CIO&LEADER.COM | A 9.9 Media Publication
Volume 02 | Issue 12 | September 21 2013 | 150
Track Technology | Build Business | Shape Self

Three Tips About Managing Your Time | The Need for Network Security
Next Horizons: Offshoring: A Disadvantage Pg 42
Best of Breed: Four Conversations For Every IT Leader Pg 12
Viewpoint: Back to the Business Model Pg 64

cio & leader. com · In enterprises today, a CISO has moved from the backstage to centre stage. He has been given more responsibility and editors pick Taking Centre Stage IT security



Editorial | Yashvendra Singh | [email protected]

The Big Shift
A CISO has today transformed into a business enabler who works alongside the C-suite

It was not too long ago that a Chief Information Security Officer (CISO) was looked upon as only a security protocol enforcer. His role was relegated to the background, and rarely interacted with the company’s C-suite. Times change, and so has the role of the CISO.

The need for information security stemmed from rapidly growing businesses. To fuel their growth, enterprises increasingly became reliant on the availability of IT infrastructure. This in turn required strong security defences, and thereby, the role of a CISO.

Over time, not only did IT security become strategic in enterprises, privacy and security legislation gained impetus and became strict guidelines for corporates. The role of a CISO too mirrored this changing landscape. The result was that the CISO function became a necessity rather than something that was given only lip service. The role saw a massive shift from being protector to becoming an influencer.

In enterprises today, a CISO has moved from the backstage to centre stage. He has been given more responsibility and commands more authority. The days when he was considered only a security protocol enforcer have long gone. A CISO has today transformed into a business enabler who works alongside the C-suite to implement secure practices in every dimension of the business.

In fact, in addition to playing the role of a security evangelist and a strategist, a CISO is now being approached for providing inputs on risk also. He is being asked to shoulder the responsibility of risk management also.

The ambit of security, meanwhile, has today grown to include, among other things, compliance training and awareness, disaster recovery and business continuity. This has vindicated the stand of security practitioners, who have long been contending that these were elements of security. They are now being asked by their management to address these as well.

In more mature markets, the CISO already has a place at the high table and participates in all important discussions revolving around the company’s business. The more visionary corporates in India too have recognized the importance of the CISO role, according it the respect and command that it deserves.

In recognition of this growing importance of the role of a CISO, we dedicate this issue’s cover story to enterprise security practitioners. The cover feature focuses on how the role has undergone a transformation. We also get some of India’s top CISOs to discuss the challenges confronting the function today and the way ahead.

We will look forward to your valuable feedback.

Editors Pick (Pg 20): Taking Centre Stage
IT security is becoming strategic in corporates. The role of CISOs is mirroring this change as they evolve from protectors to influencers


Cover Story 20 | Taking Centre Stage IT security is becoming strategic in corporates. The role of CISOs is mirroring this change as they evolve from protectors to influencers

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Anuradha Das Mathur for Nine Dot Nine Interactive Pvt Ltd, Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301


Regulars
01 | Editorial
06 | Enterprise Roundup
64 | Viewpoint

Cover design by: Shigil Narayanan


Special Leadership Section: Page 32A to 41

33 | Top Down: Innovation in Service Delivery Is Key to the Future
Nitin Jadhav, CTO, ESDS Software, talks about the challenges confronting CIOs

34 | Leading Edge: Bullish on Digital: McKinsey Survey Results
CEOs and other senior executives are increasingly engaged as their companies step up efforts to build digital enterprises

37 | Me & My Mentee: “A mentee should have accountability”
Atul Nigam, Head-IT, Samsung Data Systems and Chhavi Taneja, Sr. IT Manager, Samsung Data Systems, share their insights

39 | Opinion: Kinabalu in a Day — The Climb
Our strategy was not to break any time-based record, and as such, carried more than what most 1-Day climbers normally have

41 | Shelf Life: The One Thing
The Surprisingly Simple Truth Behind Extraordinary Results


www.cioandleader.com

56 | No Holds Barred: “Technology is a business enabler”
Vishal Awal, Executive Director, Services, Xerox India and South Asia, talks about different aspects of document management


12 | Best of Breed: Four Conversations For Every IT Leader
IT leaders must be prepared to have difficult conversations with their bosses and with their customers

42 | Next Horizons: Offshoring: A Disadvantage
Companies that have over-embraced offshoring will take back many critical business functions

60 | Tech for Governance: Ethics of Monitoring Your Employees
Not monitoring employees could lead to cessation of business


Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Correspondent: Debashis Sarkar

Design
Sr. Creative Director: Jayan K Narayanan
Sr. Art Director: Anil VK
Associate Art Director: Anil T
Sr. Visualisers: Manav Sachdev & Shokeen Saifi
Visualiser: NV Baiju
Sr. Designers: Shigil Narayanan, Haridas Balan & Manoj Kumar VP
Designers: Charu Dwivedi, Peterson PJ, Pradeep G Nair, Dinesh Devgan & Vikas Sharma
Consulting Sr. Art Director: Binesh Sreedharan

MARCOM
Designer: Rahul Babu

STUDIO
Chief Photographer: Subhojit Paul
Sr. Photographer: Jiten Gandhi

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

NEXT100 Advisory Panel
Manish Pal, Deputy Vice President, Information Security Group (ISG), HDFC Bank
Shiju George, Sr Manager (IT Infrastructure), Shoppers Stop
Farhan Khan, Associate Vice President – IT, Radico Khaitan
Berjes Eric Shroff, Senior Manager – IT, Tata Services
Sharat M Airani, Chief – IT (Systems & Security), Forbes Marshall
Ashish Khanna, Corporate Manager, IT Infrastructure, The Oberoi Group


Enterprise Round-up

Story Inside: HP Announces New Offerings For Enterprise Security Pg 8

Data Briefing: $434 million will be the size of Indian public cloud market by 2013

IBM to Invest $1 Billion in Open Source Technologies
The investment aims to help clients capitalise on big data

IBM has announced its plans to invest $1 billion (USD) in new Linux and open source technologies for IBM's Power Systems servers. The investment aims to help clients capitalise on big data and cloud computing with modern systems built to handle the new wave of applications coming to the data center in the post-PC era.

A new IBM Power Systems Linux Center for developers, clients and partners opened in Montpellier, France. Joining similar centers in Asia and North America, the Montpellier center is an immediate result of a larger initiative by IBM to commit $1 billion towards Linux ecosystem growth on IBM's Power Systems line of servers.

Two immediate initiatives announced, a new client center in Europe and a Linux on Power development cloud, focus on rapidly expanding IBM’s growing ecosystem supporting Linux on Power Systems which today represents thousands of independent software vendor and open source applications worldwide.

The new center is among a growing network of centers around the world where software developers can build and deploy new applications for big data, cloud, mobile and social business computing on open technology building blocks using Linux and the latest IBM POWER7+ processor technology.


Quick Byte on Mobility
The IDC Asia Pacific Mobile Phone Tracker released in August 2013 has revealed that for the third consecutive quarter, Windows Phone is the second most widely used smartphone platform in India
—IDC

Intel Unveils Processors for Indian Cos
The chip maker launched the Xeon Processor E5-2600 v2 product

Keeping in mind the global datacenter business, chip maker Intel has announced new processors for enterprises in India. Intel’s goal is to re-architect the datacenter to enable a common, software-defined foundation for both datacenters and cloud service providers that span servers, networking, storage and security.

As part of the launch, Intel unveiled its Xeon Processor E5-2600 v2 product family which offers up to 45 per cent greater energy efficiency and 50 per cent higher performance as compared to the previous generation. The other products Intel launched are the Intel Atom C2000 processor family, first based on Silvermont micro-architecture. Intel also announced 4th gen Intel Core vPro processors offering a range of enhanced capabilities across security, manageability and productivity. Intel SSD Pro 1500 Series is optimized for the business user offering secured data and more productivity to the user with faster boot and application start times.

“Datacenters are entering a new era of rapid service delivery and we continue to see significant opportunities for growth across network, storage and servers,” said Narendra Bhandari, Director, Software and Services Group, Intel Asia Pacific.

They Said It: N R Narayana Murthy

“Whenever the economy is not doing well in a country, it is inevitable that the unemployment levels go up. Therefore, the legislators would be concerned about jobs and therefore the countries will automatically take such decisions that may discourage outsiders from impacting the jobs in the country.”
—N.R. Narayana Murthy, Chairman, Infosys

Amid concerns over the visa curbs set out in the US Immigration Reform Bill, Murthy said Indian IT firms need to hire more locals for their onsite operations.


HP Announces New Offerings For Enterprise Security
The new products and services help CIOs and CISOs to manage risks

Addressing the growing cyber security needs of enterprises, HP announced new products and services to manage risk and ensure better protection against the threat landscape. The new offerings include security intelligence solutions, managed security services (MSS) and an advisory service for mobility.

“The new style of IT, like BYOD, has a lot of merits but brings in security risks along with it. The key challenge is in balancing these. Companies are required to extend themselves to allow more suppliers to come into the network and challenge is in ensuring the security of data and IPs. Also, disruptive adversaries are becoming more sophisticated each day and they are targeting organisations big time. So, it's crucial to have your defenses in line with these challenges. HP's new offerings cater to mobility, supplier security compliance and counters disruptive adversaries,” said Susanta Bhattacharya, director, Infrastructure Technology Outsourcing (ITO) Portfolio, Enterprise Services, HP India.

New and enhanced HP offerings provide real-time threat disruption and self-healing technology combined with crowd-sourced security intelligence:

HP Threat Central, a community-sourced security intelligence platform to facilitate automated, real-time collaboration among organisations in the battle against active cyberthreats.

HP TippingPoint Next-Generation Firewall (NGFW) addresses risks introduced by cloud, mobile and BYOD by delivering easy-to-use, reliable, high-performance security effectiveness with granular application visibility and control.

HP ArcSight and HP Fortify offer data-driven security technologies, including HP ArcSight Application View, HP ArcSight Management Center, HP ArcSight Risk Insight and HP ArcSight Enterprise Security Manager (ESM) v6.5c, that empower security operations teams to run more effectively with accelerated and real-time application-level threat detection.

HP SureStart comes with self-healing technology that automatically restores a system’s PC Basic Input/Output System (BIOS) to its previously safe state if attacked or corrupted, delivering a “future proof” technological breakthrough to HP EliteBook customers.

“IT chiefs will benefit from HP's global expertise in security research and analytics. We provide an end-to-end security solution starting right from strategy to implementation and management,” added Bhattacharya. New offerings from HP MSS and HP Enterprise Services include:

HP Supplier Security Compliance Solution protects the flow of information across an organisation’s network of suppliers. After a data breach, organisations can gain control of their data to minimise the loss of money, trade secrets and customer trust.

HP Distributed Denial of Services (DDoS) Protection Services leverage leading security tools, HP MSS and 24/7 event monitoring by skilled security analysts to help organisations detect and take immediate action on DDoS and web-application attacks.

Global Tracker: Malware
The online banking malware saw 29 per cent increase from the previous quarter from 113,000 to 146,000 infections
Source: Trend Micro


India Has 550mn Actual Mobile Users
The study represents 94.8 percent of the Indian population

A recent survey by research firm Juxt says India has 550 million actual mobile users in the country. The India Mobile Landscape (IML) 2013 study states there are a total of 770 million functional SIMs with validity of which 640 million SIMs are being used by 550 million mobile devices owners.

The number of unique internet users that access internet from their mobile data connections, desktop or laptop, is around 94.7 million. The number goes up to 143.2 million if Airtel Live and Reliance R World users are also added.

