32
Microsoft-Skype: A very big if 10 | FBI goes agile 12 | Google’s notebook as a service 18 | Java is real-time ready 35 | Cisco CIO’s practical plan 46 May 30, 2011 [ PLUS ] IPv6 SECURITY Done wrong, it can open holes p.31 Time for IT leaders to pump up the Big Ideas p.23 Innovation Atrophy By Chris Murphy Copyright 2011 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article re- prints, e-prints and permissions please contact: Wright’s Reprints, 1-877-652-5295 / [email protected]

Informationweek full-issue-may-30-2011 4130152

Embed Size (px)

DESCRIPTION

 

Citation preview

Page 1: Informationweek full-issue-may-30-2011 4130152

Microsoft-Skype: A very big if 10 | FBI goes agile 12 | Google’s notebook as a service 18 | Java is real-time ready 35 | Cisco CIO’s practical plan 46

May 30, 2011

[PLUS]IPv6 SECURITY

Done wrong, it can open holesp.31

Time for IT leaders to pump up the Big Ideas p.23

InnovationAtrophy

By Chris Murphy

Copyright 2011 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article re-prints, e-prints and permissions please contact: Wright’s Reprints, 1-877-652-5295 / [email protected]

Page 2: Informationweek full-issue-may-30-2011 4130152

16

COVER STORYInnovation AtrophyToo many IT pros have lost thefire for new ideas and new technology. IT leaders mustpump them back up.

16 SAP Making ProgressVital proof points are just ahead inmobile, in-memory, and cloud

18 Google’s Chromebook GambleService combines notebook withnew OS for Web software

19 VMware Manages The CloudOffering lets companies manageprivate and public cloud resources

Dropbox ChallengeFTC complaint questions service’ssecurity and privacy practices

20 A Call To The EnterpriseMicrosoft’s next Windows

Phone OS release getsenterprise features

Health DriverFord experiments with in-carhealth applications

21 Hadoop Is HotEMC is offering its own version,signaling an analytics arms race

[QUICKTAKES]

CONTENTSTHE BUSINESS VALUE OF TECHNOLOGY May 30, 2011 Issue 1,301

23

informationweek.com May 30, 2011 1

Page 3: Informationweek full-issue-may-30-2011 4130152

2 May 30, 2011 informationweek.com

31 Will IPv6 Make Us Unsafe?Maybe, if you ignore buggy code, motivatedhackers, and looming performance issues

35 Real-Time Ready JavaPredictable, real-time performance is possible

Contacts 6 Editorial Contacts6 Advertiser Index44 Business Contacts

Attend Enterprise 2.0 to see the latest social business tools and technologies e2conf.com/boston

June 20-23 in Boston

upcoming events: Enterprise 2.0

4 Research And ConnectReports from InformationWeekAnalytics, events, and more

6 FeedbackTouch-sensitive screens could reinvigorate the desktop

10 Full NelsonIf Microsoft can meld Skype andLync, the deal makes a lot of sense

12 Government TechnologistFBI recasts its troubled Sentinelproject into a model of success

14 CIO ProfilesThis CIO sees big opportunities ingoing global

46 Practical AnalysisCisco’s CIO banks on its own tech,guided by careful data analysis

48 Down To BusinessCisco and Microsoft should be ableto relate to Tiger Woods’ woes

[CONTENTS]

INFORMATIONWEEK (ISSN 8750-6874) is published 22 times a year (once in January, July, August, November, and December; twice in February, March, April, and October; and three times in May, June, and September) by UBM LLC,

600 Community Drive, Manhasset, NY 11030. InformationWeek is free to qualified management and professional personnel involved in the management of information systems. One-year subscription rate for U.S. is 199.00; for

Canada is $219.00. Registered for GST as United Business Media LLC. GST No. 2116057, Agreement No. 40011901. Return undeliverable Canadian addresses to Pitney Bowes, P.O. Box 25542, London, ON, N6C 6B2. Overseas air mail

rates are: Africa, Central/South America, Europe, and Mexico, $459 for one year. Asia, Australia, and the Pacific, $489 for one year. Mail subscriptions with check or money order in U.S. dollars payable to: INFORMATIONWEEK. For

subscription renewals or change of address, please include the mailing label and direct to Circulations Dept., INFORMATIONWEEK, P.O. Box 1093, Skokie, IL 60076-8093. Periodicals postage paid at Flushing, NY and additional

mailing offices. POSTMASTER: Send address changes to INFORMATIONWEEK, UBM LLC, P.O. Box 1093, Skokie, IL 60076-8093. Address all inquiries, editorial copy, and advertising to INFORMATIONWEEK, 600 Community Drive,

Manhasset, NY 11030. PRINTED IN THE USA.

14

Page 4: Informationweek full-issue-may-30-2011 4130152

4 May 30, 2011 informationweek.com

Collaboration ImperativeCloud computing provides more collaboration choicesthan ever before.

informationweek.com/analytics/imperative

Calculate Your APM CostsApplication performance management prod-ucts are essential for monitoring critical apps.They’re also expensive. We’ll guide you througha TCO exercise to help you calculate how muchan APM product set really costs.

informationweek.com/analytics/apmtco

Cloud Security: Understand The RisksSecurity concerns give many companies pause as theyconsider migrating portions of their IT operations tocloud-based services. But you can stay safe in the cloud.

informationweek.com/analytics/securecloud

Optimize Application PerformanceVirtualization can hide performance problems from tra-ditional tools. Our guidelines will help you manage appsin virtualized environments.

informationweek.com/analytics/appvirt

IT Under PressureCloud, mobility, and consumerization are stressing IT. Weasked 551 business tech pros how they’re coping.

informationweek.com/analytics/pressure

LinksInformationWeek AnalyticsTake a deep dive with these reports[ ]

Facebook, iGoogle, And MoreAccess our portfolio of social networking tools, includingFacebook applications and fan page, iGoogle widget,FriendFeed content, Twitter headlines, and RSS feeds. informationweek.com/take.jhtml

Take InformationWeek With You

Mobile consumer de-vices are being used inthe exam room, bring-ing with them concernsabout security, tech sup-port, and infection con-trol. That and more inthe new issue of Infor-mationWeek Healthcare.informationweek.com/hc/06

More InformationWeek[ ]Keep Out The Bad GuysStay up to date on what’s hot in security at Black HatUSA. It happens in Las Vegas, July 30-Aug. 4.blackhat.com

What’s Next In Social BusinessAttend Enterprise 2.0 to see thelatest social business tools, and learn how real customersare using them. It takes place in Boston, June 20-23. e2conf.com/boston

InformationWeek Healthcare IT Leadership ForumMeet up with healthcare IT leaders to discuss using tech-nology to improve clinical care. In New York, July 12. informationweek.com/2011hcforum

Let The News Find YouGet the news topics you follow—including healthcare,business intelligence, security—delivered to your in-box.informationweek.com/getalerts

[ ]

Subscribe to our more than 800 reports atanalytics.informationweek.com

Never MissA Report

>> Usage-Based Accounting informationweek.com/analytics/usagebased

>> Unified Computing Stack Wars informationweek.com/analytics/stackwars

>> IT Pro Impact Report: iPad 2 informationweek.com/analytics/proipad

>> Collaboration Security informationweek.com/analytics/collabsecure

>> Lessons Learned From Database Attacks informationweek.com/analytics/databaselessons

>> IT Automation: Breaking Budget Rules Coming June 13

Resources to Research, Connect, Comment

Get InformationWeek Healthcare[ ]

Page 5: Informationweek full-issue-may-30-2011 4130152

Please direct all inquires to reporters in the relevantbeat area.

IndexFor Advertising and Sales Contactsgo to createyournextcustomer.com/contact-us or call Martha Schwartz (212) 600-3015

[ ]

Copyright 2011 UBM LLC All rights reserved.

informationweek.com6 May 30, 2011

Rob Preston VP and Editor In Chief, [email protected] 516-562-5692

John Foley Editor, [email protected] 516-562-7189

Chris Murphy Editor, [email protected] 414-906-5331

Art Wittmann VP and Director, Analytics, [email protected] 408-416-3227

Stacey Peterson Executive Editor, Quality, [email protected] 516-562-5933

Lorna Garey Content Director, Analytics, [email protected] 978-694-1681

Fritz Nelson VP, Editorial Director, [email protected] 949-223-3608

David Berlind Chief Content Officer, TechWeb, [email protected]

REPORTERSDoug HenschenExecutive EditorEnterprise [email protected] 201-660-8467

Charles BabcockEditor At LargeOpen source, infrastructure, [email protected] 415-947-6133

Thomas ClaburnEditor At LargeSecurity, search, Web [email protected] 415-947-6820

Paul McDougall Editor At LargeSoftware, IT services, [email protected]

Marianne Kolbasuk McGee Senior Writer IT management and [email protected] 508-697-0083

J. Nicholas Hoover Senior EditorDesktop software, Enterprise 2.0,[email protected] 516-562-5032

Andrew Conry-Murray New Products and Business Editor Information and content [email protected] 724-266-1310

Eric Zeman Mobile, wireless [email protected]

CONTRIBUTORSMichael Biddick [email protected] A. Davis [email protected] Feldman [email protected] George [email protected] [email protected] Marko [email protected]

EDITORSJim Donahue Chief Copy Editor [email protected]

ART/DESIGNMary Ellen Forte Senior Art Director [email protected]

Sek Leung Associate Art [email protected]

INFORMATIONWEEK ANALYTICSanalytics.informationweek.com

Art Wittmann VP and Director [email protected] 408-416-3227

Lorna GareyContent Director, Analytics [email protected] 978-694-1681 Heather Vallis Managing Editor, Research [email protected] 508-416-1101

INFORMATIONWEEK.COMBenjamin TomkinsManaging Editor [email protected] 516-562-5336

Roma Nowak Senior Director, Online Operations and Production [email protected] 516-562-5274

Tom LaSusa Managing Editor, Newsletters [email protected]

Jeanette Hafke Web Production Manager [email protected]

Joy Culbertson Web Producer [email protected]

Nevin BergerSenior Director, User Experience [email protected]

Steve Gilliard Senior Director, Web Development [email protected]

INFORMATIONWEEK VIDEOinformationweek.com/tv

Fritz Nelson Executive Producer [email protected]

INFORMATIONWEEK BUSINESSTECHNOLOGY NETWORKDarkReading.comSecurityTim Wilson, Site [email protected]

NetworkComputing.comNetworking, Communications, and StorageMike Fratto, [email protected]

InformationWeek GovernmentJohn Foley, [email protected]

InformationWeek HealthcarePaul Cerrato, [email protected]

PlugIntoTheCloud.comCloud ComputingJohn Foley, [email protected]

InformationWeek SMBTechnology for Small and Midsize BusinessBenjamin Tomkins, Site [email protected]

Dr. Dobb’s The World of Software DevelopmentAndrew Binstock, Executive [email protected]

READER SERVICESInformationWeek.com The destination forbreaking IT news, and instant analysis

Electronic Newsletters Subscribe to InformationWeek Daily and other newsletters at informationweek.com/newsletters/subscribe.jhtml

Events Get the latest on our live events and Netevents at informationweek.com/events

Analytics Go to analytics.informationweek.com for original research and strategic advice

How To Contact Usinformationweek.com/contactus.jhtml

Editorial Calendar informationweek.com/edcal

Back IssuesE-mail: [email protected]: 888-664-3332 (U.S.); 847-763-9588 (outside U.S.)

Reprints Wright’s Media, 1-877-652-5295Web: wrightsmedia.com/reprints/?magid=2196 E-mail: [email protected]

List Rentals Merit Direct LLCPhone: (914) 368-1083 E-mail: [email protected]

Media Kits And Advertising Contactscreateyournextcustomer.com/contact-us

Letters To The Editor E-mail [email protected]. Include name, title, company, city, and daytime phone number.

SubscriptionsWeb: informationweek.com/magazine E-mail: [email protected] Phone: 888-664-3332 (U.S.) 847-763-9588 (outside U.S.)

