cio august 1 2007 issue

Alert_DEC2011.indd 18 11/17/2011 11:16:10 AM

From The ediTor

in the fun days of the internet, an office colleague and I would use AOL chat

to play Mastermind, a fascinating board game, from our respective cubicles. We would use

numbers to replace the colors on the regular board. Of course, we used Internet chat for

many other things as well. The point is: we as individuals embraced the new technology and

found creative uses for it, both for work and leisure. Enterprises just don’t seem to do that.

Or least not early enough. It took nearly a decade before companies began to integrate chat

with their suite of communications, and endorsed its use for office work.

Why am I raising this issue now?

It is because CIOs get a bad rap for this kind of a thing. Some of you might have joined a

recent debate after The Wall Street Journal’s venerated technology columnist, Walter Mossberg,

called CIOs “the most regressive and

poisonous force in technology today,”

apparently because they don’t allow

newer technologies in the workplace.

Needless to say, most CIOs reacted

with anger, and saying, predictably, that

Mossberg knew nothing about a CIO’s

responsibilities. Still, the response seemed a little too defensive, as if it had touched a raw

nerve. But one blogger responded thus: “While I see both sides of the issue, it is stunning

to me how many IT people see this as an insult instead of an opportunity to be forward-

looking.”

Close on the heels of Mossberg’s verbal attack, Gartner issued a report saying companies

need to stop viewing consumer-led technology as “unavoidable nuisance,” and begin to look

at it as an “opportunity for additional innovation.”

The message is particularly significant in the context of the emerging Internet landscape

and Web 2.0. Astonishingly, perhaps, e-mail and even chat are passé, as far as the younger

generation is concerned. What’s in are “scraps” and SMS; and what’s popular are Orkut,

FaceBook, YouTube and the like.

To many of us older folks, it might be hard to see how corporates can tap Orkut or why

CIOs should embrace these. That really is the challenge — probably the biggest of all. But

unless IT chiefs respond, ten years from now or sooner, we could be reading about their

failure with Web 2.0 as well. I also believe it is time Indian CIOs, instead of waiting to take

a cue from their Western counterparts, show the way in embracing the newer technologies,

and not play coy.

It is time Indian CIOs, instead of waiting to take a cue from their Western counterparts, show the way in embracing newer technologies.

Companies need to look at consumer-led technology as an opportunity for innovation, not as a nuisance.

Bala Murali KrishnaExecutive [email protected]

Do CIOs DeserveThe Bad Rap?

Vol/2 | ISSUE/18� A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

contentAUGUST 1 2007‑|‑Vol/2‑|‑iSSUe/18

Executive ExpectationsVIEW FROM THE TOP | 42Karnataka Bank chairman Ananthakrishna says he sees IT as a business enabler, not as a substitute for the human touch.Interview by Sunil Shah

Key to InnovationSAFETy LInE OR GARROTE? | 30As corporate networks adopt collaboration and social networking tools, your network infrastructure could choke you if you don’t adapt quickly.Column by Phil Hochmuth

Enterprise ArchitectureGET SMART AbOuT SaaS | 46Vendors say software-as-a-service will cut costs and increase efficiency. They say it’s enterprise-ready. Does that sound too good to be true? It is.Feature by Galen Gruman

more»

Project Management

COVER STORy | WEATHERInG HEIGHTS | 35Innovative solutions were required for an IT deployment at remote locations amidst extreme climatic conditions.Feature by Gunjan Trivedi

buTTRESSInG THE buSInESS | 22IT executives need to have business as well as technology constituents involved when setting priorities and making choices about new systems.Column by Michael Schrage

35

Vol/2 | ISSUE/18� A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Co

VE

r:

Ph

ot

o b

y S

rIV

at

Sa

Sh

an

dIl

ya

IMa

GIn

G b

yb

InE

Sh

Sr

EE

dh

ar

an

Hindustan Construction Company’s CIO Satish Pendse spearheaded Project Sankalp, a venture to enable, link and

track infrastructure actvities in remote parts of the country.

content (cont.)

Trendlines | 15 Security | Bootable Disc for Safer Banking IT Management | ITIL Can Help Retain Your Staff Collaboration | Partnering with Business Security | Together For Online Consumers Outsourcing | Outsourcing Slow in 2007 Privacy | Cookie Crumbles in Two Years Development | Drink Your Own Champagne Mobile | CRM Released for iPhone Vendor Management | Public-sector Debate: One Vendor or Many? Compliance | 90 percent Fail Compliance

Essential Technology | 60 Open Source | GPL3 Sees the Light of Day. By Bernard Golden Information Security | Guard the Exit By Galen Gruman

From the Editor | 2 Do CIOs Deserve the bad Rap? | Companies need to look at consumer-led technology as an opportunity for innovation, not as a nuisance. By Bala Murali Krishna

Inbox | 14

2 4

dEPArTMEnTs

NOW ONLINE

For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy It strategically. Go to www.cio.in

c o.in

Govern SWEEPInG CHAnGE | 56MCA-21, one of the largest e-governance projects in the country, has brought a nearly paper-less system of corporate filings, and holds the promise of improved corporate governance. Feature by bala Murali Krishna

STOP SEEKInG buy-In | 26CIOs should stop trying to achieve buy-in for IT initiatives and start helping business colleagues sell the projects themselves.Column by Michael Schrage

Vol/2 | ISSUE/181 0 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Content,Editorial,Colophone - 0110 10 7/27/2007 7:37:43 PM

ManageMent

PublISHer & edItOr n. bringi dev

CeO louis d’Mello

edItOrIal

edItOr-In-CHIeF Vijay ramachandran

exeCutIve edItOr bala Murali Krishna

bureau Head - nOrtH Sanjay Gupta

SPeCIal COrreSPOndentS balaji narasimhan

Kanika Goswami

SenIOr COrreSPOndent Gunjan trivedi

CHIeF COPY edItOr Kunal n. talgeri

SenIOr COPY edItOr Sunil Shah

traInee JOurnalISt Shardha Subramanian

deSIgn & PrOduCtIOn

CreatIve dIreCtOr Jayan K narayanan

deSIgnerS binesh Sreedharan

Vikas Kapoor; anil V.K.

Jinan K. Vijayan; Sani Mani

Unnikrishnan a.V; Girish a.V

MM Shanith; anil t

PC anoop; Jithesh C.C.

Suresh nair, Prasanth t.r

PHOtOgraPHY Srivatsa Shandilya

PrOduCtIOn t.K. Karunakaran

t.K. Jayadeep

MarketIng and SaleS

vP, Intl’ & SPeCIal PrOJeCtS naveen Chand Singh

vP SaleS Sudhir Kamath

brand Manager alok anand

MarketIng Siddharth Singh

Kishore Venkat

bangalOre Mahantesh Godi

Santosh Malleswara

ashish Kumar, Chetna Mehta

delHI nitin Walia; aveek bhose;

neeraj Puri; anandram b;

Muneet Pal Singh;

Gaurav Mehta

MuMbaI Parul Singh, Chetan t. rai,

rishi Kapoor,Pradeep nair

JaPan tomoko Fujikawa

uSa larry arthur; Jo ben-atar

SIngaPOre Michael Mullaney

eventS

general Manager rupesh Sreedharan

ManagerS ajay adhikari, Chetan acharya

Pooja Chhabra

AdverTiser index

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

AMD 1

APC 3

Avaya 4 & 5

Emerson BC

Fluke 13

HP 11

IBM 33 & 34

Interface 9

Microsoft IFC

Procurve (HP) IBC

SAS 17

Vishwak 45

Wipro 6 & 7

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

abnaSH SIngH

Group CIo, Mphasis

alaganandan balaraMan

Vice president, britannia Industries

alOk kuMar

Global head-Internal It, tata Consultancy Services

anwer bagdadI

Senior VP & Cto, CFC International India Services

arun guPta

Customer Care associate & Cto, Shopper’s Stop

arvInd tawde

VP & CIo, Mahindra & Mahindra

aSHISH k. CHauHan

President & CIo — It applications, reliance Industries

C.n. raM

head–It, hdFC bank

CHInar S. deSHPande

CIo, Pantaloon retail

dr. JaI MenOn

director (It & Innovation) & Group CIo, bharti tele-Ventures

ManISH CHOkSI

Chief-Corporate Strategy & CIo, asian Paints

M.d. agrawal

dy. GM (IS), bharat Petroleum Corporation limited

raJeev SHIrOdkar

VP-It, raymond

raJeSH uPPal

Chief GM It & distribution, Maruti Udyog

PrOF. r.t. krISHnan

Professor, Corporate Strategy, IIM-bangalore

S. gOPalakrISHnan

CEo & Managing director, Infosys technologies

PrOF. S. SadagOPan

director, IIIt-bangalore

S.r. balaSubraMnIan

Executive VP (It & Corporate development),

Godfrey Phillips

SatISH daS

CSo, Cognizant technology Solutions

SIvaraMa krISHnan

Executive director, PricewaterhouseCoopers

dr. SrIdHar MItta

Md & Cto, e4e

S.S. MatHur

GM–It, Centre for railway Information Systems

SunIl MeHta

Sr. VP & area Systems director (Central asia), JWt

v.v.r. babu

Group CIo, ItC

AdvisorY BoArd

Vol/2 | ISSUE/181 � A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Content,Editorial,Colophone - 0112 12 7/27/2007 7:37:43 PM

Transition to CEOI am quite inspired by the Carrie Mathews column (‘What It takes for a CIO to be a CEO’, July 15) and the feature on agility (‘From Here to Agility’), besides the Michael Schrage columns.

On the subject of Mathews’ column, I feel that to become a CEO, the CIO has to start thinking, performing and behaving like a CEO. Besides IT skills, which certainly give an added advantage, the CIO needs to have strategic leadership skills. These include strong business acumen, corporate governance, a customer-centric attitude, leadership with vision, execution skills — and the ability to get things done and make things happen. In many global organizations, CIOs need to lead and drive global initiatives in line with global governance models and ensure compliance of policies as per global standards.

CIO will then cease to stand for ‘Career is Over’. The CIO’s role has matured in recent years into a strategic leadership role, as your cover story (‘On Higher Ground’) notes. CIO can stand for ‘Career in Overdrive’.V. Subramaniam

CIO, OTIS Elevator (India)

The new CiOReferring to your editorial(‘Threatened Existence’, May 1), consumer

technology is already influencing enterprise technology.

This trend will gain momentum with the convergence of corporate IT use and what we all experience everyday with the various gadgets and Internet-enabled systems. We are already experiencing this, in terms of wikis and blogs which are being seriously considered for deployment within the enterprise.

Peter Sondergaard, Gartner’s senior VP of global research, is correct in his surmise that traditional IT functions will have to focus on efficiency and well-defined levels of service, as that’s what we expect from outsourced service providers. In today’s age, if technology is being chosen on grounds other than relating to business, then the CIO will be relegated to the back office quickly.arun O. GupTa Ta T

Customer care associate & CTO, Shoppers Stop

Of the GovernmentCIO India’s articles, which focus on development in the government/IT space, make for an interesting read. Keep up the good work.SrikanTh nadhamuni

Managing trustee, eGovernments Foundation

One Topic, many ViewsCIO magazine is perhaps becoming a little predictable in its format. Personally, I would like to see newer approaches to your coverage, such as

picking one topic and featuring it in the format of interviews — locally or abroad — and case studies.

The topics and subjects could be on the following lines:1. What can the CIO do to move into the boardroom — not just give a status update but actively participate in moving the business forward?2. Is it time that CIOs move away from reporting to CFOs and CEOs?3. If India is such a great outsourcing hub now, why is it that only a handful of companies in India have resorted to outsourcing to partners/vendors here?4. What do we mean by 'IT is a business enabler'?5. Telecom and IT are coming together. Who is the endangered species here, telecom or IT?Tamal ChakraVOTamal ChakraVOTamal Chakra rTy

CIO, Ericsson India

ReadeR feedbaCk

What Do You Think?

We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to [email protected]. Letters may be edited for length or clarity.

editor@c o.in

CIOs need to lead and drive global

initiatives in line with global

models and ensure compliance of

policies as per global standards.


Inbox.indd 14Inbox.indd 14Inbox.indd 14Inbox.indd 14

n e w * h o t * u n e x p e c t e d

I T M a n a g e M e n T The road to achieving ITIL certification has not only delivered huge performance gains and substantial savings for the State Revenue Office (SRO) of Victoria in Australia, it has also proven to be a key factor in retaining IT staff.

In 2002, the SRO, a government department that collects taxes and duties, decided to regain control of its IT department from its outsourcing partner.

Retaining most of the staff from the outsource partner, it attempted to create what SRO’s CEO Paul Broderick described as the “best possible IT shop that we could”. One of the paths that it took was the adoption of the Information Technology Infrastructure Library methodology.

As it sought to achieve ITIL certification, the IT department proceeded to align itself with the entire SRO business, reviewed its performance measures and SLAs, and made staff more accountable for their work.

The outcome: the SRO has slashed 20 percent of IT costs, delivered Rs 170 crore in projects on time and on budget, and has boosted operational productivity by over 60 percent in the past five years.

More encouraging is the retention of staff during this period. Of 45 IT staff that began working on the project, only some have left, despite the lure of bigger dollars elsewhere.

“We have found that many IT professionals want to work for an organization that has ITIL certification as it is great to have on a

CV. This seems to be borne out as our staff turnover in IT is very low.”

The best practice policy, which is the cornerstone of ITIL, also applied to the treatment of staff. Each member in the IT department was allocated Rs 2 lakh per year for training of their choice.

“Flexibility in working hours was introduced, people who did outstanding work were acknowledged publicly.”

Although IT staff may be seen as self starters and happy to work as individuals, Broderick said it was important to pay attention to their needs. “Their skills are highly transferable and it is expensive to lose good staff.”

— By Howard Dahdah

O n l I n e s a f e T y A computer science researcher has developed a secure software application intended to bypass the problem of viruses altogether.

“Viruses are a fact of life. Let’s provide a different way of doing certain things which are not affected by viruses,” says Professor Paddy Krishnan of Bond University.

Krishnan and his team at Bond’s Software Assurance Center in Australia have created a secure platform for computing in the form of a live CD.

The software, tentatively called BOSS (Bank on Secure System), was designed with home-users in mind and is limited to specific applications involving sensitive transactions, such as e-banking.

Krishnan claims the procedure is easy. Users slip the CD into a PC and reboots. BOSS loads first, instead of the usual operating system.