The study reveals there are 20 million users who access internet from their mobile phones through data connections such as GPRS or 3G. Out of this, 93 lakh access internet only via their mobile phones and surprisingly 77 percent of these users were in rural areas.

Juxt co-founder Mrutyunjay told PTI, “India has 550 million mobile users as per our India Mobile Landscape (IML) 2013 study. More than 290 million, about 54 percent, of these device owners are in rural areas as compared to 250 million in cities and towns.”

Mrutyunjay added that the survey was conducted between May and mid-July 2013 covering 109 urban centers and 196 villages.

Fact Ticker: Mobility

Samsung launched its Galaxy Note 3, its latest update to the Note product line, yesterday and it seems that the company is slowly trying to pitch itself in enterprise segment. “With BYOD picking pace, we see a very bright prospect in the enterprise mobility space and this is the reason we introduced KNOX enterprise mobile security solution on the Galaxy Note 3,” said Vineet Taneja, Country Head, Samsung Mobile & IT in an exclusive interaction.

After BlackBerry announced that it was open to sale of the company back in August, this might be the right time for Samsung to capture BlackBerry's market in the enterprise mobility space. Given the popularity of Google's Android operating system and the fact that Samsung owns the majority of the Android market share, it appears to be a good idea for the company to focus on enterprise mobility, especially at a time when the BYOD trend is being seriously considered by enterprises.

“We want to increase our penetrating within enterprises. The KNOX goes right into the hardware and application level and is beyond any MDM solution,” said Manu Sharma, Director, Mobile Business, Samsung. The new Galaxy Note 3 comes with Samsung KNOX enterprise mobile security solution.

CIOs Looking at EA to Drive Digital Strategy
Analysts believe that digital technologies create new opportunities

CIOs are increasingly looking to enterprise architecture (EA) to help drive their digital strategy, according to Gartner. Fifty-two per cent of respondents in Gartner's 2013 CEO and Senior Executive Survey said their organisations have a digital strategy. Analysts believe that digital technologies (what Gartner terms the Nexus of Forces — mobile, social media, big data and analytics — and the Internet of Things) create new opportunities for innovative business models.

“Senior business executives are challenging CIOs and their IT organisations to be at the front of digital strategy, identifying innovative new business models and technologies, and getting more business value out of each technology investment,” said Marcus Blosch, research vice president. “Enterprise architects can provide unique capabilities to help CIOs develop a new agenda for 'hunting and harvesting' in a digital world.”

Blosch said that organisations are looking to grow and improve efficiency of their operations, creating new demands on CIOs and EA.

“With the global economy still struggling, enterprise architects around the world will need to use EA to help drive growth and innovation, while at the same time identifying opportunities for performance improvement and cost cutting at a time when IT budgets are flat,” said Blosch. “Given these factors, CIOs must extend IT's performance profile beyond tending, to hunting and harvesting for digital value. For enterprise architects, particularly those who sit within the IT organisation, this is a great opportunity to move EA into a more strategic role. Business-outcome-driven EA is integral to achieving each of these areas to provide insight and support decision making. The EA team currently has the opportunity to become more strategic by aligning itself to support the CIO and the organisation.”

It is often hard to see where a new technology or idea applies, and what difference it will make. However, EA supports both hunting and harvesting by linking new technologies and innovations to the strategy and future-state business capabilities. EA teams can also do technology tracking and create innovation management processes to support hunting. Harvesting is driven through techniques such as business capability modeling.


Best of Breed

Features Inside
Three Tips About Managing Your Time Pg 16
Why Are You Using Social Media Channels? Pg 18

Four Conversations For Every IT Leader

IT leaders must be prepared to have difficult conversations with their bosses and with their customers
By Charles Araujo

Over the last month, a single word has repeatedly risen in my consciousness. I started the month delivering the opening keynote at the LEADit conference in Canberra, Australia. I returned home and immediately left for the Pink Elephant Leadership Forum in Scottsdale, Ariz., where I delivered a morning keynote. As I spoke and then talked with people afterward, I found myself repeating the same word again and again: courage.


While in Australia, I also participated in a “hypothetical.” Originating in the U.K., a hypothetical is a simple panel construct, but one in which the participants play a fictional role in a hypothetical situation put forward by the session moderator; in our case, the moderator was the indefatigable Rob England, better known as the IT Skeptic. During the hypothetical, I played the role of CIO and, because of the challenging hypothetical situation, I kept having some difficult conversations with the rest of the panel. As we wrapped it up, I said, “The issue we haven’t addressed is there is a good chance that if I acted like this in a real career environment, I'd be looking for a job soon. These are tough conversations to have. They take a lot of courage. But the best, most successful IT leaders I know are having these conversations every day.”

The incident made me realise that “courage” is the one thing that we don’t discuss enough when it comes to what it takes to be a great IT leader—the kind of leader we need to take us into the future. But as I contemplated it further, I realised there are four specific, courageous conversations that every IT leader must be prepared to have if you are going to lead your organisation into the future.

Conversation #1: With Your Boss
“What are we capable of accomplishing?”

One of the consistent themes during the hypothetical was the balance needed between IT's current commitments and new projects in the pipeline. Rob England deftly played the “minister” (we were a government ministry in the hypothetical) and kept putting ever-new demands on the organisation, driven by the political crisis of the moment. I found myself constantly saying, “If this is your new top priority, then we will need to discuss what things we are not going to be able to accomplish so that we can get this done.” It was a constant struggle of prioritisation. True to form, England pushed back, saying that he needed it all done, which forced me to stand my ground and insist that he prioritise the demands or put our entire delivery model at risk.

Telling your boss “no” is never easy and will often put you on the fast track to a new position “outside the organisation.” Therefore, many IT leaders understandably never go there. They put up a mild protest, but then take on the new responsibility and do their best to manage. This is why most IT executives (and their teams) are under such strain. We have rampant demand that far exceeds supply. IT leaders may be reticent to say “no,” but, clearly, saying “yes” unconditionally isn't the answer either. Instead, a more courageous conversation is required.

I believe the right response in this all-too-common situation is, “Yes, we will need...” The key is to not refute or deny the new demand, but simply state to the requestor what it will take to deliver it. This is fundamentally a question of capabilities. Every system has a finite production capability based upon design and capacity. In no case, can any system either produce something that it is not designed to produce nor produce in excess of its available capacity. It is a simple fact, but one that we often ignore during these exchanges with our boss. We believe that somehow “we can get it done” and so pretend that we have the capability of accepting unlimited demand. But the hard reality is that our capacity is, in fact, a constraint, and without this kind of control, we will run the risk of delivering only a small percentage of what we have committed to accomplish.

It is much more honest and respectful to be upfront about our organisational capabilities, limitations and options. That is what the phrase, “Yes, we will need…” does. Typically, you will end that sentence with either a description of the prioritisation that you need to take place ("…to deprioritise…") or the resources that you will require to expand your capabilities (either people or money). It postures us in a positive position of saying “yes,” but we are also honestly acknowledging our limitations. That takes courage. But it is required if we are to effectively execute our roles and fulfill our duties to our customers.

Conversation #2: With Your Customer
“What should we not do?”

During my keynote in Australia, I identified what I call the “four new rules of the new era.” One of these rules is that we will be defined in the future by what we do not do. As technology becomes truly ubiquitous and finds its way into even the most pedestrian applications, it will simply become impossible for IT organisations to reasonably maintain control over all of it. Nor should we want to. The days of IT being the sole source provider and sole manager of technology are over. We need a new approach.

We need to begin having a courageous conversation with our customers. One in which we discuss candidly which businesses we should be in and which we should not be in. As IT professionals, we need to stop seeing ourselves as managers of technology. Instead, we must see ourselves as providers of strategic technologies that produce a competitive advantage. As we move into this future, our value will not be defined by our ability to manage and deliver this vast array of technologies that could just as easily be delivered by other organisations. Our value will be derived from the strategic technologies that we co-develop and deliver and that provide some form of unique advantage or differentiation to the organisation.

This revelation also brings realisation. We will be unable to deliver that kind of strategic innovation unless we shed all of those non-strategic technol-ogy platforms. It will demand that we be brutally honest about which elements of the technology stack, while perhaps important, do not provide the type of com-petitive and differentiating value that war-rant our involvement.

Those elements of the technology stack are the “lines of business” that we must exit. We must simply select an appropriate delivery partner and then get out of the business of providing those services.

The challenging part is that we have spent the better part of the last four decades “training” our customers on how to interact with us. And the linchpin of those conversations was that “everything technology-related comes through us.” So, to acknowledge that this is simply no longer the case will take courage.

The immediate reaction will understandably be one of, “Well, if I don’t need IT for this any longer, do I need them for anything?” It is a fair and honest question—and one that we need to be prepared to answer. Having this conversation will be scary. It will be inviting our customer to challenge everything for which we have historically stood. You will have to make this transition rapidly and deliver on your promise that an increased focus on the most strategic organisational initiatives will yield a competitive advantage and differentiation.

That’s a courageous promise, but it's one that every IT leader must be prepared to make.

Conversation #3: With Your Team
“What delivers strategic value?”

Humans are creatures of habit. Technical people take that age-old idiom to another level. Despite the rapid state of technological change, IT organisations and the IT professionals that comprise them have remained largely unchanged for the last 45 years. Structurally, organisationally and procedurally, we have largely done the same things, the same ways, for years. The problem is that many of those things that we have done for years have now become commoditised. They provide little discriminate value. Yet we continue to cling to them.

The hard truth is that the vast majority of the work that today's IT organisation performs does not provide any form of business value that is truly strategic or differentiating. It may be important and even crucial to day-to-day business operations, but it is also something that can often be provided just as easily by outside organisations.

As long as those services are not truly strategic, the moment they can be acquired less expensively than the internal organisation can provide them, a conflict will exist. Fear will lead IT professionals to try to "protect their turf" and attempt to justify why they must continue providing this service. It does nothing but erode the trust with our customers and delay the inevitable.

Just as we need to be courageous in our conversations with our customers about what services provide meaningful business value, we need to have the same conversation with members of our team.

As an IT leader, you must be brutally honest with yourself and your team. Of all of the things you do on a daily basis, which of them provide true strategic value to the organisation? The real answer is that there are probably a large number of activities that you presently perform that provide very little strategic value.

These are the things that you must simply stop doing. You must put the well-being of the organisation above your fears and find the most cost-effective manner in which you can provide those services—even though it is likely to be from an outside resource.

That takes courage. It will leave a large part of your team feeling very vulnerable. It may result in a smaller budget and footprint for your organisation.

It could even result in a staff reduction as you identify that you no longer need some purely technical resources. But it is the right conversation to have. It is the only conversation that will ensure your continued relevance. And it is what will be required to take you to a truly strategic level.

Conversation #4: With Yourself
“Am I ready to go the distance?”

Despite all of the angst that may have been generated by the first three courageous conversations, the toughest, most courageous conversation that you will need to have is with yourself. When I was playing the role of the CIO during the hypothetical in Australia, I was asked a question about what I would do given the circumstances. My answer was, “Keep my resume updated.” It got a good laugh, but it wasn’t much of a joke. There is a reason that the tenure of CIOs is relatively low compared to other executive roles. It can be a thankless job. Choosing to have these kinds of courageous conversations will not make it easier.

If you elect to follow my advice, you must be prepared for the fact that the resistance will be forceful and unrelenting. As an industry, we suffer from a type of selective amnesia.