ADVISORY BOARD

Dave Bent Senior VP and CIO, UnitedStationers

Robert Carter Executive VP and CIO,FedEx

Michael Cuddy VP and CIO, ToromontIndustries

Laurie Douglas Senior CIO, Publix Super Markets

Dan Drawbaugh CIO, University of Pittsburgh Medical Center

Jerry Johnson CIO, Pacific Northwest National Laboratory

Kent Kushar VP and CIO, E.&J. Gallo Winery

Carolyn Lawson Director, E-Services, California Office of the CIO

Jason MaynardManaging Director, Wells Fargo Securities

Randall Mott Sr. Executive VP and CIO,Hewlett-Packard

Denis O’Leary Former Executive VP,Chase.com

Mykolas Rambus CEO, Wealth-X

M.R. Rangaswami Founder, Sand Hill Group

Manjit Singh CIO, LasVegas Sands

David SmoleyCIO,Flextronics

Ralph J. Szygenda Former Group VPand CIO, General Motors

Peter Whatnell CIOSunoco

Bright House* www.brighthouse.com . . . . . . . 13

Brocade www.brocade.com . . . . . . . . . . . . . . . . . . 3

CDW Corp. www.cdw.com . . . . . . . . . . . . . . . . . . C3

DTsearch Corp. www.dtsearch.com . . . . . . . . . . 43

Faircom www.faircom.com . . . . . . . . . . . . . . . . . 40

Gimpel Software www.gimpel.com . . . . . . . . . 42

Goldman Sachs & Co. . . . . . . . . . . . . . . . . . . . . . . . .

www.goldmansachs.com . . . . . . . . . . . . . . . . . . . . 45

IBM www.ibm.com . . . . . . . . . . . . . . . . . . . . . C2, 17

iDashboards www.idashboards.com . . . . . . . . . 15

Infragistics Inc. www.infragistics.com . . . . . . . . 39

ISACA www.isaca.org . . . . . . . . . . . . . . . . . . . . . . . . 5

ITWatchDogs www.itwatchdogs.com . . . . . . . . 45

Melissa Data www.melissadata.com . . . . . . . . . 38

Microsoft www.microsoft.com . . . . . . . 36, 37, C4

MovinCool www.movincool.com . . . . . . . . . . . . 22

Pivotal Solutions www.pivotal-solutions.net . . . 45

Programmer’s Paradise . . . . . . . . . . . . . . . . . . . . .

www.programmersparadise.com . . . . . . . . . . . . . 41

SAP www.sap.com . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Seapine Software Inc. www.seapine.com . . . . 34

SMS Memory Module Assembly . . . . . . . . . . . . . .

www.smsassembly.com . . . . . . . . . . . . . . . . . . . . . 45

VMware www.vmware.com . . . . . . . . . . . . . . . . . 11

*Regional/demographic

Print, Online, Newsletters, Events, Research

Page 6: Informationweek full-issue-may-30-2011 4130152

8 May 30, 2011 informationweek.com

Saving The PC From ExtinctionMicrosoft’s natural user interfacefor the Xbox may inject new lifeinto the sluggish Windows marketwhile proving there’s still room forinnovation on the desktop. —PaulMcDougallinformationweek.com/1299/pc

For me, one of the technologies thathasn’t caught on enough—but per-haps will now, thanks to the tablets—is touch-sensitive screens for laptopsand desktops. They’ve been aroundfor decades; I remember using one onan ancient Mac Plus way back in1987 when I worked at Apple. (Itwas our high-tech in/out board.)Today, a touch-screen laptop or

desktop would be immensely usefulfor surfing, manipulating images,working with files, clicking buttonsin apps. Pretty much anything donewith a mouse or trackpad would beeasier with a touch screen, as longas the screen can tilt to a comfort-able angle.That’s one of the reasons I like

tablets so much, especially whencombined with a keyboard dock:They’re the best of both worlds. Fast,efficient text entry plus editing plusfast, accurate manipulation of on-

screen elements. A 12- to 17-inchlaptop-sized tablet screen with a key-board dock would make an almostideal workstation for most workers.They just need a bit more speed andsome storage. —jasonscott

With sales in the high tens of millionsa year or more, I don’t think there’sgrave danger that PCs are going away.Are there other tools that performsome of the tasks they do, and inmany cases better? Yes, there are. Butis there a better tool for general busi-ness computing? No. —UberGoober

Core Competencies For Developing IT LeadersHow to groom high-potential direc-tors for executive-level success. —Larry Tiemaninformationweek.com/1299/tieman

This is a great article for preparingdirectors for success at the next level.Most if not all VPs got to their posi-tions due to an organizational beliefthat they could execute. Oftenmissed are the traits that new VPsneed in order to be successful at thenext level. It’s often assumed that allof the experience to date (technical,project/program, detail) will translateseamlessly to automatic success in anew role, which isn’t the case. Utiliz-ing this framework should help allinvolved. —cmbh

Most good technicians will adapttechnologically wherever they findthemselves, but turning them intoleaders requires a manager versed inmore than just a technical core com-petency. Self-starters of this magni-tude exist but are very rare. Mostpeople need encouragement andguidance to become effective leaders.

Sure, we all could tell horror sto-ries about people who didn’t workout for one reason or another orsome political situation that got outof control. But it has been my expe-rience that employing similar prin -ciples to those outlined in this ar-ticle has been overwhelmingly bene-ficial in producing well-roundedquality leaders. Even the most in -corrigible of individuals at least be -gan to recognize their shortcomings,which proved to be a critical firststep in them becoming profitableteam mem bers. —Soniman

Much of what is described is how tomake a better manager, not a betterleader. Some of the best leaders in myexperience never had the top titles.Leadership should be about inspira-tion, partnering, influence, teambuilding, taking risks, innovation.Financial management doesn’t re quireleadership—it’s a skill that all midlevelmanagers and above should be able toperform. —dmoore75001

IT Pros Don’t See Cisco’sClaimed TCO AdvantageNetwork architects want automation,virtualization support, and stan-dards, and they aren’t getting all thatfrom Cisco. —Art Wittmanninformationweek.com/1300/wittmann

It’s simple. If you have one vendorthat can truly provide a global end-to-end networking solution for yourcompany’s needs, then do it. Thatway, you have one “back to pat” andone “throat to choke.” There’s no fin-ger-pointing or concerns for interop-erability as the onus is on that com-pany to make the solutions integrate.Otherwise, you have to build and ed-ucate teams of support staff just tokeep the network up. —cschwartz770

Write to us at [email protected]

Page 7: Informationweek full-issue-may-30-2011 4130152

informationweek.com10 May 30, 2011

Skype, the omnipresent unified commu-nications service for consumers andeven small businesses, is a much better

fit for Microsoft than it was for eBay. And ifMicrosoft executes on the $8.5 billion deal’srich possibilities, Skype might just be a stun-ningly good fit. If.There’s wide-ranging fear that Microsoft

will suffocate Skype’s multiplatform support.Evidence suggests that Microsoft works toensure that its applications run across plat-forms, and now even as Web-based services.But evidence also suggests that Microsoftdoesn’t always give non-Windows platformsthe same attention. Witness Outlook on Mac,which lagged the Windows version for years.For enterprise users, the big question is

what the Skype/Lync road map will look like.Microsoft CEO Steve Ballmer noted that Mi-crosoft would integrate the two. From Lync,users will be able to connect with other busi-ness users (partners, customers) via Skype,which already supports federation with Win-dows Live IM, AOL IM, Yahoo IM, andGoogle Talk (via an XMPP gateway).However, Skype and Lync make different

assumptions about the network. Lync’s en-coder is built for optimization on enterprisenetworks; Skype’s, for the public Internet.Lync and Skype share almost identical end-

user features, including chat, audio, video,screen sharing among individuals and groups,as well as various calling-control features, likecall forwarding and transfer and voice mail.But Lync has many additional enterprise fea-tures, including Active Directory integrationfor role-based access control and authentica-tion. Lync allows centralized call manage-ment, end-point encryption, and call logs,and it can work with a variety of SIP gate-ways, as well as with a variety of videoconfer-encing systems, including room-based ones.For Microsoft Office and Exchange cus-

tomers, the Lync integration is huge. Beingable to detect and extract presence informa-tion in Outlook, for example, or to click-to-call from a Calendar invite makes collabora-tion seem natural. It’s a no-brainer to addthose same capabilities to Skype.The next question is how Microsoft will

compete with enterprise products such asCisco’s WebEx and Adobe Connect, which of-fer everything from corporate webcasting torich media internal conferencing. Microsoftdoesn’t have a product here, while Skype re-cently said that it would partner with Citrix,using GoToMeeting as Skype’s Web confer-encing platform. There’s no reason that part-nership can’t stay in place, and Microsoftshould extend that capability to Lync.The biggest opportunity for Microsoft is in

extending Skype’s mobile reach. There stillisn’t an iPad version, though the iPhone oneworks reasonably well. There’s an Androidversion, but not with video (coming soon).There’s no Skype for RIM’s BlackBerry orPlayBook. Microsoft says Skype is coming toWindows Phone 7, and maybe it can get itsnewest pal, RIM, on board as well.If Microsoft can make mobile Lync access

happen through Skype, then you’ve got mobilecommunications across devices everywhere,inside the enterprise and out. Carriers mayhave something to say about that, but they’restarting to get on board. From any tablet, theability to connect via video into, say, an enter-prise-class room video system, or join a Go-ToMeeting call ... that becomes compelling.Extend those capabilities to consumers

(Xbox, Kinect, Windows Live Messenger, andTV, where Skype is making inroads), and Mi-crosoft + Skype = $8.5 billion.

Fritz Nelson is the editorial director forInformationWeek. You can write to Fritz [email protected].

Why Microsoft Plus Skype Is An Enterprising Idea

If Microsoft can meld

Skype and Lync,

this $8.5 billion deal

may just become a

winning combination

FRITZ NELSON

Nelsonfull

Page 8: Informationweek full-issue-may-30-2011 4130152

Can the FBI transform one of the fed-eral government’s most problem-plagued IT projects, its Sentinel case

management system, into a model of successfor other agencies? Sentinel and its predecessor case manage-

ment system have been symbols of all that’swrong with government IT—over budget,blown deadlines, short on functionality. Theearlier IT failure that Sentinel grew out of, theFBI’s Virtual Case File system, was scrappedin 2005 after four years and $170 million indevelopment costs. Last September, after a partially completed

Sentinel had been put on hold, FBI CIOChad Fulgham decided to take over manage-ment of the project from lead contractorLockheed Martin. Fulgham, a former seniorVP of IT with Lehman Brothers, outlined aplan to use agile development to expedite theproject’s completion, with a goal of finishingit this year. Since then, a small team of FBItechnologists has been developing “workingsoftware” in intervals of a few weeks.Sentinel is a software and hardware sys-

tem that will be used by FBI agents to man-age the information associated with the casesthey handle. The digital system will replacepro cesses that in some cases are still paper-based. Sentinel’s planned capabilities in -clude records, document, and evidencemanage ment; workflow; records search; anda “workbox” for each user. Speaking at InformationWeek’s Government

IT Leadership Forum in Washington, D.C.,recently, Fulgham and FBI CTO Jeff Johnson,another former Lehman Brothers IT manager,explained how they shifted the Sentinel proj-ect from traditional “waterfall” applicationdevelopment—where requirements are es-tablished at the beginning and can take yearsto deliver—to agile development’s iterative,incremental methodology.

Fulgham, who inherited Sentinel when hejoined the agency in December 2008, walkedother federal agency CIOs through the agileprinciples that his team is following: therapid development of useful software, con-stant adaptation to changing requirements,close cooperation between businesspeopleand developers, and self-organizing develop-ment teams.A “system of record” will be delivered this

summer, with a broader release in September.Already, 10,000 employees are using the sys-tem’s existing capabilities. The FBI plans topublish a case study on its approach afterSentinel is completed later this year.When the case management system con-

tract was awarded to Lockheed Martin inMarch 2006, it was budgeted at $425 millionwith a due date of 2009. How, when, and atwhat cost the project comes across the finishline are being watched closely. The inspectorgeneral, the Government Accountability Of-fice, the Office of Management and Budget,and Congress have all weighed in on Sentinel.It’s worth noting that the FBI team didn’t

start from scratch with Sentinel when itshifted to agile development. Two of the pro-ject’s four phases were completed underLock heed Martin, and much of the system’sfunctionality comes in the form of commer-cial software from EMC, Entrust, IBM, Mi -cro soft, and Oracle. The way the FBI changedcourse midproject is significant because itsuggests an escape route for other agenciesstruggling with elephant IT projects.Before anyone takes a page from the FBI’s

agile playbook, however, Fulgham and Co.must finish what they’ve started. Ten yearsand more than a half-billion dollars into thiseffort, we’re all waiting to see how it ends.

John Foley is editor of InformationWeek Gov-ernment. Write to him at [email protected].

FBI Recasts Sentinel As A Model Of Agility

The agency’s CIO

and CTO share the

approach they’re

taking to hasten

completion of a

long overdue case

management system

JOHN FOLEY

12 May 30, 2011 informationweek.com

governmentTechnologist

Page 9: Informationweek full-issue-may-30-2011 4130152

14 May 30, 2011 informationweek.com

Career TrackHow long at current company:More than 10 years at AdvancedHealth Media, which offers com-mercial compliance managementsoftware and other services for thepharmaceutical industry.

Career accomplishment I’m mostproud of: I’m very proud of thepatents that we’ve been awarded forour technology. I can tell my sonthat I’m officially an inventor! In ad-dition, I’m honored to have won theNew Jersey Technology Council’sCIO of the year award for 2011.

Most important career influencer:I was influenced most by Dr. Stew-art Barbera back in the early 1990s.He gave me the opportunity andmotivation to start my first busi-ness. The entrepreneurial lessons Ilearned from that have helped metremendously in my career.

Decision I wish I could do over:I’d love an opportunity to revisitsome early decisions made whilegrowing our company. One thingthat comes to mind is allowing cus-tomization of our core products.While we ultimately created a new,much more configurable system, wespent a lot of time (and resources)supporting the original platform.

On The JobIT budget: Around $15 million

Size of IT team: Approximately 130

Top initiatives:>> Fine-tuning our technologyproducts in support of our expan-sion into the global market.

>> Optimizing our browser-basedsystems for better mobile usability.

GREG MILLERExecutive VP and CIO, Advanced Health Media

Tech vendor I respect most: SteveJobs: leader, visionary, decision maker

Least-favorite corporate plunderer:Donald Trump; even though he’s suc-cessful, I just don’t like his self-aggran-dizing attitude

Business pet peeve: People whospend too much time in CYA moderather than focusing on solutions

Favorite president: Ronald Reagan, agreat leader and communicator

If I weren’t a CIO, I’d be ... a beachumbrella rental attendant

>> Increasing computing efficiencyand decreasing our data centerfootprint through server and desk-top virtualization.

How I measure IT effectiveness:The best measurement is customersatisfaction. Everything else is just anumber.

VisionThe next big thing for my com-pany will be ... utilizing the toolsand technology that we’ve devel-oped for our U.S.-based operationsto deliver our products and servicesglobally. The U.S. is a leader inpharmaceutical regulatory and com-pliance management. The rest of theworld is now catching on and needssystems to help manage interactionswith healthcare professionals.

One thing I’m looking to change:Institute better governance usingtools that provide real insight intothe performance of our IT invest-ments. We’re in the early stages ofenhancing CA’s Clarity, our IT gov-ernance and portfolio managementtool, to help us better manage ourlarge IT initiatives.

The federal government’s toptech priority should be ... securityto ensure that our systems areavailable and operational. We haveall become very dependent on theavailability of our Internet-basedcommunications—just ask the peo-ple of Egypt.

Kids and tech careers: Almost allcareers are technology focusedtoday. Technology has become partof the business fabric rather than abehind-the-scenes cost center, so Ihope that my children pursue tech-nology careers.

