisfaction.

“When employees no longer have to congregate in an auditorium for a large meeting, but instead can view the meeting on their desktop, this increases productivity and reduces the need to travel to an office,” he said. This, he added, is one of the best opportunities to reduce both business cost and environmental cost.

Going green is something that is very close to Wendt's heart. He pointed out that every computer in the enterprise that is left on for 15 months emits a ton of carbon dioxide and said that this is one good reason why enterprises should share these computers through a hosted or managed services model. “The IT staff required to support these computers also add to your cost, both financial and environmental,” he said.

Outsourcing your network allows for more focus on your core business, said Wendt. “By outsourcing your network and operations to a managed services provider, you reduce the hardware footprint at your office and reduce the need to have staff in the office to support it,” he pointed out.

Wendt was also gung-ho about application services offered by telepresence solutions. He felt that an excellent example of how telepresence can add value to an enterprise is in the area of new e-learning technologies that allow for immersive, collaborative online learning experiences that — previously — could only be had by traveling to a common location.

“And as a fantastic by-product, we can also unleash the powerful productivity and potential that comes with being more aligned with natural forces rather than unnatural cumbersome work-arounds,” he said.

Some companies believe that a telepresence system cuts only the cost of travel, but Wendt begged to differ. “While the evolving capabilities of telepresence enable immersive, real-time virtual face-to-face meetings, without the high costs of travel, the financial savings of traveling are not only found in the cost of the plane ticket, but also the opportunity cost of resource travel time,” he said. He went on to add that, these savings apart, “the true-to-life telepresence experience also encourages more frequent meetings, which increases teamwork and collaboration.”

In that case, why aren't companies falling over themselves trying to implement a telepresence system? Wendt said that there are four barriers, the first being cost, which stems from the misperception that telepresence must be a ‘rip-and-replace’ activity.

“In fact, many companies can substantially reduce the cost of telepresence by simple upgrades to their existing videoconferencing systems. Teleconferencing must be sold as a solution rather than a product,” said Wendt.

What's in the Way?

The second is the amount of bandwidth required to transport video. The fact is that the bandwidth only needs to be as high as the desired quality of the experience, observed Wendt. This is followed by complexity. “Most businesses don't know much about videoconferencing technologies and don't want to have to invest in this skill set — and this is why turnkey solutions are becoming so popular,” he said.

Photo (from left): Chandrashekar Nene, VP-IT, Kingfisher Airlines; Titus Gunaseelan, VP-IT, India Infoline; Satish Joshi, Executive VP, Patni Computer Systems; Sanjay Prasad, Head-Technology Services, Citigroup Services

“The telepresence experience encourages more frequent meetings, which then increases collaboration.”

— Dietmar Wendt, President, Global Services, Nortel


Finally, Wendt said that businesses don't want to invest in a proprietary technology that will not work outside of their network. Therefore, he felt that many businesses are looking for standards-based solutions.

“Out of all of these perceived barriers, I believe the complexity barrier is the one that is most vexing to businesses and the one that is largely impeding the adoption of telepresence solutions,” said Wendt.

Wendt said that he believed that vendors should make telepresence systems turnkey and plug-and-play if they wanted to ensure that its true potential was realized quickly. Standards are also critical, he said, because standards-based solutions will ensure that organizations can quickly achieve the critical mass required for inter-business interactions as well.

Spelling out his ultimate vision, Wendt said: “The challenge that we put forth to ourselves and others in the industry is to make using telepresence as simple as using a whiteboard marker.”

Focusing on the Wrong Green

After Wendt finished with his presentation, Vijay Ramachandran, editor-in-chief, CIO, said that the chief focus of telepresence was not the technology, but what business expects to get out of it.

To this V. Subramaniam Manikkam, AGM-IT, Henkel CAC, replied that he was not very sure about the business benefits and the priority with which telepresence needed to be addressed.

To that, Wendt reiterated that it was indeed a wise decision to invest in telepresence, but conceded that there could be a need to change some business processes in order to make telepresence work for an organization.

As an example, he said that, just as companies have rules for travel that dictate who can travel, similarly, they should also come up with rules that deal with who can use telepresence and who cannot. He also stressed on how telepresence can help organizations go green.

