Technology for Growth and Governance
Next Horizon: Texting More Effective in a Disaster | Page 44
I Believe: IT Nirvana for Top-Line Growth | Page 04
CIOs Need to Chart Out a Clear IT Security Strategy for the Coming Decade | Page 28
A Question of Answers: Education is Key to Mitigate Risks | Page 16
December | 07 | 2011 | 50
Volume 07 | Issue 08
A 9.9 Media Publication

Security 2020


Page 1: Security 2020

Technology for Growth and Governance
CTO Forum

Next Horizon: Texting More Effective in a Disaster | Page 44
I Believe: IT Nirvana for Top-Line Growth | Page 04
CIOs Need to Chart Out a Clear IT Security Strategy for the Coming Decade | Page 28
A Question of Answers: Education is Key to Mitigate Risks | Page 16

Volume 07 | Issue 08
December | 07 | 2011 | 50

Spine: Building Storage that Lasts | Building an IT Business Office | IT Productivity Destroyers

A 9.9 Media Publication

Page 2: Security 2020

The new network means business: Game-changing technologies that lower latency, require far fewer devices and decrease power consumption by more than half. It's why Codonis chose QFabric™ to help transform their data centers, and why companies everywhere are thinking about the future in a whole new way. Learn more at juniper.net/thenewnetwork

© 2011 Juniper Networks, Inc.

Inbound Response Management: Priya Sharma, 1800 209 3062, 022 - 67083830, [email protected]

“You can virtualize your network, you can build one physical underlying network. The capacity is there, the tools are there…That’s the solution that Juniper’s putting forward.”

ANDREW BACH, SVP,NETWORK SERVICES, NYSE EURONEXT


Page 3: Security 2020

Editorial

1 | 07 December 2011 | CTO Forum | The Chief Technology Officer Forum

Yashvendra Singh | [email protected]

Editor's pick

Offence or defence? As the threat landscape turns more virulent, CIOs need to take a call whether they want to be defensive or go on the offensive.

28 | Security 2020: CIOs need to clearly chart out a strategy for their IT infrastructure security for the next decade.

For technology leaders tasked with ensuring the security of their enterprise, the latest intelligence report from Symantec is not very good news. According to their estimates, daily targeted attacks have increased four-fold – the greatest increase over a 12-month period ever recorded by the security vendor!

The continuous evolution of security threats has ensured that this area remains a critical business priority for CIOs.

Once again, the changing threat landscape promises to change the rules of the game. The emergence of consumerisation of IT and cyber terrorism are compelling CIOs to re-look at their security strategies.

In some corporates there is an office of a CSO to complement the function of a CIO in addressing security issues. In such enterprises, the two need to build camaraderie by working towards the common goal of achieving maximum business efficiency without rendering the enterprise vulnerable to any threat – internal or external.

Unfortunately, while the number of CIOs in the country runs into thousands, CSOs number in hundreds. So, in the scores of enterprises that still don't have a CSO office, the onus of security lies on the CIO. With security experts predicting 2012 to be even more virulent than 2011 (there are fears the next year could well see the successor of the notorious Stuxnet), the going will only get tougher.

You are the custodian of your enterprise's most vital asset – information. Protecting data whether it is being used, is in transition or is static must get your mindshare on priority.

This issue's cover story will help you in deciphering the emerging trends in enterprise security and the evolving role of the security function in the organisation.

I recently met a CIO who took me through his detailed security framework: how he understood the risks, analysed the impact of security breaches vis-à-vis risks, and eventually implemented a security strategy that aligned with the business.

Given the unpredictable nature of the enemy, I would love to hear your approach to tackling threats in your organisation. We would share it with your peers, since our effort is to spread the benefits of 'collective wisdom'.

Tell us whether you believe this is the time for offence or defence?

Page 4: Security 2020


December 11

Cover Story

28 | Security 2020: With the growing number of threats and increasing sophistication of the same, CIOs need to clearly chart out a strategy for their IT infrastructure security for the next decade.

Copyright, all rights reserved: reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot. Printed at Tara Art Printers Pvt Ltd, A-46-47, Sector-5, NOIDA (U.P.) 201301

Columns

04 | I Believe: IT Nirvana for Top-Line Growth. For achieving IT nirvana, CIOs need to manage the two sources of value – growth oriented and leverage oriented. By Randy Spratt

64 | View Point: Why Startups Die. The Second Child. By Steve Duplessie

Features

60 | Tech for Governance: The Next Revision of ISO 27001. By Dejan Kosutic

Please recycle this magazine and remove inserts before recycling.

Cover design by PC Anoop

Contents | theCtoForum.Com

Page 5: Security 2020

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Senior Editor: Harichandan Arakali
Assistant Editor: Varun Aggarwal
Assistant Editor: Ankush Sohoni

Design
Sr Creative Director: Jayan K Narayanan
Art Director: Anil VK
Associate Art Director: PC Anoop
Visualisers: Prasanth TR, Anil T & Shokeen Saifi
Sr Designers: Sristi Maurya, NV Baiju & Chander Dange
Designers: Suneesh K, Shigil N, Charu Dwivedi, Raj Verma, Prince Antony, Binu MP & Peterson
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, CIO, Pidilite
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices
Vijay Sethi, VP-IS, Hero Honda
Vishal Salvi, CSO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay
Vijay Mehra, CIO, Cairns Energy

Sales & Marketing
National Manager-Events and Special Projects: Mahantesh Godi (09880436623)
Product Manager: Rachit Kinger (9818860797)
GM South: Vinodh K (09740714817)
Senior Manager Sales (South): Ashish Kumar Singh
GM North: Lalit Arun (09582262959)
GM West: Sachin Mhashilkar (09920348755)
Kolkata: Jayanta Bhattacharya (09331829284)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd, A-46-47, Sector-5, NOIDA (U.P.) 201301
Editor: Anuradha Das Mathur

For any customer queries and assistance please contact [email protected]

www.thectoforum.com

44 | Next Horizons: Texting for Disaster Recovery. Texting could and should play a major role in your DR planning. By Pam Baker

Regulars
01 | Editorial
10 | Enterprise Round-up

Advertisers' Index
Juniper IFC, 41, 53; Schneider 5; Sigmabyte 6, 7; Seagate 9; SAS 13; Tata Communications 15; Trend Micro 27; Check Point 45; Nokia IBC; IBM BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

20 | Best of Breed: IT Productivity Destroyers. VC's views on the causes of inefficiency in the IT organisation. By Marc J. Schiller

A Question of Answers
16 | Educate to Mitigate Risks. Vijay Mhaskar, Vice President, Information Management Group, Symantec shares his insights into the growing risks attached to social media.

Page 6: Security 2020

I Believe

Current challenge


Creating a balance between the strategies of business and activities that are commodity driven

The author is responsible for the global applications that serve the entire corporation and for the overall IT strategy and information security for the company.

IT Nirvana for Top-Line Growth
For achieving IT nirvana, CIOs need to manage the two sources of value – growth oriented and leverage oriented

By Randy Spratt, CIO and CTO, McKesson Corporation

There are two sources of value that a CIO must bear in mind, one is growth oriented, and the other is leverage oriented. These can be at odds. It is important for a CIO to successfully manage this paradox.

On the one hand, you need to innovate and be agile to serve the strategies of the business. On the other hand, you have a lot of activities that are commodity driven, and if you are not competitive with other entities that can provide those services, then you will be at a competitive disadvantage as a company.

In my mind, business nirvana is top-line growth. This suggests business-driven IT activity, and a high degree of IT agility. The businesses will want and expect new devices, new capabilities, new applications, new tools to reach and delight their customers. They are looking for social networking, iPad apps, smartphone apps, and linking into cloud-based services to reach their markets and deliver innovative products and services. IT nirvana is making everything efficient, secure, leveraging economies of scale. In this scenario, IT controls things to a greater extent.

In many organisations, there is a pendulum that swings between these two scenarios, between business nirvana and IT nirvana, never quite reaching either side before the momentum shifts in the other direction every three to five years.

An innovative CIO focuses almost exclusively on enabling the business vision, and, for a time, achieves tremendous things for the organisation. In the process, he creates a shadow infrastructure and buys products at sub-optimal purchasing power. Projects fall behind, costs accelerate, and the desired agility is not attained.

A cost conscious CIO spends a lot of time cleaning up the infrastructure, and cutting staff. He de-emphasises innovative, top-line growth opportunities in favor of more efficient operations, greater buying power and more reliable operations through solid IT processes.

This opinion was first published in CIO Insight. For more stories, please visit www.cioinsight.com.

Page 7: Security 2020

©2011 Schneider Electric. All Rights Reserved. Schneider Electric, InfraStruxure, StruxureWare, and APC are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. All other trademarks are property of their respective owners. • 998-4108_IN-GB Schneider Electric India Pvt Ltd, 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase II, Gurgaon - 122 002, Haryana, India, Phone: +91 124 3940 400, Fax: +91 124 4222 036

Tap the business value of your data centre! Learn how in our management software white paper. Visit www.SEreply.com Key Code 11499p. Toll Free 1800 4254 877/272

Tap in to the health of your data centre As an IT or data centre manager, you know that doing your job well means saving your company both time and money. Today, there finally is a way for you to be completely tapped in to the overall health of your data centre. StruxureWare™ for Data Centres gives you visibility across your entire data centre infrastructure so you can make informed decisions — not arbitrary ones — about your infrastructure. For example, you can plan proactively for needed capacity and streamline workflow management to improve your business agility and availability. In fact, now more than ever, infrastructure decisions are business decisions.

An always available, efficient data centre What’s more, StruxureWare for Data Centres communicates in real time with the leading virtualization platforms: VMware vSphere™ and Microsoft® System Centre Virtual Machine Manager. The software’s built-in automated response capabilities ensure that virtual loads always have healthy host environments. With your VMs on healthy hosts, you can focus on running your data centre more efficiently. The software also gives insight into PUE/DCiE trending over time, enabling you to make intelligent energy management decisions. With StruxureWare for Data Centres’ planning and reporting capabilities, who’s the company hero now? You are!

APC by Schneider Electric™ is the pioneer of modular data centre infrastructure and innovative cooling technology. Its products and solutions, including InfraStruxure™, are an integral part of the Schneider Electric™ IT portfolio.

The strategic bridge between your data centre and your business? You.

Now, make informed decisions about your infrastructure:

> Plan proactively for needed capacity.

> Blueprint data centre expansions and consolidations.

> Streamline workflow management of your IT physical infrastructure to improve your business agility and availability.

> Make changes knowing how they will affect your business.

> Visualize change/capacity scenarios to improve your bottom line.

> View your current and historic PUE/DCiE and energy costs of subsystems to make intelligent energy management decisions.

Only StruxureWare for Data Centres enables a healthy, business-driven data centre.

> Executive summary

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Costs

White Paper 107


Page 8: Security 2020


Sigma-Byte Celebrating 20 Years of Bringing Value to Customers

Sigma-Byte, a provider of network cabling, audio-visual solutions & safety & security solutions, recently celebrated 20 years of bringing value to its customers. To celebrate this momentous occasion with their long standing partner CommScope, Sigma-Byte hosted a gala event at the Hyatt Regency Hotel in Mumbai.

The event brought together various partners, customers and beneficiaries of Sigma-Byte – those who hold a special place with the company. The celebration was kicked off with a performance by Aman and Ayaan Ali Khan, who along with Gino Banks, entertained the attendees. The event also featured Bharat Dabholkar, famous for his advertising work with Amul and various productions.

The high profile event was hosted by Diana Hayden, Former Miss World and featured speeches from Sigma-Byte and CommScope executives detailing their future plans.

CommScope and Sigma-Byte have had a long-standing relationship in bringing solutions with great value to their customers and both hope to continue to bring their efforts to them.

In an interview with ITNEXT, Ketan Kothari, MD, Sigma-Byte; Dr. Ispran Kandasamy, Vice President, Enterprise Sales, Asia-Pacific, CommScope; and Stephan Kowal, Vice

From left: Dr. Ispran Kandasamy, VP, Enterprise Sales, APAC, CommScope; Mr. Ketan Kothari, MD, Sigma-Byte; and Mr. Stephan Kowal, VP, Global Partner Organization, CommScope.

Advertorial | Sigma-Byte

Page 9: Security 2020


President, Global Partners, CommScope took a few minutes and spoke about the future and how they plan to take their services to the next level for their customers.

As one of the key integrators/partners of CommScope's solutions, what are some of the challenges that you face today from the customers?

Ketan Kothari: Customers require connectivity that is foolproof. In India, the tendency is to get the solution at L1 (i.e., the best price possible). Obviously the best solutions and services are not available at the lowest price. Customers acknowledge the need for products and services that are better than what is available in the market; however, there is always a tendency to lean towards the most competitively priced solution, which is not necessarily the best. Another challenge we see is there is a lot of misinformation on what products and services are available in the market. In India, there is no guiding agency that recommends solutions or sets standards. It makes it difficult to convince customers towards a particular solution being better than another. If there is no government or regulatory agency setting standardization guidelines, then things are very challenging for us.

How can you move beyond these challenges?

Dr. Ispran Kandasamy: CommScope is a global entity and leader from a technology perspective in this entire marketplace. We help set many of the global standards. So we try our best to educate our customers. We try to create awareness with respect to global standards. That's important to do at this point of time.

Ketan Kothari: The challenge in India is that because things are state driven, you know, when the centre says something the state more or less opposes it. This makes it even more difficult to help in building standardization into our practice.

Dr. Ispran Kandasamy: I think Ketan's point regarding the establishment of a standardization process is important. At the rate that India is growing, infrastructure build is going to become uncontrollable without standards and the problems will erupt when customers are looking to scale up.

Stephan Kowal: There is also a human safety perspective that comes into place. In the United States and European Union, there are safety guidelines and ratings for cables. The government said that you need to use cables that do not burn or produce smoke. What you do not see is that there is no consistency in what should or shouldn't be used. So when people use the most economical solution it may not be the safest solution. We actually have partners who are educating customers about standards and how investment in our cables can help from a safety and quality standpoint. These are things that need to be taken care of immediately.

Dr. Ispran Kandasamy: We try and educate our customers. We work actively with our partners to accomplish this; however, the challenge becomes when the customer is in a competitive environment and their competition does not have the same standards requirements. Competitors implement low-cost solutions all to save the customer money. This becomes an issue where you can rapidly lose market share.

Describe some of the trends you are seeing in the connectivity space.

Stephan Kowal: We are trying to find people who do not necessarily buy or sell our solutions but have a lot of influence over our solutions. What I see is the networks are becoming more of a central backbone for communications, having increased security of the network including heating, ventilation, access controls as well as controlling lighting. There is a movement towards lighting itself by using a low voltage system. Companies like Cisco are putting energy management policies into the networks. So CommScope has teamed up with Cisco to include these energy management policies into network infrastructures by helping them design in-building intelligent networks. It is our responsibility to go out into the industry and partner with companies that are creating disruptive technologies and, at the same time, work with our partners to ensure that solutions customers want can be implemented.

Dr. Ispran Kandasamy: We are also seeing the penetration of fiber into networks. Bandwidth and the distance data needs to travel today is pushing technology to move into more of a fiber-dominant space. So the issue in a fiber-intensive network is the quality of the installation associated with that goes up. It is so important that we have high-quality partners like Sigma-Byte with us where they can make a big difference in shaping how customers adopt technology.

Sigma-Byte has been in the business for 20 years now. So what is next?

Ketan Kothari: We want to build on the credibility we have built over the last 20 years and the skills we have developed and go into the next phase. The market is converging towards IP and our partnership with CommScope will assist us with obtaining a larger piece of the solution building business. We are expecting a lot of excitement in the coming future, especially given the nature of the amount of work that needs to be done on the standardization front. We are also always looking to acquire new customers. All I can say is it's only going to get better from this point on.

Sigma-Byte | Advertorial

Page 10: Security 2020


Letters

Write to us: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community. Send your comments, compliments, complaints or questions about the magazine to [email protected]

The CTOs more interested in satisfying the CFO & Board rather than the consumer?

I see CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.
— Arun Gupta, Group CIO, Shoppers' Stop

Opinion: Supporting Business through 'Syntelovation'
Muralidharan Ramachandran, CIO, Syntel Inc
Syntel has instituted a programme that rewards innovative solutions. We enable our clients' IT team to support THEIR business. To read the full story go to: http://www.thectoforum.com/content/supporting-business-through-%E2%80%98syntelovation

CTOF Connect: Storage has always been the backbone of information. Roberto Basilio, VP, Storage Platforms & Product Management, Hitachi Data Systems talks about Hitachi's plans for this market. http://www.thecto-forum.com/content/building-storage-lasts

CTOForum LinkedIn group
Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Open Source vs Proprietary Software
Practically, how many of you feel open source free software is a better solution than any proprietary software? I would rather mention that your call should depend on the criticality of the application to serve the enterprise business requirement, as open source applications can have security breaches and lack of support in the worst-case scenario.
— Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

Cover of the previous issue (Technology for Growth and Governance, CTO Forum, A 9.9 Media Publication, Volume 07 | Issue 07, November | 21 | 2011 | `50): 24X7 CIO: It is no longer about whether to go for cloud or not. The question CIOs are asking themselves is when and for what (Page 28); Cloud Weather Fair; Best of Breed: Delivering Health Electronically (Page 26); I Believe: Supporting Business Through 'Syntelovation' (Page 04); No Holds Barred: Adopt MPS to Reduce Cost (Page 52). Spine: Why Startups Die | Software Defects Versus Features | E-Discovery in the Cloud.


Page 11: Security 2020
Page 12: Security 2020


Enterprise Round-up

Feature inside: Salesforce.com Claims Big Leap in Social Marketing, Pg 12

Data Briefing: 80%
Cloud services prices will include an energy surcharge by 2015

Cloud to be 51% of Data Centre Workloads by 2014
Global cloud computing traffic to reach 1.6 zettabytes by 2015

In the inaugural Cisco Global Cloud Index (2010 – 2015) issued recently, Cisco estimates global cloud computing traffic will grow 12-fold from 130 exabytes to reach a total of 1.6 zettabytes annually by 2015, a 66 percent compound annual growth rate (CAGR).

Cloud is the fastest growing component of data center traffic, which itself will grow 4-fold at a 33 percent CAGR to reach 4.8 zettabytes annually by 2015. Cloud is also estimated today to be 11 percent of data center traffic, growing to more than 33 percent of the total by 2015.

The vast majority of the data center traffic is not caused by end users but by the data centers and clouds themselves undertaking activities that are largely non-transparent to end users – like backup and replication. By 2015, 76 percent of data center traffic will remain within the data center itself as workloads migrate between various virtual machines and background tasks take place. 17 percent of the total traffic leaves the data center to be delivered to the end user, while an additional 7 percent of total traffic is generated between data centers through activities such as cloud-bursting, data replication and updates.

Illustrations by Shigil N

Page 13: Security 2020

Enterprise Round-up


TC Infotech has launched a new package called Optsustain. Touted as India's first such indigenously developed product, it has been purpose-built with the aim of simplifying the process of sustainability management across the globe.

Quick Byte on Financial

Researcher Unearths 'Scary' Code on Cell
Hidden software logs and reports usage details to carrier

According to a report on HuffingtonPost.com, in a 17-minute video posted on YouTube, Trevor Eckhart shows how the software – known as Carrier IQ – logs every text message, Google search and phone number typed on a wide variety of smartphones, including HTC, BlackBerry, Nokia and others.

The application, which is labeled on Eckhart's HTC smartphone as "HTC IQ Agent," also logs the URL of websites searched on the phone, even if the user intends to encrypt that data using a URL that begins with "HTTPS," Eckhart said.

"Why is this not opt-in and why is it so hard to fully remove?" Eckhart wrote at the end of the video. In a post about Carrier IQ on his website, Eckhart called the software a "rootkit." Eckhart's video is the latest in a series of attacks between him and the company. Earlier this month, Carrier IQ sent a cease and desist letter to Eckhart claiming he violated copyright law by publishing Carrier IQ training manuals online. But after the Electronic Frontier Foundation, a digital rights group, came to Eckhart's defense, the company backed off its legal threats. The Electronic Frontier Foundation said the software that Eckhart has publicised "raises substantial privacy concerns" about software that "many consumers don't know about."

They Said It
Steve Wozniak

"It doesn't matter if you don't make any money. Because you don't have any money to begin with. Steve Jobs and I did not have any money to begin with."
— Steve Wozniak, Co-founder, Apple

Steve Wozniak, the maker of the Apple II computer which brought about a worldwide computer revolution, was in Bangalore recently to speak to a bunch of young entrepreneurs and achievers of the Young Presidents Organisation who wanted to hear the story of the most-loved technology brand in the world: Apple.

Page 14: Security 2020

Enterprise Round-up


Salesforce.com Claims Big Leap in Social Marketing new tool can turn brand conversations into useful customer engagementSAlESfoRcE.com has unveiled the radian6 Social marketing Cloud, which extends the social enterprise to marketing with new fea-tures in social monitoring, insights, engage-ment, workflow and websites.

Together these innovations, claims Sales-force.com, will let companies turn millions of social conversations about their products, brand and industry into dynamic engage-ments that strengthen customer relationships.

The radian6 Social marketing Cloud allows marketers to adapt to the new world of social marketing through these five key pillars:

Social monitoring: managing millions of

Social Conversations - radian6’s technol-ogy enables companies to monitor on a social scale by capturing 150 million sourc-es of social media conversations across the web including facebook, Twitter, youTube, linkedin, blogs, online communities and more. Also, radian6 now supports a total of 17 languages, with the addition of Turk-ish and Polish.

Social insights: leveraging Social media intelligence - The massive volume of social media conversations generated by consum-ers can be overwhelming to an organisation, but overlooking a tweet from a prospective

By 2015, low-cost cloud services will cannibalise up to 15 percent of top outsourcing players’ revenue.

customer could result in loss of sales. new radian6 Social insights provide intelligent dashboards and sophisticated analytics to filter through the noise, identify relevant conversations and perform marketing cam-paign analysis. now including third-party providers such as Klout, openAmplify and openCalais, Social insights provides an additional level of information like demo-graphics, influence, geolocation, sentiment and topic categorisation to conversations. This level of intelligence allows marketers to understand the impact of a campaign and have the flexibility to respond to customer sentiment and reaction in real-time.

Social engagement: Connecting with Cus-tomers and Prospects - The radian6 Social engagement Console now enables compa-nies to engage with customers directly where the conversation is taking place -- whether on Twitter, facebook or other social channels. The Social engagement Console also brings in third-party data to provide a comprehen-sive view of social conversations. new add-ons include the ability to see Trending Topics from Twitter, Bit.ly statistics to determine the reach of shared links and more. in addi-tion, radian6 is now natively integrated with Salesforce, across the full suite of Salesforce apps and platform.

Social Workflow: Delivering millions of Social Conversations Across the enterprise - With the launch of radian6 Social hub companies will be able to organise massive amounts of social media conversations by applying sophisticated analysis and rules. These action streams can automatically route relevant social content for quick engagement and response. in addition, Social hub now populates social customer profiles, helping marketers create relevant campaigns based on what the consumer likes.

Social Websites: empowering marketers to move at the Speed of Social - Siteforce empow-ers marketing organisations to move at the speed of social and quickly and easily build socially rich websites to engage with custom-ers and prospects. using a powerful drag and drop studio, marketers can build, edit and publish pixel perfect websites, without any help from iT. Siteforce uses a powerful and flexible content management system, allow-ing companies to better engage with custom-ers and prospects by adding social features like Twitter streams, facebook likes and more.

GLOBAL TRACKER: Dip in outsourcing players' revenues (chart; source: Gartner)
Enterprise Round-up (CTO Forum, 07 December 2011, p. 14)

Things IT leaders should watch out for in 2012
Social media, mobile are likely security targets

Web security provider Websense has come up with its cyber security predictions list for the year 2012. Here are the seven things IT leaders need to watch out for in the year ahead:

1. Social media identity may prove more valuable to cybercriminals than credit cards. Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends.

2. The primary blended attack method used in the most advanced attacks will be to go through your social media "friends," mobile devices and through the cloud. We've already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you. People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.

JaxtrSMS

Sabeer Bhatia's new venture, JaxtrSMS, aims to release short messaging from the clutches of closed groups. Can he do a Hotmail to SMS? Going by the promise in the Hotmail co-founder's press announcement, he well could. After all, it's been a long time since Sabeer's last successful venture, the ubiquitous free email service Hotmail, was bought by Microsoft (1998). And this time, the new venture could just click on the simplicity and power of the idea - unlike others such as Arzoo and Live Documents.

Called Jaxtr Inc., the new venture is founded by Sabeer Bhatia and Yogesh Patel. The firm has launched JaxtrSMS, a cross-platform, open texting application to send an SMS to anyone in the world for free.

JaxtrSMS is claimed to be unique in that a mobile user can send a text SMS to any mobile phone in the world without requiring the receiver to have the JaxtrSMS application installed on their phone. This "open" facet of JaxtrSMS, claims the release, distinguishes it from other free mobile messaging applications where messages can only be sent within a closed network to people who also have the same app installed.

JaxtrSMS retains the number of the user and no new number is required while signing up for the JaxtrSMS service.

FACT TICKER

BI in India to reach $81 mn in 2012
Demand drivers include consumerisation of BI

The market for business intelligence (BI) software in India is forecast to reach revenue of $81.5 million in 2012, a 15.6 percent increase over 2011, according to Gartner, Inc. Worldwide BI software market revenue is forecast to grow 8.7 percent to reach approximately $12.7 billion in 2012.

Gartner analysts said the market for BI platforms will remain one of the fastest growing software markets despite expectations of an economic slowdown. Organisations continue to turn to BI as a vital tool for smarter, more agile and efficient business, and they are increasing their current usage scenario from just an information delivery mechanism.

"The BI market has remained strong because the dominant vendors continue to put BI, analytics and performance management at the centre of their messaging, while end-user organisations largely continue their BI projects, hoping that resulting transparency and insight will enable them to cut costs and improve productivity and agility down the line," said Bhavish Sood, research director at Gartner. "It's a sign of the strategic importance of BI that investment remains strong."

Among the sub-segments, BI platforms is still expected to be the largest in pure revenue terms, while CPM suites are expected to grow the highest. Adoption deadlines of IFRS and XBRL (eXtensible Business Reporting Language) will further drive demand for CPM suites in India.

Decision making in India historically has been based on either "gut feelings" or on the business experience of managers. BI will allow enterprises to make more fact-based decisions. BI promotes revenue growth and faster innovation through shorter product and service life cycles and the ability to find where value is being created in the business.

"The demand side of the BI platform market in early 2011 was defined by an intensified struggle between business users' need for ease of use and flexibility on the one hand, and IT's need for standards and control on the other," said Sood.

"With 'ease of use' now surpassing 'functionality' for the first time as the dominant BI platform buying criterion, vocal and influential business users are increasingly driving BI purchasing decisions, most often choosing easier to use data discovery tools over traditional BI platforms — with or without IT's consent," he said.

A Question of Answers | Vijay Mhaskar (CTO Forum, 07 December 2011, p. 16)

Making the most of Social Media: Mhaskar gives insights into best practices for companies to leverage social media


Vijay Mhaskar | VP, IMG, Symantec

Educate to Mitigate Risks

Vijay Mhaskar, Vice President, Information Management Group, Symantec, in a conversation with Varun Aggarwal, shares his insights into the growing risks attached to social media, and suggests measures to mitigate them

Social media threats are on the rise. In such a scenario, how should enterprises build a social media strategy?
We do see a growing trend wherein companies are adopting social media applications to improve collaboration between employees and partners and to build better relationships with customers. Information is the most valuable asset to Indian enterprises. However, it is also the most vulnerable asset, since a data breach can impact an organisation negatively.

Today's organisations need to manage risk proactively, protecting not just the infrastructure that data resides in, but also the information itself. Enterprises require a holistic information security and management strategy, which is risk-based and policy-driven, information-centric and operationalised across a well-managed infrastructure. Enterprises need solutions that can help them develop and enforce policies, manage systems efficiently, protect information and identities and protect the infrastructure.

Some of the best practices that companies can follow include: begin with a formal and well-understood policy for employees' use of public sites like popular social networking portals; monitor managed and unmanaged endpoints, on or off the network; notify employees when they try to send confidential data outside of the company; like all corporate communications, define how to use social media and train employees regarding appropriate content to post; identify and understand legal or regulatory requirements specific to your industry, and implement policies to address regulations that call for retention of social media content; consider deploying an archiving solution that enables the automatic capture and retention of social media content, especially if your industry is highly regulated; implement a data loss prevention solution to provide another layer of protection to prevent confidential and proprietary information from bleeding out of the company onto social networks; enterprises should have a sustainable programme that allows them to measurably reduce risk of a data breach, demonstrate regulatory compliance and safeguard customer privacy, brand equity and intellectual property. With social networking growing exponentially, enterprises need to consider both the risks and opportunities presented by this phenomenon.

The good news is that tools exist to help organisations gain the real business benefit from these sites. In order to secure this new age, Symantec has been assembling a set of solutions that bring together identity and device security, information protection, context and relevance and the benefits from leveraging the cloud – the critical enablers of confidence in a connected world.

What are the various threats that you've observed over the use of social media?
We recently commissioned a survey to gauge the impact of corporate use of social networking sites: the Symantec 2011 Social Media Protection Flash Poll.

The findings clearly indicate a growing trend amongst enterprises engaging in social media and falling victim to various related incidents that may result in serious consequences, from reputation loss to loss of confidential information. In particular we would like to focus on the top three social media incidents the typical enterprise experienced over the last year: employees sharing too much information in public forums (46 percent); the loss or exposure of confidential information (41 percent); increased exposure to litigation (37 percent).

Technology has a role to play here with solutions that can protect and archive the information, making it recoverable in case of any regulatory/compliance need. Information protection will need to go beyond just the current set-up to integrate the new medium and automate the process to ensure better access controls.

It's more important than ever for companies to have controls in place to capture social information to comply with open records requests, industry regulations such as the supervision requirements and the eventuality of an eDiscovery request.

How can organisations safeguard their confidential data and reputation while allowing access to social media?
Like all corporate communications, organisations must define how to use social media and train employees regarding appropriate content to post. Organisations must identify and understand legal or regulatory requirements specific to your industry, and implement policies to address regulations that call for retention of social media content. Organisations must consider deploying an archiving solution that enables the automatic capture and retention of social media content, especially if your industry is highly regulated.

Keeping this in mind, Symantec Enterprise Vault 10, the new version of our email and content archiving software, now features data loss prevention technology. Another new feature is the ability to archive all social media interactions for compliance and eDiscovery purposes. This prevents data getting leaked outside organisations.

Things I believe in
- Define how to use social media and train employees regarding appropriate content to post
- Consider deploying an archiving solution that enables the automatic capture and retention of social media content
- Implement a data loss prevention solution
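Two of the controls Mhaskar lists above, notifying an employee when confidential data is about to leave the company and a data loss prevention check on outbound social posts, are easy to sketch in code. The following Python block is an added illustration written for this page; it is not Symantec's or Enterprise Vault's code. The confidentiality markers, the card-number pattern, the "protected document" and the sample posts are all assumptions constructed for the example.

```python
"""Minimal outbound-content DLP check for social media posts.

Added illustration for this page, not Symantec's or Enterprise Vault's code.
The policy rules, protected document and sample posts below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Hypothetical policy: phrases that mark content as confidential (notify only).
CONFIDENTIAL_MARKERS = ("confidential", "internal only", "do not distribute")
# Hypothetical pattern: a 16-digit card-like number, digits optionally
# separated by single spaces or dashes (block).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Sentence boundary used for both the protected document and outbound posts.
SENTENCE_RE = re.compile(r"(?<=[.!?])\s+")


def _fingerprint(sentence: str) -> str:
    """Hash a whitespace/case-normalised sentence. The policy then holds only
    hashes, not the protected text itself."""
    norm = " ".join(sentence.lower().split())
    return hashlib.sha256(norm.encode()).hexdigest()


def fingerprint_document(text: str) -> set[str]:
    """Fingerprint every sentence of a protected document (assumed input)."""
    sentences = [s for s in SENTENCE_RE.split(text.strip()) if s]
    return {_fingerprint(s) for s in sentences}


@dataclass
class Verdict:
    action: str                       # "allow", "notify" or "block"
    reasons: list[str] = field(default_factory=list)


def check_outbound_post(post: str, doc_prints: set[str]) -> Verdict:
    """Decide what to do with a post before it leaves the company.

    notify: a confidentiality marker is present (warn the employee, log it)
    block:  a card-like number or a sentence copied from a protected document
    """
    reasons: list[str] = []
    lowered = post.lower()
    for marker in CONFIDENTIAL_MARKERS:
        if marker in lowered:
            reasons.append(f"marker:{marker}")
    if CARD_RE.search(post):
        reasons.append("pattern:card-number")
    for sentence in SENTENCE_RE.split(post.strip()):
        if sentence and _fingerprint(sentence) in doc_prints:
            reasons.append("fingerprint:protected-document")
            break
    if any(r.startswith(("pattern:", "fingerprint:")) for r in reasons):
        return Verdict("block", reasons)
    if reasons:
        return Verdict("notify", reasons)
    return Verdict("allow", reasons)


def audit_posts(posts: list[str], doc_prints: set[str]) -> list[tuple[str, Verdict]]:
    """Run every post through the check and return an archive-ready record."""
    return [(p, check_outbound_post(p, doc_prints)) for p in posts]


# Constructed sample data for the example.
PROTECTED_DOC = (
    "Project Kestrel launches in Q2. "
    "Pricing will be cut by 30 percent for enterprise customers."
)
SAMPLE_POSTS = [
    "Loving the new office coffee machine!",
    "Heads up, this is internal only but we have a big launch coming",
    "Call me on 4111 1111 1111 1111 to discuss",
    "Pricing will be cut by 30 percent for enterprise customers.",
]

if __name__ == "__main__":
    for post, verdict in audit_posts(SAMPLE_POSTS, fingerprint_document(PROTECTED_DOC)):
        print(f"{verdict.action:6} {verdict.reasons} {post!r}")
```

The split between notify and block mirrors the two practices in the interview: a marker phrase is a cue to warn the employee and record the event, while a card number or a sentence lifted from a protected document is stopped outright. Fingerprinting the document sentence by sentence means the policy store never has to contain the confidential text it is protecting, and the audit record that `audit_posts` returns is the kind of trail an archiving or eDiscovery process can retain.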

Best of Breed | Management (CTO Forum, 07 December 2011, p. 20)

Why You Deserve to Be Demoted
There are three very real and current challenges that are the big reasons for demoting the CIO
By Marc J. Schiller

It doesn't take a genius to figure out that when a group of people (say, CIOs for example) are constantly talking about their role and the future of their role, it's likely they are in trouble—whether they want to admit it or not. Judging from what's been appearing online and in print over the past 24 months, it seems like we have a really big problem brewing.

Don't believe me? Try it yourself. Do a search on "the role of the CIO." Look at the results for the last 90 days and see what comes up. Article after interview after white paper all talking about the big and important changes afoot for CIOs.

To be sure, every executive examines their role and scope of responsibilities from time to time -- that's natural. But if you look at the volume of material being written about and discussed on the role of the CIO, it seems that CIOs are obsessed with this issue. That's especially clear if you do a similar search on "the role of the CFO," or even "the role of the CEO."

The folly of conventional wisdom
Now comes the interesting or, some might say, the exasperating part. When you read these articles, white papers and interviews, there isn't really a meaningful exchange of ideas around specific issues. They all just seem to say almost exactly the same boring and unbearably obvious thing. It goes something like this:

The world is changing. Business is going faster than ever before. You can't just be a technologist. You have to be a real business partner. You have to drive revenue. And when you do, everything will be great.

Recently, it's gotten even worse. Here is a direct quote from the closing lines of the just-published CA white paper entitled: "The Role of the CIO--Becoming the Boss."

"… the penny is dropping in boardrooms around the world; cloud computing is driving change and CIOs are well placed to capitalise [sic] on market conditions and offer their expertise to the organisation [sic] at a leadership level...CIOs must maximise [sic] their muscle as the technology visionary within their business and help the boardroom to emerge stronger in the future."

"Maximise their muscle?" What sort of fantasyland do these people live in? "The penny is dropping?" Gimme a break. More like a bowling ball.

Beyond the sheer silliness of lines like these, this stuff drives me nuts for several reasons:

It's beyond simplistic and obvious. Of course the world is changing. Of course you have to be close to the business. Of course you have to seek out revenue-enhancing solutions. That's been standard operating procedure for CIOs for years already.

The flowery, esoteric, you'll-be-the-CEO-someday ideas are nothing more than feel-good journalism. It promotes a completely unrealistic expectation for 95 percent of CIOs. Heck, research shows that less than 40 percent of CIOs even report to the CEO today.

The biggest problem I have with this kind of material is that it fails to address what's really going on. These articles and white papers talk about how things ought to be and they describe the roles they believe CIOs would like to play. They don't address head-on the real challenges of the CIO today. In place of facing up to the very immediate and real threats to the CIO, they jump to future visioning. As if to say, when you act like this, everything will be fine.

So before I say a single word about the role of the CIO, I want to take a moment and put out there what's really going on, what's really driving so much of the role searching for CIOs today. Unless we clearly see the true nature of the challenges, no solution will work. It will simply be disconnected from reality.

Meet the big three
For lack of a better term, and for dramatic effect, I'll call the very real and current challenges the three big reasons for demoting the CIO. They are:
1. Today's business managers are tech-savvy. They have grown up with technology, they understand it and they want to make their own technology decisions. They do not need a CIO slowing things down and making it more complicated. And don't bother offering yourself as a "consultant" to the business. If they want a consultant, they will hire one with the specific expertise they need. After all, such consultants are a dime a dozen.
2. IT is ubiquitous and no longer offers a strategic advantage. It has become a commodity that can be purchased on-demand and in the cloud.
3. What can't be bought in the cloud can be bought from an outsourced vendor. From desktop support to payroll processing and on to nearly every business process, there are plenty of competent outsourcers out there to get the job done.

Given these three obvious realities, what are really the roles and the value-add of the IT group generally, and the CIO specifically?

Now that, my friends, is a serious challenge. And that is what is going through the minds of business managers all over the world.

A real dialogue to address the challenges
In place of attempting to give you a 30-second version on the "new" role of the CIO, I'd like to open a dialogue. I'd like to present just one idea that I believe will be helpful to IT leaders in both forming a sense of their role today and into the future. Most importantly, I'll present and test that one idea against the big three reasons to demote the CIO to see how it stands up. You get to be the judge.

Returning to a very basic premise
The real importance of the CIO role comes from the focus on information. It's not a trivial point. In fact, when you think of the role of the CIO as being first and foremost about managing, securing, enhancing, and leveraging the organisation's information assets, the three big arguments for demotion are easily countered. Here's how:
1. Today's Business Managers are Tech-Savvy: That's both a blessing and a curse. It's a blessing because a lot of the silly, handholding activities required of IT in the past can be ditched. It's a blessing because it makes technology-based discussions easier. But it's also a curse, because business managers are still business managers, and so they should be. They are impatient and want to get things done quickly. They don't have the time or the inclination to work through all of the nitty-gritty details that are required to ensure that the systems they are putting in place do, in fact, collect and integrate data with other corporate resources. They don't have the time or the expertise to evaluate the information integration and interface requirements a particular system may create. And they certainly don't want to be on the hook for all of the data security and regulatory compliance issues that are growing by the day. The beauty is, when you really lay out the information angle for a tech-savvy colleague, they usually get it. What's more, this understanding will often lead to support and compliance around issues like data governance and standards. When that happens, it's magic. Because now you share a common destiny regarding the integrity of, and the access to, your organisation's most important asset: its information.
2. IT No Longer Offers Strategic Advantage: Completely true. And that's the most important reason to have a CIO. To make sure that IT investments are made with this fact clearly in mind. The CIO needs to be there to remind everyone that the technology, per se, offers no operating advantage. To merit IT investment dollars, an application must be implemented in such a way as to confer unique value. With all the hype about ERP, CRM, the Cloud, whatever, it's easy for the business to believe that a purchase from a vendor is all that is required. The CIO is there to remind the business of the very hard work it takes to implement a real solution and to derive meaningful information from it. It's the CIO, with his or her process and information perspective, who is uniquely positioned to articulate the metrics of value relative to any technology-enabled project, which, today, is nearly everything.
3. Everything is Being Outsourced: If properly managing and extracting value from information assets that are fully under your control is hard, it's 10 times harder when an outsourcer or cloud-based solution provider is involved. The challenges of information security, management, governance, integrity, integration, and meaning increase dramatically. Without a CIO (and his team) to focus on these issues, who will do it? Certainly not the functional outsourcer: it's way out of scope for them. The business? Of course not. They don't have any of the necessary skills or knowledge. It's the critical role of IT.

The opening salvo
This is far from the last word on the role of the CIO. In fact, it's only meant to be the opening salvo. But it's an important one. It's important because it directly answers the questions that are driving some to think about demoting the CIO (including many CIOs themselves). It's important because it is rooted in what organisations really need. And finally, it's important because it builds on what CIOs can and should be doing for their organisations; today, and into the future.

— Marc J. Schiller, author of "The 11 Secrets of Highly Influential IT Leaders," is a speaker and a strategic facilitator.

— This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com

Data briefing: 50% of email users will rely primarily on a browser or mobile instead of a desktop by 2016

Data briefing: 80% of cloud services will include a global energy surcharge by 2015

Features inside: IT Productivity Destroyers (p. 22); Building an IT Business Office (p. 25)

Best of Breed | Management (CTO Forum, 07 December 2011, p. 22)

IT Productivity Destroyers
VC's views on the causes of inefficiency in the IT organisation
By Marc J. Schiller

This article series is for the IT leaders, managers and professionals who seriously want to shake things up, for themselves and their organisations. It's meant for IT leaders, managers, and professionals who know in their gut that there is always a better way to do things and who are eager to learn and apply it.

So, if you consider yourself a member of this group, stick with me. Because this series is going to show you how to:
1. Gain an extra work day for yourself without working an extra minute, and
2. Increase your team's productivity and work satisfaction by 20 percent, 30 percent or more.

Sound ambitious? Think I'm kidding? Well, I'm dead serious. So, let's get started.

The hierarchy of organisational time-wasting activities
Organisations are inherently inefficient. It's just the way of the world.

IT professionals complain about the inefficiencies that impact personal productivity and cut into personal time. Managers become frustrated by the slow progress of their team members. As an external consultant, I often get the "pleasure" of hearing these complaints from both sides of the management divide.

Where it gets interesting is when you ask IT professionals and managers to identify and rank the causes of inefficiency and time wasting. Overall there are three big categories. They are presented below in order of time-wasting rank and degree of impact, from mild to severe.
1. Personal time wasting: This covers items like spending too much time on Twitter, LinkedIn, Facebook, web surfing, news reading, and so on—all under the guise that it really does relate to your job. Not surprisingly, pointing to this category is a favorite of managers. Although, with the appearance of many CIOs on Twitter, it's starting to be a problem at the leadership level as well. Degree of organisational impact: mild.
2. Misguided efforts and energy: This category refers to all those activities that some IT managers feel are very important but, in reality, have little value except in the most limited instances. The big culprits in this category are: email proliferation (too many cc's, too many thank you's, using email like chat instead of actually speaking with someone); global standards initiatives; vendor briefings to "stay on top of things"; department reorganisations that produce unclear org models and even more esoteric and meaningless titles for the same people; telling stories of the days when you changed vacuum tubes and picked the bugs out of the punch cards. Degree of organisational impact: moderate.
3. Productivity destroyers: These are the activities that are described not with a roll of the eyes, but with a furrowed brow and a shaking head of disapproval. What makes this category stand out in particular isn't the fact that it has massive impact on the individual and the organisation (which it does) but rather that there is nearly 100 percent agreement between managers and professionals on the biggest culprit. And the winner is: MEETINGS! Yup. Almost everyone (at least in the IT world) believes that the biggest personal and organisational productivity destroyer is the abundance of meetings they have to attend. Degree of organisational impact: severe.

Here we have an essential business activity that nearly everyone in IT feels is a major drain on productivity and progress. For years I ignored this observation. I chalked up complaints about people doing email during meetings to bad etiquette. Statements about poor planning and agenda management, I figured, were about political rivalry or attributable to the fact that they were unfairly comparing my highly prepared workshops and seminars (which have to sparkle with sexy, multimedia presentations, studies, and data so that I can get paid) to the rest of their "normal" work day.

A few years ago I landed a venture capital (VC) firm as a client and I got a huge wake-up call. All of a sudden, I was in close contact with a different industry with a different mindset and different business practices. The biggest difference between the worlds of VCs and IT? Their attitude towards, and handling of, meetings.

For a VC, meetings (with entrepreneurs, investors, analysts, bankers, etc.) are a core competency. They don't have to deliver systems or provide tech support. What they have to do is find, process, oversee and sell companies. And that takes a ton of meetings. Meeting inefficiency isn't just a productivity killer, it has the potential to destroy the firm. They know this and live it deep in their bones. (At least the guys that I worked for did.) The very best illustration I have of this is the seven-minute triage meeting.

The seven-minute triage meeting
Ask any entrepreneur how much time they would like to pitch their company to the VC. They are likely to say 60 minutes to 90 minutes. They are eager to cover all the ins and outs of their company and why it will be a winning investment.

Now, look at things from the perspective of the VC, who needs to meet with lots of entrepreneurs in order to find the one or two they are going to back. The particular firm I worked with funded about one out of every 150 companies that pitched them—two or three new investments per year. Using their numbers, that would require meeting with about 450 entrepreneurs. And if every one of them were given 90 minutes, it would result in 675 hours of initial pitch meeting time. Their solution? The seven-minute triage meeting.

Once a week, several hours were set aside to meet with entrepreneurs. Each entrepreneur was told they had seven minutes to give their pitch to the partners and to answer one or two key questions. Their thinking was pretty simple. If the entrepreneur couldn't make a convincing case for the value proposition of the company in seven minutes, there wasn't much point going any further. The sole purpose for the meeting was to determine whether or not the company merited a closer look. Super focused. Super disciplined.

It didn't stop there
The seven-minute pitch is just one example. This discipline around fixed meeting times extended to a number of other common business processes where they had figured out the appropriate scope and time boundaries for the meeting to keep it focused and to direct follow-up activity.

A personal example. One of my first assignments was to present an overview of the competitive landscape for one of their portfolio companies. I had in mind a detailed analysis and presentation. However, I was told that at this stage all that they wanted was a 20-minute overview of the players with their key strengths and weaknesses.

It focused me. It saved me time. And, it saved them money. I was hooked.

When I first encountered this approach, I figured it would produce a lot of stress and resentment as people (myself included) were forced to fit into a tight time slot. In fact, I observed nearly the exact opposite response.

In place of stress, the highly focused agenda, framework and time constraint produced a sense of calm. People were very clear on what the meeting was about and what they needed to do—before, during and after the meeting. Not only were the attendees well prepared, but there were few complaints about all the meetings.

It's not just a time box
When I first shared my experience with my IT clients and told them that I wanted to implement a similar sort of system for IT, they thought I was crazy. Their immediate response: how could they possibly do anything in seven minutes?

It's a natural response, but it completely misses the point about what it is that makes the seven-minute triage meeting (or others like it) work. It's not just a time box. It's a defined business process expressed in a set of goals, executed in an agenda, and contained within an appropriate time frame.

My IT clients were hearing, "have short meetings." But what I was trying to say was, "get your meetings into a tight, well-focused, framework, like those VC guys do, and your meetings will be productive and brief."

The essential point and the big question
After a bit of trial and error, a winning approach emerged. It's founded on one very basic idea with which nearly every IT professional and manager can agree: meetings with very focused goals and objectives, controlled by the right agenda, have the potential to be wrapped in a tight time frame. The only remaining question: how to realise that potential across IT without creating some wacky meeting definition project?

Is that it?
No, of course not. But since good articles, like good meetings, need to live within strict parameters, that's exactly where I will pick up later this week with Part II. In the meantime, consider how you might apply the VC approach to your meeting schedule. You'll be shocked at what you will uncover on your own.

— Marc J. Schiller, author of “The 11 Secrets of Highly Influential IT Leaders,” is a speaker, strategic facilitator, and an advisor on the implementation of influential analytics. He splits his time between the front lines of client work and evangelising to IT leaders and professionals about what it takes to achieve influence, respect and career success. Download a free excerpt of his book at http://11secretsforitleaders.com

— This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com

Pull-out statistic: 10% per year growth of the financial impact of cybercrime through 2016.

“Ask any entrepreneur how much time they would like to pitch their company to the VC. They are likely to say 60 minutes to 90 minutes. They are eager to cover all the ins and outs of their company and why it will be a winning investment.”


Building an IT Business Office
To bridge the gap between business and IT, financial firms are building an IT business office. By Bob Reinhold

The challenge of demonstrating the business value gained from IT spending has been an issue for as long as there has been IT. This is particularly a challenge for financial services firms as they strive to respond to emerging regulatory requirements and drive a growth agenda in the current cost-constrained environment. But these challenges are not unique to financial services. Improving the ability to measure and communicate the business value of IT is critical for any organisation in this challenging economic and regulatory environment.

One of the greatest pitfalls in linking spend to value is the common communications gap between the business and IT. IT professionals have developed a robust set of metrics designed to drive the management of IT; unfortunately, expressions like “four nines of availability” and the maintenance of “DASD utilisation below 75 percent” are often meaningless to, say, the head of the wealth management business. According to David Reilly, Technology Infrastructure Executive and Chief Technology Officer at Bank of America, “there is a big difference between management information and management reporting — the metrics you use to measure yourself and run the business of IT are not necessarily the same things the business will use to judge your success.”

To bridge this gap, a growing number of financial firms are building an IT business office. This function aids in managing IT value delivery by packaging and measuring IT services in business terms and improving the ability of the business to collaborate with IT to manage technology investments. It’s a model that can work for any enterprise. The goal of this function is to increase transparency and accountability, both for IT and the business and, ultimately, to deliver the maximum value out of technology to meet the needs of the business.

IT business offices take different forms depending on the organisation. Regardless of whether there is a formal entity called the “IT business office,” or a rather informal adoption of business-aligned management and communication practices, we have found that two foundational elements are necessary to achieve the desired results.

Agreement on value components
A critical requirement for successful alignment is to get IT and the business to agree on a common definition of what is valuable to the business. Pascal Boillat, CIO of Fannie Mae, introduced the concept of an IT business office when he joined the government-sponsored entity and immediately focused on creating a common set of goals between business and technology. By agreeing on goals and standards of measurement, the “business gains transparency into IT and is empowered to make more informed decisions. The collaboration raises accountability on both sides,” he says. Bank of America’s Reilly emphasises the importance of having the business take ownership of values and measurement: “You have to hold yourself accountable to what the business cares about; while this may be difficult, it is the business impact that matters.”

Illustration by Shigil N


Two kinds of value should be defined:

1. Transformative value. This is a change from the current environment to a desired future state. This type of value is often associated with significant strategic initiatives, such as implementing a new financial system. To keep focused on the strategic objective, the IT business office should ensure that business stakeholders and IT share a vision of the ultimate business outcome to be achieved through the effort, as well as the value to be achieved over the course of the initiative. Transformative value can also be associated with more general, cultural or environmental changes, such as reducing complexity in the applications architecture or adopting a more mature set of IT processes. In both cases, IT is charged with moving the organisation along a path; progress on the path should be visible and measured by definable business outcomes.

2. Operational value. This, essentially, is the effective delivery of IT. Typically, it is defined and measured by IT’s ability to meet appropriate service levels. But it is important for “effective” to be defined in the language of the business. For example, translating the phrase “four nines of system availability” to “one hour of unavailability per year” may be clear language for a business executive, but still more information may be needed to understand its significance. In this case, an outage occurring as a series of events during peak trading hours will have a significantly greater impact than a single outage occurring overnight.

According to Bank of America’s Reilly, “What business executives really care about is reducing or eliminating the number of incidents that impact their business.” To that end, Reilly advocates measuring the number and duration of business-affecting incidents, and holds himself and his team accountable to the business stakeholders’ definition of impact. As important as defining goals is defining how they will be measured and reported, specifically the processes, roles and responsibilities for IT business office functions. Whether you have established a formal business office or are simply introducing business office practices into your organisation, you must define the organisational structure that will be established to capture and report on the metrics that demonstrate IT value delivery.

It is important to be pragmatic in this effort. The business office function will fail if it requires a large bureaucracy or expensive custom reporting. In some cases, close proxies may need to be used for metrics that are difficult to capture and quantify. For example, let’s say your goal is to increase the adoption of an improved systems-development lifecycle process. It would be hard to measure the adoption directly, other than by observing the actions of a large team of people. However, you can measure the indicators of success, such as the number of emergency bug fixes, which would be reduced if team members follow a rigorous development process.

It can be a challenge to gather information and produce reports on a regular basis without incurring major repeated costs or business interruptions. Efficiency, repeatability, and speed to implementation are important to Fannie Mae’s Boillat: “We found we lacked the infrastructure we needed to automate gathering the metrics, so we had to start off with fairly basic measurements,” he says. “The lesson here is not to wait for the perfect reporting systems. Start with what you can and make it an iterative process.”

It’s best to automate as much of the reporting process as possible. Means of automation would include direct reporting from financial systems or creating purpose-built data stores to capture relevant IT business operations data. Similarly, automating workflows with business process management tools will enhance the efficiency and effectiveness of the process.

Some organisations apply the IT business office concept to individual business units or functional areas. When this approach is taken, experience has shown there is an advantage gained from establishing common measures that all business units report. Establishing a common set of scorecards and measurement approaches across business units streamlines the convergence process and ultimately lowers the cost of the overall implementation.

Successful implementation of an IT business office function will result in enhanced transparency, improved trust, joint accountability and, ultimately, alignment between IT and the business.

“Our primary objective in starting the IT business office was to help us apply the same disciplines to technology that you take for granted in running a business: establishing goals and measuring progress against them with a strong focus on the financials,” says Fannie Mae’s Boillat. “The end result has been far greater transparency for the businesses [than was previously possible], giving them the opportunity to direct and really own their IT spend.”

The business office helps firms understand the levers available to business decision-makers to provide a degree of control over IT cost allocations. Since IT is one of the biggest costs at many institutions, this can be a significant gain for firms.

The benefits extend beyond the walls of the organisation. An IT business office can enable improved communication with regulators, the board of directors and internal and external auditors. Firms can take a holistic, centralised look at the IT risk management function in response to business objectives, regulatory requirements and board directives, and demonstrate the maturity and reliability of IT processes to regulators, auditors and other stakeholders.

— Bob Reinhold is a Principal in the Financial Services Office of Ernst & Young LLP. The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.

— This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com


Advertisement: Trend Micro

BRIDGE YOUR DATACENTER TRANSFORMATION SECURELY WITH TREND MICRO. PHYSICAL. VIRTUAL. CLOUD.

As datacenters transform from physical to virtual, and eventually into the cloud, gaps in datacenter security widen. As virtual machines overtake physical hosts and sensitive data moves into the cloud, your datacenter perimeter blurs and the complexity of security increases. Turn to Trend Micro, the leader in server security, to bridge your datacenter transformation: higher consolidation, better manageability, faster performance, and plainly more secure. The result is a true business advantage.

Trend Micro is #1 in server security, worldwide, physical or virtual.*
*Sourced from: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC

Learn more at trendmicro.com/cloud-security. For more information, visit us at www.trendmicro.co.in. Call: 1800 103 6778. Email: [email protected]; 91-11-42699000; Mumbai: 91-22-26573023; Bangalore: 91-80-40965068.


There has been a sea change in the security landscape in 2011. For the first time, threats such as Distributed Denial of Service (DDoS) attacks, long considered a highly sophisticated attack vector, were executed using open source tools.

Hacktivism, the use of hacking as a means of protest, became commonplace this year. Hacktivist groups such as Anonymous and LulzSec emerged, threatening governments, corporates and anyone they thought was not doing the right thing.

The threat of cyber war loomed large, giving governments sleepless nights. Iran built its first cyber command to fend off cyber attacks, Israel similarly set up a cybernetics taskforce, and the US announced a strategy to retaliate against hostile acts in cyberspace with military might.

With their acceptance in enterprises increasing, and the concept of Bring Your Own Device (BYOD) catching on, mobile devices were on the receiving end of security breaches. The first couple of months of 2011 saw the largest number of malware samples in the history of the mobile platform.

Amidst this changing security scenario, CTO Forum looked at some of these threats and came up with strategies that enterprises could adopt to mitigate them.

With the growing number of threats and their increasing sophistication, CIOs need to chart out a clear strategy for their IT infrastructure security in the coming decade. By Varun Aggarwal

Illustration by PC Anoop


INSIDE
30 | The Cyber Defence Team
32 | Going the Consumer Way
34 | Security Priorities 2020
36 | Consumerisation of IT
38 | Evolving Role of Security
40 | CFO's View On Security


The Cyber Defence Team
Richard Stiennon, Chief Research Analyst, IT-Harvest and author of Surviving Cyberwar, shares insights into some of the new threats faced by enterprises and suggests new measures to counter them

New threats and new measures to counter them call for a reorganisation of IT security teams so that they can focus on defending the organisation from targeted attacks.

It is only ten years since most enterprises established separate security teams to address vulnerabilities, deploy and maintain patches and virus signature updates, and configure and maintain firewalls. To ensure that policies were created and enforced, most organisations also created the position of Chief Information Security Officer (CISO), who enacted those policies and became responsible for ensuring that the organisation was in compliance with standards and regulations. The rise of targeted attacks must be met by similar organisational enhancements. The terminology and titles are not important, but the roles and responsibilities described here are required to mount an effective cyber defence.

It is interesting to note that the Cheong Wa Dae (the Korean President’s “Blue House”) has instituted a special Cyber Defence Team in reaction to concerted attacks on the computers of the G20 Summit Committee in Seoul.

“Since June, the government has been running a special cyber defence team to prevent attacks against major private and public computer networks.” — The Chosun Ilbo

Countering targeted attacks calls for new measures. One of those measures is creation of specialised teams that are not bogged down in the day to day tasks of blocking viruses and cleaning up machines. Here is my proposal for such an organisation.

Team Lead: Cyber Defence Commander
The title may evoke too martial an image. Perhaps cyber defence team lead, or director of cyber defence, will be a better fit. But the idea of one throat to choke in establishing a leadership role is an effective way to instil in a team and its leadership the seriousness of its task. They must be instilled with the idea that they are targeted, under attack daily, and engaged in a battle to protect the organisation from a malicious adversary.

The cyber defence team replaces the traditional computer emergency response team (CERT) and will probably incorporate most of the same people.

The cyber defence commander is responsible for establishing the cyber defence team, assigning and directing roles, making sure the correct tools and defences are deployed, putting in place controls and audit processes, and reporting to upper management on the results of those processes, and audits. The cyber defence command-er would also be the primary point of contact for communicating to law enforcement and intelligence agencies when the inevitable situ-ation arises that requires outside help or communication.

A large organisation with divisions spread around the globe or separate large business units may well have cyber defence teams deployed in each division with their own leaders who report up to the cyber defence commander. (Call them lieutenants if you must but I am not going to take the military command structure that far.)

The cyber defence team should have three primary roles: an outward-looking role, an operational role, and an inward-looking role. Each of those roles is described next.

Cyber defence analysts are the intelligence gatherers. They study the threatscape with an eye towards emerging threats to the organisation. Most organisations assume that because they have so many people in IT security, someone is looking out for the latest attack methodologies or tools, and even keeping tabs on the various groups that engage in cyber attacks. Unfortunately the operational aspects of IT security are too consuming to allow this type of outward-looking focus. IT security practitioners are very inquisitive and attempt to keep up with the huge volume of information available to them at conferences, from vendors, and in the news. But their activities are ad hoc and mostly voluntary. Would TJX have succumbed to an attack that entered through a WiFi access point in a store in Minneapolis if they had had someone staying abreast of the news who would have seen the exact same methodologies used against a Lowe’s store in Southfield, Michigan four years before? A team of cyber analysts working at a mining or oil and gas exploration company would have been alert to the news that the three largest such firms in the US (Marathon Oil, ExxonMobil, and ConocoPhillips) were compromised in 2008. They would have had contacts within the community who would have given them a heads-up. They would then have seen the 2009 attacks against BHP Billiton, Rio Tinto and Fortescue Metals Group, the major natural resources companies in Australia, and analysed those attacks for similarities. They would have raised a red flag that their own organisation could be targeted as well and increased the vigilance of the internal teams.

Pull-out statistic: growth in targeted attacks from January 2011 to November 2011 (the figure itself was not captured).

Cyber defence analysts assume the role played by counter-intelligence agents inside most governments. They gain an understanding of the attackers and their tradecraft and advise those responsible for defending against them. As members of a cyber defence team these analysts will be responsible for:
1. Understanding the state of the art in attack methodologies. They should research and understand the successful and attempted attacks against similar organisations. They do this through monitoring news reports and security research reports from vendors, including McAfee Labs, VeriSign’s iDefense team, Verizon’s threat report, F-Secure’s Mikko Hyppönen, Symantec’s threat report, Sourcefire’s VRT, Fortinet research, Infowar Monitor and IBM X-Force, as well as independent researchers such as Dancho Danchev, Brian Krebs, Nart Villeneuve, and dozens of others.
2. Getting to know potential attackers and monitoring their activity. Is the organisation a target for industrial espionage from competitors or state-sponsored spies? Could a particular fanatic group, be it PETA, Greenpeace, Islamic Jihad, or a religious faction, be targeting the enterprise?
3. Monitoring known attack sources and distributing the IP addresses of those sources internally for purposes of blocking and alerting.
4. Communicating the threat level to the rest of the cyber defence team.
5. Assisting in evaluating technology for internal deployment.
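The third duty above, distributing known attack sources internally for blocking and alerting, is the analyst-to-operations handoff, and it is worth seeing in working form. The Python below is an added example, not code from the article or from any vendor it names: it parses a feed of indicators as the analysts might publish it, produces a blocklist a firewall can load, and matches both ends of each firewall log line against the feed, ranking an accepted outbound connection to a command-and-control address above a dropped probe from a known scanner. The feed layout, the log format and every address in it are constructed for the example.

```python
"""Turn a feed of known attack sources into a blocklist and match it against firewall logs.

Added example: not code from the article or from any vendor it names. The feed
layout, the log format and every address below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed indicator feed as the analysts might publish it internally:
# one indicator per line, "<ip-or-cidr>,<who reported it>,<tag>".
INDICATOR_FEED = """\
# sample feed (constructed)
198.51.100.23,analyst-team,c2
203.0.113.0/24,peer-share,scanner
192.0.2.77,news-report,phishing-host
"""

# Constructed firewall log lines: timestamp, action, src, dst, dport.
FIREWALL_LOG = """\
2011-12-01T09:14:02Z ACCEPT src=10.0.0.15 dst=198.51.100.23 dport=443
2011-12-01T09:14:05Z ACCEPT src=10.0.0.15 dst=93.184.216.34 dport=80
2011-12-01T09:15:11Z DROP src=203.0.113.45 dst=10.0.0.4 dport=22
2011-12-01T09:16:40Z ACCEPT src=10.0.0.22 dst=192.0.2.77 dport=80
garbage line the parser must not choke on
"""


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    source: str
    tag: str


def parse_feed(text: str) -> list[Indicator]:
    """Parse the feed, skipping comments and blank lines; a bare host becomes a /32."""
    indicators = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value, source, tag = (part.strip() for part in line.split(",", 2))
        indicators.append(Indicator(ipaddress.ip_network(value, strict=False), source, tag))
    return indicators


LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def match_indicator(addr: str, indicators: Iterable[Indicator]) -> Indicator | None:
    """Return the first indicator whose network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for ind in indicators:
        if ip.version == ind.network.version and ip in ind.network:
            return ind
    return None


def alerts_for_log(log_text: str, indicators: list[Indicator]) -> list[dict]:
    """Match both ends of every parsable log line against the feed.

    An ACCEPTed connection to a c2 indicator means a host is already talking
    to the attacker, so it is ranked above a DROPped probe from a scanner.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than stop the monitor
        for end in ("src", "dst"):
            hit = match_indicator(m[end], indicators)
            if hit is None:
                continue
            high = m["action"] == "ACCEPT" and hit.tag == "c2"
            alerts.append({
                "ts": m["ts"], "end": end, "addr": m[end], "action": m["action"],
                "tag": hit.tag, "source": hit.source,
                "severity": "high" if high else "medium",
            })
    return alerts


def blocklist(indicators: list[Indicator]) -> list[str]:
    """Deduplicated CIDR strings, sorted, in a form a firewall or router can load."""
    nets = {ind.network for ind in indicators}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


if __name__ == "__main__":
    feed = parse_feed(INDICATOR_FEED)
    print("blocklist:", blocklist(feed))
    for alert in alerts_for_log(FIREWALL_LOG, feed):
        print(alert)
```

The point of keeping the feed as CIDR networks rather than a set of strings is that a single scanner range from a peer covers every address in it, and the version check keeps an IPv4 log entry from being tested against an IPv6 indicator. In practice the feed would be regenerated whenever the analysts update it and the blocklist pushed to the perimeter devices, while the alert stream feeds the operational team described below.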

A valuable methodology for the research is being developed by the Infowar Monitor team working at the University of Toronto. They dub their methodology “fusion research”, a combination of technical analysis, contextual understanding, and field investigations. Translating this into the activities within an organisation would mean working with peers to discover methodologies being used successfully against them, and the tools and defences they deploy. It would also mean having an understanding of the industry they are in and the value of their information assets to various potential adversaries. Banks, long the target of cyber crime, and casinos, with vast experience fighting insider threats, have had this type of interaction with their peers for years. It is time for manufacturers, non-profits, universities, and state and local governments to do the same.

The second role within the cyber defence team is the operational role. Members of the cyber defence operations team must:
1. Select and deploy network- and host-based tools to monitor activity, alert on unusual activity, block attacks, and assist in removing infections that have made it through all of the cyber defences.
2. Interact with the rest of IT operations to ensure that infections are quickly snuffed out and cleaned up.
3. Engage in forensics activities to perform post-mortems on successful attacks, gather evidence, and improve future operations.

The members of the internal cyber defence team supplement the rest of IT operations. They are not responsible for the daily updating of servers and desktops, the distribution of AV signatures, or maintaining firewalls. Their job is to discover and mitigate attacks as they occur. This is a 24x7x365 job. A primary responder must be identified for each evening, weekend, and holiday shift. They must be able to receive alerts, quickly gain access to the monitoring system, and take defensive action when an attack occurs.
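One concrete form of “alert on unusual activity” that the operations team can run over flow records, rather than buy, is a check for beaconing: a host contacting the same destination at a near-fixed interval, which is how an implant waits for instructions from a command-and-control server. The Python below is an added example, not code from the article and not the output of any product it names. It groups flows by (source, destination, port), computes the gaps between successive connections, and flags pairs whose gaps have a small coefficient of variation; a person browsing produces bursty, irregular gaps and is not flagged. The flow records and their field layout are constructed for the example.

```python
"""Flag hosts that contact one destination at a near-fixed interval (beaconing).

Added example: not code from the article and not the output of any product it
names. The flow records and their field layout are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dport, bytes out).
FLOWS = [
    # 10.0.0.15 reaches 198.51.100.23 roughly every 300 s with small jitter
    (1000, "10.0.0.15", "198.51.100.23", 443, 512),
    (1302, "10.0.0.15", "198.51.100.23", 443, 517),
    (1599, "10.0.0.15", "198.51.100.23", 443, 509),
    (1901, "10.0.0.15", "198.51.100.23", 443, 515),
    (2200, "10.0.0.15", "198.51.100.23", 443, 511),
    (2498, "10.0.0.15", "198.51.100.23", 443, 513),
    # 10.0.0.22 browses 93.184.216.34 in bursts at irregular times
    (1005, "10.0.0.22", "93.184.216.34", 80, 20480),
    (1012, "10.0.0.22", "93.184.216.34", 80, 4096),
    (1460, "10.0.0.22", "93.184.216.34", 80, 70000),
    (1470, "10.0.0.22", "93.184.216.34", 80, 1500),
    (2300, "10.0.0.22", "93.184.216.34", 80, 9000),
    (2315, "10.0.0.22", "93.184.216.34", 80, 3000),
    # a pair seen too rarely to judge either way
    (1100, "10.0.0.30", "198.51.100.9", 443, 300),
    (1400, "10.0.0.30", "198.51.100.9", 443, 300),
]


def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Return one record per (src, dst, dport) whose connection gaps are nearly constant.

    jitter is the coefficient of variation of the inter-arrival gaps: near 0 for a
    timer-driven implant, large for a person clicking around. Pairs with fewer
    than min_connections flows are ignored because the statistic is meaningless.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        stamps_by_pair[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(stamps),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(FLOWS):
        print(beacon)
```

The two thresholds are the tuning knobs: min_connections keeps a pair seen twice from being judged at all, and max_jitter sets how regular the gaps must be. Well-built malware adds random sleep to defeat exactly this check, so a looser max_jitter catches more but also starts flagging legitimate pollers such as mail clients and monitoring agents, which is why the output is an alert for a responder rather than an automatic block.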

The third component of the cyber defence group is the Red Team. They look inward. They scan the network for holes in the defences and new vulnerabilities. They engage in attack and penetration exercises to test defences. They evaluate new IT projects to ensure that authentication, authorisation, and defences are included in the initial design all the way through to deployment.

Each of these three roles has special tools that it should use to accomplish its duties.

The cyber analysts make use of knowledge management tools to categorise and create linkages between disparate data sources. An internal wiki can serve as the basis of communication with the other members of the team. A sophisticated tool from Palantir Technologies can help them track sources of attacks, record data, remember IP addresses and malicious domains, and even keep track of the identities, affiliations, and methods associated with particular groups or individuals.

The cyber defence operations team will use advanced packet capture, network behaviour monitoring, application monitoring, and endpoint protection tools. NetWitness provides the best tool for capturing network traffic and applying filters that contain knowledge of attack sources, along with other cross-correlation capabilities. By deploying a network flow monitoring solution from Arbor Networks they can see changes in traffic patterns that are indicative of an attack. Guidance Software, known for its forensics toolkits, has a cyber defence product that leverages the endpoint protection of HBGary to identify and remediate infections. FireEye is a network gateway defence against zero-hour malware and blocks attempts to communicate with command and control servers operated by attackers.

The cyber defence Red Team makes use of many open source tools to act as surrogate attackers. Nessus can be used for vulnerability scanning; originally open source, it is now the basis of Tenable’s commercial products. Vulnerability scanning is also a function of regular IT operations, so it is important that the Red Team use a different set of tools from those used by operations. Core Impact is the most advanced commercial attack and penetration tool.

The organisation and duties of the Cyber Defence Team arise from the new threat of targeted attacks. There is a fundamental difference between defending against random attacks from viruses, worms, and botnets and defending against targeted attacks. When the viruses and worms are written to specifically infect an enterprise’s systems and gain control of internal processes, communications, and data, traditional tools are ineffective and traditional organisations are at a loss. By assigning responsibility to a core team of cyber defence specialists the enterprise can begin to address its vulnerability to targeted attacks.

Going the Consumer Way
Consumerisation is leading to the third wave, “use the good things out”, i.e. finding ways to use the good things (information assets, data etc.) outside the organisation perimeter in a secure form to enhance their value. By Sameer Shelke

Consumerisation of Information Technology, or of the enterprise (the adoption of cloud services, social networking and mobile devices), is being experienced by all of us; the extent and timing of adoption is the only variable.

Many ask whether consumerisation is applicable only to a B2C environment, or whether it is relevant in a B2B ecosystem as well. The perennial question: would organisations adopt CSM (cloud, social and mobile) for serious business systems?

The B2B world needs to adopt CSM in a phased and controlled manner, using the following steps:

Use IaaS or PaaS cloud services, so that applications and data are “controlled”
Define standard builds and approved mobile devices under controlled environments, e.g. virtualisation
Only allow communication applications on mobile devices
Restrict social media usage to specific departments

Basically we are seeing CSM creeping into enterprises because of the business benefits it offers and user demands. The main reason for this is that behind every B2B there is a “C”. The “C”, the consumer, is using CSM models in personal life and is demanding the same services in work life. Maybe it’s a new definition of work-life balance.

Today’s senior and mid-level management in organisations are at varied levels of maturity in using CSM. Tomorrow’s leaders are growing up today using CSM; they get smartphones and social networking accounts before their driving licence. So the influence of “C” on the enterprise will only grow.

What does this do to enterprise security, that is, to the strategy and control posture organisations use to manage information risk? Since the enterprise is transforming, so should enterprise security. Today enterprise security strategies are built around “information assets”: we estimate the value of the asset and its exposure probability, and define the controls. The first wave of security used the concept “keep the bad things out” (firewalls, IDS, IPS); the second wave added “keep the good things in” (DLP, DRM). Consumerisation is leading to the third wave, “use the good things out”, i.e. finding ways to use the good things (information assets, data etc.) outside the organisation perimeter, on the internet, in a secure form to enhance their value.

The first two waves were one-dimensional: the focus was information assets. The third wave adds the dimension of use, or openness, driven by the consumer. The focus changes to the user or consumer and the risks from information usage in the open world, which is outside the organisation perimeter.

As an example, organisations now need to identify, assess and control the risks arising from their information that is on the internet in social media sites, blogs, microblogging sites etc. This uncontrolled information could have serious business impact; simple examples are product pricing information, reviews, support credentials etc.

Another dimension is risk to information from people, who are considered the weakest link in security. The combination of the weakest link and uncontrolled information would test even the most mature security postures. In relation to people risks, social engineering, commonly defined as the art of manipulating people, is a major risk area for control postures to focus on. The recent increase in phishing attacks shows this trend. RSA research reported that phishing attacks reached an all-time high of 38,970 in September 2011 alone. Spear phishing attacks like the one used in the publicised RSA attack demonstrate the focus hackers are giving to the weakest link.

A combination of consumerisation and people risk increases the risk to levels we haven’t seen before. Taking the phishing example again, phishing attacks on consumers using CSM are more effective than in traditional web or enterprise scenarios because:

It is difficult to spot phishing emails on smaller, compact mobile device screens
Gesture usage on smartphones means we sometimes click links we don’t mean to
We use mobiles on the move, which might make phishing emails difficult to spot
Mobile devices are used by kids, and we never know what they would click
Social networking is used to connect to unknown people, so the risk of phishing increases
Frequent changes in social networking or cloud service configurations are expected, hence those become good phishing email subjects etc.

Organisations now need to develop their enterprise risk management strategies to address this new world and the third wave of “using good things out”. The third wave adds on to the first two, hence the organisation’s control posture will become more varied and complex, which is itself an issue to manage.

Consumerisation is here, consumerisation of enterprise security is following, and we need to prepare ourselves for it. The ostrich syndrome (denying or refusing to acknowledge something that is blatantly obvious, as if your head were in the sand like an ostrich) is something we as risk managers can’t afford.

—Sameer Shelke, Co-founder, Chief Operating Officer & Chief Technology Officer, Aujas Networks


Security Priorities 2020

The security landscape is fast changing and in order to keep ahead of the bad guys, organisations need to be geared up to address some of the key security challenges that they would have to face going forward.

Consumerisation of IT
“The proliferation of tablets and smartphones will make it tough to ensure that the security infrastructure remains capable of protecting the organisation from new vulnerabilities.” —Satish Warrier, CISO, Godrej Industries

Cyber War
“As a Nation, we need to prepare extensively to protect our National Critical Information Infrastructure from targeted cyber attacks as rogue nations are increasingly using cyber warfare to cripple their enemy countries.” — Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance

Application Security
“Understanding that security needs to move from the perimeter to internal, we need to evaluate the security of applications within the enterprise.” —Murli Nambiar, Group CISO and CTO, Reliance Capital

IT Governance
“There is a rapid expansion of Enterprise Ecosystem where external partners are increasing, which requires even greater emphasis on third party/vendor security governance, through disciplined analysis and actionable risk management.” —Pankaj Aggarwal, CISO, Aircel

Privacy
“With the amendment of the IT Act and increased compliance requirements from foreign business partners, Information Privacy is a key priority for organisations. Considerable work needs to be done in every organisation in achieving Information Privacy compliance.” —Sunil Varkey, CISO, Idea Cellular

Targeted Attacks
“The combination of new vulnerabilities and more specific targeted attacks will lead to continued growth in bottom-line financial impact due to successful cyber attacks.” —Sharad Sadadekar, AVP - IS and IT Governance, HDFC Life

Page 38: Security 2020

Consumerisation of IT

The introduction of social media and mobile in the enterprise brings not just productivity gains but also its own set of risks. Enterprises therefore need to build a strategy to mitigate these risks. By Varun Aggarwal

Employees are increasingly using their own devices for business, a trend known as the consumerisation of IT. The rate at which employees are bringing their own devices to work is quite alarming, and employers don't seem to know how many or what consumer technologies are in use in their workplace. Workers report using consumer devices at twice the rate employers report, according to research IDC recently conducted on IT consumerisation trends on behalf of Unisys. According to the report, workers are dissatisfied with the level of support IT provides for consumer technologies, and employees think their employers are more permissive of the use of consumer technologies than the employers actually are. Most workers, 67 percent, say they can access non-work-related websites, but only 44 percent of employers say their employees can access non-work-related sites. Meanwhile, 52 percent of workers say that they can store personal data on the company network, but only 37 percent of employers say this is the case.

With consumerisation of IT becoming a reality, CIOs need to find ways to allow this transition in a safe and secure manner, so that sensitive data is not compromised in order to provide convenience for employees.

Building a case

While there is increasing demand from employees to open up social media in the enterprise and allow BYOD, enterprises do not see the lack of it as a deterrent to attracting talent.

“Normally, before joining the organisation, employees do not ask for things such as social media access in the organisation or allowing personal devices to work, etc. However, once the employee joins the organisation, he starts to compare it with his previous organisation and tends to demand access to social media for better productivity,” opines Satish Warrier, CISO, Godrej Industries.

Therefore, even if you are able to attract talent without consumerisation of IT being part of your organisation's culture, retaining and motivating that talent could be challenging.

“BYOD is not just about bringing a personal device into the enterprise network. The employee sees this as an incentive because he can access his email and enterprise applications on that device while at the same time he can access his personal data and play games etc on the same device. BYOD is also about identifying the critical applications that the enterprise wants to activate on the user device and thereby improve employee productivity,” opines Pankaj Agrawal, CISO, Aircel.

For example, if the sales force gets access to some of the enterprise applications on the move, it can greatly enhance their productivity.

Most CIOs agree that we cannot stop these technologies from entering the organisation, because of the concept of employee well-being at work. These technologies are said to reduce people's stress levels and hence increase productivity.

“The new concept from the world over is the reduction of emailing. According to a statistic, only 20 percent of emails are actually useful. Therefore, employees need to use social media and chat for most of their communication. The pressure especially would come from MNCs operating in India to enable such policies,” opines Murli Menon, CISO, Atos.

On the flip side, management may also see consumerisation of IT as an additional cost, because enabling the technology means setting up controls with new tools that cost money. The need for the concept varies drastically between industry verticals, so to get management buy-in CIOs need to engage with the business and clearly articulate the productivity benefits of consumerisation of IT.

Preparing the infrastructure

Allowing social networking and bring-your-own-device in the enterprise exposes it to a wide variety of risks. For one, enterprise data now resides on a device that the company does not own.

“When you look at BYOD as a concept, you need to look at a solution that can actually provide a secure shell for the users to work in—whether he comes from a mobile device, a laptop, or working from a business centre. You need to ensure that when he connects to the enterprise, to access his emails or any other enterprise applications, you restrict him to a shell so that he cannot take anything outside that environment,” suggests Murli Nambiar, Group CISO & CTO, Reliance Capital.

Felix Mohan, Group CISO, Bharti Airtel, warns, “The fundamental concern with BYOD is how do you extend the control of the enterprise on its owned corporate data which now resides on a personal device.”

“This doesn't happen with most solutions, because all solutions available in the market are basically MDMs which control but do not provide containers. The only way to control BYOD is to create a virtual container within which the enterprise data remains secure. No data can go out from the container to the personal environment of the device and nothing from the personal environment can enter that container,” he suggests.

This is similar to the traditional workstation environment: to give access to enterprise data on a laptop, enterprises installed a VMware virtual environment on the laptop to create a secure environment. Similar security for mobile can be provided through an application container.

Data classification

To successfully implement consumerisation of IT, organisations first need to identify classified information within the organisation. You need to define what needs to be protected, what enterprise data can be downloaded to the endpoint and what should not be downloaded.

Moreover, data classification has to be linked to the best technology and process available. One also needs to define the granularity required: you can either focus on just structured data or go deeper and look at unstructured data in the form of files, emails and so on. Classification should be broad-based to start with; depending on your needs, you can gradually move towards more granular levels.

Conclusion

Consumerisation of IT is not just about deploying a technology; it is a shift in enterprise culture, and CIOs therefore need to build an entire ecosystem around it. As the concept matures, the tools and technology available to enable it will also let organisations put more critical applications on mobile devices to further increase productivity. Until the tools reach that maturity level, organisations should refrain from allowing sensitive applications on mobile.

Finally, a combination of solutions needs to be deployed to successfully enable BYOD in an organisation. You need a security solution to protect the endpoint and combine it with a virtualisation solution to isolate and protect the enterprise data residing on the device.


Evolving Role of Security

The security function is constantly evolving, much as the IT function was 10 years ago. As security issues become real for enterprises, the role of the CISO is becoming strategic. By Varun Aggarwal

The growing awareness around information security can be sensed by watching Sachin Tendulkar talk about the importance of security in an advertisement. Some banks have also started advertising the effects of phishing and how users need to be aware of them. Even the end user today talks about data security without being a geek. What has driven all this is a spate of high-profile attacks in just the last 6-9 months.

While industrial or national espionage with the use of IT was thought of as something futuristic, recent events have proved that these threats have manifested into real risks for organisations. Even from a national security perspective, attacks on private enterprises can wreak havoc, considering that 80 percent of national infrastructure is in the hands of private entities.

The evolution in awareness about information security has also brought to the forefront the role of the security function in the organisation, or the role of the Chief Information Security Officer. How is this role going to be defined going forward, and what should the CISO do in order to become strategic for the organisation?

According to Felix Mohan, Group CISO for Bharti Airtel, every leader needs the qualities of collaboration, communication and convincing, and a CISO should work on certain principles to make the role strategic.

“The CISO's role is to maintain and manage an information risk programme such that information assets are reasonably protected. However, information assets are not the only assets that a company has. There are tangible and intangible assets. Brand and reputation also need to be protected. Financial assets need to be protected by preventing fraud. The CISO's role needs to evolve into the role of a CSO. The more you enlarge your role, the more you make your presence felt in the organisation,” he suggests.

The second vector is agility and business intelligence. What role does a CISO play in making the company more agile and giving it more business intelligence? “CISOs need to embark on intelligence-based security. Intelligence-based security would help the CISO fend against Advanced Persistent Threats. To embark on this journey, the CISO needs to become a planner. Like Peter Drucker said, the work of a manager is 80 percent planning, 10 percent replanning and the remaining 10 percent coordinating to make sure those plans are implemented. Less than 25 percent of a CISO's time is spent even looking at a plan. That should substantially increase. And in order to plan better, he needs to get threat intelligence, intelligence on business to understand new lines of business, etc. CISOs also need to know the reference of intelligence,” Mohan says.

Gartner predicted 10 years ago that consumerisation of IT would be a big issue, yet not many CISOs are geared up to enable it in a secure manner.

CISO to CRO

The next step is to move from security to risk management. The work of the board of directors is to manage risks. Theoretically, the more risks you take, the more money you make, and as organisations are under tremendous pressure to make more money, they are taking more risks. “It is important for the CISO to articulate, in business-understandable language, the impact of the residual risks associated with information risks. When you communicate this to the management in an effective manner, they start looking up to you with a lot of respect,” Mohan explains.

Take, for example, an employee's mobile phone getting lost. That is a physical risk, but the phone may contain corporate data, making it an IT risk. That data loss may result in a loss of reputation for the organisation, making it a reputational risk, and finally, based on that loss in reputation, the company's stock may plunge, making it a financial risk.

CISOs need to assimilate all these risks and evolve into the role of enterprise risk manager. In order to become strategic, CISOs need to become Chief Risk Officers by gaining knowledge about finance and business.

“More than 50 percent of our interactions should be with business. As more and more things are getting online, security is becoming an important thing. CISOs can suggest extremely consumer-centric strategies to business and become more strategic,” says KS Narayanan, Head - Information Risk Management, ING Vysya Bank Ltd.

CISO as a Compliance Officer

Next is the CISO's role in compliance. Previously, compliance was all policy-based. Then came government regulations, leading to regulatory compliance. There is a third kind of compliance that we will be evolving to, and that is customer-centric compliance. Customer centricity is the prime need for the CISO. The entire business is now becoming customer-centric, and CISOs can play an important role in making it so. The more you look at the pain points of the end customer in terms of trust and security, the higher the chances of retaining that customer. The CISO can help in building that trust.

Finally, the CISO needs to bring in innovation. While CISOs can look at bringing innovation in terms of cost and productivity, the real innovation is in working with vendors. Vendors are not just for hiring; we need to co-create with vendors. You need to look at how you can create security solutions together with the vendors. Similarly, you need to co-create with customers: you need to ask the customers what challenges they are facing.

Conclusion

For a lot of businesses, such as online businesses, security is highly strategic. The security issue is real and threats are now manifesting into actual risks. CISOs need to start working on their hygiene and assume that they are already under attack. It should go without saying that the investment that goes into protection should be less than the value of the asset being protected. Also, security measures will not be the same for every organisation and may vary dramatically between industry verticals.

“People at various levels can be strategic. A CIO, for example, can take a strategic decision on whether to build a CRM application in-house or outsource it. Similarly, a CISO can take a strategic decision on whether to hire a partner for the core security team or build an internal security team and build competence for them. He can take a decision on whether he should manually handle compliance or invest in an automated GRC solution,” opines Pankaj Agrawal, CISO, Aircel.

“There is a strategic component to the CISO's role. It is up to the CISO how much he wants to contribute to that strategic component,” adds Murli Menon, CISO, Atos.

The good news is that the CISO community in India is working together, keeping competition aside, so that there is no need to reinvent the wheel.

[email protected]


CFO's View on Security

Mahendra Negi, CFO, Trend Micro, in an interaction with Varun Aggarwal, shares his view on how a CFO views the role of IT and security in an organisation.

Being a CFO yourself, how do you prioritise security budget requests sent to you by the CIO or the CISO?

In today's business environment, information has become key to success for any business. That's why information security has become extremely critical and it has also become one of the top priorities for organisations. Whenever I receive a request from the CIO or the CISO, I analyse the criticality of the request and its implication for the business and then prioritise accordingly. However, as an organisation our endeavour has been to keep information highly secured, as we consider that the lifeline of our business.

How do you see cloud from both a security as well as a financial perspective? How can CIOs communicate the need and benefits of cloud to a CFO?

Cloud computing means far-reaching changes to the information and telecommunications industry, as cloud computing promises users and providers significant cost reductions and new business models. I believe a technology platform change takes place when the new platform provides both a) better usability, and b) better price performance. Cloud computing delivers this, and that is why, in the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, companies are increasingly realising that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But usability usually comes at the cost of security; thus as we use the cloud more and more, we expose more and more data to security risk. However, as the cloud services ecosystem grows, specialised companies will address the security issue.

I believe it is important for today's CIOs to bring an entirely new set of skills. Today's CIO will continue to require an understanding of infrastructure and architecture, but he needs to bring in a business understanding of finance, marketing, operations, HR and the other functions. It is important for CIOs to understand and explain the same to the management by embracing new services that make their companies competitive, while mitigating risks and allowing for small-scale failures in the pursuit of long-term success. In fact, management is looking at having strategic value in a world where cloud computing is a given for future competitiveness.

How do you perceive information risk in your overall enterprise risk management strategy for your organisation?

Enterprise risk management strategy is critical for our organisation. We have a very strong enterprise risk management strategy in place and I am confident about the confidentiality of our information. We also have a dedicated team which monitors the company's security posture 24/7, and a prioritisation methodology which enables us to address critical security risks very quickly. So while risk can never be completely eliminated, we have a better risk management strategy than most companies.

What do you consider more important: risk mitigation or risk management? How should a CIO/CISO look at risk?

Risk management is an expansive term, which may include the mitigation of risk. Mitigation techniques aim at reducing the impact that a risk will create if it occurs. The CIO/CISO should understand the risk and its impact on the company's mission and effectiveness. Seeking justification on budgetary impacts is also an important consideration.


The Annual CSO Survey 2011

The CSO Survey is an annual survey carried out by 9.9 Media amongst Chief Information Security Officers / Heads of Information Security as well as CXOs in Indian organisations to understand the challenges and perceptions faced by the CSO community.

In this third edition of the survey, we have gleaned some interesting inputs and insights. We began by checking how many organisations had a dedicated CISO or Head of Information Security.

An interesting and significant change observed over 2010 was that the percentage of organisations having a dedicated CISO has gone up from 38 percent in 2010 to 78.3 percent in 2011. This reflects the growing importance of Information Security & Risk Management in organisations.

In those organisations where there is no dedicated CISO, the responsibility usually falls on the CIO (72 percent of the cases).

Often, reporting structures within organisations can have a significant impact on the role. So we decided to find out how this has been in India and what CISOs think of their reporting structures. It was observed that a significant 55 percent report to the CIO or CTO.

Who do you report to within the organisation?
CEO: 3.4%
COO: 6.9%
CIO / CTO: 55.2%
CFO: 10.3%
Other: 24.2%

Interestingly, however, only 58 percent of respondents think that the above reporting structure is in the best interests of the organisation. The others think that they should be reporting either to the CEO (31 percent), the Board of Directors (25 percent) or the Risk Committee (25 percent).

Next we looked at how the Information Security function is viewed by the organisation. In response to the question, “Does senior management view your role as strategic and critical and not as a cost overhead?” about 48 percent of respondents were sceptical.

However, it was heartening to note that 76 percent of organisations had a governance structure in place to specifically deal with Information Security & Risk Management issues.

Amongst the key challenges faced by CISOs, managing business risks was rated the highest (54 percent), followed by managing multiple compliance requirements (44 percent).


Given the plethora of responsibilities on the CISO's shoulders, we wanted to understand what activities take up a large chunk of a CISO's time.

Among the key activities taking up the CISO's time, respondents rated “Interaction with business stakeholders” (42 percent) and “New initiatives” (38 percent) as the leading time-consuming activities.

CISOs today work in a domain that changes by the minute, and hence keeping up with developments in this field is critical. So how do CISOs manage to keep up?

Given the expertise and deep knowledge required for this role, along with the requisite maturity and leadership skills, it is of little surprise that most CISOs have spent considerable time in this domain and/or related domains.

Challenges faced by CISOs (percentage of respondents)
Managing business risks: 54%
Managing multiple compliance requirements: 44%
Detecting security incidents: 41%
Staffing the security team: 41%
Investigating security incidents: 35%
Tight budgets: 27%
Prioritising security investments: 26%

What activities take up a large chunk of a CISO's time? (percentage of respondents)
Interaction with business stakeholders: 42%
New initiatives: 38%
Operational / administrative tasks: 32%
End user related issues: 29%
Team development / management: 24%
Vendor management: 21%
Management reporting: 20%
Defining security strategy and roadmaps: 20%
Compliance management and reporting: 16%
Security incidents: 8%


Next Horizons

Texting for Disaster Recovery

Texting could and should play a major role in your disaster recovery (DR) planning. By Pam Baker

Texting on mobile phones often still works when voice calls are impossible: an SMS needs only a brief use of the network's signalling channel, and the carrier's SMS centre stores it and forwards it later when the network is congested. It stands to reason, then, that texting could and should play a major role in your disaster recovery (DR) planning.

“The very first responders usually are average citizens, who happen to be on the scene of where a disaster is unfolding,” said Lee McKnight, professor at the School of Information Studies (iSchool) at Syracuse University. “For CIOs, those first responders may well be your own employees, helping their community and helping your business.”

McKnight, like many others, finds SMS (texting) to be such a critical feature in successful recovery efforts that he is working on ways to make it even better for emergency use. Specifically, he is working on the iDAWG (Intelligent Distributed Augmented Wireless Gateway), a device that can share SMS messages, photos, voice and data across any device, operating on any frequency, to aid in disaster recovery, even when cell towers are down or jammed with traffic.

Features inside: 6 Tips for Better Mobile Security, page 47


S.O.S. for SMS

Critics might question why anything else is needed when the current carrier-based SMS seems to be working beautifully. The answer almost always circles around to a need for SMS that is less vulnerable to traditional provider quirks.

BlackBerry, for example, recently suffered widespread service disruption across Europe, the Middle East and Africa on a disaster-free day due to a glitch in a data center. Vodafone Egypt was quick to tell its customers that the problem was all on BlackBerry's side of the equation, in a rather indignant defense of its own reputation. The carrier didn't add that such an outage could affect any carrier and any SMS service data center at any time.

For the most part, companies are aware of current SMS frailties and are actively seeking other means of augmenting or leveraging it. For example, itrezzo's BlackBerry PIN sync solution was developed at the request of the Department of Veterans Affairs in direct response to 9/11. itrezzo's customers, among them the Department of Justice, the FCC, the U.S. Army Corps of Engineers, The Carlyle Group, the City of Berkeley, St. Jude Hospital, Shell, Hogan Lovells, HBO and CNN, count on the company's unified contact management (UCM) solution, using both SMS and BlackBerry PIN-to-PIN blasts, to see them through.

For eight years, itrezzo UCM has been deployed on servers behind the firewalls of these companies and government agencies. But it is important to recognize that even this service, like other services used today, still relies on servers and data centers.

Such are the rigors of keeping clouds aloft and earthly communications plugged in: data centers are at the root of everything, SMS included, and data centers can and do fail. Nonetheless, SMS is the best we have at the moment and it works reasonably well in disaster zones. So how can it best be harnessed for use in enterprise disaster recovery efforts?

Behind the lines of fire (and hurricanes)

The secret to successfully recovering from a disaster is, and always will be, the availability of resources far behind the front lines of the event. Certainly, a strong DR server back-up plan should be in place, with regular updates and testing to ensure all is ready and functional. But SMS can be helpful here too, in triggering the recovery from the backup centers or other offices.

“In a situation where data loss has had a filter effect across geographically segregated offices, a quick fix solution may be easily sent via SMS to a contact on the other end for quick resolution,” said Abhik Mitra, product manager in Data Recovery at Kroll Ontrack.

For all practical purposes, it is wise to plan for anything in the line of the disaster to be damaged or lost. The problem, of course, is that you never quite know where the front line will be in the next disaster, so the question of where to put the back-up data centers always remains difficult. The question of how to send messages to employees also becomes a vexing planning exercise.

“The challenge then becomes how does one communicate information to thousands of possible employees in a company setting? After all, one does rely on these very IT systems to communicate mass messages,” said Mitra.

The most obvious answer to that is SMS, since the majority of phones in the market today enable text messaging.

“However, SMS should be used to augment an existing disaster recovery plan, not serve as a substitute for one,” warned Dave Sobel, CEO of Evolve Technologies. “You don't want an actual disaster to be the first attempt at measuring the success of SMS communication. Another thing to keep in mind is how responses are handled; if anyone replies to a text message, someone needs to be on the receiving end to ensure all messages are received.”

Pros and cons

Even so, for DR purposes, SMS trumps just about all other options as one of the easiest and cheapest emergency communication systems. But that doesn't mean you can sit back and relax and let the phone carriers handle all the disaster preparations. You've still got some planning to do.

London-based Anthony Vigneron, IT leader at Clifford Chance, an international law firm, provided this list of pros and cons to consider while deciding where, when and how to integrate SMS in your DR planning:

Pros:
SMS does not depend on your internal IT systems, which may have failed.
SMS messages are more likely to be read and not caught in spam or junk filters.
SMS does not require the use of expensive smartphones.
When planning for DR scenarios, personal-liable or corporate-liable phones can be used for this service, allowing greater reach.

Cons:
SMS should be part of an emergency communication plan but not the only method: SMS message delivery is not guaranteed and can be delayed.
SMS traffic takes lower priority than voice services by carriers.
In certain extreme national security scenarios, it is possible for the authorities to take over all services and stop delivery of SMS traffic.
Due to its store-and-forward service design, SMS is inherently poorly secured and should not be used to communicate sensitive information. It can also be subject to spoofing, which could cause staff to react when it is not necessary.

— A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, and Internet News.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
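Two of the cons above, spoofed texts and replies nobody handles, have cheap engineering answers that fit in a single 160-character message. The following is an added example, written for this page and not code from the article, from Clifford Chance or from any vendor it names. It assumes a short key pre-shared with staff (or their alert app) during DR drills and never sent by SMS, and it uses a truncated HMAC tag plus a per-sender sequence number so that a recipient can reject a message that merely looks official, or an old genuine one replayed later; the sender's number is deliberately ignored because it can be forged. All phone numbers, keys and replies are constructed.

```python
"""Added example (not from the article or from any vendor named in it): a
minimal pattern for two of the cons in the list above, spoofed alerts and
unhandled replies. Every number, key and message below is constructed."""
import base64
import hashlib
import hmac
import re

# Assumption: a key distributed to staff during DR drills, never over SMS.
# 40-bit tags fit in a text and are adequate for alerts valid only for minutes.
TAG_CHARS = 8
ALERT_RE = re.compile(r"^DR#(\d+) (.+) \[([A-Z2-7]{%d})\]$" % TAG_CHARS)
GSM_SINGLE_SEGMENT = 160  # longest single-part SMS in the 7-bit GSM alphabet


def _tag(key: bytes, body: str) -> str:
    digest = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii")[:TAG_CHARS]


def make_alert(key: bytes, seq: int, text: str) -> str:
    """Build 'DR#<seq> <text> [<tag>]'. seq is a per-sender counter, so an old
    genuine alert cannot be replayed after a newer one was accepted."""
    body = f"DR#{seq} {text}"
    sms = f"{body} [{_tag(key, body)}]"
    if len(sms) > GSM_SINGLE_SEGMENT:
        raise ValueError("alert would be split into segments; shorten it")
    return sms


def verify_alert(key: bytes, sms: str, last_seq: int):
    """Return (accepted, new_last_seq). Rejects a missing or wrong tag (a
    spoofed or tampered text) and a sequence number not above the last
    accepted one (a replay). The sender's phone number is not used: it can
    be forged, so only the tag proves the message came from the DR team."""
    m = ALERT_RE.match(sms)
    if m is None:
        return False, last_seq
    seq, text, tag = int(m.group(1)), m.group(2), m.group(3)
    if not hmac.compare_digest(tag, _tag(key, f"DR#{seq} {text}")):
        return False, last_seq
    if seq <= last_seq:
        return False, last_seq
    return True, seq


class AlertRoster:
    """Tracks who has acknowledged an alert, so that someone is on the
    receiving end and the silent ones can be escalated by another channel."""

    def __init__(self, numbers):
        self.pending = set(numbers)
        self.acked = {}

    def record_reply(self, number: str, reply: str) -> bool:
        """Count a reply starting with OK as an acknowledgement."""
        ok = reply.strip().upper().startswith("OK")
        if ok and number in self.pending:
            self.pending.discard(number)
            self.acked[number] = reply.strip()
        return ok

    def unacknowledged(self):
        return sorted(self.pending)


def demo():
    """Constructed drill: three staff, two acknowledge, one asks a question."""
    key = b"constructed-drill-key-2011"
    staff = ["+910000000001", "+910000000002", "+910000000003"]
    alert = make_alert(key, 7, "Site A down. Failover to DR site B. Reply OK")
    roster = AlertRoster(staff)
    for number, reply in [(staff[0], "ok on my way"), (staff[1], "OK"),
                          (staff[2], "is this real?")]:
        roster.record_reply(number, reply)
    return alert, roster.unacknowledged()
```

The tag protects integrity and origin only; the message body is still readable by the carrier and anyone on the path, which is why the list above says sensitive detail does not belong in an SMS. Staff who cannot verify a tag by eye still benefit: an alert app, or the person on the receiving end, can check it before anyone acts, and the roster's unacknowledged list is the input to the follow-up by phone or in person.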


6 Tips for Better Mobile Security

Here are some tips for managing mobile security in a better way. By Eric Geier

The more you do on your mobile device, the more you should be concerned about its security. This is especially true if you use it for work. Keep in mind that if your device is configured with your employer's email or messaging server, they may already be implementing some of the security tips we're going to discuss.

Tip No. 1 - Choose a mobile OS that supports encryption, oh, and use it: If you are truly concerned about the security of your mobile phone or device, you should use a mobile operating system (OS) and device that supports hardware-based encryption, such as Apple's iOS or RIM's BlackBerry, for both internal and external storage. This means that someone who pulls the data off the storage cannot read it without the key. Without encryption it is possible that someone could recover the data on the device even without your lock PIN or password.

Not every Android device offers full device encryption. Motorola Mobility's business-oriented smartphones offer encryption capabilities on Android 2.3. Android 3.x includes an API to help developers offer encryption on tablets, which some currently implement, and in the next year we should see Android 4.x tablets and smartphones support encryption. WhisperCore is a third-party encryption solution you may also want to keep your eye on; beta versions are currently available for the Nexus S and Nexus One.

Tip No. 2 - Set a lock PIN or password: Enabling a password, whether it's called a PIN, passcode or passphrase, is the first line of defense in protecting your privacy and security. It helps prevent others from picking up your phone or device and snooping around if it becomes lost, stolen or just left unattended. It is also usually required if encryption is enabled on the device.

If encryption isn't supported by the OS you should still definitely set a password. Though your data can possibly be recovered by determined individuals without them knowing the password, you'll at least protect it from casual snoopers.

Tip No. 3 - Enable auto-wiping of data: Most mobile OSes support automatic wiping of the device's data after a certain number of incorrect password attempts. This is great if encryption isn't supported by the device, but it can actually be just as beneficial for encrypted devices: giving others unlimited guesses at your password makes it much more likely that they could get it right, and once that happens the data is decrypted.

Auto-wiping is natively supported by iOS, Windows Phone 7 and BlackBerry. Android requires the use of a third-party app, such as Autowipe, or a security app as in the last tip.

Just remember to keep all your data regularly backed up and use a solution that lets you restore the data to a new device in case you can't find the one you wiped.

Tip No. 4 - Set up remote tracking and management: Before your phone or device gets misplaced or stolen you ought to set up a remote tracking and management solution. Most let you see the device's GPS location on a map, send audible alerts to help you find it, and display a visual message to tell others how to return it. They typically also let you remotely lock and/or wipe it before someone else gets their hands on it.

For iOS 4.2 or later, Apple provides a free service. For earlier iOS versions there’s the MobileMe service from Apple at $99 a year after the 60 day free trial.

For Android you have to use a third-party app, such as the security apps mentioned in the last tip.

For Windows Phone 7 Microsoft provides the free Windows Live for Mobile service.

For BlackBerry, RIM provides the free BlackBerry Protect service.

Tip No. 5 - Limit Wi-Fi hotspot usage: When you use public Wi-Fi hotspots that aren’t encrypted, all your internet traffic is transmitted through the air and can be easily intercepted. The most important sites and services, such as banking websites, usually implement their own (HTTPS/SSL) encryption that protects their individual traffic. But most email providers and many social networking sites don’t; thus eavesdroppers can likely capture their passwords and traffic.

On the other hand, most 3G, 4G, and other cellular data connections are usually encrypted by the carriers. Plus, eavesdropping on these types of connections isn’t as popular. Therefore, when you’re out and about you should try to use the data connection rather than unsecured Wi-Fi hotspots.

If you insist on using Wi-Fi hotspots, use those that provide enterprise encryption and 802.1X authentication, such as from T-Mobile and iBahn. Alternatively, consider using a VPN connection to secure your traffic from local eavesdroppers.

Tip No. 6 - Use an antivirus or security app: Viruses, malware, and hacking on mobile devices aren’t a huge issue now, but they are becoming more of an issue. You should consider installing a security app to help prevent infections and intrusions. Most AV solutions also offer additional features, such as remote wiping, backup and locating.

AVG and NetQin provide free security apps for Android. Lookout offers free apps for Android, BlackBerry and Windows Mobile. Some paid options include McAfee WaveSecure, Kaspersky Mobile Security and Trend Micro Mobile Security.
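Tips 2 and 3 make one quantitative point: a lock code is only as strong as the cap on how many times it can be guessed. The Python block below is an added example, not code from Eric Geier’s article or from any mobile OS vendor. It models a lock screen that counts failed attempts, applies an escalating delay and wipes the device at a configurable limit, and it computes the probability that someone guessing blindly gets in before the wipe fires. The class and function names, the 10-attempt limit and the delay schedule are constructed for illustration.

```python
"""Model of a lock-screen wipe policy (added example; the names, the
attempt limit and the delay schedule are constructed for illustration)."""

from dataclasses import dataclass, field
from fractions import Fraction


def guess_success_probability(pin_length: int, max_attempts: int,
                              alphabet_size: int = 10) -> Fraction:
    """Probability that someone trying distinct codes at random finds the
    right one within max_attempts tries.

    With unlimited attempts this tends to 1; a wipe limit caps it at
    max_attempts / keyspace, which is the reason Tip 3 recommends
    auto-wipe even on an encrypted device."""
    keyspace = alphabet_size ** pin_length
    return Fraction(min(max_attempts, keyspace), keyspace)


@dataclass
class LockScreen:
    """Tracks failed unlocks, delays further tries after repeated failures
    and wipes at the limit. Only the policy logic is modelled, not an OS."""
    pin: str
    wipe_after: int = 10
    # Constructed delay schedule (seconds) applied after the Nth failure.
    delays: tuple = (0, 0, 0, 0, 60, 300, 900, 3600, 3600, 3600)
    failures: int = 0
    wiped: bool = False
    data: dict = field(default_factory=lambda: {"contacts": ["alice"]})

    def attempt(self, guess: str) -> dict:
        """Process one unlock attempt and report the resulting state."""
        if self.wiped:
            return {"unlocked": False, "wiped": True, "delay": 0}
        if guess == self.pin:
            self.failures = 0  # a correct code resets the counter
            return {"unlocked": True, "wiped": False, "delay": 0}
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.data.clear()  # device contents destroyed
            self.wiped = True
            return {"unlocked": False, "wiped": True, "delay": 0}
        idx = min(self.failures - 1, len(self.delays) - 1)
        return {"unlocked": False, "wiped": False, "delay": self.delays[idx]}


def brute_force(screen: LockScreen, pin_length: int = 4) -> dict:
    """Try every code in order until unlock or wipe; returns the outcome,
    the number of attempts used and the total lockout delay incurred."""
    waited = 0
    for n in range(10 ** pin_length):
        result = screen.attempt(f"{n:0{pin_length}d}")
        waited += result["delay"]
        if result["unlocked"] or result["wiped"]:
            return {"unlocked": result["unlocked"], "wiped": result["wiped"],
                    "attempts": n + 1, "waited_seconds": waited}
    return {"unlocked": False, "wiped": False, "attempts": 10 ** pin_length,
            "waited_seconds": waited}


if __name__ == "__main__":
    print(guess_success_probability(4, 10))     # 1/1000
    print(brute_force(LockScreen(pin="7391")))  # wiped after 10 attempts
```

With a four-digit PIN and a ten-attempt limit the blind-guess success rate is one in a thousand, and the escalating delays mean even those ten attempts cost the attacker over two hours of waiting; without the limit the same loop walks the whole keyspace.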

— Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security. He is also a freelance tech writer—become a Twitter follower or use the RSS Feed to keep up with his writings.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

472% increase in Android malware samples since July 2011

Remodeling the Data Centre
While data centre spending is on the rise, the next five years could see forces emerging that promise to shrink space requirements

Worldwide data centre hardware spending is projected to reach $98.9 billion in 2011, up 12.7 percent from 2010 spending of $87.8 billion, according to Gartner, Inc. Data centre hardware spending is forecast to total $106.4 billion in 2012, and surpass $126.2 billion in 2015. Data centre hardware spending includes servers, storage and enterprise data centre networking equipment.

"Worldwide data centre hardware spending will finally reach and surpass 2008 levels," said Jon Hardcastle, research director at Gartner. "Growth in emerging regions — particularly Brazil, Russia, India and China (the BRIC countries) — is balanced by continued weakness relative to pre-downturn levels in Japan and Western Europe. Storage is the main driver for growth. Although only a quarter of data centre hardware spending is on storage, almost half of the growth in spending will be from the storage market."

The very largest size category of data centres (data centres with more than 500 racks of equipment) will increase its share of spending from 20 percent in 2010 to 26 percent in 2015, driven by the cloud and the shift from internal data centre provision to external.

In 2010, 2 percent of data centres contained 52 percent of total data centre floorspace and accounted for 63 percent of data centre hardware spending. In 2015, 2 percent of data centres will contain 60 percent of data centre floorspace and account for 71 percent of data centre hardware spending.

"Traditional in-house enterprise data centres are under attack from three sides. Firstly, virtualization technologies are helping companies to utilize their infrastructure more effectively, inhibiting overall system growth. Secondly, data centres are getting more efficient, leading to higher system deployment densities and inhibiting demand for floor space. Thirdly, the move to consolidated third-party data centres is reducing the overall number of midsize data centres. Meanwhile, the largest data centre class is, of course, benefitting from the rise of cloud computing," Hardcastle said.

Meanwhile, Gartner also highlights four forces that will have a significant impact on data centres during the next five years. These forces will result in shrinking data centres by 2018, when space requirements could be only 40 percent of what they are today, claims Gartner.

The primary factors impacting data centres in a significant way during the next five years include: smarter designs, energy efficiency pressures (or green IT), the realities of high-density environments, and the potential of cloud computing.

"In the world of IT, everything has cascade effects, and in data centres the traditional methods of design no longer work without understanding the outside forces that will have an impact on data centre costs, size and longevity," said David Cappuccio, Managing VP and Chief of Research for Infrastructure at Gartner. "However, these very forces can actually work in your favor, providing the means to apply innovative designs, reduce capital costs and operating costs, increase long term scale, and keep up with the business."

Gartner recommends that data centre managers who are trying to determine how to optimally design and plan for the leading-edge data centre of the future focus on the following four factors:

Smarter Designs
Traditional methods of designing data centres were created during the mainframe era, and, because of their high costs, many mainframes were targeted for average performance in the mid-90 percent range during production time slots. As a result, there was minimal variation in the operating temperature or power consumption during long periods of time.

Today's data centres have many different demands on mechanical/electrical systems, depending on workload mix, function and age of equipment. New designs have taken this into account by adding different density zones for different workload types. A high-density zone might employ directed cold air, or even in-rack cooling, to support very high density workloads with minimal disruption, or impact, on the rest of the floor. Secondary zones would support steady-state applications that consume a consistent amount of power and produce manageable heat loads, while low-density zones would be designed to support low-power equipment (perhaps telecom and storage).

Green Pressures
Most data centre managers paid little attention to the "greening of IT," unless they were pressured into it by senior management or the public. However, as awareness has increased, there has been a constant uptick in the attention paid to energy consumption in data centres, and new data centre managers take a hard look at energy efficiency in both design and execution. The development and marketing of power utilization efficiency (PUE) by the Green Grid continues to gain ground in the market, and many new data centres are being developed with specific PUE targets in mind, for the energy-efficiency advantages and the public relations impact.

Conquering Density
With smarter designs and green pressures, data centre managers and designers have begun to focus on the compute density in their environments. Most data centres are woefully underutilized from a space perspective. The physical floor space may be nearing capacity, but in many cases, the actual compute space within racks and servers is very poorly used, with average rack densities approaching just 60 percent worldwide.

Newer designs focus on this issue and are developed to allow optimal rack density, often approaching 85 to 90 percent, on average, thus increasing the compute-per-square-foot ratio dramatically. The advent of private cloud environments and resource pooling will provide methods to enhance vertical scalability, while at the same time improving the productivity-per-kilowatt ratio.

Cloud Computing
Data centre managers are beginning to consider the possibility of shifting nonessential workloads to a cloud provider, freeing up much-needed floor space, power and cooling, which can then be focused on more-critical production workloads, and extending the useful life of the data centre. Shifting workloads is not new; many companies use colocation facilities as an overflow mechanism. However, the difference is that, with colocation, the compute resource is still owned and managed by the application owner. With offloading services to the cloud, ownership and management of IT assets is shifted to the provider, essentially outsourcing the service to someone else.

As this practice increases in popularity, the landscape for what remains of the corporate data centre will change significantly. Only core business functions — those that differentiate a business from its competition, or are truly mission-critical — will remain in the primary data centre. All other non-critical services will eventually migrate to external providers, having the long-term effect of shrinking physical data centre requirements. Gartner predicts that by 2018, data centre space requirements will be only 40 percent of what they are today. The focus of these data centres will be on core business services, and, as those services continue to demand more IT resources, the shrinking size of servers and storage (and telecom equipment) will more than offset that growth.

Food for Thought or Snack Gone Bad?
Vendors should refrain from using titillating titles around data centres to attract the audience

In the recent past, I attended a few seminars conducted by large IT solution providers with a tantalising subject line, “How to achieve business agility” (or something on similar lines). CIOs obviously turned up in large numbers—only to realise the old adage that if it’s too good to be true, it probably is.

Almost all the organisers wanted to focus on how to improve data center efficiency, utilisation, management and agility in provisioning new servers. According to all of them (without exception), the delay in provisioning a new server can lead to compromises in business agility, thereby adversely impacting the outcomes. Each vendor’s formula for success revolved around their solution for virtualisation and (or) management tools, which allow quicker provisioning of virtual machines—allowing the IT organisation to bring up a new application within hours, as compared to the days when physical servers were in vogue.

I find this unpalatable, as it presupposes that everyone in the IT organisation is only focusing on the infrastructure, with no communication with the team members who create or buy applications. The assumption is the two factions are not on the same page on timelines, which results in delay.

Agreed that virtual machines can be provisioned quicker than physical machines—CIOs will also agree with this, but that’s only part of the story. If not enabled with policy, it can also lead to innumerable virtual machines (with limited or no use), thereby blocking resources and creating inefficiency. Virtualisation continues to remain at the periphery of deployment, with core and large package providers as yet to certify their applications on virtual servers.

Typically, IT organisations are more organised in nature, with visibility of planned deployments and requirements of licenses or hardware. Dependencies are well known, and irrespective of the physical or virtual environment that the enterprise may prefer, this is rarely a cause of delay. So has the data center become the cause of business angst? Well, I’ve never heard of such a scenario!

Coming back to the event under discussion, presenters attempted to justify their stance by stating that their global research data had indeed given them such insights. Talk about assumptions!

Vendors should refrain from such titillating titles to attract the audience. Vendors end up with the realisation that most participants badly want to leave. The CIOs stay back only out of sheer decency and respect. As a result, vendors run the risk of alienating their key customers by continuing this play of words.

— By Arun Gupta, Group CIO, Shoppers Stop

Prevent Disaster in the Data Centre
Environmental issues need to be addressed to ensure availability. Today, when IT systems fail, it is the business that stops. By George Spafford

There are many reasons to create segregated physical locations for servers and other critical infrastructure equipment. First, access is controlled, thus limiting security threats. Second, the controlled access limits human error arising from accidents and “curiosity.” Third, the concentration allows for efficient oversight and administration. Fourth, and the focus of this article, the relative consolidation of assets enables a controlled environment to better manage the risks associated with air-conditioning, fire and flooding.

Air-Conditioning/System Cooling
Today’s IT systems generate a tremendous amount of heat and need dedicated air-conditioning systems to be properly cooled. Some years ago, I was involved with a small server room that didn’t have a dedicated AC unit, but did have a dedicated duct. It worked great during the week when people were present to cause the AC unit to run, because the thermostat wasn’t in the server room. On weekends, the office area would cool off quickly and the AC would shut down while the server room baked. We knew something odd was going on when RAID drives and other components started failing far too often.

The climax came when a Dell-hosted clustered SQL Server system announced at the console that it had reached a critical internal temperature and was shutting down immediately to protect itself. This made several production departments grind to a complete halt. The first step was to put in a temperature probe that had an IP address and could be SNMP-polled every few minutes. The data was logged and trended graphically, and the resulting report to senior management, with graphics, resulted in a dedicated AC unit getting capital approval and installed in record time.
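The probe-and-trend approach in the story above is straightforward to reproduce. The Python block below is an added example, not the author’s own tooling: it takes the kind of timestamped temperature log an SNMP poller would write, finds sustained excursions above a limit while ignoring single-sample blips, and reports the peak per calendar day, which is the series that exposes a weekend pattern like the one described. The readings, the 30 °C limit, the three-sample persistence rule and the function names are constructed for illustration; a real deployment would replace the constructed list with readings pulled from the probe.

```python
"""Trend a temperature log and flag sustained excursions (added example;
the readings and thresholds below are constructed, not real probe data)."""

from datetime import datetime, timedelta
from collections import defaultdict

# Constructed log in the form an SNMP poller might write: one reading
# every 30 minutes, hotter over the weekend when the office AC idles.
START = datetime(2011, 11, 4, 8, 0)          # a Friday morning
BASE = {4: 22.0, 5: 27.0, 6: 33.0, 0: 23.0}  # weekday -> typical C (Fri..Mon)


def constructed_readings():
    """Build the sample log: (timestamp, celsius) pairs."""
    rows = []
    t = START
    while t < START + timedelta(days=3, hours=10):
        temp = BASE[t.weekday()]
        if t.weekday() == 6 and 12 <= t.hour < 18:
            temp += 4.0                      # Sunday afternoon peak
        if t == START + timedelta(hours=2):
            temp = 31.0                      # single-sample blip (door open)
        rows.append((t, temp))
        t += timedelta(minutes=30)
    return rows


def sustained_excursions(readings, limit_c, min_samples):
    """Return (start, end, peak) for runs of >= min_samples consecutive
    readings above limit_c. Short blips are dropped so that an alert means
    the room really is baking, not that someone held the door open."""
    runs, current = [], []
    for ts, temp in readings:
        if temp > limit_c:
            current.append((ts, temp))
            continue
        if len(current) >= min_samples:
            runs.append((current[0][0], current[-1][0],
                         max(x[1] for x in current)))
        current = []
    if len(current) >= min_samples:
        runs.append((current[0][0], current[-1][0],
                     max(x[1] for x in current)))
    return runs


def peak_by_day(readings):
    """Peak temperature per calendar day: the trend line management sees."""
    peaks = defaultdict(float)
    for ts, temp in readings:
        day = ts.date()
        peaks[day] = max(peaks[day], temp)
    return dict(peaks)


if __name__ == "__main__":
    data = constructed_readings()
    for start, end, peak in sustained_excursions(data, 30.0, 3):
        print(f"ALERT {start:%a %H:%M} - {end:%a %H:%M} peak {peak:.1f} C")
    for day, peak in sorted(peak_by_day(data).items()):
        print(f"{day:%a %Y-%m-%d} peak {peak:.1f} C")
```

On the constructed data the Friday blip is filtered out, the Sunday run from midnight to 23:30 is reported as one excursion, and the daily peaks climb from the low twenties on weekdays to 37 °C on Sunday, which is the chart that justified the dedicated AC unit in the story.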

A second benefit of air-conditioning relates to filtered air. Manufacturing environments are often very dusty places. Systems with cooling fans that either draw or push air through a cabinet to cool actually wind up coating all components with dust over time in uncontrolled environments. Depending on the thickness and type of dust, overheating and/or short circuits can happen. Air-conditioning feeds to data centres should have the dust removed and ensure that humidity is at proper levels.

When planning for cooling systems in a data centre, take power failure into consideration. Frequently, groups plan to keep the equipment and lights on, but overlook cooling. In the event of power failure, air-conditioning (or whatever the cooling system is) may very well be needed to protect sensitive electronics.

Conditioned Power
IT systems need stable, reliable power. It is not cost-effective to buy dozens of good UPSes. It is more economical to buy several good systems that can protect dozens, if not hundreds, of devices than to buy one-off power fixes.

First, lightning strikes need to be dealt with. Second, fluctuations in voltage, harmonics, EMI/RFI and other problems need to be removed. Third, in the event of an outage, there must be a solution that allows the systems to stay on-line for the amount of time needed for a controlled shutdown, and this may mean UPSes or a mixture of UPSes and generators. These types of solutions are very economical when applied to a large collection of systems, but less so when applied to fewer and fewer systems. Moreover, all these systems need maintenance, and the fewer the better. Monitoring and swapping batteries in a handful of enterprise UPSes is better than trying to keep track of dozens of small UPSes spread all over. In the end, business needs and associated risks must drive the solution and the investment.

Fire Management
The best way to deal with a fire in a data centre is when it is just starting. There are fire detection systems that are so sensitive they can detect the increase in particulates and temperature as a group moves through a data centre. These sensors go far beyond the traditional smoke detectors and can send alerts via the network as well as backup means. These systems can be deployed in a controlled environment such as a data centre with much success. The whole idea is to detect a problem and react before the fire becomes significant, while it is still manageable. By layering early detection with a corrective control, namely suppression, the risks of damage from fire can be further mitigated. Take the time to investigate fire suppression technologies that can put out fires without damaging electronics and leaving particulates. Using the threat of fire as an example, always think about how to compensate in layers. How can the risk be prevented? How can it be detected early on when the impact is minimal? Most times, a layered approach is more effective than any single method.

Water
For some data centres, flooding is a very real concern. In dedicated data centres, it is possible to elevate equipment, re-route water pipes, disconnect water sprinklers and use alternative fire suppression systems, and so on, all aimed at reducing the risk of damage due to water in a particular location.

Summary
Environmental issues need to be addressed to ensure availability. The mixture of elements to consider depends on the data centre, geographic location and so on. Some systems must be located relatively near the user community and need to be protected regardless. In all cases, a balance must be struck between costs, risks and benefits. In the end, it’s all about meeting the needs of the business. Today, when IT systems fail for whatever reason, it’s not just old-fashioned report printing that stops — it is the business that stops.

— George Spafford is an IT consultant and a long-time IT professional. He focuses on compliance, management and process improvement.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

4 Risks of Data Centre Consolidation
While benefits of consolidating the data centre are clear, corporates have not been too vigilant in protecting it. By Robert Ciampa

Over the past several years, organisations large and small have initiated or continued data centre consolidation projects. Unlike some other IT initiatives, the benefits from this exercise are clear and well-documented, and include both economic and operations advantages. The reality remains that the data centre frequently contains an organisation’s most important asset: information. Given the prodigious efforts to collect and provide access to this corporate resource, have we been equally vigilant in protecting it as well? Unfortunately not.

Too often, a re-engineering effort quickly follows a consolidation project because the operational benefits are negated by amplified vulnerabilities, which include information risk, asset risk, access risk and audit risk. Since the economic benefits of consolidation are so evident, organisations frequently rush to implementation while not fully dealing with the risk factors.

Fortunately, a holistic approach exists that not only mitigates these key challenges, but also allows information leaders to overcome some of the political challenges that permeate their consolidation efforts.

First, we must explore some fundamental concepts. From an information viewpoint, we’ve seen astronomical growth in storage capacity, leading to the rise of information lifecycle management, which represents how information is managed, moved and viewed.

We’ve followed this with a dramatic increase in our transaction processing capability. Finally, we’ve made it easy to provide information beyond our corporate borders to our customers and business partners. In essence, we’ve become a high-performance, information-dependent machine.

Does that make us more vulnerable? Absolutely.

If that’s the case, what are the risk factors? The media has been awash with coverage of information breaches, illegal access, lost tapes, etc. Information, as we’ve articulated, has value—even in the wrong hands.

Exacerbating all this is compliance. Depending on your markets, you may be subject to a variety of regulatory constraints about the information you harbor. Also consider the financial risk factor. If the malcontents and the regulators don’t get you, the market certainly will, even at the hint of a breach. So, let’s consider each of the risk factors in turn, and then address mitigation.

Risk Factor 1: Information Risk
Data centre consolidation represents an incredible concentration of information on an infrastructure that’s highly accessible. Remember that not all data is created equal, with some being much more sensitive than others. However, because the economics of the new data centre are so compelling, there is now a much broader variety of data within it.

Risk Factor 2: Asset Risk
Which assets contain the sensitive information? Great question, especially when we mix in server virtualisation and storage area networks (SANs). The benefits of the aforementioned technologies are great, but it remains a challenge for most organisations to identify assets which contain some of the critical information we highlighted in Risk Factor 1. This is a major compliance challenge, as identification of critical assets is just as important as identifying the data they contain.

Risk Factor 3: Access Risk
Once we have a base understanding of the critical information and assets within our new data centre, how do we control access?

Organisations often have a vast array of not only authentication techniques, but also of authorisation methods. Depending on their information, different assets might require different access methods, which may in turn be incongruous with other technologies in place. To overcome access challenges, numerous technologies are thrown at the problem. These include but are not limited to router access controls, virtual LANs, firewalls, single sign-on (SSO), intrusion detection, etc. Whether the information is distributed, concentrated, or virtualised, getting the policy in place for managing access remains a challenge.

Risk Factor 4: Audit Risk
Aggravating these challenges are the ever-increasing audit requirements. It doesn’t matter whether you’re a privately held entity not controlled by the Sarbanes-Oxley Act, or if you just have sensitive information, you’re going to have to prove that you have the requisite controls in place and that they’re working.

Even within a consolidated data centre, collecting information is difficult, especially since audit information may have to be correlated with other information outside the data centre. Activating specific auditing functionality within point products might not only result in large log files and trigger a number of events, but may in fact impact operational and transactional performance as well. This, of course, runs counter to some of the justification for consolidating the data centre in the first place. These risk factors aren’t going away. Outsourcing is not a cure-all either, as service providers are also dealing with these challenges. Though technology is evolving to address these issues, it does not preclude the need for cross-functional planning and a candid assessment of requirements.

— Robert Ciampa is VP, marketing and business strategy at Trusted Network Technologies, a provider of identity audit and access control solutions.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
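Risk Factors 2 and 4 in the article above come down to one question: which shared assets end up carrying the most sensitive data, and are those assets actually under audit? The Python block below is an added example, not code from the article or from Trusted Network Technologies. It propagates each data set’s sensitivity label down through the VM, hypervisor, volume and storage array it depends on, so a hypervisor or SAN array shared with one payroll VM inherits the “restricted” label, and then lists the assets that carry restricted data without audit logging. The inventory, the label scheme and the control set are constructed for illustration.

```python
"""Propagate data sensitivity to the physical assets that carry it
(added example; the inventory, labels and control names are constructed)."""

from collections import deque

# Sensitivity levels, lowest to highest (constructed scheme).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}

# Constructed inventory: each asset lists the asset(s) it runs on. A VM
# runs on a hypervisor and stores on a SAN volume; a volume sits on an
# array. Data sets are attached to the VM that processes them.
INVENTORY = {
    "db-vm-01":  {"kind": "vm",         "on": ["hv-a", "vol-7"]},
    "web-vm-02": {"kind": "vm",         "on": ["hv-a", "vol-3"]},
    "hr-vm-03":  {"kind": "vm",         "on": ["hv-b", "vol-7"]},
    "hv-a":      {"kind": "hypervisor", "on": []},
    "hv-b":      {"kind": "hypervisor", "on": []},
    "vol-3":     {"kind": "volume",     "on": ["san-1"]},
    "vol-7":     {"kind": "volume",     "on": ["san-1"]},
    "san-1":     {"kind": "array",      "on": []},
}
DATA_SETS = {            # data set -> (sensitivity, VM it lives on)
    "product-catalog": ("public", "web-vm-02"),
    "order-history":   ("internal", "db-vm-01"),
    "payroll":         ("restricted", "hr-vm-03"),
}
# Constructed control inventory: assets with audit logging enabled.
AUDIT_LOGGING = {"hr-vm-03", "vol-7"}


def effective_sensitivity(inventory, data_sets):
    """Walk from each data set down through everything it depends on and
    keep the highest label seen per asset. A shared hypervisor or array
    inherits 'restricted' from a single sensitive VM, which is the asset
    risk the consolidation article warns about."""
    result = {}
    for label, vm in data_sets.values():
        queue, seen = deque([vm]), set()
        while queue:
            asset = queue.popleft()
            if asset in seen:
                continue
            seen.add(asset)
            current = result.get(asset, "public")
            if LEVELS[label] > LEVELS[current]:
                result[asset] = label
            else:
                result.setdefault(asset, current)
            queue.extend(inventory[asset]["on"])
    for asset in inventory:
        result.setdefault(asset, "public")
    return result


def missing_audit_logging(sensitivity, audited, minimum="restricted"):
    """Assets that carry data at or above `minimum` but are not in the
    audited set: the list an auditor will ask for first."""
    return sorted(a for a, lvl in sensitivity.items()
                  if LEVELS[lvl] >= LEVELS[minimum] and a not in audited)


if __name__ == "__main__":
    eff = effective_sensitivity(INVENTORY, DATA_SETS)
    for asset in sorted(eff):
        print(f"{asset:10} {INVENTORY[asset]['kind']:11} {eff[asset]}")
    print("needs audit logging:", missing_audit_logging(eff, AUDIT_LOGGING))
```

On the constructed inventory the payroll VM alone makes hypervisor hv-b, volume vol-7 and the shared array san-1 restricted; since only the VM and the volume are audited, hv-b and san-1 are the gaps, and the same walk with the minimum lowered to "internal" also surfaces the order-history host and its hypervisor.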

lus

tr

at

ion

by

an

il t


You, Your Data and Its Data Centre
Among the primary keys to effective IT support is understanding how your data is being preserved, provisioned and presented. By Christopher Burgess

I don't give a lot of thought as to where my data sits, as long as it is available to me. I know that if I'm storing it on my hard drive, I'm also backing it up to my secondary and tertiary devices. But if I'm storing or backing it up to a third-party environment, be it via my online document storage service or that used by my company (such as a centralised location), I make assumptions on the service being available and accessible, as well as having sufficient storage space for my data. When any of these conditions aren't present, then I call for help.

It stands to reason that if you're creating video content, you're using more storage space than if you're creating written documents and your space will fill more quickly.

If the storage devices are approaching 90 percent full, you know it is time to increase storage capacity. Do you have the same visibility into your work environment? So what are the information technology (IT) professionals thinking about with respect to you and your data?

For that answer, I visited the third installment of Cisco's Connected World Report, which identifies those areas that are top of mind for the IT pros.

The number one issue is security, followed by uptime and performance. I was pleased to read how global IT departments are looking to create smarter data centers with the ability to deploy and deliver applications quickly with the elasticity to dynamically meet our demands.

The IT pros from all 13 countries represented in the report were also integrating virtualisation as a key strategy to achieve the aforementioned goals, along with flexibility, reduction in costs, and ecological impact, that is, to be more green.

Indeed, the IT prognosticators predicted 45 percent of all production environment data centers would be virtualised in three years. With our data and applications resident and available from virtualised data centers, it stands to reason why security is the number-one concern.

The report notes the following as primary keys to effective IT support: understanding how applications and their data behave in your dynamic virtualised environment; how your data is being preserved; identification of what training and education will be necessary to allow both you and your IT/Infosec departments to keep pace with technology.

I agree: Just like we read and learn as individuals, those departments that support us must allocate a portion of their professional day to learning. The report notes that IT professionals who have the most robust cross-training and collaboration capabilities will also enjoy the greatest number of professional opportunities.

But like our personal infrastructure, the budgeted monies of the professional infrastructure must be stretched to meet identified (and the unidentified) requirements, and thus I was pleased to read how approximately 70 percent of the IT budgets within the 13 countries identified are increasing year-over-year. This increase will be a real necessity given the ubiquitous use of video by the end user (that would be you and me) of whom 50 percent expect video to eventually be their primary mode of communication.

In sum, we are creating content — be it data, audio or video — and we are using an ever-increasing number of applications.

At home, whether we realise it or not, we are creating our own data centers, whether within those hard drives on our desks or via online service providers.

At work, we rely on others to do the heavy lifting and to create robust virtualised work environments. So what can you, as the individual, do to help your own business environment?

When the IT pros show up at your desk asking you to identify, forecast or project your needs, work with them. They are attempting to get ahead of your requirements. You see, in the end, it all boils down to you, your data, and the data center supporting you.

— Christopher Burgess is a senior security advisor to the chief security officer of Cisco.

— This article is printed with prior permission from Infosec Island. For more features and opinions on information security and risk management, please refer to Infosec Island.

No Holds Barred

“Storage is IT’s backbone”

Storage has always been the backbone of information. In an interview with Ankush Sohoni, Roberto Basilio, VP, Storage Platforms & Product Management, Hitachi Data Systems, talks about Hitachi’s plans for this market.

Could you talk about Virtualisation 2.0 and Hitachi’s role in enabling it?

Clearly virtualisation is a tool that brings ease of management. With IT having to manage an ever increasing amount of data, clearly you need to have ease of management, reporting and provisioning. As we need more and more access to information, we need an easy way to provide a medium to store the information. This is the key. Management is what is required. Currently there is a disconnect between what business needs - which is how can I reach more customers - and the ability of the IT infrastructure to deliver. So virtualisation becomes a tool to gain agility.

IT budgets are not increasing and living within the means of these budgets is challenging. CIOs need to be lean and do more with less, but we have a running joke at Hitachi of whether one should do more with less until you do everything with nothing. But jokes apart, this is the current landscape within enterprises today.

What are some of the challenges enterprises are facing in adopting storage virtualisation?

Clearly the challenge is to gain confidence in the technology. Nobody even knew what VMware was ten years ago. I didn’t even know where they were based. Confidence in the technology started to come when they became a part of EMC and started to have successes of their own through some large early adopters. These early adopters can afford to have an additional platform to play with. I found that the users here are still the ones who can’t afford to experiment. They are looking for ways to have references so as to start virtualising.

The adoption curve is bound to be slow as compared to the rest of the world. The curve here starts two to three years later. However, this is something that everyone will have to adopt because you can’t afford to waste resources. You cannot have underutilised resources today. It’s important that we understand that the tools are there, the infrastructure is real and it works. People can now believe that they can adopt these things with confidence.

Could you detail out the new technology you’re introducing as part of the Virtualisation 2.0 roadmap?

Today we are looking at bringing in the concept of merging high end infrastructure with affordable and flexible form factors. We want to give the same tools to every single enterprise in spite of size and budget. We want to enable enterprises by giving them the ability to implement an architecture that can take them along their growth path. We want to give them tools to deal with their growth. Enterprises in India are in a high growth phase.

Growing business volumes and transaction sizes require that enterprises scale dynamically without taxing the infrastructure. What we are delivering very shortly is the ability to dynamically migrate data from one platform to another. As platforms become less useful, enterprises may need to go to the next step. You need to be able to create the links that will help enterprises transition from one technology to the next. This is the kind of value we are looking to create for our customers.

Today we are used to large capacity provisional disk drives. It’s no news that SSDs are becoming more relevant but they don’t solve the problem. If you do not have enough bandwidth in the system then you cannot take advantage. Also you have to put technology close to the applications.

What are some of the storage trends you are seeing with respect to Indian enterprises?

There is a major need to be able to retrieve information independently of the application. You may be in one country and you happen to be traveling to another one; you need access to information. There must be a way to disjoint information from the application that created it and make it available to another one.

Let me take an example. India is going through UID. Part of this initiative is to create information that you will need to last the test of time. The children of your children may need access to this information. So the question is how do we create that information and retrieve it through the cycle of time. It’s really about finding ways to disconnect them from the medium. The more information we create, the more the need to search and retrieve that information in the most efficient manner possible.

Could you share some best practices that can help our readers achieve storage excellence?

Clearly it’s hard to speak generally. The first thing that any CIO needs to do is understand their problem and their needs. These are key. Storage is at the end of the link in the IT process and forms the backbone. Clearly you cannot start from there but technology is something you will need. Data needs to be stored efficiently in a way that can be utilised even decades after its creation.

The main idea is to be able to create legacy that can be utilised. This dictates that storage infrastructure needs to be robust and efficient.

Dossier

Company: Hitachi Data Systems
Established: 1989
Headquarters: Santa Clara, California
Services: Information Storage Hardware, Information Storage Software, IT consulting and services
Network: Over 5300 employees in more than 100 countries


The Next Revision of ISO 27001

It’s been six years since the last revision of ISO/IEC 27002 (in 2005) – much has changed in information security since then, and this standard definitely needs some “facelifting”. By Dejan Kosutic

5 Points

1. ISO 27002 lists all 133 controls as in ISO 27001 with detailed explanation of best practices for their implementation
2. ISO 27002 will remain a code of practice for implementation of security controls
3. ISO 27001 will remain the only certifiable standard in the ISO 27k series
4. This alignment will be the biggest job that’s ahead of you
5. In the transition period you will have plenty of refreshed best practices to choose from

Illustration by Prince Antony


ISO 27001 and ISO 27002

What these two standards have in common are the 133 controls – they are offered as a kind of catalogue in Annex A of ISO 27001, with the idea that appropriate controls are selected based on the risk assessment.

ISO 27002 lists all of these 133 controls again, but offers detailed explanation of best practices for their implementation. For a detailed explanation of the differences between ISO 27001 and ISO 27002, read ISO 27001 vs ISO 27002.

This relationship between the two standards is why ISO 27002 changed its name in 2007 – it was previously called ISO/IEC 17799, but its name was changed to ISO/IEC 27002, making it part of the ISO 27k series.

This most important link between ISO 27001 and ISO 27002 – the identical structure of ISO 27001 Annex A and the ISO 27002 controls – will most likely still be included in new revisions of both standards. However, the way it is structured and the individual controls will most probably change.

Expected Changes

It is impossible to predict all the changes in ISO 27002 because the final draft hasn’t been written yet. However, the most likely changes can be judged by hearing what ISO 27001 experts have to say – here’s a summary of suggestions from the ISO 27k Forum, the leading expert forum about ISO 27001/ISO 27002:

Accountability – definition of what it means in relation to human resources management

Authentication, identity management, identity theft – they need better description because of their criticality for web-based services

Cloud computing – this model is becoming more and more dominant in real life, but hasn’t been covered in the standard

Database security – the technical aspects haven’t been systematically laid down in the existing revision

Ethics and trust – an important concept not covered at all in the existing revision

Fraud, phishing, hacking, social engineering – these particular types of threats are gaining more and more importance, but aren’t covered systematically in the existing revision

Governance of information – this concept is very important for the organisational aspect of information security and is not covered in the current revision

IT auditing – needs to focus more on computer auditing

Privacy – needs to go broader than existing data protection and legal compliance, especially because of cloud computing

Resilience – this concept is completely missing in the existing revision

Security testing, application testing, vulnerability assessments, pen tests etc. – these are essentially missing in the current revision

As Gary Hinson from the ISO27k Forum argues, several of these issues are already covered, but they were not given sufficient emphasis in the current revision of the standard – key terms widely used today are either completely missing or are only vaguely alluded to.

Also, the new ISO 27002 will refer more to other standards that define certain areas in more detail – for instance, Section 14 Business Continuity Management will refer to ISO 22301 and ISO/IEC 27031.

All these changes mean not only that some of the controls will change or will be added, but also that the structure of the standard will change – instead of the existing 11 sections of Annex A / ISO 27002, some new sections will probably have to be created, and others merged. And these structural issues are probably the toughest ones, since the body in charge of the revision will need to ensure compatibility with the existing revision. This is why we have no idea at the moment what these structural changes will look like.

ISO 27002 Certification?

Many people still ask me whether it is possible to get certified against ISO 27002. The situation with the new revision will stay the same – currently it is not possible, nor will it be possible to get an ISO 27002 certificate because, unlike ISO 27001, this is not a management standard.

This means ISO 27002 will remain a code of practice for implementation of security controls. It will not define the management system – e.g. the documentation management, internal audit, management review, corrective and preventive actions, risk management, etc. – all these remain in the domain of ISO 27001. Therefore, ISO 27001 will remain the only certifiable standard in the ISO 27k series.

Implications for the ISMS

If you already have your Information Security Management System implemented, you don’t have to worry too much – no matter which changes the new revision will bring, you will have enough time to implement the changes.

Once the revisions are published, you will need to align the structure of your controls in the Statement of Applicability with the new Annex A in the revised ISO 27001. And although the structure won’t change too much, this alignment will be the biggest job that’s ahead of you.

And this is where the new ISO 27002 will bring the most value – in the transition period you will have plenty of refreshed best practices to choose from. And since ISO 27002 is quite detailed, and you still have the freedom to choose only the appropriate stuff for your organisation, it will definitely help you make such a transition easier.
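As an added example (not from the article), the alignment step described above carried out on a constructed Statement of Applicability: the 2005 Annex A identifiers are real, but the revised control identifiers (NEW-*) and the old-to-new mapping are placeholders, since the new structure had not been published when this was written. It shows how a merged control, a dropped control and a brand-new control each need different handling during the transition.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SoaEntry:
    """One row of a Statement of Applicability."""
    control: str
    applicable: bool
    justification: str


@dataclass
class Alignment:
    aligned: Dict[str, SoaEntry] = field(default_factory=dict)  # new id -> carried-over row
    merged: Dict[str, List[str]] = field(default_factory=dict)  # new id -> old ids folded into it
    dropped: List[str] = field(default_factory=list)            # old ids with no place in the new Annex A
    new_controls: List[str] = field(default_factory=list)       # new ids with no old source: need a risk assessment


def align_soa(old_soa, old_to_new, new_catalogue):
    """Carry each old SoA decision over to the revised control structure.

    old_to_new maps an old control id to the list of new ids it lands in:
    one id for a renumbered control, the same id from several old controls
    for a merge, several ids for a split, and an empty list for a dropped control.
    """
    result = Alignment()
    sources: Dict[str, List[str]] = {}
    for entry in old_soa:
        targets = old_to_new.get(entry.control, [])
        if not targets:
            result.dropped.append(entry.control)
            continue
        for new_id in targets:
            sources.setdefault(new_id, []).append(entry.control)
            if new_id not in result.aligned:
                result.aligned[new_id] = SoaEntry(new_id, entry.applicable, entry.justification)
                continue
            current = result.aligned[new_id]
            # A merged control stays applicable if any of its sources was, and
            # every justification is kept so the auditor can trace the lineage.
            current.applicable = current.applicable or entry.applicable
            current.justification = f"{current.justification}; {entry.justification}"
    result.merged = {new_id: olds for new_id, olds in sources.items() if len(olds) > 1}
    result.new_controls = [c for c in new_catalogue if c not in result.aligned]
    return result


# Constructed sample data (not from the article). The 2005 Annex A ids are real;
# the NEW-* ids and the mapping are placeholders for a structure not yet published.
OLD_SOA = [
    SoaEntry("A.5.1.1", True, "Security policy approved by the board"),
    SoaEntry("A.5.1.2", True, "Policy reviewed annually"),
    SoaEntry("A.10.4.1", True, "Endpoint anti-malware deployed"),
    SoaEntry("A.10.4.2", False, "No mobile code is used"),
    SoaEntry("A.11.7.1", False, "No mobile computing in scope"),
    SoaEntry("A.15.3.2", True, "Audit tools restricted to auditors"),
]
OLD_TO_NEW = {
    "A.5.1.1": ["NEW-5.1"], "A.5.1.2": ["NEW-5.1"],      # two policy controls merged
    "A.10.4.1": ["NEW-12.2"], "A.10.4.2": ["NEW-12.2"],  # malicious and mobile code merged
    "A.11.7.1": ["NEW-6.2"],                             # renumbered only
    "A.15.3.2": [],                                      # dropped in the revised structure
}
NEW_CATALOGUE = ["NEW-5.1", "NEW-6.2", "NEW-12.2", "NEW-14.3"]  # NEW-14.3: cloud services, no 2005 source


def demo():
    return align_soa(OLD_SOA, OLD_TO_NEW, NEW_CATALOGUE)


if __name__ == "__main__":
    r = demo()
    for new_id, row in r.aligned.items():
        print(new_id, "applicable" if row.applicable else "not applicable", "-", row.justification)
    print("merged:", r.merged)
    print("dropped (check the risk is still treated elsewhere):", r.dropped)
    print("new controls to assess:", r.new_controls)
```

A dropped control is not a licence to drop the safeguard: the risk it treated still has to be re-assessed against the new catalogue before the old row is retired.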

Since ISO 27002 is closely tied to ISO 27001, this revision has to be done simultaneously for both standards, and is expected to happen in the latter half of 2012 or during 2013.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

85% of Fortune 500 organisations will fail to effectively exploit big data by 2015


Free From Defect Software Licence

Software industry as a whole needs to take on a “we’ll stand by our software” attitude. By Keith Mendoza

I have been writing open-source software on the side for quite some time now. I’ve used both the GPL and the Apache licenses for my work. The flip-flopping between the licences is mainly caused by me feeling that a particular license meets my target audience.

The one item that bothers me is the “no warranty” clause. I personally think that it’s high time that software developers take on the challenge of providing a guarantee that their software will work as designed: that all necessary due diligence has been done to make sure that the software does not contain bugs that could lead to loss of data or a security breach.

As storage got cheaper, everyone got reckless and quality basically went down the drain as more development frameworks started providing the proverbial kitchen sink.

I’ve begun work on a JavaScript-based web application framework that I’ve called flat8 and I’m going to take the moral high ground by licensing it in a way that basically says “I’ve done my best to test and secure the software that I’m writing. If a bug/defect is found, I intend to fix it after so many days.”

Why am I doing this? Because I feel that software developers are capable of doing this; so I’m going to be the first to do it and I hope that others will follow. If I actually pull it off, I hope that others will see that it indeed can be done; if I fail, then I hope that others will learn from my mistake.

This is a question that I would like to pose to the open-source software community in general: assuming that we can ignore the lawyers for a second, what amount of effort would you be willing to put in to produce software that is free of defects in workmanship? How will you go about making sure that your software is indeed free from defect?

Here is the list that I came up with:

A clear list of requirements will be produced, documented, and agreed on.

Any assumptions taken will be documented.

Thorough development documentation will be produced. Basically the architecture, detailed design, testing, and source code documentation will be produced.

A complete operating manual will be produced.

Software is thoroughly tested to make sure that all requirements and assumptions are tested; and the results are published to provide a benchmark for proper operation.

Secure coding standards will be adhered to, and source code will go through a code scan to make sure that the code is as clean as possible.

SCM practices will be followed.

These are the conditions that I would put in place to keep the software under warranty:

Software is not used in a way outside of the given requirements.

The user followed all user documentation and has referenced the test results to confirm that their input falls within the published parameters.

The provided unit and functional tests actually passed on the platform where the software is running.

If the software industry as a whole takes on a “we’ll stand by our software” attitude, then information security issues will go down significantly. At the end of the day, everything from the BIOS, to the kernel, to the services, is software.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Illustration by Shigil N


Thought Leaders

IT in Pharma R&D

IT plays a vital role all along the pharmaceutical value chain – but nowhere is its role more important than in R&D and sales force productivity improvement

Krishnakumar Sankaranarayanan

The pharmaceutical industry is facing unprecedented challenges. The impending patent cliff, which could see big pharmaceutical companies lose over $105 billion worth of patented drug sales by 2015, is a cause of great concern. Compounding this impending patent cliff is the increased cost of development of new drugs, and requirements of regulators for enhanced safety and efficacy monitoring.

IT plays a vital role all along the pharmaceutical value chain – but nowhere is the role of IT more important than in research and development and sales force productivity improvement. Information technology has also been used effectively in other areas of the pharmaceutical value chain like manufacturing and supply chain with wide ranging success.

Computer simulations of the drug interactions with the human body, i.e. in-silico research, are an accepted process for drug development. Computer simulations help predict how the drug will react with the human body, enabling companies to take an informed go/no-go decision to invest in expensive clinical trials.

Regulators the world over are placing increasing emphasis on safety and clinical efficacy of medicines before granting their approval for market launch. Submission of clinical outcomes from large multi-centric clinical trials involving thousands of patients is needed before the approval is granted. This lengthy drug development process generates enormous quantities of data which the pharmaceutical companies have to track and preserve for many years. Information technology plays an indispensable role in generation, encryption and storage of sensitive drug development data. Many Indian information technology companies are functioning as strategic partners to large pharmaceutical companies in the drug development process.

Given the vast information generated by artificial genetics, many large pharmaceutical companies are using the power of cloud computing to boost computing capacity. Multiple stakeholders in the personalised medicine ecosystem vis-à-vis clinical research communities, research-based institutions, investigators, contract research organisations, pharmaceutical companies, providers, patients, labs, and payers are joining the cloud based disease networks, creating an ever increasing volume of data. Large pharma companies are using the power of cloud computing for proteomics, statistics, and adaptive clinical trial design.

Pharmaceutical companies employ large sales teams to reach out to physicians to promote their brands. Ensuring that the sales force has adequate information to have a meaningful conversation with the physician is a key to improving the productivity of the sales team. Many companies have begun using mobility solutions to achieve this goal. These mobility solutions enable two-way communication between the sales team in the field and the marketing and administrative teams in the regional/zonal offices. The sales representatives can use the devices to file their sales reports, expense statements and requisitions for promotional material etc.

The marketing teams can update the sales representative with new promotional material and additional information on the physician, which helps enhance the quality of the communication and would help strengthen the relationship between the representative and the physician.

Krishnakumar Sankaranarayanan is a Managing Consultant – PwC India

Viewpoint

Why Startups Die: The Second Child

Steve Duplessie | [email protected]

About the author: Steve Duplessie is the Founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

This post is less about true startup death and more about companies who have passed their first major hurdle – they have successfully navigated their youth and delivered a real product to a real market. Sometimes, they have been wildly successful with their first product. Then comes the second product, and that shits the bed. If the first product was NOT wildly successful, a failure of the encore can kill your company. Success creates incremental impediments to success v.2.

It’s hard as hell to develop a product/solution that solves a legitimate problem in an expanding market. It takes skill, clarity, and a heck of a lot of luck. Once a young company does it, however, they almost always screw up their second product.

Why? First, because they have been successful, they often take shortcuts the second time they didn’t take the first time. They make ASSUMPTIONS on round two, often lethal assumptions. They assume that because they have a customer that is happy, that customer will buy anything they try to sell them. They assume that because they have a relationship with Chuck the IT minion, they have a relationship with the entire IT department. Just because a storage weenie bought your gizmo, does not mean the network guy will have any idea who you are, care, or give you the time of day. Because the backup guy bought your software, you have yet to make the CIO’s “must have” vendor list. Stop assuming you matter more than you do.

They also believe that because they successfully sold product 1 to some guy way down on the totem pole, that guy will somehow become the most important, relevant person in the IT department universally, and as such be able to command other groups to buy your new shiny toy. They won’t. They don’t do their homework (market research), they don’t test their assumptions. They just build it. First they were tremendously successful selling a new network switch. Then, because of that success, they spend 18 months and 9 million dollars developing the greatest solar navel lint collection device the world has ever seen. Then they bum out because for some unknown reason the world doesn’t seem as excited about it as they did.

Product 2 is harder than product 1, I’m sorry to tell you. Product 2 is developed while the world has EXPECTATIONS about you. No one expects you to do anything right on product 1 – as the odds are against you and no one knows who you are anyway. By the time product 2 comes around, you’ve already succeeded to some degree. If anything, you should spend more time up front making sure you are building something that someone wants, that solves a legitimate problem, that LEVERAGES the relationships you have built with channels/customers on product 1, etc. Assuming you have your act together here and not doing it is an almost guarantee of a product fail. I estimate that as much as 80 percent of all second products are tremendous disappointments. It may even be higher.

By the time you’ve hit two in a row, you know what it takes. It doesn’t mean you won’t get cocky and screw up your third or fourth, but if you do – you’ll know exactly why. You assumed. When you assume, you make an “ass out of u and me,” to steal a line from Felix Unger.

Illustration by Prince Antony