Read other CIO Profiles at informationweek.com/topexecsCIOprofiles

Ranked No. 67 in the 2010

Page 10: Informationweek full-issue-may-30-2011 4130152

16 May 30, 2011 informationweek.com

Since taking the helm ofSAP 15 months ago, co-

CEOs Bill McDermott andJim Hagemann Snabe havehammered away on their bigthemes of mobile, in-mem-ory, and on-demand soft-ware. At the company’s an-nual Sapphire customerconference this month, theexecs showed tangibleprogress in delivering on themobile and in-memoryfronts, with still a long wayto go in cloud computing.

SAP’s making custom mo-bile app development morefeasible with a new 2.0 ver-sion of the Sybase Unwiredmobile platform, which inte-grates with SAP applicationinfrastructure, and a soft-ware development kit. SAPand Avon, for example, haveco-developed an iPad appfor cosmetics sales reps,which allows face-to-face in-teraction with a customer.The rep can show productpictures and descriptionswhile also checking on avail-ability and past customer or-ders through back-end inte-gration to SAP systems.

As for in-memory comput-ing, chairman Hasso Plattnerpromised the general releaseat the end of June of SAP’sHana appliance, which Platt -ner champions as offering20x performance gains andbig cost savings comparedwith conventional disk-based

data warehousing systems.Plattner says Hana can runon a Mac Mini desktop com-puter for a small business, oron comparatively modest$500,000 commodity serv -ers in enterprise deploy-ments. Hana will get its costadvantage from compressionand elimination of redundantstorage and management lay-ers, he said.

SAP CTO Vishal Sikka pre-sented video testimonials ofmore than a dozen Hana pi-lot deployments, mostly in-volving reporting, analysis,and what-if planning scenar-ios that previously took hoursand can be whittled down toseconds. Colgate-Palmolive,for example, said it cut thetime required for sales prof-itability analysis from 77minutes to 15 seconds in theCentral American region,where it tested Hana.

Canoe, a cable companyjoint venture, has a pilot ap-plication on Hana that deliv-ers ads to millions of indi-vidual cable subscribers inreal time, customized basedon what users are watching,which commercials theytend to watch, and whenthey change channels.

SAP also announced HanaCloud, an Internet-deliveredversion of Hana, which Me-didata Solutions is using tooffer an on-demand platformfor analyzing drug clinical tri-

als. President Glen de Vriessaid embedded Hana Cloudservices will let Medidata’sdrug-company customersquickly analyze billions ofrows of patient data to moni-tor the progress and cost ofthose trials.

Cloud, Such As It IsCloud computing is the

weakest of SAP’s innovationthrusts. The on-demandBusiness ByDesign (BBD) ap-plication suite is SAP’s topcloud initiative, yet its goal isa mere 1,000 customers bythe end of this year.

“We’re conservative intalking about the cloud be -cause we went to markettoo early with Business By -Design, and we burned ourfingers by talking aboutsomething without havingit,” Hagemann Snabe said,referring to the initial re -lease in late 2007. “I wouldrather have it and showthan talk about it.”

But SAP has more in thecloud. Its Sales OnDemand,a new sales-force automationapplication built on BBD, ison track for release by June,the company said.

More surprising is a deal

with Amazon Web Services.SAP has certified SAP Busi-nessObjects and more than adozen of what SAP callsRapid Deployment Solutionapplications to run in Ama-zon’s cloud. RDS apps areslimmed-down, preconfig-ured versions of standardSAP applications, includingsales and marketing, supplychain, product development,manufacturing, and finance.SAP said the combined costof licensing, managementservices, and Amazon WebServices for an RDS CRMapp will be lower than aSalesforce.com subscription.

SAP is delivering most ofthe products it has promised,but the most critical dates arestill over the horizon. Hanamust live up to Plattner’spromises of huge performancegains and cost savings when itarrives in June. Sales OnDe-mand, which takes on Sales-force, will test SAP’s cloudprogress. And customer adop-tion of 19 new mobile appsdue in September will be oneproof point as to whetherSAP’s $5.8 billion Sybase ac-quisition was worth it

—Doug Henschen ([email protected])

MOBILE AND MORE

SAP Is Delivering In Critical Areas

[QUICKTAKES]

Hagemann Snabe andMcDermott are getting there[

Page 11: Informationweek full-issue-may-30-2011 4130152

informationweek.com

Google co-founder SergeyBrin is correct in assert-

ing that the desktop com-puting model is funda -mentally flawed. Managingcomputers and user accessto them is a burden. Com-puter management shouldhave been simplified and au-tomated long ago.

Google’s alternative is po-tentially revolutionary:Chromebooks, which busi-nesses can get as a $28-a-month service that com-bines a notebook computerwith Chrome OS, Google’snew operating system forWeb software. Google Apps,the company’s email andproductivity suite, costs $50a year in addition to that.

It’s time to “sweep thedesktop clean and startover with a machine that’sdesigned to run in thecloud,” said Dave Girouard,president of Google’s enter-prise group, in a press con-ference at the Google I/Odeveloper conference ear-lier this month.

Since these machines relyon Web software, Chrome-books promise fewer securityand provisioning headaches,easier device and accountmanagement, and online op-erating system upgrades, at alower cost than operatingtraditional desktops. Sam-sung and Acer will make thehardware. “Chrome booksare a new model that doesn’tput the burden of managingyour computer on yourself,”Brin said. “And companiesthat don’t use [the ChromeOS] model, I don’t think

will be successful.”But Google has some hur-

dles to clear in convincingCIOs to change their desk-top approach in a way thatwould redefine the businesscomputer market. Makingthe transition isn’t that sim-ple, except perhaps for tech-savvy startups with no leg -acy IT infrastructure.

Google sees governmentagencies and schools asprime prospects for Chrome-books; their monthly price is$8 less than for businesses.But many of the Web appsused in government requireInternet Explorer.

And Google has faced re-sistance to a much less radi-cal pitch, that of usingGoogle Apps for email.Google has sued the U.S.Department of Interior infrustration, saying it didn’tgive Google Apps a fairshake when choosing onlineemail, and considered onlyMicrosoft.

Change comes slowly onthe desktop. Google’s SundarPichai, speaking at GoogleI/O, noted that half of busi-nesses still run Windows XP,an operating system releasedin 2001 and patched period-ically since then.

OS Overload?Then there’s fragmentation

between Chrome OS fornotebooks and Google’s An-droid OS for tablets andsmartphones. A convergencemight seem obvious—andappeal to businesses, whichdon’t relish dealing with an-other OS. But Google says

they’re separate. “We’re com-fortable seeing them coexist,”says Pichai.

The potential for networkbottlenecks may also limitChromebooks’ uptake in thenear term. Google Docsworks fine in the cloud; theperiodic transfers of data dur-

ing file save operations usu-ally go unnoticed. But largefiles don’t work well withWeb apps connected by thinpipes, which is why Google isbacking high-speed Internetprojects. Companies thathave to transfer large filesmay find that Chromebooks’limited local storage optionsdon’t meet their needs.

Then there are ongoingconcerns about cloud secu-rity and reliability, not tomention control of data. Asthe recent Amazon WebServices outage demon-

strated, cloud services canfail and customers can losedata. Microsoft’s BPOS emailsuite likewise went downbriefly during May. On-premises systems may be atleast as prone to problems,but when failures happen inhouse, there’s someone totalk to—and fire, if need be.

Outages in the cloud bringan apology, a promise thatnext time will be better, andmaybe a service credit. Pick-ing up and moving to an-other cloud service providerwhen you’re unhappy isn’tnecessarily easy or even pos-sible. And with Chrome-books, Google hasn’t laid outany refund option for the re-quired three-year contracts.That’s a big commitment.

Nevertheless, Google’sgamble is a good one. Applecould have done it, but itsheritage is as a maker of pre-mium hardware and soft-ware, not a commoditycomputing service provider.Google on the other handcan rely on its search ad rev-enue to subsidize comput-ing as a service over theWeb. It can afford to reduceits cut of Web app revenuein its Chrome Web Store to5% to encourage more apps.

Google’s strategy has agood shot of paying offeventually. Schools andsmall businesses will be thefirst on board, and they maycreate enough momentumto sustain a desktop shift. Ifso, Google’s competitorswon’t take this lying down.

—Thomas Claburn([email protected])

ANOTHER OPERATING SYSTEM

Google Gambles On Chromebooks As A Service

[QUICKTAKES]

18 May 30, 2011

Brin has a fix for thebroken desktop[

Page 12: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 19

Targeted squarely at thetrend toward the con-

sumerization of IT in theworkplace, VMware has in-troduced a service that letsIT pros manage private andpublic cloud resources.

VMware’s new HorizonApp Manager is a servicehub extension for MicrosoftActive Directory and otherdirectory ser vices. “It ex -tends and it federates,” pro-viding IT administratorswith real-time control ofenterprise and public cloudservices, says Noah Was -mer, VMware’s director ofad vanced development.

Administrators can quicklyadd and remove user accessto public cloud apps such asBox.net, Salesforce.com,Webex, and Google, as well

as to corporate services, hesays. For users, it provides asecure portal with singlesign-on for corporate andpersonal cloud apps via arange of devices.

The idea is to bridge thegulf that separates enter-prise apps from the publiccloud and bring them to -gether with secure, easy-to-maintain standards. Hor i -zon App Manager ad heresto security assertion markuplanguage and open authen-tication guidelines.

“Convincing cloud ser -vice providers to open theirAPIs for this is the bigunknown,” says Jeremy Les -niak, president of Ver montComputing.

Cloud ser vices are popu-lar with users because they

can be accessed and man-aged without formal IT sup-port. “In many enterprises,these same reasons havehindered adoption,” Lesniaksays. “VMware is setting outto allow organizations to

have the cost savings andflexibility of cloud servicesbut still maintain controlover security.”

Priced at $30 a user, Hor -izon App Manager is thefirst component to ship aspart of a unified, virtualworkspace vision, calledProj ect Hor izon, that VM -ware unveiled last summer.

This is the first service toreally help companies sup-port users who are increas-ingly bringing in unapprovedpersonal devices like tabletsand accessing cloud services,Wasmer says. Though some

IT pros have a problem withit, the trend is here to stay.

The management servicealso keeps Active Directorypasswords behind the fire-wall and allows access tothird-party cloud apps with-out requiring new federa-tion software or net gate-ways. —Gina Smith

([email protected])

THE CONSUMER EFFECT

VMware Service Manages Cloud Apps

ONLINE FILE SHARING

Dropbox Accused Of Misleading On Security

Acomplaint filed earlierthis month with the Fed-

eral Trade Commission al-leges that the popular Drop-box file-sharing servicemisled users about the secu-rity and privacy of their files.Dropbox, which claims 25million users, offers cross-platform file synchronizationand online backup, and it’sjust the kind of easy-to-accessonline app that businesspeo-ple increasingly tap.

Previously, Dropbox hadstated on its website that allfiles stored on its servers“are encrypted and are inac-cessible without your ac-

count password.” But Drop-box—unlike competitors,such as SpiderOak andTarsnap—uses file dedupli-cation. When a user uploadsa file, the site studies it tosee if it’s been uploaded bya different user. If it hasbeen, it then links to thepreviously uploaded file.

File deduplication typi-cally results in poorer se -curity and privacy, saysChristopher Soghoian, agraduate fellow at the Centerfor Applied CybersecurityResearch at Indiana Univer-sity, in a blog post. Soghoianfiled the FTC complaint.

Deduplication can make itpossible for outsiders to sur-mise what’s already onDropbox’s servers, some-thing police or copyrightholders might do to look forcontraband files, Soghoiansays. It won’t tell who up-loaded a file, but “presum-ably Dropbox can figure itout,” Soghoian says, andcould be forced to if pre-sented with a court order.

Soghoian also questionsDropbox’s use of a single en-cryption key for user data,raising the risk that a mali-cious insider could accessdata or hackers could steal

keys needed for decryption.In response to the com-

plaint, Dropbox said in anemailed statement: “We be-lieve this complaint is with-out merit, and raises issuesthat were addressed in ourblog post on April 21.”

Dropbox’s website previ-ously said: “Dropbox em-ployees can’t access userfiles.” In April, in response tocriticism from Soghoian andothers, Dropbox altered thewording to say: “We havestrict access controls that pro-hibit employee access to userdata.” —Mathew J. Schwartz

([email protected])

“It extends and it federates,” Wasmer says of VMware’s cloud management service.

Page 13: Informationweek full-issue-may-30-2011 4130152

[QUICKTAKES]

informationweek.com

Just how smart shouldyour car be? Ford Motor is testing the

limits of that by workingwith medical device makerMedtronic and app makerssuch as WellDoc to experi-ment with in-car healthservices.

For example, Ford isworking with Medtronic todevelop continuous glucosemonitoring and tracking ca-pabilities, and warn a dia-

betic driver of a low bloodsugar level, before dizzinesssets in. Such readings alsocould be sent wirelessly to apersonal health record, alongwith answers to automatedquestions based on readings.

Ford’s apps would lever-age the automaker’s Sync in-vehicle media system, whichamong other things lets driv-ers make hands-free callsfrom their smartphones anduse voice commands to con-

trol music from their MP3players. With health apps, itprovides a hands-free way toget information.

Another idea from Ford:Diabetic children could bemonitored, a feature per-haps valuable on long roadtrips. “Is the child in thebackseat just sleeping, orsuffering hypoglycemia?”says Gary Strumolo, Ford’sglo bal manager of interiors,infotainment, health, and

well ness research. The firstmobile health apps aren’tlikely to show up on themarket for about a year.

One that Ford is testingmeasures stress levels usingheart rate detection sensors ina vehicle’s seats. At times ofhigh stress, Sync might playmore soothing music andhave cellphone calls auto-matically routed to voicemail. —Marianne KolbasukMcGee ([email protected])

APPS EVERYWHERE

Ford Wants Cars To Check On Your Health

Microsoft’s next big Win-dows Phone OS release,

code-named Mango, prom-ises a number of enterprisefeatures, including email en-hancements, Lync support,connectivity to Office 365,and added email controls.