We seem to forget (or just willfully ignore) the cautionary tales of organisations that failed to have these kinds of courageous conversations—and suffered the dire consequences. Yet, the halls of IT leadership are swarming with IT executives who continue to repeat the mistakes of the past.

Having the kinds of courageous conversations that I am suggesting will certainly set you apart. But that may not be a good thing. The conversations will likely set you apart as someone who may be considered a “contrarian” or a “naysayer.”

Being courageous will demand that you tell the proverbial emperor that he has no clothes on. It will not win you any popularity contests.

So the final, and perhaps most important, conversation you must have is with yourself. You must ask yourself if you are willing to go the distance—to have these conversations, to stick with them and to live with the consequences.

— This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.

$1bn will be the amount IBM will be investing in open source tech


Three Tips About Managing Your Time
Time management comes down to knowing what matters most to you
By Larry Bonfante

I have coached a large number of executive clients over the past few years. On many occasions I give them “homework” assignments to complete before our next session. On more than one occasion I’ve had a client admit that they did not complete their assignment. When I ask why, I almost always get the same response: “I didn’t have the time.” I would argue that, in our fast-paced society, time is perhaps our scarcest resource. It is also the resource that we cannot recapture (you can recoup lost money, but I’ve never met anyone who’s figured out how to create more time). Each of us has the same 24 hours a day to work with.

My friends and colleagues often marvel at how I find time to balance being a CIO, running an executive coaching practice, raising a family, getting together with friends, and playing in a band. I’ll admit that as I write these words I feel exhausted just thinking about it all!

However, here are three suggestions to ensure that you invest your time so it produces the greatest payoff.

My first suggestion is taking the time to determine your priorities. What really matters to you? I often ask the clients who tell me they don’t have time what would happen if, while running a major project, they received a call that their child was in a hospital emergency room. To a person, the answer is always the same: they would drop whatever they were doing and drive to the hospital to be with their child.

Illustration by Photos.com

You see, the issue isn’t finding more time, it’s deciding what matters most to you and making the decision to invest your precious time on those things (and those people) that matter most.

I always make time to get together with my friends. I’ve always made time to do things with my family. It’s a matter of prioritisation.


Why Are You Using Social Media Channels?
If you are not using social media for the human interaction and two-way communication, you need to ask yourself why you are using social media
By John Palinkas

You are probably a bit puzzled by the above headline. After all, almost everyone uses social media, right? If you ask your friends, they probably have at least one account on Facebook, LinkedIn, Twitter, YouTube, etc. You probably even have accounts on multiple social media sites. Most companies have switched from traditional marketing to social media. So, why is everyone using social media?

I recently became the vice president of marketing for the New Jersey chapter of Society for Information Management (SIM), a networking group for IT leaders.

I was asked to serve in the marketing role to specifically create a social media marketing campaign for SIM. As I was describing my plans with other members, I discovered something interesting.

Many people think the only difference between social media marketing and traditional marketing is the channels you use. Let me give you an example.

Traditional marketing is all about “creating and delivering a message.”

This can be accomplished through TV, radio, print, etc.

It can also be achieved using social media channels like YouTube, Twitter, etc. Traditional marketing is one-way communication. But the fundamental difference about social media marketing is sometimes not understood.

Social media marketing is all about two-way communication and interaction.

It lets you receive an immediate response to your message—and to react and change your message, if necessary.

A key differentiator is that social media provides a direct and immediate channel of two-way communication between people.

Indulge me with one more

$4.7b will be the amount Fairfax will pay to buy BlackBerry

My second suggestion is to use the same discipline you use in scheduling your work priorities.

I guarantee you that each person reading this article has recurring meetings that are set in stone in their calendars.

Perhaps it’s a monthly staff meeting or a monthly meeting with your manager. Well, then, why don’t we schedule the things that matter to us? I once had a client who told me he needed to master a certain competency, but lacked the time to do so. I forced him to block an hour each week in his calendar to work on this issue.

Only a true emergency would be reason enough to forego this commitment. After six months he had created enough time to truly start to improve this competency. Any athlete will tell you that success requires discipline.

Finally, I challenge you to keep a diary of how you spend your time over the course of the next week. When people ask me how I manage to keep so many balls in the air I tell them that while they are watching Survivor (or The Amazing Race or The Bachelor or any of the other nonsense that we call reality TV), I am on a call with a client helping him or her work on their leadership competencies.

I believe I read somewhere that the average American watches four hours of TV a day. Talk about a bad investment of time!

Time management comes down to knowing what matters to you and having the discipline to invest your limited time in the things that are priorities.

As the old expression goes, “put your money (or your time!) where your mouth is.”

— Larry Bonfante is a practicing CIO and founder of CIO Bench Coach, LLC, an executive coaching practice for IT executives. He is also author of Lessons in IT Transformation, published by John Wiley & Sons. He can be reached at [email protected].

— This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.


story and then we will get back to my original question.

My business partner, Charles Araujo, has an interesting LinkedIn policy.

He accepts invitations only from people that he has met in person or talked with. I decided to adopt this policy and try an experiment.

When I received a LinkedIn invitation from someone I did not know, I responded by saying that I did not accept connections from people that I did not know, but I would be willing to schedule an introductory call.

Here is the weird part: the majority of people never responded.

Obviously, they took the time to find me on LinkedIn and send me an invite. There must have been something there that interested them. Or was there?

Let’s return to my original question about using social media channels.

If you look up the definition of “social,” you find “relating to the way in which people in groups behave and interact” and “allowing people to meet and interact with others in a friendly way.”

I have seen people who follow thousands of persons on Twitter.

Who has time to read thousands of tweets every day? These people are obviously not interacting.

The same is true with LinkedIn and Facebook. Why do you want to connect with someone you do not know?

For me, social media channels provide a way to constantly stay in touch with people as they change jobs, locations, phone numbers, e-mail accounts and so on.

Social media channels provide a link that survives almost all of the changes either of us might go through.

Although I might not be interacting with them on a daily basis, social media channels provide a permanent way of maintaining our relationship.

If you are not using social media for the human interaction, you need to ask yourself why you are using social media channels. Is it a numbers game to see how many connections or followers you can accumulate? Are you trying to get your 15 minutes of fame? You need to ask yourself.

Are social media channels really meaningful when overused? Consider these questions the next time you start to follow or request to connect with someone that you don’t really know or when you receive a stranger’s invitation to connect.

— John Palinkas is a partner at The IT Transformation Institute. ITTI is a catalyst for transforming the IT industry. ITTI helps change the DNA of IT teams, solving today’s problems and breaking the cycles that led to them, and to create next-generation IT organisations. John has spent more than three decades in the IT services industry, working with industry leaders like AT&T, AT&T Solutions and British Telecom.

— This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.


Taking Centre Stage

IT security is becoming strategic in corporates. The role of CISOs is mirroring this change as they evolve from protectors to influencers.

By Debashis Sarkar
Design by Vikas Sharma | Imaging by Shigil Narayanan


From being a typical backend guy to a management advisory role, there has been a paradigm shift in the role of the Chief Information Security Officer (CISO). For the last decade and a half, technology has been a major business enabler. Hence, the role of IT specialists has been majorly focused on two aspects — providing the necessary IT infrastructure and securing that infrastructure. With this division, the role of the CISO came into existence, which is significantly different from that of a Chief Information Officer (CIO) who mainly takes care of the overall IT infrastructure of the organisation.

Back in the early 90s, when employees used to work on the PCs given to them and businesses had their own hardware to store and manage data, IT specialists had a clear strategy — protecting the corporate data and infrastructure from any possible threats. They were able to say no to anything they weren’t comfortable with.

The Change in IT security

The scenario today is very different. With mobility, employees have started to own better devices than what their organisations can provide. Typical IT jargon is known to almost every employee, and today they don’t depend on the IT team for connecting themselves to the corporate network. They have started to bring their smartphones, laptops and tablet PCs to work, and the IT team cannot say no. The IT department is, in fact, forced to balance risks and accommodate every new development whether they like it or not.

On the bring your own device (BYOD) trend, Sunil Lalvani, MD, BlackBerry India, believes, “The BYOD trend is here to stay, and therefore CIOs, even though apprehensive, are trying to facilitate rather than hinder the process. The BYOD phenomenon calls for a balancing act between the needs of the employee, the organisation and the available resources; wherein everyone reaches an amicable compromise. CIOs who enact BYOD policies are exploring new grounds in the consumerisation of IT. They seek to cut costs, if the policies in place allow it, and change the way IT and non-IT staff interact. They also believe that costs will reduce drastically as employees will require less technical training if they use the same machines at home and at work.”

The mobile workforce is expected to reach 1.3 billion by 2015, according to Gartner. Along with this, mobile security threats are increasing significantly with each passing day, indicating a much greater risk to corporate data.

Information security is moving beyond its technical niche into a strategic, enterprise-wide priority. In the last couple of years, organisations have witnessed massive loss of sensitive data. As a result, infosec officers are experiencing a significant change as IT has come to the forefront


“Today businesses across sectors unanimously agree that breaches of cyber security are a real and imminent danger increasing in their velocity and efficacy. Our sensitive information is no longer confined to desktops or data centers. It’s everywhere—in the cloud, on devices, and in virtual environments. As these technologies are widely adopted, cybercriminals continue to discover new vulnerabilities, and attacks are becoming more sophisticated, widespread, and easier to execute. In a world of new weapons, new business models, and new actors, cybercriminals continue to intensify their attacks against organisations of all sizes,” avers Anand Naik, Managing Director – Sales, India & SAARC, Symantec.

“Today, no organisation can confidently say that they haven’t been breached. It is better to assume that they are breached already and focus more on the response mechanism. The most basic change in IT security is that we have moved out from an age of prevention and are living in the age of detection and response,” says Felix Mohan, Global CISO, Bharti Airtel.

“Around a decade back, when the term IT security was coined, it predominantly meant security operations dealing with anti-viruses, firewalls. At that time, we could easily count the number of viruses and malwares that existed in the cyberspace and we even had knowledge of most of them. But technology has changed rapidly and today, we have to assess risks. Risk management has become a prime concern. Apart from taking care of risk functions, we have to deal with privacy issues, regulatory and compliance issues, which never existed 10 years back. Today, we cannot say no to any new technology. We have to find a workaround keeping the risks in mind,” says Sunil Varkey, CISO & Global Head – Information Risk & Policy Compliance, Wipro.

Looking at the outer cyberspace, there is countless malware waiting to intrude into the network. But the biggest threat is the employees themselves. Employees can put corporate data at risk either through a deliberate malicious act or, much more likely, through human error. Whatever the cause, the organisation might end up with losses.

Apart from threats from employees, information security officers are tasked with identity and access management while keeping external security threats at bay. Keeping this in mind, the strategies have changed — from prevention to detection and response.

“Information technology has advanced very rapidly, and continues to do so. IT security challenges and solutions have also progressed. Technology used to counter the challenges due to connections to the Internet has evolved from firewalls, to intrusion prevention systems, data loss protection systems, increasingly sophisticated monitoring systems, and protection of individual endpoints, servers, backend systems,” says P D Mallya, Head – Information Security Group (ISG), Infosys.

“In the 80’s, 90’s, and even in the early years of this century, malicious hackers used to exploit vulnerabilities in operating systems, and standard, off the shelf software like a Web server or a mail server. Operating system writers are now more skilled at writing and maintaining code securely, so hackers turned their attention to off the shelf application software like Webservers and databases, and now to the code written for specific applications, exploiting,” he says.