Once loaded a browser opens followed by a graphical keyboard for added security. Normal online banking can be conducted on

this secure platform. When the user is done, the original OS is restored by simply removing the CD and rebooting.

“The technology's advantage is that when you’re doing your banking the viruses that live on your

hard-drive are not active anymore.”Krishnan described the CD as an engineering

achievement, but the idea of a live CD has been around for some years.

“Our system requires no change from the banks and also no real change in the hardware that is commonly found at homes. In security related matters, it is important to identify the vulnerabilities and the ways to protect oneself from the

vulnerabilities. One aspect of our system which is not covered in other systems is the customizability of the security aspect — that

is, we have added PwdHash (but we can easily add other tools) to provide better protection.”

At present, the software is available for evaluation. Krishnan is keen to see the results of initial testing, as well as to make progress with his ongoing research into the formal verification of the software.

“Verification is very hard because you need to mathematize the whole thing and the system is too big for that...but it is the only way to ensure that something works.”

The commercial aspect of the technology is not a high priority, Krishnan said, but he can visualize the government promoting the software for public-good reasons. Banks too may wish to customize the solution to provide an additional protective layer for customers. Interested customers can contact the university for a copy of the disc. Krishnan said it would charge a nominal fee to cover the cost of postage and the CD.

— By Sharon Springell

REAL CIO WORLD | A U G U S T 1 , 2 0 0 7 1 5VOL/2 | ISSUE/18

Bootable Disc for Safer Banking

ILL

US

TR

AT

IOn

By

MM

SH

An

ITH

ITIL Can Help Retain Your Staff

Trendlines.indd 15 7/27/2007 7:40:24 PM

Tr

en

dl

Ine

s

C O l l a b O r a T I O n As CIOs establish IT security controls in their own departments, they need to solidify their relationships with other parts of the business. Because of IT’s increasing involvement in what were formerly HR and legal department matters, “the CIO has a lot to contribute,” says Richard Hunter, a vice president and expert on security and privacy with Gartner.

For example, although the CIO will decide which monitoring and filtering technologies to buy, what those technologies will block and search for and what the impact on employees and processes will be are business decisions that should be made collaboratively. “It’s no different than a travel or hiring policy,” Hunter says.

To ensure that he’s able to manage Credit Suisse’s IT-centric risks, CIO Tom Sanzone created an IT risk department that has forged ties with HR, legal, compliance and internal audit. The head of this department, who reports directly to Sanzone, helps determine compliance policies with the other groups and ensures that Credit Suisse is complying with governmental and financial regulations. In addition, HR is responsible for duties such as shutting down system access and retrieving PCs and BlackBerrys when an employee leaves the company. Sanzone says that by having risk report directly to him, it elevates the department’s status within the company as well as emphasizes to his peers the importance of its mission.

— By Thomas Wailgum

VOL/2 | ISSUE/181 6 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

O n l I n e s a f e T y Spurred to find ways to protect consumers as online shopping grows, the 30 countries belonging to the international economic and social-development group Organization for Economic Co-Operation and Development (OECD) announced an accord on dispute resolution.

After two years of wrangling over the policy document, the Paris-based OECD said its 30 members — which include the European countries, Japan, Korea, Mexico, the US and the UK — have signed on a legal framework intended to better policing and resolution of consumer complaints, particularly in cross-border disputes involving e-commerce. But it remains unclear whether concrete change will occur.

Called the OECD Recommendation on Consumer Dispute Resolution and Redress, the 13-page document states principles that include:

Finding ways that monetary remedies may be more easily recognized and enforced by foreign courts in cross-border cases.

Recognizing that consumer-protection enforcement to obtain redress for consumers can be helpful in complex cross-border disputes.

Agreeing that despite the diversity of legal cultures in member countries, a consensus exists on the need for common principles setting out the main characteristics and features of effective consumer dispute resolution and redress systems.

Recognizing that dispute resolution and redress mechanisms for consumers could include out-of-court “dispute resolution services, including online dispute resolution,” for consumers and businesses to settle a dispute through the active intervention of a third party.

Acknowledging a need for simplified court procedures for small claims.

Seeing a need to improve effectiveness of consumer remedies in cross-border disputes and provide clear information to consumers on judicial and extra-judicial dispute-resolution mechanisms.

Participating in international and regional consumer complaint, advice and referral networks.

Taking steps to minimize legal barriers to filing consumer complaints in cross-border disputes.

Establishing protections for payment cardholders in disputes with merchants.

Developing agreements between justice-systems, law enforcement and other government officials as to “the needs of foreign consumers who have been wronged by domestic wrongdoers.”

The OECD’s Committee on Consumer Policy is expected to monitor the progress to around the accord and report to the OECD’s Council within five years.

— By Ellen Messmer

BandingTogeTher

For online Consumers

Partnering with Business for

Security

ILL

US

TR

AT

IOn

By

MM

SH

An

ITH


O u T s O u r C I n g A 25 percent drop in new contracts and a 17 percent decline in restructured contracts indicated 2007 could be a slow year for global outsourcing companies.

Researchers at TPI released the TPI Index analysis of the global outsourcing

market for the second quarter, and the found that deals have dropped considerably compared to the same

time last year. To start, a quarter fewer deals have been signed midway through the

year than in 2006, and the average total contract value (TCV) of deals so far in 2007 is about 34 percent less than deals in the same time last year.

TPI says that the average TCV, about Rs 132 crore, is the smallest first-half award values since 2001. Another metric, the annualized contract value (ACV), at Rs 22,000 crore, is also down 30 percent. Existing deals saw a downturn. According to TPI, restructured contracts — defined as 'renewals, renegotiations and related changes to prior contracts' — accounted for 26 percent of all sourcing agreements last year, but only 17 percent so far in 2007.

“This development pulled down the overall market value of sourcing transactions, especially in the Americas,” a TPI press release says.

Not only are fewer deals being signed, the value of the deals is dropping as well, TPI reports. The TCV of new deals — 56 contracts in the Americas, down from 86 in the first half of 2006 — is Rs 40,000 crore, significantly less than last year’s Rs 96,000 and the lowest first-half TCV value since 1995, the advisory firm says.

The drop could indicate that outsourcing vendors are facing stiff competition from offshoring, TPI says. “This is placing pressure on outsourcing providers to give clients more value-added solutions and innovations,” says Peter Allen, partner and MD of Market Development at TPI.

Despite the slow first half, TPI says it expects outsourcing will grow about 5 percent this year, attributed mostly the lack of large-scale contract terminations. For instance, one bright spot for outsourcers this year came in the form of new contracts.

TPI says the average contract value for the new deals rose 20 percent, while the level of new scope contracts remained flat. Overall, the first half of 2007 saw Rs 112,000 crore in new contracts, “which is a bellwether of where the outsourcing industry is headed,” TPI reports.

—By Denise Dubie

P r I v a C y Google says it will soon start issuing cookies that will automatically expire after two years if users don’t return to the search site.

However, “regular Google users will have their cookies auto-renew, so that their preferences are not lost,” wrote Peter Fleischer, Google’s privacy counsel in the official Google blog.

“And, as always, all users will still be able to control their cookies at any time via their browsers.” He said the new cookie policy will start “in the coming months.”

Fleischer said that Google had made the decision after hearing from users and privacy advocates. But at least one privacy advocate says the search site could do much more.

“Google’s paying attention to the issue of cookie expiration,

but as a practical matter I think this change will have little impact on online privacy,” said Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center. “Users still know too little about how Google collects information, what information is collected and what it’s used for. And of course, [for] anyone who returns to the Google site within two years — the cookie will be renewed. I think two days rather than two years is probably a better period for a search cookie.”

In his blog, Fleischer said Google was committed to improving its privacy practices and had recently started taking a closer look at cookie privacy because it is a problem for both servers and clients. Fleischer said all search engines and the majority of Web sites use cookies, small bits of code stored on the user’s computer,

to remember users’ preferences. Fleischer said Google uses its so-called 'PREF cookie' to remember a user’s basic preferences such as whether the user wants search results in English or whether the user has opted for a SafeSearch setting to filter out pornography.

Originally, Google set the PREF cookie to expire in 2038. Last month, the company announced that it was going to make the data it stores about end users anonymous in its server logs after 18 months.

“Together, these steps — logs anonymization and cookie lifetime reduction — are part of our ongoing plan to continue innovating in the area of privacy to protect our users,” Fleischer said.

— By Linda Rosencrance

Cookie Crumblesin Two Years


TTr

en

dl

re

nd

lIIn

es

ne

s

Outsourcing Contracts Slow in 2007

d e v e l O P M e n T At Microsoft, developers will tell you that they 'test their own dog food', using their own software before and after shipping to customers. Jo Hoppe, CIO of Pegasystems, prefers a classier term. “We’re drinking our own champagne,” she says.

“We’ve essentially become a living laboratory,” Hoppe says of her approach to testing Pegasystems’ BPM software, which allows business users to design their own applications without actually coding themselves. With this plan, she’s taking a step toward aligning engineers, as well as her IT department, with business users in her own firm.

Two Pegasystems departments have been testing the software, Hoppe says. Employees in HR have been using it to create an application that links open positions to appropriate resumes. Business users in the training department, meanwhile, have been building an application to help Pegasystems customers register for BPM training sessions.

In each case, Hoppe says, the goal is to have the business users own the project. “We’re letting business users become project managers,” she says. Laurie Orlov, VP and principal analyst with Forrester Research, says that IT groups have used a variety of BPM software for similar purposes of alignment in the past but have generally targeted educated users who are well-versed in technology. “It’s usually a business analyst who is very technical,” she says. “We’re not talking about the person on the street or in the customer service department.”

Now, the question every CIO might wonder about: if software like this takes off, have I marginalized IT’s role?

Hoppe doesn't think so, since IT must handle behind-the-scenes technical elements. For instance, since the applications being built by business users at Pegasystems require reference data existing in other areas of the business, IT is building an SOA repository of reusable services. Frequent check-ins are important as well. “We’re helping provide a level of expertise and guidance,” she says.

In the meantime, Hoppe’s eyeing another benefit. She hopes the project will cut down on rogue users taking matters into their own hands when needs don’t get immediately satisfied by IT.

If her software works, maybe they won’t have to.

— By C.G. Lynch

Tr

en

dl

Ine

sCRM Released for iPhone

Drink Your OwnChampagne

ILL

US

TR

AT

IOn

By

MM

SH

An

ITH

M O b I l e Warnings that the iPhone is not suitable for businesses are not stopping one CRM vendor from porting its product onto Apple’s popular consumer device.

Etelos made its CRM platform available via the iPhone’s Safari Web browser, arguing that sales professionals will buy the iPhone and use it at work, even if their employers don’t supply the devices. Etelos says it also is close to launching a tool kit that will let Web developers create applications for the iPhone easily and sell them through the Etelos store.

“Basically, we’ve got a real [Web] browser on a mobile device. Users in the enterprise have been craving an easier way to develop and deploy their own applications to mobile scenarios,” says Etelos CEO Danny Kolke.

numerous analysts and CIOs have said the iPhone should be kept out of enterprise networks because it lacks security features and Apple has not yet made it compatible with business e-mail programs such as Microsoft Exchange.

Kolke acknowledges that businesses are unlikely to buy iPhones for employees, given that it costs as much as Rs 24,000. But he figures users will buy the devices themselves and enjoy them so much they’ll want to use them at work.

Etelos’ CRM platform previously was available for the BlackBerry, but that device’s limited browser made it difficult for salespeople to launch new projects and view the schedules of colleagues, Kolke says.

“This [iPhone] version is full featured,” he says. “It pretty much has all the same features as our browser version.” Etelos CRM for iPhone uses Asynchronous JavaScript + XML techniques to create interactive Web pages, and includes note-taking, appointment setting, contact management, sales and project management, group messaging and reporting.

Etelos made its CRM program available in Google Apps in April. Converting the product to the iPhone was not difficult because the screen dimensions are similar to those of Google’s Desktop Gadgets, Kolke says.

Etelos CRM for iPhone is available at no additional cost with several versions of the vendor’s CRM product, available both as software-as-a-service and for in-house deployments. The software-as-a-service editions cost between Rs 480 to Rs 1,400 per user, per month. A server-side software version goes for a flat rate starting at Rs 1 lakh.

Any iPhone owner can try out the product for 24 hours at the Etelos iPhone Web site.

— By Jon Brodkin

REAL CIO WORLD | A U G U S T 1 , 2 0 0 7 1 9VOL/2 | ISSUE/18


Tr

en

dl

Ine

sPublic-sector Debate:One Vendor or Many?v e n d O r M a n a g e M e n T Keenly aware of staff and budget constraints, government IT departments wrestle with their mix of applications.

Is it best to take as much ERP and CRM functionality as you can from one software vendor, or opt for a best-of-breed approach? This question came to prominence again recently as mid-market vendor Infor announced it will pay Rs 368 crore to acquire Hansen, a public-sector applications provider.

Infor plans to create an integrated suite for state and local governments, says Jim Schaper, chairman and CEO, in what he hopes will be a differentiator against SAP and Oracle. The suite will marry Hansen’s revenue asset management

software with public-sector functionality from two other Infor acquisitions — Datastream and Workbrain.

While nelson Rivera, CIO for Monroe County, new york, sees a need for an integrated suite, he also wonders whether such software could really handle the demands of local and state governments.

“Integration or simplification of one’s application portfolio is always of interest, but cost is a large factor” he says, “and there’s the question of whether one ‘enterprise’ system is able to meet the needs of every department or area with minimal or no customization.”

Monroe County — which uses SAP for financials, purchasing and HR — did months of customization. Monroe uses

Hansen’s software for workforce and asset management in its public works area. The county has no formal plans to consolidate on either SAP or Hansen, Rivera says.

In the city of Orlando, CSO and Deputy CIO John Matelski has been watching with interest Oracle’s recent acquisitions. (Orlando uses Oracle’s JD Edwards EnterpriseOne 8.10 for ERP but hasn’t chosen enterprisewide CRM.) “If used effectively, integrated applications will enable you to make your business leaner,” he says. “They can streamline wasteful processes and put information in the hands of the right people at the right time.”

— By China Martens

90 Percent Fail ComplianceC O M P l I a n C e An overwhelming percentage of businesses still fall far short in their efforts to comply with industry data-handling regulations, says a new survey.

In a report published by the IT Policy Compliance Group, the consortium of IT compliance and security experts concludes that about 90 percent of all businesses still do not have enough policies to meet data governance regulations.

Of the 475 companies surveyed, a third of whose revenues were over Rs 4,000 crore, the group found that a majority of firms expect to deal with at least six business disruptions related to major data incidents a year with five or more instances of data loss or theft.