Vijay then wondered if CIOs are looking at telepresence from a green angle or not. In response, G. Rajagopalan, CIO, Tata Power, said that for over two years his company has been looking for a sustainable platform that can enable telepresence. He said that the first problem was defining telepresence. “Is it about just two people communicating,” he asked. “Or, do you want to say that in your organization, you must setup a system that will allow six people to communicate?” Detailing his experience with videoconferencing, he said, “Whenever I have tried to organize a communication interaction, it’s a nightmare for my infrastructure.”

P.A. Kalyansundar, GM-IT, Bank of India, said that the issue boiled down to the fact that technology is changing very fast. While agreeing with Rajagopalan's assertion that it is a nightmare for the infrastructure people, Kalyansundar was also worried about how one could get users to adopt videoconferencing.

“People need to have the right mindset,” he observed. “By the time people have adopted, you find that the technology has changed and something new has come,” he said.

What the Business Wants

Sitting beside Rajagopalan, Dipak Sahoo, VP-IT, Bharti Axa Life Insurance Company, said that one had to consider the business need first.

“The business need is to communicate with partners and customers. Next, you have to look at the pain point, and the pain point, most of the time, is that the video conference system doesn't work.”

Photo (from top): G.N. Nagaraj, Sr. VP & CTO, Reliance Money; M.D. Agarwal, Dy. GM-IS (Refinery), Bharat Petroleum Corporation; R. Muralidharan, CIO, Syntel; Prasad Dhumal, Head-IT, DHL Express India

Giving an example, he said, “Sometime back, when I was setting up a conference between Paris, Hong Kong, Australia, and India, it didn’t work — Murphy’s Law at its best.” The lesson he has learnt from this is that, irrespective of the technology — audio conferencing, video conferencing or telepresence — the critical issue that CIOs need to consider is, does it work? “People are not going to use these technologies if they don’t work,” he said flatly.

Pankaj Sindhu, Director-IT, Fulford (India), wanted to approach the problem differently. “I want to see how it will be used by my business first, and then, once this is clear, I want to see how to make it work technically,” he said. He also added that two reasons why he was interested in video conferencing were the environmental impact and business drivers like collaboration, travel time, efficiencies, and others. “It would be good to have quantifiable measures on both these points,” he said.

Getting Buy-in

Giving the example of telemedicine, Sindhu said that it could enable somebody in a remote location to consult a physician in another part of the globe for, say, an eye problem. “How to ensure efficiencies in such a setup is of great importance for me,” he said.

G.N. Nagaraj, Sr. VP & CTO, Reliance Money, felt that, from the perspective of business requirement, the expectation issue was also critical. He said that his CEO was an avid follower of technology, and so, the moment telepresence came, his CEO started using it. “But eventually, I think that it is not an issue of technology adoption, it is the implementation that poses the challenge,” he said.

The take of Chandrashekar Nene, VP-IT, Kingfisher Airlines, on telepresence was that one should pay attention to the telepresence room and the technology that revolves around it.

“You still need to talk to the external world using the bandwidth of the external world,” he pointed out. “This means that you have to pay attention to such problems.” He felt that this is because, if the user were to see any problems — like blurred images — then the user will feel that videoconferencing may be affecting performance. “If they feel that there is a danger that poor videoconferencing will affect their productivity, they would rather take a flight,” he concluded.

Photo (from left): Dipak Sahoo, VP-IT, Bharti Axa Life Insurance Company; V. Subramaniam Manikkam, AGM-IT, Henkel CAC; Sanjay Mittal, Head-IT, Navin Fluorine International; Pankaj Sindhu, Director-IT, Fulford (India)

Photo (from left): P.A. Kalyansundar, GM-IT, Bank of India; G. Rajagopalan, CIO, Tata Power

Getting Your Vendors to Flock Together

By Galen Gruman

Vendor Management | Keeping track of bids, vendor performance, previous contract terms, alternative providers and technology differences was taking too much time for Bernard 'Bud' Mathaisel as he settled in as CIO of electronics manufacturer Solectron in 1999. Many of Solectron's vendors were also customers, which just complicated the job politically. Seeking a more disciplined approach, Mathaisel partnered with Solectron's assistant procurement officer, Jeff Dixon, to create a virtual vendor management office (VMO) staffed by IT and procurement employees. “The result is that the CIO could be a decision maker without having to run the process,” Mathaisel says. Now CIO of manufacturing outsourcer Achievo, Mathaisel brought that discipline with him.