The change in the role of CISO

According to a survey conducted by IBM’s Center for Applied Insights, the role of a CISO has changed from just a technologist to that of a business leader. The CISO is following in the footsteps of a CIO and a CFO as they continue to take on more strategic organisational responsibilities. Information security officers are protectors of some of the organisation’s crucial assets like finance, customer data, intellectual property and also the brand itself. With this, organisations have clearly recognised the strategic importance of information security.

“The role of a CISO has evolved over time from an IT specialist to a management advisory role which includes business aspects, HR, physical security, vendor and partner management, regulatory compliance and also into a client facing role,” said Parag Deodhar, Chief Risk Officer and Vice President – Program Management & Process Excellence, Bharti AXA General Insurance.

With the transformation in IT security, the role of a CISO has changed from merely providing IT security to the organisation to managing the providers of that security. Today’s CISOs are constantly interacting with third-party vendors to make them understand their specific needs. CISOs are also taking cost seriously and leave no chance to cut it down while signing a deal with the vendor.

Given the threat landscape, information security has to go together with information risk. CISOs need to align themselves with the goals of their organisation, and thus managing risk forms an essential part of a CISO’s job while being in the management advisory role as well.

“Previously, IT security used to be taken care of typically by a backend guy. He had no visibility or interaction. But now, CISOs have become a pure business enabler. His authorisation is crucial for a business process. The CISO has now become a business guy. He is very much visible and does a lot of interaction on enabling business which is also highlighted as companies are hiring IT guys with an MBA degree,” says Varkey.

After transforming themselves into business enablers, CISOs now have to go to the next level to provide more value and help the organisation increase its profits by putting a better risk management process in place. With new and better technologies, CISOs have to look closely at the monitoring of risk. The key to success depends on how accurately a CISO can establish a framework to manage the present and the upcoming risks to the enterprise.

Technology skills are no doubt important and largely make up the core competence of a CISO, but along with technology skills CISOs have to present themselves as business consultants rather than just technologists. After successfully putting in place the organisation's tolerance and risk profiles, the next-gen CISOs have to keep looking at new information risks and must have the ability to step into other roles in the organisation, especially in enterprise risk management and the legal department.

With cloud computing and mobility, CISOs have already started to see a significant transition. The focus has now shifted from direct operational responsibility for these new technologies to governance and to acting as a consultant providing advice to their organisation. In the era of cloud computing and BYOD, CISOs have to manage the provider of security and not manage security themselves.

While managing third-party providers, it is extremely crucial for CISOs to learn how to effectively get answers from them. With this, the visibility of the CISO obviously cannot be ignored. They have to select the correct mix of security infrastructure and get clear information on the level of visibility they will have into the design, implementation, and operation of the vendor’s infrastructure. “Also, prior to meeting a vendor, they are required to form a checklist of the organisation’s security requirements and ensure that the vendors comply with that,” adds Mohan.

Challenges facing today's CISOs

Effectively managing the ever-evolving information security landscape and mitigating the payload of the unknown is in itself a big ask for CISOs. However, it is important to take a risk-based approach to manage the present and future security challenges. According to Mallya of Infosys, some of the biggest challenges are the following:

Insecure software. Security imposes its own requirements and restrictions on software, the way it can be composed and can be written. Practices for the design, development and deployment of software that assure its security are still far from prevalent amongst software developers and designers.


Insecure handling of information by people. For example, with comprehensive information about people being available on social media, attackers use this information to dupe insiders to co-operate with them in compromising the information systems of their corporations. The attacker can send the individual a message asking them to click on a URL which can then compromise the individual’s system.

The public cloud. Organisations will want, and increasingly need, to exploit the opportunities for cost-effective use of IT resources that public clouds provide. It is the job of the CISO to make sure that the organisation’s information security requirements are met when using the cloud for IT.

The increasing computing power available to end-users at diminishing cost, including laptops and smartphones. Employees can use these devices for work purposes without authorisation, and then there is the BYOD trend.

One of the most important challenges for the CISO is implementing stronger authentication models. Strong multi-factor authentication has taken centre stage, with the out-of-band (OoB) model comprising factors such as a password or PIN (which the entrant knows); a phone, card or token (which the entrant has); and biometrics, which ensure the authenticity of the entrant. Security is slowly moving on from data to the individual, and in such a scenario identity and its federation can provide much needed intelligence and levers for governance.

The next crucial challenge is cyber warfare. Apart from the internal threats coming from employees, outsiders are always looking to first become insiders and then take away whatever they can lay their hands on. Also, the mobile workforce is in itself a big security challenge for the organisation.

Apart from these, some other crucial challenges highlighted by most Indian CISOs include:

Changing responsibilities and reporting to a manager from a different domain: As the CISO is a new CXO position, the role is continuously evolving and the responsibilities of the CISO keep changing depending on the industry and the reporting hierarchy. Most CISOs feel that the role should be independent of IT and audits, as that helps the CISO to be unbiased. Also, broadly speaking, reporting to the CIO or a CTO might not be as effective as reporting to the risk committee chief of the organisation. In some cases, the CISO has to report to a manager from a completely different domain, which proves to be a major challenge.

“The CIO and CISO need to work together very closely as every project of the CIO has an aspect which requires CISO. They complement each other at the same time they should challenge each other. In many organisations CISO reports to the CIO, which results in CIOs overriding some of the controls due to conflict of interest. In my opinion CISO should be an independent position in the second line of defense, whereas the CIO role is in the first line,” feels Deodhar.

Lack of relevant experience: The CISO mostly has a background in a core IT function, while very few CISOs have the relevant certifications. Most CISOs, especially in non-BFSI industries, come with specific knowledge of hardware and networking or of a single security solution, and lack expert knowledge in application security.

Parag Deodhar, Chief Risk Officer and VP, Program Management and Process Excellence, Bharti AXA General Insurance Co.

The role of a CISO has evolved over time from an IT specialist to a management advisory role which includes business aspects

25September 21 2013

Page 30: cio & leader. com · In enterprises today, a CISO has moved from the backstage to centre stage. He has been given more responsibility and editors pick Taking Centre Stage IT security

Eye on ROI: CISOs constantly have to strike a balance between a portfolio of ideal security programmes and the realities of budget. “Pressure on information security budget remains. However, there is more interest in threat detection,” says Subhash Subramanian, CISO, ICICI Bank. “ROI remains at the top of the priority list as the CFO continuously looks at numbers,” Deodhar added.

New technologies: “A lot of new technology has come into the traditional enterprise IT, like BYOD, cloud, and formulating a perfect hygiene for each of these is a key challenge. Another key issue is creating more access than before and managing them. Previously, IT was sure on whom to allow and whom not to allow, but now we have to measure risk and provide access to a lot of people depending on the type of data. Balancing privacy and security is also a concern,” adds Varkey of Wipro.

“The rapid changes in business, regulatory and IT landscape bring about multiple challenges for the CISO. The business and IT teams need to change the processes and technology to keep up with the market requirements and many a time risks are either not assessed or overlooked, resulting in business losses. CISOs need to keep pace with the changes and provide practical solutions to the business. In the current economic scenario, budget and resource constraints pose a major challenge as well,” echoes Deodhar.

"The most challenging adjustment for CIOs adapting to the BYOD trend is the need for better systems to authenticate network users, essentially all of whom now access corporate systems with their own personal mobile devices. The IT infrastructure to support BYOD has developed but there are a few kinks to iron out in terms of policies and guidelines," says Lalvani.

BYOD plans are made on the assumption that employees are expected to give up some level of control over their personal devices in exchange for access to corporate resources. CIOs are also concerned with situations wherein they have access to both private and professional information and employees view that as a violation of their personal space and privacy. Today, there are options to separate a user’s personal and work-related information on the same device, thereby restricting the organisation’s remote access too.

This gives companies flexibility in terms of remotely wiping out the sensitive, confidential data that resides in an employee’s phone whenever the need arises, without deleting his/her personal information. There is a need for continued efforts and investments to create a scalable, secure and manageable mobility infrastructure to support BYOD, and capitalise on the merits of this pervasive and growing trend.

Enterprise applications are clearly the next growth drivers for the enterprise mobility sector. The growth of workplace mobility has increased the demand for business applications and thus provides great opportunity for enterprise developers. Gartner projects that by 2017, 25 percent of enterprises will have an enterprise app store for managing corporate-sanctioned apps on PCs and mobile devices.

Managing Risks

Organisations — private and public, small and large — must give immediate heed to ensure they have the technologies and processes in place to manage these security risks. But it is broader than just implementing a set of technologies and instituting the right collection of policies. Sufficient layers of security are certainly important and while having data on your risk posture is an essential ingredient to success, it is greater than that. It boils down to how those different layers and technologies interoperate with each other and how the data is analysed and reduced down to an actionable list.

Felix Mohan, Global CISO, Bharti Airtel

Today, no organisation can confidently say that they haven’t been breached

“The relationship between the information security risk that you articulate and the risk to the organisation must be totally clear. Only then will a CISO get management support for its mitigation. Preventive controls are often not always practicable. Monitoring controls to detect incidents when they occur, and processes to respond to them and contain them before they cause much damage, often mitigate the risks sufficiently,” said Mallya.

“To be successful in warding off cyber-attacks, businesses need to understand the attackers’ motivations and craft new strategies to combat them successfully. Simply put, businesses need to develop security intelligence or security IQ. Those lacking it may simply find themselves overwhelmed by and unable to withstand the burgeoning onslaught of cyber-attacks,” added Naik.

Each organisation has its own risk appetite, which the management needs to arrive at. The CISO’s role is to assess the risk, present a clear picture to the management and enable them to take a decision on accepting or not accepting the risk. “Risk Measurement is an art and a science – some risks can be quantified, whereas some risks can only be measured in qualitative terms,” feels Deodhar.

While dealing with a third-party vendor, for instance the public cloud, it is important for a CISO to document all the risks the organisation faces if an application is moved. “Review the extent to which the cloud service provider mitigates those risks for you. Review what assurances you can get that the provider covers those risks effectively on an on-going basis. One of the assurances could be that there is a third party audit of their controls. Review whether you will be able to provide the mitigations to risks that the provider is unable to mitigate,” added Mallya.

Policy making

Prohibiting mobile device use or restricting cloud surely cannot be the way ahead for today’s CISOs, so formulating guidance and parameters is extremely crucial. As CISOs are moving from prevention to detection and response mechanisms, IT policies form an essential backbone of any information risk management and security programme.

“A policy must address real issues, real risks that can impact business goals, the goals of the enterprise. Top management supports such policies. Policies and controls that implement them can result in risks of their own. These must also be addressed,” said Mallya.

Security policies need to be reasonable to the intended audience, and sustainable, as these are meant to influence employee behavior. So, CISOs must get this understanding clearly in their minds from the beginning itself to come up with a successful policy.

“The policy should be created keeping the business objective in mind, short and simple, easy to understand and practical and cost effective to implement. Otherwise it will remain just another piece of paper which no one reads and follows,” adds Deodhar.

As cloud computing and BYOD are blurring the perimeter of the organisation, classical threats and controls are no longer applicable and CISOs need to find innovative controls to manage the risks of these technologies.

The Next Gen CISO

With the significant change in IT security, the next gen CISO needs to develop several key competencies as their evolving role is slowly getting aligned with the business prospect of the organisation. A few skillsets which many experts feel will help the CISO to be a better business enabler include:

Better communication skills
Knowledge on organisational behavior and psychology
Developing business knowledge
Better understanding of information risk management
Focusing more on consulting and advisory rather than just being a technologist
And lastly, developing a proper insight on compliance and privacy.