While businesses invest in policy software and other technologies to help meet data-handling rules, most are still struggling to fill all the gaps left in their systems, said James Hurley, MD of IT Policy Compliance Group.

“People are discovering that the controls they had may not be adequate. They need to re-think those controls and find out where the data inventory actually is because in most organizations, it’s not under control,” said Hurley.

The survey also attempted to measure the impact of such an event on the average company. Based on respondents’ replies, businesses that

are forced to report major incidents publicly can expect to experience an 8 percent loss in stock price and an equal 8 percent of their customers.

Companies can also expect an 8 percent fall-off in their quarterly revenue, which clubbed with costs for litigation, customer notification,

and settlements, averages to Rs 4,000 per each record they lose.The report concluded that larger companies are more

likely to have incidents. Organizations with less than 1,000 workers average roughly 8 percent in revenue

and customer losses per event, whereas companies with over 100,000 employees can expect to lose 12 percent of their sales and clientele.

Unsurprisingly, the report found that companies that allocate the highest budgets for compliance automation technologies fare better in their efforts than those who spend less.

In a shift from previous studies by IT Policy Compliance Group, however, it appears that most

organizations are realizing that they need to adjust their budgets to account for the tools, Hurley said.

“There’s a clear linkage between having better controls and experiencing fewer data losses and business disruptions, as

obvious as that may seem,” said Hurley

— By Matt Hines ILL

US

TR

AT

IOn

By

An

IL T



IT executives need to have business as well as technology constituents involved when setting priorities and making choices about new systems.

The BusinessButtressing

Michael Schrage Key to InnovatIon

Ill

us

Tr

aT

Ion

by

un

nIk

rIs

hn

an

av

vol/2 | IssuE/182 2 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Coloumn - Buttressing The Busine22 22 7/27/2007 7:41:52 PM

After a working lunch at a workshop, a senior IT manager at a global telecommunications company approached me with a problem. Over the course of several mergers, acquisitions and

reorgs, his firm now had three work-order processing systems. His boss had told him to get it down to one over the next six months. He wanted advice.

So I asked, which system did the users seem to like best and why? He said he didn’t know. I suggested he organize a meeting between the three user groups to thrash out which one made the most sense for the most people. Make them pick. He hadn’t thought of that. Unfortunately, his firm’s IT culture had IT, not users, “owning” systems consolidation after reorgs. Baby-sitting interdepartmental user meetings was frowned on, he asserted.

I couldn’t help myself: I told him he was setting himself up to fail. If he unilaterally imposed a system, he would tick off the two groups whose systems lost out. Even if he were able to sell his choice internally, he’d have to understand the ins, outs and usage of each system. What’s more, while he might know the IT budget for each system, he probably didn’t know what the real business costs were for the business units. This was neither his decision nor IT’s to make, I argued. The users knew more about what they needed than he did. They should own the choice. Substituting his technical assessment of systems for their business judgment about work-order processes guaranteed infighting.

As we talked, I was shocked to discover this wasn’t some rinky-dink consolidation of a few backwater apps; these systems managed and tracked billions of dollars in equipment and

servicing orders. While the need for enterprise standardization was completely understandable, the notion that IT should set those standards was not. I pleaded with him to go to his boss’s boss—the CIO—and request that he call the users together. “Have the CIO position you as business partner,” I begged. “If you’re seen as the systems dictator, these users have a real incentive to help you fail. Please…CYA.” He said he would.

Recipes for Success and FailureThis story had a happy ending. Unfortunately, too many CIOs set their people up for failure. How so? By allowing their IT

leaders to draw utterly false and dangerously misleading distinctions between their role as technologists and their responsibilities as business partners. They’re allowing their people to make the wrong decisions in the wrong way.

IT accountability doesn’t mean IT monopoly. Yes, there are infrastructure investments that truly are the sole province of IT, but even these can’t be managed by fiat. IT should always be able to articulate how its decisions reflect user needs as much as technical optimization. CIO leadership means making sure that your people know

how to share accountability before they accept it. Is this a cop-out? No! The more important IT’s impact is, the more essential shared accountability becomes.

My favorite story on this theme comes courtesy of JPMorgan Chase CEO Jamie Dimon, one of the savviest executives in America. His grasp of technology’s operational role in banking is superb. Dimon heard two rival IT factions present plans on why their system should be adopted enterprisewide.

Michael Schrage Michael Schrage Key to InnovatIon

MICHAEL SCHRAGE

LIVE!7 SEPTEMBER 2007. NEW DELHI

KEYNOTE SPEAKER

Presents

MICHAEL SCHRAGE

7 SEPTEMBER 2007, NEW DELHI

7 SEPTEMBER 2007. NEW DELHI

THIS PRESENTATION IS BROUGHT TO YOU BY THE GREY MATTER: A THOUGHT LEADERSHIP SERIES BY AIRTEL ENTERPRISE SERVICES

Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23Coloumn - Buttressing The Busine23 23

Because Dimon is not a CEO snowed by IT hyperbole, both presentations were exceptionally well done.

Dimon listened carefully and offered an operational oversight that CIOs all over the world should take to heart and mind. He told his teams, in essence: I’ve heard you; I understand. Now you guys have two weeks to decide what to do and come back here to tell me. If you can’t agree on what choice to make, I’ll make the choice for you—and you won’t like it.

Needless to say, the IT teams came back with an appropriately integrated proposal the fortnight later. As CEO, Dimon inherently brought a broader perspective to the enterprise impact of a systems integration than the typical CIO.

However, Dimon also did something more CIOs need to do: he insisted that people in the best position to make the right recommendation actually agree. He made his IT people accountable for a single recommendation. He made the consequences of their failure to agree crystal clear. Yes. I’ve read the leadership literature celebrating “transformation” and “inspiration” but, frankly, the most inspirational and transformational leadership behavior the majority of CIOs could display would be to insist that their people behave as professionals. Accountability would have greater operational meaning if more C-level executives emulated Dimon’s example.

The essential principle about the link between IT leadership and IT management must be clear: if the right constituents aren’t present when priorities are set and choices are made, then IT is neither leading nor managing. A CIO whose team unilaterally imposes consolidations or apps on a business process the members don’t quite understand should hardly be surprised when “shadow apps” begin sprouting like weeds. Indeed, they should be surprised if “gray market” disintermediation doesn’t take place. IT leadership in the new millennium of software as

a service means CIOs need to ask the right questions well before they start proposing the right answers.

Let me expand that: CIOs need to make sure their people ask the right questions of others before they start offering—and

imposing—the right answers.

It’s Called Leadership, Not FollowshipI don’t believe in consensus—rough or otherwise. I have little but contempt for management gurus and consultants who condescendingly declare that the customer—and the user—is always “right.” That said, I’ve witnessed breathtakingly ill-considered systems implementations by IT shops that have allowed the problem at hand—or their budget—to be defined primarily on technical grounds. I’ve seen smart CIOs organizationally scalded by well-intentioned direct reports who let

their accurate spreadsheet calculations overwhelm their common sense and common courtesy.

This happens for simple reasons: We interpret responsibility and accountability the wrong way. Remember how annoyed we get when HR unilaterally imposes policies that counterproductively constrain our people to do their best work in a timely manner. That’s a microcosm of the frustration people feel when IT has unilaterally made seemingly minor systems changes that everyone now has to live and work with.

My senior IT manager should become a Dimon in the rough. Get those three groups in a room and make them accountable for what they need, so that he can become accountable for delivering it. If they won’t do their job, how on earth can he do his? CIO

Michael Schrage is co-director of the MIT Media Lab’s eMarkets

Initiative. Send feedback on this column to [email protected]


MICHAEL SCHRAGE


KEYNOTE SPEAKER

Presents

MICHAEL SCHRAGE




Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24Coloumn - Buttressing The Busine24 24 7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM7/27/2007 7:41:59 PM

CIOs should stop trying to achieve buy-in for IT initiatives and start helping business colleagues sell the projects themselves.

Michael Schrage Key to InnovatIon

VOl/2 | ISSUE/182 6 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Buy-InStop Seeking

Ill

US

Tr

aT

IOn

by

MM

Sh

an

ITh

Coloumn - Stop Seeking Buy-In - 26 26 7/27/2007 7:43:09 PM

An ambitious CIO came up with an excellent idea for one of the business units. He did some due diligence on the Net, sent out e-mails, made a few calls and built up a pretty

decent business case for his proposal. The executive running the business unit even liked the idea. Alas, he didn’t find it compelling enough. The conversation — and the CIO’s initiative — fizzled out.

“Michael,” said the frustrated CIO, “I just couldn’t persuade him to take the next step. How do I get buy-in?”

“Dude,” I responded, “stop selling buy-in. Your IT shop has to get itself out of the buy-in business and start practicing ’sell with.’” IT should avoid being the organization’s “sales leader” for technology-enabled productivity and change. Persuasion can’t be — and shouldn’t be — your core competence. Salesmanship is not your friend.

Too many CIOs invest too much time and energy trying to get colleagues and peers to buy in to IT initiatives. They’re pitching and wooing and selling with every ounce of charisma they have — which, for IT executives, tends to be on the lighter side.

If you’ve got the charm, loquaciousness and skill to sell iceboxes to Eskimos, what the heck are you doing in IT? You should be raking in commissions on the vendor side. But if you truly happen to be a gifted salesperson for internal IT initiatives, chances are your problem is expectations management. You do such a fine job selling that the actual implementation ends up as either an unhappy anticlimax or a bitter disappointment. Not good.

The most effective IT executives I’ve observed have learned (usually the hard way) that the pursuit of buy-in is a delusion. What works is subtler but demonstrably more powerful: turn the IT client into a sales partner. Get the client to sell with you instead of buying from you.

That means don’t waste time trying to persuade someone to adopt your idea or implement your app. Instead, figure out ways to get people to help sell that idea or implementation to someone else. Former Apple exec and current venture capitalist Guy

Kawasaki has called this “turning customers into evangelists.” I call it “turning customers into VARs” — value-added resellers. IT clients and customers should be viewed — and treated — as resellers of IT’s systems, services and reputation, not just as customers.

Consequently, IT should never be driving a CRM or sales account management system implementation within the enterprise. Never. Instead, IT should be getting the sales and marketing vice presidents to champion those initiatives with IT’s open — but clearly subordinate — support.

The truest test? The CIO shouldn’t be making the CRM case before the CFO and the CEO — that’s marketing’s job; that’s sales’ job. The CIO should be the person most responsible for making it easy for sales and marketing to make that case.

Don’t Lead, EnableWhat does enabling sales look like? A talented webmaster rigged up an internal Salesforce.com account management knockoff for his division’s sales teams. Within six months, the salespeople wanted a bit more support and functionality


MICHAEL SCHRAGE


KEYNOTE SPEAKER

Presents

MICHAEL SCHRAGE




Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27Coloumn - Stop Seeking Buy-In - 27 27

from the bootlegged ASP. Their boss went to IT for money and manpower. The CIO heard about it.

The creatively opportunistic CIO shrewdly decided to cut a deal. He brought the webmaster, the sales manager and a couple of the salespeople to the attention of the sales VP to demo their working system. The sales VP was impressed. So the CIO suggested that the sales VP go to the COO and CFO and push for a rollout of an enterprise sales ASP. The CIO would say how impressed IT was with sales’ initiative and point to the bootleg ASP as a prototype for a successful system. The sales VP agreed. He did a successful job selling. He didn’t buy in to IT; he sold with IT.

In an ideal world, the only thing the CIO should have to say at that presentation is, “I think they’ve made a terrific business case for scaling the system, and I’m confident we can implement exactly what they’ve proposed in a time frame and a budget that’s doable. They’ve done a superb job defining what they need to make this work. We look forward to making it work with them and for them.”

In an ideal world, the CIO would then sit down and shut up — albeit with a smile, a wink and a nod.

In other words, IT shouldn’t be a change or transformation leader; it should be a change or transformation enabler. What’s the essential difference? For the purpose of this column, leaders are those individuals most responsible and accountable for setting the right objectives and ensuring the right results. Enablers, by contrast, are those individuals most responsible and accountable for providing leaders with the tools, techniques and technologies for achieving those objectives and results. Enablers make effective leadership practical and probable.

Bluntly put, CIOs shouldn’t be leading CRM or supply chain precisely because, in the first and final analysis, they are not accountable for determining and assessing the metrics of

success. What effective CIOs should do is push people in the organization to figure out what IT should best be enabling.

In an ideal world, the CIO’s most valuable influence would be enabling leaders to achieve their enterprise potential in partnership with IT. A number of executives have complained to me about CIOs who insist that a new upgrade or a new app is going to make their lives easier. They feel like they’re being sold.

Are they right? Or are they cynical?What these operating executives

suspect is that IT is pushing these initiatives to make its own business life easier. Bidding for buy-in inherently distorts the perception of IT as a partner. Even worse, having the CIO positioned as a “leader” often creates a sense of rivalry with the other C-level executives. Sometimes rivalry creates a healthy sense of competition. Frequently, however, operating executives feel that “visionary” CIOs view their colleagues as operational extensions for their digital ambitions.

The best way to confront this issue is to rebrand the CIO as a process enabler rather than a business leader. CIOs can do this by helping seed scalable initiatives throughout the enterprise that can be harvested as future partnership opportunities. Explicitly restructuring the IT budget and deployment process around the notion of CIO as junior partner rather than primus inter pares (first among equals) would also help.

The greatest virtue of ending buy-in as a business driver is: it requires executive leadership to take more responsibility for shaping digital initiative implementations. The CIO succeeds not because he’s good at persuading colleagues about the value of IT but because he’s good at getting colleagues to persuade each other of IT’s potential. CIO

Michael Schrage is co-director of the MIT Media Lab’s eMarkets

Initiative. Send feedback on this column to [email protected]


MICHAEL SCHRAGE


KEYNOTE SPEAKER

Presents

MICHAEL SCHRAGE




Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28Coloumn - Stop Seeking Buy-In - 28 28 7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM7/27/2007 7:43:17 PM

Safety Line or Garrote?As corporate networks adopt collaboration and social networking tools, your network infrastructure could choke you if you don't adapt quickly.

T he 'Web 2.0 creep' going on inside the corporate firewall is challenging enterprise networks to handle the real-time demands and bursty nature of the latest collaboration and social networking

software. This was a unanimous opinion among the IT executives attending Interop, an IT conference and exposition that showcases the interoperability of the converged network.

Others at the conference say they don’t deny the popularity of social networking software, but question its role in the workplace and value to the bottom line.