Despite criticism of Mi-crosoft for shifting to an en-tirely new mobile platformwith Windows Phone 7, thecompany has plodded ahead.Indeed, the user experienceis actually quite promising,even if it started life missingsome fairly obvious features.Mango, due later this year,provides marked improve-ments, and Microsoft finallyseems to be paying attentionto the enterprise.

For end users, the OutlookMobile client will includepinnable folders, meaningusers can take, say, a projectfolder and pin it to the Win-

dows Phone startscreen. Microsoft willalso add conversationviews, like the desktop ver-sion of Outlook has, but op-timized for the mobile screen.

Conversations will be in-dented and will include a ver-tical line that indicates there’smore than one email in thethread—clicking on the lineexpands the thread. The con-versation view takes place us-ing Exchange Active Sync,and can work with Hotmailand Windows Live Mail aswell, says Paul Bryan, seniordirector for Windows Phone.

Microsoft will also pro-vide server search, to lookfor archived messages on themail server.

In another important step,Microsoft will add a mobileversion of its Lync unifiedcommunication system.Many companies use Lync

on the desktop, and it’s nowalso part of Office 365. Onthe desktop, Lync providesinstant messaging, presence,and audio and video chat,plus desktop sharing. LyncMobile will include only in-stant messaging and pres-ence, for now.

Lync can access on-prem -ises Lync servers, but it canalso access the instant mes-saging service from Office365. In fact, in Mango, OfficeHub (one of Windows Phone7’s key user experience hubs)will work with Office 365.This means Word, Excel,Notes, and PowerPoint doc-uments can be saved andshared using the Office 365online service, as well as on

Windows Live SkyDrive, Mi-crosoft’s online storage ser -vice. The Office Hub will au-tomatically discover andprovision Office 365 ser -vices, including Exchange,SharePoint, and Lync; usersjust enter an account num-ber and password. TheSharePoint ser vice uses thenative Windows Phone 7SharePoint application.

Other Mango additions in-clude support for InformationRights Management, which isa part of Windows Server en-vironments that’s typicallyenabled for applications likePC-based email. Administra-tors set it up for ExchangeServer, and it provides a set ofemail-sending templates thatcan enforce a policy, like pre-venting the recipient fromprinting or forwarding anemail. —Fritz Nelson

([email protected])

WINDOWS PHONE

Mango Update To BringEnterprise Features

20 May 30, 2011

Windows Phone 7 isn’t perfect for business[

Page 14: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 21

In pursuit of big-data analy-sis, EMC plans to release

its own distributions of opensource Apache Ha doop dis-tributed processing software,along with an appliance thatwill analyze both structuredand unstructured data on asingle platform.

At the same time, startupDataStax has released a simi-lar product called Brisk thatcombines Apache Cassandraopen source software forlarge-scale transaction pro-cessing with a Hadoop distri-bution. Brisk combines alow-latency database for su-per-high-volume Web andreal-time applications withHadoop analytics.

Throw in SAP’s in-memoryambitions, and you can seelots of leading IT vendors ad-dressing mixed data analysison unified platforms.

Hadoop is quickly gainingpopularity due to its ability toanalyze massive volumes ofunstructured data—includ-ing textual information, likesocial network comments,and machine-generated data,such as network and securitylogs, as well as sensor data—that doesn’t neatly fit intoconsistent columns and rows.

EMC says it will releaseEMC Greenplum HD Com-munity and Enterprise Edi-tion distributions of Hadoopin the third quarter. It also isplanning a Greenplum HDData Computing Appliancethat will combine the Green-plum database and the Enter-prise Edition Hadoop distri-bution on one appliance.

EMC isn’t the first to ana-

lyze structured and unstruc-tured data on one platform,but it’s the first appliance torun a relational database andthe Hadoop stack on a singlehardware platform. Thecombo promises to improveperformance and eliminateredundant hardware.

Hadoop AppealUnstructured data can’t be

analyzed in conventional re-lational databases, so compa-nies swamped with tens orhundreds of terabytes rely onHadoop, which can spreadprocessing across tens, hun-dreds, or thousands of com-pute nodes on commodityserv ers, depending on thescale of the deployment.Hadoop also provides aMapReduce engine that helpssplit up workloads whenhandling particularly largesets of unstructured data.

To date, Hadoop deploy-ments and conventional rela-tional data warehouses haverun on separate hardwareplatforms, yet companiesusually need to do SQL-styleanalysis of the data sets thatemerge from Hadoop analy-ses. Data integration and datawarehouse-appliance ven-dors have partnered withCloudera, which has a pop-ular Ha doop distributionand is the leading provider ofenterprise-grade Hadoop ser -vices and support. Hewlett-Pack ard’s Vertica and Ter a -data, for example, integratewith Cloudera Hadoop de-ployments so data sets can bemoved to their platforms forfurther SQL analysis.

EMC Greenplum has alsopartnered with Cloudera, butwith this latest move it effec-tively will become a competi-tor, offering its own Hadoopsoftware distributions, ser -vice, and support, albeit withan emphasis on deploymentson EMC appliances.

“With the amount of in-novation that we see that’spossible, it just makes muchmore sense for us to own

the Hadoop distribution aspart of our stack,” says LukeLonergan, a Greenplum co-founder and CTO of EMC’sdata computing division.

EMC’s Enterprise Editionfeatures a proprietary re-placement of the HadoopDistributed File System,which it claims is two to fivetimes faster than the stan-dard HDFS.

Greenplum can alreadyquery HDFS from within itsdatabase. Other vendorsthat support mixed struc-tured and unstructured dataanalysis include Aster Data,which was recently acquired

by Teradata. Its SQL-Map -Reduce capabilities let de-velopers handle many typesof unstructured data queryand processing jobs, thoughnot quite to the degree sup-ported by Hadoop.

Given the fast-moving stateof Hadoop developments,there will undoubtedly bemore novel combinations ofHadoop aimed at blendeddata-analysis capabilities.Lonergan predicted thatwithin three years, singleplatforms will handle the mixof unstructured data andHadoop-style analysis, struc-tured-data query with SQLanalysis and data mining, andreal-time, low-latency in-memory analysis of high vol-umes of information.

EMC has the first two cov-ered and is “working aggres-sively” to cover the third,Lonergan says. SAP is tack-ling the second and third ar-eas with its in-memory strat-egy, and SAP’s Bus iness -Ob jects analytics initiativescould lead to interest in un-structured-data analysis.

DataStax has addressedunstructured and real-timewith Brisk, and it could addother open source softwarefor SQL-relational analysis.

Oracle has talked up theblend of transactional andanalytics support, but it’s aneither-or pro po si tion when itcomes to configuring its Ex-adata appliance. Real-time,in-memory loading andanalysis also isn’t in the pic-ture as yet with Exadata.

—Doug Henschen([email protected])

BIG DATA

EMC’s Hadoop Move Points To Analysis Arms Race

WHAT ISHADOOP? A collection of open source distrib-uted data-processing componentsfor analyzing large volumes of un-structured data, such as Facebookcomments, Twitter tweets, email,instant messages, and security andapplication logs. It’s designed toscale out on low-cost commodityservers and is being used by thelikes of AOL,eBay, Facebook, JP-Morgan Chase, LinkedIn, Netflix,The New York Times, and Twitter.

Page 15: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 23informationweek.com

hese days, information technology giveth. Web-enabled mobile devices and applicationsare the biggest game changers since the PC. Thecloud has redefined how we think about com-puting power and even the need for data cen-

ters. Big data analytics are a looming business opportunity. The Windows desktop is giving way to a variety of de-vices—tablets, smartphones, maybe even Google rent-a-Chromes, all working alongside conventional PCs and lap-tops. IT is being embedded in everything from cars to slotmachines to handheld checkout devices in retail stores. It’s a whirlwind of potential that business technologists

can help their companies seize. So why aren’t people morefired up about doing that? When InformationWeek, in our 2011 U.S. IT Salary Sur-

vey, asked IT professionals about their most important jobattributes, the ability to work on creating new, innovativeIT solutions was cited by only 20% of IT staff, down 11points from 2009’s survey. A mere 21% cited working withleading-edge technology—a five-point drop from 2009.Just 39% cited the challenge and responsibility of the jobas an attribute, a decline of eight points. Hardly the stuffof a profession facing the opportunities of a lifetime.ADP CIO Mike Capone saw this mood recently at a

breakfast meeting with IT pros from other companiesaround New York City, which led him to give an im-promptu pep talk. Based on the questions and discussionthat ensued, it became clear that a lot of the attendees felt

[COVER STORY]

InnovationAtrophy

Too many IT pros, beaten down by cost cutting,have lost the fire for new ideas and new technology.

IT leaders need to pump them back up.

B y C h r i s M u r p hy

T

Page 16: Informationweek full-issue-may-30-2011 4130152

“beaten down” by cost cutting and leftout of company strategy, he says. David Guzmán, CIO of the market-

ing data and technology company Acx-iom, thinks IT leaders evaluating theirinnovation strategies need to start byacknowledging reality—that cost cut-ting has dominated the business envi-ronment and taken its toll on thetroops. “All investment in IT has hadto be very ROI-focused,” Guzmán says.“It’s part of what we’ve had to do tokeep pace with the business.” Dell CIO Robin Johnson looks at the

InformationWeek salary survey datashowing diminished interest in work-ing on the newest technologies andisn’t at all worried. In fact, “I think wehave far too much of a focus on newtechnology,” he says. At every IT team meeting, Johnson

reminds his people that they’re in thebusiness of making Dell’s business runbetter, not implementing technologyfor technology’s sake. Johnson has adedicated innovation team. But start-ing with what a technology can do, in-stead of a business goal like cutting or-der-to-cash time, has led to a lot offolly for IT operations. One way to in-terpret the data from our salary survey,he says, is that “IT has grown up a lot.”That’s good, as long as it doesn’t mean

that those youthful innovation muscleshave gone flabby in the pro cess. Thedanger is innovation atrophy, a conditionwhere risk taking and daring become soneglected amid belt tightening, quickROI, outsourcing, and plain old fearthat IT pros forget how to take a chanceon a big, potentially brilliant idea.Even the most successful companies

must constantly guard against innova-tion atrophy. Bill McNabb, CEO of mu-tual fund giant Vanguard, saw his com-pany seize the Web to reshape itsoperations—from being a company de-pendent on the phone and mail for cus-tomer relations to one in which Webinteractions are the norm. Sometime af-ter that flurry of Web innovation,though, the company hit what McNabb

calls “a bit of a lull in innovation.” Inan effort to get more high-impact proj-ects into the mix, Vanguard’s leadershiptook steps to create ad hoc projectteams geared to the rapid developmentof prototypes. In 2010, Vanguard wasat the top of the InformationWeek 500,our annual ranking of IT innovators. Fostering innovation should be high

on every CIO’s priority list, as compa-nies shift into growth mode as the

economy recovers. (See story, p. 26.)Their approaches, however, must beconsistent with their companies’ cul-ture, such as their tolerance for risk andfailure, or how far into the futurethey’re planning. Following are some ofthe key questions CIOs must consideras they look to build innovation muscleor tone up after extended inactivity.

>> Innovation Lab Or Not?Some companies establish lab envi-

ronments where technologists are ded-icated to the pursuit of IT innovation.

These formal efforts must be well man-aged. Without a clear purpose, theyrisk becoming the corporate equivalentof a high school science fair. The mission of innovation labs differs

by company. Dell’s IT innovation teamconsists of about 15 people chargedwith coming up with completely differ-ent approaches to business problems.Ideally, the team creates templates andframeworks that others in the companycan implement where there’s a need.For example, Dell’s testing a screen for

internal enterprise search that soundsspartan even compared with Google’ssimple search page design, with only abox for the search terms. Say someonein customer service has a part number,invoice, or customer name and address,and needs more information. The ideais to let that person type one of thosedata points into the search box and getoptions laid out in search results format.The business goal is “radically simplify-ing” how employees interact with tech-nology and ultimately customers, John-son says. That customer service repwouldn’t have to know which applica-tion to use with the tidbit of informationin hand; the search tool makes that easy. In Johnson’s view, the technology

behind that radically simple interfaceis secondary. Yet, as is so often the casein IT, making something appear sosimple takes a lot of back-end sophis-tication. Behind this search box is anarray of enterprise search software,such as Microsoft’s Fast, embedded inhundreds of applications used withinDell. The search screen is in pilotmode. “I don’t know if we’ll deploy itor not,” Johnson says. Acxiom’s IT innovation lab has a

different mission. It’s focused on eval-uating emerging technologies. Acx-iom’s business is data, providing infor-mation that companies use tosupplement their own customer datafor marketing programs and segmen-tation. “We were Big Data before BigData was cool,” Guzmán says.So Acxiom has a 1,500-square-foot

Get This And All Our Reports

Try our InformationWeek Analytics reports with a free copyof the 2011 U.S. IT Salary Survey: informationweek.com/analytics/salary2011

This report includes exclusivesalary research based on our sur-vey of more than 18,000 IT pros.