With mobility and cloud computing, a CISO cannot say NO and he is required to be a solution provider, who can provide a practical and cost effective solution or work around to achieve the business objective with acceptable risk.

To be successful in warding off cyber-attacks, businesses need to understand the attackers’ motive

Better Visibility = Better Management

Altaf Halde, Managing Director (South Asia), Kaspersky Lab, India, discusses the changing enterprise information security landscape and its impact on the CISO’s role

Yashvendra Singh

The nexus of force — cloud, mobile, social and APT — is radically transforming security. As organisations look at how to protect this information, the big question ahead of security practitioners is where they should be making their security investments and how much? What are your thoughts on this?

Business is increasingly adopting new technologies without considering the security implications. While some businesses are adequately prepared, many are not, providing further incentive, if any were needed, for the ever more sophisticated APTs, organised hackers, malware and spyware developers, and spammers. Most of the time security practitioners are reacting to change while trying to protect their businesses. They are assessing risk after technology has been adopted.

The core challenge in today’s environment isn’t that there are no tools available, it’s that each individual tool adds to the complexity the IT security team faces when trying to implement their security policies. And as you are aware, complexity is the enemy of IT security. Integrated security capabilities are required with an easy-to-manage centralized management system with powerful control tools, in order to see the risks across systems and endpoints, while at the same time manage costs, increase performance, and lower resource footprint.

For instance, the unified Kaspersky Endpoint Protection Platform (EPP), also called Kaspersky Endpoint Security for Business, has been specifically designed with a single console to manage growing security needs. Robust control tools, encryption systems and mobile device management can all be controlled from one place – while keeping anti-malware protection at the core of everything that happens on your network.

With one platform, one console and one cost, you are able to reduce the risk to your data, reduce the complexity of your security tools, and reduce the investment while delivering against business demands.

As more and more organisations have their vendors, service providers and customers plugging into their network and vice versa, how can organisations address risk from these third parties?

Protecting the company’s data without adding to the resource requirement is the key challenge for IT teams. How about having a solution that controls, manages guest access and removable media and secures company or employee-owned devices from a central location?

Imagine having one clear view of your entire IT environment - from network to device, data centre and desktop. You get the total visibility you need to manage threats, the ability and flexibility to respond quickly to malware and the capacity to respond to the changing needs of the business, whether that’s mobile device support or managing guest access on the network.

Now, Kaspersky Endpoint Security for Business (KESB) has an interface that’s intuitive and technology that’s easy to use, easy to deploy and easy to manage. As soon as a new device is introduced to the network, you’re made aware and your policies are automatically applied.

It is a scalable and modular solution that can grow with your business and respond to change because of its single-code architecture, which no other security company provides. No bolt-on functions. No bought-in, cobbled together technologies. Just one code-base, developed in-house, designed to complement and enhance overlapping functionalities.

What should a CISO outsource? What should be kept in house? Is it a good idea to have an external SOC/incident management team? How does a CISO achieve this fine balance?

The evolving risk and threat landscape might be complex, but the approach needed is clear – as are the business benefits a CISO can deliver to the rest of the organisation. The key things to be clear about are as follows.

High detection rate = Reduced business risk
No matter what, business data needs to be kept safe
Mobility and BYOD is unstoppable, there is a need to embrace
Productivity of the IT team needs to increase
Most importantly, Better visibility = Better management

CISOs may outsource the operational tasks to a trusted partner. By freeing themselves from time-consuming activities, they can focus on the bigger picture to strategize and implement practices to secure their organisation. At the same time, timely review of the outsourcing agency's activities needs to be done so as not to miss any suspicious behaviour in their network.

Most of the time security practitioners are reacting to change while trying to protect their businesses

Ideally, there should be two parties working in tandem — internal and external (outsourcing agency). A steering committee (including CISO/CIO) should be in command.

These days as threats become more complex (mobile malware, APT, organised cybercrimes), some niche services/solutions are best taken in an outsourced model/cloud model rather than implementing all in-house. At the same time, there should be overall visibility available to the CIO/CISO (steering committee) at any given time.

BYOD is a reality in enterprises today. The success of a CSO lies not in resisting but in embracing this fast-catching trend. What goes into making a successful BYOD strategy? How should a CSO balance the risks and rewards arising out of BYOD?

In deciding to implement a BYOD programme, a business should consider the following key risks and ensure the benefit to the organisation in cost savings, employee morale, etc., outweighs those risks:

Mixing Business and Personal Data
Software Licencing Issues
Discovery/Litigation: Specifically, the employee must understand that the employer and, potentially, others may need to inspect the device and review its contents in the context of litigation.
Repetitive Stress And Other Workplace Injuries
Shared Use Of Devices With Non-Employees
Employee Disposal of Device

Once the risks have been assessed, an effective BYOD programme should have three components: policy, training, and technology/enforcement.

Effective IT security is a core component of any regulatory compliance initiative. Many industry sectors now mandate encryption as a standard part of data protection compliance. Encrypt your data to avoid data breach risks.

Kaspersky Lab’s MDM functionality means you can say yes to mobile work initiatives without exposing the business to additional risk.

At the same time, better visibility equals better management. The Kaspersky management console (Kaspersky Security Centre) gives your business complete visibility across virtual, physical and mobile endpoints.

With Kaspersky Lab’s MDM functionality, as soon as a new device is introduced to the network, you’re made aware and your policies are automatically applied.

What are your plans for the Indian market? How are you enabling Indian CSOs to adapt to the changing environment?

India is one of Kaspersky Lab's key markets in Asia-Pacific and growing extremely fast, particularly in the B2B space. Our enterprise readiness stems from the fact that we now have an excellent Endpoint product – Kaspersky Endpoint Security for Business (KESB), which has taken us up a few notches higher in the Leader’s quadrant besides IDC and Forrester also naming us the top 3 global leaders in the endpoint market. We are trusted by world leaders in security as is reaffirmed with our technology alliances and OEM agreements with companies including Microsoft, IBM, Cisco, Juniper Networks, Blue Coat, Check Point, D-Link, GFI, Netgear, SonicWALL, RSA, ZyXel, etc.

In terms of solution offerings, we have targeted security solutions: Kaspersky Security for Virtualization, Security for Mobile, Mobile Device Management, Systems Management, Security for Collaboration, Security for Storage, Security for Mail/File Servers, to name a few.

Our Kaspersky Security Center (KSC) allows organisations to implement a flexible, scalable model of antivirus protection management.

It can operate on a network of any size, whether it’s a small group of machines or a complex distributed network. Easy to install, and time-efficient to manage, protection system management with Kaspersky Security Center minimizes the total cost of ownership of any Kaspersky Lab antivirus solution.

The Kaspersky management console gives your business complete visibility across virtual, physical and mobile endpoints

Special Leadership Section

The real leader has no need to lead - he is content to point the way.
— Henry Miller

Introduction

CIO&LEADER: This special section on leadership has been designed keeping in mind the evolving role of CIOs. The objective is to provide an eclectic mix of leadership articles and opinions from top consultants and gurus as well as create a platform for peer learning. Here is a brief description of each sub-section that will give you an idea of what to expect each month from CIO&Leader:

An opinion piece on leadership penned by leadership gurus. Plus, an insightful article from a leading consulting firm

This feature focusses on how CIOs run IT organisations in their company as if they were CEOs. It will comment on whether IT should have a separate P&L, expectation management of different LoB heads, HR policies within IT, operational issues, etc. This section will provide insights into the challenges of putting a price on IT services, issues of changing user mindset, squeezing more value out of IT, justifying RoI on IT, attracting and retaining talent, and competing against external vendors

A one-page review of a book on leadership

Top Down
Leading Edge
Shelf Life

Cross leveraging our strong traction in the IT Manager community, this section will have interviews/features about IT Managers and CIOs talking about their expectations, working styles and aspirations. In this section, a Mentor and a Mentee will identify each other’s strengths and weaknesses, opine on each other’s style of functioning, discuss the biggest lessons learnt from each other, talk about memorable projects and shared interests

Me & My Mentee

Top Down
Nitin Jadhav, CTO, ESDS Software Solutions

Innovation in Service Delivery is Key to the Future

Nitin Jadhav, CTO, ESDS Software, talks about the challenges confronting CIOs

CIOs are a vital link between the organisation and key contributors in fulfilling the organisation’s objective. Their calculative risk-taking ability and proactive approach will decide IT’s brilliance. Above everything, the attitude of a CIO will play a major role in managing risks, which are integral in the IT umbrella. The nature of the competition has risen to a very high level and our readiness towards a new technology or an opportunity will matter by and large in creating breakthroughs in the IT roadmap. None of the CIOs remain anonymous to these facts. They understand that demands will be met faster than ever before with the evolution of cloud computing and that by leveraging cloud even organisations from the smaller towns can deliver like big corporates.

I feel that the best business strategy for CIOs is to conceptualise a framework in which the IT teams are well-versed with emerging technologies and are self-sufficient in terms of knowledge and resources. The idea of operating on a company-wide scale versus a centralised technical source is more lucrative. Driving down IT costs is another indicator which will increase the number of beneficiaries. A platform which encourages new episodes of innovation and impacts customer experiences should be laid down. The importance of customer service should be instilled at horizontal levels of the organisation so that excellent customer service becomes a common goal. A different angle to it is the ability to manage your technology partners, which indirectly impacts customer service. Innovation and a pro-active approach in service delivery is the key to the future. Fortunately, we are at the right time in the right place where we can assist our growing nation by delivering intelligent solutions that we are well known for. We are not just a typical Data Center but rather a solution-provider and we take pride in it. Currently there is a need for robust and scalable solutions in the area of e-governance, the BFSI sector and for SMEs. There is a mandate from RBI to have all the co-op banks moved on core banking in the next few years, due to which we see a lot of opportunity in this sector where we not only provide core banking solutions on a hosted model, but also build data centers from the ground up in their facility and provide them with disaster recovery services. —As told to Atanu Kumar Das

Leading Edge

Bullish on Digital: McKinsey Survey Results

CEOs and other senior executives are increasingly engaged as their companies step up efforts to build digital enterprises

By Brad Brown, Johnson Sikes, and Paul Willmott

As businesses continue to embrace digital tools and technologies — especially when engaging with customers — C-level executives in a recent McKinsey survey say they are stepping up their own involvement in shaping and driving digital strategies. This is vital to the success of digital programs, as survey respondents most often cite a lack of senior-management interest as the reason for an initiative’s failure. Respondents also suggest that organizational alignment is critical to seeing real business impact from digital.

In the survey, we asked respondents about five digital-enterprise trends: big data and advanced analytics, digital engagement of customers, digital engagement of employees and external partners, automation, and digital innovation. Specifically, we inquired about their companies’ adoption of and focus on each trend, what impact digital technologies can (and do) have on their businesses, and what obstacles companies face in meeting their digital goals. We found that despite the organisational and talent challenges, executives remain optimistic about digital business.

They report, for example, that their companies are using digital technology more and more to engage with customers and reach them through new channels. What’s more, growing shares report that their companies are making digital marketing and customer engagement a high strategic priority. Nevertheless, there is more work to do: most executives estimate that at best, their companies are one-quarter of the way toward realising the end-state vision for their digital programmes.

Focusing on customers and the top line

Executives say each of the five digital trends we asked about is a strategic priority for their companies. Of these, the trend that ranks highest is customer engagement: 56 percent say digital engagement of customers is at least a top-ten company priority, and on the whole respondents report notable progress since 2012 in deploying practices related to this trend. Companies have made particularly big gains in their use of digital to position material consistently across channels and to make personalised or targeted offers available online.