Cisco CEO John Chambers set the tone at Interop in his keynote address, when he said that Web 2.0 software such as blogs, chat, Web video and other tools, have “been a way that people communicated in spite of the IT department” inside large organizations. “Now the IT department has to lead,” he added.

Much of the network gear on display from Interop’s 475 exhibitors focused on squeezing latency out of network traffic or boosting bandwidth for corporate applications. Foundry introduced a switch and switch software it claims can provide millisecond failover and protect Web-based applications from latency. Nortel also entered the market for speeding up Web traffic with new acceleration gear. Cisco and Force10 each showed their switch gear announced earlier this month aimed at handling more peer-to-peer user traffic, instead of the traditional client/server flows from LAN edge to the core and data center.

“Web 2.0, collaboration, and so forth — we’ve been pushing it hugely inside our company since 2000,” said Dave Manser, network director for Boeing’s LabNet network.

Phil HochmuthPhil HochmuthPhil Hochmuth Making i.t. work

Ill

us

tr

At

Ion

by

bIn

es

h s

re

ed

hA

rA

n

Vol/2 | Issue/183 0 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30Coloumn Safety line or Garrote.i30 30

LabNet, a subset of the larger Boeing corporate IT/network group, connects more than 700 of the aerospace company’s laboratories worldwide using an array of real-time technologies. VoIP, instant messaging (IM), real-time video and digital whiteboarding are some of the tools engineers use to collaborate on projects. One example is testing of the company’s 787 aircraft, which involved a wind tunnel facility in England, streaming video, real-time telemetry, voice and two-way text chat to Boeing sites in Seattle and other locations.

The challenge, Manser said, is tuning the network to deliver real-time voice, video and data to the point where users feel comfortable with the technology and are more productive using it. Manser says it comes down to latency: “How do you wring those last tenths of a second of delay out of the environment and do it in real time?”

Overbuilding the network is one tactic, he said. Boeing’s LabNet — which spans campus LANs, metropolitan Ethernet and an MPLS WAN — is built so that no link exceeds 50 percent utilization. Manser also uses technologies such as forward error correction and advanced traffic-buffering schemes. But most important is not letting in-house software developers take the network for granted.

“My team and I are perfect examples of the Layer 2-4 guys who are looking up at the whole stack, and we’re engaging the software engineering community at a real close range. We’re saying, 'Your applications will be tested early on in the alpha stage, not even the beta stage'.”

The productivity value of Web 2.0 technology is being examined by chemical giant DuPont, where the network team is finding itself taking on new roles beyond managing LAN ports, and managing quality of service and service-level agreements.

“Network people no longer just have to worry about building a LAN to connect printers and servers,” says Tom Marcin, director of global telecommunications at DuPont, who spoke at an Interop panel on convergence. “We’re now being asked to build social networks and self-forming networks to solve business problems. We’re expected to transform businesses. But guess what, we’re expected to reduce costs.”

Younger employees may enjoy collaboration software and tools, but the bottom-line payback of such technology trumps any feel-good factor it may bring.

“Collaboration tools are of value to us. But we can’t sell a project on migrating 60,000 employees, based upon the soft benefits associated with it,” Marcin says. “I need to show demonstrable savings directly linked to the solution we put in. One month of data on a pilot would not cut it.”

Financial services company T. Rowe Price is embracing Web 2.0-style applications, from wikis to blogs and widespread

use of IM and chat applications. But the enterprise points to measurable productivity gains these tools give its customer call center.

“If a call comes in and you get a question on an IRA (individual retirement account), that info has to be accurate and findable in a few seconds,” said Kirk Kness, vice president of innovation at T. Rowe Price, during a presentation on his company’s Web 2.0 initiatives. He said valuable data was stored in an intranet portal in the past, but the system was hard to use and difficult to search.

The company uses Confluence enterprise wiki software from Atlassian, which allows users at all levels of expertise to

add searchable tags and comments to the complex library of documentation and policies associates use to give information to customers. Kness said the platform lets 1,500 call center employees shave an average of two minutes off of customer calls. Wiki-based content in the system can be changed in a half-hour, as opposed to 24 hours, which is how long it took to update the company’s old portal software. The company says it is expanding the platform to include RSS aggregation, persistent instant messaging, as well as a blogging feature inside the platform.

“We’re going to start making it more part of the fabric of the way we do things,” said Kness. “I’m not going to say that the entire enterprise is embracing it…but the people using it are enjoying it and they find a lot of value in it.”

As to how the new Web 2.0 applications will affect the network, “it’s a great question,” Kness said. “We have a really good network staff, but the effects these applications have on the network could be something to look at down the road.”

Growth of XML-based traffic, RSS streams and IM are issues Kness said he is watching. “If someone creates some kind of mashup application that keeps passing through a firewall, we’ll have to think more about that from a network perspective. ” CIO

All contents copyright 1995-2007 Network World, Inc. Send feedback on this

column to [email protected]

overbuilding the network is one way to meet the new traffic demands of web 2.0. But it's important not to let in-house software developers take the network for granted.

Phil Hochmuth Making i.t. work

Vol/2 | Issue/183 2 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

Coloumn Safety line or Garrote.i32 32 7/27/2007 8:20:23 PM

By Gunjan Trivedi

The Nimoo-Bazgo region, situated in Jammu & Kashmir, combines the climatic conditions of the Arctic and a desert. A largely uninhabitable and quiet region, the mountainous terrain off a tributary of the River Indus is abuzz today with about 3,000 men hard at work building a 45-megawatt hydroelectric power plant.

This run-on-river dam project is one of six mammoth infrastructure projects that the Rs 2,357-crore Hindustan Construction Company (HCC) has taken up in Jammu and Kashmir. It is also one of over 20 project sites across India in which CIO Satish Pendse and his team have painstakingly carried out an ERP implementation, seamlessly connecting remote locations with the HCC headquarters in Mumbai.

Things looked very different a year ago, as Pendse raced against time in a geographically hostile environment. It was mid-September and sixty days was all he had before a team of 150 engineers and 2,500 construction workers would arrive at the project site — as would winter. The IT team had hardly begun work on the arduous implementation when Pendse was told that heavy snowfall had been predicted for the 60th Im

ag

Ing

by

bIn

es

h s

re

ed

ha

ra

n

Ph

ot

os

by

sr

Iva

ts

a s

ha

nd

Ily

a

Reader ROI:

geographic customization

Consolidating remote locations

value of modular Itinfrastructure


Innovative solutions were required for an IT deployment in extreme climatic conditions and remote locations.

Weatheringheightshhheeeeeeeightghtghtghtghtghthh iie sssssss

WeWeW atheringeatheringh ightghth i

Cover Story.indd 34Cover Story.indd 34Cover Story.indd 34Cover Story.indd 34Cover Story.indd 34Cover Story.indd 34Cover Story.indd 34Cover Story.indd 34 7/27/2007 8:33:36 PM7/27/2007 8:33:36 PM7/27/2007 8:33:36 PM

Banner left | Banner right

3 5 a u g u s t 1 5 , 2 0 0 5 | www.cio.com

Weatheringheights

With six projects worth Rs 3,000 crore in J&K, Hindustan Construction CIO Satish

Pendse's first challenge was to build a team that was ready for the tough locations.

Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35Cover Story.indd 35

Cover Story | Project Management

day, threatening his schedule. The snowfall could lead to the road being closed for the next four months, effectively stalling his implementation. That is when Pendse and his team put themselves on a new schedule, advancing their deadline by a full week.

Nimoo-Bazgo, situated 10,000 feet above sea level, is about 70 kilometers east of Leh, the capital of Ladakh. Pendse and his team not only stationed themselves at the high-altitude desert but also worked at a furious pace. The last phase of the ERP implementation involved the deployment of VSAT (very small aperture terminal) before the roads would have to be closed for the winter.

As it turned out, three of the potential four VSAT connections were possible. The fourth couldn’t be deployed at the site before the snowfall began, but Pendse and his team had managed an incredible feat: they had gone live with the ERP in an incredible 45 days.

The 81-year-old Hindustan Construction had not only become one of the first engineering construction companies in the country to deploy ERP across all its locations and project sites, it also created a world record. The earlier record for a high-altitude SAP implementation was at a 6,800-foot location in the Rocky Mountains in the US.

Scaling the Demand PeakHindustan Construction has a rich history of engineering expertise. It has built most of India’s largest nuclear and hydel power projects. Currently, HCC is building the country’s first over-sea link between Bandra and Worli in Mumbai. Its culture of innovation led it to adopt IT early within the enterprise — over 20 years ago.

Still, its IT infrastructure consisted of islands of databases and home-grown solutions and was some way behind other fast-growing sectors. This continued until the sector witnessed radical changes over the last decade. Market factors pushed Hindustan Construction to not just revamp its conventional means of doing business, but also review the role and power of IT in the organization.The infrastructure sector has never seen greater demand in the country. The past eight years have seen a phenomenal rise in government investment on infrastructure. In earlier periods, the total investment in infrastructure amounted to 2 percent of the country’s GDP. Now, it has doubled to 4 percent and is still on the rise as India plays catch-up with China, which invests close to nine percent of its GDP in infrastructure.

The growing business has attracted foreign companies and creatd domestic players. The resultant competition has brought radically different thought-processes and business approaches, challenging the legacy mindset of established players in the sector including HCC. “In such a competitive scenario, if one has to survive and

win, one has to look at things with a different mindset. This is where IT comes into the picture,” asserts Pendse. “Changing business dynamics have forced IT to take a strategic position in HCC.”

The change at HCC is best symbolized by Project Sankalp, which Pendse has headed for the past three years. The SAP rollouts at the hydro-electric plant sites in the Nimoo-Bazgo region and Chutak, in the Kargil district of Jammu & Kashmir, have been an integral part of this project. Project Sankalp sought to elevate the organization to advanced levels of an enterprise-wide integrated IT platform.

Leap in Innovation StandardsOver several years of steady growth in the 1990s, HCC hosted an environment of distributed systems for various departments and locations. It led to islands of databases and overnight batch-processing to collate data. Function-specific software applications fulfilled engineering needs but questions remained about reliability, timeliness and the exhaustiveness of data.

“Though the pull and need for an integrated system with an integrated database was always felt, the management was not sure whether a readymade software would handle the requirements of the organization,” recalls Pendse. “Moreover, there were no reference points. No other known infrastructure company had successfully chosen such an integrated system and database. There were no examples to follow. And we never wanted to get our hands dirty trying to develop our own software because we did not have the time and resources to accomplish that,” he explains.

In 2004, the organization decided on an integrated software platform. Pendse came on board when the debate on the choice of the platform was in progress. A cross-functional team was formed to define Hindustan

This is where IT comes into the picture.”

“If one has to survive and win in a competitive scenario, one has to look at

things with a different mindset.

This is where IT comes into the picture.”

REAL CIO WORLD | A U G U S T 1 , 2 0 0 7 3 7Vol/2 | ISSUE/18

Cover Story.indd 36Cover Story.indd 36Cover Story.indd 36Cover Story.indd 36Cover Story.indd 36Cover Story.indd 36Cover Story.indd 36Cover Story.indd 36 7/27/2007 8:33:42 PM7/27/2007 8:33:42 PM7/27/2007 8:33:42 PM

Construction’s requirements. “We based our processes on this team’s inputs in order to choose infrastructure and application, and went for SAP. We decided to introduce ERP and data warehousing across all our sites,” he says.

“The objective was to achieve competitive advantage. Our corporate credo says that we should always strive to migrate ourselves to the next practices of business excellence,” says Pendse. “We were sure that SAP would be the tool to allow us to do that.”

During the first phase of implementation in 2006, Pendse’s group rolled out some modules at the HCC headquarters, an engineering workshop and two of its 25 active project sites. This rollout took seven months to complete, followed by a three-month stabilization period, which gave Pendse and his team adequate ERP experience to customize and prepare for the rollout across the remaining locations. “When we went live in August 2006, we were told by SAP that within

the construction industry worldwide, this has been the fastest implementation ever,” he says.

Funnily, though, Project Sankalp is a mountain that just keeps growing for Pendse. This is because while a typical CIO rolls out ERP across an enterprise once in his organizational lifetime, he has the daunting task of continuously rolling out ERP within a time frame of 60 days for every new project his organization undertakes. In his three years at HCC, he has headed rollouts at more than 20 locations, spread across the country.

Weathering the ChallengeEach construction project came with a set of challenges and requirements, not to mention a diversity of geographical locations. Each project is typically worth Rs 500 crore, and run like a small company with a project manager effectively playing the role of a managing director of that 'company'.

The project is a big set-up in itself and typically located in remote areas. As a result, residential colonies come up

September 24, 2006

A two-member team reaches A two-member team reaches locations in Leh to collect facts

and footage of the terrain. This primary

data helps in preparations for the project.

Infrastructure equipment is Infrastructure equipment is brought to site. Work on VSAT

and other hardware begins, and cables are laid. The

in-house project team lands at Nimoo-Bazgo.

Configurations are set and Configurations are set and fortnight-long testing of scenarios at the project

sites are carried out. The IT infrastructure works conclude

by the month-end.

Training program begins for Training program begins for 150 engineers at the location. Master data is created in line with the processes. The ERP

goes live on November 6, 2006.

September 30, 2006 October 15, 2006 October 30, 2006

Project Sankalp

The terrain in ladakh doesn't facilitate line-of-sight beyond 2 km. The Hindustan Construction IT team

overcame this hurdle by deploying three VSATs.



where people are stationed for 4-5 years, depending on the project's timeframe. HCC headquarters in Mumbai directly controls the project at such remote locations.

Centralized functions such as material procurement and equipment expertise reside in Mumbai. The interconnectivity riding on the integrated IT platform enables the headquarters to effectively manage the supply chain across the enterprise. “After the SAP rollout at such locations, and once the project is complete, the IT infrastructure is migrated from there to the new location,” says Pendse. “This is one major difference between other businesses and us. By the time, one project is complete, another project comes up and we need to demobilize the ERP infrastructure from one place to deploy at another. It’s like a strategy game,” he says with a smile.

Each project comes with challenges related to three factors: people, infrastructure and location. Pendse explains: “Since we have more than six projects worth Rs 3,000 crore in J&K alone and our team had to go to these locations to figure out the terrain, the first impediment we encountered was to get people ready to go to these tough locations. People would rather work for 24 hours at the corporate office and solve problems rather than go to Kashmir to train people stationed there. The challenge is to motivate people to go to such locations.”

