CIO August 15 2007 Issue


Upload: sreekanth-sastry

Post on 22-Mar-2016


DESCRIPTION

Technology, Business, Leadership

TRANSCRIPT

Page 1: CIO August 15 2007 Issue


From the Editor

Today’s war for talent starts at technology and business schools around the country. That obviously means the IITs and IIMs, apart from many other institutions. The bidding wars, so to speak, are a good indicator of the levels of demand. Last year, the top offer at an IIT was a Rs 45-lakh package offered by global oil major Schlumberger.

Sometimes recruiters go a different way, seeking to tap far-flung talent. This not only helps unearth hitherto unidentified talent, but also offers significantly lower cost. Last year, TCS ventured to Tamil Nadu’s hinterland to recruit, revealing how far companies would go in this quest for engineering talent. Eventually, the K.S. Rangaswamy College of Technical Education in Tiruchengode didn’t quite work out because students at the semi-urban college — located about 20 km from the town of Erode — didn’t possess the skills TCS needs to service its global clients.

Talent, clearly, is in limited supply. Also, the numbers are fuzzy. Nobody is quite sure how far or how fast we can grow. Figures for the number of engineers graduating each year are liberally thrown around in the media. It is common to imagine as many as 4 lakh. But reliable estimates suggest a much lower figure. According to NASSCOM, India produced about 2.15 lakh engineers in 2004. Of them, only 1.12 lakh were graduates with four-year degrees — the prime target of many employers. Both NASSCOM and McKinsey believe only 25 percent of the graduating engineers in India possess the skills to work for large companies or outsourcing firms.

If we consider only the graduate engineers, the number is down to about 28,000 — less than the number hired annually by the IT majors. If we take the larger pool of 2.15 lakh, a quarter of that would be almost 54,000, which is closer to the number annually hired by Big IT. Add in the number of students who go in for higher studies, and those who migrate to other countries — it seems a miracle that the rest of the Indian companies find any IT workers.

The point is: the situation is dire and likely to get worse with increased outsourcing. In the circumstances, CIOs across the country are getting smart about hiring, as our cover story by Special Correspondent Balaji Narasimhan reveals, and are even considering outsourcing. A decade from now, it could even mean offshoring to lower-cost countries, given the rising labor costs and the torrid pace of growth of the Indian economy. Smarter CIOs, I suspect, would soon even begin to pick up valuable offshoring lessons from western companies.

NASSCOM and McKinsey believe that only 25 percent of graduating engineers in India possess the skills to work for large companies.

Even if engineering talent is available, skills required to run modern companies are scarce.

Bala Murali Krishna, Executive Editor

What the Talent Crunch Means

Vol/2 | Issue/19 | August 15, 2007 | REAL CIO WORLD


Content | August 15 2007 | Vol/2 | Issue/19

Executive Expectations | VIEW FROM THE TOP | 48
Dinesh Hinduja, executive director of Gokaldas Exports, says that the garment industry is as reliant on IT as auto-makers. Interview by Kanika Goswami

Peer-to-Peer | PAY ATTENTION TO YOUR NETWORK | 36
The future of your business depends on your network. That’s why CIOs need to oversee it themselves. Column by Moti Vyas

Making IT Work | COLLABORATIVE CODING | 24
A savvy entrepreneur is exploiting technical innovation to cost-effectively generate technical innovation. Column by Michael Schrage

Project Management

COVER STORY | HIRE POWER | 38
CIOs are finding it a formidable challenge to build — and maintain — IT organizations with the right skills. So much so, some of them are beginning to consider outsourcing as an option. Feature by Balaji Narasimhan

Feature: Risk Management | HOW YOU CAN FIGHT CYBER CRIME | 52
Online crime is organized, its perpetrators attack deliberately, and the likelihood that they will attack your company is growing. Here’s how to mitigate the risk. Feature by Christopher Koch

Cover: Design by Binesh Sreedharan | Illustration by Unnikrishnan A.V

As CIOs, Vinod Sadavarte (L) of Patni Computer Systems, Amit Kumar of Max New York Life, and David Briskman of Ranbaxy are constantly exploring ways of maintaining highly-motivated IT organizations.


content (cont.)

DEPARTMENTS

Trendlines | 15
Support Services | Microsoft: Want a Hot Fix?
Anti-spam | Of Pump-and-dump Scammers
Security | Security Vendor: Yes or No?
Storage | SAN, NAS: Your Boss Doesn’t Care
Research | Swift Action on Security
Services | Hacker Scare? Set Alarm
Business Intelligence | Beating the BI Blues
Mobile | CRM Released for iPhone
Networking | New Bluetooth Standard Approved
Broadband | Mobile Broadband: Post 2008

Essential Technology | 64
IT Architecture | Stuck in the SOA Soup | By Bob Violino
Open Source | The Prospect of GPL3 Adoption | By Bernard Golden

From the Editor | 2
What the Talent Crunch Means | Even if engineering talent is available, skills required to run modern companies are scarce. By Bala Murali Krishna

Inbox | 14

NOW ONLINE

For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Govern | PUTTING PEOPLE FIRST | 60
To succeed, e-government projects need to avoid excessive focus on technology and find champions, says Dr. Rajendra Bandi, associate professor of information systems at IIM Bangalore. Interview by Kanika Goswami

Project Leadership | GETTING TO THE POINT | 32
It is easy to shroud the truth about your project behind volumes of reports. Here is how you can get the bad and the good news to rise to the top every week. Column by Mike Hugos


MANAGEMENT
Publisher & Editor: N. Bringi Dev
CEO: Louis D’Mello

EDITORIAL
Editor-in-Chief: Vijay Ramachandran
Executive Editor: Bala Murali Krishna
Bureau Head - North: Sanjay Gupta
Special Correspondents: Balaji Narasimhan; Kanika Goswami
Senior Correspondent: Gunjan Trivedi
Chief Copy Editor: Kunal N. Talgeri
Senior Copy Editor: Sunil Shah
Trainee Journalist: Shardha Subramanian

DESIGN & PRODUCTION
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan; Vikas Kapoor; Anil V.K.; Jinan K. Vijayan; Sani Mani; Unnikrishnan A.V; Girish A.V; MM Shanith; Anil T; PC Anoop; Jithesh C.C.; Suresh Nair; Prasanth T.R
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran; T.K. Jayadeep

MARKETING AND SALES
VP, Intl’ & Special Projects: Naveen Chand Singh
VP Sales: Sudhir Kamath
Brand Manager: Alok Anand
Marketing: Siddharth Singh; Kishore Venkat
Bangalore: Mahantesh Godi; Santosh Malleswara; Ashish Kumar; Chetna Mehta
Delhi: Nitin Walia; Anandram B; Muneet Pal Singh; Gaurav Mehta
Mumbai: Parul Singh; Chetan T. Rai; Rishi Kapoor; Pradeep Nair
Japan: Tomoko Fujikawa
USA: Larry Arthur; Jo Ben-Atar
Singapore: Michael Mullaney

EVENTS
General Manager: Rupesh Sreedharan
Managers: Ajay Adhikari; Chetan Acharya; Pooja Chhabra

ADVERTISER INDEX

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

AMD 3

Avaya 4 & 5

Canon IBC

Emerson 45

Fluke 9

Fujitsu 23

HP 35

Intel 11

Lenovo BC

Microsoft IFC, 20 & 21

Molex 13

Sigma Byte 17

Toshiba e Studio 1

Wipro 6 & 7

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

ADVISORY BOARD

ABNASH SINGH, Group CIO, Mphasis
ALAGANANDAN BALARAMAN, Vice President, Britannia Industries
ALOK KUMAR, Global Head-Internal IT, Tata Consultancy Services
ANWER BAGDADI, Senior VP & CTO, CFC International India Services
ARUN GUPTA, Customer Care Associate & CTO, Shopper’s Stop
ARVIND TAWDE, VP & CIO, Mahindra & Mahindra
ASHISH K. CHAUHAN, President & CIO — IT Applications, Reliance Industries
C.N. RAM, Head–IT, HDFC Bank
CHINAR S. DESHPANDE, CIO, Pantaloon Retail
DR. JAI MENON, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
MANISH CHOKSI, Chief-Corporate Strategy & CIO, Asian Paints
M.D. AGRAWAL, Dy. GM (IS), Bharat Petroleum Corporation Limited
RAJEEV SHIRODKAR, VP-IT, Raymond
RAJESH UPPAL, Chief GM IT & Distribution, Maruti Udyog
PROF. R.T. KRISHNAN, Professor, Corporate Strategy, IIM-Bangalore
S. GOPALAKRISHNAN, CEO & Managing Director, Infosys Technologies
PROF. S. SADAGOPAN, Director, IIIT-Bangalore
S.R. BALASUBRAMNIAN, Executive VP (IT & Corporate Development), Godfrey Phillips
SATISH DAS, CSO, Cognizant Technology Solutions
SIVARAMA KRISHNAN, Executive Director, PricewaterhouseCoopers
DR. SRIDHAR MITTA, MD & CTO, e4e
S.S. MATHUR, GM–IT, Centre for Railway Information Systems
SUNIL MEHTA, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. BABU, Group CIO, ITC


New Frontiers for CIOs

I was immediately drawn to the cover story in CIO India, issue number 17 (June 15, 2007). What better way to pick on a CIO’s mind than the topic of On Higher Ground. The message that a CIO is not just focused on technology or IT infrastructure, but on all larger issues confronting him, was loud and clear with your coverage. My congratulations to the team!

I was particularly pleased to see the CIOs who have comfortably taken on positions outside IT. However, I do not quite agree with the editorial statement that carrying technology’s burden restricts a person’s vision and understanding of larger business issues. In fact, in today’s world, technology is the binding force that connects an organization’s vital operations, production, sales and marketing, distribution and, sometimes, even the end customers. The technology thread running across all functions gives CIOs a unique visibility into all aspects of business in a holistic manner. Combine that with vision, CXO-level mindset and grit — and, wow, you have a potential business leader.

Do CIOs want to get into other C-level jobs? You rightly picked this question. Do CIOs or, for that matter, do I want to get into something outside IT? Not so soon. If and when we do, technology should be the enabler and strength rather than hindrance. The story was very useful. I look forward to reading more such thought-provoking articles in future.

I also liked the ‘View From The Top’ section (‘Feeding The Acquisition Frenzy’) in the issue featuring Vijay Rekhi, president of United Spirits. I would suggest you cover more leaders from New Age sectors like real estate and BFSI.

NIL PUNJWANI

IT Head, Philips Innovation Campus

Philips Electronics India

Outsourcing the Network

Your features in the network infrastructure special issue (Network Wonder, July 1, 2007) got me thinking on a number of issues, such as outsourcing. The choices before CIOs today are — doing it yourself completely, outsourcing — and a blend of both.

Look at the challenges that a CIO faces today. With the increasing demands from his organization to leverage IT for business, it is imperative to have a reliable partner who can completely design, deploy and manage the organization’s network infrastructure. The outsourcing partner must have a strong network to support you in your endeavor. The outsourcer must also have the vision of high growth and be prepared to address the challenges of customer requirements proactively. Once the decision to outsource is taken, your partner is no more a vendor. He is more than a partner — he is part of your extended team and is totally accountable and responsible for all deliverables. This outlook leads to a winning team that drives an agile network infrastructure.

V. SUBRAMANIAM

CIO, Otis Elevator India

IT-enabled Commute

I read the article (‘Stop. Ready. Go.’, June 15, 2007) about how traffic data are collected by using cell phone traffic and displayed on a website. Though the practical utility of this service is still not clear to me, I hope this is the first of many future versions to emerge with useful features. At the same time, I am amazed how very little IT is used in the IT capital for one of its major problems.

It will be great if your magazine can bring together a panel of experts in traffic management and IT to brainstorm. One simple system that can be introduced is for the traffic police to adjust signal timings. Once the basic system is installed, the switching patterns can be transmitted to a central computer. Traffic experts can then study the traffic patterns and come up with solutions. The data transfer can be done using mobile technology, and mobile companies will be interested in making such a system.

SAMPATHGIRI

Director, Bigtec


reader feedback

What Do You Think?

We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.

With increasing demands from the organization to leverage IT for business, it is imperative for a CIO to outsource his networks.


New * Hot * Unexpected

ANTISPAM

Pump-and-dump stock scammers have begun using Microsoft Excel spreadsheets to deliver their get-rich-quick schemes, another in a series of moves they've made trying to slip past antispam filters.

E-mail security vendor Commtouch Software Ltd. spotted several spam runs Saturday that feature Excel attachments with file names such as ‘invoice20202.xls’ and ‘stock information-3572.xls.’

The Excel worksheets contain the unsolicited message, which, as in all classic pump-and-dump scams, touts shares of one or more lightly-traded companies as hot and ready to climb. The fraudsters, however, have already bought shares and only spam their shills to get others to buy in. If enough do, the price goes up, and the scammers sell their holdings. The duped recipients of the spam are left holding the bag when the price later plunges.

According to Amir Lev, Commtouch's chief technology officer, the turn to Excel is just the latest twist in the scam. "Excel is a natural progression after the recent spate of PDF spam, which itself is a natural development from basic image spam," said Lev.

"We expect other file formats to follow suit. Think of the spam potential in PowerPoint files or Word documents."

Pump-and-dump spam has been rapidly changing tactics, dropping images and substituting PDF files to evade spam-blocking software. Virtually every security company has sent out warnings of recent big spikes in the amount of PDF-based spam. In fact, Commtouch was one of the first. Spammers started using PDF files only a few weeks ago; before that, they relied on embedded images to get their content past filters.

Most users associate Excel files with danger because hackers have used them to deliver malware. Sporadic attacks, often very narrowly focused, using Excel spreadsheets as well as other Microsoft Office file formats, have been launched since early 2006. For example, in June a Commtouch rival, UK-based MessageLabs Ltd., reported that 95 percent of all targeted attacks, those where one piece of spam was shot at one user, involved Office file attachments.

—By Gregg Keizer

SUPPORT SERVICES

Microsoft customers can now request a hot fix by e-mail, avoiding the hassle of reaching the company's support staff on the phone.

In a blog post, Steve Patrick, who works in a Microsoft group within support services, provided a link to an online form where customers can enter their e-mail address and the desired hot fix by referencing its associated Knowledge Base article number. Microsoft's support will e-mail a download link for the hot fix within eight business hours, the form notes.

Hot fixes are patches that Microsoft writes for specific, documented problems but doesn't release to everyone via one of its update services, such as Microsoft Update. Typically, Microsoft support recommends that only users who have experienced the problem install a hot fix. Most of the time, Microsoft does not make these fixes available for downloading from its Web site; instead, it demands that users call in and explain their situation to support before it releases the patch.

A Windows Vista bug that locks up a PC when it's brought out of hibernation is a good example. In the May 7 Knowledge Base article, Microsoft said, "It is intended to correct only the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hot fix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hot fix. To resolve this problem immediately, contact Microsoft Customer Support Services to obtain the hot fix."

"Man! This makes life SOOOO much easier for a lot of folks," said Patrick, who credited the change to ‘the Big Brainers’ at Microsoft.

—By Gregg Keizer

Microsoft: Want a Hot Fix?

Pump-and-dump Scammers Turn to Excel


Illustration by PC Anoop


SECURITY

When it comes to picking a single ‘strategic security vendor’, IT executives are decidedly at odds. Questioned whether they had such a vendor, 50 executives rendered a split decision, with 42.6 percent indicating they do and 57.4 percent saying they don't, according to a report from Nemertes Research.

A ‘strategic security vendor’ is the one an IT executive would turn to first, as a preferred security partner. The in-depth interviews conducted by Nemertes Research for its report, Security and Information Protection: Technology Trends and Vendor Ratings, found Cisco, Microsoft and Juniper Networks fared the best.

Among the respondents who said they did have a strategic security vendor, Cisco was cited most frequently.

"Cisco was mentioned about 20 percent of the time and Microsoft about 10 percent," says Nemertes president Johna Till Johnson. "IBM and Symantec weren't even mentioned."

The results are a remarkable turnaround for Cisco and Microsoft compared to the responses from 2005, when IT executives were asked the same question.

It appears that the reason Cisco is viewed as a strategic security vendor isn't that IT execs buy Cisco gear for its security features, but that the presence of Cisco gear and the importance of security underscore Cisco's importance.

However, when it came to rating security vendors in customer service and support, and strength of technology and value, the top vendor was Juniper. Johnson said Juniper's ratings were significantly higher than anyone else's.

Among IT execs who didn't have a strategic security vendor, about a quarter preferred a best-of-breed approach in selecting security products, and the rest responded that either they didn't need one, or they couldn't have one because of outsourcing or procurement restrictions.

—By Ellen Messmer

STORAGE

Storage is awash in TLAs (three-letter acronyms). LUN, SAN, NAS, ILM, SWD, SAS, HBA, DAS, CAS and FAN are all acronyms that regularly appear in storage-related literature, publications and columns. But to many IT managers, they provide no meaningful information, and storage technicians who use them too frequently without context may alienate their managers rather than connect with them.

Storage-area network (SAN) and network-attached storage (NAS) are examples of acronyms that can drive a wedge between managers and techs. The acronyms look similar (NAS is SAN spelled backward), they both reference storage networks, and nearly every organization uses both SAN and NAS. Yet to say there is no difference in the acronyms is akin to saying oil and water are the same because they are both liquids.

The trouble with trying to explain the meaning of these acronyms is that it requires using language that confuses rather than clarifies the situation. To the individual steeped in storage, it is intuitively obvious that a SAN only carries block-based storage over either an Ethernet or Fibre Channel infrastructure using iSCSI or Fibre Channel protocols, while NAS only carries file-based traffic over an Ethernet network.

Provide that same explanation to your IT manager and he will look at you like you have two heads. Storage techs tend to forget that management lacks the time to learn every storage acronym. Though some managers just don't care, many more are too consumed with setting corporate initiatives and meeting quarterly numbers to spend time trying to understand the differences between SAN and NAS.

The use of acronyms is a clever way to appear knowledgeable and smart. But when your use of acronyms confuses the situation and leaves management in the dark, you are probably helping no one and only hurting yourself.

—By Jerome Wendt

Security Vendor: Yes or No?

[Chart: Most frequently cited companies with security vendors. Cisco 20%, Microsoft 10%]

[Chart: Do you have a strategic security vendor? Yes 42.6%, No 57.4%]

SAN, NAS: Your Boss Doesn't Care

BUSINESS INTELLIGENCE

Many companies approach business intelligence from the wrong angle, leading to a lot of wasted effort by IT. In fact, companies spend more than 70 percent of the time, energy and money they dedicate to business intelligence on people and process issues, according to a recent Gartner study of BI accessibility. That’s a costly sink, says Gartner analyst Betsy Burton. “The mistake a lot of executives make is trying to buy technology in the hope that it will apply to the business objectives,” Burton says. “Companies should start any business intelligence effort by defining the business objective and then the people, metrics and processes that support those objectives.”

What are the key obstacles that IT faces in constructing efficient BI systems? A lack of effective support from senior management really hurts. Yet, of 350 global organizations Gartner surveyed, only 10 percent of BI and performance management efforts were sponsored by a C-level executive. Another problem: Many companies come at the BI issue wanting to ‘fix’ or ‘clean-up’ the data. “Cleaning up data is not a business objective,” Burton says. But that’s how many IT executives drive their company’s BI efforts, and as a result, the IT organization spends its time responding to tactical requirements, instead of driving business objectives.

“It’s important to have a team to bridge the divide between IT and business expectations,” she says. Companies that are ahead of the game have formed business intelligence competency centers (BICC) to help their organization master intelligence management, she says.

Smart BI planning will only grow in importance for CIOs. Most organizations are facing an information explosion but don’t yet have a management strategy for it, and IT can sometimes be seen as the root of this problem, Burton says. Looking ahead, information management is one area where the CIO will be expected to act as a trusted adviser to the business.

By Margret Locher

Beating the BI Blues

Best practices

1. Get an executive to sponsor your information management efforts. Consider the organizational structure, so you are able to adapt to changing business priorities.

2. Define the objectives necessary to deliver the business strategy. Don’t get mired in cleaning up the data. Construct your BI plan to improve on current processes, with an eye toward technology that plays into achieving the business objectives.

3. Compare your plan with the current initiatives, tools and technologies. Your plan should strike a balance between strategic perspective and tactical requirements. It should be flexible to evolve over the next decade.

Only 10% of BI efforts are sponsored by a C-level executive with a direct link to the business.

40% are sponsored by other business executives.

25% are sponsored by an IT manager.

25% have no executive sponsor.

Source: Gartner

Where Are The BI Champions?

This is Why… You’ll Need BI

Between 2006 and 2012, Global 1000 organizations will experience a threefold increase in data, content and application quality issues.


SERVICES

Your Web mail account is a treasure trove of private and potentially valuable information, and thieves know it. In an online interview, one hacker claimed to make thousands of dollars every day by breaking into e-mail accounts. Normally you can't tell whether you've been hacked in this way. But you can create an electronic trip wire that will trigger whenever someone reads a rigged e-mail.

I came across the idea, which takes advantage of a free Web hit counter, in a blog post by Jeremiah Grossman of WhiteHat Security. The gist of it is to keep an e-mail message in your account that includes the code for the counter. Opening the attachment trips the counter, thereby alerting you that someone was snooping. Here's how to set it up:

1. Head over to OneStatFree.com and register for a free Web counter account. You can list anything for the site URL, and use a disposable e-mail address to complete the registration process.

2. Look for an e-mail from OneStat sent to the address you used when you registered. It will come with an attached file named OneStatScript.txt. Save that file, and note your account number. Then delete the e-mail, which has your account details.

3. Give the .txt file a name that will catch a spy's eye, like ‘BankPasswords,’ and make it an .htm file so it opens automatically in a Web browser (and trips the counter).

4. Send the file as an e-mail attachment to the Web mail account that you want to monitor. Use a similarly baited subject line, like ‘Account log-ins,’ for the message. Just be sure not to open the file when you send it — you don't want to set off your own alarm.

5. Sit back and wait like the patient spy-catcher you are. If anyone opens your rigged attachment, the hit counter will reflect that fact and will record information about them, including the IP address of the accessing computer. To check the counter stats, just log back in to your account at OneStatFree.com.

The excellent, free Stanford Password Hash browser add-on provides additional security by making it easy to use strong, unique passwords for all of your accounts.

—By Erik Larkin
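The same trip wire can be run without a third-party counter by pointing the bait file at a web server you control and checking its access log for the beacon request. The following is an added example, not part of the original article or of OneStat's script; the host `canary.example.org`, the `/t/<token>.gif` path, the function names and the sample log lines are all constructed assumptions.

```python
"""Self-hosted e-mail trip wire: build a bait .htm file and detect when it is opened."""
import html
import re
import secrets
from datetime import datetime

# Assumption: a web server you control; example.org is a placeholder host.
BEACON_HOST = "canary.example.org"


def new_token() -> str:
    """Unguessable per-bait identifier, so a hit can only come from this file."""
    return secrets.token_hex(16)


def build_bait_html(token: str, title: str = "Account log-ins") -> str:
    """Return the body of the bait .htm file; opening it fetches the beacon URL."""
    url = f"https://{BEACON_HOST}/t/{token}.gif"
    return (
        '<!DOCTYPE html>\n<html><head><meta charset="utf-8">'
        f"<title>{html.escape(title)}</title></head>\n"
        "<body><p>Loading...</p>"
        f'<img src="{html.escape(url, quote=True)}" width="1" height="1" alt="">'
        "</body></html>\n"
    )


# Apache/nginx common or combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def find_trips(log_lines, token, own_ips=frozenset()):
    """Return one record per request for this token's beacon.

    Requests from own_ips are skipped so that testing the bait yourself
    does not raise a false alarm (step 4 of the procedure above).
    """
    wanted = f"/t/{token}.gif"
    trips = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != wanted or m.group("ip") in own_ips:
            continue
        trips.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "agent": m.group("agent") or "",
        })
    return trips


# Constructed sample data: a fixed token and five access-log lines
# (addresses are from the reserved documentation ranges).
SAMPLE_TOKEN = "0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Aug/2007:09:12:44 +0530] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Aug/2007:23:41:02 +0530] '
    '"GET /t/0123456789abcdef0123456789abcdef.gif HTTP/1.1" '
    '200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '192.0.2.10 - - [16/Aug/2007:08:00:10 +0530] '
    '"GET /t/0123456789abcdef0123456789abcdef.gif?x=1 HTTP/1.1" '
    '200 43 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Aug/2007:08:05:00 +0530] '
    '"GET /t/ffffffffffffffffffffffffffffffff.gif HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    "garbage line",
]

if __name__ == "__main__":
    # 192.0.2.10 stands in for the account owner's own address.
    for trip in find_trips(SAMPLE_LOG, SAMPLE_TOKEN, own_ips={"192.0.2.10"}):
        print(f"bait opened from {trip['ip']} at {trip['time'].isoformat()}")
```

Use a fresh token for each bait message so that a hit also tells you which mailbox was read.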


SURVEY

IT managers are reacting increasingly quickly to security issues, a survey has revealed.

Seven in 10 managers now deploy critical updates within eight hours, which is almost twice as many as last year.

And 29 percent implement patches in only two hours; more than double the number that achieved that response time in 2006.

The results come from a survey of 250 CIOs, CSOs, IT managers and network administrators across Europe, Asia Pacific and the US. The research was conducted by PatchLink, a manufacturer of security software.

Zero day vulnerabilities, where hackers exploit security issues on the day that they emerge, are the largest security concern, according to the survey, with 54 percent of IT chiefs citing them as their top worry.

Vendors are also tending to act more quickly with their security fixes, in the face of pressure from businesses and from a growing army of unofficial patchers.

In March, security vendor eEye Digital Security issued an unofficial patch to protect users of the Outlook Express email program, covering an area Microsoft had not tackled. Then the Zero Day Emergency Response Team unveiled another patch days later. In early April, Microsoft responded with its own patch after it admitted the problem had become too serious to ignore.

Hackers as a whole are the second largest concern, at 35 percent, and malware and spyware stand at 34 percent.

Charles Kolodgy, research director at IDC, said that businesses of all sizes faced zero day threats, and that the problem is worsened by a lack of resources to fight the problem.

He added: "User behavior is difficult to control, and many hackers rely on users' lapses in judgement to carry out their malicious activity."

Two thirds of those surveyed said they spent more than an hour each day monitoring security, and half had over 10 programs installed to counter threats.

— By Leo King

Illustration by MM Shanith

Swift Action on Security

Hacker Scare? Set Alarm


NETWORKING

The body tasked with maintaining the Bluetooth standard has agreed its new iteration, Bluetooth 2.1+ EDR (Enhanced Data Rate).

The Bluetooth Special Interest Group (SIG) has announced unanimous approval of the new standard by its 8,000-member strong group.

The new Bluetooth should be more secure, demand less power and be easier to use than before. Pairing devices, for example, should be more consistent and consumer-friendly.

This version of the specification establishes new standards for pairing devices, establishing consistent scanning, pairing, security and authentication when using Bluetooth.

Bluetooth 2.1+ EDR simplifies pairing, improves security and means users can hope that in future Bluetooth devices can be connected together "in a few seconds," promised the Bluetooth SIG.

Battery life in Bluetooth devices such as mice and keyboards should increase 'by up to five times' using the new standard, the organization said.

With 13 million Bluetooth units shipped each week and an installed base of over one billion enabled devices, improvements in the standard are of consequence.

Version 2.1+ EDR also enables an ultra short range technology called Near Field Communication (NFC). This will allow users to pair devices much faster.

Component manufacturers Broadcom, CSR, Infineon and Texas Instruments are expected to make Bluetooth v2.1+ EDR chips available immediately, with the first products that implement the standard expected at retail by the end of the year.

—By Jonny Evans

BROADBAND SERVICES Mobile broadband connections are expected to reach 40 million worldwide by the end of 2008, according to figures released by Wireless Intelligence.

By 2010, WCDMA HSDPA is expected to represent around 45 percent of total WCDMA cellular connections, exceeding GSM connections by the end of this decade.

Wireless Intelligence, which is a joint venture between analyst firm Ovum Ltd. and the GSM Association, a trade body for mobile phone operators, expects a fast adoption cycle for mobile broadband particularly in the Asia Pacific.

Senior analyst at Wireless, Joss Gillet, said WCDMA HSDPA will be commercially present in more than 60 countries by the end of next year.

WCDMA HSDPA is a software upgrade to existing WCDMA networks with the aim of bringing broadband speeds to mobile networks. Gillet said WCDMA HSDPA will go through a slow adoption phase until the end of 2008.

"There is still a lack of affordable devices, WCDMA coverage is still improving and services are only targeted at the mid- to high-end of the market," Gillet said.

WCDMA HSPA is expected to represent around 6 percent of total WCDMA connections by the end of 2007 (11 million connections).

"The fastest early growth is coming from the Asia-Pacific region, with operators such as KTF, Telstra and NTT DoCoMo already very aggressive in migrating their installed base to the new technology," Gillet added.

At an operator group level, Vodafone Group could reach 4.5 million WCDMA HSDPA cellular connections by the end of next year. From 2009, WCDMA HSPA uptake in Western and Eastern European countries will trigger a fast adoption of the technology worldwide.

"In 2010, worldwide WCDMA HSDPA cellular connections are expected to represent around 45 percent of total WCDMA connections, numbering around 278 million cellular connections," Gillet said.

Wireless Intelligence has a database on the global mobile market which contains more than a million individual data points drawn from 670 operators in 221 countries.

GSM Association (GSMA) members serve more than two billion customers, that is 78 percent of the world's mobile phone users.

—By Sandra Rossi

Mobile Broadband: Post

New Bluetooth Standard Approved

Illustration by Binesh Sreedharan


A savvy entrepreneur is exploiting technical innovation to cost-effectively generate technical innovation.

Michael Schrage Making i.T. Work

Collaborative Coding

Illustration by MM Shanith


Over brunch in a cheap Brooklyn restaurant, a longtime MIT friend proudly demonstrated his latest startup’s software. The idea is clever, and its beta implementation is sweet. I liked it; usually the stuff I see turns my stomach. So I’m pleased that Hans Peter Brondmo’s Web-based personal information organizer has technical chops and global business potential.

Then again, I usually pay close attention to Brondmo’s digital designs. He’s not an uber-geek who’d rather write code than chat up prospects. A reasonably successful entrepreneur, he’s a get-it-done pragmatist who won’t coddle programming prima donnas. He wants to hit the market cheap, fast and hard with products that aren’t hard to upgrade or maintain.

So when Brondmo told me his software, called Plum, was the first time he’d done serious coding in over a decade, I was taken aback. "I couldn’t believe how much things have changed," he confided. "When my development teams wrote code 10 years ago, it took us three days to find and kill a bug. Today, it takes us only three hours."

What’s more, he continued, whenever his (geographically distributed) development team runs into trouble, they can usually instant message their way into a just-in-time partnership that simultaneously solves the problem while alerting everyone to potential conflicts. "We do better real-time collaborative development and review now remotely than we did back at MIT when we were all in the same building," he notes.

Brondmo’s favorite development discovery occurred when he was stuck for a few lines of code. He realized that by Googling he could see if anyone anywhere had posted something he could use.

He and his team found quite a few virtual solutions this way. "But what about context?" I asked. After all, not everyone documents their C++ in English. He dismissively waved his hand: "Code is code. I found something that looked like what I needed in the middle of what looked like a bunch of Chinese. You paste it in and see what happens. It worked."

The ultimate result? He’s never done a startup where the software development has been better, faster or cheaper. "In the past, I’ve had to raise lots of money to support the burn rate and the licenses necessary to develop real software over a couple of years; the costs are huge," he said. "You had to deal with the venture capitalists. They had the money."

"Development cost is still significant, but it’s now focused on value creation, not infrastructure development," he added. "Open source and the availability of tools reduce our infrastructure cost. We don’t have to pay for expensive software licenses and engineers to implement ‘commodity’ functions. So, more money can be focused on innovation, not plumbing. We do more features faster. Development isn’t really an obstacle."

Even allowing for hyperbole — perhaps Brondmo’s ‘three days to three hours’ time compression is really closer to ‘two days to five hours,’ we’re still describing at least a fourfold productivity leap. That’s impressive. Marry that to the evolving array of development-oriented communication, collaboration and search tools spilling into the global digi-sphere, and the serious CIO might want to delay a Bangalore RFP. The new economics of software development may render India and China yesterday’s fad.

MICHAEL SCHRAGE LIVE! KEYNOTE SPEAKER. 7 SEPTEMBER 2007, NEW DELHI. THIS PRESENTATION IS BROUGHT TO YOU BY THE GREY MATTER: A THOUGHT LEADERSHIP SERIES BY AIRTEL ENTERPRISE SERVICES


Plum’s provenance may not be typical, but there’s nothing extraordinary about it either. A savvy entrepreneur is exploiting technical innovation to cost-effectively generate technical innovation. The stuff works. This is where savvy CIOs need to sit up and take notice. The implementation implications are enormous.

I’m the last person to suggest that busy CIOs should immerse — or, God forbid, reimmerse — themselves in code. But any CIO preaching the gospel of productivity better know if his organization’s methodologies discourage — or invite — healthy experimentation with these nascent development platforms. A CIO should know if he can now consistently get a year’s worth of software development in 90 days. A CIO should know if 75 percent of a project portfolio can go to value-added features instead of infrastructure maintenance. This matters.

Transforming the economics of software development completely transforms the economic rationales for outsourcing. Reducing both the cost and time-to-market of new features and functionality completely transforms a company’s economics of innovation. Ideally, CIOs should ‘own’ these transformations. Do you?

Three clear implementation transformation scenarios emerge. The first scenario is the easiest and most obvious: these development economics create a new generation of Salesforce.coms and other ASPs that offer suites of mix-and-match business processes for enterprise consumption. For example, while Brondmo has given little thought to Plum as an enterprise ‘knowledge management’ platform, it could easily be adapted to become one. With a little goosing, it could become an ‘account management’ app too. More choice, less money.

Toward Value-added Innovation

Scenario two has IT recommit to enterprise software development. These tools and technologies turn the internal economic equations for IT investment away from outsourcing and toward value-added innovation. IT becomes a better, faster and cheaper innovation partner for both key business units and core enterprise processes. ERP systems are goosed and spruced by customized Web apps instead of extended by packaged procurements like Siebel or PeopleSoft.

The third scenario has IT bypassed by ambitious business unit leaders who can’t — or won’t — wait for the CIO to get his act together. So, they pursue scenario one and scenario two-type behaviors independent of whomever the CIO is and whatever the CIO wants. Like the rise of the software spreadsheets more than 20 years ago, the rise of Plum-like digital platforms and processes proceeds without the need for central approval.

Scenario-three CIOs will have a hard choice: Either be seen as enablers and champions of creative enterprise interoperability or get used to losing a lot of fights.

My personal belief is that the variation IT’s been witnessing since 2000 will accelerate: The ‘IT doesn’t matter’ crowd will continue to manage and invest in IT as a commodity, while the ‘strategic IT’ companies will be exploiting these new development economics for better and faster differentiation, segmentation and innovation. These emerging economics will further fragment the CIO community. The rich will get richer; the smart smarter; and the not-so-rich and not-so-smart will find themselves struggling to remain ‘fast-followers’.

When you look at the core economic dynamics driving software development and business competition, it seems painfully clear: There has never been a better time to be a smart CIO at an organization that wants to win. CIO

Michael Schrage is co-director of the MIT Media Lab’s eMarkets Initiative. Send feedback on this column to [email protected]


Many CIOs increasingly look to certification and accreditation standards as ‘market signals’ indicative of professional quality and reliability.

Hiding Behind Certification

Michael Schrage Making i.T. Work

Illustration by PC Anoop


Professional circumstances have twice required me to become an ‘instant expert’ on certification. The first time involved grasping the byzantine ins and outs of healthcare plan accreditation. The second time required understanding the politics (and economics) of how different universities granted diplomas and certificates for their business, technical and professional extension courses. I learned far more than I bargained for.

Both experiences recalled Bismarck’s famous epigram that one should never see either laws or sausage being made. I was shocked. Professional certification and accreditation turned out to be processes as messy, political, misleading and dysfunctional as most enterprise software development and implementation initiatives. The critical difference, of course, is that testing software quality is easier and less ambiguous than testing the quality of a certification.

That’s why I’ve been struck by the seemingly pathological need so many CIOs have for the certification of skills and accreditation of organizational performance. I find this craving misguided and pathetic. What does it really say when someone is Microsoft certified? Or has a certificate in ‘network engineering’ from a quality university? Or if a development organization has a Capability Maturity Model Level 3 rating? Or is ISO 9000 compliant?

In many respects, these questions are as pointless and silly as asking, what does it mean to graduate summa cum laude from Harvard in English? Or, how good a lawyer will you be if you performed brilliantly on the multistate bar exam? Or, to be a total jerk about it, how superior an executive would you be if you had an MBA from a top-20 school?

Unfortunately, these silly and pointless questions are templates for the questions so many CIOs ask themselves when they seek to outsource development or weigh the quality of their own human capital investments. For reasons I fully understand but totally reject, many CIOs increasingly look to certification and accreditation standards as ‘market signals’ indicative of professional quality and reliability. This represents the laziest and most dangerous kind of cover-your-backside thinking by C-level executives.

The truth, as we all so bitterly know, is that the IT world is filled with certified, credentialed and accredited idiots. I bet you’ve hired a few. I know I have. The fact that someone has an aptly named BS from Harvard topped off with a misleadingly named master’s from MIT does not make a good developer (or employee). We have to ask ourselves why we make the assumptions we do about individuals with ‘elite’ credentials. The answer says far more about our personal biases than their professional attitudes, aptitudes and skills. Shame on us.

Similarly, the fact that an organization is CMM Level 3 or even CMM Level 5 may be far less revealing about its development capabilities than the Software Engineering Institute (SEI) had in mind.

What does this have to do with the challenges of IT implementation? Everything. To put it politely, we look at credentials and certifications as brands and risk management investments. After all, how incompetent could a Harvard or MIT graduate be? How incompetent could a CMM Level 4-rated offshore development shop be?


But regular readers of this column know I’m not polite: The business reality is that credentialed brand names are little more than shortcuts for executives who are either too busy or too lazy to do their homework. Don’t get me wrong, I have nothing against shortcuts. The question should be, is this a good shortcut or a bad shortcut?

A Dangerous Delusion

I asked several senior-level IT folks who had overseen significant outsourcing of their operations how much time they actually spent with their new contractor. Slightly over half of these executives said they spent more than a day visiting the actual worksites of their outsourcer and not one spent a cumulative week there before signing the contract. We’re talking tens to hundreds of millions of dollars here.

To a person, these executives waxed on about how these companies were filled with supremely well-educated engineers from the finest schools and CMM Level 3+ ratings, and so on. To be sure, their references were excellent too. But when I asked these IT execs if there had been a lot of communication between the in-house folks and the outside company to assure cultural and organizational compatibility, the answers were shockingly similar: "We’re outsourcing so that we don’t have to worry about cultural compatibility; we just want the best technical systems and the best possible price."

Actions Speak Louder Than Credentials

Sorry, folks, but this is a post-industrial recipe for disaster. An overreliance on certification credentials as an IT investment criterion is as professionally dangerous as an overreliance on IQ as a hiring criterion. Frankly, I’m with the school of economic thought that argues that the real value of credentials and certifications like CMMs and MBAs is not that they indicate greater skill, but that they signal to the market that these individuals and organizations will jump through hoops to demonstrate how much they care about being seen as top-notch.

In other words, the willingness to procure credentials can reveal more about attitude than aptitude. That can be critical.

One insurance company IT executive told me about how a development shop pitched him long and hard about how much it wanted to do some of his company’s cutting-edge development work. The shop’s credentials were impeccable. The client references said the organization was technically excellent but a bit arrogant. So, the IT exec invited the shop to send three of its developers to a morning ‘code walk-through’ to see what each side might contribute and learn. The development shop CEO immediately tried to talk him out of that invitation. "At that moment," said the insurance IT exec, "I knew I would never hire them."

Actions speak louder than certifications. Unless the act of getting that certification (or not getting that certification) truly says something important about the individual or the organization, CIOs are foolish to give them weight in any meaningful decision process. After all, what does certification really buy you in this development and deployment marketplace?

My observation is: not nearly as much as promised. The dubious quality of so many certifications and credentials inherently mismanages expectations. Few things at C-level IT investment management are costlier than mismanaged expectations. I’m comfortable arguing that, on average, the costs associated with credential-driven IT decision-making consistently outweigh the benefits. CIO

Michael Schrage is co-director of the MIT Media Lab’s eMarkets Initiative. Send feedback on this column to [email protected]


It is easy to shroud the truth about your project behind volumes of reports. Here is how you can get the bad and the good news to rise to the top every week.

Getting to the Point

Mike Hugos Project Leadership

Illustration by PC Anoop


It is possible to use information to confuse and intimidate. Status reports can tell all and yet reveal very little. They can ramble on for page after trivia-filled page, and in the act of telling everything they bore you to tears and you miss the important information hidden in the data dump.

If you are in charge of a project, you can be lulled into a false sense of security as the weeks go by, yet the status reports become a paper trail that comes back to haunt you. Because important information is in those reports somewhere and because you don’t see it, you will pay the consequences unless you take steps to make sure key issues and potential problems are clearly highlighted.

Signing Off Your Project's Future

Some years ago, I led a team of developers on a big development project. We were subcontracting to a much larger company that was the prime contractor on this multi-million dollar project. Every Friday by lunch time, I had to turn in a report on my doings for that week. I listed tasks completed, tasks that were challenged and obstacles that my team faced. I also listed all sorts of project statistics such as man-hours planned versus man-hours actual that week, earned value credits on my work, and projected critical task man-hours for the coming week.

Then, the prime contractor would take my report and all the other similar reports from the other project team leaders and compile a grand all-encompassing status report that reviewed all aspects of the project. This report was then delivered to the business executives at the client company who were responsible for project oversight and who were approving payments on the project.

After the project had been going on for about a year (and getting nowhere), the client company began to get impatient. Senior managers from this company began to investigate what was going on; they demanded to know what was happening on the project and where their money was going.

This is typical. On projects like this, team leaders like me spend 20 percent of their time or more each week filling out reports; a large project office organization churns out voluminous status reports filled with words and statistics, and still nobody really knows what is going on.

Vice presidents at the client company had routinely been signing off on the status reports they received each week without ever reading them in detail. Who has time for all those words, all that boring, badly written text that takes forever to get to the point? But therein was their downfall.

When the client company figured out that not much was getting done and demanded a refund of some of the tens of millions of dollars they had spent, the prime contractor brought out the loose leaf binders full of those voluminous weekly status reports.

A weekly status report was typically 35-40 pages long with a few bar charts and line graphs thrown in to illustrate whatever point the report writer wanted to emphasize. At the end of these reports was a spot for several signatures indicating that the report had been read and its information therefore communicated.


Team leaders spend 20 percent or more of their time filling out reports. A large project office churns out voluminous status reports, and still nobody really knows what is going on.


The prime contractor showed that several of the client’s vice presidents had signed off on these reports week after week, month after month. Then they began pointing out certain sentences and paragraphs buried here and there in those weekly reports. In those passages were statements about problems and delays and cost overruns on the project.

“We told you there were problems,” the prime contractor said, “and you didn’t say anything, so we assumed you wanted us to just keep going.” I can only imagine the sinking feeling in the pit of their stomachs as the vice presidents whose signatures were on those status reports began to contemplate the mess they were in.

After that meeting, the project went on as if nothing had happened for another couple of months and then the project was quietly wrapped up and shut down. The client company wrote off more than Rs 400 crore and I heard that the vice presidents who had signed those weekly reports had all left the company 'to pursue personal interests'.

To the Bottom of Things in Five Steps

I realized I could easily have made the same mistake as those vice presidents. I resolved to learn from their misfortune and thereafter, on my own projects, I instituted a short and simple format for the status reports I requested from my development team leaders. This format is designed to get to the main points right away, to give clear answers, and to quickly flag issues that could become big problems for the project.

My status report is composed of five questions that cover all the major problems that can occur on a system development project. They are yes or no questions, and if you answer yes to any one of them, then I ask for a short description of the problem and suggestions for how to resolve the problem. After the five questions, I then ask for only a few sentences about what was accomplished this week and what will be accomplished next week.

Such a report is never more than two pages long, so it actually gets read by me and everyone else who needs to know what is going on. There is no place to hide the bad news so I quickly find out what is happening. This format has saved me more than once from the fate of those former vice presidents.

Here are the five questions that get to the heart of the matter so effectively:

1. Has the scope of any project task changed? (Yes/No)
2. Will any major activity or milestone date be missed? (Yes/No)
3. Does the project team need any outside skills/expertise? (Yes/No)
4. Are there any unsolved technical problems? (Yes/No)
5. Are there any unresolved user review/approval problems? (Yes/No)

(For all questions marked Yes, explain the problem and recommend possible solutions.) CIO

Mike Hugos is CIO of Network Services, a distributor of housekeeping supplies, janitorial products, packaging and paper goods. He is the author of Building the Real-Time Enterprise: An Executive Briefing. Send feedback on this column to [email protected]


A five-point questionnaire about what was accomplished in a week and what will be next week is never more than two pages — so it actually gets read by everyone. There is no place to hide the bad news.


Illustration by Unnikrishnan AV

Photos by Srivatsa Shandilya and Praveen

Cover Story | Staffing

Reader ROI:

Keeping current IT staff motivated

Ways of involving your team in challenges of business growth

Why outsourcing has become an option

Vinod Sadavarte (L) of Patni Computer Systems, Amit Kumar of Max New York Life, and David Briskman of Ranbaxy are using diverse strategies to recruit and keep their IT crews together.


By Balaji Narasimhan

CIOs are finding it a formidable challenge to recruit — and retain — people with the right skills. So much so, some are beginning to consider outsourcing as an option.


Amit Kumar, Group CIO, Max New York Life and Max Healthcare, recalls a time when he had to hire somebody with no knowledge of the life insurance industry. He did it because the recruit was technically competent and — crucially — had the ability and the willingness to learn. To Kumar, that was enough in the tough market for IT talent.

In an industry where churn is constant, CIOs are finding that they have to hire the best they can get, and then invest a lot of time and resources in training. Big IT, with its big brand-name image and fat paychecks, is getting bigger, attracting the best IT professionals, leaving other companies scrambling for precious talent.

In this war for talent, CIOs need to be both aggressive and creative. As WWII US General and war hero Douglas MacArthur said, “In war, there is no substitute for victory.” CIOs who can keep their ranks full can help redefine the success of their companies, and losers will be one step closer to becoming history.

But how can CIOs recruit faster and better? How can they retain qualified people with better rates of success? Is outsourcing a viable option?

How Do You Size Up Talent?

rup Roy, senior research analyst at Gartner, notes the industry-wide staffing crunch and adds that while “There is no dearth of quantity, quality is questionable.”

In his hunt for talent, Kumar has learnt that he needs to re-evaluate what goes into the making of a quality recruit. Today, he puts the ability to learn above most criteria. “Two years ago,” he recalls, “we took someone from the automobile industry. She was well-educated, and we were convinced that she was willing to learn. She also had a high sense of responsibility. We trained her in the life insurance domain. Now, she’s the go-to person.”

But is ‘eager to learn’ enough to make the cut? In the age-old debate where industry experience is pitted against natural intelligence combined with the ability to learn, Kumar backs the latter, but with a rider: “While the willingness to learn is important, we also look for the ability to learn.”

Breaking away from the traditional view of a potential employee requires boldness — and the support of the HR department. “HR is an integral partner to the CIO function — not only for hiring people but also for employee and organizational development,” says Vinod Sadavarte, CIO of Patni Computer Systems.

Both Kumar and Sadavarte believe the HR department has a strong role to play in ensuring that the right people are hired. In fact, they take HR’s role so seriously that they have one HR resource dedicated to the IT department.

At Ranbaxy, CIO David Briskman says HR goes even further to help ensure that the right people are hired. “HR is crucial to hiring people and our employee retention and satisfaction programs. HR participates in all aspects of hiring from job description, development, recruitment and career planning. They also participate in all IT senior staff meetings,” says Briskman. As important as HR’s participation is, it is the CIO’s job to ensure that the right parameters for recruiting are set.

Kumar is quite clear about what he wants: “What we look for are people with the right attitude, who are willing to take up responsibilities, are customer focused, and are willing to learn,” he declares.

Patni has encoded their needs in a process called LEAP (Leadership Excellence at Patni). Sadavarte says Patni pushes processes strongly and describes a system that has spelt out the skill requirements for each job role in the HR framework. “We follow a rigorous recruitment process in line with this standard, and hire candidates that conform to the competency requisites or have the potential for it,” he adds.

But, setting the recruitment parameters can only be a first step, especially in a marketplace that is hungry for talent. Getting talent at the right cost is important.

Talented hands, Roy says, are expensive, and this raises the cost of operations. Sadavarte is aware of this and says: “Dearth of talent is a very serious issue that the entire industry is facing. Getting the right skill at the right time and most importantly at the right cost poses a challenge.”

Kumar believes that problem results in a lack of organizational stability. “With the IT industry in the country growing so rapidly, there are a lot of opportunities available. We are interested in a person's stability. Is he looking at the job for the long term? Obviously, we want people who are looking for a growth path in the company.” And this, he says, is not always easy to get.

And if getting talent that will stay with you, at the right cost, isn’t hard enough, CIOs who work for smaller brand-name companies have it harder. “Fewer young people are pursuing careers in IT, and many of those who do are more interested in working for a Google than an enterprise IT organization,” says Samuel Bright, IT staffing & careers analyst with Forrester.

Nonetheless, at Ranbaxy, Briskman leverages his company’s brand image extensively for recruitments. “I believe that many people join Ranbaxy to be a part of an organization that provides high quality pharmaceutical products to the world. It is a very dynamic and exciting environment to join,” he says. “With over eight acquisitions in the past year, and a portfolio of global solutions, there are always interesting challenges for the IT team,” he says.

Another option is to look for less demanding recruits. Both Roy and Bright feel that colleges are an ideal place to start. “IT should draw talent from three audiences — college students, current IT professionals, and business professionals,” Bright points out. Roy also says that CIOs should take a strategic approach. He says that the CIO should first draw up a roadmap for the IT department and answer a crucial question: will it be a highly automated environment, a technology-based setup, or will it be based on people? Only when this is answered, feels Roy, will the CIO be able to proceed on his staffing issues. Roy also believes that people from tier II and tier III cities tend to stay longer if they are groomed well. He believes that CIOs should focus on these cities and towns.

Are Employees Gold Diggers?

There are those who believe that the best way to retain talented people is to keep adding to their pay packets. Briskman begs to differ. “If you only address money, you will lose people,” he puts it bluntly. He insists that employees can be kept happier — and longer — by other means.

“I’ve recently had a case where somebody wanted to move from Chandigarh to Delhi to be with his parents. I ensured that this could be done, because it would make him happy,” says Briskman. He says that, in his team, some people want a change of roles, some want to move from one department to another, or even move from a support function to a project role. And Briskman merely takes advantage of Ranbaxy’s appetite to acquire new companies. (In March last year, Ranbaxy bought out three European companies in a week.) Accommodating employees, he says, also increases their motivation.

It’s an approach that seems to work. At Max New York Life, Kumar says that they have put processes in place to cash in on that insight. “We post all internal jobs publicly, and have transparent criteria for applying for these jobs. If somebody from IT wants to move to operations or to sales, they can at least apply. This way, they know that there is a career path other than IT.” He claims that Max New York Life has among the most ‘clear’ career-paths for its employees.

But there is still no getting away from the fact that it is much harder for enterprises to retain talent because of fierce competition from IT companies. “There is a continuous movement from user companies to IT companies for various reasons, like wider experience, onsite opportunities, and the ability to earn in dollars,” says Roy.

At Patni, says CIO Vinod Sadavarte, they use a methodology called SPARK (Systematic Pooling, Analyzing and Researching Knowledge) to evaluate and reward employee ideas. It also helps to retain employees longer and build a greater sense of ownership.

Roy has come to terms with this state of affairs. He’s taken a ‘when you can’t beat them, join them’ approach. He has a simple mantra: since most employees are bound to leave in two or three years, the best thing to do is to get excellent work out of them while they are with you.

But CIOs still need to stretch the time that an employee spends in their companies by looking for ways to motivate them. Sadavarte wards off dollar pay checks and wider experience with "opportunity to work with cutting-edge technology, multiple career tracks to choose from, rotation possibilities across projects, a cultural environment, monetary gains, and training." He reiterates Briskman’s feeling about remuneration not playing a dominant role in hiring or retaining people.

This doesn’t mean that CIOs can get away with offering poor pay packages. Briskman’s company evaluates compensation plans and job descriptions annually through market surveys. Max New York Life, where Kumar is CIO, also uses annual appraisals but says that some positions are evaluated semi-annually. Sadavarte says Patni has special incentive schemes associated with particular projects. The problem with all these companies throwing money at employees is that there’s always going to be some company out there who can match your offer.

Another tactic CIOs can use is creating self-worth. “IT leaders must quit treating employment in IT as a great honor that others should instinctively understand,” points out Forrester’s Bright. Kumar agrees. “One important thing that keeps the IT team motivated in a non-IT company is communication. It is important to let your people know how important their job is to the organization.” Kumar also stresses that communication should run two ways: CIOs need to tell the teams how important they are to the organization, and tell the organization how crucial the IT team is to its overall success.

At Patni, they practise this. Using the SPARK (Systematic Pooling, Analyzing and Researching Knowledge) methodology, Sadavarte says Patni not only gets employees to stay longer but also secures greater employee buy-in and ownership. SPARK, says Sadavarte, is used to evaluate employee ideas transparently.

“One of our employees,” he recalls, “came up with an application portfolio rationalization system, while another employee came up with a service offering based on SOA. Both ideas were evaluated by SPARK, and those who suggested the ideas worked with SPARK to generate a concept and substantiate it in an iterative manner.” It helps that Patni backs the self-worth SPARK brings with monetary rewards. The amount, Sadavarte says, is based on the quantum of benefits realized from the idea.

Pray, How Do I Train?

According to a November 2006 Forrester survey of 281 IT decision-makers, IT professionals with project management, security, and architecture skills will be in higher demand in 2007. Gartner’s Roy believes that there is a serious shortage of skills in areas like high-end consulting, project management, core applications, and mainframes.

To keep an IT team motivated in a non-IT company, Amit Kumar, CIO of Max New York Life, says it is important to let your people know how important their jobs are to the organization.

Catch ’Em Young

Four tips to attract college graduates and student interns.

Start young(er). Once a student is in college, it may be too late. Spend time at local high schools; reach out to guidance counselors, and offer summer camps and internships to promising teenagers.

Create a college relationship manager. This person can develop relationships with key faculty, coordinate on-campus evangelizing and even follow up with new, young hires.

Bring back the interns. They’re cheap, they’re eager and they may eventually want a full-time job. Invest in a robust program and it will pay big dividends. Solicit advice from your former interns about what worked and what didn’t.

Take advantage of your vendors. They share your interest in attracting students to IT. Make the most of existing vendor programs in this area and look for win-win opportunities.

— By Stephanie Overby

With the shortage of skills covering such large parts of IT, it should come as no surprise that CIOs have taken to experimenting with people in their quest for employees who have the right skills. Kumar, who believes that cross-industry talent is less important in a potential employee who has the ability to learn, substantiates his philosophy with an example of a staffer who has been with Max New York Life for over four years.

“This person has a management degree and worked in the IT industry doing a pre-sales job,” he recalls. “He had absolutely no idea of the life insurance industry. Today, he’s known to have a lot of knowledge in his domain.”

Briskman has another approach. He prefers to look at a potential recruit as a ‘whole’ before hiring him or her. “We have a variety of skills that we look for. But the primary role of the IT team is to understand the business, know how to apply technology to improve productivity, and create competitive advantage,” he points out. He prefers people with varied experience, like knowledge of SAP modules and exposure to research & development solutions or pharmaceutical solutions.

Does the attitude of an employee count? Kumar is emphatic about its importance, posing key questions about the potential recruit: “Can he take up responsibilities in areas that are new for him? When confronted by a problem, does he step forward to take up the challenge, or does he step back?”

You can tell if a recruit will step up to the plate by carefully studying the responsibilities that he or she took up in the past, says Kumar. If a person has the ability to take up challenges, and possesses skills required by his company — like business analysis, technical management, IT services, and project management, to name a few — then Kumar is confident of hiring him.

This works fine in theory, but as Roy points out, there is a serious lack of connect between technical knowledge and business knowledge. “Someone could know all the latest technologies like .Net and Java programming, but may not be very good with business knowledge,” he says. But what with the current shortage of IT talent, can someone with expertise in just the technical domain be ignored? Roy doesn’t think so. “Companies should invest in getting such people into the groove,” he says. If you need people with plenty of business knowledge, he advises, then hire people with at least four years of experience.

Kumar is not alone. Sadavarte also puts a lot of weight on business skills. “Our overall IT strategy is aligned with our business goals. This is why I need people who understand the business,” he says. Since Patni works with multiple domains and platforms, he faces some difficulty in getting people with all the right skills.

Bright has a word of advice for CIOs: as hard as it is to avoid, don’t confuse buzzwords with skills. In a report titled Recruiting IT Talent: Adjusting to a Hot Market, which he wrote in July for Forrester, Bright says: “CIOs have trouble finding people with the specialized skills they need. When they place job ads on boards or in newspapers, they receive resumes from candidates with the right buzzwords but not the corresponding skill sets. Recruiting firms and HR departments without sufficient IT knowledge fall for this ruse. It lengthens the time and cost it takes to find truly qualified candidates. One CIO experienced this phenomenon firsthand, albeit as an employee. His resume included Lotus Notes and he kept receiving calls for Lotus Notes administrator positions.”

Is Outsourcing Right for Me?

Given how hard it is to round up and retain the right people, are CIOs considering outsourcing as an option?

Kumar of Max New York says he recently faced some attrition with business analysts and as a result, that function was temporarily outsourced to two different companies.

“Our staffing strategy is a mix of outsourcing of services and turnkey projects,” he says. Some services like data center operations are completely outsourced and turnkey projects are only outsourced because his company doesn’t always have the domain expertise, he says. However, with core aspects of the system, Kumar believes in a mix of outsourcing and in-sourcing. While a job may be outsourced, responsibility cannot, points out Kumar. “Take data center operations. These are completely outsourced but we still have our own employee as the data center manager,” he says.

Sadavarte says that he has to optimally use all the resources at his disposal in order to reduce costs and enhance value. To do this, he says he has to balance between in-house resources and outsourcing. “Outsourcing also helps to balance the peaks,” he says. As for using outsourcing as a tactic to tackle a staffing problem, he says: “We outsource, but for different considerations. Not to address the attrition issue. Being an IT company, we internalize critical processes and outsource for volume and niche skills.”

Is this a route more CIOs should take? Should they outsource something temporarily if they face a staffing crunch? Gartner’s Roy finds this untenable. “Outsourcing can never be used for the short term,” he states. “It has to be well thought out and has to be a well carved-out strategy.”

Briskman agrees with Roy. “We believe that partnering with other organizations to take care of certain day-to-day support helps leave IT staff to manage more strategic challenges,” he feels. This, he believes, helps enhance satisfaction of the in-house IT team, and impacts retention positively. But Briskman agrees with Kumar on the tactical reasons behind outsourcing, and says that outsourcing should be need-based and can take place at any level depending on organizational context.

Forrester’s Bright adds that outsourcing ultimately depends on the skill being outsourced. “Some skills cannot be outsourced,” he says firmly, because they require an underlying knowledge of business processes. Other areas where he feels outsourcing is not suitable are for processes that are inherently client-facing.

Gartner, however, is very gung-ho about outsourcing. According to a recent Gartner survey of more than 1,400 CIOs worldwide, IT budgets in India had the highest growth of 16.19 percent, compared with an average of 3.16 percent for the rest of the world. Gartner predicts Indian companies will increasingly go offshore in their sourcing strategies, which will result in outsourcing deals offered by some Indian companies that include higher end parts of service (for example, design and architecture, and business consulting) delivered from other parts of the world.

Strategies used for recruiting and retaining the people with the right skills are a little like buying wine — tastes vary from CIO to CIO. But research conducted by Forrester and Gartner seems to indicate that CIOs should try innovative ways to recruit and retain the people with the right skills, and outsource when required. But what is sauce to the goose is not sauce to the gander, and CIOs will have to evolve their own strategies based upon the requirements of their company. CIO

Special correspondent Balaji Narasimhan can be reached at [email protected]

Ranbaxy CIO David Briskman says he believes in outsourcing to take care of some areas in day-to-day support. This helps leave IT staff to manage more strategic challenges, thereby increasing staff satisfaction and retention.

Hiring ‘Shadow’ IT

Super users, business project leads, members of the “shadow” IT department: they may all be great additions to your IT organization.

Market, market, market. When you think you’ve just about overdone it marketing opportunities in IT, at company presentations, in department newsletters and at technology fairs or road shows, do it again. Some large IT organizations employ full-time marketers.

Create IT ambassadors in the business. The best ones are IT employees who used to work in business functions.

Start business-IT rotations. Yes, they should go both ways. If that seems like a leap, start by meeting with counterparts in the business to discuss the business users you’d like to bring to IT. This may lead to further discussions of rotation programs to benefit the business and IT.

Keep on top of the business candidate pool. Layoff in another department? That may mean there are IT-savvy business professionals looking for a new opportunity. ERP project winding down? That project lead in the business may be receptive to a job offer in IT.

— By Stephanie Overby


[Figure: Interpersonal Skills Sought for I.T. Jobs. Interpersonal skills charted: Comm.; Decision Making; Team Work; Planning, prioritizing, goal setting; Systematic Problem Solving; Multi-tasking. IT job areas charted: Project management; EA and design; Security; Business process skills; Network management; Legacy programming; Infrastructure architecture; Vendor/sourcing management; Change management; Emerging tech and R&D; Service management; Risk management; Packaged app support; Apps maintenance management; Financial management; IT HR management; Account management. Legend: Ranked 1st in importance, Ranked 2nd in importance, Ranked 3rd in importance. Base: 281 IT decision-makers. Note: Forrester included analysis, respecting diversity, tolerance of ambiguity, and negotiating in the survey but none was ranked as a top three interpersonal skill. Source: Forrester Research]


Weaving IT Into the Fabric of Design

Dinesh Hinduja, executive director of Gokaldas Exports, asserts that the garment industry can benefit from IT, in much the same way the auto industry has.

By Kanika Goswami

Dinesh Hinduja, executive director for production & marketing at Gokaldas Exports, has tapped IT to augment manufacturing and processes at the Rs 1,144-crore company, which is also India’s largest garment exporter. In 1979, he bought Gokaldas’ first desktop computer to maintain accounts. Today, the organization has developed a specialized accounting system that it plans to sell in countries like China.

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

Photo by Srivatsa Shandilya

Dinesh Hinduja expects I.T. to:

help grow his business by 15-20 percent

increase operational efficiency

run his assembly line remotely

track workers across various factories

CIO: Gokaldas is India’s largest exporter of apparel. Can you describe the journey?

Dinesh Hinduja: Before the Partition, my father moved to Bangalore from Pakistan, and set up a silk scarves and stoles business. The late 1960s saw a sudden glut in the market, and the business had to change. In 1971, while in Copenhagen, someone gave him two shirts to copy. Those two cheesecloth shirts became the cornerstone of our business.

There was nearly no mechanization in our manufacturing back then. I entered the industry in 1979, with $5,000 (Rs 50,000 then) and 40 leg machines in a 1,000-sq-ft. rented space. We worked in shifts, making garments in the morning and packing them towards the evening in the same area. We started directly with exports.

That year, with no knowledge of IT except for a friend from HP, Ravi Thambuchetty, I brought a computer into the company. I started with the (HCL) Workhorse, which we have preserved as an antique piece. This was the beginning of technology for us. It was largely used for accounting, and my first experience was making the company run like a horse. However, my father, who was responsible for accounting in those days, was very skeptical about computers. Even after we had the Workhorse, he would keep manual records, anticipating the day the machine would let us down.

Garment design is not traditionally associated with high-end technology. How does Gokaldas Exports use IT to enable business?

When we used computer tools in manufacturing for the first time, it was a design software imported from France called Prima Vision. It was expensive; we could hardly afford one license. This software is still being used across the company.

In the 1980s, IT support came to us in the form of Ravindhran, a techie who owned Vedha Automation. He helped develop software systems for Gokaldas. We designed a system for all our operations encompassing the entire process, manufacturing, order writing, the invoice generation, fabric design orders, and accessory orders. This was probably the first software application in the apparel export sector in India. It ensured greater efficiency since it replaced at least 40-50 people, all of whom would otherwise create manual orders to instruct factories about manufacturing plans.

Then, a friend came back from the U.S. and set up the World Fashion Exchange. I was impressed by his system and started working with him for an e-business gateway, a net-based software linking us with our vendors. Today, we also have software that lets us look into our customers’ systems and know exactly which styles are selling.

How does Gokaldas Exports use technology as a manufacturing aid?

Everybody thinks garment manufacturing is a dignified tailoring shop. But, you'd be amazed at the kind of IT that goes into a manufacturing setup of our size. We are more like Toyota's assembly line — we have the systems they have. On the production line, all mechanical systems are controlled by computers. You can operate the entire assembly virtually.

At the manufacturing level, pattern-making constitutes an important area. We used to have pattern-makers whose patterns caused problems at the production line, and we paid through our nose. CAD systems replaced these inefficiencies. And instead of having 70-80 manual pattern-makers, we could do with five to six systems generating patterns effortlessly.

Our need for devices enabling bulk cutting production grew with time. Our tremendous growth in volumes triggered greater automation needs. Today, we have reached the level of technical expertise where cutting instructions are sent by e-mail.

We started using different types of computerized sewing machinery, which had inbuilt pattern programs manufactured by Gerber. We are its largest client with more than 120 systems, and almost 20 automatic cutters. Apart from that, all factories have cameras. There’s no need to travel across 48 factories within a 15-kilometer radius.

Another big saving has been virtual fit — it’s called Browse Wear. With it, we can virtually fit the style on the system since speed-to-market is the essence of this business. People want to buy according to the season and sellers don’t want inventories held for a long time.

Do you plan to become an application service provider to your domain?

In India, no one provides this software, even though these applications have a fantastic market. Maybe someday, the domain knowledge we have can be put to good use by a technocrat and Gokaldas may start selling software applications too.

What role does your CIO play in your strategic planning?

We have a very well-qualified CIO. We do our line plans with the help of systems, so IT and the CIO are an integral part of our planning. The CIO is an enabler. He can suggest the way forward, but he is not a businessman. Even though he is very thorough with his knowledge and very efficient, that’s the only line I would want him to stay in. I don’t want him to interfere in the business.

What would be the best approach for your CIO to justify a technology strategy for Gokaldas?

I am very open to new ideas. Ours was the first company to bring the barcode to India. When The Wearhouse (Gokaldas’ retail store) opened in 1986, I had seen barcoding in Hong Kong, and I got Ravi to develop it here. Till today, his systems are the ones that are running in retail outlets across India. All the shops have barcoding software that originated here. A technology that will give an impetus to my business will always convince me.

One of the suggestions that my CIO made, and which turned out to be very useful, was to do with labor movement around the factories. We often had people leaving our factories and joining factories in our own group. We needed to keep track of them. My CIO came up with thumb impression ID software. Every new recruit will have one and we can catch them if they move into another factory. They can give a fake name, but cannot fake these prints.

What new technology is Gokaldas trying now?

We are studying the applicability of RFID, but at the moment it is too expensive for garments. Putting a Rs-40 RFID tag on 1 lakh garments per day, I would have nothing left. But maybe, we could consider RFID for machinery and for inventory since we move it around so much.

Our embroidery machines, washing machines and dyeing machines are computer-operated — all developed in-house. Our latest initiatives are also a part of the same process.

Are your export processes EDI compliant? What insights have you got from your overseas counterparts?

Yes, we are EDI (Electronic Data Interchange) compliant with all our buyers. We have been trying to go paperless but not all international trade is paperless; you still need documents. Payment systems have become faster and easier with IT applications in payment gateways and banking procedures.

Comparing ourselves with foreign counterparts in technical skills, I would say that we are technically superior. I remember the first e-mail there (in Hong Kong) was called CompuServe. You could purchase it in Hong Kong, and I made those packages and sent it out to my clients. No one was comfortable with it. Everybody sent the packages back to me saying it was Greek and Latin to them. The only one who understood and used it is the boss of WFX (World Fashion Exchange) today.

Is IT changing the face of manufacturing/design in the Indian apparel industry?

Yes, it is. There is a lot of IT in the pipeline today and many companies are getting into this kind of technology. Everybody is following the trend.

Could you compare the Indian and Chinese industries with regard to technological progress?

China doesn’t have process systems at all; they are nowhere near us even though they are bigger manufacturers. They have very average IT skills. They can do much better if they have the IT knowledge that we do. India is very advanced in this field.

In fact, I am thinking of marketing garment export accounting packages to China and other places. I want to be the Tally of garment business.

Do you think the entry of new retail giants will affect your market?

That is why I am moving out of retail. At the moment, it is not our core business and we don’t have time to study it. That is also why I am in the process of withdrawing my last two Wearhouse shops from the market. But I would definitely be interested in coming back sometime, maybe in a partnership with some big international brand that we have been working with.

The best brands — Gap, Nike, Adidas, Decathlon, Puma, Polo and Esprit — are all my clients. Even brands like Tommy Hilfiger. In fact, Hilfiger himself was here in Bangalore in 1979. We started with him and he never forgets to mention it. We make Abercrombie (and Fitch) jackets as well. So maybe, someday we can partner with them in India.

In the absence of quotas and restrictions, do you think your market can grow bigger?

Till 2004, the entire market was controlled by quotas. Post 2004, we jumped from Rs 250 crore to Rs 1,000 crore in two years; that speaks for itself. I used to make 1 lakh trousers in the old days. Now, we are free. I make a million trousers a month. It’s growth all the way. I would also like to increase the brand basket and grow by at least 15-20 percent. We have technology to help us along. CIO

Special correspondent Kanika Goswami can be reached at [email protected]

SNAPSHOT

Gokaldas Exports

Primary business: Manufacturer and exporter of apparel

Revenue: Rs 1,144 crore

Workforce: 39,000

Factories: 48

IT team: 40

Annual IT budget: Rs 1 crore

CIO: B. Jaychandran

Risk Management

How You Can Fight Cyber Crime

Online crime is organized, its perpetrators attack deliberately, and the likelihood that they will attack your company — even shut it down — is growing. Here’s how to mitigate the risk.

By Christopher Koch

Reader ROI:

How cyber criminals are becoming more sophisticated

Steps companies can take to combat the threat

How CIOs can gain top-level business support for security investments

Kevin Dougherty has seen his share of spam and phishing scams, as has any IT leader in the financial services industry. But the sender’s name on this particular e-mail sent a shudder down his spine: it was from one of his board members at the Central Florida Educators’ Federal Credit Union (CFEFCU).

The e-mail claimed in convincing detail that there was a problem with the migration to a new Visa credit card that the board member was promoting to the credit union’s customers. The fraudulent message urged customers to click on a link — to a phony website set up by criminals — and enter their account information to fix the problem.

But what happened later that Friday afternoon — after Dougherty, who is senior vice president of IT and marketing, had wiped the credit card migration information off the website and put up an alert warning customers of the scam — really scared him. Around 2 p.m., the site suddenly went dark, like someone had hit it with a baseball bat.

That’s when Dougherty realized that he was dealing with something he hadn’t seen before. And he couldn’t describe it with conventional terms like phishing or spamming. This was an organized criminal conspiracy targeting his bank. “This wasn’t random,” he says. “They saw what we were doing with the credit card and came at us hard.”

Dougherty’s website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that, at its peak, shot more than 600,000 packets per second of bogus service requests at his servers from a coordinated firing squad of compromised computers around the globe. That the criminals had the skill and foresight to launch a two-pronged attack against Dougherty and his customers was a clear indication of how far online crime, which is now a Rs 11,200 crore business according to research company Gartner, has come in the past few years.

Though this dark business largely targets financial services companies, there are signs that criminals are beginning to covet new victims. Since January, phishers have been documented going after “many types of websites not typically targeted,” such as social networking and gambling sites, according to the Anti-Phishing Working Group, a research group.

As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems, affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security-spend based on the overall threat that cybercrime poses.

If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”

How Cybercrime Is Changing

The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. “The new paradigm is to not make big, noisy attacks,” says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the US Department of Justice.

Phishing attacks increasingly use subtle ways of gleaning information that are not apparent to even the most educated computer users. As the sophistication of the attacks continues to improve, the percentage of consumers who click where they shouldn’t has risen from 18.6 percent in 2004 to 24.9 percent last year, according to Gartner. Online crime “will spread from financial services as the use of indirect attacking grows,” says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University. “For example, perhaps you go to a funny cartoon website where it asks for information that mimics what’s needed to impersonate you on eBay.”

That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost. The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft.

For businesses, the unseen costs are even higher. For 56 organizations studied by the Ponemon Institute that experienced the loss or theft of customers’ personal data, the loss of business resulting from the breach eclipsed by nearly Rs 160 lakh the combined cost of detecting an attack, notifying customers and helping them work through any resulting problems (on average, Rs 5,120 per compromised record and Rs 10.4 crore in total).

Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost Rs 600 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.

After a cyber attack disabled the website of the Central Florida Educators’ Federal Credit Union, Senior VP of IT and Marketing Kevin Dougherty convinced his CEO and board to consider security as a critical business issue.

What Happens When You’re Unprepared

Dougherty faced these broad risks on that awful Friday afternoon last August, when a criminal website intent on stealing the identities of Dougherty’s members was his only operating face to the world on the Web.

Obviously, the first thing Dougherty had to do was stop the attack. He had to hurriedly assemble a coalition of vendors and consultants to help him, and then he had to convince his CEO that drastic steps were needed — steps that would temporarily cut off customers from any possibility of getting to their accounts online until the problems were completely eradicated.

Dougherty wanted to have the site temporarily blacklisted with his telecom provider, BellSouth, to deflect the attack, thereby reducing pressure on the site and giving him the time and flexibility to make protective changes. But his CEO resisted — as might anyone who has not experienced an attack. “He wanted to keep it up so we could service the members,” says Dougherty.

At 11 p.m., after a long night of battling the attackers and plotting strategy, Dougherty finally convinced his CEO to have the site blacklisted and to take a break until morning. Continuing in a tired and emotional state would have played into the attackers’ hands. “It’s a mind game,” says Dougherty.

By Saturday morning, Dougherty had RSA, a security vendor he called in when the attacks began, working to set up a ‘take-down’ service that seeks out and dispatches criminal websites (in this case, more than 30) with its own cyber baseball bat. Meanwhile, BellSouth began beefing up security around the credit union site to try to thwart attacks. Dougherty also began planning with RSA to build multifactor authentication into the website. As these solutions emerged, the CEO became comfortable with Dougherty’s blacklisting decision. “We built heightened awareness with the board and the executive management team,” says Dougherty. The site was back up by Saturday evening. In the end, 22 customers gave up their information to the thieves and the total losses were “less than five figures,” says Dougherty. Though the credit union had averted disaster, “it was a rude awakening,” he says.


Who You Gonna Call?

When cybercriminals strike, law enforcement agencies are often overwhelmed. So, CIOs are looking elsewhere for help.

When the website of the Central Florida Educators’ Federal Credit Union was attacked by phishers last August, CIO and VP of Marketing Kevin Dougherty’s first instinct wasn’t to call the police. Though he did eventually contact the FBI, “unless you can say you were hit with some very large dollar amounts, I don’t think they have enough people to deal with this,” he says.

And so CIOs like Dougherty are assembling crime-fighting coalitions from among consultants, vendors and telecom providers. There’s a historical parallel, says Peter Cassidy, secretary general of the Anti-Phishing Working Group. When banks opened up 150 years ago, there wasn’t an FBI, “so banks hired private law enforcement like the Pinkertons,” he says. One day, there will be routine cyber-investigations, “but for now, we are still in the Wild West.”

Law enforcement faces several challenges. First is the nature of cybercrime: global and independent of geography. Hackers in Russia can steal money from a bank in the United States using a computer in France quickly, cheaply and with no human intervention required. And their fingerprints — the IP addresses of the computers that initiate the attacks — can be made to disappear before investigators can track them, according to Ron Plesco, director of the Privacy and Special Projects Group for consultancy SRA International. Internet service providers keep logs of every connection but can’t afford to hang on to the piles of data for more than a few days without overwhelming their storage systems.

There’s also a shortage of computer expertise among the FBI and Secret Service, which investigate cybercrime, and the US Department of Justice, which prosecutes it. Given the manpower shortages, investigators need to limit themselves to cases with big losses. Unfortunately, the majority of cybercrimes are committed by small operators, says Uriel Maimon, senior researcher in the office of the CTO of security provider RSA. “There aren’t many Rs 1-crore frauds,” he says, but there are a lot of Rs 80,000 cases — a big-enough haul for a criminal in an impoverished country.

Finally, there is the complexity of fighting crime across different countries, many of which lack laws that specifically target cybercriminals. Experts speculate that we could someday see the rise of a new global organization specifically targeted at cybercrime, much as the FBI was created to take on the automobile-fueled rise of interstate crime in the 1920s and ’30s. Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the US Department of Justice, is skeptical. “What we need to do is connect the dots rather than create a new über-organization,” he says. Painter chairs a G8 committee that has agreements with 48 countries, which have identified cyber-investigators whom they make available to the network 24/7, he says.

— C.K.


Firewalls Aren’t Enough

Dougherty also woke up to the fact that he needed to communicate more with his executives and the board about IT security and its link with the bank’s risk and security strategies. Now, he scans banking conference agendas for security content and encourages his executives and board members to attend. Sometimes, he accompanies them. “I was with our chairman at a conference and there was a security presentation, and I said, 'Why don’t you come down and we’ll go to this together?' Then, when he had questions, I was there to answer them. Sometimes, the technology scares them and you have to get them comfortable with it.”

Every month, Dougherty also sends three or four security articles to executives and the board that he encourages them to read. He has subscribed to a fraud intelligence information service from RSA that gives updates on the latest threats and suggested responses, and he passes that information along too. “It’s vital to have data to relay to my management team,” he says.

Dougherty is also in charge of all training for employees and has broadened that educational effort to include security. He now demands that at least one security article go in each edition of the bank’s quarterly newsletter.

He doesn’t think he has a choice because the auditors have become tougher. In the wake of the attack, the bank strengthened its audits that tested for vulnerabilities, both online and off. One of those tests inside branches found that crooks didn’t need the Internet to gain access to data. “We had guys sling monitors over their backs and tell the tellers they needed to fix the computers. They got past our tellers in three branches,” Dougherty sighs. “But, I would rather have the auditors find these things than someone else.”

With so much at stake, however, CIOs have to move beyond such traditional defensive strategies. They need a protection strategy for the data too. The threat of security breaches by rogue employees or contractors has always been higher than the threat from criminals outside. But now, the outsider threat is increased due to the greater portability of data via mobile devices, says Joe Nackashi, CTO of Fidelity Information Services, which hosts data not just for Fidelity but for other financial services companies as well.

In 2004, Fidelity began encrypting all of its financial data, not just on its internal systems, but on any device that enters or exits the data center, including laptops, thumb drives and magnetic tapes for mainframes. This way, “even if you lose the data, it will be scrambled when someone tries to recover it,” says Nackashi.

But encryption is expensive (because of the effort involved to dress data in extra scrambling code) and complex, requiring processes for deciding what to encrypt when, where, why and by whom. Furthermore, encryption is only as strong as its weakest link. If business partners and contractors don’t follow the same processes and use the same encryption methods, all that scrambling is for naught. These difficulties probably account for why only 16 percent of organizations surveyed by the Ponemon Institute said they had an enterprisewide encryption strategy.

Yet more companies, including those outside of financial services, will need to consider encryption for their most sensitive data. The growth in mobile devices and the ability of employees to install and run their own software gives data legs to run around the firewall — what Nackashi calls “data in flight.”

Though Nackashi won’t say how much Fidelity spends on its encryption effort, it is evident in the amount of management time he has devoted to it. “Two years ago, it probably consumed 100 percent of my time because we were planning the strategy,” he says. “Today, we’re in implementation mode, so it is probably 30 percent.” This despite the fact that Fidelity has a full-time chief information security officer who is Nackashi’s peer. Overall, Fidelity’s security staff has grown 30 percent over the past two years, he estimates. “This isn’t something you can compromise on from our perspective,” he says. “The nature of the business we operate in leaves us no luxury to play fast follower.”

Get C-Level Buy-In

Such dramatic increases in security staffing and spending are a barometer of cybercrime’s evolution from IT nuisance to business risk. Scottrade’s Patterson has quadrupled his security staff from two to eight since 2004, and he estimates it will more than double next year.

Anyone who resists this growth in security spending needs to consider the bigger picture, says Patterson. “What if a breach among a small number of customers caused us to lose 170,000 or 300,000 customers overall, what would be the business ramifications of that? Everyone has to be in agreement that whatever that number is, you build your ROI from that.”


The proliferation of mobile devices means companies need to protect their data, not just their networks, says Joe Nackashi, CTO of Fidelity Information Systems.


As a way to give information security the billing it deserves, Patterson has pushed Scottrade to link it with the company’s disaster recovery and business continuity strategies. “We lost some of our branches in [Hurricane] Katrina,” says Patterson. “If you have a DDoS attack you have to do some of the same things. You have to reroute people and phones and make sure the communications about the situation are clear and concise.” Meanwhile, at CFEFCU, Dougherty has consultants to do a data breach business impact analysis that links to the organization’s disaster recovery strategies.

But CIOs can’t be left as the sole advocates of a broader risk strategy, or it will never happen. Executive committees and boards have to be involved in the decision making. “I put up a picture of the Kremlin when I present to the executive committee. Whatever it takes,” laughs Scottrade’s Patterson. The picture is a reference to Russia as a hotbed of cybercrime. “The business has to be just as aware of this as I am.”

One way he builds awareness is to present a set of security key performance indicators to his executive committee every month.

For example, he gives an overall report on internal and external vulnerabilities by tracking intrusion alerts and monitoring the security patching efforts, broken down by data center and hardware at Scottrade’s corporate facilities as well as at its branches. Eighteen months ago, he says, “we were not tracking this information.”

Dougherty’s CEO and board now also are vested in security as a critical business metric. Perhaps the best evidence of this was when his site was attacked again later in the summer. The attack was neutralized within a few hours, says Dougherty, because of the new strategies he had in place, but also because there was no need to argue any of them with the CEO or the board. “They just need to understand what’s going on,” he says. “They need to know that responses are being made.” CIO


Stop Them Before They Click — Again

Educating users won’t prevent them from giving up info to fraudsters. Take them out of the loop.

You may need to wait a minute for another sucker to be born, but you can find one anytime you want online.

In a recent MIT-Harvard study to determine online gullibility, 36 percent of test subjects logged in to their online bank accounts despite being presented with a strong warning page saying that their bank site’s security certificate was not valid. Not one person noticed when HTTPS, the secure form of HTTP, was stripped away — they offered up their passwords anyway.

Although our instincts tell us that better education might have saved these users from themselves, there is a growing consensus among researchers that education will never stop many people from clicking when they shouldn’t. The problem, says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University, is one of focus. “When people go online, they are focused on other things besides security,” he says. “They want to pay their bills online or talk to their friends. People don’t pay attention to security clues online.” Even when, as in the MIT-Harvard study, they are reminded to pay attention to warnings.

Meanwhile, the kind of information that lulls victims into a false sense of security is still widely available online. In a 2005 study, Jakobsson was easily able to find the Social Security numbers and mothers’ maiden names of millions of Texans online. “When the e-mail comes with your mother’s maiden name already in there, it’s a lot easier to click,” he says.

So what to do? Some suggest issuing new passwords through small electronic fobs called tokens each time someone logs in to a site, or requiring account holders to verify withdrawals via a cell phone call. But both solutions are costly, complex and potentially inconvenient to customers. The best answer may be to relieve home computer users of responsibility for computer security.

Already, some ISPs are offering security software as part of their subscription pricing, judging that the extra cost is more than balanced out by reducing the risks they face from the pipe-clogging spam and malware. With 2.4 million unsecured broadband connections in the United States today, according to Consumer Reports, it may be time for the IT industry to face that consumers will never close the security gap by themselves. To the extent that end-user companies could be liable for their customers’ inaction, they need to weigh the risk of leaving the responsibility for managing security in the hands of customers who may never do it adequately.

— C.K.


Rajendra Bandi, associate professor of information systems at IIM, reiterates the need to involve government officers in the development phase of IT projects.


To succeed, e-government projects need to avoid excessive focus on technology and find champions, says Prof. Rajendra Bandi of IIM, Bangalore.

Photo by Srivatsa Shandilya | Imaging by Unnikrishnan AV

Interview | Prof. Rajendra Bandi

Putting People First

By Kanika Goswami

Rajendra Bandi, associate professor of information systems at IIM, Bangalore, has varied interests in academia. He has studied the social impact of computing, computing ethics, knowledge management, and IT in government, among others.

As a member of the technical advisory panel established by Karnataka’s Department of IT, Bandi has guided several e-governance initiatives. Further, he has made comparative studies on some of these e-government projects. In an interview to CIO India, Bandi talked about the state of e-government projects across the country, and suggested ways to improve them. Excerpts:

CIO: Do you think technology has been adequately utilized in e-governance projects across the country?

Rajendra Bandi: I would use the word ‘appropriately’ utilized. I would also say that most e-govern initiatives undertaken in the country, with a few exceptions, are technology-obsessed. To me, e-governance is a much broader phenomenon. Technology is but one component. But unfortunately, in most governance applications, more importance is given to technology than to other components. In that sense, it has been more than adequately utilized, and it’s not really good.

In e-governance the ‘e’ should simply precede the hyphen and governance should be core; ‘e’ should not drive the entire project. Far too often, we see projects which are pushed so aggressively by technology; governance objectives should take priority.

What is more important in a govern project — technology or people?

I would attach more importance to people-ware, then software, and then hardware. In the government, I have seen that a good number of projects are run the other way round. In a broader sense, it is nothing but an information systems implementation. Where you see projects that are successful, it’s because they have got the priority right.


In e-governance the ‘e’ should simply precede the hyphen, and governance should be core; ‘e’ should not drive projects. Governance objectives should take priority.

How do you think technologies like GIS (geographical information systems) help in real-time planning? Do you feel GIS has got the place it deserves in planning?

You bet it has. I think GIS technology is mature today. In fact, I would say that it is one of the most underutilized things, particularly in government projects. Wherever there are spatial issues involved, there is scope for GIS. I cannot visualize a government project where GIS cannot be used. I see it being core, as databases are core to most systems. Given the kind of maturity we have reached in today’s ecosystems, the tools of GIS are affordable, extremely easy to use, and nicely integrated. So, I would expect to see more and more of GIS.

You have been associated with a number of e-govern projects in Karnataka. Which of them do you think have succeeded in meeting their objectives?

I can’t comment on which ones (have been successful). For those that were successful, I can point out a couple of factors responsible for the success. One is the tenure of the champion of the project. In fact, preceding that is the presence of a champion for a particular project. But once there is a champion, his continuing presence helps. Most often, ownership is associated with a high rank, where the officer doesn’t have a sense of security about his permanence. Very often, by the time the project reaches its climax, the champion is shunted out and the next person either has no incentive to see it through or the sense of ownership doesn’t exist.

In your experience, how does a developer’s approach to IT make a In your experience, how does a developer’s approach to IT make a difference to a project?difference to a project?

I categorize the project heads’ approach to IT into one of four ‘I’s: Ignore: Ignore: Ignore: Those who say, ‘My department is unique’, ‘our focus is Those who say, ‘My department is unique’, ‘our focus is Those who say, ‘My department is unique’, ‘our focus is

much more on people interface’, and ‘we cannot spend time and money much more on people interface’, and ‘we cannot spend time and money much more on people interface’, and ‘we cannot spend time and money on technology.’ Today, most departments don’t do this.

Isolated: Isolated: Those who say, ‘Yes, technology may be important but that’s Those who say, ‘Yes, technology may be important but that’s not my job.’ A good number of organizations in the government in not my job.’ A good number of organizations in the government in today’s context think this way — a substantial majority. They usually today’s context think this way — a substantial majority. They usually pass the buck to a more technologically inclined department.

Idolize: Idolize: Project heads who take IT to the other extreme. Those Project heads who take IT to the other extreme. Those officers who think technology is the beginning and end of everything, officers who think technology is the beginning and end of everything, and can solve any problem. Unfortunately, there is an emerging trend and can solve any problem. Unfortunately, there is an emerging trend with a significant number of instances where this approach is taken.with a significant number of instances where this approach is taken.

Integrate: where officers understand that technology is just one component in e-governance. If I introduce IT, it is only a new change introduction. Technology is one of the change factors. This exists in very few departments. The departments that can take this perspective are the ones that have been successful. They use the right mix of technology and governance. These are departments that will continue to survive even after the officer has moved away. Fortunately, there are more and more people who are coming into this category.

Do you think there is adequate training and education before governance projects?

IT usage and applicability vary drastically from project to project. There are two different issues. One is the extent the officials are involved in the development process. Training is the second part.

Training is not merely showing the features of a software — it’s also about making it usable. In some cases, training given to the implementation people is not synchronized with the timing of a launch. In one case, training was given, but the system was not ready. And by the time it came, the people had forgotten what they were taught.


Interview | Prof. Rajendra Bandi

Another situation is when a vendor has trained everyone, but when you ask the staff they are not comfortable with the application. The problem need not be with the trainers, it could also be because right inputs weren’t given, or were not given at the right time, or the trainer did not understand the usability part.

Another aspect of training is preparing operators for a change of mindset because of a completely different environment. Operator training sessions have to be about preparing the operators to think differently, about the usage in the changed context.

In Bhoomi, for instance, when a new technology was being introduced, 30-40 officers were given training and were sent back to their villages with the assurance that they would get help. When implementing in rural areas, training is very crucial — in a metro it’s different. I talked to some officers in far-flung areas and one consistent input was that whenever they wanted help, they called this one operator. That kind of backup is what helps, not just a training manual.

You have evaluated several e-government projects. Could you compare citizen services programs such as Bangalore One and eSeva?

Bangalore One and eSeva are not really quite different. eSeva has been around for a longer time, and Bangalore One has explicitly gone on record saying they are copying the success of eSeva. They have the same business model and even the same technology partners. NISG (National Institute of Smart Governance) happens to be one of their consultants.

It is not fair to compare eSeva with Bangalore One because the latter is only in Bangalore, not across Karnataka; eSeva is a statewide project. There is also Project Nemmadi (peace), offering citizen services, a rural initiative in Karnataka. It doesn’t get into many services; it is focusing on core governmental issues like birth certificates etcetera.

Friends in Kerala, for example, in terms of the architecture and service providers, have taken an entirely different business model, quite in contrast with the eSeva model.

I don’t want to compare projects, though there are common points. The best known common points are centralization-decentralization approach where all the centers throughout the state have been connected like in eSeva, or one has taken a decentralized approach, as in Bangalore One. The second one is, top down versus bottom up. The first is where everything is pushed from the secretariat downwards, as in most projects; while the bottom up is one where citizen initiative carries the project forward. Friends is a bottom up initiative.

What role do politicians play in the success or failure of governance projects in India?

Bureaucracy is one area which has to have an interface with the political machinery. So support from the appropriate political machinery is absolutely important. Without impetus from political leaders, it is difficult. In his role, the politician can be a CEO. For instance the last CM of AP (N. Chandrababu Naidu) was playing the role of a CEO, standing behind his officers and giving them support, saying: go ahead and do it, I am with you. That support from the CEO is important, whether he is a politician or a bureaucrat.

Another situation could be where the politician can be a technology master, an individual who understands both the technology issues as well as business issues relating to the particular department.

Politicians can play a critical role in ensuring success by just leaving the implementing officer alone. (Interference from politicians can also ruin a project.) If they want to, they can finish a good govern project by a seemingly insignificant move. I remember an instance where a politician did not do anything more than cause delay of payments to the private partner in a public-private-partnership project. How long can the private company sustain? This was his way of making sure the initiative died a natural death.

In your opinion, what are the major reasons for the failure of govern projects in India?

Reasons for failure of the projects are straightforward. It’s not always only about politicians. There are other factors like the lack of a stable champion, a good, clear objective and inappropriate training. Sometimes over-emphasis on technology while compromising on governance issues is also a reason for failure.

How tech-savvy are state governments?

There are highly varied experiences, one cannot really say. Successful projects are there everywhere. One thing I can say for sure is AP (Andhra Pradesh) has a lot of media mileage. There are a whole range of other states doing equally well. Their variety of initiatives are better, and I may even go on to say that you will see interesting projects in the North-Eastern states, even Bihar and UP. There are differences, but one cannot form opinions based on media coverage. I can safely say that in terms of IT usage, no state is really left behind.

Is any estimation or evaluation ever done on the expenditure and investments on e-govern projects in India?

Expenditure in hard numbers is done but what is not done is really the outcomes of these projects and whether they have met their objectives. Often the impact is not really measured. This is because, in a good number of cases, objectives were not well-defined. That needs to be done first, in order to evaluate a project. Even if estimates are given, it is mostly one-time. Operating expenses are not accounted for and very often not even budgeted for. So, accounting over a long term becomes difficult. Very often, this contributes to the failure of the projects.

I can give one example of a project where funds were sanctioned, hardware was procured, people were trained, but everything was lying unused. There was no budget provided for consumables, so there was no printing paper. Recurring expenses were not budgeted for. How can we evaluate a project until all its aspects are taken care of?

Special correspondent Kanika Goswami can be reached at [email protected]

THE BIG ROLL-OUT

100,000: The number of common services kiosks to be set up under the National e-Governance plan.

Source: Press Information Bureau, Government of India


Stuck in the SOA Soup

By Bob Violino

An alphabet soup of industry standards has emerged around service-oriented architecture. But you don’t have to drown in this bowl of acronyms.

Illustration by PC Anoop

I.T. Architecture | While the potential benefits of SOA are clear, like the ability to reuse existing assets, the standards picture looks anything but settled.

In its most recent study on the topic, Forrester Research counted some 115 standards floating around SOA and Web services! It also found it impossible to confirm which vendors support which standards. Yet, CIOs must press ahead with SOA projects in order to meet business needs. Hong Zhang, director and chief architect of IT Architectures and Standards at General Motors, has been balancing the standards dilemma with ongoing SOA work for several years.

Zhang says it’s actually good that there are many standards related to SOA. “This indicates that the software industry is moving toward a broad adoption of SOA,” he says. “The challenge is that there is no common, consistent architectural framework to guide the evolution, integrity and integration across these standards. Many of these standards are not yet mature.”

How can CIOs navigate the muddy waters until those standards do grow up? Technology executives and industry experts offer this advice: closely monitor the standards scene and keep your options open but, by all means, don’t delay the launch of key SOA projects. Several strategies can help you avoid getting stuck in a standards pickle.

The Standards That Matter

First off, you can construct just a key list of standards, not a comprehensive one, as you do your SOA planning. For instance, standards such as SOAP and WSDL have been broadly adopted and others, including WS-Security, are ready for wide adoption, says Randy Heffner, an analyst at Forrester Research. But other specifications needed to build Web services that operate with high quality of service — such as standards for management, transactions and advanced security — are mature enough only for aggressive technology adopters, he says.

Of the emerging SOA and Web services standards, Heffner says CIOs should focus on the following: SOAP 1.1, WSDL 1.1, WS-I Basic Profile 1.0 or 1.1, UDDI 3.0.2, WS-Security 1.0 or 1.1, WS-BPEL 2.0, BPMN, WSRP 1.0, XML Schema 1.0, XSLT 1.0, XPath 1.0, XQuery 1.0, XML Signature and XML Encryption.

CIOs should favor standards-based SOA over native protocols, Heffner says, “but don’t sacrifice needed quality of service (QoS) for any given app just to use standards.” Where an application must have greater QoS than Web services can provide, “do tactical workarounds that stay close to the design models of emerging specifications,” he says. Is it necessary for CIOs to know which vendors are supporting which standards at this point? “Not in a comprehensive way,” Heffner says. “But CIOs that are making a major software infrastructure partner choice should get a strong picture of candidate vendors’ current and future support for SOA and Web services specs.” You need to understand your current vendors’ plans as well, he says. Otherwise, you risk investing in technology that might not meet the long-term business goals of the organization or its SOA strategy.

Many organizations will look for temporary solutions — say middleware — to overcome a lack of mature standards. “From the CIO’s perspective, there’s a lot of pressure to adopt a middleware platform to fill in where standards are not there, but in a way that doesn’t lock them into it,” says Jim Stogdill, CTO at Gestalt LLC, a defense and energy consulting firm that helps clients launch SOA projects.

But it’s important not to commit too much to one middleware vendor, “because it will be much more disruptive later to swap out,” he says.

Stogdill advises organizations to stick with fairly common standards such as SOAP and WSDL, “and also look to where your line of business application vendors are providing services: then, integrate line of business applications via those service interfaces using unintrusive middleware.”

GM’s Selective Strategy

For its part, General Motors learned in its early SOA efforts to identify which standards were most important to what the company was trying to achieve. GM launched its first SOA project in 2000, an architecture called Northstar, for its global online vehicle showroom services (GM Global BuyPower). Northstar’s goal: to establish a global common SOA plan flexible enough to support the dynamics of GM’s business, says Zhang. To achieve this, GM designed the architecture to separate business functions from business process flow (the sequence of the business functions to be performed). The company also separated the physical locations of business data from those of the business functions using the data, and user interfaces from the business process flow, business functions, and business data, Zhang says.

GM successfully deployed the Northstar architecture in more than 40 countries in 2001. The architecture helped GM fulfill various business needs quickly, such as meeting data location regulations, making business process flow changes based on business engagement rules and varying the end user’s software experience based on culture differences in individual countries, says Zhang.

Since the company also uses SOA in other consumer-focused online services, including GM OnStar services, it plans to develop an enterprisewide strategy and governance program for broad deployment of SOA internally and with external partners, he says. As part of the planning for GM’s next-generation SOA implementation, he’s evaluating the latest enabling standards and technologies.

For GM today, the most important specs are those that help standardize the interfaces among services across the well-defined service layers (presentation, business process and so on). The next most important specs are those that help standardize the implementation of the services within each of the service layers.

As part of developing its enterprisewide SOA strategy, the company is identifying the SOA standards around which of its needs are mature, which should be monitored and which are mandatory. Among these, GM is looking at WS-I Basic Profile 1.1 for enterprisewide interoperability. After this, the company will be able to make a well-informed decision about which vendors and products to use in its broad rollout of SOA.

3 SOA Implementation Tips

Three tips for navigating the sea of service-oriented architecture standards.

1. Use your early SOA efforts to help decide which standards are most important to your business goals.

2. Ask for examples of successful SOA standards deployment stories. Just because standards have been out for a year doesn’t necessarily mean they’re ready for full-scale deployment.

3. If you’re using middleware to provide a temporary integration fix because of the lack of a suitable standard, make sure not to overcommit to one vendor or product.

—B.V.

Another SOA adopter, TD Banknorth, has taken a strategy of prioritizing standards adopted by vendors recognized as market leaders in the SOA space (for example, webMethods) and those recognized by several key standards organizations. The banking company is using a service-based architecture as a framework for the development of Web services for application integration, according to CIO and executive VP John Petrey. TD Banknorth initially used SOA in 2004 when it deployed webMethods’ Fabric software suite to use a Web service to simplify the process of completing customer address changes.

The Web service, being implemented now, allows TD Banknorth’s call center agents or branch employees to make changes in address, then automatically have those changes take effect in each of the customer’s accounts with the bank. Today, TD Banknorth is planning other SOA projects, one involving a small-business loan origination service and another for the company’s online banking system.

“The primary benefit of SOA we realize is significant reuse of services across the integration solution space,” says Petrey.

That’s resulting in a substantial reduction in service development time and the creation of higher-quality services that require less debugging and testing, he says.

To date, TD Banknorth has adopted basic standards around Web services, including XSD, SOAP and WSDL, says Petrey. “Going forward, the most important standards will be related to WS-I, like policy, reliability and security, and, to a lesser degree, addressing,” he says.

The bank works “only with standards adopted by vendors recognized as market leaders in the SOA space…and regarded as sufficiently mature” by industry research firms such as Gartner, Petrey says. “The standards we adopt are recognized by multiple standards organizations like W3C and WS-I,” he adds.

TD Banknorth queried companies that had adopted standards such as WS-Security and SAML, “and found that most were struggling,” says Petrey. “The standards supposedly were ready for adoption over a year earlier, yet no one was really using the standards the way they were designed or marketed. We didn't find a success story.”

Among the lessons the bank has learned in its foray into SOA: build an architecture in a way that promotes a modular, flexible and incremental deployment, “with placeholders for those standards to be adopted as subsequent functionality requires,” says Petrey.

Mastering Middleware

At smaller organizations, some CIOs are forging ahead with SOA without a major emphasis on standards. The John F. Kennedy Center for the Performing Arts in Washington, D.C., is a midsize organization that uses a lot of commercial software products, some of which are moving toward SOA, says Alan Levine, the CIO.

For example, the center’s enterprise resource planning vendor, Lawson, is moving to a services architecture. The Kennedy Center’s customer relationship management platform, Tessitura — an industry-specific application developed by Impressario, a wholly owned subsidiary of the Metropolitan Opera — also is moving toward SOA.

Levine says he’s taking steps to implement SOA without being overly concerned about standards. “We focus on creating the ‘glue’ that allows the SOA capabilities of the different commercial systems to fit together.”

To that end, the center is developing middle-tier solutions in-house, he adds.

“Our focus is rather than trying to choose a standard, knowing what to do to get the back ends to interoperate,” says Levine. Of course, middleware strategies depend on your organization’s size and existing systems. Overall, keep your eyes on the prize: a nimble IT organization. As GM’s Zhang puts it, the ultimate goal of using SOA is “to establish a flexible information systems and services environment that can quickly realign” as business needs change.

Bob Violino is a freelance writer. Send feedback on this feature to [email protected]


Pundit

The Prospects of GPL3 Adoption

The new license ensures that source code ownership is respected, but will it also see widespread buy-in?

By Bernard Golden

Open Source | After an extended gestation, the Free Software Foundation (FSF) released its update to the GPL Version 3 license.

From the point of view of end users, one of the most attractive things about the license is that it specifically states that using a GPL3-licensed program over a network does not trigger a need to offer source code. Originally, I thought this was one of the most problematic aspects of the GPL3 drafts, as many organizations would never allow themselves to be put in a position to need to distribute source code to end users, customers, or even internal employees.

Another attractive aspect of the license for end users is that it allows organizations to give code to other parties that are doing software development for them without being defined as conveying code. This has been a grey area in the past, and the new license addresses it unambiguously.

What are the prospects for GPL3 adoption? That's the critical question. The earlier drafts were such that many organizations would have never adopted GPL3-licensed code.

The current license is likely to see inconsistent adoption. End users are likely not so much to embrace it, as not prohibit GPL3-licensed code from internal use, meaning that GPL3-licensed code will slowly make its way into production infrastructures. Some technology providers will begin using it, while others, particularly in the embedded market segments, will resist adoption, perhaps going as far as to fork products in order to keep GPL2 versions around.

When it comes to Linux, on balance I think it will not move to GPL3. Despite Linus Torvalds's recent not-so-negative comments regarding the license, I heard pretty negative things about it from kernel developers at the recent Linux Foundation Community Summit. In any case, there are significant practical challenges to any thought of migrating the kernel to GPL3, so conversion is unlikely.

Where can you learn more about GPL3? Obviously, a good first stop is the Free Software Foundation website itself. Another good source I found is written by Luis Villa, an ex-Novell employee now attending Columbia Law School. He wrote a series of articles on the license beginning with Part 1 - The License (available at http://tieguy.org/blog/2007/06/26/gpl-v3-the-qa-part-1-the-license), discussing the license and its effect on developers and users.

I took part in a podcast about GPL3 last month along with some other open source-involved folks (and Rob Enderle, who is more of a general industry analyst). Our general conclusion was that GPL3 would not have dramatic impact. However, a couple of the participants felt that adoption of the license would be more rapid than I expect, and one of them, Matt Asay, was pretty disappointed with the provision that use over a network did not trigger the need for source code distribution, feeling that this enabled companies to freeload on the work of others.

In the end, this license seems more evolutionary than revolutionary. Most organizations will digest its conditions and be able to move on without major disruption to their activities. Many of the things that motivated Richard Stallman to update the license seem to have been watered down in this final version, for which we should all be thankful. Overall, this license will neither accelerate nor retard the rapid march of open source software throughout the technology industry, which is the most significant trend in software today.

(Concluded)

Bernard Golden is CEO of Navica, an open source consultancy, and the author of Succeeding With Open Source (Addison-Wesley, 2004). Send feedback on this column to [email protected]