By comparison, companies have been slower to adopt digital approaches to engaging their own employees, suppliers, and external partners. Here, executives say their companies most often use online tools for employee evaluations and feedback or knowledge management; smaller shares report more advanced uses, such as collaborative product design or knowledge sharing across the supply chain.

Responses also indicate growth in the company-wide use of big data and advanced analytics, matching our experience with companies of all stripes, where we are seeing executives consider analytics a critical priority and dedicate increasing attention to the deployment of new analytic tools. Notably, respondents report increased use of data to improve decision making, R&D processes, and budgeting and forecasting. What’s more, executives say their companies are using analytics to grow: the largest shares report focusing their analytics efforts on either increasing revenue or improving process quality; reducing costs tends to rank as a lower-level priority. Likewise, when asked about the next wave of business-process automation, respondents say their companies are automating a wide range of functions to improve the overall quality of processes (by removing breaks or errors, for example) or to build new digital capabilities (for example, remote monitoring) into the processes; few say their companies have automated processes primarily to replace labour. When asked about innovation practices, more than 40 percent of respondents say their companies are either incorporating digital technology into existing products or improving their technology operating models (for instance, using cloud computing). Just 23 percent say they are creating digital-only products.

More-involved CEOs

Across most of the C-suite, larger shares of respondents report that their companies’ senior executives are now supporting and getting involved in digital initiatives. This year, 31 percent say their CEOs personally sponsor these initiatives, up from 23 percent who said so in 2012. This growth illustrates the importance of these new digital programs to corporate performance, as well as the conundrum that many organisations face: often, the CEO is the only executive who has the mandate and ability to drive such a cross-cutting programme.

Thirty percent of respondents also report a chief digital officer (CDO) on their companies’ executive teams, a sign of the widespread awareness that these initiatives are important. This result also squares with our experience that some organisations have created the CDO role as an executive-level position with cross-cutting responsibilities for all digital initiatives.

Organisational challenges continue

Despite the host of technical challenges in implementing digital, respondents say the success (or failure) of these programs ultimately relies on organisation and leadership, rather than technology considerations. We asked executives to think of past initiatives at their companies (one initiative that worked and one that didn’t) and then identify the most decisive factors behind each outcome. Executives most often attribute the success of digital programs to managerial factors—senior management’s interest and attention, internal leadership, good program management, and alignment between organisational structure and goals—and are less likely to cite any technical considerations. Interestingly, the absence of senior-management interest is the factor respondents most often identify as contributing to an initiative’s failure.

Organisational issues can also hinder companies’ efforts to meet goals and see real impact from digital. As in 2012, executives most often say misaligned organisational structures are the biggest challenge their companies face in meeting digital goals. This is followed by insufficiently reworked business processes (to take advantage of the digital opportunities) and difficulty finding functional talent (such as data scientists or digital marketers). In contrast, a lack of infrastructure and absence of good data are less pressing than they were last year. At companies where organisational structures do pose a challenge, fewer report a corporate-wide financial impact from digital business: 31 percent of these executives say their digital efforts have yielded a measurable impact on top- or bottom-line results, compared with 43 percent of executives who aren’t facing this issue. At the same time, many respondents are unsure of how best to measure their efforts: only 36 percent say their companies have a top-line metric for monitoring their digital programmes’ overall progress.

their end-state visions (56 percent), but overall, there is room for improvement.

Looking ahead

Find the right digital leaders. Leadership is the most decisive factor for a digital program’s success or failure. Increasing C-level involvement is a positive sign, and the creation of a CDO role seems to be a leading indicator for increasing the speed of advancement. These developments must continue if companies are to meet their high aspirations for digital.

Manage expectations. Just as important as finding the right leader is setting the right agenda and maintaining an aspirational vision without straying into overexuberance for digital. Leaders will have to walk this line carefully, given executives’ reports of organisational, technical, and cultural challenges.

—The article is published with prior permission from McKinsey Quarterly.

Brad Brown is a director in McKinsey’s Brussels office.

Johnson Sikes is a director of the McKinsey Global Institute and a director in the San Francisco office.

Paul Willmott is a director of the McKinsey Global Institute.

High expectations and continued investmentChallenges aside, executives remain bull-ish on digital business: 65 percent say they expect these trends will increase their com-panies’ operating income over the next three years, similar to last year’s results. CEOs are more positive than executives in any other role, with more than one in five saying they expect income from digital to increase by more than 30 percent in three years’ time.

When asked about their expectations for digital’s top line, executives at business-to-business companies are actually more optimistic than their business-to-consumer peers, perhaps due to the increased consum-er expectations, price transparency, and com-petitive pressures that business-to-consumer companies face. While respondents see value from all five trends, they are hoping for more value from customer engagement than other trends: executives who expect an income boost from digital business attribute

the largest part of that increase to digital cus-tomer engagement. Among those expecting a negative impact on company income, the largest share of respondents say it’s due to their inability to adequately respond to changing customer behaviour and expectations.

Executives say their companies continue to invest heavily in their digital programs—and, on average, expect to spend more rela-tive to last year’s results. There are some notable differences across regions: respon-dents in North America, for example, say their companies are investing at levels well ahead of those in other regions, including Europe, where companies traditionally keep pace with North America. But currently, only about one-third of executives say their companies are spending the right amount on digital, and many worry about under-investing in these programmes. Still, the responses indicate that companies have a long way to go in accomplishing their digital-business agendas. Fifty-seven percent say their companies are up to one-quarter of the way toward realising their end-state visions for their digital programmes, and just 40 percent say their organisations’ digital efforts have yielded a measurable business impact thus far. Executives who say their companies spend the right amount on digital are much likelier than average to report real business impact (60 percent), as are those who say their companies are at least halfway toward

16%

15%

20% 19%

31%

Automation

Digital innovation of products, operat-ing model or business model

Big data and advanced analytics

Digital engagement of customers

Digital engagement of employees, suppliers or business partners

Of the ways that companies can use digital, customer engagement promises the most potential value.


Mentor: Atul Nigam, Head-IT, Samsung Data Systems India

Mentee: Chhavi Taneja, Senior IT Manager, Samsung Data Systems India

What do you look for in a mentee/mentor?

Atul Nigam: The first and foremost thing that I look for in a mentee is responsibility and accountability. Because I believe these two things define the attitude of the person. Moreover, I also look for technical efficiency because that is integral in our job profile. For example, my mentee used to be in a separate process altogether, but I saw something in her and got her into the infrastructure side and today she heads 25 people across India and that shows that if you can groom a person in the right manner, he/she can deliver exceptional results. Another important thing for the mentee to possess is the urge to be flexible, one cannot be rigid all the time and should be willing to work in different projects. I always prefer someone who is willing to learn and has the habit of taking challenges.

Chhavi Taneja: I am very clear in my mind that in a mentor I do not want someone who wants a clone of himself. I want a mentor who is open to ideas and gives the freedom to work on our own. A mentor should have the potential to nurture talent within you and he should be able to respect his subordinates. I find all these qualities to be present in my mentor and I consider myself lucky to be able to work with him.

How do you identify and prioritise areas where you think your mentee needs to focus on for further professional development?

Atul Nigam: I want my mentee to be always abreast of the technology. I always ask them to read journals and they should be always updated. I see the interest of a person and try and motivate him/her in doing that. For example, Chhavi has been doing exceptionally well in the PC infrastructure division of the company and I always ask her to focus on her job to grow in the future.

Do you think your mentor spends enough time with you? How do you think your mentor could contribute more towards your professional growth?

Chhavi Taneja: My mentor spends a lot of time with us and discusses not only the professional aspect but also the personal part. He is the same with the entire team and he makes sure he takes out time individually for each one of us and spends time with us that would help us to grow as a better professional and a better human being. I always used to think, what is it about Atul that makes people work with him for more than 10 to 12 years. But after working with him for four years, now I realise that it is his personal touch that makes people stick to him.

How do you think your mentee can take on more responsibilities and take more/bigger decisions?

Atul Nigam: In terms of operational work, I have given a free hand to my mentee to take all the day-to-day decisions. Because if Chhavi has to take my permission for every operational decision then the work gets delayed and it is a loss for the company. But when it comes to taking strategic decisions, then I am involved with other stakeholders and we take a decision after everyone on board agrees to that.

“A mentee should have accountability”

“To reach the best possible solution, one should always have healthy arguments”

Does your mentor delegate enough tasks and responsibilities to you? How often do you take key decisions yourself?

Chhavi Taneja: Yes, my mentor delegates enough tasks to me and he has the belief that I will do a good job in that. One has to earn that in his/her life and I think I have earned it. The kind of freedom my mentor has given, allows us to take key operational decisions and that I think will help us a lot in the years to come.

Are there any conflicts between you and your mentee? If so, how do you resolve them? If not, what do you think is the secret of your smooth working relationship?

Atul Nigam: I always believe in letting the other person speak and I know we all think in a different manner. But it also opens up a lot of options. We definitely have conflicts of opinion, but we sort it out by healthy conversation. To reach the best solutions you should always have arguments.

Please describe your working relationship with your mentor and how the two of you address key challenges together or resolve any conflicts of opinion.

Chhavi Taneja: I would describe our working relationship as very cordial and productive as we always think of the benefit of the company and then take decisions.

What are the two or three key things you have learned from your mentee/mentor?

Atul Nigam: I have always seen that Chhavi never gives up her stand when she is right and that is very commendable. Another nice trait about her is that she is very methodical and process-oriented. Since she has been a part of the PC infrastructure division, she has brought in many processes which are really helpful.

Chhavi Taneja: Atul is very consistent when it comes to project implementation. Another important part is he has taught us to be quantitative in terms of everything that we do, which makes us realise how much we are able to achieve in terms of percentage in a project.

—As told to Atanu Kumar Das


Opinion | David Lim

Kinabalu In A Day — The Climb!

Our strategy was not to break any time-based record, and as such, carried more than what most 1-Day climbers normally have

About the author: David Lim, Founder, Everest Motivation Team, is a leadership and negotiation coach, best-selling author and two-time Mt Everest expedition leader. He can be reached at his blog http://theasiannegotiator.wordpress.com, or [email protected]

Flew Silkair to Kota Kinabalu. Magesh and I arrived at Kota Kinabalu’s airport and got picked up by our pre-arranged transport directly to the Park HQ. Much as I would like to save money by staying outside the Park, we needed an early start, hence the stay at the Hill Lodges. This was nice but just so overpriced. The following morning, we packed what we needed to go. Fortunately, Mountain Torq, operator of the world’s highest via ferrata on Mt Kinabalu, and also owner of the Pendant Hut sponsored much of the on-mountain logistics!

Our strategy was not to break any time-based record, and as such, carried more than what most 1-Day climbers normally have: I had a light frameless backpack, 3 light alloy trekking poles (one was a spare), 2.5 litres of water, high energy snacks comprising mixed nuts, various cereal bars, a few GU gels. Other items were a full set of rain gear, one light warm layer to wear at night, a super light 240gm down jacket from Uniqlo, headtorch, batteries, a weatherproof Canon D20 camera, my Blackberry phone and a small ziplock containing First Aid stuff and meds. Altogether, perhaps the pack weighed about 6kgs, a large part of that was the water. There are water tanks at each of the seven rest stops en route to the summit but these are filled with untreated mountain run-off water. Not wanting to take that gastro-intestinal risk, I took bottled water instead. As mentioned, the idea behind the climb was to do a self-supported, porter-less climb, including spending a night on the mountain at Pendant Hut (3280m) after the summit. After a quick breakfast on eggs, potatoes, a drink, we registered with the Park headquarters, whereupon we met our assigned guide. As someone who normally eschews such aids, I was less keen on doing such straightforward ventures with a local “guide” but since the death of a teenager who got lost and died of exposure in 199, things have changed at Kinabalu National Park. Every hiker/climber needs to wear an ID tag, and strict checkpoints need to be followed so the park tracks the number of people going up and coming down.