During the rollouts at Nimoo-Bazgo region and Chutak, he and his senior colleague decided to go to these locations to lead from the front as it was critical to motivate people. Oxygen levels tend to drop at altitudes of over 10,000 feet, and cause low-grade headache, drowsiness, lethargy and even nausea.

“We were instructed not to speak for more than 30 minutes at a stretch,” recalls Pendse. “We had to reschedule our training program to take a 10-minute break every 30 minutes. Strenuous activities, such as climbing the stairs were prohibited, and we had to get our blood pressure checked every day.” But only one person was sent sent back because his blood pressure was unusually high, Pendse added.

HCC’s specialists in materials, equipment, project planning and execution, finance, costing and quality need to periodically visit project locations across the country. “We have to be careful as we don’t want to pick the same set of people continuously, or there will be resentment among those experts,” he says. The management has to judiciously juggle around and ensure that specialists get sufficient time to be stationed in Mumbai as well.

The second challenge relates to infrastructure. Owing to remote locations, leased line connectivity are unavailable for the most part. Second, if the project is a road in Bihar, for example, a flat terrain of 50-70 kilometers makes for unimpeded line-of-sight. This makes radio communication possible. However, for a dam project in Jammu & Kashmir or Himachal Pradesh, getting line-of-sight for as little as

two kilometers is not possible. In such situations, Pendse has deployed multiple VSATs for networking within the project. IT infrastructure has to be designed for each instance based on the nature of the project, and the geography. Only then can an ERP solution be customized.

“We need to have modular and plug-and-play infrastructure,” says Pendse. “To the extent possible, we need to ensure ROI for 4-5 years so that after the life of the project is complete, we can junk it. If we can’t, then we need to demobilize infrastructure and do all the jugglery needed to pull it from one place and plug it into another,” he adds.

Each project is a mini-implementation in itself. No two construction projects are similar. Once the work commencement certificate of a project is received by HCC, within 60 days, SAP India must be present at the site. Pendse’s team has to go to the location, survey the terrain, start configuring the infrastructure, place orders for materials and set up implementation teams. “We have to study the project contract, and decide about the project structure in SAP with respect to various elements such as project work spread-out,” Pendse explains. “We have to sit with the project manager to figure out what the project is all about and accordingly map it into the ERP,” he adds.

Owing to the nature of the HCC locations, VSAT is invariably the most effective means of communication. A major problem thereof, especially in the Himalayan terrain, is that the roads to these locations are closed for at least four months during the winter. “If something goes wrong with the VSAT, we can’t even send our engineer unless we request the army to help us out,” says Pendse. “You cannot afford to keep the VSAT down for even half an hour; so, four months becomes a long time. Hence, we have built redundancies at multiple levels.”

temperature swings,which range

A major impedimentunique to high-altitude sites is the temperature swings,temperature swings,temperature

which rangeswings,which rangeswings,from 20 degrees which rangefrom 20 degrees which rangeCelsius in the day to a low of -5 degrees at night — in a day!



Cover Story.indd 39Cover Story.indd 39Cover Story.indd 39Cover Story.indd 39Cover Story.indd 39Cover Story.indd 39Cover Story.indd 39Cover Story.indd 39

Each location is installed with a VSAT running on two technologies: KU-band and extended C-band. The mechanical and electrical engineers stationed at the site are trained to take basic care of the VSAT system. For instance, it constantly needs to be in line-of-sight with the satellite. Strong winds can easily dislodge the VSAT. Deviation of even five degrees will throw the VSAT out of sight. “We paint the markings for perfect alignment and train the engineers at a site to align the VSAT properly whenever required. We also deploy one IT person permanently over there as an IT coordinator,” says Pendse.

Another impediment unique to high-altitude locations are temperature swings. On any day, the temperature can range from 20 degrees Celsius in the day to a low of -5

degrees at night — a swing of 25 degrees since this could severely damage common networking cables. Plastic and copper have different rates of contraction and expansion. “We took special types of industrial-strength cables and other IT infrastructure elements that can withstand such a large temperature gradient,” says Pendse.

Getting proper earthing (earth neutral voltage) can also be a major problem at some locations. At Nimoo-Bazgo and Chutak, for example, the normal earth neutral voltage was -5 volts. This was significantly higher than -1 volt, which is normally required by VSAT and other hardware to function efficiently. “Fortunately, we had ex-civil engineers working there. They knew what kind of sand is required to get that voltage. Instead of setting up ERP one day, they went

scouting around for that particular kind of sand,” says Pendse. A special earth pit was created with the sand, charcoal dust and salt. Such pits are regularly watered to maintain the earth neutral at -1 volt to keep hardware from blowing up.

Once the VSAT network is up and running, and the initial rounds of training and handholding are complete, Pendse and his team rely on IM, Web conferencing and remote management to conduct training and remote support at the far-flung locations.

“We have prepared a detailed manual with multimedia CDs for self-learning. We chat with them or have Web conferences,” he says. “We have also prepared some trainers over there, so that training percolates down the order of users. Since it is not at all viable for us to go [there] often to train, we have to create mechanisms to ensure that users get self-trained. This is where we use technology extensively,” he adds.

The Modular ImpactIn order to address the requirements and mitigate the challenges unique to the projects on the IT platform, Pendse ensures that modularity — or the ability to plug-and-play — is core to Project Sankalp. Building modularity in the ERP was done right from the beginning. Enormous planning went in during the first implementation phase itself, and the entire architecture of the SAP was created accordingly.

“Fortunately, we have been in this business for 80 years. We have a



Satish Pendse, CIO, Hindustan Construction Company, says that they need to create modular infrastructure whose ROI can be reaped in 4 to 5 years so that they can “junk it” before moving on to the next project.

Cover Story.indd 40 7/27/2007 8:33:49 PM

legacy of hundreds of projects and we have domain experts available with us who have worked on those projects,” Pendse points out. “We brainstormed with domain experts and asked them to share different scenarios they have experienced. We gathered this domain knowledge in the blueprint stage of SAP,” he explains.

The blueprint helped HCC identify benchmarked solutions. The industry solution available to the enterprise was called Engineering Construction Operations (ECO), which gave HCC industry templates. Building on the templates, Pendse’s team and IBM jointly customized the software platform to HCC's requirements. “We were sure that we didn’t want to do too much development. Once you do too much development, maintaining the system becomes an issue. We decided to keep the platform as modular as possible, and introduce tweaks and workarounds wherever required,” he says.

After the successful ERP implementation across its locations and the stabilization period allowed by management, the goal is to derive value. There are certain straightforward benefits offered by an ERP application: visibility, transparency, stability and real-time connectivity. “We feel that we can get significant value by impacting several areas, such as inventory, equipment and productivity,” says Pendse. “For instance, equipment is a high-cost area. In our company, equipment base assets are worth Rs 1,000 crore. We need to stringently look at productivity and utilization of equipment,” he adds. (See Tracking the Building Blocks)

Similarly, Pendse plans to use customized pieces of the application to impact HCC’s equipment utilization and productivity. “This is where we will get a much larger impact and value. We have just begun to use it in equipment area, and the results are startling,” he explains. “Management has issued a diktat that if utilization falls below a certain mark, the equipment will be declared as spare, and will be reallocated. There is a lot of value if we can avoid unnecessary procurement and increase productivity.”

Further, Pendse has implemented a document management system in some HCC departments. With the system in place, document flow has been streamlined, and intellectual property is under control. With the modular ERP platform and robust infrastructure, the overall cycle time of various processes has also been shortened. With its vendor, Hindustan Construction now tracks the actual cycle time and plan based on the time frame and other parameters laid out by management. As the enterprise easily identifies the control points, management can take corrective actions in time.

“Overall we have started to see benefits coming in,” says Pendse. “The management directive is to derive value from the implementation in this year. Earlier, we trained people to use the ERP effectively. We are now supposed to

train people to derive more value from the platform. We have already identified areas from where value is going to come from, how it is going to be measured and how it has to be accounted for. Now, we have to actually make it all happen.” CIO

senior correspondent gunjan trivedi can be contacted at trivedi can be contacted at t

[email protected]



Construction companies monitor a number of material aids that can be used more than once. Good examples are steel rods, which are erected before concrete is poured,

and steel plates — broadly classified under CoNA (construction aid). Typically, the cost of CoNA alone adds up to 5 percent of the total project cost and any savings would be significant to business. If the CoNA, instead of being reused four times, could be reused eight times, huge savings would accrue.

Hindustan Construction Company CIo Sunil Pendse realized that SAP could also be leveraged to extract value from these construction aids. The difficulty was: in remote project locations, it was difficult to estimate the availability and productivity status of such materials in real-time. Pendse, along with the software maker, tried to address this problem by tracking CoNA’s usage in SAP.

“The provision with SAP is that once the material is issued to you, the value gets issued to you as a project expense. Conventionally, in SAP, either everything is treated as fixed asset or an expense. What we wanted was that the value should be debited for the first few uses, but the quantity to be tracked further,” he says.

In a conventional SAP system, segregating value and quantity for a material is not possible. It also is not possible to keep quantity constant, and debit value from a project. The value and quantity will either be issued together, or both will remain as assets.

Pendse’s team developed a program to generate a corresponding, alternate CoNA material entry for every original entry in the system. The original and alternate material coding convention established a one-to-one link. The value of this alternate material in the system was kept at zero. once the system shows the original material was issued and consumed, the project is debited with the value. In the amended system, only the alternate material entry keeps moving across the projects.

“Using this innovative workaround to mitigate the application limitation, we were able to do quantity tracking and value debiting,” says Pendse. “As we can now track the material, we have increased its reuse.” The innovation, he said, realized savings of over 4 percent for HCC.

– G.T.

Tracking theBuilding Blocks

Cover Story.indd 41Cover Story.indd 41Cover Story.indd 41Cover Story.indd 41Cover Story.indd 41Cover Story.indd 41Cover Story.indd 41Cover Story.indd 41

Trendline_Nov11.indd 19 11/16/2011 11:56:19 AM

BlendingTradition with Modernity

CIO: What role do you see IT playing in Karnataka Bank's growth plan?

Ananthakrishna: IT certainly helps. This year’s (turnover) target is higher than last year by Rs 5,000 crore. This increase comprises Rs 3,000 crore in deposits and Rs 2,000 crore in advances (lending). Our strategy is to use our human resources to reach out to more people and canvas for business. The automation of all our 411

branches will free up time for our people. And having all branches on a core banking solution will create procedures, which will enable our people to access data easily.

Given Karnataka Bank’s mission to serve its rural base, how much does it focus on microcredit?

These are new names for old finance ideas. We’ve been giving microcredit for

Karnataka Bank Chairman

Ananthakrishna says he sees IT

as a business enabler, not as

a substitute for the human

touch.

Eighty-three years after it opened its doors, Karnataka Bank still serves the needs of its rural base, but also keeps pace with the advancements made by its urban cousins in a dynamic market. This is best exemplified by the fact that Karnataka Bank was among the first in the country to implement a core banking solution in 2000 but simultaneously disburses over 30 percent of its loans to SC/ST.

In this interview, Chairman Ananthakrishna shares with CIO India the bank’s growth pains, his expectation of the IT organization, and how the bank is dealing with the risky business of microcredit.

By Sunil Shah

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.


Ph

ot

o b

y S

rIV

at

Sa

Sh

an

dIl

ya

I

Im

ag

Ing

by

Un

nIk

rIS

hn

an

aV

View from the Top.indd 42 7/27/2007 7:51:12 PM

View from the Top

REAL CIO WORLD | J U LY 1 , 2 0 0 6 4 3Vol/1 | ISSUE/16

ANANTHAKRISHNA expecTS I.T. To:

Facilitate customer service

put in place systems that will ensure compliance

enable business processes


some time. We have people who borrow between Rs 5,000 and Rs 10,000, though we don’t call it microcredit. Today, there are many organizations which, in the name of micro-finance, make money as intermediaries. We lend to these organizations, which lend but at higher charges. I believe in reaching the customer directly and we have been doing this.

Are you planning to increase the scope of such lending?

Yes. As a bank, we started and developed with that focus. And today the focus is still on farmers and rural areas.

What about the bank’s retail operations?

Retail has different definitions. Another term for it is SME (small and medium enterprises) finance. Let me say that we started retail banking. About 75 percent of our business used to come from retail. Today, if you look at our portfolio, we have 50 percent from retail and 50 percent from other advances. We would like to maintain this balance, and grow in both.

Won’t the focus on both dilute the bank’s USP?

Today, every bank has IT facilities. With IT, I’ve found that work cultures have changed. The human element is minimized. We are trying to offer IT-related products with a human touch. That is our USP.

As a bank with a rural focus, can you describe how Karnataka Bank chose to implement core banking?

We started the core banking implementation in 2000. We were among the first to deploy the solution with a lease-line from BSNL. Between 2000 and 2001, we faced hiccups in areas where communications and power

supply were problems. We realized that in rural areas, especially in north Karnataka, electricity and communication were ‘casualties’. So, we tried VSAT and solar power to get around these problems. Today, our branches are covered 100 percent.

The choice of a core banking solution in 2000 must have been a bold move…

Yes, it was. We had seen the outside world, so to say. We knew that in future, this was going to be the order of the day. Our former director, the late Mr K.K. Rao, encouraged me to move in this direction. It was his vision.

What is the bank’s IT team focusing on now?

Since we have a core banking facility, we should now use this information for

analytical purposes. Today, we are storing and analyzing data in a data warehouse. This project has been on for a year now. And then, there is the BASEL II implementation, centralized processing for uniformity of data and compliance. Compliance with AML (anti-money laundering) rules is another issue. Today, we have to know our customer from an AML perspective. These are some of the areas where IT is being used.

Is this focus on compliance taking away anything from other IT initiatives?

No, transactions continue without any hindrance. Earlier, data pooling was an issue because no machine was available and we received handwritten information via post. Today, data pooling is very easy. It is available online.

Has banking become too IT-intensive?

I do think that we’ve become too IT-oriented at Karnataka Bank. I believe that IT is an enabler and not a substitute for the human touch. This is our philosophy.

For an early mover into IT, how much time do you spend on IT-related matters?

I don’t really spend that much time on IT. But then, I have technically-qualified and competent people. Whenever we have issues, I call them and we thrash out these problems. These issues are mainly communication and upgrade problems.

What about your disaster recovery preparedness?