Likewise, Dixon has brought it to Cisco Systems, where he is now director of enterprise software and outside services for IT vendor management services. “We take care of the trees and let the CIO focus on the forest,” Dixon says.

Essential Technology | From inception to implementation: I.T. that matters

For better deals and stronger relationships, combine IT, legal and procurement experts in a vendor management office.

Dixon estimates a tenfold return on the staffing investment in a vendor management entity, from better deals through consolidated purchasing, and from avoiding the costs of straightening out piecemeal or short-term deals later. “That doesn't even count the intangible benefits, such as having a flexible contract or reducing supplier risk,” Dixon adds. Following a similar approach, Accenture CIO Frank Modruson says that his company has experienced significant savings.

Creating a formal vendor management office is smart, says Marc Cecere, a VP at Forrester Research, yet many enterprises have not done so. A July 2006 Forrester survey showed that 47 percent had some sort of formal vendor management groups — but 90 percent of the rest had no intention of doing so. Such enterprises risk being at the mercy of savvier vendors, he warns.

Most enterprises underestimate the need to actively manage their vendors, concurs Judith Hurwitz, president of consultancy Hurwitz & Associates. Their IT staffs often lose the perspective needed to ensure they're getting the best value from the relationship, as the emotional connections nurtured by the vendor take hold. “That's why the vendors' salespeople are paid so much,” she notes.

Why Bother With a VMO?

With a vendor management office, your goal should not be to create a firewall between IT and the vendor, using a procurement group as a proxy, but to be smart and consistent within the enterprise about managing multiple aspects of any vendor relationship. That's why a formalized approach that combines IT, procurement and legal people makes sense, says Joe Pucciarelli, program director for technology financing and management strategies at IDC.

At many enterprises, the CIO has de facto responsibility for managing IT vendors, but the day-to-day reality is that individual departments, technology platform owners and project offices manage vendors for their local needs, perhaps tapping into corporate procurement and legal staff for some of the tactical contracts and pricing analysis. That can work in smaller companies with a small number of vendors, where the CIO or a few IT execs can keep the information in their heads, Cecere says.

CIO Dan Demeter doesn't want a vendor management organization outside the CIO's domain at talent management firm Korn/Ferry International. “They tend to treat IT sourcing as they do buying toilet paper,” focusing on price and not understanding the underlying technology issues, he says. “If you give [vendor management] away, you really take away a lot of the control, not just over prices and contract terms but over the relationship and support.”

But Demeter says that CIOs of large organizations need vendor management because of their scale. “It’s essential because of all the technical details,” he says, citing his previous experience at Citibank.

The changing nature of technology procurement, from hardware and packaged software to provisioning of infrastructure, software and business processes as services, also supports the use of a more formal vendor management approach that crosses departmental boundaries, says Rob Watkins, CIO of food management company Compass Group, The Americas Division. “As you have more outsourcing providers that cross departments, there's an opportunity to manage these relationships strategically,” he says.

Integrated Vendor Management

You don't want to make IT vendor management only an IT function or only a separate corporate function, says Dan McNicholl, chief strategy officer for General Motors' IT organization. “You need to balance the competing goals, specialty skills and the broad relationship,” he says.

Among several ways to institute a formal vendor management organization, the most common choice is a virtual approach: here, you assign procurement and legal staff to IT vendor management, and use IT 'account managers' to coordinate all aspects of specific vendor relationships and IT 'scouts' to assess technology and market trends that may change needs later.

With this arrangement, you maintain the typical client relationships with the vendor, such as having engineers work with vendor support staff. “The vendor management needs to be ingrained at all levels,” says GM’s McNicholl, and then coordinated.

38% of large enterprises have a vendor management group. (Source: Forrester Research)

Although some CIOs worry that procurement staff only want to squeeze the last nickel from a vendor, Achievo’s Mathaisel believes they bring real value to the vendor management process. “You gain a rigor and a discipline that financial people naturally have,” he says.

