THE TRANSFORMERS

CIO&Leader | Track Technology, Build Business, Shape Self
Volume 01 | Issue 11 | November 2012 | Rs 150
A 9.9 Media Publication | cioandleader.com

Cover story: In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT by transforming business processes. Page 26

A Question of Answers: Point Solutions are Passé, Pg 12
Best of Breed: The Amazon Cloud and PCI Compliance, Pg 16
Viewpoint: Size Matters, Pg 68
A special section on leadership designed keeping in mind the evolving information needs of CIOs, pages 38A to 51

Spine: Panalpina's "World Wide Web" | New Techs raise doubts on Privacy & Security

Advertisement: Iomega (inside front cover)

Now with 'Server Class' Drives
- Built on world-class EMC storage technology
- Advanced storage, security, and content sharing that is easy and affordable
- PC, Mac and Linux; 4TB to 36TB in a single array
- Certified for VMware, Windows Server, Citrix XenServer
- Protect and share your data from anywhere with Iomega Personal Cloud
- Server class drives for higher reliability and performance
- Video surveillance ready: connects up to 48 cameras

Rs 4,99,000 for 36TB (taxes extra)
Network Storage for Business | NVR for IP Surveillance, up to 48 cameras

StorCenter ix2: 2TB/4TB/6TB; RAID 1, JBOD; 1 x GbE; starts at Rs 18,000
StorCenter ix4: 4TB/8TB/12TB; RAID 1, JBOD; 2 x GbE; starts at Rs 45,000
StorCenter Px4-300d: 0TB/2TB/4TB/8TB/12TB; RAID 0, 1, 5, 10; 5+1 hot spare; 2 x GbE; USB 3.0; starts at Rs 59,000
StorCenter Px6: 0TB/2TB/6TB/12TB/18TB; RAID 0, 1, 5, 6, 10; 5+1 hot spare; 2 x GbE; USB 3.0; starts at Rs 69,000
StorCenter Px4-300r: 0TB/4TB/8TB/12TB; RAID 5, 10, JBOD; 2 x GbE; starts at Rs 1,49,000

Editorial | Yashvendra Singh | [email protected]
November 2012 | Page 2

Leading the Change

Transformational leadership has come to be the most important leadership style today.

Transformational leaders radiate a steely determination. Despite challenges and obstacles in their path, they don't stray from their plans and directions. Individuals such as Winston Churchill, Mahatma Gandhi, and Martin Luther King are all examples of transformational leaders. They egg others on to be more and do more.

History has shown what impact such leaders, in their respective fields, can have on others. Investor, philanthropist and business magnate Warren Buffett has successfully transformed Berkshire Hathaway from being a clothing manufacturer to becoming a stock market behemoth that constantly outperforms competition.

Such leaders don't shy away from taking tough measures to sustain growth. Jack Welch, for instance, became the CEO of General Electric (GE) in the 1980s. He began the transformation of GE from a non-lean and bureaucratic enterprise into a nimble corporation.

Co-founder of Apple, Steve Jobs, goaded his team to become the best, and they acted in response. Jobs was able to transform business by leveraging high-speed processors and applications.

I feel Mahendra Singh Dhoni is yet another example of a transformational leader. In moments of high pressure, Dhoni remains confident, focused and calm, traits that rub off on other players, eventually translating into success for the team. Under his leadership, Indian cricket has gone from being good to becoming great.

According to experts, transformational leadership has come to be the most important leadership style today. The ability of such leaders to inspire, motivate and band people together to achieve higher performance levels has become extremely relevant in the present times.

While most of us will never be called to lead the country or the national cricket team, we can emerge as transformational leaders in our own spheres, as parents, friends, in office, or even as spouses. In the area of enterprise technology, such leaders transform business processes by leveraging IT.

In this issue's cover story, we have featured one such transformational leader. Prashun Dutta, the CIO of Tata Power, has been a transformational leader throughout his professional journey. He has enabled a positive change not only in the various organisations he has worked in but also in those who have worked alongside him.

So, would you like to become a transformational leader? Maybe you are one already. Do write to us about your leadership style.

Editor's Pick | 26 | The Transformer
In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT by transforming business processes

Advertisement: Riverbed (page 3)

Your cloud: private, public or hybrid. Optimized for performance.

With Riverbed, you'll get breakthrough performance, whether yours is a private, public or a hybrid cloud environment. You'll have greater flexibility to implement your cloud strategy and business goals. And you'll have resilience when you need it the most. You'll have your cloud on your terms.

Go to: riverbed.com/hybridcloud
For any queries, please contact [email protected]

Contents | November 2012 | Page 4

Cover Story 26 | The Transformer: In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT

Regulars: 02 | Editorial; 08 | Enterprise Round-up; 68 | Viewpoint

Cover design by Shokeen Saifi; imaging by Anil T; photos by Jiten Gandhi

Copyright, all rights reserved: reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Anuradha Das Mathur for Nine Dot Nine Interactive Pvt Ltd, Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

Please recycle this magazine and remove inserts before recycling

Contents | November 2012 | Page 5

Special Leadership Section, pages 38A to 51

39 | Top Down: IT in Education. Max Gabriel, Senior VP and CTO, Pearson India, believes that digitising content will go a long way in helping the education sector
40 | My Story: No Room for Error for Today's CIOs. Ashish Pachory, CIO, Tata Teleservices, shares his perspective on various aspects of becoming a successful CIO
42 | Leading Edge: Elevating Technology in the Boardroom. Boards are starting to guide management by asking the right questions about technology
45 | Me & My Mentee: Leading by Example. Mentoring is all about leading by example
48 | The Best Advice I Ever Got: Never Give Up on Anyone. Vishwajeet Singh, CIO, Epitome Travel Solutions, shares his leadership mantra
49 | Opinion: Common Negotiating Mistakes. Losing thousands on the bargaining table
51 | Shelf Life: Leadership 2.0. In today's fast-paced world everyone is searching for tools that can help them to rise above the rest

Contents and Masthead | November 2012 | Page 6

12 | A Question of Answers: "Point Solutions are Passé". Sundar Ram Gopalakrishnan, VP, APAC, Oracle, talks about the importance of an integrated security approach
16 | Best of Breed: The Amazon Cloud and PCI Compliance. An organisation needs to subscribe to EC2, VPC and S3 in order to build a basic platform capable of computing
53 | Next Horizons: Israel vs Iran. The strategic importance of the fifth domain, cyberspace
60 | Tech for Governance: Panalpina's "World Wide Web". It is important to include contractual language

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Assistant Editors: Varun Aggarwal & Akhilesh Shukla

Design
Sr. Creative Director: Jayan K Narayanan
Sr. Art Director: Anil VK
Associate Art Directors: Atul Deshmukh & Anil T
Sr. Visualisers: Manav Sachdev & Shokeen Saifi
Visualiser: NV Baiju
Sr. Designers: Raj Kishore Verma, Shigil Narayanan, Suneesh K & Haridas Balan
Designers: Charu Dwivedi, Peterson PJ & Midhun Mohan

MARCOM
Associate Art Director: Prasanth Ramakrishnan
Designer: Rahul Babu

Studio
Chief Photographer: Subhojit Paul
Sr. Photographer: Jiten Gandhi

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

NEXT100 Advisory Panel
Manish Pal, Deputy Vice President, Information Security Group (ISG), HDFC Bank
Shiju George, Sr Manager (IT Infrastructure), Shoppers Stop
Farhan Khan, Associate Vice President – IT, Radico Khaitan
Berjes Eric Shroff, Senior Manager – IT, Tata Services
Sharat M Airani, Chief – IT (Systems & Security), Forbes Marshall
Ashish Khanna, Corporate Manager, IT Infrastructure, The Oberoi Group

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Jigyasa Kishore (+91 98107 70298)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Anuradha Das Mathur. Published at Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

For any customer queries and assistance please contact [email protected]

This issue of CIO&Leader includes 12 pages of CSO Forum free with the magazine

www.cioandleader.com

Advertisers' Index
Iomega: IFC; Riverbed: 3; Symantec: 7; IBM: 1, IBC; Schneider: 24-25; Microsoft: BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Advertisement: Symantec (page 7)

The ultimate backup appliance.

In the future, all backup will look like this. But until then, there's the NetBackup 5220 appliance from Symantec, the only fully integrated backup, deduplication, and storage appliance with industry-leading, factory-installed Symantec software. So it's practically ready to go right out of the box. It's hard to believe anything this simple can be so technologically advanced. But it is. See for yourself at www.symantec.com/in/nbu

Interested in an NBU appliance demo? Just email [email protected], or call +91-22-30671526

It's not the best in class, it's the only one in its class.

Confidence in a connected world.

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and NetBackup are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.

Enterprise Round-up | November 2012 | Page 8

Story inside: EMEA IT Spending Will Grow 1.4%, Pg 08

Data briefing: 8%, the growth in IT spending in Asia Pacific in 2013 over 2012

How Will the Future CIO Role Look?
Gartner identifies four roles for IT and CIOs of the future

Gartner observes that the changing shape of IT is causing CIOs to question the role of IT in the organization and the part they will play in it. As businesses confront global economic uncertainty, changing market dynamics and cultural discontinuities created by technological innovation, their different parts require different ways of interacting with IT. "We are witnessing the emergence of a new generation of CIOs, one that aims not so much to 'run' IT as to ensure that the business achieves strategic value from the use of technology," said John Mahoney, VP and distinguished analyst at Gartner. "Although this isn't an entirely new development, the extent of the change is growing and a tipping point will be reached in the next five years," he added.

Gartner has identified four dominant futures for IT in the organization. They are not mutually exclusive and may exist in combination:

IT as a Global Service Provider: In this scenario, the IT organization is an expanded and integrated shared-service unit that runs like a business, delivering IT services and enterprise business processes. It is virtually or fully centralised, focuses on business areas and business value, adopts a marketing perspective, capitalizes on its internal position and delivers competitive services.

Enterprise Round-up | November 2012 | Page 9

Quick Byte in IT: Religion-driven IT is estimated to generate more than $40 billion in software and service opportunities by 2017. The dynamic of IT and religion will create a new industry, generating software and service opportunities, according to Gartner analysts.

Tablets' Growth to Triple by 2016
Gartner expects 821 million smart devices to be sold in 2012

The consumerization trend has hit IT as an unstoppable force, as 821 million smart devices (smartphones and tablets) will be purchased worldwide in 2012 and pass the billion mark in 2013, according to Gartner, Inc. Smart devices will account for 70 percent of total devices sold in 2012. "For most businesses smartphones and tablets will not entirely replace PCs, but the ubiquity of smartphones and the increasing popularity of tablets are changing the way businesses look at their device strategies and the way consumers embrace devices," said Carolina Milanesi, research vice president at Gartner.

"In 2016, two-thirds of the mobile workforce will own a smartphone, and 40 percent of the workforce will be mobile," said Milanesi. Tablets will be the key accelerator to mobility. Gartner estimates that in 2012 purchases of tablets by businesses will reach 13 million units and will more than triple by 2016, to reach 53 million units. Smartphones have become truly pervasive in every aspect of an employee's life. Gartner estimates that 56 percent of smartphones purchased by businesses in North America and Europe will be Android devices in 2016, up from 34 percent in 2012 and virtually no penetration in 2010.

They Said It
"What is distinct from the overall economy in the US is that the IT demand is still holding out, though not a bumper demand we have seen two-three years ago."
—Azim Premji, Chairman, Wipro
The Wipro Chairman said that the demand for IT services in the US is persisting although the mood in terms of economic and employment growth remains muted.

Enterprise Round-up | November 2012 | Page 10

EMEA IT Spending Will Grow 1.4%
By 2015, big data will create 1.3 million IT jobs in EMEA

IT spending in Europe, the Middle East and Africa (EMEA) will reach $1.154 trillion in 2013, a 1.4 percent increase from 2012 projected spending of $1.138 trillion, according to Gartner, Inc. Despite the ongoing economic malaise, Gartner sees pockets of growth in IT in Europe, mainly driven by devices and software. Big data will also change the landscape of IT, creating new jobs.

"This year is a pessimistic year for IT spending in Europe," said Peter Sondergaard, senior vice president at Gartner and global head of Research. "In 2012, we estimate that IT spending will decline 3.6 percent in EMEA and 5.9 percent in Western Europe. However, the EMEA region will return to growth in 2013 and continue to grow through 2016 when spending will reach $1.247 trillion."

"The mobile device market is currently the bright spot of the IT industry," said Mr. Sondergaard. "We are seeing tablets and smartphones significantly outpace purchases of traditional PCs."

Gartner estimates that spending on mobile devices in EMEA will amount to $136 billion in 2012, reaching $188 billion in 2016. In Western Europe, both consumers and businesses are adding tablets to their portfolio of mobile devices, increasing the total mobile device market growth by 8 percent in 2012. This contrasts with a decline of 5 percent in the mobile PC market in Western Europe. In Eastern Europe and the Middle East and Africa, mobile phone shipments will dominate the market, with tablet adoption increasing through to 2016.

By 2016, two-thirds of the workforce will have a smartphone or tablet device. This will change the way consumers buy software and transform the market. Traditional software providers will have to rewrite their applications for these tablet-based environments, and there will be a strong increase in software spending. Gartner estimates that EMEA IT spending in software will grow 3.1 percent in 2013, nearly reaching the $100 billion mark in 2016.

Consumers and workers becoming more mobile will lead to a complete change of architecture. Information will expand and accelerate driven by the Nexus of Forces, becoming a higher strategic priority for businesses. "The Nexus of Forces are the confluence and integration of cloud, mobile, social and information that will transform IT architecture and create a new information layer in our economy that will create new jobs, new revenue, and require new skills," said Sondergaard.

Over the next three years, together with North America and Japan, EMEA will be the most active region in using big data. By 2015, 4.4 million IT jobs will be created globally to support big data, creating 1.3 million IT jobs in EMEA, including 1.2 million IT jobs in Western Europe alone.

However, public education systems, as well as training within companies, are not sufficient to satisfy that demand. "We expect that organizations will be unable to fill out these positions, and we estimate that only 31 percent of the IT jobs will be filled in Western Europe," said Sondergaard.

Global Tracker: Android on the Rise
Google's Android operating system will be used on more computing devices than Microsoft's Windows within four years. Source: Gartner

Enterprise Round-up | November 2012 | Page 11

Fact Ticker: 4.4 million IT jobs globally to support big data by 2015; 1.9 million of those IT jobs will be in the US

Tablets

MAIT, the apex body representing India's IT hardware, training and R&D services sectors, has announced the findings of its first-ever tablet study in the Indian market. The tablet market, pioneered by the launch of the iPad in 2010, has been growing rapidly and the study puts the growth rate at 40 percent over the next 5 years, compounded annually.

Commenting on this new opportunity, Alok Bharadwaj, President, MAIT, said, "The tablet market is the new blue-eyed growth opportunity in India. It is fast becoming one of the drivers of rapid growth in the IT content consumption and hardware sector in India. With the introduction of several national and international brands of tablets in India, the market is witnessing a revolution of sorts with these devices changing the way services are delivered in various other sectors such as education, healthcare and governance. We expect the market to touch 1.6 million units in the current financial year and grow to touch 7.3 million units by 2015-16."

According to Bharadwaj, a key factor in the growth of tablets has been the encouragement from the government in adopting and developing low-cost options for use in our villages and other rural areas.

Big Data Jobs

Worldwide IT spending is forecast to surpass $3.7 trillion in 2013, a 3.8 percent increase from 2012 projected spending of $3.6 trillion, but it's the outlook for big data that is creating much excitement, according to Gartner.

"By 2015, 4.4 million IT jobs globally will be created to support big data, generating 1.9 million IT jobs in the US," said Peter Sondergaard, senior vice president at Gartner and global head of Research. "In addition, every big data-related role in the US will create employment for three people outside of IT, so over the next four years a total of 6 million jobs in the US will be generated by the information economy."

"But there is a challenge. There is not enough talent in the industry. Our public and private education systems are failing us. Therefore, only one-third of the IT jobs will be filled. Data experts will be a scarce, valuable commodity," Sondergaard said.

"IT leaders will need immediate focus on how their organisation develops and attracts the skills required. These jobs will be needed to grow your business. These jobs are the future of the new information economy."

Banks Should Bank on APIs and Apps
Use of APIs and apps will enable flexibility

Current application portfolios are preventing banks from making the transformation they need to re-engage with customers and stakeholders, according to Gartner. Gartner said that apps enable a new style of engagement with customers, one that is focused on providing context-aware services.

"The banking industry has lost its way, both in the services it provides to customers and its future profitability to stockholders," said Kristin Moyer, research director at Gartner. "Banks need to transform both their delivery models and architectures to remain profitable and relevant in the financial services' value chain. Applications are preventing transformation in the banking industry because they are rigid and reactive."

Gartner said banks need to stop relying on reactive product delivery and start providing a delivery model transformation that uses public and private Web application programming interfaces (APIs) and apps. This new approach will enable banks to deliver needs-based services that are relevant to the context, location and technology customers are using, which will lead to proactive delivery that either anticipates a customer need or improves their financials. It will also allow banks to respond quickly to new opportunities, and third-party developers to build the banking solutions they need.

For example, a mortgage refinance app could indicate whether it makes sense to refinance a mortgage, given current interest rates. With a few more clicks, the customer could apply and then view the process steps required for the bank to complete the transaction. "This would be an entirely new way of banking, and if banks ignore this trend they will quickly find themselves relegated to low-margin, low-growth market segments and products that will no longer be profitable," said Moyer.

Retiring redundant, monolithic applications is necessary to improve agility and efficiency, but also to prevent out-of-control complexity. The proliferation of apps will increase complexity, and if a bank already has substantial application redundancy, it will not be able to improve agility or efficiency by adding apps and APIs into the mix. However, APIs and apps can replace an application, or an app can call an application through an API or middleware layer.

A Question of Answers | November 2012 | Pages 12-14

Need of the Hour: Organisations need to develop and implement a comprehensive security strategy

"Point Solutions are Passé"

Sundar Ram Gopalakrishnan | VP, Oracle

Sundar Ram Gopalakrishnan, VP-Technology, APAC, Oracle Corporation, in an interview with Varun Aggarwal, talks about the importance of an integrated security approach

Advanced Persistent Threats often abuse various security loopholes at different layers to get into an organisation. In such situations, where a single solution can't detect an intrusion, how do you think an organisation can protect itself?

Organisations today, while recognising the need for an end-to-end security solution, fail to look at security comprehensively until they've had a security breach. It is only at such time that they realize the importance of having a security strategy in place. Oracle helps organizations develop and implement a comprehensive security strategy that can protect them against internal and external threats and help them address the changing compliance requirements.

Point solutions are hard to integrate and scale, eventually making it an expensive proposition. These also often leave security gaps since there is no centralised management or reporting, with independent owners for every solution. End-to-end Oracle security solutions offer the lowest TCO and comprehensive security. Organizations can leverage Oracle solutions to not only meet their compliance needs but also to securely centralize and streamline IT infrastructure, data, applications and identity management.

Data breach investigations have shown that security controls must be multi-layered to protect against threats that range from account misuse to SQL injection attacks. In addition, the ever changing regulatory landscape and renewed focus on privacy demonstrate the need for solutions to be transparent and cost effective to deploy.

What is the state of security you see in India? What are the sectors you're focused on right now?

In India, we are focusing on sectors like Telecom, BFSI and Government as these sectors own extensive classified or confidential data and are more prone to security threats. These sectors are also guided by strong regulatory compliances. Oracle with its full spectrum of security solutions is in a strong position to address the needs of these demanding industries.

Industry leading organizations globally rely on Oracle's security solutions. Some of the Indian customers using Oracle security solutions include Hindustan Petroleum Corporation Limited (HPCL), TVS Motor Company and Aircel Limited.

Oracle's innovative range of security solutions is sophisticated enough to adapt to external threats as well as provide protection against internal threats. The portfolio includes Oracle Identity Management, Oracle Privileged Account Manager, Oracle Database Security, Oracle Advanced Security, Oracle Database Vault, Audit Vault and Database Firewall.

Information ranging from trade secrets to financial and confidential data has become the target of sophisticated attacks both in India and around the world. While most organizations have deployed perimeter firewalls, intrusion detection, and anti-spam technologies, they lack an in-depth, inside-out data protection security strategy. According to the recent Independent Oracle Users Group (IOUG) Data Security Survey undertaken amongst database and information security professionals, organizations are inadequately protecting sensitive data and database infrastructure. The results are disturbing, with 60% of respondents saying they are either likely or somewhat likely to have a data breach over the next 12 months.

Similarly, a recent study revealed 48% of breaches were caused by insiders. So, with all the monitoring, 48% of breaches were caused by people who had either excessive access or even legitimate access to the data. 92% of stolen records are from database servers, 89% of records were stolen with simple SQL injection attacks and a whopping 86% of attacks were due to lost or stolen credentials.

Can you elaborate more on the study findings?

The new survey from the Independent Oracle Users Group (IOUG) titled "Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey" uncovers some interesting trends in IT security among IOUG members and offers recommendations for securing data stored in enterprise databases.

Produced by Unisphere Research and underwritten by Oracle, the report is based on responses from 350 IOUG members representing a variety of job roles, organization sizes, and industry verticals. Some of the key findings include:

Corporate budgets increase, but trailing. Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year's spending. Additionally, more than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise.

Danger of unauthorized access. Less than a third of respondents encrypt data that is either stored or in motion, and at the same time, more than three-fifths say they send actual copies of enterprise production data to other sites inside and outside the enterprise.

Privileged user misuse. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have, or are not aware of, ways to prevent access to sensitive data using spreadsheets or other ad hoc tools.

Lack of consistent auditing. A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across databases in the enterprise.

What are your recommendations for CIOs and CISOs given the state of affairs?

We believe that securing data requires not just the ability to monitor and detect suspicious activity, but also to prevent the activity in the first place. To achieve this comprehensive approach, we recommend CIOs to apply an enterprise-wide security strategy.

Things I Believe In

"A recent study revealed 48% of breaches were caused by insiders"

"Corporates fail to look at security comprehensively until they've had a security breach"

"Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year's spending"

"Securing data requires not just the ability to monitor and detect suspicious activity, but also to prevent the activity"
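The interview above names simple SQL injection and excessive privileged access as the routes behind most stolen records, and argues that controls must be layered: prevent first, then monitor. The block below is an added example written for this page; it is not Oracle's code and is not taken from the IOUG survey. It stands up an in-memory SQLite table with constructed rows (the PANs are standard test numbers), shows a lookup that splices user input into the SQL text being emptied by a classic tautology payload, shows the same lookup with a bound parameter refusing the payload, and adds a second layer, a masked view, so that even a successful injection against the account the application uses yields only the last four digits. The table, view, column and function names are illustrative.

```python
import sqlite3

# Constructed sample data; these PANs are industry test numbers, not real cards.
SAMPLE_ROWS = [
    (1, "alice", "4111111111111111"),
    (2, "bob", "5500000000000004"),
    (3, "carol", "340000000000009"),
]

# Classic tautology payload: closes the quoted literal and ORs in a true clause.
ATTACK = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a raw table and a masked view over it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, pan TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    # Second layer: the application reads through a view that never returns
    # the full PAN. substr(pan, -4) is the last four characters in SQLite.
    conn.execute(
        "CREATE VIEW customers_masked AS "
        "SELECT id, name, '****' || substr(pan, -4) AS pan FROM customers"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str,
                      table: str = "customers") -> list:
    """Deliberately broken: the caller's string becomes part of the SQL text.

    `table` is an internal constant chosen by this module, never user input;
    `name` is the untrusted value."""
    sql = f"SELECT id, name, pan FROM {table} WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT id, name, pan FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run an honest and a hostile lookup against each variant and report."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, ATTACK)
    leaked_masked = lookup_vulnerable(conn, ATTACK, table="customers_masked")
    return {
        # one row for a real customer name
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice")),
        # the tautology returns every row, with full PANs
        "attack_vulnerable": len(leaked),
        "attack_vulnerable_pans": [row[2] for row in leaked],
        # the bound parameter still finds the real customer ...
        "honest_safe": len(lookup_safe(conn, "alice")),
        # ... and finds nobody literally named "x' OR '1'='1"
        "attack_safe": len(lookup_safe(conn, ATTACK)),
        # the injection still succeeds against the view, but only masked PANs leak
        "attack_masked_pans": [row[2] for row in leaked_masked],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two layers address different failures: parameter binding removes the injection, while the masked view (granted to the application account instead of the base table) limits what any read, injected or merely over-privileged, can return. Auditing the base table then has only the direct-access path left to watch.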

Page 17: THE TRANSFORMERS

How can you effectively manage cybersecurity, mobile security and cloud security?

How can you make sure the technology supply chain is secure?

What are the best approaches to maintaining effective GRC initiatives?

How can you establish leadership in aligning security to the business?

How to adapt enterprise security to the new realities?

Join India's leading security practitioners in their quest to understand the security trends and challenges, and indeed, develop a road-map to secure your organisations.

For any queries, please contact: Astha Nagrath Khanna, [email protected], Ph: 9902093002

Date: December 6-7, 2012

Venue: Jaypee Greens Golf and Spa Resort, Greater Noida

FIND ALL YOUR ANSWERS AT THE

Register now! http://tinyurl.com/csosummit



Best of Breed

Features Inside

Security & Admin Cost May Offset BYOD Savings Pg 19

Face it: Employees Rule IT Pg 20

Unlocking Big Data in Social Technologies Pg 21

The Amazon Cloud and PCI Compliance

A company needs to subscribe to EC2, VPC and S3 in order to build a basic platform capable of computing

If there ever was a hot topic these days it would be “The Cloud” and, in particular, the Amazon cloud. And that discussion inevitably leads to how the Amazon cloud offerings are PCI compliant. A lot of this discussion has to do with the very limited amount of information regarding the Amazon service offerings. For some very bizarre reason, Amazon puts organisations interested in their PCI compliant services in a Catch-22 situation. Unless you sign up for one or more of the services, you cannot obtain the information on how the Amazon


service offerings are PCI compliant. As a result, there is a lot of misinformation running around regarding the Amazon cloud. So to debunk all of the myths running around, I thought I would explain what the Amazon cloud is and is not, how it ends up PCI compliant and what you need to understand when deciding to use the Amazon cloud.

And before I get calls from someone at AWS about the fact that I am somehow singling them out or being unfair: I do not have a problem with AWS or any organization’s cloud service offerings. What I have an issue with is how some service providers use obfuscation and confusion about their services in ways that make customers unsure of whether they are getting something that is PCI compliant. As I see it, the AWS service offerings seem to be PCI compliant, but there are things that possibly should be further explained so that everyone understands how that compliance is achieved.

The first part of the mythology revolves around what PCI compliant services Amazon Web Services, LLC (AWS) is actually providing. According to AWS’s Attestation Of Compliance (AOC), AWS is a Hosting Provider for Web and Hardware. The AOC calls out that the following services have been assessed PCI compliant: Amazon Elastic Compute Cloud (EC2); Amazon Virtual Private Cloud (VPC); Amazon Simple Storage Services (S3); Amazon Elastic Block Store (EBS); Amazon Relational Database Service (RDS); Amazon Elastic Load Balancing (ELB); Amazon Identity and Access Management (IAM). The AOC lists nothing for software provided through any of their services. As a result, a big myth that gets busted right off the bat is that AWS is providing software. At the end of the day, all AWS’s services are offering is Infrastructure as a Service (IaaS). As a result, how AWS is PCI compliant is fairly easy to figure out: they have totally minimized their responsibility on the PCI compliance front.

In addition to the AOC, AWS provides customers with a document entitled “AWS PCI DSS Controls Responsibility Summary” (CRS). This document explains the various services and the responsibilities a customer organisation has when using these services.

The first piece of infrastructure used by AWS is virtualisation in the form of Xen as their hypervisor. Because of the way AWS has implemented Xen, every virtual instance created by EC2 acts like an individual physical server in that there are no connections to any other server unless the organisation defines such connections. This is referred to in the CRS as instance isolation. Finally comes the firewall. EC2 includes a firewall that is managed by the customer. Access to the firewall is controlled by an X.509 certificate and access credentials provided through IAM. In addition to utilities to manage the cloud environment, AWS provides various application programming interfaces (APIs) to manage the AWS cloud environment.

The bottom line is that, at a minimum, an organisation needs to subscribe to EC2, VPC and S3 in order to build a basic platform capable of computing (i.e., server, connectivity and storage). The need for other services outside of these will depend on what the organisation is attempting to accomplish, whether or not they need the flexibility and scalability provided by AWS, and other business factors.

From a PCI compliance perspective, the CRS categorises the 12 PCI requirements into those that are AWS’s responsibility, those that are a shared responsibility between AWS and their customer, and those that are solely the customer’s responsibility.

In the “AWS is responsible” category falls requirement 9, physical security and environment controls. Since AWS is providing the facilities to operate the underlying physical hardware, it is solely responsible for this requirement.

In the shared responsibility category fall requirements 1, 10 and 11. For requirement 1, AWS acknowledges that this is a shared compliance responsibility between AWS and their customer. However, AWS’s responsibility is only to provide a firewall and ensure that it segregates their customers from one another. The remainder of the responsibility for complying with requirement 1 is left to the customer.

For requirement 10, AWS indicates that they are responsible for:

Maintaining log files for EC2 and S3 customer management operations (e.g. creation, modification and deletion of these environments) for at least a year.

Maintaining logs for the underlying software that provides the various services for at least a year.

This log information is monitored at least daily and is available to customers for their particular environment should it be necessary. All other parts of requirement 10 are the responsibility of the customer.

For requirement 11, AWS indicates that they are responsible for ensuring the security of their environment, including ensuring wireless security. Customers are responsible for ensuring the security of the environments they construct using AWS’s services.

All of the remaining requirements, 2, 3, 4, 5, 6, 7, 8 and 12, are solely the responsibility of the customer.

“AWS indicates that they are responsible for ensuring the security of their environment including ensuring wireless security.”

So after all of this rigmarole, what is the advantage to be gained? Not much, near as I can tell. The bulk of responsibility for PCI compliance still falls on the organisation using the AWS services. So organisations looking to offload as much of their PCI compliance responsibilities as they can to AWS are looking in the wrong place.

But it does not end there. We are seeing


more and more startup service providers that are using AWS services to avoid the capital costs of hardware and software of a 24/7/365 operation. Where this becomes tricky is when you have a service provider providing PCI compliant services effectively using AWS for their “data center.” In some cases, these service providers are trading on the fact that because AWS is PCI compliant, then their services must also be compliant. However, what these service providers forget is that once they start going beyond the IaaS model and offer services in the Platform as a Service (PaaS) and Software as a Service (SaaS) realm, they are now responsible for portions of PCI compliance that Amazon is not. As a result, organisations need to conduct due diligence on vendors using other cloud providers to provide their services to ensure that everyone is PCI compliant.
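The article's point about Requirement 1 is that AWS only guarantees the firewall exists and keeps tenants apart; which ports it opens, and to whom, is entirely the customer's responsibility. As an added example (not from the article, and not code from AWS or Infosec Island), here is a Python check that evaluates EC2 security group rules against a hypothetical cardholder data environment (CDE) policy. The rule layout follows the IpPermissions and IpPermissionsEgress structure of EC2's DescribeSecurityGroups response, but the groups, the trusted 10.20.0.0/16 range, the 10.20.30.0/24 database subnet and the allowed port set are all constructed for the example.

```python
"""Added example (not from the article, AWS or Infosec Island): a policy check
for the customer-owned part of PCI DSS Requirement 1 on EC2.

The rule layout mirrors the IpPermissions / IpPermissionsEgress structure of
EC2's DescribeSecurityGroups response, but every group and address below is
constructed for the example so that it runs offline.
"""
import ipaddress

# Hypothetical CDE policy. 10.20.0.0/16 stands in for a corporate network that
# may reach the CDE; 10.20.30.0/24 stands in for the database subnet the CDE
# may talk to. Both are constructed values, as is the allowed port set.
TRUSTED_INGRESS_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_INGRESS_PORTS = {443}
ALLOWED_EGRESS_NETS = [ipaddress.ip_network("10.20.30.0/24")]
ANY = ("0.0.0.0/0", "::/0")


def _port_range(perm):
    """(low, high) port span of a permission; protocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    """Every CIDR string in a permission, IPv4 and IPv6 alike."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _within(cidr, nets):
    """True if cidr lies entirely inside one of the policy networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def check_security_group(group):
    """Return a list of findings (empty means the group satisfies the policy)."""
    name = group["GroupName"]
    findings = []

    for perm in group.get("IpPermissions", []):            # inbound rules
        lo, hi = _port_range(perm)
        for cidr in _cidrs(perm):
            if cidr in ANY:
                findings.append(f"{name}: inbound {lo}-{hi} open to the Internet ({cidr})")
            elif not _within(cidr, TRUSTED_INGRESS_NETS):
                findings.append(f"{name}: inbound {lo}-{hi} from untrusted {cidr}")
            elif not all(p in ALLOWED_INGRESS_PORTS for p in range(lo, hi + 1)):
                findings.append(f"{name}: inbound {lo}-{hi} from {cidr} exceeds allowed ports")

    for perm in group.get("IpPermissionsEgress", []):      # outbound rules
        lo, hi = _port_range(perm)
        for cidr in _cidrs(perm):
            if cidr in ANY or not _within(cidr, ALLOWED_EGRESS_NETS):
                findings.append(f"{name}: outbound {lo}-{hi} to {cidr} not restricted to the CDE")

    return findings


# Constructed sample groups in the DescribeSecurityGroups shape (not real output).
SAMPLE_GROUPS = [
    {   # weak: SSH open to the world, egress unrestricted
        "GroupName": "cde-web-weak",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.5.0/24"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # hardened: HTTPS from the trusted range only, egress to the DB subnet only
        "GroupName": "cde-web-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.5.0/24"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.20.30.0/24"}], "Ipv6Ranges": []},
        ],
    },
]


def audit(groups=SAMPLE_GROUPS):
    """Map each group name to its findings; the weak sample group yields two."""
    return {g["GroupName"]: check_security_group(g) for g in groups}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The check deliberately treats egress the same way as ingress: an "allow all outbound" rule is a finding even when inbound is tight, because the customer-owned part of Requirement 1 covers outbound traffic from the CDE as well. Feeding it real DescribeSecurityGroups output would only require replacing SAMPLE_GROUPS; the policy constants are where an organisation's own scoping decisions go.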

So do I think your organisation should rush right out and sign up for AWS? Maybe, if you have the right business case. But I do have some concerns regarding AWS’s service offerings and the statements surrounding how they are PCI compliant.

My first concern is in regards to requirement 1.2.3. This requirement is one of the few that is not allowed to be marked ‘Not Applicable’. As such, the QSA is required to document what procedures they conducted to ensure that any existing wireless is either not in scope, or that there is wireless in scope and how it is secured. To document this, AWS’s QSA has written:

“[AWS] maintain this control for all internal and external services that it provides. In EC2 and VPC environments, this includes the network at the hardware and management level networks, which are not exposed to customers.”

This statement says nothing of what procedures were conducted to ensure that wireless was not visible to customers, or of the controls AWS maintains to ensure wireless stays out of scope. Essentially, we are asked to trust AWS that wireless is not on any customer networks. Now, to be fair, AWS is operating secured data centers comprised of racks of hardware, all virtualised, so the likelihood that wireless would exist in such an environment on any one customer’s network is remote at best. However, the PCI assessment process is all about verifying such statements, not just accepting them at face value as fact. As a result, I am concerned that what is supplied as evidence for complying with this test leaves much to be desired. What should be documented here are the procedures the QSA used to confirm that the controls AWS has in place are adequate to ensure that rogue wireless does not end up in their data centers.

Related to requirement 1.2.3 is requirement 11.1. As with 1.2.3, 11.1 is also not allowed to be marked as ‘Not Applicable’ regardless of whether wireless is implemented or not. For all of the tests under 11.1, the following statement is made:

“[AWS] maintain[s] this control internally.”

So what exactly does AWS do to ensure that their data centers remain wireless free or that wireless does not end up on the customer side of the network? No idea. I would like to assume that AWS is doing the right things in this regard, but, again, the PCI assessment process does not allow for assumptions; it requires proof, and this just does not pass muster. At a minimum, there should be a discussion of the procedures used by AWS to ensure wireless is not an issue.

While we are discussing requirement 11, we should cover vulnerability scanning, penetration testing, intrusion detection and critical file monitoring. All of these are the customer’s responsibility, not AWS’s. Again, AWS is providing IaaS and nothing else, so any such controls will need to be provided by the customer.

When reviewing the detailed responses in requirement 9, it was interesting to see that, for the portion of any customer’s cardholder data environment (CDE) that exists in AWS, AWS is responsible for ensuring that hardcopy materials are properly destroyed so as to be unrecoverable. This begs the question, “Why would AWS have any hardcopy to destroy in the first place if they do not have access to customers’ environments?” No further explanation is given, but one would guess it was their lawyer’s idea, just in case AWS might somehow come into contact with CHD on hardcopy.

The next area I have issue with is not related to the service, but to how an organisation contracts for the service. In an effort to fully automate things, unless you are a Fortune 50 looking to put your entire computing environment in AWS’s data centers, you can forget about negotiating a contract. When you sign up for any AWS service, you either accept their contractual terms and conditions by checking the ‘Accept’ box and clicking Okay, or you don’t get to use AWS. I know of a number of organisations that had real issues with that approach and, as a result, backed away from a more aggressive use of the AWS environment or decided they just could not accept the terms and did not go to the cloud at all. While the AWS contract does cover PCI compliance, it essentially makes the customer the one legally responsible for compliance, with AWS providing support when necessary.

So that is AWS in a nutshell. Not a bad thing, but something an organisation needs to go into with their eyes wide open, understanding that they still have significant responsibilities even though they are now in “The Cloud.”

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Organisations need to conduct due diligence on vendors using other cloud providers to provide their services to ensure that everyone is PCI compliant

47% increase in the worldwide sales of smartphones in Q3, 2012


Security & Admin Cost May Offset BYOD Savings

Security can also be a dangerous and costly concern for companies implementing BYOD

By Rainer Enders

There is a difference between enabling a mobile workforce and enabling a BYOD (bring-your-own-device) workforce.

Companies need to mobilise, that is without question -- but for too long BYOD has become nearly synonymous with this effort. In reality, BYOD is just one of the ways enterprises can mobilise, and in many cases, it is not the most secure, or necessarily the most cost-efficient, way to do so.

The Aberdeen Group found that BYOD, on average, costs companies 33 percent more than adopting a company-owned device policy. This is particularly surprising because, at first glance, BYOD seems to be the ultimate cost saver.

Your employees buy their own devices, equipping themselves with the resources needed to be mobile. The ROI seems incredibly high because there is very little initial investment. But the problem comes in when companies jump on the BYOD bandwagon without properly assessing the associated costs and coinciding risks.

After all, it's foolish to believe BYOD, a drastic departure from typical corporate protocol, comes without costs.

For one, BYOD requires significant cross-departmental overhead to ensure that everyone involved in employee administration is on the same page. This includes executives from IT, human resources, finance and other departments.

If an enterprise has a particularly mobile sales force, which many companies do, then the head of that division needs to be on board, as well. Accordingly, rules and protocols need to be developed, refined and then implemented in order to educate employees on the proper use of their now hybrid personal/professional devices that will be with them at all times. In order to coordinate and execute these protocols, time must be taken from all departments -- time that could be devoted elsewhere.

Security can also be a dangerous and costly concern for companies implementing


a BYOD culture. Enterprises need to protect themselves from employees unwittingly exposing company data to insecure networks and people outside their organisations.

Because so many individuals own multiple mobile devices these days, a single employee could conceivably access an employer's corporate network from upward of a half-dozen different devices. This makes developing the protocols around BYOD exceedingly complicated.

If security is a priority, then VPN software will be an absolute necessity. This requires locating a VPN that can work properly across a wide range of devices and operating systems. Then, depending on the type of software used, this could involve installing software on every device an employee plans to use, from an iPhone to a home desktop.

Bear in mind, even under these most stringent of security circumstances, particularly in BYOD cultures, employees may believe it is acceptable to access sensitive information from, say, a friend's computer or a public terminal, in the process leaving the network particularly vulnerable.

This begs some essential questions: Who is responsible for the damage that might be incurred when company security is compromised via employee-owned devices? Who determines who is responsible? What is proper punishment? These need to be answered, especially if the compromised information has legal ramifications.

Then, of course, there is the issue of employees leaving the company. Where does a CIO draw the line between respecting the former employee's privacy and mandating that personal devices be scanned so that he or she does not leave while still being able to access the company network and documents? For companies that embrace mobility through employer-issued devices, these types of questions do not require exploration.

This is not to say that BYOD should be outright banned or wholly discouraged. Rather, at companies, particularly those with high-risk profiles, CIOs should consider investing in company-owned mobile devices for employee issuance. Doing so would allow for greater oversight of the entire network and ensure higher security.

Unlike in BYOD environments, CIOs could dictate which devices and operating systems are used across the company, in addition to standardising applications installed for remote access. There would certainly be an initial investment in devices, but this might be offset by fewer hours spent on security implementation and coordination between departments. And the bottom line is, eschewing BYOD leaves enterprises with more control over what happens with—and on—the devices rightfully owned by them.

Mobility is no longer an option. It is a requisite for survival. And with the incredible advances made in handheld devices over the last decade, there is an undeniable pull toward employees using their own resources to work from home or the road—and an even stronger pull to indulge in these perceived cost savings.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

If security is a priority, then VPN software will be an absolute necessity. This requires locating a VPN that can work properly across a wide range of devices and OSs

Face it: Employees Rule IT

Sooner or later, you will eventually be forced to adopt BYOD anyway

By Samuel Greengard

It's remarkable that some CIOs still question and debate the value of the bring-your-own-device (BYOD) movement. At this point, the train has already left the station, and any organisation that isn't riding this express is rapidly heading toward obsolescence. The issue isn't only about giving employees the choice to use their own devices; it's about embracing the opportunities these devices provide.

Once upon a time, running an IT department was a lot simpler. You installed enterprise systems, made sure they were running smoothly and forced everyone to use them as the business saw fit. BYOD has turned this paradigm upside down and inside out. Essentially, the inmates run the asylum and dictate the terms.


Suggestion: Get used to it. It's the new normal. What's ironic about this scenario is that BYOD has fueled the consumerisation of IT, which, in turn, has unleashed productivity gains that were unimaginable only a few years ago. Suddenly, it's easier to connect dots—and data—by connecting to people instantaneously, wherever they are and whatever device they're using. In a post-PC world, it's the digital equivalent of a wormhole through the IT universe.

Most CIOs wouldn't have thought of anything as brilliant as BYOD and IT consumerisation. Employees, particularly younger workers, figured it out for them and then forced it on the enterprise.

Capgemini Consulting and MIT Sloan Management recently reported that the digital leaders of the business world outperform the digital laggards in a number of ways. Those in the digital elite category achieve 26 percent higher profitability and 12 percent higher market valuations than their counterparts.

There are no longer any valid excuses for fighting BYOD. Yes, security and compliance issues exist, but it's critical to view these within the framework of overall enterprise security and to extend solutions and strategies to the mobile arena.

Many employees will use their own devices regardless of corporate policies, and you will merely increase the security threats and reduce potential productivity returns. You will also alienate a lot of workers. You will eventually be forced to adopt BYOD anyway, perhaps a few months or a year or two down the line. By then, you will be choking on the exhaust of a digital revolution that has passed you by.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

There are no longer any valid excuses for fighting BYOD


Unlocking Big Data in Social Technologies

Big data was the real story at Oracle's OpenWorld

By Tony Kontzer

The display at EMC Corp.'s booth at this week's Oracle OpenWorld show in San Francisco featured a famous quote uttered by a British entrepreneur in 2006: "Data is the new oil."

The quote was being bandied about to promote an ambitious global project called "The Human Face of Big Data," an effort commissioned by EMC, and sponsored by the likes of Cisco Systems and VMware, that aims to use crowdsourcing to get a handle on humanity's increasing need to generate and crunch data. For example, a widely distributed smartphone application collected data, between Sept. 25 and Oct. 2, that indicated that the reason people can't find a cab when it rains in Singapore is that drivers looking to avoid having their pay withheld for accidents simply pull over to wait out rainstorms. They don't pick up new fares.

While such findings may not hold much value for the average IT executive, the implications of big data certainly do. And although the news from OpenWorld centered on Oracle's slew of new cloud services and a new platform that socially enables all of the company's applications, big data was clearly the dominant theme.

Oracle CEO Larry Ellison's anticipated keynote address, which was entitled "The Oracle Cloud: Where Social is Built In," focused instead on how the company's venerable database and analytics technologies can crunch the big data inherent in social network streams.

Ellison began his keynote touting Oracle's cloud—which now features new services such as planning and budgeting, financial reporting, and data and insight—as having the broadest set of applications in the industry. He then quickly introduced Oracle's new social platform, which he characterised as being far preferable to stand-alone social applications.

But what he clearly wanted to demonstrate was the kind of insight that can be gleaned from social data when the right analytical tools are used. Specifically, he showed the packed hall how two products—Oracle's Exadata database and its Exalytics in-memory analytics appliance—were used to analyse nearly 5 billion Twitter posts to determine what celebrity would be the best spokesperson to promote a new Lexus sedan.

Ellison made it clear that Twitter data, in particular, consists of much more than the posts themselves—it includes timestamps, geotags, device types, and more, and the data is of both the structured and unstructured variety. In the end, Oracle ended up analysing 27 billion relationships, nearly a billion retweets and hashtags, 2.8 billion mentions and another 1.3 billion replies.

And as Ellison pointed out, the conclusion itself—that gold-medal Olympic gymnast Gabby Douglas was the best fit to promote the new Lexus—wasn't nearly as significant as the process by which that conclusion was reached, which included drilling down into the data to find out whose posts most frequently mentioned cars, for instance. "This was a very simple question that required an enormous amount of data processing to get the data," Ellison said. "This is something we would have had to guess at before."

Now that sophisticated data crunching tools from Oracle, EMC and the like are making it possible to extract the value of big data, companies have no choice but to try and use that data to change their business.

"Otherwise," said EMC CEO Joe Tucci during a morning OpenWorld keynote Oct. 2, "they'll be out of business."

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Twitter data consists of much more than the posts themselves—it includes timestamps, geotags and more


“No known exploits in the wild...”

The detection mechanisms we have available to us, by nature, necessitate a patient zero

By Rafal Los

These days you can't open your email box or scroll through Twitter without reading of some new exploit against a system or platform you depend on. You'd think that when I read that there are "no known exploits circulating in the wild" I'd be excited or at least relieved, right? Not so much. Here's why.

Any time I see someone write, or hear someone say, that there are "no known exploits in the wild" I cringe a little.

While on the one hand it's good that the people who are doing the detecting haven't found anything or anyone out there actively exploiting your Java install with today's sandbox bypass, it gives me pause to ask whether it's because there isn't anything out there ...or if it's simply not being found.

Outside the ring of seasoned security professionals the phrase "not known to be exploited in the wild" is dangerous. Why? Simple - people who don't know to think past the word known may assume that it's OK not to take precautions against this exploit du jour. It's been said before many times, but the good attacks are the ones you catch when someone becomes patient zero, while the best attacks are the ones where no one figures it out until much, much later.

So should you take precautions against the exploit du jour? Of course.

The detection mechanisms we have available to us, by nature, necessitate a patient zero. Like in medicine, someone has to be the first to get sick so we can detect and respond; otherwise the bug is just floating around in the air being menacing. The problem in cyber space, much like in real-life illness, is that if it's out of sight it's out of mind. Defensive security professionals are busy worrying about *active threats*, so a potential threat isn't much bother until someone can tell them there is reason for alarm. Phrases like "not known to be exploited in the wild" can have the unfortunate consequence of allowing people who are already overloaded on 'security' worry to put it out of their mind and get back to more relevant "right now" risks.

It's human nature, and just the way we are wired... I know I can feel some of that myself when I hear that phrase. I guess I would change it to be slightly more effective by adding "at this time" at the end of the sentence - although I doubt it would make too much of a difference.

This is just something to think about as you read the newswires and talk to your colleagues and leadership - keep this bit of psychology in the back of your mind. I'd love to hear how it impacts you, and whether you feel that it has the same effect on you that it does on me.


Data Center Corner: Energy Efficiency

Implementing Energy Efficient Data Centers

Summary: The cost of electricity for data centers is a substantial operating cost that can and should be managed. The electrical power consumption is typically shared evenly between the IT loads and DCPI devices. Any rational approach to reduction in electrical usage must treat the combined IT/DCPI design as a system in order to maximize the benefit.

Electricity usage costs have become an increasing fraction of the TCO for data centers. It is possible to dramatically reduce the electrical consumption of typical data centers.

Electrical power usage is not a typical design criterion for data centers, nor is it effectively managed as an expense. This is true despite the fact that the electrical power costs over the life of a data center may exceed the costs of the electrical power system including the UPS, and also may exceed the cost of the IT equipment.

The greatest advantage can be gained in the design of new facilities, but some savings are possible for existing and evolving facilities as well. Simple no-cost decisions made in the design of a new data center can result in savings of up to 30% of the electrical bill, and with systematic effort up to 50% of the electrical bill can be avoided.

Energy consumption reduction in IT equipment

Operational: retiring IT systems – Most data centers have old technology platforms that remain operational for archival or research purposes. In fact, most data centers actually have application servers which are operating but have no users. It is useful to inventory these systems and create a retirement plan. In many cases, systems can be taken off line and powered down, even if they are not physically retired. A power consumption reduction of up to 20% is possible in typical cases. Even if the floor space is not recovered, the power capacity recovered can be very valuable as users deploy higher density IT equipment.

Operational: operating existing systems in an efficient manner – Today, most new servers have power management features. That is, they are able to reduce power consumption at times of reduced computational load. This was not true a few years ago, when the power consumption of virtually all IT equipment was constant and independent of computational load. Users should be aware of this change in IT technology, and be aware of the status of the power management features on their IT systems.


Operational: migration to energy efficient computing platforms – Most data centers have so-called “low density servers” that are 3-5 years old. Typically these servers draw the same or less power per server than today’s blade servers and are physically much larger per server. Migration to modern blade servers from legacy servers on a server-by-server basis typically does NOT reduce the total power consumption and may even raise it. However, such migration will permit much higher packing densities for servers. Blades do not create more heat than equivalent 1U servers, but they do create heat in a smaller area, which gives rise to heat removal problems that create the perception that blades create excess heat.

Energy consumption reduction in DCPI equipment

Right-sizing – Of all of the techniques available to users, right-sizing the DCPI system to the load has the most impact on DCPI electrical consumption. Most users do not understand that there are fixed losses in the power and cooling systems that are present whether the IT load is present or not, and that these losses are proportional to the overall power rating of the system. These fixed losses are the dominant form of DCPI electrical consumption in typical installations. In installations that have light IT loads, the fixed losses of the DCPI equipment commonly exceed the IT load. Whenever the DCPI system is oversized, the fixed losses become a larger percentage of the total electrical bill. For a typical system that is loaded at 30% of rating, the electrical cost of IT load is approximately $2,300 per kW per year. If the system were right-sized to the load, the electrical cost of IT load falls to approximately $1,440 per kW per year, which is a 38% savings in electrical costs.

Energy-efficient system design – The system design has an enormous effect on the electrical consumption of data centers, and two data centers comprised of the same devices may have considerably different electrical bills. For this reason, the system design is even more important than the selection of power and cooling devices in determining the efficiency of a data center.

Using efficient DCPI devices – Although the selection of DCPI devices such as power and cooling equipment has less effect on the overall system electrical consumption than does IT architecture, DCPI right-sizing or DCPI system design, device selection is nevertheless an important element in designing a power-efficient data center.

There is a substantial variation in the electrical losses between DCPI devices of the same type operated under the same conditions. For example, a December 2005 paper by the U.S. Electric Power Research Institute found that different UPS systems operated at 30% of load rating varied in losses from 4% to 22%, which is a 500% variation. It is important to note that this variation cannot be ascertained from the specification sheets for these products. Schneider Electric clearly demonstrates that the electrical losses in real applications can only be correctly predicted if the appropriate models are used and that typical manufacturer’s data is inadequate to make quantitative predictions of the electrical consumption of data centers.

Conclusion
A data center designed for reduced power consumption also saves other costs such as capital and operating costs associated with power and cooling systems, as well as saving space. The electrical power consumption is typically shared evenly between the IT loads and DCPI devices. Any rational approach to reduction in electrical usage must treat the combined IT/DCPI design as a system in order to maximize the benefit. The cost savings opportunities have been shown to be very large, yet the investment required to achieve them is small or even zero in some cases, when compared with legacy approaches to data center design.

90% of the electrical bill can be avoided through systematic effort.
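To make the fixed-loss argument concrete, here is a small model added as an illustration; it is not from the article or from Schneider Electric. It assumes, as labelled in the code, that DCPI losses are a fixed fraction of the system rating (paid whether or not any IT load is present) plus a fraction proportional to the IT load. The coefficients (0.15 and 0.25), the $0.10/kWh price and the 100 kW / 30 kW scenario are assumptions, so its dollar figures will not reproduce the $2,300 and $1,440 quoted above, but the shape of the result does: per-kW cost rises steeply at light load, and shrinking the rating to the load removes most of the fixed-loss share.

```python
"""Fixed-versus-proportional loss model for data center power and cooling
(DCPI) equipment.  Added illustration, not code from the original article;
the loss coefficients and the electricity price are assumed values chosen
to be plausible, not figures taken from the page."""

HOURS_PER_YEAR = 8760


def dcpi_losses_kw(rating_kw, it_load_kw, fixed_frac=0.15, prop_frac=0.25):
    """Power the DCPI chain (UPS, distribution, cooling) burns on top of the
    IT load.  fixed_frac is the no-load loss as a fraction of the system
    rating and is paid whether or not any IT load is present; prop_frac is
    the extra loss per kW of IT load actually delivered.  Both are assumed
    values for illustration."""
    if it_load_kw <= 0 or it_load_kw > rating_kw:
        raise ValueError("IT load must be positive and within the DCPI rating")
    return fixed_frac * rating_kw + prop_frac * it_load_kw


def annual_cost_per_it_kw(rating_kw, it_load_kw, price_per_kwh=0.10, **loss_kw):
    """Yearly electricity cost attributable to each kW of IT load, including
    the DCPI losses that kW drags along.  price_per_kwh is an assumption."""
    total_kw = it_load_kw + dcpi_losses_kw(rating_kw, it_load_kw, **loss_kw)
    return price_per_kwh * HOURS_PER_YEAR * total_kw / it_load_kw


def right_sizing_savings(rating_kw, it_load_kw, headroom=1.0, **kw):
    """Fraction of the per-kW bill saved by shrinking the DCPI rating from
    rating_kw down to it_load_kw * headroom (headroom=1.2 keeps 20% spare)."""
    before = annual_cost_per_it_kw(rating_kw, it_load_kw, **kw)
    after = annual_cost_per_it_kw(it_load_kw * headroom, it_load_kw, **kw)
    return (before - after) / before


def fixed_losses_exceed_it_load(rating_kw, it_load_kw, fixed_frac=0.15):
    """True when the no-load losses alone outweigh the IT load, the
    light-load situation the article describes."""
    return fixed_frac * rating_kw > it_load_kw


def load_sweep(rating_kw, fractions=(0.1, 0.3, 0.5, 0.8, 1.0), **kw):
    """Per-kW cost for one fixed rating at several utilisation levels."""
    return {f: round(annual_cost_per_it_kw(rating_kw, f * rating_kw, **kw), 2)
            for f in fractions}


if __name__ == "__main__":
    rating, load = 100.0, 30.0  # assumed: a 100 kW DCPI system carrying 30 kW of IT
    print("cost per IT kW, oversized:   $%.0f/yr" % annual_cost_per_it_kw(rating, load))
    print("cost per IT kW, right-sized: $%.0f/yr" % annual_cost_per_it_kw(load, load))
    print("saving from right-sizing:    %.0f%%" % (100 * right_sizing_savings(rating, load)))
    print("fixed losses exceed IT load at 10 kW?", fixed_losses_exceed_it_load(rating, 10.0))
    for frac, cost in load_sweep(rating).items():
        print("  %3.0f%% load -> $%.0f per IT kW per year" % (100 * frac, cost))
```

Under these assumed coefficients the 100 kW system at 30% load costs $1,533 per IT kW per year and right-sizing to 30 kW brings it to $1,226, a 20% saving; at 10% load the fixed losses (15 kW) already exceed the IT load (10 kW). Swap in measured no-load and proportional losses for your own UPS and cooling plant, which the article notes cannot be read off the vendor specification sheet, to get numbers that mean something for a real site.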

DATA CENTER CORNER | CUSTOM PUBLISHING


A Technology Leader: Prashun Dutta, CIO, Tata Power, has what it takes to be a true tech leader

COVER STORY | THE TRANSFORMER

By Atanu Kumar Das | Design: Shokeen Saifi | Imaging: Anil T & Haridas Balan | Photos: Jiten Gandhi

In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT by transforming business processes.

Inside
Man with a Vision (page 28)
“Prashun's style is truly democratic” (page 34)
“Dutta is a great boss to work with” (page 36)


Man with a Vision

Prashun Dutta, CIO, Tata Power, has been associated with IT for almost two decades. His appreciation of business realities has always helped him use IT in transforming the way his organisations work


Prashun Dutta, CIO, Tata Power, boasts of a career span that many would envy. An Electrical Engineer from Banaras Hindu University, with a post graduation in Industrial Engineering from the National Productivity Council (NPC) and a fellowship from IIM Calcutta, Dutta wanted to be anything but an IT professional. Starting his career with the NPC, Dutta soon realised the importance of adding value to his qualification. After completing three years at NPC, he decided to pursue a fellowship programme at IIM Calcutta. Armed with the fellowship, Dutta joined TCS in 1985.

Going down memory lane, Dutta recalls, “My journey from management consultancy to IT is rather interesting as I never wanted to be in IT. When I was in TCS, I made a conscious decision to stay away from IT because IT those days was all about programming and I used to detest it.”

“Many of my colleagues would advise me to take up IT because in those days that was the best way to land a foreign posting. But I was very happy with management consultancy as it allowed me to think, analyse and come up with solutions that would eventually help the company to grow. I worked in TCS for almost 10 years and then moved to Reliance,” he says.

During the selection interview at Reliance, Dutta specifically asked not to be assigned a role involving IT. However, fate had something else in store for him. In September 1994, Dutta joined Reliance in the polyester business and within two months was handed the responsibility of IT for that business. There was nobody heading IT at that point in time and, coming from TCS, Dutta had a better understanding of IT.

Dutta took up the job reluctantly. During that tenure, he successfully implemented several IT projects that earned him accolades.

“Even though I was not hands-on with IT, my understanding of it was pretty good. The polyester business of Reliance is large and there was plenty to do. I started off with one thought in mind: let me try and do new things using IT in a way which would ensure better productivity for the organisation,” he says.

In the first couple of months, whatever Dutta touched turned to gold. An IT manager did join Dutta's department, but he left soon after, leaving Dutta with no option but to manage IT for the long term at Reliance.


Some unknown facts
Favourite Book: Autobiography of a Yogi, Paramahansa Yogananda
Favourite Authors: Rabindranath Tagore, Charles Dickens, George Bernard Shaw, Fritjof Capra
Favourite Wheels: BMW, Mercedes
Favourite Movie: One Flew Over the Cuckoo’s Nest
Favourite Sports: Badminton, Lawn Tennis, Table Tennis
Favourite Music: Hindi, Bengali and English songs of the 1960s and 1970s
How do you spend free time: Reading and listening to music
How do you balance work and life: Never take work home
If not a CIO, what would you be: I would be associated with either Economics, Sociology or History


“I have always taken challenges hands-on and in fact I love to be in a situation where there appears to be no way out. It makes me think and come up with solutions that nobody could perceive would be possible. The BSES project was one of the high points in my career. I had no prior knowledge of IT systems in distribution but still came up with a road map which was truly world-class.”

Dutta carried these learnings (of starting from scratch and building world-class systems) with him when he later worked on Reliance Infra's Metro Rail and Roads businesses.

Coming out with flying colours from a sticky situation is the mark of a leader, a characteristic that Dutta has exhibited throughout his career.

The Democratic Manager
When it comes to managing a team, leaders instil confidence in their team members, bestow trust in them and give them work that is not only tough but also challenges their ability.

“I believe in delegating work to my juniors and pushing the work down. I always encourage my people to do things and I tend not to be aggressive. This may mean that I have to be patient with my team but that is the way I get the work done,” says Dutta.

“I also tend to give people different types of exposure. For example, if the position of a project manager is vacant in a particular project, I tend to push a person from my team who has not yet taken the position of a project manager to lead that project. The person may be reluctant to take up the job but I give him the confidence that I am with him and he doesn't have to worry if he does commit any mistakes. For instance, one of my colleagues who was responsible for IT infrastructure was made responsible for IT for the Roads business, which was a much larger canvas to work upon. I always ensure that I handle the top management, create an ambience congenial for working and manage the same effectively,” he says.

High Points, Low Points
In a career of more than three decades, Dutta has had numerous high points and some low points. One of the most memorable moments of Dutta's career was when he was associated with TCS. “Mid-way through one of the largest management consulting projects, the client was extremely unhappy and was expressing his displeasure in a rather brazen manner, creating a host of problems, and it was getting increasingly difficult to make any progress on the project. The overbearing client was not only unhappy but had intimidated the entire team,” says Dutta. Brought in as a consultant, Dutta volunteered to get the project done and asked for a month's time to salvage the situation.

“Even though I was not directly involved in the project, I volunteered, seeing the discomfiture of the team members to face the situation. I had the confidence of getting the project done,” he says.

"Exactly after a month of working on the project, we had to give the client a 'make-or-break' presentation. I remember, we started the presentation at 10.30 in the morning and the presentation went on till 7 pm and at the end of the day the client was so happy that he gave us two more projects which were much bigger than the current one," recalls Dutta.

“I really felt very good, not because I did the project but because I had the confidence in me to take up what seemed a very difficult task and make a marked difference to what was an explosive situation,” reflects Dutta.

The Toughest Moments
In 1998, Reliance decided to go in for SAP implementation. Dutta was assigned to integrate the sales and distribution of 15 different products, each with its peculiar market nuance, within the ERP solution. Dutta feels that working on the project ignited an interest in IT. The project made him understand the real power of IT and how IT could transform business.

“From being totally averse to computer programming, here at Reliance I was doing something which was totally different. It was undoubtedly the biggest and most complex SAP project at that time. We had to accommodate the differences in the various products within an overall framework laid out for the organisation,” he recalls.

Dutta overcame the challenges (in the form of diverse products) by close and intimate interactions with end-users and real-time collaboration amongst his team members.

Another interesting project that Dutta recalls was the integration of BSES's distribution network with that of Reliance.

BSES was taken over by Reliance. Utilisation of IT in the distribution business throughout the country was marginal and primitive. BSES had a computerised billing system and a few customer-facing applications, while the entire work of operations and maintenance was executed manually. There was, obviously, enormous scope for IT enablement and, with the support of the top management of Reliance, Dutta prepared a detailed road map for the distribution business.

“The road map covered the entire gamut of activities in the distribution business and its integration with existing operations technology. The plan provided a platform for knowledge management, training, collaboration and communication,” avers Dutta.

A foreign consultancy firm, engaged by Reliance at that stage, assessed the road map in the light of their extensive experience and commented that, if implemented fully, this would be a really world-class system for the distribution business.

“The road map now stands implemented and has emerged as a de facto standard for the distribution business in the country,” he says.

Dutta feels he delivers his best in the toughest situations.

Some achievements
1998-2000: One of the biggest SAP implementations in India, for 15 distinct products of Reliance, each having its own market nuances
2003-05: Integration of BSES business after Reliance took over the company
2005-06: Implementation of GIS in Reliance for the Distribution Business
2007-08: Power Generation project for Reliance
2009-11: Metro plus Road project for Reliance

In terms of low points, Dutta remembers when one of the projects he was involved in was done in a hurry. As a result, there were glitches in the project, which eventually meant that the project had to be partially redone at a cost to the company.

Dutta learnt an important lesson from this, which was the need for greater involvement at the lower levels, something that he had not focused on. “Everybody involved in the project had missed spotting the error, and it eventually led to costs for the company. But the management was very supportive as they had seen my team perform exceptionally well in other circumstances. But I still consider this as one of the low points of my career,” says Dutta.

Lessons learned
On the important learnings that made him a better professional, Dutta remembers when he was working with Reliance in 1995 and was asked by his boss to get in touch with a client on an urgent basis. When Dutta tried to contact him, he found out that the person was in the US and would be back only after a week. When Dutta apprised his boss of the situation, the boss asked Dutta, “Are there no phones in the US?” During those times, companies did not allow employees to make STD calls, let alone ISD calls. This one line changed the way Dutta perceived things. He realised immediately that if a task has to be performed, it has to be performed. One has just to figure out how, and not why the task cannot be done. Eventually, they did get in touch with the client in the US and got the work done.

“This incident changed me as a person and how I viewed things. From that moment, I started to look for solutions to solve problems rather than taking problems to the management,” says Dutta.

Another learning that Dutta carried through his career was the ability to think big to achieve something big.

“Once we needed leased lines in Reliance and I ordered two leased lines. My boss called me up and asked why I had ordered two leased lines and I explained it to him. He then asked me why I didn't order four leased lines and constrained myself to only two. At that moment I realised that I had been focussing more on costs than was perhaps necessary rather than on things which would enable me to help the business to grow. This is also a very important learning,” sums up Dutta.

Being a successful leader
Dutta feels that to be a successful leader one has to have the vision about where he wants the company to be in a specific time frame. “To be a good leader one has to have a holistic vision of the future. The vision need not be large as it is the picture that will make the vision large. A good leader must demonstrate confidence and needs to delegate work and should have the ability to lead from the front. A successful leader should have the ability to handle tough moments and should also have the ability to take the beatings, be it from the top or from the juniors,” he says. According to Dutta, a leader should always be fair and should not give undue advantage to anybody. He should have credibility and should be above controversy. Another important trait for leadership is to be articulate and be a good listener. “There should be multiple channels which should be open to a leader from where he gets to know about numerous things, but he should not be judgmental and should have the ability to make decisions based on his own thinking,” says Dutta.

“A leader should build consensus for any major issue and should have the ability to tell his team if he doesn't know something. If you are the boss, you are not god. There will be times when you may not know a certain thing and if you share that with your team, it makes you more humane and the respect only grows with such interactions,” he says.

In his present role at Tata Power, the highest priority Dutta accords is to ensure a much higher level of penetration and usage of IT at all levels, coupled with intelligent integration of operations and information technology. His overall vision is to ensure that IT is the first port of call for all decision makers within the organisation.

On the changing role of the CIO, he says, “The role of the CIO is definitely changing and far transcending IT, going on to be a catalyst's role in technology-enabling any organisation. Leadership, in that context, would imply carrying people, not only the IT team but large chunks of the business personnel as well.”

What is in store for the future
Dutta feels that five years down the line, he will be busy spreading the vision of holistic thinking, be it through lectures, articles or any other medium.

“I would like to work for another two to four years and then get involved with spreading the message of holistic thinking. I am an avid believer in holistic thinking and I would like to spread it to different avenues,” says Dutta.


Rajeev Bhadauria is the head of HR at Reliance Infra. He has worked with Prashun Dutta for more than nine years. Bhadauria speaks to Atanu Kumar Das on what makes Dutta an efficient leader and a charming personality.

“Prashun’s style is truly democratic”

How do you see Prashun Dutta as a person?

Prashun is a true embodiment of modality. He is a very modern person and has a scientific temper. He is a very learned person and is very intellectual. Whenever you have a conversation with him, you understand the kind of knowledge he has on varied subjects and people are mesmerised by that. I have been associated with him at Reliance Infra for nine years and we have had several discussions where I got to learn a lot from him.

Rajeev Bhadauria | Director (HR), Jindal Steel Pvt Ltd

What is Dutta's style of working?

I must say that his style of working is very versatile and he encourages participation. He has always ensured that his team gets involved in each and every project and he takes inputs from every individual. I would say that his style of working is very democratic and this makes him different from any other boss. People can approach him without any inhibition and this quality is very important to have when one wants to lead from the front.

How do you rate him on the leadership scale?

On a scale of 10, I would rate him at seven or eight. If we talk about the professional front, he has so much knowledge to share that anybody would love to have a discussion with him to know more. On the personal front, he brings in a lot of joy and motivation, which are very important traits. He can transform the way people work and he has put IT to the best use at Reliance, and everybody lauds him for his efforts in the company. He is very creative and has out-of-the-box thinking. Another important thing about Prashun is that he doesn't carry baggage and can react positively to any situation that comes in front of him.

What are the things that you have learned from Dutta?

I have learned the concept of holistic thinking from Prashun. He really understands how to define a vision for life and he has made me understand it by giving numerous examples. He knows the difference between the forest and the trees and he ensures that he transfers his knowledge to the next generation.

Any other things you would like to share about him?

Prashun sings very well and is an avid sportsperson. He likes to play badminton and is also associated with table tennis and lawn tennis. Moreover, nowadays he has started going to the gym regularly and I was one of the guys who forced him to do so. In my eyes, Prashun is a true Bengali bhadralok.


Shripad Zare is presently working with Prashun at Tata Power. In an interaction with Atanu Kumar Das, Zare discusses the value add that Dutta brings to the table and how he is transforming business at Tata Power

“Dutta is a Great Boss to Work With”

Shripad Zare | Head-MIS and Process Automation, Corp IT, Tata Power

Prashun has recently joined Tata Power. How has your association been with him in the last six to seven months?

In the last six to seven months, a plethora of changes have been initiated by him in the Information & Communication Technology (ICT) area. He has initiated key strategies and structural changes for creating a business focus. To facilitate closer interaction and collaboration he has assigned dedicated account managers and delivery teams to enable propagation of ICT in Tata Power. Prashun believes in inclusive growth in ICT and that is what is getting practised in Tata Power since he joined. He believes that ICT is not something which is different from business. He believes that the key to transforming the business lies in bringing more and more areas not covered hitherto under the ambit of ICT systems, thereby enhancing the penetration of systems in business. Thus most of the data, information and knowledge becomes available through ICT systems, thereby making them “the first port of call” for business users.

What are the new things that are being implemented in Tata Power?

Enhancing existing and bringing new processes around ICT systems across the enterprise to handle both structured and unstructured data is the major thrust. State of the art ICT systems are being selected for the purpose. Extending ICT infrastructure to the next level of maturity to ensure high availability and ease of operation continues to be another major focus area. Consolidation and integration of technologies and ICT systems to ensure long term sustainability continues to be a priority agenda.

How is Dutta as a boss?

Prashun is a person who is not prejudiced, a good listener and open to learning. He is very friendly and approachable. He brings in such rich experience (both professional and academic) to the company that there is a lot to learn from him. He is a great mentor, not just on professional issues but on varied topics. He encourages everybody to do their bit, thus improving the team work. In our short association I have learnt that to be a good boss, one needs to be patient and confident about his team.


SPECIAL LEADERSHIP SECTION

“Earn your leadership every day.”—Michael Jordan


INTRODUCTION

CIO&LEADER This special section on leadership has been designed keeping in mind the evolving role of CIOs. The objective is to provide an eclectic mix of leadership articles and opinions from top consultants and gurus as well as to create a platform for peer learning. Here is a brief description of each sub-section that will give you an idea of what to expect each month from CIO&Leader:

Leading Edge: An opinion piece on leadership penned by leadership gurus. Plus, an insightful article from a leading consulting firm

My Story: The article/interview will track the leadership journey of a CIO/CXO to the top. It will also provide insights into how top leaders think about leadership

Top Down: This feature focusses on how CIOs run IT organisations in their company as if they were CEOs. It will comment on whether IT should have a separate P&L, expectation management of different LoB heads, HR policies within IT, operational issues, etc. This section will provide insights into the challenges of putting a price on IT services, issues of changing user mindset, squeezing more value out of IT, justifying RoI on IT, attracting and retaining talent, and competing against external vendors

Me & My Mentee: Cross-leveraging our strong traction in the IT Manager community, this section will have interviews/features about IT Managers and CIOs talking about their expectations, working styles and aspirations. In this section, a Mentor and a Mentee will identify each other’s strengths and weaknesses, opine on each other’s style of functioning, discuss the biggest lessons learnt from each other, and talk about memorable projects and shared interests

The Best Advice I Ever Got: Featuring a top CIO/Technology Company Head and the best guidance/recommendation he received with respect to his personal or professional growth. The advice could relate to dealing with people, managing personal finance, and balancing work and life

Shelf Life: A one-page review of a book on leadership


Top Down | Max Gabriel, Senior VP and CTO, Pearson India

IT in Education
Max Gabriel, Senior VP and CTO, Pearson India, believes that digitising content will go a long way in helping the education sector

One of the biggest challenges facing the education industry today is digitising the content and making it available for educational purposes. Pearson, one of the largest and oldest educational publishers globally, is now working towards digitising most of the content that will be useful for educational institutes in India. When I came to India about a year back, I had a clear mandate that we need to use IT to the fullest so that it can benefit the schooling fraternity in the country. We have recently tied up with Micromax and are offering useful educational content on tablets to many educational institutes in the country. We have already covered 15,000 schools and the number is only going to increase in the coming years.

Learning today has become very social and teachers are using many social mediums to educate the students. Pearson also wants to cash in on this and invest more time and create tools that can help students to interact with the educational fraternity and get the most out of it. I have been working with the IT team to develop the necessary tools that would enable us to tap the varied schooling environment in the country. The education market in India is huge and we would witness more digitisation in the coming years, and Pearson is gearing up to meet the challenges. My prerogative at Pearson is to ensure that I provide the right IT infrastructure for the organisation.

In the last 12 months I have done a lot of travelling to understand the needs of the schools in the country and help develop tools which can be readily used by the educational institutes.

Another important factor which I notice is that since we have so much to do, we always need to be focussed, otherwise we will end up doing things which are not required. As a CIO I always believe that we should identify the things that are not important, as this would help us in only doing those things which would yield results in the future.

I am hopeful that in the coming years there will be lots of challenges that we would be facing and I am all geared up to tap this ever growing education market in the country. — As told to Atanu Kumar Das


My Story | Ashish Pachory

No Room for Error for Today’s CIOs

In an interaction with Atanu Kumar Das, Ashish Pachory, CIO, Tata Teleservices, shares his perspective on various aspects of becoming a successful CIO

Ashish Pachory is the Chief Information Officer at Tata Teleservices. Pachory has extensive experience in aligning IT solutions to an enterprise's business needs.

As a CIO, how have you ensured that IT acts as a profit making department for the organisation?

I began by defining a clear statement of purpose, which was simply this: IT exists to make the business succeed. Period. If this is demonstrated in the day-to-day behaviour of the entire IT workforce, you have already taken a major first step towards integration of IT with business. A major part of the difficulty in settling down into a senior role is overcoming perceptions built about you. This gets compounded if you try to establish yourself by asserting your superiority. I was always keen to learn from everyone, regardless of their function or level in the organization. I also never had a problem about consulting much younger colleagues about a problem I was grappling with, even if it was not in their function or domain. I do not believe that only seniority and experience bestow wisdom. This has helped me not just to build knowledge but also in bonding with people.

What traits do you look for in a leader?

It may sound bookish, but the one trait that leaders, CIO or not, must have is a burning passion to achieve their mission. No one wants to work for, or with, a listless leader. I discovered early that in the CIO role it’s not so much about what I do, but what I inspire. Being passionate about your goals is the best form of inspiration you can provide. I was very conscious of this right from the start and am very proud today to have a very energised team, driven by extraordinary commitment. It always works from the top down.

It was also imperative to achieve strong integration with the business, given that IT plays such a key role in enabling business processes and influencing business outcomes. This led me to derive the goals and priorities for the IT leadership team directly from the business goals. Next, we regularly share with business where we are through a set of business-facing metrics and are perfectly flexible in our processes to adapt to a changing business climate. The IT leadership team is measured – among other things – on the time they spend with the business teams, including joining the teams in meetings with end-customers. This helps us attain a common perspective and a first-hand feel of the pain points that can then be ingrained better into the IT strategy and delivery methodology.

What motivates you on a day-to-day basis?

At Tata Teleservices, the core IT team is not a very large team. It was therefore not difficult for me to make sure that every person in the team is an empowered stakeholder in the business outcome. This in itself becomes a very strong motivator that keeps the team energized and focused. And I know it works, because I have the same involvement and empowerment from my superiors in the company, and it makes me feel very good about what I do.


What has been the biggest challenge for you professionally?

My big challenge professionally was to find my bearings while making a tough transition. I had to hit the ground running with zero margin for error. It cannot be described as one single incident. Each day came with its ‘incidents’, and every such incident posed threats. There were mistakes made and lessons learnt – as it continues to happen even today. But looking back, this also made me fuller and richer in experience, and better prepared to handle the future.

My advice to aspiring CIOs would be to expand their horizons beyond technology. It is not easy as that’s our comfort zone with most of our lives spent in it. It is important to relate to people, feel their pain and be a trustworthy partner in their own missions. Technology is just a tool to sculpt your masterpiece, not the masterpiece itself.

Any word of advice you have for CIOs?

As a final word, I would like to assert my belief that the present is the best time ever to be a CIO. Look around yourself. There is so much riding on technology, particularly information technology. Hence as CIO you can play a very constructive role in shaping the future of your business as well as the larger community. I find that to be a great feeling, and it’s what keeps me going.

5 Points

1. Achieve strong integration between IT and business
2. A CIO should have a burning passion to achieve his mission
3. Every person in the team should be an empowered stakeholder in the business outcome
4. A CIO should begin any project with a clear statement of purpose
5. A CIO can play a constructive role in shaping the future of business as well as the larger community

Leading Edge

Elevating Tech on the Boardroom Agenda

Boards are starting to guide management by asking the right questions about technology

By Michael Bloch, Brad Brown, and Johnson Sikes

Businesses are becoming increasingly digital, and it’s not just a matter of process automation or resource-planning systems. Technology trends such as big data, cloud computing, mobility, and social media are giving rise to new marketing and operational capabilities. Indeed, technology has become too embedded in the fabric of the business—and too critical for competitive performance—to be left to the IT function alone.

As a result, many senior-executive teams have been called upon to get involved in technology issues. Boards are also beginning to take a strategic view of how technology trends are shaping their companies’ future. More boards than ever before are asking questions that ensure executives focus on the right issues. Deeper board involvement is also serving as a mechanism to cut through company politics and achieve endorsement of larger, integrated technology investments.

The value at stake from getting technology right is typically quite large. Recent research indicates that about half of M&A synergies depend on IT, which makes it a core driver of deal success.[1] The risk of cyberattacks is another area that can directly affect both operations and the broader brand or business reputation. In fact, some boards are beginning to direct their risk committees to oversee cybersecurity issues.[2]

There are also many other competitive opportunities and threats that are driven by technology trends, such as new entrants causing industry disruptions with radically different cost structures or game-changing innovations. What’s more, major corporate investments or transformations, such as supply-chain or operating-model transformations, often have a major IT component that can imperil delivery if anything goes wrong.

A constructive IT role for boards

It’s not surprising that many corporate directors and senior executives would like boards to have a more frequent and more constructive role in IT strategy. In a McKinsey survey of corporate directors, more than half said their boards had one technology-related discussion a year or none at all. Almost half of the survey respondents indicated that this level of attention was insufficient (Exhibit 1). Moreover, a separate McKinsey survey of executives suggested a significant gap exists between the conversations their boards ideally should be having and the ones the boards actually were having. For example, more than half of the respondents said their boards should discuss forward-looking views of technology’s impact on their companies’ industries. Less than 30 percent reported that their boards had these discussions (Exhibit 2).

Given the importance of technology, many companies are considering a more structured approach to board engagement. In our experience, this involves new forums, new thinking about board organization and about interfaces with management, and, when needed, an infusion of talent so that the board includes people with better knowledge of technology.

How CIOs can raise their board game

Indeed, some national governance bodies agree. South Africa’s code of company governance, for instance, now mandates regular interactions between boards and executive management on technology topics,[3] making the country one of the most advanced in this regard.

Boards can take a number of measures to engage management on technology issues:

Sponsor periodic reviews of technology’s long-term role in the industry. Some boards are taking responsibility for the big picture by engaging in forward-looking conversations about how technology affects the industry and what the implications are for their companies. Some companies may have a CIO or other senior executive who can facilitate such a discussion. Those that don’t, and those that prefer an outside view, involve external experts who can help generate a discussion about technology trends and topics that can inform current and future strategies. Given the rapid pace of change, such big-picture discussions should take place every 12 to 18 months—or more frequently if necessary.

The CIO of one financial institution, for example, requested substantial investment to modernize legacy software platforms and develop new capabilities in advanced risk analytics across the business. In response, the board looked for an outside perspective and arranged a presentation and discussion rooted in the company’s industry context. The presentation, which looked at recent trends, found that while a new type of player—large, highly tech-enabled and data-driven companies—was emerging in the commercial market, there would still be room for a sizable number of smaller players with varying technology capabilities. The presentation also highlighted leading practices applied by other companies and drew on developments from other sectors in using data and analytics to improve customer segmentation and risk assessment. By engaging the board with these perspectives and then discussing the implications, the company gained a better understanding of its business-technology gaps and the investments that would be required to close the most critical gaps. As a result, the CIO received funding for substantial expenditures in the next corporate-investment cycle.

Establish board reviews of the IT portfolio and major projects. Some boards are also beginning to introduce an annual “state of the union” report on the company’s wide-ranging IT capabilities and infrastructure and how they support corporate strategy and operations. This is essentially a review of the entire IT portfolio’s alignment with corporate and business unit strategy, focusing on major IT systems and components. These often include core business systems (for example, enterprise resource planning, customer relationship management, and industry-specific systems), as well as the company’s IT operating model and resource strategy. The review should also look at ongoing issues and projects, like cybersecurity and major transformational efforts, which often have a substantial IT component. Moreover, the review should include discussion about IT talent and CIO succession plans. For greatest impact, this report should feature joint presentations by IT executives and corporate and business-unit managers. Boards also need to more frequently review major business projects that have a significant technology component. One company, for example, is rolling out a massive systems-transformation project, estimated to cost several hundred million dollars and representing the company’s largest investment over a five- to ten-year period. Given the importance of this effort, the board conducts regular progress reviews with the project leader, who is supported at these reviews by the CIO and the head of the business area.

Leverage technology-savvy board members. Greater board involvement in technology matters means that corporate directors, just like CIOs, have to raise their game. Many more boards are seeking to better understand technology issues and their business implications than they have in the past. For boards that are lacking in this regard, there are ways to build the expertise that will enable them to have constructive dialogues with IT.

One approach is to bring on, over time, more board members with technology backgrounds who can help start these conversations more organically during the course of board meetings. A recent report from Spencer Stuart[4] indicated that 20 percent of boards are actively looking for directors who have this expertise. Finding the right board member can pay significant dividends. This is borne out by survey results (Exhibit 3) and our client experience.

Some boards are also considering their own “technology boot camp” training sessions, much like the risk or accounting training that some boards conduct for committee members. Although this will not turn board members into experts, it would give them a chance to become familiar with the core issues.

Strengthen the technology governance structure. While boards often need to improve their technology expertise, there are also structural steps that can make them more effective stewards. One is to create a technology-focused committee to ensure more frequent and directed discussions on these topics. Twenty-two percent of survey respondents reported that their companies’ boards had a committee responsible for technology oversight. It is important to remember, however, that delegating this work to a committee does not relieve the full board of broader responsibilities, such as discussing technology trends.

Another way to strengthen technology governance is to delegate risk-related technology issues to the board committee that oversees company risk. Many boards already consider some technology topics in their audit reviews. However, they could expand oversight to conduct risk reviews of systems and review the operational risk from business processes dependent on those systems. They could also review how company data are used and how these data are safeguarded, as well as discuss concerns about broader cybersecurity issues.

A UK group has tasked its board’s audit committee with overseeing technology risks. The group COO reports regularly to this committee. In addition, the audit committee regularly asks the company’s internal audit department to examine the IT-security strategy and report on its findings. The committee then mandates the group COO to report on the measures being taken to fill existing gaps.

Technology is becoming increasingly important to corporate strategy, and boards have a crucial role to play as trusted advisers. That means engaging continuously in discussions about technology trends and the company’s technology portfolio, as well as building the expertise of corporate directors and creating structures that strengthen IT governance. Now is the time to act.

Michael Bloch is a director in McKinsey’s Tel Aviv office; Brad Brown is a director in the New York office, where Johnson Sikes is a consultant.

Exhibit: Board priorities appear to be misaligned. Chart comparing “Ideal” and “Current” responses to the question: What technology- or IT-related issues, if any, are the most important ones addressed by your organization’s board of directors? Categories: forward-looking discussion of how technology will affect your industry; approval or review of very large IT projects; yearly discussion on how IT enables broader business strategy; security- and risk-related issues; IT talent, succession, and mentoring; the board does not address technology or IT issues; don’t know. Source: Dec 2011 McKinsey survey of executives; % of respondents, n = 927.


Me & My Mentee

Mentoring is About Leading by Example

Mentor: Anoop Handa, Executive VP/CIO, Fullerton India

Mentee: Karandeep Singh, Director - IT Management, Aon Hewitt

What exactly is mentoring?

Anoop Handa: Mentoring is about the mentor’s ability to demonstrate himself what he desires from the mentee. The mentor should be able to do what he preaches, otherwise the mentor-mentee relationship would not be sustainable.

The mentee should look upon you as a role model, only then will he take your feedback seriously. In his actions, work habits and daily behavior, the mentor should act as a role model for the skills he wants the mentee to imbibe. If the mentor is not demonstrating an experience which he wants the mentee to learn, then this process won’t be successful.

Secondly, the talking part is also important. The mentor should have an ongoing dialogue with the mentee on where he wants to excel and how. One can’t leave everything to the practical aspect with the assumption that the mentee will learn with experience. The talking part has to be in combination with action.

But how does a mentor apply this rhetoric in practicality? I firmly believe he should keep a select group of employees (also mentees) with him when he is dealing with important stakeholders. This can be even if those employees have no direct correlation with the stakeholders. The mentee’s physical presence when the mentor (read CIO) is having a conversation with the vendors and supervisors will help him pick up the skills of how to discuss contractuals, pricing negotiations etc.

Karandeep Singh: Talking is not mentoring; mentor-mentee is a guru-shishya kind of a relationship. It’s about the hands-on learning that you get in an office environment. At best, the mentor should trust the mentee about the successful completion of the assignments. The trust in the mentee should be to such an extent that he takes it for granted that the job will be done.

There are two types of reporting structures. One is restricted to doing live reporting in terms of what’s going on. The conventional one. The other relationship is of a different kind. It’s about a professional approach, but more about how two colleagues gel with each other and work together as a team for the growth of the organisation and of the two individuals involved. This is truly a mentor-mentee relationship. Mentoring is also about the charisma that the mentor carries with him. His persona makes employees follow him.

It also depends on the mentee. In my experience, the mentor would be interested in providing guidance, but how you take things from him is a different situation for everybody. Leaders are everywhere and they like people to learn from them. But it is also on the mentee to catch the learnings on his side.

What are your expectations from the mentee/mentor?

Anoop Handa: The readiness of the mentee to learn and accept feedback is the primary expectation. The CIO has to identify employees in the team who accept and are open to feedback - positive or a consultative approach directing the mentee to work on areas of improvement. There are certain team members who are not comfortable about the feedback-exchange concept altogether.

Karandeep Singh: The mentor should be a guide for your life. It can be about office-related or out-of-office matters. The decision taken by the mentee can be against the opinion of the mentor, but he should always be ready to guide and give his version of the situation.

How would you explain the working style of your mentor, Anoop Handa?

Karandeep Singh: He keenly listens to and understands what you are trying to do and communicate. After careful questioning, he will reach the moot point and then arrive at a logical conclusion. It can be about a professional or a personal issue. Apart from IT and other cross-functional teams, he keeps a good connect with the business leadership team too.

As far as project work is concerned, he owns up and delegates responsibilities end to end and avoids any interference in the daily execution. He allows the mentee to take the lead and execute the task with his individual approach. Having said that, he will also ensure that, at any point of time in the execution stage, the situation is not going out of hand.

Another unique part of his working style is sending proactive updates to the business. As an owner of the project he will make it a point to keep the business updated about the progress of the project at regular intervals and as per the requirement. Thus the business leadership appreciates his presence because he is the only person who would proactively send the updates to the business on what’s happening to the organisation on the IT front, what the next steps are and the timelines we are approaching, without anybody asking him for it.

This is the reason why the IT department is in the limelight, because the business is aware about what’s happening in our department. So, it’s not only about updating on the progress but also about completing the task given. His work speaks for itself.

Tell us about the experience of working on common projects?

Karandeep Singh: Within office, we jointly worked on setting up the entire datacenter. It was a three-month project. Additionally, establishing the call centre, CRM, sales force automation and integrating them to work seamlessly was a major challenge that we overturned.

Anoop would listen to the issues faced on integration and try to decipher the root cause. When needed, he also brought the vendor into the dialogue with the internal IT team and solved the issues. He aptly took the responsibility and resolved the problem in collaboration with us and the vendors.

Anoop gave me the opportunity to represent the IT department and do the reporting in front of the top management about the ongoing and future activities. By doing this, his objective was to prepare the next line of IT leadership. One more trait of his that I highly admire is he always attributes the achievements to a person and accordingly acknowledges them in front of the CXOs at regular gatherings, meetings etc. For e.g., this person solved the nagging issue during the datacenter set-up, or he was the one who should be credited for the successful completion of the XYZ project.

On the personal front, he used to hear our side of the story and always suggest how his approach would have been had he been in our position. Still, he would ask us to take our independent decision.

Where do you want your mentee to be and what are your aspirations about the career growth path of the mentee?

Anoop Handa: Link him to the succession plan. You have to leave a successor. It helps both. In terms of people whom you are mentoring, they get the opportunity to grow and the CIO can also move forward in accepting bigger responsibilities.

How to identify the strengths and weaknesses of your mentee?

Anoop Handa: I think the constant contact with the team, the keenness to observe, and the day-to-day experiences while he is working on a project, issue, challenge, strategic footprint etc. go a long way in identifying the strengths and weaknesses.

The CIO has to observe where he is excelling, in which areas does he require coaching. I believe the day to day observations are important.

It’s not only about what he is doing but how he is doing it. The moment you focus on the ‘how’, you can easily find out where he is lacking.

Karandeep was a very good technical resource. After doing all the ground work and research, he will find out the best possible solution from the market. What I found lacking in him was the ability to connect the technical knowledge with business implications and present & showcase the technology project proposals to the top management from a business parlance. The presentation skills, being in front of the senior team and asking for proposal approvals, based on the ground work was a kind of an improvement area.

In many instances, he came back not getting a go-ahead for certain projects that he proposed. Also, the CFO always wanted me to accompany him for meetings. They felt he was not comfortable discussing the financial aspects or strategic initiatives. Even Karandeep suggested I accompany him to the meeting because he knew I could plug the gap where he lacked. I recommended him to go alone and, if the need arose, I would join in.

I asked him to focus on learning about the business benefits from a particular IT project, to understand the RoI, TCO fundamentals and present it before the CFO.

Over a period of time, these incidents started reducing. He was really elated when he got the first project approval from the management single-handedly. In this instance he proved the financials and rationale for managing the internal email to be handled internally with the domestic infrastructure rather than on a cloud model, with the amount of users we have and also the kind of business we are in.

Thus now, if I look back from when he joined, he has graduated his thought process linking technology with business. He is in a position to make a business case about a technology project and also prove the financials in RoI, TCO terms and get it sanctioned. This has been possible due to his enhanced understanding of the business – technology linkage.

The Best Advice I Ever Got

“Never Give Up on Anyone”

Vishwajeet Singh, CIO, Epitome Travel Solutions

There have been numerous pieces of advice that we receive from different quarters of life, but some advice sticks with us through our lifetime. One such piece of advice that changed the way I perceived things is from my previous boss, when he said “never give up on anybody.” Let me share the experience which I had a couple of years back. There was one employee in the organisation who was not performing and I was fed up with him, and I thought that there is no way I can keep this employee in the organisation, and I had made up my mind to sack this employee.

I went to the CEO of the company and said that I would like to sack an employee from my department as he was not performing, and in this way I will also save some cost for the company.

The reaction of the CEO took me by surprise. He asked me how I would feel if the CEO wanted to sack me as an employee. I had never thought of that kind of reaction from my boss and I said that I would definitely feel bad.

The CEO then explained to me that when we hire an employee it is our job to ensure that we get the best out of him/her. Every employee can give his share of expertise to the company, and as a mentor and leader we should have the capacity to extract the best from the employee.

I then realised that it is imperative for a leader to show true leadership quality and not give up on somebody, and try and understand that employee who is not being able to perform and come up with ways where he/she can give his best to the company.

This experience really changed me as a person, and I went back to my desk and started to think about what the CEO had just told me. From that day onwards I started to look at handling manpower in a different way, and I used to come up with innovative approaches that would excite my team to work to their potential.

If somebody was having any problem in performing, I would spend more time with that person and try and understand what problem that person is facing.

As the head of a particular department, it is our duty to ensure that every employee has a convenient environment to give his best, and I started to ensure that in my work life.

I am glad about what the CEO told me that day, because that has made me a better person and has enabled me to think from a different perspective and try and understand the problems of others.

We should not run from the problem but try and come up with solutions, even if that means going that extra mile to achieve it.


David Lim | Opinion

Common Negotiating Mistakes: Losing Thousands on the Bargaining Table

About the author: David Lim, Founder, Everest Motivation Team, is a leadership and negotiation coach, best-selling author and two-time Mt Everest expedition leader. He can be reached at his blog http://theasiannegotiator.wordpress.com, or [email protected]

One of the quickest and best ways to increase your negotiating ability is to eliminate the common errors made by many of the most experienced negotiators. An examination and constant review of the common errors listed here will help you eliminate these errors from your negotiating style and help make you a more effective negotiator in Asia.

1. Underestimating your own power or strength in a negotiation

Because of the complexity of most negotiations and the many factors which affect power in a negotiation, studies have indicated that most negotiators tend to underestimate their own power in a negotiation. You are aware of the limits to your power in a given negotiation situation, but are often unaware of the limits to the power of the other party. There is a consistent tendency to underestimate your own power in a negotiation. In that sense, if you come from a non-Asian culture which insists on things being said all the time, you may miss calibrating the other side’s nuances. A Japanese executive may say “this will be a bit difficult” when he actually means “this is not going to happen at all”. Sometimes silence after a preliminary position is taken is a wise move, as both parties sit back momentarily to absorb the information. Sometimes, if the suspense is too great, the first party that proffers a concession, a sweetener, will be the one losing money at the end of the meeting.

2. Jumping to a conclusion

One of the most common errors made in negotiations is jumping to a conclusion or making assumptions rather than getting the full facts involved. A good example here would be assuming what the other party’s needs and desires are, rather than skillfully probing with questions to determine precisely what they are. Rather than assuming, the skilled negotiator becomes more effective by asking probing questions which can sometimes determine the real needs and desires of the other party. In team negotiations, awareness of who are the more talkative members of the other party may allow you to engage them such that they may inadvertently reveal more than they had anticipated. For example, they admit that they are running short of time as an event for which the vendor was being assessed has been brought forward. If you are a vendor, and have already engaged them for some time, the other party may feel too invested to start the process all over again. This knowledge, if extracted, can be immensely useful. The skilled negotiator avoids jumping to a conclusion.

3. Focusing on position, not interest

One of the most significant findings to come out of the Harvard Negotiation Project was the understanding that a very common error in negotiation was to focus on the other person’s position, without looking behind that position to the real needs and interests of the other party. The much-quoted example is the two daughters arguing over the last orange in the house. They each were concerned only about the other’s position. That is, “I want the orange.” A wise father, hearing the dispute, handed one of the daughters a knife and asked her to slice the orange in half, indicating that the other daughter would then select which half she wanted. On a global scale, some of the seemingly intractable problems in the Arab-Israeli conflict have to do with parties adopting entrenched positions, rather than looking at mutual interests. Anwar Sadat’s historic break from this positional way of looking at issues led to the landmark Israel-Egypt peace deal, which has led to nearly 30 years of peace between the two countries.

A brilliant solution? Not really. Because, you see, each of the daughters got only one-half of what they could have had, had they taken the time to look at the interest behind the position. One of the daughters wanted the orange for juice; the other needed the peels for baking. Now, you might suggest that this is a very simple example, and that most experienced business people would see through it and not make that mistake in the business-negotiating environment. However, in numerous business simulations, participants get caught up in positional arguments, and then may feel they have to continue behaving in a way consistent with that position, leading to a lack of clarity as to their interests.

4. Entering a negotiation without a BATNA

Fisher and Ury, in the popular book Getting to Yes, point out the extreme importance of determining a BATNA — Best Alternative to Negotiated Agreement — before entering any negotiation. The only reason to negotiate in the first place is to arrive at a conclusion that is better than that which would be achieved without the negotiation. If we take the time to analyze our BATNA, we will then know clearly what our “best alternative” is. In the case of a business dispute, your BATNA might be a lawsuit and subsequent trial. In the case of negotiating the cost of a financial consulting project, your BATNA might be using another consultant.

Don’t fall into the trap of cumulatively looking at all options and seeing the many different benefits inherent in all of them. You will not have the option of all of them and, therefore, it is necessary to weigh your current negotiation situation against the best alternative to a negotiated agreement.

One of the major advantages of having a BATNA in every negotiation is that it helps you determine your negotiating philosophy; whether one is “hard” or “soft”, “firm” or “flexible” now becomes largely a consideration of how strong a BATNA you have. An extremely strong BATNA allows you to use the more risky tactics of “walkout” or “take-it-or-leave-it.”

5. Getting hung up on a negotiated item

In practically all negotiations, there is more than one item to be negotiated. Whenever this is the case, the skilled negotiator realizes that they need not be hung up on a single negotiated item. Price might be a good example. If price becomes a non-negotiable item for one side in the negotiation, the other side could concede price negotiations if they got concessions that accomplished the same thing in the areas of interest rates, payment plans, quality and content specifications, etc. The experienced negotiator looks at the total package and is not hung up on a single negotiated item. In Asian societies, which often value the relationship ahead of the transaction, sometimes being too tough over one single item can sour an otherwise profitable relationship.

6. assuming a fixed pie Many negotiators view each negotiation as a fixed pie. Anything I gain, you lose, and vice versa. Actually, how-ever, this is not the case because of the many variable factors in the negotiation and the relative value of each of those factors to the various negotiators. Someone may concede on price to the other party who holds price as perhaps the key item in the negotiation. However, that concession on price may have been achieved through the price-sensitve party conceding something that was not price related – for example, on the speed of delivery, exchange of documentation, and so on.

David Lim is a leadership and negotiation coach and can be found on his blog http://theasiannegotiator.wordpress.com, or subscribe to his free e-newsletter at [email protected]


Leadership 2.0

In today's fast-paced world everyone is searching for tools that can help them rise above the rest

Great leadership is impulsive; it melts unique skills into an incorporated whole. But it is still difficult to understand great leadership. One might come face to face with a great leader while working, but sometimes even he or she finds it difficult to explain what ingredients are required to become a great leader.

The recently published book by Drs. Travis Bradberry and Jean Greaves, authors of Emotional Intelligence 2.0, shares discoveries based on an extensive study which separates result-oriented leadership skills from inconsequential or harmful ones. The book introduces a new model of leadership. It helps readers to understand leadership. Besides, it can be used as a guide for leaders to innovate methods to become great.

The study pinpoints 22 critical leadership skills. After comparing each skill with the others, the authors discovered that all of them can be categorised into two groups. First are the skill sets that help people get into a leadership position. These are called core leadership skills, as they form the very basis of productive and solid leadership.

Second are the skills that people use to rise above the rest. These skills, called adaptive leadership, create dynamic and agile leaders. Such leaders are effective in any environment.

The book highlights that core leadership skills provide the building blocks and help people get promoted into leadership positions. These skills alone won't make a great leader, but one would not be able to do much without them. An experienced leader will recognise the core leadership skills and take a fresh look at their day-to-day skills. On the other hand, core skills will help an aspiring leader to cast their own blade. Core leadership primarily includes strategy, action and results.

Similarly, the adaptive leadership skills set great leaders apart from the rest. These skill sets represent the hard-to-identify skills that great leaders often have in common. Adaptive leadership enables true excellence by combining unique skills, perspective and effort. This includes emotional intelligence, which captures awareness of self and others and uses it to manage and form quality relationships.

Leaders, in most cases, view themselves in a more favourable light than other people do, as most people do. The fact that great leaders often overestimate their adaptive leadership skills highlights that these skills are tough to master. As a result only a few have honed their skills adequately. Adaptive leadership skills present a good opportunity for leaders to set themselves apart and take themselves to the next level.

The test is one of the cool features of the book. It asks around 70 questions and takes 20-30 minutes. The feedback on the result is powerful in increasing self-awareness of one's leadership qualities and helps to focus on and fine-tune the key areas of leadership. The best part is that it guides you through which skills to work on and points out the strategies that will help to improve in the required area.

The book will definitely help aspiring leaders and ordinary people willing to climb the ladder of leadership to identify their skill levels and build them into strengths. After adopting the strategies highlighted in the book one can take one's leadership skills to new heights.

About the authors: Drs. Travis Bradberry and Jean Greaves are the award-winning authors of Emotional Intelligence 2.0, and the cofounders of TalentSmart.

“We stumbled upon a new way to understand great leadership and an innovative method for any leader to become great.” — Dr. Travis Bradberry

Shelf Life


NEXT HORIZONS


Israel vs Iran: the strategic importance of the 5th domain, cyberspace

By Pierluigi Paganini

Time passes and the dispute between Iran and Israel is becoming increasingly more complex to manage. Apparently everything seems crystallised, waiting for one of the contenders to make the first move; in fact, both states are boosting investment in the development of their cyber capabilities.

Cyberspace is the domain in which both countries are trying to strike their adversaries. Recently Israel's Channel 2 reported that the Israel Defense Forces is planning to double the number of current members of the well-recognised Unit 8200, the Israeli Intelligence Corps unit responsible for collecting signals intelligence and code decryption. The unit is responsible for conducting both defensive and offensive operations in cyberspace, a domain considered fundamental by the Israeli government.

The Israeli cyber unit is considered one of the most active in the creation of offensive tools; the majority of security experts blame it for the creation of the Stuxnet virus in a joint venture with the US. Stuxnet is not the only malware designed to attack a foreign state through cyberspace: recall that the recent analysis of the Flame malware demonstrated intense cyber espionage activity in the Middle East, and in this case too the support of Israeli cyber units appears highly probable.

A conflict in cyberspace is very difficult to engage in. In many cases a country suffers continuous cyber attacks that appear to be conducted by state-sponsored hackers, but there is no certainty about their origin. We must also consider that it is possible to intentionally mount a series of offensives against a state so that the blame falls on nations not really involved; the strategy of misinformation is considered one of the primary options in a conflict.

When we speak of cyber war we must be really careful, because collecting evidence of attacks is hard. During the last Cyber Threat Summit in Dublin I presented my research "The rise of cyber weapons and relative impact on cyber space", highlighting the expenditure of the main countries that we consider most advanced in the cyber warfare scenario.

The US, China, the UK, Iran and at least 140 other states all over the world are currently working on the creation of a new generation of cyber weapons; despite the substantial cuts in military spending due to the global crisis, these investments in cyber warfare are increasing in an impressive way.

Improving cyber capabilities: announced spending

NATO (2012): Upgrading cyber defence capabilities and enabling the NATO Computer Incident Response Capability (NCIRC) to achieve full operational capability by the end of 2012. Amount: €58m

USA (2013-2017): With a cyber budget of $1.54 billion from 2013 to 2017, DARPA will focus increasingly on cyber-offence to meet military needs. Amount: $1,548m

UK (2012): Extra investment to develop deterrents to hostile viruses and hackers. Amount: £650m

Israel (from 2012): Expense of more than $13 million in the coming years to develop new technologies for cyber defence. Amount: $13m

China: Estimating actual PLA military expenditures is difficult because of poor accounting transparency and China's still incomplete transition from a command economy. Using 2011 prices and exchange rates, DoD estimates China's total related spending for 2011 ranges between $120 billion and $180 billion. China's cyber security market will expand remarkably in the coming years, from a valuation of $1.8 billion in 2011 to $50 billion by 2020, representing a dramatic compound annual growth rate (CAGR) increase of 44.7%. Amount: ?

Iran (2012): In December Tehran announced an ambitious plan to improve its cyber-warfare capabilities, developing new technologies and creating a new team of cyber experts. Amount: 18 $

Channel 2 presented an advanced technological Israel that has recruited expert hackers to join Unit 8200 with the slogan:

“If you're a computer genius, this is the place for you!”

Richard Silverstein, a well-known author, journalist and blogger with articles appearing in Haaretz, the Jewish Forward, the Los Angeles Times and many other important outlets, takes issue with the Israeli government's propaganda in an article published on Tikun Olam.

The journalist remarks that a cyber attack could cause the loss of human lives and serious damage; he is alarmed by the fact that simply using a keyboard it is possible to destroy a critical infrastructure, interrupt telecommunications or hijack defense missiles against their owners.

The author writes: "As I've written, it's only a matter of time before someone pushes a Send button and unleashes code that derails a train, causes an explosion in a power plant, or poisons a water supply. Even Leon Panetta warned of this eventuality. Only of course, he warned of someone doing it to us, rather than us doing it to someone else. We all know that the things you accuse your opponent of wishing to do to you are the same things you'd do to him given half a chance."

The recruiting of aspiring cyber experts is very effective: a network of head hunters in the country looks for high school students who are following an educational path characterised by a predominance of IT material. This is not the only way to recruit cyber specialists; social media has great relevance, and the IDF is also searching for them by analysing forums and social networks.

The IDF initiative to increase the capabilities of its cyber units by recruiting youngsters is not new; just last week I wrote about a similar initiative of Britain's Government Communications Headquarters (GCHQ) intelligence agency, and even before that of the Chinese cyber army.

But if Israel is recruiting new cyber units we cannot ignore the progress of Tehran. The Iranian government is intensifying its cyber activities; in particular, fearing a powerful cyber attack, it is trying to secure the country's infrastructure.

I believe that Iran is making meaningful progress in cyber warfare and soon it will be very dangerous, also thanks to the support of cyber mercenaries.

The Iranian government is aware that the enemy is increasing cyber capabilities that it will use against vital components of the country. That is why Iran should adopt a smart civil and cyber defense strategy against these attackers, according to the declarations of the head of Iran's Civil Defense Organisation, Brigadier General Gholam Reza Jalali:

"So, threats determine the direction of our movement." "I think that utilising hi-tech is like playing in the enemy's court because it has been developed based on the capabilities of the enemy."

He then said the US and Israel own a major share of infrastructure companies and hi-tech firms to the very same end. "Thus, Iran is necessitated to design a new model for cyber defense."

Iran is hit daily by a large number of cyber attacks; it is gaining great experience in this sense, and the government's experts are learning how to monitor foreign offensives and how to defend the country's industrial systems.

Don't forget that the country's experts were the first, like the Kaspersky Lab team, to be able to neutralise the "Flame" virus discovered last May, using indigenous anti-virus software.

Let us recall also that last April 24 the country's experts limited the effects of a series of cyber attacks against the country's Oil Ministry. Hamdollah Mohammadnejad, deputy minister for engineering affairs, declared according to the Fars News Agency: "Recently, a few number of National Iranian Oil Company (NIOC) servers were attacked by a malware, but the cyber security experts of oil industry contained it immediately."

We all must be aware of the progress of Iran in the cyber warfare scenario, at least from the defense perspective, but what will happen if similar progress has also been made on the offensive side?

Are we ready to neutralise a cyber weapon, such as Stuxnet, created by its experts?

It is quite strange, but this time we are observing more propaganda made by Western governments than objective results; the improvement of cyber capabilities in countries such as Iran and North Korea must be monitored with great attention in the cyber warfare scenario.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

DDoS Attacks on the Rise: Prolexic Report

The report reveals an increase in the number of attacks with an average bitrate in excess of 20 Gbps, which is a worrying trend

By Pierluigi Paganini

The second half of 2012 has started with a noticeable increase in distributed denial-of-service attacks against financial institutions and banks that caused several problems for the victims. To face such a dangerous menace, it is fundamental to analyse the phenomenon starting from the data provided by the security firms that design solutions to protect companies from these kinds of attacks. They have a privileged point of view because they are able to collect data directly from the field, acquiring information from the systems they have installed at their customers.

Prolexic is a well-known vendor that periodically publishes interesting statistics on DDoS attacks and their evolution, and with respect to the recent attacks I find the analysis in its Q3 2012 report very useful.

The title of the report says it all: “Q3 2012 was defined by extremely large DDoS attacks. It is clear that bitrates of 20 Gbps are the new norm”. An increase in the number of attacks with an average bitrate in excess of 20 Gbps has been observed, a worrying trend if we consider that the majority of companies are not prepared for these offensives.

Such large attacks represent a novelty compared with the similar isolated events that occurred last year, according to the declaration of Prolexic's president Stuart Scholly.

This is significant because very few companies or organisations have the necessary network infrastructure to deal with such attacks. There might be some companies with popular websites, such as Google or Facebook, that are able to handle such high-bandwidth floods, but most companies are not, Scholly said.

How to mitigate such powerful attacks? Prolexic is planning to respond to the new wave of attacks by upgrading the capacity of its own cloud-based DDoS mitigation infrastructure to withstand high-bandwidth attacks. The report provides an interesting comparison with the same period of the previous year and also with the data registered in the previous quarter.

The scenario is worse than in the same period of last year. The number of attacks increased by 88 percent, but what is impressive is the efficiency of the offensives: a reduction in the average attack duration (19 hours vs. 33 hours) corresponds to an increase in average attack bandwidth of 230 percent, reaching 4.9 Gbps.

What changed compared with the previous quarter? Although the total number of attacks declined by 14 percent, an increase in average attack bandwidth of 11 percent was registered.

The average attack duration increased slightly, from 17 hours to 19 hours, and packet-per-second volume also increased by 33 percent.

Prolexic classifies DDoS attacks into those targeting infrastructure (Layer 3 and 4) and those targeting applications (Layer 7); the first group accounted for 81.40 percent of attacks during Q3 2012, while application-based attacks represented 18.60 percent of total attacks.
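As an added example (not Prolexic's code or the article's), the following Python derives the three metrics the report summarises, average bandwidth in Gbps, packets per second and duration, from constructed one-second flow buckets, and sorts each attack into the report's infrastructure (Layer 3/4) or application (Layer 7) class; the record layout, the documentation addresses and the use of the report's 20 Gbps figure as an alert line are assumptions.

```python
"""Per-attack metrics (average Gbps, pps, duration) and the infrastructure/application
split that a DDoS report such as Prolexic's summarises, computed from flow buckets."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records (not a real NetFlow export). Each tuple is one
# 1-second bucket of traffic towards one destination:
# (second, dst_ip, proto, dst_port, tcp_flags, bytes, packets)
BUCKET_SECONDS = 1
SAMPLE_FLOWS = [
    # DNS amplification flood: 24 Gbps of UDP towards a bank's address for 3 s
    (0, "203.0.113.10", "UDP", 53, "", 3_000_000_000, 2_000_000),
    (1, "203.0.113.10", "UDP", 53, "", 3_000_000_000, 2_000_000),
    (2, "203.0.113.10", "UDP", 53, "", 3_000_000_000, 2_000_000),
    # HTTP request flood from established sessions (PSH/ACK): low bandwidth, Layer 7
    (10, "203.0.113.20", "TCP", 80, "PA", 50_000_000, 40_000),
    (11, "203.0.113.20", "TCP", 80, "PA", 50_000_000, 40_000),
    (12, "203.0.113.20", "TCP", 80, "PA", 50_000_000, 40_000),
    (13, "203.0.113.20", "TCP", 80, "PA", 50_000_000, 40_000),
    # SYN flood on 443: same port as a web attack, but no payload, so Layer 4
    (20, "203.0.113.30", "TCP", 443, "S", 1_000_000_000, 15_625_000),
    (21, "203.0.113.30", "TCP", 443, "S", 1_000_000_000, 15_625_000),
]

# The report calls 20 Gbps "the new norm" for large attacks; use it as the alert line.
HIGH_BANDWIDTH_GBPS = 20.0
WEB_PORTS = {80, 443, 8080}


@dataclass
class AttackStats:
    dst_ip: str
    layer: str            # "infrastructure" (L3/4) or "application" (L7)
    duration_s: int
    avg_gbps: float
    avg_pps: int
    high_bandwidth: bool  # True when avg_gbps exceeds HIGH_BANDWIDTH_GBPS


def classify(proto: str, dst_port: int, tcp_flags: str) -> str:
    """Approximate the report's split from flow data alone. UDP/ICMP floods and TCP
    floods that never carry payload (SYN or ACK only) exhaust the network stack:
    infrastructure. TCP towards a web port with PSH set means requests from
    completed sessions, which only the application can absorb: application.
    A real classifier would also inspect the requests; this is a flow heuristic."""
    if proto != "TCP":
        return "infrastructure"
    if dst_port in WEB_PORTS and "P" in tcp_flags:
        return "application"
    return "infrastructure"


def summarise(flows):
    """Aggregate buckets per (destination, layer) and compute the report's metrics."""
    groups = defaultdict(lambda: {"t": [], "bytes": 0, "packets": 0})
    for sec, dst, proto, port, flags, nbytes, npackets in flows:
        g = groups[(dst, classify(proto, port, flags))]
        g["t"].append(sec)
        g["bytes"] += nbytes
        g["packets"] += npackets
    stats = {}
    for (dst, layer), g in groups.items():
        duration = max(g["t"]) - min(g["t"]) + BUCKET_SECONDS
        gbps = round(g["bytes"] * 8 / duration / 1e9, 3)
        pps = g["packets"] // duration
        stats[(dst, layer)] = AttackStats(dst, layer, duration, gbps, pps,
                                          gbps > HIGH_BANDWIDTH_GBPS)
    return stats


def layer_share(stats):
    """Percentage of attacks per class, the same breakdown as the 81.40/18.60 split."""
    counts = defaultdict(int)
    for s in stats.values():
        counts[s.layer] += 1
    total = len(stats)
    return {layer: round(100 * n / total, 2) for layer, n in counts.items()}


if __name__ == "__main__":
    result = summarise(SAMPLE_FLOWS)
    for s in result.values():
        flag = "HIGH" if s.high_bandwidth else "    "
        print(f"{flag} {s.dst_ip:14} {s.layer:15} {s.duration_s:>3}s "
              f"{s.avg_gbps:>7.3f} Gbps {s.avg_pps:>11,} pps")
    print(layer_share(result))
```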

Once again China confirms its leadership as the origin of DDoS attacks, with 35.46 percent of attacks originating from there, mainly linked to the effect of botnet diffusion, followed by the US at 27.85 percent and India at 7.8 percent. Note that the only South American country listed is Brazil, but Prolexic warned of a gradual increase in botnet activity originating from that area.

Prolexic noted that the high-bandwidth DDoS attacks are arranged differently from in the past: the latest incidents were launched not by botnets of compromised computers but by botnets of compromised servers, exploited by attackers because of unpatched vulnerabilities in outdated architectures and applications.

On the occasion of the recent attacks against US banks, Dan Holden, director of research at Arbor Networks, confirmed that the attackers were compromising PHP applications on web servers and WordPress sites using the outdated TimThumb plugin in order to deploy tools that allowed total control of the victims.

"Attackers connect to the tools directly or through intermediate servers/proxies/scripts and therefore the concept of command and control does not apply in the usual manner," he declared to the CSO website.

The report proposes a case study on the “itsoknoproblembro” web-based DDoS suite, the toolkit used to launch high-bandwidth attacks against U.S. financial institutions; although the origin of the application isn't clear, the Prolexic experts noted that it is constantly improved.


The report states: “A tsunami of high bandwidth packet floods was observed during Q3 2012. These attacks targeted a number of high profile organizations within financial services, media/telecom, energy, and other sectors. The bot toolkit responsible for the majority of these attacks is a PHP-based suite known as “itsoknoproblembro”, and the infected hosts are known as “brobots.”

The toolkit is used by a meaningful number of attackers, who do not need administrative privileges on a compromised server in order to install it and launch attacks.

Main advantage of "itsoknoproblembro": the toolkit appears very simple to manage and, according to Prolexic experts, it “allows attackers to react faster to any defenses they might encounter and modify their attack strategy”; it is therefore considered an adaptive tool that allows attackers to send orders to the compromised servers almost instantly.

What to expect in Q4? The increase in the number of observed attacks and the related offensive capability do not bode well for the next quarter; we must also consider that the period is historically "delicate" because of the approaching Christmas holiday.

At this time of year we expect an increase in online shopping and, in general, in the use of web services, which are the main targets of the attackers responsible for the offensives discussed.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


Digital Forensics for Handheld Devices

“Digital Forensics for Handheld Devices” is a valuable reference

By Ben Rothke

Today's handheld device is the mainframe of years past. An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power than entire data centers had some years ago. With billions of handheld devices in use worldwide, it is imperative that digital forensics investigators and others know how to ensure that the information contained in them can be legally preserved if needed.

In Digital Forensics for Handheld Devices, author Eamon Doherty provides an invaluable resource on how one can obtain data, examine it and prepare it as evidence for court. One of the reasons many computer crime cases fail to be prosecuted is that the evidence was not properly handled and could therefore not be admitted into court.

One of the first things a defense attorney will do in a computer crime case is to attack how the digital evidence was obtained and preserved. In far too many cases it was done incorrectly, and the evidence, no matter that it may be a smoking gun, can't be admitted into court. The case is then dismissed, to the chagrin of the victim.

The book's 8 chapters of nearly 300 pages are densely packed text, where Doherty brings significant real-world experience to every chapter. As the cybercrime training lab director at Fairleigh Dickinson University, he brings academic formality in addition to real-world experience to this highly tactical guide.

Chapter 1 details cell phone forensics. After a brief introduction to the history of the cell phone, it details the entire inner workings of a cell phone. The chapter also details differences in cell phones worldwide. An important fact is that many Asian countries have cell phones available 12-18 months before they appear in the US, and American forensic investigators need to be cognizant of this when entering into an investigation.

The chapter includes an overview of the Susteen Secure View application, which is an extremely powerful tool for the mobile phone forensic investigator. Besides that tool, in each chapter Doherty lists many tools that provide specific assistance on the topic at hand. The book is worth it for those listings alone.

Chapter 2 is similar to the previous chapter except that it is about digital camera forensics. The chapter provides a detailed overview of how digital cameras operate and how the underlying hardware works. The chapter includes an extremely comprehensive overview of seemingly every tool available to investigate images on a digital camera.

The chapter also includes a number of fascinating case studies on how to effectively perform a forensic analysis of a digital camera. It concludes with an observation that when considering a career in forensics, as fascinating as it is, it may not be for everyone.

Doherty notes that as a forensics investigator, the examiner is often exposed to disturbing material. He quotes a report that studied investigators from over 500 agencies who had been exposed to child pornography during the investigation of crimes involving child exploitation. The report noted that an alarming 35 percent of the participants had problems arising from work exposure to child pornography.

Chapter 5 provides an extremely detailed look at forensic investigation on a corporate network. Throughout the book, Doherty stresses the need for an effective chain of custody and other measures to preserve digital evidence. It is imperative to preserve the integrity of the digital evidence obtained from the time it was seized until it is presented in court.

To facilitate this, the book states that it is a best practice to use checklists to ensure nothing is forgotten. The importance of checklists has been detailed in The Checklist Manifesto: How to Get Things Right, where author Atul Gawande makes a compelling case for the use of checklists.

As to evidence and checklists, Doherty writes that once the evidence is obtained, a chain of custody form should be filled out. Each time the evidence is copied, processed or transported, it should be documented on the chain of custody form. If others receive a copy of the evidence for prosecution or defense purposes, they too should sign for it. This is imperative if it is expected that the evidence will end up in court or be used for human resources purposes. But in the corporate setting detailed in chapter 5, that same level of diligence is not necessarily required.
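As an added illustration (not from the book or the review), the following Python keeps the chain of custody form described above as a hash-linked log: the evidence image is hashed at seizure, every copy, transport or processing step appends an entry signed for by its handler, and a verify step reports the exact step at which a modified copy or an altered entry entered the record; the case identifier, handlers, timestamps and image bytes are constructed.

```python
"""Hash-linked chain of custody record for one item of digital evidence."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first entry on the form


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str               # ISO-8601 timestamp of the step
    action: str             # seized / copied / transported / processed / released
    handler: str            # the person who signs for the evidence at this step
    evidence_sha256: str    # hash of the evidence image as handed over at this step
    prev_entry_sha256: str  # hash of the previous entry, so entries cannot be reordered
    entry_sha256: str = ""  # hash of this entry, so it cannot be edited afterwards

    def digest_input(self) -> bytes:
        fields = (self.when, self.action, self.handler,
                  self.evidence_sha256, self.prev_entry_sha256)
        return "|".join(fields).encode()


class ChainOfCustody:
    """Chain of custody form for one evidence item, from seizure onwards."""

    def __init__(self, case_id, item_id, image, seized_by, when=None):
        self.case_id = case_id
        self.item_id = item_id
        self.original_sha256 = sha256_hex(image)  # seizure hash everything is checked against
        self.entries = []
        self.record("seized", seized_by, image, when)

    def record(self, action, handler, image, when=None):
        """Append one signed-for entry. The image is re-hashed at every step, so a
        modification is pinned to the step at which it happened."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_sha256 if self.entries else GENESIS
        entry = CustodyEntry(when, action, handler, sha256_hex(image), prev)
        entry.entry_sha256 = sha256_hex(entry.digest_input())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, problems): the checks run before the evidence goes to court.
        Each entry must link to its predecessor, must still hash to the value
        recorded for it, and must carry the seizure hash of the evidence."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_sha256 != prev:
                problems.append(f"entry {i}: link to previous entry is broken")
            if e.entry_sha256 != sha256_hex(e.digest_input()):
                problems.append(f"entry {i}: entry was altered after signing")
            if e.evidence_sha256 != self.original_sha256:
                problems.append(f"entry {i} ({e.action} by {e.handler}): "
                                "evidence hash differs from the seizure hash")
            prev = e.entry_sha256
        return (not problems, problems)


# Constructed stand-in for a handset image; not real evidence.
PHONE_IMAGE = b"constructed handset image: sms.db, call log, DCIM photos"


def demo_clean():
    """Seizure, working copy, transport to the lab, processing: all hashes match."""
    coc = ChainOfCustody("CASE-EXAMPLE-001", "ITEM-01", PHONE_IMAGE,
                         "Examiner A", "2012-11-01T09:00:00+00:00")
    coc.record("copied", "Examiner A", PHONE_IMAGE, "2012-11-01T10:30:00+00:00")
    coc.record("transported", "Courier B", PHONE_IMAGE, "2012-11-02T08:00:00+00:00")
    coc.record("processed", "Examiner C", PHONE_IMAGE, "2012-11-03T14:00:00+00:00")
    return coc


def demo_modified_copy():
    """The copy handed to the defense was modified: verify() names that step."""
    coc = demo_clean()
    coc.record("copied", "Defense D", PHONE_IMAGE + b" (edited)",
               "2012-11-05T11:00:00+00:00")
    return coc


def demo_altered_entry():
    """Someone rewrote who signed for the transport after the fact: the entry no
    longer hashes to its recorded value, so the form itself shows the tampering."""
    coc = demo_clean()
    coc.entries[2].handler = "Examiner A"
    return coc
```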

Chapter 5 also has overviews of nearly 50 different forensic tools for every imaginable purpose. While the book has exploratory and technical overviews of many tools and numerous case studies, this is not an introductory text on the subject. It is meant for someone with a technical background who is looking for a technical reference to gain competence in digital forensics.

The only shortcoming of the book is that while the author is an expert on the topic and the tools, the writing style is one that screams out for an editor. The text suffers from run-on sentences and repeated definitions of the same acronym, in addition to other readability issues. The book is pervasive in its use of the passive voice, which can be annoying to many readers. It is hoped that the second edition of this book will be updated with the current tools of the time and given a good re-editing of the text to ensure its readability doesn't suffer.

Aside from the grammatical issues, for those looking for a very hands-on guide to gain proficiency in the topic, Digital Forensics for Handheld Devices is a valuable reference. Dr. Eamon Doherty has a unique perspective in that he has academic, law enforcement and very practical experience, which is manifest in every chapter.

The notion of digital forensics is seize it, examine it and then prepare it as evidence for court. In Digital Forensics for Handheld Devices, you find out how to do just that.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


TECH FOR GOVERNANCE

Data Briefing: 75% of smartphones sold in the third quarter are running on Android

Panalpina's “World Wide Web”

It is important to include contractual language specifically targeted to the FCPA

By Mary Shaddock Jones


On November 12, 1990, Sir Tim Berners-Lee, with help from Robert Cailliau, published a formal proposal for the World Wide Web in Switzerland. Today, twenty-two years later, we look at a different world wide web, one which ensnared a Switzerland-based company named “Panalpina”.

According to the Department of Justice, Basel, Switzerland based Panalpina World Transport “is one of the world's leading suppliers of forwarding and logistics services, specialising in global supply chain management solutions and intercontinental air freight and ocean freight shipments and associated supply chain management solutions.” It operates “a close-knit network with some 500 branches in over 80 countries,” does business in a further 80 countries with partner companies, and employs approximately 15,000 individuals. The criminal information focuses on a “network of local subsidiaries … each of which was responsible for providing the freight forwarding and logistics services to customers and for coordinating with other Panalpina-affiliated companies with respect to the transportation and shipment of cargo from abroad.” In addition, PWT and its subsidiaries “provided customers with importation, customs clearance and ground shipment services once the shipped goods reached their destination jurisdiction.” The subsidiaries under investigation were from the U.S., Nigeria, Angola, Brazil, Azerbaijan, Kazakhstan, Russia and Turkmenistan (hence my reference to the “world wide web”!)

There have been many blogs, papers and articles written about the facts and the settlement the DOJ and SEC entered into with Panalpina and many of the oil service companies utilising its services. There is no reason for me to recite the facts of that case again. More importantly, I have seen first-hand the improvements made by Panalpina in its own compliance program since the investigation began in 2005. This is a company that should be lifted up as a model for others to follow. I have always been taught that it isn't the fact that you get knocked down that shows your strength and courage, but the fact that you get back up and learn from your mistakes. All of us can learn improvements from each and every one of the FCPA reported settlement agreements, including that of Panalpina.

Practical pointer for today's blog: once a third party has passed the due diligence process, it is important to include contractual language specifically targeted to the FCPA. There are several well recognised concepts that should be included in the contractual language, including an overarching statement that the Agent or Partner will not authorise, offer, or pay anything of value to a foreign government official (or private entity if the UK Bribery Act is encompassed) for the purpose of obtaining or retaining business or gaining any improper business advantage. This concept is followed by the promise to submit itemised invoices, with accurate supporting documentation to allow for transparency in the processing of payments. Along with these two requirements are the rights to audit, to terminate or suspend the contract, and perhaps the right to recoup any losses and investigation costs for violation of the above. The final agreements would include the obligation to undertake training, periodic due diligence requalification and annual certifications.

Recently, we discussed the due diligence process and provided some language to assist in the identification of “Red Flags” when considering the use of third-party Agents or Partners. Today, we provide you with additional language to consider utilising once an Agent or Partner has been retained:

In addition, unless approved by the Company Compli-ance Officer or his or her designee, all contracts with Agents or Partners shall contain provisions addressing the following matters: payment mechanisms that comply with this Manual, the FCPA, the UKBA and other applicable anti-corrup-tion and/or anti-bribery laws during the term of such contract;

the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;

the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;

the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and

remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

All contracts that provide for the disbursement of funds by the Company to a third party shall be in writing and shall require the other party to submit a written invoice for payment in compliance with the terms of its contract with the Company. All invoices shall be accompanied by accurate and sufficient supporting documentation for all outlays to third parties. Contracts requiring the disbursement of funds by the Company for such services shall also require that, unless the Company Compliance Officer or his or her designee determines that payment in another jurisdiction does not violate local law and that a valid business reason for payment in another jurisdiction exists, funds shall be transferred only to a bank account owned by the designated recipient and that such account shall be located in the jurisdiction where the relevant business services are to be performed or occur.

Companies can be held liable for the acts of third parties acting on their behalf. The use of the contracting strategies suggested above will clearly communicate to the Agent and/or Partner the seriousness of your company’s commitment to abiding by the law and spirit of the FCPA and similar anti-corruption laws and regulations.

—Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana, primarily in the international marine and oil service industries. She was one of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA). She can be reached at [email protected]

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

TECH FOR GOVERNANCE | COMPLIANCE

New Techs Raise Doubts on Privacy & Security
There are several problems with patents like the one under discussion
By Pierluigi Paganini

Recently a colleague alerted me to a news item published online about a patent obtained by Microsoft titled "CONTENT DISTRIBUTION REGULATION BY VIEWING USER".

The patent could, according to some experts, be a clear violation of privacy because it uses technology to gather information on users' consumption of video content.

The major concerns relate to the use of the cameras in video devices such as PCs, mobile devices and TVs to identify the user, verify his rights to view the content and, of course, determine his habits, with the purpose of packaging the best offer in terms of content.

13.5% Q-o-Q growth in consumer PC market in India in Q3, 2012

How will Microsoft use the cameras? There are several technologies that can serve the purpose, probably "facial recognition techniques" combined with analysis of video and audio input.

The patent states:

"[0028] In an alternative embodiment, a fee can be charged for each viewer of the content for each view. In another alternative, at 225 and 240, a per-viewer license may comprise counting the number of viewers in a viewing area and directly charging for each identified user in the viewing area. Viewers may be uniquely identified and a count of the viewers determined, with the licensee then charged for each viewer accessing the content. Age and identity restrictions can be applied in this embodiment as well."

The cameras could be used to validate the user's license and enable viewing of the content; to do so they must be able to count the number of users present in front of the screen. The patent authorizes a private company to get this invasive in our homes, and maybe this is the first of many similar cases.

TVs, PCs and gaming consoles are technologically highly evolved objects that, thanks to sensors, cameras and microphones, are able to exercise meticulous control over their surroundings.

Last year I presented a project funded by the US government to acquire information through the analysis of gaming consoles on the network. There are several problems with patents like the one under discussion.

Who will govern the information obtained, and how? Are these devices secure from external attacks? Who guarantees the security of the information collected?

The doubts are raised mainly by the implementation of the content of the patent: imagine, for example, what could happen if a hacker took control of such devices. He would be able to spy on victims, and similar attacks represent serious risks from different perspectives.

Governments, but also cybercriminals, could be interested in exploiting the devices; the same interest exists from a commercial perspective, to gather information on users' habits.

The patent applies to both streaming content as well as downloaded material, and it is sure that many other companies are interested in the technology.

I personally think the technology is ripe for several similar uses, but to be really useful it always has to be compared with the demands of privacy and safety of users ... unfortunately the trade goes in the opposite direction.

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


Software is Eating the World: APIs are the Fuel
Mobile applications have become the driving force of transformation on the Web
By Ben Kepes

CloudU Notebooks is a weekly blog series that explores topics from the CloudU certificate program in bite sized chunks, written by me, Ben Kepes, curator of CloudU. How-tos, interviews with industry giants and the occasional opinion piece are what you can expect to find. If that’s your cup of tea, you can subscribe here.

Over the past handful of years I’ve commented on a seemingly disconnected bunch of areas: the rise of cloud computing, the forced re-design of how enterprises work, the focus on more project-specific teams, dispersed workers. The list goes on. In the last 12 months or so I’ve seen these formerly disconnected areas converge together into one topic area – call it Enterprise 2.0, social, mobile, local or whatever; it is starting to look consistent – the need for an organisation to be more nimble in reacting to external and internal factors; the need to meet employees’ demands in terms of how and where they want to work; and the desire to unlock data from both inside and outside the organisation.

All of these desires are delivered, at least in part, by the cloud – cloud brings a level of agility that allows organisations to be more nimble than before. Cloud powers workers in disparate geographies to collaborate on projects. Cloud enables the mobile provisioning of mass information in new ways. Cloud makes insights into vast stores of data more readily obtained.

If cloud is the enabler of this dramatic shift of organisations, then the API is the glue that holds it all together. APIs have an integral part to play in delivering all this agility. Want to give your employees access to data inside legacy systems? An API strategy can help with that. Want to tie together two discrete applications in ways that deliver a specific need? APIs are the glue that binds. Want to set up some cloud infrastructure that lets you scale and deliver in a utility fashion? It is APIs that sit behind much of that.

Given this critical, yet often unheralded, role that APIs play in all of this, it was interesting to read an article by 3Scale CEO Steven Willmott recently. The article is well worth reading in its entirety, but essentially Willmott puts the case that the so-called “App Economy” is in fact better titled the “API Economy.” As Willmott says:

Mobile applications have become the driving force of transformation on the Web, creating not only whole new categories of software, but also creating new ways of consuming content and accessing services.

Much of Willmott’s article focuses on the massive growth of consumer APIs. At the same time however he touches on the fact that there are a number of vendors that are solely focused on enabling the realisation of an API strategy by organisations. These companies do the heavy lifting which allows an organisation to focus on the strategy behind their API strategy rather than the mechanics of actually deploying an API. It is this latter trait that makes these companies, and the rise of the API, of such critical importance for enterprises.

By extension for many existing enterprises, “cloud” wasn’t a strategy per se, but rather a way of delivering an outcome. Oftentimes this outcome is quite simply the unlocking of existing data, the provisioning of that data across multiple platforms and services and the ability to integrate that data with data from other sources.

The API is the common thread across all of these desires, and it is for that reason that enterprises need to think about their API requirements sooner rather than later.

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


Nation Approach to Information Activities
Connectivity is how information is passed from Point A to Point B
By Joel Harding

What are logical ways for us to discuss what we do? That question alone raises a ton of questions. Who is we? What is it we do? Who does what? Can something fall into multiple categories? Now that IO has a new definition, there is no longer a clear cut way to divide up the parts. My friend and mentor, Dr. Dan Kuehl, invented a model I like to use, called the Three C model. ‘What we do’ can be divided into Connectivity, Content and Cognitive. I’m going to paraphrase below, probably badly, so please excuse me for not reproducing his highly refined explanation.


Connectivity is how information is passed from Point A to Point B. This may be a broadcast message over FM radio, it might be via cyber in an email, it might be by fax, telephone, television, even the spoken word from your mouth to my ear.

Content is how we put the message together, what is contained within the message or what is shown, heard or even felt, tasted or smelled. In Afghanistan there is a low literacy rate, so more pictures are used. This may also be a narrative; what words we use can also be less or more dependent on culture, history, religion and a myriad of other factors.

Cognitive is how the message is received and then internalised by our audience. I prefer to use Measures of Effectiveness as part of my initial planning process, so when planning and then conducting the rest of an information operation we can better measure the efficiency of our campaign. My friend Dr. Lee Rowland uses the principle of “Under what conditions will a certain behavior change”, which is more difficult to determine but offers a much more refined approach and ensures cognition and efficiency of messaging is both easily measured and determined.

But IO cannot and will not work without including the rest of the government, not in peace, crisis or even war. I recently sat down with some friends and we discussed information operations at a higher level, at the governmental level. In the US the Department of Defense does IO, the Department of State is in charge of Strategic Communication and Public Diplomacy, but I was having problems describing a “whole of government” approach, and I was having even more difficulty explaining how a “whole of nation” effort might be divided. We finally came up with five categories for what I might call government/corporate/private information activities.

Information Operations. The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt or usurp the decision-making of adversaries and potential adversaries while protecting our own. This will include Department of Defense, to include Cyber Command and the CIA. Most important about this category is these are the only entities that may conduct offensive operations; they can break things.

Strategic Communication & Public Diplomacy: SC: the synchronised coordination of statecraft, public affairs, public diplomacy, military information operations, and other activities, reinforced by political, economic, military, and other actions, to advance U.S. foreign policy objectives. PD: communication with foreign publics to establish a dialogue designed to inform and influence. SC/PD would also include “liberation technologies” or ways to bypass, circumvent and/or thwart blocking, filtering and jamming by authoritarian governments. This will include the Department of State, the BBG and others as identified.

Information Research and Analysis. Data, information and intelligence collection, reporting by all media, analysis, editing and publishing. This will include reporters, editors, intelligence collection, intelligence analysis and publishing.

Technical Innovation. How we communicate information. This includes cyber, communication means of all types, and efforts of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. This will include information assurance, cyber defense and research and development efforts for the storage and transmission of information, broadcast, satellite, telegraph, even semaphores. This includes DISA, corporate and private R&D efforts.

Information Infrastructure Assurance. Efforts to protect government, corporate and private infrastructure from natural and man-made threats to critical, corporate and private infrastructures. This would include the Department of Homeland Security and other efforts to protect critical and private infrastructure.

The problem I seem to have is categorising military public affairs; I might have to change the name to military information activities or some such generic name. Many Public Affairs officers seem to believe they can inform without influencing.

If I take a whole of nation approach then I should include marketing, public relations, perception management, reputation management and strategic communications (with an s).

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


I Lost My Theory of Mind
Without the theory of mind everything that social engineers do would fail
By Will Tarkington

The theory of mind is an intricate part of understanding how humans interact. Now my blog typically deals with real world examples of my social engineering techniques. However I’m taking a moment to discuss one piece of theory.

The reason I’m taking the time to do this is simple. Without the theory of mind everything that social engineers do or attempt to do would fail. The theory of mind is basically one’s ability to differentiate perspectives. From perspective comes intention, from intention comes reaction, and from reaction comes reward (or failure).

So to begin with the First Order of the Theory of Mind:

The first order is simply the awareness of self. You know that question you hear people ask “Is this animal self-aware?” This is the first order of the theory of mind. In essence it’s the ability to determine that you are unique. That you have an individual perspective and individual desires. It is this ability that lets you make statements like; “I would like chocolate over vanilla.” It may seem odd but without this you could not think of yourself collectively or individually as an entity. There would be no YOU to want chocolate.

The Second Order of the Theory of Mind:

The second order provides you the ability to identify someone else’s perspective. For this example we are going to use a common example that happens all over the world. Salt: there is a salt shaker, and in the first order you would be aware that you want the salt. In the second order you would be aware that someone ELSE wanted the salt.

This is important because it means you can now decide if the person reaching towards you is likely trying to kill you or not. It also means that you can now decide if you want to assist that person in getting the salt. You can also evaluate if your wanting the salt should trump their wanting of the salt.

However the REAL fun begins in the next order.

The Third Order of the Theory of Mind:

This is the place where most of the Social Engineering will start to come into play. Essentially and convolutedly the third order is:

I want the salt
You want the salt
I am aware that you want the salt
I am aware that you are aware that I want the salt

It is at this exact moment that negotiation begins. Prior to this event it was a contest of desire vs desire and now it’s part of an abstract concept involving “trade” or reciprocation. If I give you the salt now will you help me later? I know you know I’m helping you. Thus social mechanisms such as guilt and friendship or rivalry come into play.

The Fourth Order of the Theory of Mind:

Are we ready? This is going to start getting convoluted but here we go!

I want the salt
You want the salt
I know you want the salt
You know I want the salt
I know that you know that I want the salt
I know that you know that I know that you know that I want the salt

Wheeeeeeeeeeee it’s starting to turn into The Princess Bride here. The only other thing I want to note is that TOM (Theory of Mind) doesn’t have to relate to only 2 people in regards to their orders.

So for example a third order TOM could be:

I want the salt
You want the salt
Sheri wants the salt
I am aware you and Sheri want the salt

In this scenario you start to see the complexities of making alliances or influencing different people to change the outcome. Who should get the salt? Which is more beneficial to me, Sheri or you? Are you both aligning against me?

This is the crux of our social society.

I encourage everyone interested in human behavior to spend some time studying the TOM, become aware of when to apply it and how to apply it. This makes all sociological research easier to do.


VIEWPOINT

Size Matters
The size of a company’s portfolio matters

I recently attended HDS’s Influencer Summit. It’s where a company hosts those who are supposed market influencers - analysts, bloggers, etc. What’s interesting is that it didn’t include traditional media, who I think still have legitimate influence. Different issue. First, on the HDS event itself, bravo. A company like HDS never gets the kudos it deserves, because of its historical conservatism. Did you know HDS, who has had over 12 record quarters IN A ROW (and is growing faster than any other large player in the space - 20% y/y in the Americas, for example), sells only HALF of its stuff to large enterprises? The rest is small enterprise and midmarket. I didn’t know, or didn’t pay attention the last time they told me that. Their channel accounts for a huge percentage of revenue - also something I elected to forget.

Anyway, what the HDS presentations made me realize is that size really does matter. Not so much the size of the company as the size of the portfolio, at least today. HDS is part of Hitachi LTD, which just so happens to be a $118B tech powerhouse. How does that help? Well, for example, HDS built the train system in London used for the Olympics. What’s the relevance? The train system uses some serious bad ass technology - like the ability to do instant analysis on data inputs from a zillion sensors in real-time. Their trains themselves are highly automated - using thousands of sensors feeding millions of inputs a second into a real BIG DATA system keeping the trains running on time, not crashing, adjusting for weight, temperature, external conditions, etc.

The point is that when a disk subsystem maker normally talks about how great their big data story is, I yawn. HDS, in this example, brought some credibility to the story. If they can do real time analysis and automated decision making based on machine generated data, then how can they not be smart when it comes to me making a goofy marketing query against a fairly static (albeit large) data set that has no real time significance?

Hitachi, at its core, develops technology. That technology is then applied to use cases, ranging from escalators to content stores, and everything in between. It’s pretty amazing when you think about it.

So, in summary, HDS made me change the way I think about holistic technology implementations and the advantages a big company can have. The big Japanese tech companies are built from a foundation of technology, which is then applied to market use cases. Most US tech companies do the exact opposite - they build products based on market use cases and develop technology to improve those outcomes. Subtle but different.

Thus, in the age of the “stack” in IT, most are building a consolidated use case model, but few can bring to bear technologies that are very far reaching. Those that can have an inherent leg up on those who can’t. Those who can’t may be better marketers and thus more effective in certain use cases, but for overall economic value that spans outside of that specific use case, it seems a more global technology base has a higher likelihood of longer term success.

Steve Duplessie | [email protected]

About the Author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com