This program started in July last year. By September, we had the systems in place. Until then, we did not measure and analyze risk. We had a gut feeling of what the risk was, but it was never measured. Today, we

View from the Top

“With IT, I’ve found that human touch is on the wane. We are trying to offer IT-related products with a human touch. That is our USP. ”

— Ananthakrishna



are documenting this for external analysis. Our disaster recovery (DR) setup, which was put together three years ago, was also meant to mitigate risk. We segregated disaster recovery into two geographical areas. The main center runs in Bangalore, and the DR division is situated in Mangalore. We have not outsourced this project.

How much of a role does the CIO play in formulating Karnataka Bank's policies?

Traditional banking works on a department basis, so we call our CFO, CIO and general managers of different departments. Our CIO-equivalent does play a large role in formulating policy. Any decision at Karnataka Bank is taken collectively. We involve all the operating

people at the GM level. We sit together, and a final decision is taken.

In the short term, what do you seek from your CIO?

Number one: IT should facilitate customer service. We should be able to give customers whatever they require immediately. Number two: IT should help us to put in place systems so that we comply with all regulations.

You started your career as a junior

programmer at HAL. How did this exposure to IT help you in your career?

From junior programmer, I joined the bank in 1971 as a scale-1 officer. I became CEO after 28 years of service. My analytical ability, which was honed by mathematics and an exposure to IT, helped me to understand banking in a different way. In a more analytical sense, it was also my initiation into computerization. CIO

Senior copy editor Sunil Shah can be

contacted at [email protected]

View from the Top

SNAPSHOTKarnataka Bank BRANCHES: 411*

ATMS: 106*

EMPLOYEES: 4,456*

TURNOvER: rs 23,590 crore*

TOTAL ASSETS: rs 16,222.52 crore*

GM I.T.: Prasanna kumar

*as on march 31, 2007

Source: annual report


Reader ROI:

WhereSaaSdoesanddoesnotmakesense

HowSaaScantransferrisk

TheinevitabilityofSaaSsuites

Feature.indd 46 7/27/2007 8:31:35 PM

“What if we created a utility for enterprise automation? Then you don’t have to create a data center! Then you don’t have to have a CIO!”

That was Salesforce.com CEO Marc Benioff in June 2003, selling the benefits of the then-new concept of software-as-a-service (SaaS).

Fast-forward four years, and Salesforce.com and dozens of other companies are inundating business users and CIOs alike with pitches for all sorts of SaaS applications. Right now, SaaS seems to be everywhere.

Of course, today, SaaS vendors want to work with CIOs, not replace them, but do CIOs need to work with SaaS vendors?

Maybe. Sometimes.“Software-as-a-Service is just a means to an end. It’s part of

a mosaic of solutions,” says Peter Young, vice president of IT at pharmaceutical company MedImmune.

“I view SaaS as another arrow in my quiver,” concurs Frank Modruson, CIO of the Accenture consultancy.

“SaaS is just another option,” says Rick Milazzo, CIO of clothing retailer American Eagle Outfitters.

But despite their tempered enthusiasm for SaaS, all three of these CIOs use SaaS applications...judiciously. So far, the SaaS phenomenon has been largely confined to smaller companies. “For CIOs in the mid-market, SaaS may be the only way to get enterprise-class functionality,” notes Rob Bois, a research director at AMR Research. But as valuable as SaaS may be to smaller companies, that value may not translate to the needs of larger enterprises. CIOs at larger enterprises agree that SaaS can play a role in their software portfolio, but even its fans say that role may be limited.Il

lu

st

ra

tIo

n b

y a

nIl

t

REAL CIO WORLD | A U G U S T 1 , 2 0 0 7 4 7Vol/2 | IssuE/18

Enterprise Architecture

By GALEN GRUMAN

GEtsmartabout

Vendors say software-as-a-service will cut costs and increase efficiency. They say it’s enterprise-ready.

Does that sound too good to be true? It is.

smartabout

Feature.indd 47Feature.indd 47Feature.indd 47Feature.indd 47

SaaSandTHeenTerpriSeThere are many questions a CIO must ask when considering the use of a SaaS application. But perhaps the most critical question is whether your company wants to rely on software designed for use by hundreds of other companies.

“Don’t expect something unique. If you need everything customized, you won’t have success with SaaS,” says Lloyd Hohenstein, VP for finance, human resources, real estate and corporate communications at Schwab Technology, the financial services provider’s IT division.

But SaaS does make sense if the process “is not complex and is vanilla,” Hohenstein says. Unless there’s a reason to build technology internally — such as assuring service levels that a vendor can’t guarantee, SaaS is a good option, he adds. Assuming the software does the job well, of course.

WHaTSaaSiSandiSn’TThe term SaaS is often abused by vendors who use it to refer to any hosted application that can be accessed over via the Internet, notes Ben Pring, a Gartner research VP. “Some vendors are re-labeling as SaaS more traditional application outsourcing approaches, and that runs the risk of confusing and antagonizing buyers,” he says.

SaaS has a distinct meaning that’s essential to understanding its role in your application portfolio. With SaaS, there’s just one code base for the software, used by all customers, in what’s called a multitenant architecture. While the software might be configurable by users to their individual needs, the code itself is the same for all and is not customizable for any individual customer. Any enhancements made based on one customer’s requests immediately

become available to all customers. So forget competitive advantage or differentiation based on the software itself.

The underlying data model and system architecture of SaaS is also not customizable. The advantage in this for the vendor is that it spends less time managing compatibility and upgrades across several versions of the software. It also spends less to support customers, as they all use the same version and they don’t run it on their own equipment. That’s one reason that venture capitalists have taken hold of SaaS. The VCs also like the fact that SaaS can reduce startup costs, promising faster time to market, notes Warren Weiss, a general partner at Foundation Capital, which has invested in SaaS startups since 1996.

For CIOs, this all translates to several advantages: faster implementation (because there’s no on-premise deployment), easier access to current technology (because changes are made just to the one code base) and fewer bugs (because having one code base reduces the complexity that can lead to errors), says Michael Mankowski, a senior vice president at Tier1 Research.

It can also translate to lower costs for the enterprise if the SaaS vendor passes on the savings. SaaS is thus a new wrinkle in long-available, on-demand, outsourced IT models, such as the application service provider (ASP), business process outsourcer

(BPO) and managed service provider (MSP). (See Awash in Acronyms ) “It’s the next step in the evolution of software development,” says Gartner’s Pring. Examples include Salesforce.com CRM; Everdream help desk management; SuccessFactors employee performance management; and Ketera spend management software.

WHereSaaSMakeSSenSeThe prime reasons for a CIO to consider SaaS are its faster deployment times, its lack of up-front license and infrastructure costs, and its ability to address vanilla business processes so you can focus your resources on custom processes that make a real difference, says Accenture’s Modruson.

“Your startup costs are not as large, and you have the ability to get up and running quickly and change direction if needed. I don’t have as much flexibility with packaged applications,” he says. Equally as important, says Modruson, SaaS “gets us to having standard processes and a standard system across all units.” But none of these

advantages matter if the application area is highly integrated with or dependent upon other applications and processes.

A SaaS application must address a fairly isolated function, says Ken Harris, CIO of Shaklee, a manufacturer of health and cleaning products. “That’s when SaaS is easy to do for the larger enterprise,” Modruson adds. Accenture deployed a recruiting management application via SaaS because it doesn’t interact to any great degree

Lloyd Hohenstein, VP of Schwab Technology, warns CIOs who need everything customized about SaaS. "Don't expect something unique," he says.


Vol/2 | IssuE/185 0 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

with other systems. Only after someone is hired is the data on that new employee sent to Accenture’s in-house ERP system, which manages the employee’s permissions and other attributes from then on.

Another key criterion for choosing SaaS is that the application isn’t one that differentiates the company competitively, such as improving customer service or enabling higher margins relative to competitors. Thinking about SaaS makes a company ponder these issues, which in itself is helpful in determining an IT investment strategy. “Companies have an inflated view of how unique their processes are. You always think you need more customization than you really do,” says AMR’s Bois. “No one’s going to care who you’re using for payroll or Web conferencing, or even office productivity applications,” adds Martin Perry, CIO of IT staffing firm Sapphire Technologies, which uses Bullhorn’s SaaS software for front-office staffing and recruiting.

Accenture’s Modruson notes that SaaS applications are less configurable (not simply uncustomizable) than the packaged applications most enterprises run in-house. That’s often a blessing in disguise because it forces the business to use standard processes rather than invest resources in customizations that have no real value.

But using a standard SaaS tool does not necessarily mean that every enterprise gets the same results from it, says Modruson. “The tool is the enabler of your processes. The business processes are what you control,” he argues. Several CRM tools, such as Salesforce.com, are praised for enabling enterprises’ individual processes while delivering them through a standard but highly configurable code base. “The configuration and how you use it is the secret sauce. Your process differentiations then come into play,” says Sapphire’s Perry. SaaS is best known in the CRM space, thanks to Salesforce.com’s aggressive marketing and its ease of use for salespeople compared to CRM offerings from companies such as Oracle and SAP, aided by the fact that sales groups often have discretion as to the applications they use, notes AMR’s Bois. But SaaS is also widely used in the human resources and procurement spaces, both of which have a history of being served by outside firms in a service bureau model. Examples include Concur Technologies’ expense and travel management software, SuccessFactor’s employee performance management

software, ADP’s benefits management software and Ariba’s procurement software. SaaS applications also can be found in a wide variety of specialty areas, such as Web analytics, container allocation analysis for shippers and help desk management — all of which have histories of being handled by outside service bureaus. Applications in these spaces typically rely on batched data exchange and widely deployed, standard interfaces to internal applications, making SaaS an easy fit, notes Tier1 analyst Mankowski.

A third area that has seen broad SaaS adoption is Web conferencing, offered by WebEx, Citrix Online and Adobe. Applications such as Web conferencing and surveying work well with a SaaS approach because they let IT offer users functionality without having to invest in expertise and operations. “It’s a scale

play. I wouldn’t build a survey tool myself because I don’t do that many surveys,” says Accenture’s Modruson.

WHereSaaSdoeSn’TMakeSenSeIf applications touch upon the core of the enterprise — typically ERP, financial, business intelligence and manufacturing systems — then SaaS should be approached cautiously, if at all. The main reason is that these applications are usually highly customized as they reflect the fundamental processes that differentiate a company from its competitors, says Shaklee’s Harris.

For example, equipment distributor Zones wanted to add a series of custom BI applications to analyze sales and distribution, but CIO and Senior VP Anwar Jiwani didn’t want to build the system in-house or dedicate staff to managing it. He considered SaaS-provisioned BI tools but realized their reports would be too generic to be useful. So he hired SeaTab Software to design and host custom BI apps. The idea

was to keep Zones’s internal resource investments to a minimum while still getting the desired technology. “My goal was to outsource the BI development,” Jiwani says.

Another reason to avoid SaaS applications is that the functions you’re looking for are so key to your operations that you must own them. “We have extremely high standards in terms of availability, and we run things on a global basis from one instance,” says Dan Murphree, vice president of enterprise business applications at chipmaker Texas Instruments. “If a SaaS application weren’t available even for an hour, it would cause a major business


Frank Modruson, CIO of Accenture, says that software-as-a-service has enabled his organization to have standard processes across all units.

Vol/2 | IssuE/185 2 A U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

disruption,” he says. “I’m not saying there aren’t service providers that could do it, but if we do it at our level of stability and control, we know what we’ve got.” Thus, Murphree reserves SaaS applications for non-critical functions, such as the IQNavigator, a tool for managing contractors, where downtime doesn’t halt operations.

A third issue that typically rules out SaaS is integration. When Mark Brewer, CIO of disk drive maker Seagate Technology, was pitched on-demand ERP by Oracle, he said no. “It would be wonderful if I didn’t have to manage the software patches, but the number of integration points to the rest of my environment is very high. Managing that would be a big problem,” he says. But he had no problem deploying several SaaS-delivered HR applications, because the integration effort was simple.

Some application domains are gray areas for SaaS, including CRM. One high-tech vendor ended up choosing Oracle’s CRM software over Salesforce.com because its use of CRM extended from order to cash, bringing the application into the heart of the ERP transaction system. The salespeople preferred Salesforce.com, but the CIO couldn’t make it work at the ERP transaction level necessary for the company’s sales processes. Not all companies need that level of integration, since they’re not constantly recalibrating their sales forecasts or inventories, but for those that do, it’s a complex integration task, agrees Schwab’s Hohenstein. “If someone is taking orders in the field, they need that integration. If not, the data can be sent in a batch mode,” notes Tina Phillips, a principal at Deloitte Consulting’s SaaS practice.

THeinTegraTionCHallengeThe convenience of using SaaS applications — especially when adoption is driven by business users — can mask a significant IT challenge, notes Gartner’s Pring. That challenge is integration, both with other enterprise applications and with data sources.In some respects, integrating SaaS can be easier than integrating in-house or ASP-provided applications. That’s because SaaS’s multitenant nature requires vendors to pay more attention to the data exchange and application programming interface (API) connections to other applications so that a broad variety of customers can use the SaaS application without any customization or significant hand-holding — both of

which would defeat the SaaS vendors’ business model. “Integration is a little bit easier because someone has already given some thought to it,” says Sapphire’s Perry.

Another factor, says MedImmune’s Young, is how separate the SaaS application is from other enterprise applications. “In a loosely coupled application space, it may be easier to bolt on SaaS apps if they use common APIs like XML,” he says.

Integration with enterprise data is a more straightforward issue, says Rob Desisto, a Gartner research vice president. Most SaaS applications are designed to export and import standard data formats for their application domains — vendors really had no choice if they wanted to be taken seriously, he notes.Typically, SaaS works best when data is exchanged in periodic batches, not in real-time transactional environments, says Calvin Do, CIO at digital imaging vendor EFI. At EFI, salespeople use Salesforce.com to manage leads, but after the lead gets past the quotation stage, the data is passed to the ERP system for deal analysis and order management. Similarly, performance reviews and résumé analysis happens in SuccessFactors, but salary and title changes, as well as new hires, are transferred to the ERP system. This approach requires duplication of data between the ERP and SaaS applications,


ASP: an application service provider, handles the deployment of a typically non-critical It function because the CIo doesn’t want the overhead of owning it. Integration and compatibility issues are no different than for internally deployed software. any cost savings are usually due to the asP’s use of cheaper labor offshore, not to a fundamental efficiency advantage conferred by the asP strategy itself.

Examples: oracle on-Demand ErP software, Workday Hr software and any Web host.BPO: a business process outsourcer, handles an entire process for you, such as sending

out paychecks or getting credit scores, and it makes sense when how the vendor delivers the function doesn’t matter to the CIo; it’s the result that you’re buying.