It makes more sense to create a virtual office than to establish a VMO as its own department, Mathaisel says. For one thing, financial and legal staff can rotate through the virtual group as part of their career development while maintaining a career path in their departments, he notes. These staffers often end up learning new skills that help them move into compliance activities when they return to finance, Mathaisel says. IT staff often share those career-path concerns. But when it's safe to take on vendor management roles, the IT staffers often find new, unexpected opportunities, he says.

Not every vendor or deal gets the attention of a vendor management office — nor should it, says Gary Plotkin, CIO of The Hartford’s financial services property and casualty division. The goal is not to build a bureaucracy but to devote management resources to those relationships that have the most impact or potential impact on enterprise strategy, he says.

At The Hartford, Plotkin has a threshold of several hundred thousand dollars to determine what vendor relationships are managed through the formal vendor management process. There’s good reason to set thresholds of spend, says Accenture’s Modruson: “The rigor costs money, so you want to be proportional to the spend.”

The Hartford assigns an IT manager to each vendor that surpasses the threshold. “That's the go-to person,” Plotkin says. Some vendors whose business volume is very large get a senior vendor relationship manager, such as Plotkin or one of his deputies, assigned to them as well. A CIO or CTO can work directly with a vendor's CEO or CTO in a way that, say, a network operations manager can't, so having multiple relationship levels is important, Plotkin says.

Achievo’s Mathaisel, GM’s McNicholl, Cisco’s Dixon, Compass’s Watkins and Accenture’s Modruson follow the same basic model as The Hartford’s Plotkin.

More Benefit to Come

Although enterprises that have a formal vendor management group clearly gain both monetary and strategic advantages, IDC's Pucciarelli believes there's still more value to be had from better management tools. “The biggest procurement analysis infrastructure in IT is Excel,” he says. Some useful technologies in place for supply chain management are now being adopted for IT vendor management, Pucciarelli says. He expects more offerings in the next five years.

But technology can only support your people and process, he adds. “You need a team that steps back and understands the business value,” concurs consultant Hurwitz.

Why haven’t more enterprises formalized their vendor management practices? Some fear that top-down control will lead to excesses, such as confusing initial price savings with long-term value, says Forrester’s Cecere. And some companies are too small or have too few vendors to need more than a CIO’s focus on the issue, he says.

Others don’t see vendors as entities to manage strategically, says Achievo’s Mathaisel: “If you want a master/slave relationship with your vendor, this is a waste of time.” The remaining enterprises should reconsider their opposition to the idea of formal vendor management, he says; “it is very much worth the effort.” CIO

Galen Gruman is a frequent contributor to CIO. Send feedback on this feature to [email protected]


Getting Bang For Your Buck

Service-level agreements and key performance indicators are the most common ways to measure a vendor's performance. While they are quantitative, they're flawed because they measure only a limited perspective of the overall value expected from a vendor. To measure real value, IT must develop appropriate metrics that quantitatively measure the more intangible aspects of vendor performance.

To holistically measure overall vendor performance and value, a ‘balanced scorecard’ is an ideally structured methodology. It looks at a number of weighted metrics both collectively and individually.

From overall vendor performance measurement and value-for-money attributes, the balanced scorecard methodology examines four elements of performance: relationship, cost management, quality and delivery. Depending on the organization's needs and concerns, each of these elements will likely have multiple different measurements.

In attempting to ‘measure the immeasurable’ through value-for-money metrics, each customer must seek out attributes that represent the most important considerations relating to commitment, flexibility and innovation. The following attributes can quantitatively measure value-for-money metrics.

Commitment
Number of account management visits
Special access to new developments within the vendor's R&D activities
Tours of vendor facilities
Access to vendor's sensitive information
Access to vendor subject-matter experts
Quality of vendor-customer executive relationships
Trust ratio = promises made by vendor + promises kept by vendor

Flexibility
Willingness or ability to respond to unanticipated demand
Willingness to modify order entry systems or other vendor systems
Flexibility of contract terms and conditions
Ease of negotiation
Willingness to change products or services to meet changing needs of customer
Number of contract disputes

Innovation
Joint research, design and development
Sharing by the vendor of business improvement strategies
Customer ability to participate on vendor's customer advisory board
Progress of vendor in achieving relevant industry certifications
Continuous improvement ratio = ideas implemented by vendor / ideas suggested by vendor

—By Stephen Guth

Page 47: April 1 2008

Essential Technology | Pundit

Security | Just when you thought you could sleep easy with disk encryption, the Center for Information Technology Policy at Princeton University has proven that disk encryption is easy to defeat if your attacker is skilled and determined enough.