INNOVATION ATROPHY[COVER STORY]

informationweek.com24 May 30, 2011

Page 17: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 25

lab where it puts the latest software andgear through its paces. For example, ittested Cisco’s new UCS server blade sys-tem before it was released and got itshands on one of the first of IBM’s xSeriesservers. It’s essential that lab personnelstay close to Acxiom’s customers as away of keeping such work relevant. “Ifthey are really involved in the business,understanding what’s happening in ourbusiness and what our customers’ prob-lems are that we’re trying to solve, themore they can apply what they’re doingto those problems,” he says.Acxiom recently colocated the tech

R&D team with its product develop-ment group, since their work is soconnected. One of the hardest challenges with

driving IT innovation is getting every-one involved, so it doesn’t become thesole responsibility of one small team.That’s one of the risks with an innova-tion lab: The company’s other technol-ogists interpret it as a sign that they’reoff the hook for big ideas.Capone sees the opposite risk at

ADP: how to share the wealth. “Thechallenge I have is everyone wants towork on the new stuff,” he says.At ADP, like Acxiom, IT’s not a back-

office or support function. ADP han-dles payroll for half a million compa-nies, and systems and software are theheart of the business. ADP’s IT teamworks regularly with the company’sbusiness units to drive new products.ADP opened an innovation lab a few

weeks ago. It will be staffed with a coreteam of four or five technologists, in-cluding some new hires from outsidewith innovation expertise, and 15 to20 others will rotate through the lab ontemporary assignments of around sixmonths. This is out of an IT depart-ment of about 5,000 people.Capone’s strategy is to engage more

people in the pursuit of innovation,while maintaining a sharp focus on theneeds of the business and its customers.CNA Insurance this year made a ma -

jor shift to rely on outsourcers heavily

for IT operations. It used to have about1,000 IT staffers and 1,000 contractors,and the majority of them focused onwhat CIO Ray Oral calls “run the busi-ness” IT operations. Now CNA hasabout 400 IT staff mostly fo cused on“change the business” IT proj ects, hesays, while four key ser vice pro vidershandle most IT operations. In addition,though, Oral has three of its serviceproviders provide innovation lab ser -vices. Oral says they’re still developinghow best to use this new model, but onething he likes is that, in addition to thepeople the outsourcers have full time onCNA concerns, they also pull in asneeded people who specialize in otherindustries—from manufacturing toderivatives trading—to bring new ideas. Vanguard had a formal IT innova-

tion lab in the early 2000s. The labpursued long-range, “maybe-someday”projects. Its goal was to get people tothink about the potential of emergingtechnologies, Web technologies in par-ticular. But it was an un-Vanguard-like

place. The company is the king of low-cost mutual funds, and its innovationsare grounded in practical client needs. That’s why CIO Paul Heller led the

creation of an ad hoc innovation pro-gram. Employees volunteer to work onnew ideas, and they generally do so ontop of their day jobs, not in lieu of them.A small team of five people is dedicatedto innovation, but most of their work in -volves assisting the ad hoc teams, doingthings such as coordinating develop-ment scrums to get prototypes going. Is a lab the right way to keep inno-

vation strong? That depends on yourcompany’s culture and the kind ofinnovation it demands.

>> What’s Your Time Frame? One gauge of the cultural question

is to consider how quickly the busi-ness needs to get results from its inno-vation efforts. Is three years down the road too far?

Not at Caesars Entertainment (formerlyHarrah’s), the world’s largest casino op -

What Matters?Percentage of IT staff who rank these items among their seven most important job attributes

2011 Point changefrom ‘09

Base pay 50% -10 Job and company stability 45% -4 Benefits 43% -7 Flexible work schedule 42% +5 My opinion and knowledge are valued 40% +4 Challenge of job and responsibility 39% -8Vacation time and paid time off 38% +8 Job atmosphere 36% +2 Recognition for work well done 31% +8 Having the tools and support to do my job well 29% +5 Working with highly talented peers 25% +9 Skill development, educational, and training opportunity 25% +6 Telecommuting and working at home 24% +5 Commute distance 23% 0 My work is important to the company’s success 22% +3 Ability to work with leading-edge technology 21% -5 Ability to work on creating “new” innovative IT solutions 20% -11

Data: InformationWeek Analytics 2011 U.S. IT Salary Survey of 9,936 IT staff, January 2011

Page 18: Informationweek full-issue-may-30-2011 4130152

26 May 30, 2011 informationweek.com

erator, which for years has had a teamdedicated to innovation projects. Ledby CTO Katrina Lane, the innovationgroup stayed in place through a reces-sion that hit the tourism and entertain-ment industries hard.A long-term view for the innovation

group is important because, whileeveryone’s on the lookout for newideas, no one else in the company isspecifically charged with looking sev-eral years down the road for disrup-tive technologies. But a long horizondoesn’t equal a lack of urgency. “Thegroup has to not be constrained by‘It’s got to pay back tomorrow,’ ” Lanesays. “But at the same time, we have toactually start doing things tomorrow,to evolve the vision and try thingsout.” That means building prototypesand even testing them in casinos to getreal-world interaction.The recession prompted Caesars to

think more consciously in terms of aportfolio of projects—to always havesome with quick expected returns,along with others whose returns mightbe realized in three years or more. Lane doesn’t think IT pros have

lost the fire for exploring new tech-nology, but she sees other risks toinnovation. “There is a pressure infinding the time and opportunity tothink a little further out when there’san environment of being very effi-cient in what we do,” she says. At ADP, Capone will urge innova-

tion teams to create prototypes in six-to 12-month cycles—18 months max.Too short? Some will say so, but Ca -pone feels tremendous pressure to“compress the cycles” of how quicklyIT delivers on new ideas. One reason faster innovation is more

feasible today than it once was is be -cause “the tools have become so pow-

erful,” Capone says. There are cloudplatforms for on-demand server capac-ity and better tools for collaboration.ADP uses iRise’s visualization softwareto generate rapid software prototypes,so business partners can say “we likethat; don’t like that” be fore developersstart writing code. On the demandside, smartphone and tablet usersamong ADP’s customers are coming toexpect a constant stream of new capa-bilities. “My man tra is everythingcloud, everything SaaS, everythingmobile,” Capone says.

>> Do You Know Your Customers?Innovation efforts can’t become too

far removed from customer needs.Even companies with a long-term view—unless they’re doing truly funda-mental, almost academic research—need this grounding in reality. ADP’s approach of rotating lab staff

[COVER STORY] INNOVATION ATROPHY

Corporate IT is about to face a surgein demand for innovation, but is itready? In the first quarter of 2011,20% of S&P 500 companies reported

that their revenue exceeded prerecession peaks. Many morewill reach this milestone before the end of 2011. When this hap-pens, the brakes come off capital spending. In fact, that elite20% grew capital spending up to 65% faster than the rest. With greater capital spending comes more appetite for in-

novation, and at most companies IT is expected to play a fullpart. But despite all the hype about IT innovation and the CIOas “Chief Innovation Officer,” the reality is that corporate IT’sability to innovate has atrophied. In many organizations, yearsof cost cutting, standardization, and simplification came at theexpense of innovation. Deploying ERP, consolidating data cen-ters, or completing an outsourcing deal are difficult and worth-while but rarely innovative. Besides not being innovative, they may actually be harmful

to innovation. The behaviors and processes required—effi-ciency, repetition, process discipline, and risk aversion—arecontrary to the flexibility and creativity that lead to innovation.One leading CIO told us recently that many innovators and crit-

ical thinkers left her organization as they battled their waythrough a multiyear ERP implementation.To be truly effective at innovation, CIOs must rethink the way

IT works with the rest of the business, incentivizes staff, andevaluates investments. CIOs must do this without sacrificing theefficiency and operational excellence they have so painstak-ingly acquired. In recent research, Corporate Executive Board’sInformation Technology practice examined how exemplar ITorganizations are successfully navigating this dilemma.

1. Foster Openness To InnovationInnovation entails creative tension and a willingness to take

risks. For example, business-facing IT staff must be able to“challenge” their business partners, not just build relationshipsand seek consensus. More broadly, IT leaders should take an-other look at IT staff performance criteria to ensure that cre-ative thinking and appropriate risk-taking are encouraged, notpenalized.

2. Expand The Pipeline Of New IdeasInnovation requires openness and collaboration within and

beyond IT. We have seen a number of techniques, including reg-

4 Steps To Spark Innovation ANDREW HORNE, CORPORATE EXECUTIVE BOARD

Page 19: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 27

should keep it close to business needs.Beyond that, every IT team member isrequired to spend time with customers.Developers listen in on customer re-views of ADP products, for example,which Capone finds motivates themeven when customers complain. “I reallylike it when my developers hear that,”he says. “IT people have a lot of pride.”ADP IT managers must spend a “day

in the life” of a salesperson—workingthe phone, meeting customers, hearingfirsthand what they want. “That’s wheresome of our best ideas come from,”Capone says. Watching HR pros processpayroll, ADP teams saw that their workis “interrupt driven”—people constantlyhave to stop a batch process to deal withsomething else. That realization gotADP’s IT pros focused on making it eas-ier for those customers to pause a joband come back to it. Last fall, ADP delivered a mobile pay-

roll app for the iPad. Payroll mightseem like the ultimate desk job, untilyou think of the head of a landscapingfirm going from job to job, squeezingin payroll duties along the way. Cus-tomers like that said, “You finally un-derstand I don’t sit at a desk all day,”Capone says.Likewise, Acxiom’s Guzmán sends

his IT staff on sales calls and has themhelp put proposals together. He andCapone both work in businesses whereIT is vital to their companies’ services,but that direct connection is increas-ingly the norm across industries, asnew mobile experiences change cus-tomer expectations. “Innovation burnswhen it has a problem to solve,” Guz -mán says. But what if IT work is being done

by outsourcers whose people may notunderstand your business and cus-tomers as well as longtime staffers do?

Done wrong, outsourcing can bedeadly to innovation. Financial services company UBS

minimizes that risk by drawing a dis-tinction between outsourcers used forone-time projects—“transactional” re-lationships—and those that are part-ners with which it has long-term rela-tionships. One of those long-termrelationships is with Luxoft, whichuses IT teams located mainly in Russia,Ukraine, and Poland. UBS at timeshelps Luxoft recruit IT pros by lettingthem highlight the projects they’llwork on for UBS, and the interactionthey’ll have with UBS employees. To keep its partners close to its cus-

tomers’ needs, UBS employs agile de-velopment, where its outsourcers workdirectly with its line-of-business man-agers. For example, two scrum teamsof 16 people from Luxoft work directlywith front-office trading managers on

ular newsletters highlighting innovations in IT and idea-shar-ing partnerships with external parties, as well as less conven-tional approaches, such as spotlighting when employees areworking around IT systems, in order to uncover unstated enduser needs.

3. Triage The Most Promising IdeasOften, the hardest part of innovation isn’t generating ideas;

it’s deciding which to place bets on and pursue. A traditionalproject proposal without measurable ROI may just be a badproposal, but an innovative idea may have no measurable ROIbecause it hasn’t been tested. To distinguish between the two,IT organizations need a quick, lightweight filtering mecha-nisms based primarily on nonfinancial criteria and drivers ofcompetitive advantage. The idea is to determine whether aninnovation warrants further exploration, not to generate abusiness case or estimate ROI, as too little is known about theinnovation to assess the business case effectively.

4. Adopt A ‘Test And Learn’ Approach“Fail” is an unwelcome word in IT, but sometimes, indeed

often, innovations fail. The secret is to get to the failure asquickly and cheaply as possible, accept the failure withoutfaulting anyone, and move on. One way to do this is to identify potential uncertainties. Typ-

ically, the uncertainties relate to the business model, not thetechnology. Asking “Will this idea really improve how we dobusiness?” is usually a better approach to finding the uncer-tainties than asking “Will this technology work?” Having iden-tified the uncertainties, the next step is to test them, startingwith the most serious. For example, an insurance company we work with wanted

to test whether a new type of online quote generator wouldwin more business from agents. The biggest uncertainty waswhether the delivery of faster quotes would make a differ-ence in the market. Having identified the value of fast quotesas the first uncertainty to test, the company looked for a sim-ple low-cost experiment. Instead of building a prototype, itasked its call center to start providing quotes by email. Thefaster quotes did win business, so they moved on to test thenext uncertainty. So what does the innovative IT organization look like? It’s

an organization that challenges its business partners, encour-ages its staff to be creative and take risks, doesn’t always lookat project ROI (at least not at first), and isn’t afraid to fail. Thisis a tall order, but if IT can master it, then it will provide a ca-pability few can match.

Andrew Horne is managing director at the Corporate Executive Board. Write to us at [email protected].

Page 20: Informationweek full-issue-may-30-2011 4130152

28 May 30, 2011 informationweek.com

projects to improve trading software.Projects like these might go through aconventional, hierarchical planningprocess to start, but the agile develop-ment iterations drive the results. “Itdoesn’t mean we don’t plan,” saysMark Butterworth, head of UBS Com-mercial Business Strategy. “But we’reincreasing the communication and be-ing very clear on how we progress insmaller steps.” At CNA Insurance, the company has

a five-year “enterprise business roadmap”—a plan for developing the IT ca-pabilities it needs to build to meet busi-ness goals. CNA shares that with its out-sourcing partners, so they can bringideas in support of that strategy. “We’retrusting them more,” says CIO Oral. Another change that grew from

CNA’s shift to a heavily outsourced op-eration is that the business and ITteams needed to do a better job ofspelling out requirements, Oral says, as

they relied more on service providers.As they employed visualization toolsfrom iRise to mock up things such ascustomer interfaces early in the designprocess, it took some time and trainingfor business and IT teams to buildspecs in a more iterative way. “Youhave to get used to this notion that it’sOK to throw something away and startover,” Oral says. It’s OK, that is, as longas the project is in the early stages,where they’re throwing away two days

[COVER STORY] INNOVATION ATROPHY

When you check the local weather forecast onyour smartphone, the device sends a GPS co-ordinate of 10 to 15 decimal points. If you’restanding in Central Park, the request is nar-

rowed down to a few yards of your exact location. But as you might guess, the forecast you get on the west

side of Central Park isn’t any different from what you get onthe east side. “I’m good at weather,” says Steve Smith, CIO ofAccuWeather, a 49-year-old company that specializes in pro-viding weather forecasts. “I’m not that good.” Smith’s problem is that the servers in his data center treat

those two nearby forecasts as two separate requests, eventhough the data people receive is the same. So the data centergenerates a new response rather than use a cached copy ofthe request. The problem is made more acute by the fact that requests

for AccuWeather data have exploded in the last year, thanksto mobile devices. In January 2010, AccuWeather was gettingabout 100 million data requests a day. In January of this year,750 million, many of them automated requests from devicesto keep weather apps updated.One way Smith has dealt with this challenge is to put five

simple lines of code on the edge servers run by one cachingservice provider, AT&T. That code recognizes when someone’ssending a GPS coordinate to request weather, and it truncatesthe number to two decimal points—about 1 kilometer. AT&Tlooks at the request and, if it’s identical to one recently made,serves a cached version of the content.The benefit from those few lines of code: 300 million to

500 million fewer requests a day handled by AccuWeatherservers. That means AccuWeather’s data center doesn’t need to

process those requests, and users get the data faster, since it

comes from AT&T’s nearby content delivery network serversinstead of AccuWeather’s Pennsylvania data center. That work-load reduction, plus a data center upgrade that involved mov-ing to Dell blades with VMware’s virtualization software, hashelped AccuWeather handle the explosion in mobile datawithout expanding its data center. This experience has Smith thinking what else can be

pushed out of the data center. “I still feel I do too much serv-ing” of information, he says. If you think of cloud computing narrowly—as moving ap-

plications to Amazon’s EC2 service, for example—Smith's in-novation points to a new reality. There will be many cloudmodels. Amazon’s business model is impractical for most ofAccuWeather’s computing. Amazon charges for the quantityof data processed, as well as for the number of requests. Ac-cuWeather's typical data request is a tiny 4-KB XML file, but itgets hundreds of millions of them a day. Cloud computing isgoing to evolve to fill these niches.Smith and his IT team aren’t just innovating on infrastruc-

ture. Much of their new development is going into apps formobile devices. AccuWeather was one of six apps available onthe first iPad when it debuted. To keep up with the pace of opportunity in mobile services,

Smith has software developers working directly with marketingand product development teams. That takes a different men-tality than IT pros are used to, having to start developing asideas take shape and adjust as demand and devices change. “IT folks are structured by nature,” Smith says. “I’m asking

them to get outside the box—you’re not going to have it allwritten down—and fly by the seat of their pants a bit. Oh, andby the way, your timeline was yesterday. You don’t have theluxury of months and months.”