Examples: aDP payroll, accel medical transcription and claims processing, and Fair Isaac credit scoring services.

MSP: a management service provider handles a set of services on behalf of a company. these can be It services (such as e-mail security and management), business services (such as dealing with telecom expenses) or both (such as managing a call center). unlike with a bPo, with an msP, the CIo may care what technologies are in place, as what the msP handles may interact with the CIo’s other It systems and certainly with the enterprise’s processes. msPs typically make sense for processes that require intensive oversight because of frequent change (such as virus blocking and telecom expense management) that the enterprise is not good at handling.

Examples: scansafe virus detection, Vercuity telecom expense management and Echopass call-center operation services. In some cases, msPs offer customers a choice of self-management (through a saas offering) and vendor management (through an msP offering).

– G.G.

an annotated glossary to three types of on-demand computing models

Awash in Acronyms

REAL CIO WORLD | A U G U S T 1 , 2 0 0 7 5 3Vol/2 | IssuE/18

Feature.indd 53 7/27/2007 8:31:49 PM

Vol/2 | IssuE/185 4 a U g U S T 1 , 2 0 0 7 | REAL CIO WORLD

Do notes, as well as some custom integration work to reconcile the data when it is brought into the ERP system, but he figures the effort took half as much resources as doing a similar integration between in-house apps, which are not as well-designed for interoperability.

In many respects, adoption of multiple SaaS applications mirrors what happened in the 1990s as companies brought in so-called best-of-breed applications and then had to figure out how to integrate them to execute business processes that transcended any one application. “This is eerily reminiscent of 10 years ago,” says Pring, although he acknowledges that SaaS vendors typically are much better at connecting to other applications and better at using standards than vendors were a decade ago.

Back then, most enterprises decided the integration effort for best-of-breed wasn’t worth the cost, so they began adopting suites instead. The same is likely to become true for SaaS, where the first such suites are already emerging — and CIOs need to understand that adopting a specific SaaS application may put them on the road to bringing in additional SaaS applications, ones that may compete with existing suites they’re heavily invested in, says Gartner’s Desisto.For example, Salesforce.com is intent on creating a suite based on

its CRM software and its AppExchange platform through which other companies can develop plug-in applications for Salesforce.com that use the same architecture and data model, thereby eliminating the need for customization that could cause breakage when Salesforce.com is upgraded. ERP provider NetSuite has a similar strategy, though largely limited to the mid-market, notes Tier1’s Mankowski.

HoWToproTeCTSTandardSOther issues arise when choosing to deploy SaaS applications, but these issues are familiar to enterprises with a history of outsourcing IT. They may not, however, be familiar to all SaaS providers, especially to those that have focused mainly on small business customers. Service levels. Because an outside entity is running the software, there’s always the fear that your enterprise won’t get the uptime levels and other services you need. Salesforce.com had several widely reported service outages late last year, confirming some CIO’s worst fears about SaaS.

“But there have been no major issues since then,” says AMR analyst Bois, with Salesforce.com or other providers. “Reliability is not as much a question as it used to be,” he adds, because SaaS providers typically deliver the same availability as most

enterprises do, with uptimes of 99.999 percent. Bois does recommend that any SaaS contract include a service-level agreement (SLA) of at least 99.5 percent availability, which Bois says is the common minimum.But don’t expect most SaaS vendors to have anticipated the need for SLAs, warns Gartner analyst Pring. Reflecting the vendors’ focus on mid-market customers, “85 percent of SaaS apps have no SLAs,” he says. Vendors targeting larger enterprises are more likely to have SLAs in place.

Security. Security concerns have diminished in many CIOs’ minds. There have been no reported breaches at SaaS providers. “I used to be concerned about sending sensitive information out,” says EFI’s Do, “but then I realized I already send out payroll information, so I realized I could trust outside providers.”

He verifies the vendors’ security plans, though, before granting that trust. Schwab prefers that its SaaS providers segregate its data onto separate storage hardware when critical information is involved, notes Hohenstein, although it will allow combined storage in some cases. “Either way, we have stringent requirements on security,” he says. But not everyone is so trusting. “We

SaaS applications are typically rented on a per-user-per-month basis. there are no up-front licensing costs, and no need for up-front equipment and development resources. the subscription fee covers software maintenance and operational costs as well as any upgrades.

CIos like that model. In fact, “I would like to convert traditional applications to pay-as-you-go,” says Peter young, vice president of It at pharmaceutical firm medImmune — something he’s begun to discuss with his traditional vendors come upgrading time. (“there’s no requirement to link subscription pricing to on-demand,” notes rebecca Wettemann, an analyst at nucleus research.)

Perhaps the toughest aspect of saas pricing is figuring out whether the subscription pricing leads to a higher total cost of ownership (tCo) than deploying the software internally. While enterprises know how much the licenses cost and what the annual maintenance fees are, most don’t know the operational costs — those for the operations and support staff, the hardware, the network resources and so on — so they can’t compare in-house tCos to saas costs. those that can make the calculations also have to estimate how often they expect to upgrade and what the upgrade would actually cost — not just the new licenses, but also the integration, training and operations, notes rick milazzo, CIo of retailer american Eagle outfitters.

similarly, predicting usage of saas applications is inexact. “the costs are not perfectly predictable either way,” says amr research analyst rob bois.

but for many, it doesn’t matter what the tCo is for saas. Enterprises make a rough calculation that if a saas application costs no more than a traditional license amortized over five years, plus the maintenance costs, it’s worth buying. Even if it costs a little more up front, not having to manage the software is often worth the price.

– G.G.

The True Cost of SaaS


Feature.indd 54 7/27/2007 8:31:49 PM

REAL CIO WORLD | a U g U S T 1 , 2 0 0 7 5 5Vol/2 | IssuE/18

have not gone to a SaaS provider for applications that use sensitive information,” says TI’s Murphree. “We don’t want to give up control.”Risk management. CIOs should make sure that they demand the same auditing and control requirements from SaaS providers that they would of any outsourcer, including safe harbor provisions for ensuring data privacy, rights to the software and all data in case the vendor goes out of business, and the ability to audit the vendor’s controls (including the use of SAS-70 self-audits), says Gartner’s Desisto. “Certification processes are now standard, so it’s easier to work with a reputable company for external certification,” says Accenture’s Modruson. The trick, says EFI’s Do, is to find SaaS providers who understand this need. “The light bulb is not on as much as it should be, since most are smaller companies,” he says. Another precaution to take is to get the rights to the software should the vendor fail, so you can run it in-house until you find a new option, says Sapphire’s Perry. As part of that, make sure to get backups of the data stored by the SaaS provider.

The use of SaaS can also help reduce risk. For example, “there’s less risk in trying to deploy SaaS quickly than there is in investing a lot of money on internal resources, which are the scarcest resources I have,” notes MedImmune’s Young.

In some industries, SaaS providers can assume their customers’ risk. Many U.S. small banks, for example, use SaaS providers, such as Intuit’s Digital Insight division, for their Internet banking and wealth management platforms, notes Basil Blume, CIO of Colorado Capital Bank. Small banks don’t have the resources to meet all the regulatory and security needs for such software, so it makes sense for them to use firms that do, are audited by regulators and assume financial accountability in case of failures, he says. “We transfer the risk. There is a bit of premium to pay, but then I don’t need to keep those developers on staff either,” Blume notes.

THeFUTUre:oneSaaSSTepaTaTiMeAs the industry matures, enterprises may find that they can depend on SaaS for more mission-critical needs, perhaps even one day running their ERP applications in that model. “I would consider ERP via SaaS,” says Scientific Games’ CTO Steve Beason, “but I would need to get protected financially, not just feel comfortable about failure recovery.”

But there’s a lot more work to be done before that can happen, notes Gartner’s Pring. SaaS is possible today because there’s less custom enterprise code than in the past. “Twenty-five years ago, it was all custom code; 15 years ago, ERP applications were packaged and reduced custom code,” Pring recalls. But custom code today still accounts for about 60 percent of enterprise software, meaning there are a lot of areas that SaaS just can’t handle. CIO

galengrumanisafrequentcontributortoCio.Sendyourfeedbackonthis

[email protected]

SaaS Usage Todaythe usage of applications delivered as a service fall mainly in three areas: Crm, Hr and procurement.

by aPPlICatIon

CRM

HR

Procurement

Document management

Finance

Compliance

Collaboration

Other

0 5% 10% 15% 20%

Technology

Financial services

Utilities

Media

Manufacturing

Government

Retail

Other

0 5% 10% 15% 20%

Percentage of applications delivered in a saas model

Percentage of applications delivered in a saas model

technology companies are the biggest users of the saas model, followed by financial services and utilities

by VErtICal markEt

In 2005, Gartner estimated that 5% of all business software spend was for applications delivered on the saas model, a figure it expected to grow to 25% by 2011.

source: Gartner


Feature.indd 55 7/27/2007 8:31:49 PM

Trendline_Nov11.indd 19 11/16/2011 11:56:19 AM

Reader ROI:

Birthofapaperlesssystemofgovernance

Howtheprocessoffilingofe-formstakesplace

TheMinistry’sagendaofoptimization

SweepingChange

By BALA MURALI KRISHNA

Govern Main - 01.indd 56 7/27/2007 7:54:38 PM

Corporate governance is, by no means, an easy task, and probably many times more difficult with a system based on millions and millions of

paper documents.

Raising the StandardsThe MCA-21 project, so-called by the Ministry of Corporate Affairs, to reflect India’s corporate governance goals for the 21st century has begun to address the complex issue. Last year, it rolled out the nearly paperless system across the country, starting with Coimbatore in Tamil Nadu. Today, almost 6 lakh companies in the country make their filings online. Public online access to corporate filings is available for a mere Rs 50. These and other features of the new electronic system have raised the standards of corporate governance, and set the stage for better compliance and enforcement, says Y.S. Malik, a joint secretary in the Ministry of Corporate Affairs, who oversees the project.

Quoted as one of the principal e-governance projects in the country, MCA-21 was spawned, coincidentally perhaps, months after the fall of Enron, one of the world’s largest corporate collapses. Since the stock market scam of 1992, the MCA had begun to use electronic databases, thanks to the National Informatics Center, but it was

piecemeal computerization and failed to address most issues. There was a need for a “holistic program with service delivery concept,” says Malik. In 2002, the MCA, along with the Hyderabad-based National Institute of Smart Governance and a team of financial professionals and bureaucrats, began a year-long study of the process of regulatory filings. The study resulted in an exhaustive, four-volume compendium that laid out a roadmap for the MCA-21 program, and recommended far-reaching business process re-engineering, Malik says.

Digital TransitionThousands of processes were redefined, hundreds of paper forms proposed to be redesigned to fit the electronic format and regulatory requirements, millions of paper documents were to be scanned and digitized, security

e-Filing


MCA-21, one of the largest e-governance projects in the country, has brought anearly paperless system of corporate

filings, and holds the promise of improved corporate governance.

Sweeping

Incorporation of companies Filing of forms/returns, balance sheets Access to public documents omnibus database repository of all companies

Investor grievances

The MCA-21 UniverseWhat the program’s e-Menu offers

IMA

gIn

g b

y U

nn

Ikr

ISh

nA

n A

V

Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57Govern Main - 01.indd 57 7/27/2007 7:54:50 PM7/27/2007 7:54:50 PM

had to be built into every online document, and the documents needed to be accessible to the public. Having laid out rigorous requirements, MCA was required to choose a technological partner with the skills and experience to implement its plan, and negotiate a wide range of service-level agreements to ensure a successful rollout. Still, says Malik, “change management was a massive exercise, both for internal and external stakeholders,” a reference to the thousands of employees, chartered accountants and company secretaries, and entrepreneurs who would use the system on a regular basis.

The Success StoryThe NISG conducted the technological evaluation and picked Tata Consultancy Services, the nation’s largest software services company, to implement the project across the MCA’s 40 field offices, four regional directorates and 20 Registrar of Companies. Being a ‘Mission Mode’ project — the highest priority rating assigned by the Indian government

— TCS and all other agencies “took it up as a challenge and delivered reasonably well,” says Malik. Under the agreement, TCS will run it on a BOOT — build, own, operate and transfer — basis before handing it to the ministry after six years.

Tanmoy Chakrabarty, a vice president at TCS who oversaw the technological deployment and training, says the

company took only 77 weeks to develop and implement the program in its entirety. This included digitization of about 45 million paper documents in MCA’s archives, setting up a main data center in New Delhi and a disaster recovery center in Chennai. Apart from that, building the computing infrastructure, setting up 52 facilitation centers, designing the application software and setting up secure electronic payment gateways, were part of the list. TCS is also the sole issuer of digital signatures that authenticate all filings, adding integrity to the whole process. Under the program, all company directors and finance professionals are required to acquire digital signatures and use them to sign off on electronic documents.

“The implementation of such a large-scale transformation project, in the shortest possible time, is a landmark and has established a benchmark for such a program not only in India but across the world,” says Chakrabarty.

Today, the MCA-21 program is a year old and the Department of Information Technology has ordered a review. If responses from stakeholders are any indication, the project can be counted as a significant success. In a recent survey of

CFOs by the accounting firm KPMG, a high 70 percent said they were satisfied with the program’s rollout. TCS’ Chakrabarty points out that the program has already exceeded its initial goals. A total of 2.3 million e-filings — 80-90 percent of the total — have been made, compared with the modest target of 25 percent for the first year. TCS has issued 3 lakh digital signature certificates, “the largest planned deployment of DSCs for (an) e-governance project in India and possibly

the world,” according to Chakrabarty. Over 211,000 companies have e-filed their balance sheets, and over 350,000 have e-filed their annual reports, according to MCA’s Malik.

Still, the transition, predictably perhaps, hasn’t been easy. Balaji Kuncham, a chartered accountant in Bangalore, called the process a “nightmare.” In the early stages, the e-forms kept taking new avatars, he says. In many instances the automated ‘pre-scrutiny’ kept rejecting some filings, frustrating users. Such issues could be resolved only by visiting the RoC. In one case, Kuncham had to hire a fellow professional in Delhi, pay him Rs 15,000 to visit the ROC and get the approval for

e-Filing

SNAPSHOT MCA 21BUDgET: rs. 345 crore

OffICES COvERED: 64

DOCUMENTS DIgITIzED: 45 million

EMPLOyEES TRAINED: 1,200


InF

og

rA

ph

IcS

: p

c A

no

op

Digital signatures bring authenticity and integrity to the corporate filings.