Magesh is a fit 34-year-old professional trainer, and he’d been kicking my butt for six months with a training programme that included strength work, core work, and specifically, lots of exercises aimed at strengthening balance and one-legged stance strength; my long-term weakness. A less intense programme in 2012 resulted in one of my best-ever post-disability performances on the 6000-metre virgin peak climb, Sangay Ri, in China in Sept 2012. My typical weekly training regime would comprise:

high intensity circuit training for strength or strength endurance (x2 per week)
one 30 minute hill run
one staircase climbing session x 45 mins
one Bukit Timah local hill climbing session x 2 hours
one “other” session comprising yoga, P90X, or stretching

We started at 7am, with a quick ride in a van with a couple of other climbers to the beginning of the Summit Trail at Timpohan Gate (1866m). From here, it would be a thigh-busting 2250 metres or so of vertical height gain to the 4095m summit.

We left at 7:30am, making a quick start and working up a sweat in a few minutes. Mentally, I knew of the list of shelters along the way that were the landmarks of the summit trail, each one progressively higher. Most trekkers would climb with a guide and porter, or go really light to make the top and return to the base in around 10 hours. We opted for a different approach. Knowing that the trail would be wet and slippery after the typical afternoon downpour, and hazardous with my disability, a one-night stay at Pendant Hut was planned, and though important, the time taken to summit was less of an issue. After all, this was in all probability the first mobility-impaired ascent of the peak!

After leaving Magesh at Laban Rata – he looked so whacked, it would be cruelty to have asked him to continue – I went up with Ananias Mukim, a friendly Parks guide. The most tiring part of the climb then began, tackling one steep set of cut steps or stairs after another, as the vegetation began to give way to more alpine shrubbery. It was past noon, and the weather was still holding.

Familiar landmarks from past trips came and went. Finally, the ropes began. The start of the Panar Laban slabs just below the 3660m Sayat Sayat Hut have these thick white ropes that are fixed all the way to the summit. Most of the time you won’t need them, and they serve more as a marker. The first section was a traverse up some 60-degree slabs, then a steeper, more sustained bit. This was just around where two climbers fell in two separate incidents in 2013. I was pretty tired by then, and what should have been a doddle in the old days became a task demanding far more concentration than usual. I had slowed down a lot by the time I cleared the steep bit below the last hut. Emerging over a rise I saw a new, green building. What the %$£@?? Turns out it’s the new set of toilets, built just above Sayat Sayat. A new checkpoint shelter was also built. No sign of any rangers, but I met a few Austrians and Bulgarians attempting some technical routes. I soon drank the last of my water (from the original 2.5 litres), ate a GU gel, and continued up the summit slabs. At about 3pm, the weather inevitably began to turn. From an ascent rate of about 375m per hour, I had dropped to about a climb rate of 230m per hour.

The cramps that started at 3400m had eased off - probably because of my slower climb rate, so that was good. It began to drizzle, and then rain. Bugger. Time to put on my rain shells. By the time I had finished, the rain had eased somewhat. And then the plough up the summit pyramid block. Ananias’s main help was to be there to have some chit chat with me – anything from climbing gear to his dreams and ambitions. It broke the monotony of the final stretch.

David Lim is a leadership and negotiation coach and can be found on his blog http://theasiannegotiator.wordpress.com, or subscribe to his free e-newsletter at [email protected]


The One Thing: The Surprisingly Simple Truth Behind Extraordinary Results

The One Thing by Gary Keller and Jay Papasan is about focussing on one idea rather than running after a lot of things. Everyone should pick one thing and focus completely on that one thing only.

Gary Keller is chairman of the board and cofounder of Keller Williams Inc. which is the #1 real estate company in the United States. Jay is the editor at HarperCollins Publishers and co-author of Gary’s books. He is a frequent speaker and corporate trainer.

“The One Thing” explains the successful habit to overcome the six lies that block our success, beat the seven thieves that steal time, and leverage the laws of purpose, priority, and productivity. Sometimes it's the only thing you do. But it's always the ONE Thing that delivers extraordinary results.

In one of the chapters, the authors say “Where I'd had huge success, I had narrowed my concentration to one thing, and where my success varied, my focus had too.” The theme of the book concentrates on one Russian proverb, “If you chase two rabbits, you will not catch either one.” And the book points out numerous illustrations to justify this point.

The flow of the book is really very good. It is very readable and well written with good examples and stories to justify the authors’ idea. It has several drawings that nicely fill the gaps and visualise the written text.

In the second chapter of the book, the authors start the conversation with a quote from Mark Twain, “It ain't what you don't know that gets you in trouble. It's what you know for sure that just ain't so.” Here the authors later mention that the problem is we tend to act on what we believe even when what we believe isn't anything we should. As a result, buying into the ‘One thing’ becomes difficult because we've unfortunately bought into too many others — and more often than not those “other things” muddle our thinking, misguide our actions, and sidetrack our success.

In the sixth chapter titled “The Disciplined Life”, the authors say that “you don't need to be a disciplined person to be successful. In fact, you can become successful with less discipline than you think, for one simple reason: success is about doing the right thing, not about doing everything right.”

The trick to success is to choose the right habit and bring just enough discipline to establish it. That's it. That's all the discipline you need. As this habit becomes part of your life, you'll start looking like a disciplined person, but you won't be one. What you will be is someone who has something regularly working for you because you regularly worked on it.

The book concludes with “all success in life depends within you. You know what to do. You know how to do it. Your next step is simple. You are the first domino.”

By Atanu Kumar Das

About the authors: Gary Keller is the founder and chairman of the board for Keller Williams Realty, the largest real estate franchise in North America. Before Jay Papasan co-authored the bestselling Millionaire Real Estate series with Gary Keller, he worked as an editor at HarperCollins Publishers.

“You don’t need to be a disciplined person to be successful. In fact, you can become successful with less discipline” — Gary Keller & Jay Papasan


NEXT HORIZONS

Features inside: Green Clinic Refreshes Its Technology Arsenal; The H-1B Visa Conundrum

Offshoring: A Disadvantage

Companies that have over-embraced offshoring will take back many critical business functions

By Frank Wander

Corporate IT remains a source of great dissatisfaction in many companies. After enduring high project failure rates for more than 50 years, companies should already know that highly competent, tight knit teams are a source of competitive advantage and project success. Companies should know that knowledge workers, and successful teams, are corporate assets, not expenses. Moreover, companies should know that talented professionals are not an interchangeable commodity. Unfortunately, workers don’t count, so everyone just soldiers on.

When I examine how traditional IT operates, the book Extraordinary Popular Delusions and the Madness of Crowds immediately comes to mind. In it, Charles Mackay recounts how otherwise intelligent people get caught up in manias, like the Dutch tulip craze in the 1600s, where, at the height of the fad, a single tulip bulb sold for 10 times the annual salary of a craftsman. It is part of human social psychology that once a herd mentality takes root, most everyone goes along, afraid to speak out, even if they know the situation makes no sense. That is where we have ended up in IT. Many people in the industry quietly say the offshore model is a source of enduring failure, yet it remains a staple of IT.

Offshoring is a tool. Like all tools, it must be used correctly. Offshoring has legitimate uses, and I’ll briefly touch on them later. Generally, it increases the cost of application development and maintenance because it uses a leverage model, where large numbers of inexperienced resources with little to no institutional knowledge are thrown at a problem. Failure rates are high. Productivity is low. The model is the exact opposite of what works. I experienced this firsthand, as a CIO, when one of my managers replaced a team of 50 offshore resources with six full-time, high aptitude employees, and delivered more projects.

The problem with offshoring is that decisions are made using a single factor: dollars per hour of labour. Instead, what should be used is productivity, which is output divided by cost. Someone making $100 per hour can easily be 10 or 20 times more productive than an inexperienced offshore resource that costs $25. Worse yet, vendors get paid for bodies, so they want you to use a lot of them. Vendors also need to make a good margin. Therefore, cheaper resources are more desirable because they produce a greater profit. And therein lies the problem.

Let’s examine the factors that drive IT knowledge worker productivity, so you can make an informed decision about offshoring. Even though some of these factors are not easily measurable, they are still true.

Team Size

Small teams are the most productive staffing model. This has been proven time and again, and I have personally observed it many times. Case in point: In a 2005 study, QSM, an IT consulting firm, compared small and large team outcomes across 564 similarly sized projects (100,000 equivalent lines of source code). The large teams averaged 32 persons, and consumed 178 months of total effort; the small teams averaged four persons, and consumed only 24.5 months of total effort to complete the projects. Interestingly, the elapsed time was approximately nine months for the small and large teams. Clearly, the smaller team was much more efficient, but offshoring is designed around larger teams, and it requires more overhead on the domestic side to communicate, manage, design and document everything. These large teams are slow, costly, and unproductive, even at lower rates.

Time-to-Competency

This represents the length of the learning curve. Time-to-competency varies based on the complexity of what has to be learned and the aptitude of the talent. Many business systems are complex to grasp, and if you have ever tried to take over an application and modify it, as I have, you know how daunting it can be to unravel the logic puzzle, and learn the business functions. Some complex systems take years to master. A resource who has become an expert on one of these highly complex systems can navigate the code with ease. That individual is a corporate asset, not an expense. You want to hang on to them, because it is very costly to replace their institutional knowledge. Yet, companies still replace proven, highly experienced teams with junior offshore resources who possess no institutional knowledge. Errors like this just keep on giving.

550m is the number of mobile users in India

Turnover

At one time, turnover was a key indicator of organisational health. Leaders worried about it, and asked why people were leaving. They knew experience was walking out the door. But now, leaders negotiate contracts where the turnover is built in. Many IT executives have signed contracts with offshore providers where resources are replaced, by design, after 18 or 24 months. Given the long time to competency on many business systems, these contracts ensure novices are often doing the work. Add to this the high voluntary turnover rates found offshore, and you end up with dangerously inexperienced teams.

Institutional Knowledge

Beyond the time-to-competency required to learn a platform, there are many types of institutional knowledge. Institutional knowledge is only acquired on the job, so it has high productive value. It is also the source of incremental and breakthrough innovation. What are the products and services offered, and what differentiates them? What matters in this culture? How does work get done around here? How are the test and production environments set up? What are the firm’s procedures? Who are the key contacts? And so on. This is everything you need to know to be productive, and it is costly to acquire. New workers are therefore unproductive because they have to find their way around. Low levels of institutional knowledge result in a lack of productivity, innovation and a loss of competitive advantage.

High Aptitude Teams

Someone with high aptitude can master something in six months, while someone lacking the proper aptitude will take two years to achieve mediocrity–or never grasp it at all. This is the mythical man month that Frederick Brooks wrote about 45 years ago. By filtering team members over time, you can build a small, high aptitude team. Nothing in IT is more productive, especially when the team is tight knit. Studies have repeatedly shown that the highest aptitude professionals in this business are 10 times more productive than the average professional. Get one of these individuals on the team, and you really have a home run. But you can only build a high aptitude team by carefully recruiting, retaining and growing talent. You can’t do that with offshoring.