When the laptop is in sleep mode, whatever is stored in memory remains in memory, including encryption keys. So what? The laptop asks for a password when anyone tries to use it. That’s where many people, including me, are wrong. As the Center for Information Technology Policy researchers explain, a bad guy can get to the encryption keys, bypassing the password as if it wasn’t even there:

"The attacker will insert a special thumb drive into the laptop, yank out the laptop’s battery, quickly replace the battery, and push the power button to reboot the laptop. The encryption keys will still be in memory — the memory will not have lost its contents because the laptop was without power only momentarily while the battery was out."

How can the encryption keys be still in memory after yanking the battery out? Some memory cards maintain 50 percent or more of their content intact for a minute after powering down, the researchers found. The study shows that using an air-duster upside down can lower the temperature of a memory card to -50 °C.

At that temperature, the cards they tested maintained a perfect or near-perfect image of their content for a minute or longer — long enough to copy the data in memory to another medium. At even lower temperatures, such as what you can attain by using liquid nitrogen, the researchers saw very few RAM read errors after 60 minutes.

Once memory content has been frozen, the attacker can boot from a thumb drive that contains a small OS kernel plus an app that will quickly copy whatever RAM content has not overlapped to the same USB drive. Stage three: using a data-sniffing app, the attacker is able to rebuild or retrieve the encryption keys and can now copy the content of your drive, in the clear, to another device.

If you doubt any of what I just described, I urge you to read the report in its entirety.

For example, the research team had no trouble building an app that could find or recreate keys from bits of data in memory:

"To reconstruct an AES key, we treat the decayed key schedule as an error correcting code and find the most likely values for the original key. Applying this method to keys with 10 percent of bits decayed, we can reconstruct nearly any 128-bit AES key within a few seconds. We have devised reconstruction techniques for AES, DES, and RSA keys, and we expect similar approaches will be possible for other cryptosys."

Mind-boggling? I agree. The good news is that the techniques the researchers used are way over the head of the average crook. The bad news is that if you carry desirable enough data, your opponents will have a sufficient incentive to come after your laptop.

So what now? The first, obvious, remedy is to always power off your laptop. Another suggestion is to evaluate carefully the encryption tools you use. By definition, software encryption tools will keep — and possibly leave for a long time — keys in memory in some shape or form. By contrast, a quick check with Seagate — which offers the Momentus FDE family of laptop drives with hardware encryption — triggered a response, from which I highlight this:

"DRAM attacks to hardware-based full disk encryption (FDE) drives (this powers the Seagate Momentus 5400 FDE.2 drives for laptops) are not possible, because the cryptographic key never leaves the hard drive. The key is not stored in DRAM, but in the ASIC chip that implements the encryption algorithm, which is built into the drive."

That's what Larry Swezey, consumer and commercial HDD director for Hitachi GST had to say. Hitachi offers optional hardware encryption on all Travelstar 2.5" drives:

"When used together with the ATA HDD locking feature, encryption can prevent an attacker from gaining access to data. Even if the attacker were to physically remove the disks and read them on some specialized equipment such as that used by data recovery services, the data itself would be encrypted and hence not understandable."

However, Swezey offered a note of caution about attacks to the DRAM content:

"It is conceivable that the software will indeed have the drive password present in the system DRAM so the attacker can gain access to that password." CIO

Send feedback on this column to [email protected]

Sleeping Laptops Risk Encryption

A can of liquid nitrogen and sophisticated data-hunting techniques allow attackers to rebuild disk encryption keys. By Mario Apicella

Memory cards keep 50% of their data intact for a minute after powering down.


ET-Pundit - 01.indd 56 4/2/2008 11:15:50 AM