Electronic payment gateways, as well as old-fashioned bank payments, are permissible.

a foreign client to open a branch office in Bangalore. Similarly, even though Malik says a new company can be incorporated online in a single day, Kuncham says there is hair-splitting over names and it is next to impossible to resolve it online.

TCS’ Chakrabarty says he experienced “unpredictable load patterns” that caused

a lot of difficulties. He attributes it to early learning, since this was an e-governance project with “no past references.” Besides, it had a “very short stabilization time,” he observes.

G.V. Srinivasa Murthy, head of the Bangalore chapter of the Institute of Company Secretaries of India, prefers to call issues such as these “teething problems.” Considering its magnitude, he says, the program is both “well implemented,” and is a “truly wonderful initiative.” Except for Singapore and Malaysia, few countries have such an electronic system, not even the United States.

Malik says the Rs 345 crore MCA-21 program has been, by-and-large, “very successful.” Revenues have grown from Rs 728 crore in 2006 to Rs 1,038 crore this year, though part of it is on account of robust economic growth. Still, if one needs to justify the investment, a big payoff has been the easy access provided to online documents. Under the earlier regime, people who needed to review corporate filings needed to spend days in long queues before they could gain access.

Today, from all across India and even abroad, people can access any filing by paying Rs 50 for a period of three hours. In fact, this has become such a popular feature that 225,000 people have availed the facility, and some have built a business around downloading, printing and selling some documents, Malik says. He added that on the basis of this single feature alone, investment on the MCA-21 project has yielded ROI because companies spent thousands of rupees on accessing the ministry’s archives.

Agenda of OptimizationMalik has his own “agenda of optimization” for the program. He says the ministry has received a tremendous amount of feedback from users and will begin to implement a number of changes, notably to enhance the user interface. One of the bigger challenges, Malik says, is trying to resolve the issue of stamp papers — a pesky state subject outside the realm of the central government.

Despite MCA-21’s significant progress, companies need to submit documents requiring stamp duty to file scanned versions as also the physical ones. This, to Malik, is annoying and unacceptable in the overall scheme of things.

Now that most documentation has been brought online, the MCA-21 program needs to concentrate on a range of things that will improve corporate governance, Malik says. This means the ministry should improve compliance management

— be able to quickly swoop down on companies and bring them to book whenever necessary. That is probably when the full benefits of the MCA-21 program will be revealed. CIO

ExecutiveeditorBalaMuraliKrishnacanbe

[email protected]

e-Filing


E-filing is mandatorysince September 2006

“Change management was a massive exercise, both for internal and external stakeholders”

—y.S. Maliky.S. MalikyJoint secretary, McA

ph

ot

o b

y S

rIV

At

SA

Sh

An

dIl

yA

Guard the Exit By Galen Gruman

INFORMATION SecuRITy | When BCD Travel began investigating what it would take to get Payment Card Industry (PCI) certification for the handling of customer credit card data, senior VP of Technology Brian Flynn realized that he didn’t really know how his employees were handling such information. That meant not only could PCI certification be denied but also the travel agency’s reputation and business could be harmed. At the National Football League’s Houston Texans, IT Director Nick Ignatiev came to the same realization as he investigated PCI certification.

In both cases, vendors they’d been working with suggested a new technology: outbound content management tools that look for proprietary information that might be leaving the company via e-mail, instant messaging or other avenues.

Flynn started using Reconnex’s iGuard network appliance, with vivid results. “It was a shock to see what was going out, and that gave us the insight to take action,” he says.

After Ignatiev examined his message flow using Palisade Systems’ PacketSure appliance, he too realized that his employees needed to do a better job protecting critical data, including customer credit cards, scouting reports and team rosters.

Sensitive data slide out of your

company’s door every day.

Outbound content management

tools can help you identify problem

spots and bolster security.

technologyEssEntial From InceptIon to ImplementatIon — I.t. that matters

Ill

uS

tr

at

IOn

by

PC

an

OO

P

VOl/2 | ISSuE/186 0 a U G U s t 1 , 2 0 0 7 | REAL CIO WORLD

Essentisl Tec.indd 60 7/27/2007 7:57:28 PM

A key point: many CIOs and CSOs already have information security methods in place, such as identifying, restricting access to and even encrypting sensitive data within their companies. Some also configure PCs so users can’t copy data onto USB thumb drives or recordable CDs. Flynn and Ignatiev were already using some of these techniques — but their tests of outbound content management tools exposed a set of wide-open exit points for sensitive information, including e-mail, instant messaging, Web-based applications and file transfer protocol (FTP).

The traditional security methods may restrict sensitive data to legitimate users, but Flynn and Ignatiev found that even legitimate users were putting the data, and their companies, at risk. At BCD Travel, a corporate travel service, nearly 80 percent of its 10,000 employees work in call centers and thus have legitimate access to sensitive customer information. What BCD and the Texans found was not malicious activity but people who were unaware of security risks, such as in sending a customer’s credit card number by e-mail to book a flight or room from a vendor that didn’t have an online reservations system.

“Employees are just trying to get their jobs done,” Flynn notes. Flynn and his peers must craft comprehensive strategies to help them get that job done more safely.

Zero In on TroubleVendors typically pitch outbound content management tools as automatic “reverse firewalls” to keep information in, via automated identification and blocking. But early adopters are usually wary of the automatic blocking pitch and have taken a much more nuanced strategy — primarily using these tools to identify risks, so that IT security staff and business managers can decide how to handle them on a case-by-case basis. Often, these tools can also identify areas for further user education and help investigate past breaches.

How does the technology work? Basically, the tools filter outgoing communication across a variety of channels, such as e-mail

and IM, to identify sensitive information. They’re based on some of the same technologies — like pattern matching and contextual text search — that help antivirus and antispam tools block incoming threats.

Tools typically come with basic patterns already defined for personally identifiable information such as Social Security and credit card numbers, as well as templates for commonly private information such as legal filings, personnel data and product testing results.

You can also have the tools analyze servers and other data stores to determine the patterns for anything a company considers important to safeguard, then set the rules for how the tools should react when such information is leaving the company. (For example, you could choose to silently block some outbound messages and warn users regarding others.)

Companies typically look for three types of information using these tools, notes Paul Kocher, president of the Cryptography

Research consultancy. The first — and easiest — type is personally identifiable information, such as Social Security numbers and credit card information. The second type is confidential company information, say product specifications, payroll information, legal files or supplier contracts. While this information is harder to identify, most tools can uncover patterns of language and presentation when given enough samples, Kocher notes. The third category is inappropriate use of company resources, such as potentially offensive communications involving race.

“You don’t really know what’s going out of your network until you have a tool that can help you zero in,” says BCD’s Flynn.With a real understanding of what information is flowing, you can develop an appropriate security strategy, Flynn says.

Educate UsersSecurity consultants advocate a multitiered strategy to protect sensitive information. In all cases, they recommend starting with

No one should treat outbound content management as a panacea. “but it is a good first-

line defense,” says richi Jennings, lead analyst for e-mail security at Ferris research. Where

do these tools fit into your overall security strategy? a comprehensive plan includes these five

steps:

Identify confidential information, whether confidential for legal compliance reasons or because

it involves company trade secrets.

Manage access to sensitive information, reducing the pool of users to those who need it and can

be trusted to guard it, says Jennings. this requires knowing what information you have, what

protection it merits and who should have access to it — something many large companies do

not have a good handle on because they have so many offices and data stores, notes Security

Constructs consultant tom bowers.

Educate employees about desired behaviors regarding sensitive data. this involves creating

policies, communicating them and reinforcing them.

lock down information when possible. Encryption is an important aspect of security for data at

rest, says bowers. blocking potential physical exits for data — from locking down uSb ports to

blocking file-transfer ports on the network — also reduces risk.

use outbound content management as a supplement. It provides a potential safety net if other

steps aren’t sufficient, says Jennings.

— G.G.

5 Steps to a Smart Outbound Content Management Strategy

ESSEntIal technology

VOl/2 | ISSuE/186 2 a U G U s t 1 , 2 0 0 7 | REAL CIO WORLD


basic user education so people know what behavior to avoid and what secure practices to follow — and they agree that content management tools can help identify where the risks are.

The First National Bank of Bosque County in Texas has its employees sign an information-security policy every year. “We remind them that if they send out customer information, they can go to jail. That’s a pretty good reinforcement,” says Brent Rickels, the bank’s senior vice president.

The bank uses SecureWave’s Sanctuary software to monitor e-mail and Web traffic, as well as block instant messaging completely. When a user violates a policy set in the software, the employee’s manager is notified and talks privately with any first-time offenders. The company tells the staff at large about the incident (without taking names) to reinforce the need for self-vigilance. Also, employees often tell other employees of their mistakes, to help others not make them, Rickels notes. If the behavior continues, the bank does take names, as well as begin disciplinary or termination actions.

Similarly, at the Texans, Ignatiev uses the Sanctuary tool to identify potentially dangerous behavior, such as employees entering clients’ or personal credit card numbers at e-commerce sites. He uses Palisade Systems’ technology to identify behavior like sending e-mails containing scouting reports to unauthorized recipients. Security staff notify managers, who then talk to the employee to explain why the behavior was risky, Ignatiev says.

Telling employees that you’re monitoring their communications — and why — helps reinforce desired behavior, Kocher says: “People tend to behave much better if they think they’re going to be observed.”

Block JudiciouslyLike many CIOs, Flynn and Ignatiev are approaching automatic blocking of e-mail, instant messaging and other outbound communications cautiously. The concern: false positives could block legitimate communications and hurt customer service. Flynn, for example, would not want automatic blocking of, say, messages containing credit card numbers to cause a stranded airline customer to miss out on a quick rebooking.

Some industries, such as banking, may decide it’s better to block false positives than risk the fines and publicity for releasing customer information. “A lot depends on the risk to your business,” says First National’s Rickels.

Another risk: “Blocking can breed lack of trust,” says Mark Rizzo, vice president of operations and platform engineering at

game developer Perpetual Entertainment. “I would quarantine rather than block, but then you need a large staff to look at the messages so the delay is not noticeable,” he says.

As companies get a better handle on what is actually occurring in outbound communications, some do foresee blocking some communication automatically. Perpetual’s Rizzo expects to use Tablus’s Content Alarm NW software to block

outbound communications containing business secrets, namely the code for software games that Perpetual produces. Developers job-hop frequently, sometimes taking the code they developed by sending it out before they leave, Rizzo notes.

Understand Tool LimitsWith outbound content management tools, “you can build very sophisticated concept filters,” says Cliff Shnier, vice president for the financial advisory and litigation practice at Aon Consulting. Typically, the tools come with templates for types of data that most enterprises want to filter, and they can analyze contents of servers and databases to derive filters for company-specific information, he says. (Consultancies can improve these filters using linguists and subject matter experts.)

But as any user of an antispam tool knows, no filter is perfect.

“A big mistake is to have too much faith in the tools. They can’t replace trust and education,” says consultant Kocher. And they won’t stop a determined thief, he says. Even when appropriately deployed, these tools don’t create an ironclad perimeter around the enterprise. For example, they can’t detect information that flows through Skype voice-over-IP service or SSL connections, Kocher notes. They can also flood logs with false positives, making it hard for IT security staff to identify real problems.

That’s why CIOs should look at outbound content management as a supplemental tool to limit accidental or unknowing communication of sensitive data, not as the primary defense, he says. CIO

Galen Gruman is a regular contributor to CIO. Send your

feedback on this feature to [email protected]

ESSEntIal technology

as companies get a better handle on what is occurring in outbound communications, some do foresee blocking some communication automatically. this is a better alternative than de facto blocking.

REAL CIO WORLD | a U G U s t 1 , 2 0 0 7 6 3VOl/2 | ISSuE/18


GPL3 Sees the Light of DayAnd now it is time to call your lawyers.By Bernard Golden

Pundit

open source | After an extended gestation, the Free Software Foundation (FSF) released its update to the GPL Version 3 license.

And, contrary to what I expected, it represents significantly less change than what might have been expected from earlier drafts. Richard Stallman, the founder of FSF and the GNU Project, is a stringent ideologue, but it appears that he concluded that he would rather lead a movement than move forward at the head of a one-person parade.

First, the good news. If you’re an end user of GPL3-licensed code, you won’t see much difference in terms of how you have to handle code.

Next, the bad news. The 18-month comment period has allowed a large number of lawyers to submit comments. The resulting license has much more legalese than GPL2. This means you’ll need to get attorneys involved much more than in the past to understand just what in the heck the license means in a particular situation.

Now to the specifics. The DRM conditions have been loosened. What

originally read like a a long tirade now reads like a government report, complete with reference to the WIPO copyright treaty. Stallman’s idee fixe with ‘Tivo-ization’ resulted in earlier versions effectively negating any protection against user modifications, which, in the case of medical devices (for example) was clearly not desirable. (For more on Tivo-ization, read Bernard Golden’s column www.cio.in/esntech/viewArticle/ARTICLEID=2463). This version explicitly focuses its

restrictions on consumer devices, using language like “normally used for personal, family, or household purposes.” It is easy to predict that this effort will result in plenty of billable time for lawyers, since attempting to explicitly define something offers the opportunity for smart lawyers to figure out how to circumvent the definition.

The patent provisions have kept the original intent, which was to ensure that contributors who put code out under a GPL license explicitly renounce asserting patent rights, which is, I think, is exactly the right thing to do.

The license also responds to the Novell/Microsoft deal by prohibiting discriminatory patent licenses by third parties; on the other hand, it grandfathers in the Novell/Microsoft deal.

Overall, I applaud the prohibition of discriminatory patent protection, because as Eben Moglen (he is a professor of law at Columbia University, and is chairman of Software Freedom Law Center) pointed out, the Novell/Microsoft agreement protected users but didn’t extend protection to developers — clearly not a

desirable end. (It must be said, however, that the GPL3 patent resolution is but one skirmish in the war regarding software patents, which is a much more troubling contest that still threatens to disrupt the technology industry). CIO

To know how the license affects end users, read Golden’s column next fortnight. (To be concluded)

Bernard Golden is Ceo of navica, an open source

consultancy, and the author of Succeeding With open

Source (addision-Wesley, 2004). Send feedback on

this column to [email protected]

Because many lawyers have submitted comments, the license has more legalese than GPL2. This means you’ll need to get attorneys involved much more than in the past.

essenTiAL technology

VoL/2 | issUe/186 4 a U G U S T 1 , 2 0 0 7 | REAL CIO WORLD

ET-Pundit.indd 64 7/27/2007 7:58:27 PM

cio august 1 2007 issue

Documents