—Chris Murphy ([email protected])

5 Lines Of Code In The CloudWEATHER VANE

Page 21: Informationweek full-issue-may-30-2011 4130152

of mockups—not a year later, after amajor investment has been made. The closer ties IT teams are forming

with customers and products actuallymight be one explanation for Informa-tionWeek’s survey data showing a de-cline in the percentage of IT pros whoseek out leading-edge technologies asa priority in their jobs. For the past few years, Lane’s team

has been working to improve the slot-machine experience by adding screenswhere guests can order drinks or getpersonalized marketing messages, ifthey have a registered rewards card.That’s innovation to be sure. But shedoubts anyone at Caesars would thinkof it as an IT-led project. They justthink of it as a collaborative project.

>> How’s Your Appetite For Failure?It’s easy to say that real innovation

entails risk, which means some willfail. CIOs talk a good game about awillingness to fail, with the appropriatecaveats of “fail fast” and learn from theexperience. But they must be specificabout what that means.At Caesars, there should be about a

50-50 chance that a prototype testedin a casino doesn’t pass muster and isripped out rather than permanentlydeployed. “Otherwise, the bar is toolow,” Lane says.Think about that. We’re not talking

about half of whiteboard ideas panningout. This is half of the things that makeit through the filter, become workableprototypes, and get put in front of cus-tomers. Is 50-50 an acceptable successrate for your company? CIOs need to be clear about these

kinds of expectations. Otherwise, ITteams will make their own assumptions,and probably play it safe. These are peo-ple who lived through the brutal, risk-averse recession of 2008 to 2010. Innovation requires a balance be -

tween thinking big and being realisticabout what’s technically possible today.Remember Dell’s model, where CIOJohnson pushes teams to think of busi-

ness value before technology. Couldn’tsuch efforts become pipe dreams thatare technically unfeasible? “We’ve donea few of those,” Johnson admits. Johnson comes back to the focus on

value. If innovation teams are gearedtoward plausible outcomes and doingcost-benefit analyses, then “the impos-

sible dreams are self-regulating,” hesays, because risk and reward arebeing taken into account. But a key tension point in any inno-

vation strategy is how much toemphasize hard ROI metrics. Oneschool of thought says that IT innova-tors need to know it’s OK to spendmoney that ends up going nowhere.“You’ve got to start stuff and be pre-pared to kill it,” Johnson says. “Ifyou’re placing safe bets, you’re notdoing innovation.”

>> What’s The CIO’s Role? Innovation atrophy will set in

unless creative people fight it. That’swhere the CIO has to set the tone.Guzman puts the heat on himself to

build a creative culture where peoplequestion the status quo. As CIO, heneeds to know Acxiom’s customersbut also have the technical chops toinspire people to consider newapproaches inside their specialties. It’swhy he participates in the advisoryboards of vendors including IBM,Intel, and VMware. While Acxiom has formal commu-

nications channels, like the IT team’s“Not So Personal Portal,” Guzmánputs the most stock in informal dis-cussions. “They have to walk out ofthose fired up,” he says. “Our top net-working architect has to have his

thinking changed when he talks withme. Our top database architect, samething. It’s a leadership imperative.” Capone looks at the CIO role as

helping “envision what’s possible” withIT-driven innovation. CIOs must lightthe fire, so their companies don’tbecome complacent. “You need some

burning issues, particularly some com-petitive threat, to motivate the troops,”he says. Then the CIO needs to makesure IT is part of the strategic responseand helping to channel that energy.At Caesars, Lane has been thinking

about how to get the word out aboutits latest innovations. PowerPointslides just don’t do justice to projectslike its interactive slot machinescreens, so her team is experimentingwith Web conferencing tools that canconvey the cool factor, build excite-ment, and pull in feedback from awider range of people.More than anything, though, fear of

failure leads to innovation atrophy.CIOs must establish that risk is part ofthe innovation process, giving IT a li -cense to experiment. Because IT is sointegral to a widening array of prod-ucts and services, businesses can’twait for IT teams to get every elementperfect in a lab. That means tryingnew ideas where failure is scariest—infront of actual customers.“If you really want to do innovation

that will lead to customer-facing oremployee-facing new technologies,you have to get proof-of-concepts outthere,” Lane says. “Sometimes theywork. Sometimes not so much.”

Write to Chris Murphy [email protected].

May 30, 2011 29

“You’ve got to start stuff and be preparedto kill it. If you’re placing safe bets, you’renot doing innovation.”—Dell CIO Robin Johnson

Page 22: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 31informationweek.com

We see security as a majorstumbling block in en-terprise migrationsfrom IPv4 to IPv6. For

starters, the code is mostly untested,and too few of our current network se-curity products support IPv6, some-thing the black hat community isbanking on. And there’s widespreadconfusion—the idea that some charac-teristics of IPv6 make it intrinsicallymore secure than IPv4 is, sadly, justplain false, and information securityteams are largely in the dark on how tohelp their companies safely transition. Consider the “NAT-bashing” slide, a

fixture in IPv6 presentations. Presen-ters gleefully list all the reasons Net-work Address Translation is evil, andexplain how an abundance of IPv6 ad-dresses will finally let us eliminatewhat was always supposed to be a tem-porary address-conservation kludgeand get back to a true peer-to-peer In-ternet. High-fives ensue.Except, IT security professionals

don’t share the enthusiasm. Let’s faceit, IPv6 idealists can wave their fists atNAT all they want, but there are legiti-mate concerns about losing the abilityto shield internal address schemes.No wonder, then, that among the ses-

sions InformationWeek Analytics pre -sented at the recent Interop conference,by far the most popular was our pro-gram on IPv6 with a focus on security. Aquick show of hands revealed that mostattendees are still in the planning stagesof their deployments, par for the courseamong companies we work with. The

good news is that they can take advan-tage of the lessons learned by telecomcarriers and ISPs, which tend to be wellalong the road to IPv6. And while manyconventional enterprise security sys-tems will need to change to work in av6 network, the upgrade also providesopportunities for improvement—possi-bly even an outright reimagining ofyour security strategy.A prime opportunity to see how all

this works in real life is World IPv6Day, set for June 8. This is a milestonein the transition from IPv4 to IPv6,when companies including Akamai,Face book, Google, and Yahoo willoffer their content over IPv6 for 24hours. The event will provide valuabledata on connectivity, ranging fromsimple system misbehavior to theamount of user traffic that will switchto IPv6 when content is available over

the 128-bit version of IP. We’re alsofielding our first InformationWeekAnalytics IPv6 Survey now throughJune 13, at informationweek.com/survey/ipv6, to see where our readers are onthe migration curve. We’ll share ourresults in an upcoming report.

The Perimeter ProblemBack to security. One thing that

quickly becomes clear when rolling outIPv6 is that network systems them-selves are the easy part of the project,so much so that it’s become acceptedwisdom to start a deployment in thecenter and work outward. Difficultiespresent themselves in greater numbersas you make your way toward the net-work edge, where users are connectedto services. Envision a “core-to-edge”deployment strategy with your IPv6-enabled network in the middle, sur-

Will IPv6 Make Us Unsafe?Maybe, if you don’t pay attention to buggy code, motivated attackers, andlooming performance issues. But it also brings opportunity. By Jeff Doyle

>> Security involves more than firewalls and access control lists. Are all your IP systemsready for IPv6? How about your processes and people? Training is critical.

>> Some networking systems process IPv6 in software, vs. hardware support forIPv4. Can you say CPU depletion attacks?

>> Many modern operating systems enable IPv6 by default. Do you know where allinstances of these operating systems reside?

>> IPv6 standards and code are new, and new code is buggy. There have been security holes found, and more will come to light as v6 systems are put intoproduction. Monitor and patch.

>> Black hats are studying IPv6 closely, looking for new attack vectors. Your securityteam needs to do the same.

5 Key ConsiderationsFor IPv6 Security

Page 23: Informationweek full-issue-may-30-2011 4130152

32 May 30, 2011 informationweek.com

rounded by concentric perimeters ofservices. Closest to the center are theservices essential to the fundamentaloperation of the network: DNS, DHCP,and the like. Around that perimeter arethe services necessary to both managethe network and provide support:Think configuration management,change policy enforcement, monitor-ing, alarming, and logging.The outsideperimeter comprises your security bul-wark: firewalls, access control lists, in-trusion detection and prevention sys-tems, and the policies enforced bythem. The order in which systems aretackled under this model reflects thecurrent v6 readiness of our systems. If your company lists support for

IPv6 among the must-have criteriawhen purchasing new security gear,you’re ahead of the game—and likelyfrustrated that there isn’t more suchgear available. While network architectshave long had a wide variety of IPv6-capable routers and support systems tochoose from, security products havelagged the rest of the industry. Incredi-bly, until recently, relatively few fire-walls had useful IPv6 capabilities, andthere are still significant limitations.

Security MythologyWe hear all the time that IPv6 is in-

trinsically more secure than IPv4. Thismisconception likely springs from thefact that support for authentication andencryption is integral to the IPv6 spec-ification. Problem is, a capability calledfor in a spec does not necessarily trans-late into a capability that works in anactual network. In fact, our experienceshows that few IPv6 implementationsprovide “built-in” authentication andencryption, and end-to-end IPv6 ses-sions are not automatically secured.Again, a limitation of vendor imple-mentations of the specification. Another facet of the IPv6 security

myth stems from characteristics of theprotocol that, while not directly secu-rity-related, do have security implica-tions. For example, you’ll often hear

that IPv6’s huge address space makesit immune to port scanning. Assuminga port scanner could “hit” one addressper second, a scan of the entire addressspace of a 64-bit subnet would takeupward of 584 billion years. That’s animpressive stat, but it ignores the factthat smart subnet spies are already se-lective about the ports they scan andpredictive about the IP addresses theytarget. Yes, port scanning is more prob-lematic on a typical IPv6 subnet—forboth snoops and for your own securityteam—compared with almost any IPv4subnet. But stating that IPv6 is im-mune to scanning is just plain wrong.

And don’t assume that because mostnetwork engineers aren’t yet familiarwith IPv6, the bad guys aren’t either. Infact, as we discuss in our full report, atinformationweek.com/analytics/ipv6sec,the opposite is true: There are black hatsout there who see IPv6 as a once-in-a-lifetime opportunity. So much newcode, so much time to probe for flaws. It’s up to you to ensure that your sys-

tems are protected and your securitypersonnel are educated. The best placeto start identifying potential vulnerabil-ities is to understand key differencesbetween IPv6 and IPv4 that affect se-curity. Here are seven areas to know:

Neighbor Discovery Protocol:NDP is essential to the operation ofIPv6. It replaces several functions per-formed by separate protocols underIPv4, such as router discovery andredirects, and enables new functionsfor IPv6. However, NDP also presentsa range of exploits for an attacker whocan gain local access to a subnet.

ICMPv6: The ICMP messaging pro-tocol is a favorite vector for denial-of-service and CPU attacks, and guardingagainst ICMP message floods is a fun-damental security best practice. ButIPv6 is more dependent on ICMP thanis IPv4, so simply blocking all ICMPmessages at security checkpoints willbreak some IPv6 functions.

Fragmentation: Fragmentation at-tacks are another old favorite thatmight be given a new spin by IPv6.Unlike IPv4, IPv6 routers don’t frag-ment packets. Instead, the spec re-quires the originating end system ei-ther to test the maximum transmissionunits along a path to a destination andfragment accordingly or to fragment allpackets exceeding 1,280 bytes—thesmallest MTU an IPv6 interface is al-lowed to support.

Extension Headers: IPv6 econo-mizes its default header by eliminatingoptional fields. Instead, when an op-tional capability, such as fragmentation,source routing, encryption, or authenti-cation is required, an applicable exten-

[IPV6 SECURITY]

Get This And All Our Reports

Become an InformationWeek Analytics subscriber and get ourfull report on IPv6 security at informationweek.com/analytics/ipv6sec.

This report contains 15 pages of action-oriented analysis, including:

> What attackers are looking for in IPv6 networks

> More on the seven critical features in IPv6 that affect your security stance

> Key ways to mitigate your operational risk

> PLUS: Tell us about your IPv6plans at informationweek.com/survey/ipv6 and win an iPad!

Page 24: Informationweek full-issue-may-30-2011 4130152

May 30, 2011 33

sion header is inserted between the de-fault IPv6 header and the packet pay-load. Unfortunately, attackers can abuseextension headers in a number of ways,as we discuss in our full report.

Flow Labels: The Flow Label field isthe only field in the default IPv6 headerthat has no analogous function in theIPv4 header. It’s intended to enable effi-cient processing of microflows for im-proved service classification, but main-stream network systems do not yet useit. An intentionally miswritten Flow La-bel value could create a covert channel.

Automatic Tunnels: Automatictunneling mechanisms, such as 6to4and Teredo, are supported by mosthost operating systems. They’re used tocreate IPv6 connectivity over an IPv4-only network or segment, but they mayalso be used to create an unsecuredchannel, and most lack a means of authentication.

Large-Scale NAT: Also called Car-rier-Grade NAT, or CGN, LSN isn’t apart of the IPv6 specification, but it isoften associated with IPv6 transitionalarchitectures. LSN setups allow net-work operators to centralize their pub-lic IPv4 address pools, thus extendingtheir useful lives by multiplexing moreIPv4 flows to each address. These cen-tralized NATs—often single points offailure for tens of thousands of end sys-tems—represent attractive targets forCPU or address pool depletion attacks.

Beyond Black HatsSecurity goes beyond deflecting at-

tacks. You must also guard against un-intended side effects that can bringdown portions of your network as ef-fectively as any denial-of-service ex-ploit. In the case of IPv6, there are twokey nonmalicious threats to watch for.First, don’t assume that because you

achieve a given performance level froma network system running IPv4 you willrealize the same performance when youadd IPv6. A router that processes andforwards IPv4 packets in hardwaremight process IPv6 packets in software.

A firewall’s CPU might slow significantlywhen it processes IPv6, particularly ifextension headers are involved. Theother major nonmalicious threat to yourIPv6 network is lack of training. Fromthe very different address format to thekey protocol differences between IPv4and IPv6, your network operators andengineers need to be prepared.

Watch For BugsIPv6 implementations almost always

mean running code that hasn’t yet un-dergone production vetting. A routervendor might have supported OSPFv2

for almost 20 years, but OSPFv3 forIPv6? It’s new—and very likely buggy.Did your firewall vendor release IPv6support only within the past couple ofyears—or even months? Then there aresurprises awaiting you. This isn’t an in-dictment of sloppy development work;we all depend on extensive productiondeployments to reveal problems. Yetworldwide, IPv6 is still in its earlystages of use, meaning even IPv6 im-plementations that were written yearsago may just be getting their first large-scale field tests.Even standards bodies are occasion-

ally guilty of overlooking security risks.Two infamous examples of early over-sights in IETF specifications were anIPv6 source routing vulnerability thatopened the possibility of amplificationattacks and firewall bypasses, and anICMPv6 vulnerability that allowed ping-pong attacks on point-to-point links.

Both vulnerabilities were well known inIPv4 and had long been corrected inearlier standards, but were simply over-looked in initial IPv6 specifications. Andwhile these mistakes have been cor-rected in newer versions of the protocol,you need to assume that some operatingsystems in your network incorporate theolder, problematic standards—whichbrings us right back to awareness, com-munication, and testing.

New OpportunitiesThe transition from IPv4 to IPv6 is a

major evolution. It’s also unavoidable,unless retirement is in your near-termplans. And although IPv6 presentssome new security challenges, none ofthem are insurmountable given theright preparation. In fact, smart CIOsare looking at the transition as an op-portunity. Are your security practicesand systems all that you want them tobe? If not, an IPv6 deployment can bethe perfect time to assess your situationand improve or replace your currentsecurity architecture and practices.The transition to IPv6 is also an op-

portunity for us as a community to re-consider the way security is practiced.Are firewalls and intrusion detectionsystems sufficient protection? All of the1,000-plus respondents to our latest In-formationWeek Analytics Strategic Secu-rity Survey use firewalls, and 93% haveintrusion detection/prevention systemsin place. But walls have never truly pro-tected us—maybe it’s time to considera new outlook, like moving to a modelof end-to-end authentication and en-cryption, creating “zones of protection”around individual hosts and servers,and adding improved algorithms forthreat analysis and interdiction. Andmaybe IPv6 can help us get there.

Jeff Doyle is president of Jeff Doyle andAssociates. He specializes in IP routingprotocols, MPLS, and IPv6 and hasworked globally with large IP serviceprovider networks. You can write to us [email protected].

>> Extension headers

>> Neighbor Discovery Protocol

>> Heavier dependency on ICMP

>> Flow labels

>> No NAT66—get over it

5Key PolicyChanges In IPv6

Page 25: Informationweek full-issue-may-30-2011 4130152

Java has long been one of the cen-tral technologies of enterprise ap-plications. The speed and scalabil-ity of the JVM, in particular, have

endeared it to large IT organizations. Buttoday, companies need more than justfast performance; they are increasinglysearching for deterministic, real-timeperformance. Determinism in this sense means that

a given action will occur within a fixedtime interval, such as delivery of a stockquotation within some number of mi-croseconds. Historically, Java hasn’tbeen used to fill that role, because of

some early design decisions in the plat-form. However, new options and newtechnologies are enabling IT organiza-tions to use Java for both standard busi-ness needs and situations where deter-ministic, real-time requirements mustbe met. Few things generate more confusion

in the programming world than dis-cussions of real-time software. Manyconfuse it with high-performancecomputing, while others use it to de-scribe any system that pushes data tothe user without a user request. Thesecharacterizations alone simply aren’taccurate. While it’s true that boththese aspects may be part of real-time

system behavior, the definition of areal-time system centers on one word:time. Correctness means producingthe right answer, and doing so at a pre-cise moment in time. Another source of confusion is the

difference between hard and soft real-time systems. A hard real-time require-ment is one in which a task needs tobe completed at or before a certaintime, every time it’s required, regard-less of other factors. A soft real-timesystem contains some tolerance interms of missing its deadline. For example, stating that a foreign

exchange trade needs to settle withintwo days is a hard real-time require-ment, whereas stating that videoplayer software needs to update itsframe 60 times per second is a softreal-time requirement—occasionallydropping a frame isn’t considered anerror. However, it’s still a real-timesystem because too many droppedframes, or too much delay betweenthem, is considered an error.

Java And Real-Time DevelopmentJava Standard Edition (Java SE) is

not ideally suited for real-time require-ments. Existing Java Virtual Machines(JVMs) just aren’t designed for pre-

dictability and determinism. For instance, garbage collection

(GC), in which the RAM allocated tono-longer-used data items is reclaimedfor reuse by the JVM, is one source oftrouble. GC can occur at any time, forany length of time, with few optionsfor users to control it. This potential forunbounded delays makes it impossibleto guarantee a system’s behavior; it isnondeterministic. Attempts to pool ob-jects or somehow control their lifetimeto avoid GC are often in vain, as GCpauses may still occur. However, Java SE’s real-time defi-

ciencies go beyond the garbage collec-tor. The just-in-time (JIT) HotSpotcompiler—the same one that compilesbytecode to machine code—is alsonondeterministic. Because JIT compi-lation can occur when your code is ex-ecuting, and can take an unknownlength of time to complete, you can’tbe guaranteed that your code will meetits deadlines all the time. Even Javaclasses that have been JIT-compiled aresubject to reoptimization at any pointin the future. More importantly, Java provides no

guaranteed way to prioritize threads orevent handling within your applicationcode. Therefore, even if GC and JITcould be controlled, real-time behaviorcouldn’t be guaranteed without theability to prioritize your thread pro-cessing. With strict priority controlcomes the need for advanced lockingbeyond what most standard JVMs pro-vide. These are important points to

Read all about software development at Dr. Dobb’s: drdobbs.com

May 30, 2011 35informationweek.com

Real-Time Ready JavaPredictable, real-time performance is possible By Eric J. Bruno

New options and new technologiesmean Java increasingly can handledeterministic, real-time requirements.

Page 26: Informationweek full-issue-may-30-2011 4130152

remember as most people blame theGC and JIT compiler entirely for Java’slack of real-time ability.

The C++ AlternativeA common alternative to Java for

real-time development is C++, butthis is a flawed solution. While C++is a good language, it isn’t an entitythat magically yields predictabilityand determinism. It requires greatskill and enormous knowledge, alongwith operating system support andintegration, to deliver a real-time sys-tem in C++. For instance, although GC problems

don’t exist in C++, the C runtime onwhich C++ depends for heap manage-ment can exhibit nondeterministic be-havior. Quick examination of somestandard C runtime library code reveals

that locating free memory chunks foruse by the program can involve exten-sive memory manipulation. This canlead to unpredictable results duringmemory operations.Instead, with C++, the developer

bears a great burden to ensure deter-ministic, predictable execution across allaspects of application processing. This

usually results in a dependence uponthird-party libraries for memory man-agement, thread processing, and inter-action with the operating system for I/Ooperations. These are all features thatthe Java VM provides built-in. Used cor-rectly, the JVM can perform these oper-ations while providing support for real-time development. Here’s how.

Real-Time Java SolutionsIn the late ’90s, a group of real-time

and programming language expertsfrom around the globe worked togetherto define a specification to define howJava should behave in the real-timespace. The result was the Real-TimeSpecification for Java (RTSJ), whichdoesn’t change the Java language at all,but instead outlines areas of enhance-ment to the platform to meet real-timerequirements. These include:>> Thread scheduling: The RTSJ

states that a real-time scheduler beused to schedule tasks, but it doesn’tspecify the algorithm, nor how to doit. RTSJ implementations typically relyupon and work with the OS to achievethis goal. RTSJ does, however, definenew thread types—i.e. RealtimeThread(RTT), and NoHeapRealtimeThread(NHRT)—for real-time Java execution.>> Memory management: The RTSJ

doesn’t require a garbage collector, nordoes it specify any algorithms for it.Instead, it defines new memory re-gions beyond the heap, and specifiesthat the collector not interfere withthem. Therefore, it’s possible to per-form memory management outside

38 May 30, 2011 informationweek.com

Unethical Behavior Rampant Inside IT Development Teams Ethically dubious actions make it difficult for developers to be trusted by users and other IT staff

informationweek.com/1301/ddj/ethics

Endless ProjectsHow can you create a nontrivial project that can be completed in a reasonable amount of time?

informationweek.com/1301/ddj/endless

Java Meets Objective-C The programming languages and the platform libraries have a lot in common

informationweek.com/1301/ddj/java

MORE DR. DOBB’S ONLINE

[DR. DOBB’S REPORT] JAVA

Page 27: Informationweek full-issue-may-30-2011 4130152

[DR. DOBB’S REPORT] JAVA

the scope of the Java GC.>> Resource sharing: With enhanced

thread scheduling comes the need forthread priority control. The RTSJ re-quires the priority inheritance protocolbe implemented through the Java syn-chronized keyword, along with a set ofwait-free queues.>> Asynchronous execution control:

To control asynchronous event han-dling, the RTSJ defines how event-han-dling code is to be scheduled and dis-patched deterministically. It alsoextends the Java Exception handler toallow immediate shifts of executionwithin a real-time thread. Finally, it de-fines a way to terminate a thread’s exe-cution safely and deterministically.>> Physical memory access: The abil-

ity to create and access objects within

specific regions of physical memory isdefined, allowing Java code to interactwith I/O and other hardware devices de-terministically, and with minimal latency.The overarching goal of the RTSJ is

not to change the Java language (for ex-ample, it included no new keywords)but to allow the average Java developerto build real-time software. However,that’s not to say some changes in cod-ing practice aren’t required. Let’s takea quick look at how the RTSJ affectsJava programming.

RTSJ In PracticeThe Java developer needs to em-

brace some new concepts to use RTSJ.For instance, the two new threadclasses described previously requiredevelopers to specify certain aspects of

their behavior. These include priority,scheduling behavior (periodic or ape-riodic), and memory region require-ments. For instance, while an RTT canaccess objects that reside anywhere, anNHRT can’t access objects that resideon the heap. The RTSJ defines additional memory

regions where objects can reside, to en-sure no interference with the Javagarbage collector. These regions includeScopedMemory, ImmortalMemory, andPhysicalMemory. A ScopedMemory re-gion is an area of memory outside of theJava heap that can be defined and cre-ated at runtime, and within which Javaobjects are created. When the real-timecode finishes with the region (some-thing the developer controls), the entireregion and the objects it contains are

Page 28: Informationweek full-issue-may-30-2011 4130152

marked as free, and all references tothem are removed; no GC is required. The sole ImmortalMemory region is

an area of memory where Java objectslive for the life of the VM. Objects cre-ated here are never collected, nor arethey freed in any way. Hence, Immor-

talMemory is a limited resource meantto provide deterministic access to datacommonly needed within a real-timeJava application.There are sometimes complex rules

for object reference and access betweenthe various memory regions, but I won’t

go into those details here. Those detailsas well as asynchronous event handling,asynchronous transfer of control, andphysical memory access can be re-viewed in the RTSJ document or in oneof the books written on the topic.

Real-Time Java ImplementationsRTSJ has seen a few revisions over

the years, and it’s still actively beingimproved. For instance, JSR-282 is inthe early draft review stage, and willdefine version 1.1 of the RTSJ. Be sureto look at the current specification, andthen the proposed revision, to get a feelfor where things are headed.Officially compliant RTSJ implemen-

tations include the Sun (now Oracle)Java Real-Time System, the IBM Web-Sphere Real-Time VM, and the TimesysRTSJ reference implementation. BothOracle and IBM provide support formultiple operating systems, includingSolaris and specific Linux distributions(real-time scheduler required). There are no RTSJ-compliant imple-

mentations available for Windows, butnot because of the common miscon-ception that Windows can’t providereal-time behavior. To some degree itcan, via its real-time thread support,but it simply doesn’t provide enoughreal-time thread priority levels to meetthe RTSJ’s requirements.The common Linux distributions

also don’t meet the RTSJ’s requirementsfor real-time systems. Instead, IBM pro-vides its own real-time Linux variant toguarantee real-time behavior, and Ora-cle requires you use either Red Hat’sMessaging-Realtime-Grid Linux distri-bution, or Novell’s Suse Linux Enter-prise Linux extensions for Suse LinuxEnterprise Server.

Real-Time, Without RTSJThere are other real-time Java imple-

mentations that aren’t strictly RTSJ-com-pliant, although they may implementmost or part of the API. These include:>> Aicas JamaicaVM: A Java SE/

RTSJ-compatible implementation with

42 May 30, 2011 informationweek.com

[DR. DOBB’S REPORT] JAVA

Page 29: Informationweek full-issue-may-30-2011 4130152

a real-time, deterministic garbage collector. >> Aonix PERC: A Java SE/RTSJ-compatible imple-

mentation with its own real-time, deterministicgarbage collector. Aonix also has support for embed-ded devices with memory limitations, as well as sys-tems with safety-critical requirements.>> Fiji: A small-footprint Java implementation for

embedded systems with deterministic garbage collec-tion and support for safety-critical systems.>> Javolution: A real-time Java library that provides

a set of classes for deterministic execution and RTSJsupport.Again, true real-time Java development goes beyond

the need for just real-time garbage collection. Whenchoosing a real-time Java VM, whether it’s RTSJ-com-pliant or not, be sure to choose one that guaranteesyour application will meet time-based requirements,with enough support to deterministically scheduleyour application’s processing. Let’s take a look at someareas real-time Java is being used today.

Business Success CasesI’ve evaluated and deployed real-time Java in a wide

range of applications. These include financial applica-tions, such as trading engines, quote publishing, andnews delivery; military systems, such as object track-ing and flight control; telecommunication systems; andother specialized projects, including embedded sys-tems, robotics, and embedded controllers.Specific projects include a trading system devel-

oped at Reuters, embedded systems development atPerrone Robotics, a system for tracking space objectsat ITT, flight systems at Boeing, and various militaryprojects. Most of these projects have been a big improve-

ment over using specialized languages and program-ming environments that would have otherwise beenrequired. Projects where real-time Java sometimesdoesn’t fit are ones where non-real-time requirementsare mixed in, such as the need for high transactionrates and overall throughput. These are two areas thatoften require a trade-off to achieve predictable real-time behavior.As tight time requirements become a greater part of

enterprise computing, it’s helpful to know that thesame Java language and tooling used for developingstandard applications can also be used to create deter-ministic, real-time computing solutions.

Eric J. Bruno is the author of “Real-Time Java Pro-gramming” and a blogger for Dr. Dobb’s Journal.Write to us at [email protected].

[DR. DOBB’S REPORT] JAVA

Page 30: Informationweek full-issue-may-30-2011 4130152

informationweek.com44 May 30, 2011

Business ContactsExecutive VP of Group Sales,

InformationWeek Business Technology

Network, Martha Schwartz

(212) 600-3015, [email protected]

Sales Assistant, Adrienne Darnell

(212) 600-3327, [email protected]

SALES CONTACTS—WEST

Western U.S. (Pacific and Mountain states) and

Western Canada (British Columbia, Alberta)

Western Regional Director, JohnHenry

Giddings

(415) 947-6237, [email protected]

Account Director, Matt Stovall

(415) 947-6245, [email protected]

District Sales Manager, Rachel Calderon

(516) 562-5338, [email protected]

Inside Sales Manager, Vesna Beso

(415) 947-6104, [email protected]

Sales Assistant, Ian Doyle

(415) 947-6105, [email protected]

Strategic Accounts

Account Director, Sandra Kupiec

(415) 947-6922, [email protected]

Account Manager, Shoshana Freisinger

(415) 947-6349, [email protected]

Account Executive, Matthew Cohen-Meyer

(415) 947-6214, [email protected]

SALES CONTACTS—EAST

Midwest, South, Northeast U.S. and Eastern

Canada (Saskatchewan, Ontario, Quebec, New

Brunswick)

District Manager, Jenny Hanna

(516) 562-5116, [email protected]

District Manager, Michael Greenhut

(516) 562-5044, [email protected]

Account Manager, Cori Gordon

(516) 562-5181, [email protected]

Inside Sales Manager East, Ray Capitelli

(212) 600-3045, [email protected]

Sales Assistant, Bill Myers

(212) 600-3163, [email protected]

Strategic Accounts

Eastern Regional Director, Mary Hyland(516) 562-5120, [email protected]

Account Manager, Tara Bradeen(212) 600-3387, [email protected]

Account Executive, Jennifer Gambino(516) 562-5651, [email protected]

Account Executive, Elyse Cowen(212) 600-3051, [email protected]

Sales Assistant, Kathleen Jurina(212) 600-3170, [email protected]

SALES CONTACTS—NATIONAL

Dr. Dobb’s

Sales Director, Michele Hurabiell(415) 378-3540, [email protected]

Account Executive, Shaina Guttman(212) 600-3106, [email protected]

Sales Assistant, Casey Franklin(212) 600-3157, [email protected]

SALES CONTACTS—MARKETING

AS A SERVICE

Director of Client Marketing Strategy,Jonathan Vlock (212) 600-3019, [email protected]

SALES CONTACTS—EVENTS

Senior Director, InformationWeek Events,Robyn Duda (212) 600-3046, [email protected]

MARKETING

VP, Marketing, Winnie Ng-Schuchman(631) 406-6507, [email protected]

Director of Marketing, Sherbrooke Balser (949) 223-3605, [email protected]

Marketing Manager, Monique Luttrell(949) 223-3609, [email protected]

AUDIENCE DEVELOPMENT

Director, Karen McAleer (516) 562-7833, [email protected]

Subscriptions Subscriptions informationweek.com/magazine

E-mail: [email protected]

Phone: (888) 664-3332 (U.S); (847) 763-9588 (outside U.S.)

ADVERTISING AND PRODUCTION

Publishing Services Manager, Lynn Choisez (516) 562-5581 Fax: (516) 562-7307

MAILING LISTS

MeritDirect LLC (914) [email protected]

REPRINTS AND RIGHTS

For article reprints, e-prints, and permissions, please

contact: Wright’s Media, (877) 652-5295,

[email protected]

Back Issues Phone: (888) 664-3332 (U.S.); (847) 763-9588 (outside U.S.)

E-mail: [email protected]

BUSINESS OFFICE

General Manager, Marian Dujmovits

EDITORIAL OFFICE

(Fax) 516-562-5200

UBM LLC

600 Community Drive

Manhasset, N.Y. 11030 (516) 562-5000

Copyright 2011. All rights reserved.

UBM TECHWEB

Tony L. Uphoff CEO

John Dennehy CFO

David Michael CIO

Joseph Braue Sr. VP, Light Reading Communications

Network

Scott Vaughan CMO

John Ecke VP and Group Publisher, InformationWeek

Business Technology Network

Ed Grossman Executive VP, InformationWeek Business

Technology Network

Martha Schwartz Executive VP, Group Sales,

InformationWeek Business Technology Network

Beth Rivera Senior VP, Human Resources

David Berlind Chief Content Officer, TechWeb, and

Editor in Chief, TechWeb.com

Fritz Nelson VP, Editorial Director, InformationWeek

Business Technology Network, and Executive Producer,

TechWeb TV

UBM LLC

Pat Nohilly VP, Strategic Development and Business

Admin.

Marie Myers Sr. VP, Manufacturing

Page 31: Informationweek full-issue-may-30-2011 4130152

informationweek.com46 May 30, 2011

At the Interop show in Las Vegas thismonth, I attended the keynote pres-entation of Cisco CIO Rebecca Ja-

coby. Later that day, she sat down with RobPreston and me for a longer conversation.What we got was a fairly pragmatic discus-sion of Cisco’s needs and how those fit intothe ideal view of service-oriented IT and de-livery of those services.One thing that’s always been true: Cisco

believes in the products it sells. With just afew exceptions, the company uses its ownproducts, from phones to big bad routers. Sowith the introduction of its Unified Comput-ing System (UCS) server products, Cisco hashad the challenge and opportunity of adopt-ing its own new products as it moves from aworkload-optimized environment to a highlyautomated hybrid cloud environment. In herpresentation, Jacoby said 57% of 1,300 ap-plications identified within Cisco data centershad been virtualized. Whether you’re a glass half full or glass half

empty type, that 57% is an interesting num-ber. On one hand, it speaks to just how hardthe process is. Those 1,300 apps don’t allprovide unique services; they integrate withone another, often in ways that may be hardto discover. Sometimes moving an app to avirtualized server is as simple as packaging itup into a virtual machine and launching it.Other times, you learn about dependenciesyou’d think should never occur (“What doyou mean we can’t change the IP address forthat app?”). On the other hand, UCS is a new product

line by any measure, and while the Ciscobrass is keen to see its products used inter-nally, Jacoby’s got a tight budget just likeevery other CIO. So that 57% represents alot of hard work, and it likely also representsthe easiest applications to migrate. Jacoby’sgoal is to have 80% of Cisco’s IT services vir-

tualized by the end of this year. And of course virtualization isn’t the end

goal. It’s a means to providing better serviceto business units and allowing them to betterunderstand and control the costs and bene-fits of the services they choose.

The Outsourcing DecisionLike everyone else heading down this path,

Jacoby’s team is constantly evaluating whichservices need to run within Cisco’s data cen-ters and which can be outsourced. While Ja-coby was vague about the services Cisco islooking to outsource, she did have some ad-vice for budding entrepreneurs: Think aboutstarting services in emerging markets. That’swhere companies like Cisco need help, asemerging markets are a very expensive propo-sition. Even Cisco, with its extensive field op-erations, would buy from those who know lo-cal markets and offer quality services there.The most surprising thing about our dis-

cussion with Jacoby was the extent to whichshe sounded like every other talented CIO,particularly as she got past the noticeably un-comfortable task of delivering the Cisco mes-sage that she’s required to present. She’s data-driven, service-oriented, and pragmaticabout serving her customers. She’s veryaware that she’s serving a company of ex-perts, and that the best way to handle theirgood intentions is to listen to their advice,but listen more to what her performancenumbers are telling her. There’s a lot to besaid for that approach.

Art Wittmann is director of InformationWeekAnalytics, a portfolio of decision-supporttools and analyst reports. You can write to him at [email protected]. More than100 major reports will be released this year.Sign up or upgrade your membership atanalytics.informationweek.com/upgrade.

Cisco Eats Its Own Dog Food, But Pragmatically

practicalAnalysisART WIT TMANN

CIO Rebecca Jacoby is

progressing from

virtualization

to private cloud

to hybrid cloud—all

guided by careful

data analysis

Page 32: Informationweek full-issue-may-30-2011 4130152

Tiger Woods limped off the course a cou-ple of Thursdays ago after shooting asix-over-par 42 on the first nine holes of

The Players Championship, one of pro golf’smost prestigious tournaments. Suffering a soreknee and other physical and psychological ail-ments, some self-inflicted, Woods, whoseworld ranking has fallen out of the top 10 afterbeing at No. 1 for more than five years, lookedlost. Back in the clubhouse, his competitorslater expressed dutiful respect, bordering onpity, for their former chief nemesis. But the aweand the fear were gone.

Cisco and Microsoft are struggling throughtheir own Tiger Woods times. Once theundisputed leaders of their markets, they’renow vulnerable to younger, more agile rivals.

At Interop in Las Vegas this month, Cisco,which once dominated this networking-cen-tric show, was the brunt of uncharacteristi-cally strident attacks from competitors, justdays after it reported weak financial results.When I later asked Alan Baratz, president ofAvaya Global Communications Solutions anda former top Cisco exec, to size up his formeremployer, he wasn’t shy: “They’re vulnerable.They expanded into a lot of areas in a shortperiod of time. They got distracted. And theyalienated a lot of customers when they wentinto the data center, opening up opportuni-ties for competitors to take advantage.”

Cisco CEO John Chambers, in announcingthat Cisco’s third-quarter net income fell17.6% from the year-earlier quarter on 4.8%higher revenue, was subdued in his assess-ment. “We have acknowledged our chal-lenges,” he said in a statement. “We know whatwe have to do. We have a clear game plan.”

That game plan entails shedding some pe-ripheral product lines (the Flip videocam wasthe first to go, a couple of months ago) andshoring up operations. But as my colleague ArtWittmann noted in a recent column, Cisco’s

challenges are more than operational. The com-pany faces ever more sophisticated competitors,especially as it looks to unite networking,servers, and storage into a single architecture.

Already, sales of Cisco’s fat-margin prod-ucts are under pressure: While Cisco’s switchand router revenues were flat to downthrough its first three quarters, HP’s compet-ing networking business has been growingsteadily, up 118% in the second quarter com-pared with the year-earlier quarter—albeit ona much smaller base than Cisco’s. As Artwrote: “Its competitors are almost universallyaccustomed to living with smaller profit mar-gins. And while it would be foolish to countCisco out of any market it wants to competein, it would be equally foolish to expect thatCisco will be able to maintain its historicalgrowth and margins.”

As for Microsoft, rivals are gunning for itscash cows. Just as the ASP is making a vigor-ous comeback in the form of software as aservice, thin client computing is all the rageagain, as Google (Chrome OS and Chrome-books—see p. 18), various tablet and smart-phone makers, and even the long-time thinclient champions forward their own com-pelling Windows-less visions. When I recentlyasked a group of CIOs whether reports of thedemise of the PC are greatly exaggerated, I wassurprised to hear they didn’t think so.

Meantime, Google Apps is an establishedWeb-only alternative to Office among con-sumers, and it’s only a matter of time beforeenterprises take a serious look at it. The Web2.0 movement is a threat to Microsoft’s Ex-change and SharePoint franchises.

Cisco and Microsoft—like Woods—aren’t tobe taken lightly. But there’s blood in the water.

Rob Preston is VP and editor in chief of InformationWeek. You can write to Rob at [email protected].

Cisco, Microsoft, And The Tiger Woods Effect

These still-dominant

vendors aren’t to be

taken lightly, but

competitors no longer

show awe or fear

ROB PRESTON

48 May 30, 2011

Businessdown tofrom the ed i tor

informationweek.com