Social Capital

IT is a product of mind and emotion, and requires a deeply collaborative group of professionals to produce anything. These aren’t just coworkers, they are co-creators. Social capital is a measure of the sum total of these relationships. If the workers have strong relationships, information flows freely, and work speeds up. However, when work relationships are weak, social interaction is slow, and the exchange of information required to create shared understanding moves at a snail's pace, driving up project costs. A tightly woven group of professionals represents the social fabric of productivity. When work is offshored, the social fabric is torn apart, and it is very difficult to rebuild this across cultures, time zones and continents. Add in the high resource turnover rates, and you have a disconnected group of professionals that are laboring to get work done.

— This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.

Green Clinic Refreshes Its Technology Arsenal

Green Clinic upgraded its tech in one fell swoop, providing its staff with anytime, anywhere info access

By William Atkinson

Founded in 1948, Green Clinic Health System employs approximately 450 people, including more than 50 physicians. Based in Ruston, La., the organisation provides healthcare services from a surgical hospital, a community clinic and six satellite locations.

As a way to improve patient care, Green Clinic recently embraced leading-edge technology as a means to provide its physicians, nurses and administrators with electronic access to patient files and other medical records from any location, and on any Internet-connected device. Green Clinic made the decision to completely refresh its technology due, in part, to problems caused by its aging desktop computers. Strategically, it also wanted to reduce IT costs and complexity, while improving information security, employee productivity and patient care.

Green Clinic selected Dell to deploy a full range of end-to-end solutions and services, which include end-user computing, servers, systems management and security software, storage, virtual desktop solutions and professional services.

After purchasing new desktops and laptops for its hospital, clinic and satellite locations, Green Clinic deployed Dell KACE Deployment and Systems Management appliances, which enable the clinic to automate system provisioning, saving about $20,000 in overtime costs by provisioning 155 laptops in just one day. The clinic has also reduced machine rebuild times from hours to minutes using the KACE solution to wipe and re-image any corrupted or infected PCs. As a result, applications now run faster and with fewer problems.

“We looked at several systems management software packages with our most recent PC refresh three years ago, both to manage the new system and to rein in control over existing systems,” says Jason A. Thomas, CIO and director of IT for Green Clinic Health System. “One of the ones we kept coming back to was KACE.”

64% of organisations are looking at implementing big data projects in 2013

Green Clinic has also moved to a Virtual Desktop Infrastructure (VDI) fueled by Dell DVS Enterprise, with Dell PowerEdge R610 and R710 servers using Dell PowerVault MD3 Series storage arrays. With assistance from Dell technicians, Green Clinic was able to get its VDI up and running in three weeks. Now, the medical staff can access virtualised desktops using a combination of Dell Wyse C90 thin clients, Dell Latitude E6420 laptops, and their own tablet PCs or smartphones.

Green Clinic can also leverage its KACE systems management appliances to push out updates on both physical and virtual desktops with new software releases in as little as five minutes.

In addition, Green Clinic employees rely on KACE to manage devices both on and off the network, which meets HIPAA requirements for consistent levels of management for both remote and onsite workstations.

The Dell-enabled environment also allows clinicians and physicians to use their own personal tablets and smartphones without any restrictions. The clinic's IT team works with physicians to recommend BYOD strategies, while ensuring that any personal laptops are managed with the help of the KACE appliances, which automatically encrypt data on the hard drive and during transmission.

Dell’s end-to-end solutions have helped Green Clinic streamline data security and HIPAA compliance, which safeguard its physicians from the risk of financial penalties.

To ensure that protected health information is always secure, Green Clinic installed Dell SonicWALL firewalls, which lock down the network connecting the clinic to satellite sites, while also optimising bandwidth, which is especially important in rural areas with low bandwidth connections.

To further protect critical systems and patient data, Green Clinic deployed Dell SecureWorks’ Managed Intrusion Prevention Service, which alerts and blocks the organisation’s network from potential cyber-attacks.

“With Dell's connected security solutions encompassing Dell KACE, SecureWorks, SonicWALL and Dell Wyse, we are able to meet existing system requirements while addressing the growing need for BYOD and virtualisation,” says Thomas.

“Dell’s end-to-end solutions help us proactively support and centrally manage our crucial EMR systems across Green Clinic’s physical and virtual environments,” says Thomas, “while ensuring that our physicians, nurses and clinical staff have unrestricted, yet secure, access to all the information they need from whatever device they choose to use in order to deliver the highest levels of quality patient care.”

— This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.


The H-1B Visa Conundrum

Given the uncertainty about H-1B visas, CIOs should prepare for a range of potential scenarios

By Esteban Herrera

We’ve recently seen much debate and discussion about the proposed legislation to change existing policies governing H-1B work visas. While it remains to be seen exactly how this will play out, now is the time for CIOs to assess their resources, both internal and external, to ensure their organisation is properly aligned and primed for success.

In a nutshell, the proposed legislation would make it easier for Western IT services providers to gain access to these temporary work visas, and to restrict India providers from using the H-1B vehicle. In the short term, the changes would give Western IT service providers a significant competitive edge. (Here’s a summary analysis of the proposed legislation by Paul Roy, a partner at the law firm Mayer Brown.)

Having passed the Senate, the legislation is currently being debated in the House and a final vote isn’t likely until October or November. Given that the overall immigration package is at the mercy of Washington’s climate of political partisanship, we’re presently in a wait-and-see period. Indeed, the ultimate outcome could range from dramatic changes to existing standards, to partial implementation, to no changes at all.

Despite this uncertainty, CIOs with outsourced operations would be well served to prepare now for a range of potential scenarios and contingency plans. Whatever legislative changes are implemented would likely fall within this spectrum:

• Minor changes with minimal impact on service provider margins, resulting in no service degradation.
• More substantial changes that would negatively affect service provider margins, resulting in some service degradation.
• Major changes that have a dramatic impact on service provider margins and result in severe service degradation.

If significant changes are implemented, and they have an immediate impact on service providers and existing agreements, organisations can take several steps to understand and address their exposure, and to preemptively adjust and mitigate risk. One response would be to move as much as possible offshore, while paying more for what is left on shore. This would avoid a situation of paying a premium for an existing set of services.

Another approach, if significant changes are implemented, is that an organisation should conduct an assessment exercise with its service provider to gain transparency into the number of onsite resources that are H-1B visa holders. If, for example, the number is less than 10 percent, one would think disruption, additional costs and service degradation would be minimal, and the focus could be on succession planning for the affected individuals. If the number is 10 to 30 percent, the provider would likely see a measurable margin hit. In this case, providers could try to recover that hit elsewhere or preemptively move additional work offshore. Here, an organisation will need to understand who is moving where and how that could impact operations. Lastly, any number above 30 percent would be a cause for immediate concern and should prompt a company to work with its service provider to explore alternative delivery methods.

Having touched on the short-term implications of the proposed visa changes, I want to share a macro view of the work visa issue from both an economic and workforce management perspective.

My colleague Sid Pai recently examined the financial and operational implications of visa reform on free trade agreements, and has also described a potential scenario in which US visa reforms motivate the India firms to ramp up their investment in US operations—with the unintended consequence of making them more formidable competitors to US service providers.

Another compelling long-term issue is how the future demand for labour resources will be met. The H-1B programme dates to the 1990s, suggesting the existence of a long-standing domestic shortage of workers with specific skill sets. Yet, the provisions in the legislation mandate that this shortage will decline, as the percentage of visa holders that a company can employ must gradually shrink over time. As Paul Roy summarises in a recent article on the proposed H-1B legislation, “as of 2015, the bill would cap the combined number of H-1B and L-1 employees at 75 percent of a company’s U.S. workforce. In 2016, the cap would decrease to 65 percent, and from 2017 on, the maximum would be 50 percent.”

How would an increasingly larger share of labor demand be met by domestic resources?

One way would be for more qualified US workers to enter the market. The labor argument holds that there are plenty of qualified Americans and the H-1B programme is just a way to suppress wages. If that’s the case, capping H-1B visas would likely result in significantly higher costs and lower margins for providers.

— This article was first published in CIO Insight. For more stories please visit www.cioinsight.com.

29% was the growth of online banking malware in the second quarter of 2013


Security For Growth and Governance

Inside

In-Short: Enterprises at Risk From Dangerous Java & Flash Update Gap

In-Person: Web Security is becoming a major challenge

Opinion: Wheel Locks: Mostly Annoying

A Start-up With Legacy Problem

Big challenge with this type of organisational profile is the presence of what we commonly refer to as legacy systems

By Rafal Los

I don’t know about you, but I absolutely loved watching the show House on Fox. I loved the character of Dr. House for many reasons, but primarily because he loved to solve puzzles others either gave up on, or saw as “solved.” I feel a little like Dr. Greg House when I get to tackle a new puzzle—and a recent engagement gave me pause. I’ve never run into an organisation that had all the complexities and challenges of a start-up company, coupled with the pain of a legacy brick-and-mortar organisation, so I was naturally hooked.

Over the past year, the Widget Power Unit Company has been busy creating its own infrastructure, hiring entire new departments that never existed before (they used to be services provided by the parent company until a year ago), generating sales and manufacturing and shipping those power units all over the world. Business is good. Now they're expanding globally to new markets, and scaling up their business.

Now I’m sitting around the table with Bill the CIO, Amy the “security manager,” and a few other select people who run operations, architecture, and other critical components. Oh, one more thing is critical to think of here — the Widget Power Unit Company is almost fully outsourced, each department within IT has a manager, but behind them are small armies of contractors. Servers, desktops, networking, applications and other critical pieces, including security operations (I use this term loosely here, bear with me) are all contractors.

Adding to the complexity, there are different outsourcing organisations. It's the usual list of IT outsourcing suspects, including a small, local boutique company. Ordinarily you’d take a hard look at this type of arrangement and question how this company gets anything done — but I assure you the arrangement, while not optimal, works.

Over the course of two days I had the opportunity to do in-depth discovery with the leadership of the organisation’s Information Technology group. What struck me is hearing things like “We’ve never had to think about that before, that’s always been provided by the mothership!” from Bill the CIO. This included things like risk management and legal functions!

As we were talking about strategy and trying to determine what his org. structure would look like, services they would offer, and their insource/outsource strategy going forward; it occurred to me just how difficult a job Bill had ahead of him. This is a puzzle Dr. House would find worthy of his time, and I'm certainly thrilled to be engaged here.

Big challenge with this type of organisational profile is the presence of what we commonly refer to as legacy systems. These are systems and applications that fall into the outdated bucket. Ordinarily start-ups don’t face these issues since they're starting with a clean slate, but organisations that are spin-offs often face the worst of both worlds. They struggle with supporting outdated systems and applications which are vital to their mission, but at the same time are often strained to find the people necessary to keep these dinosaurs running.

People – Organisations that fit in this profile have a major issue. You're hiring people who can tend to the dinosaurs, while trying to hire people who can make sure you're technologically competitive and able to innovate in today's market.

Now consider that you are a start-up, and hiring is a priority, but your pool of cash isn't endless. Good luck finding an employee that has the skills to maintain your Cobol systems, while trying to help your organization be cloud-ready. If you find one of these folks, good luck affording them.

Process – Business processes that were largely supported (at scale, as a shared service) by the parent company now have to be replicated, and you need to hopefully replicate ancient processes using modern technology. This is a lot more difficult than it sounds if you haven't tried it.

Technology – You may carry some of the legacy systems and platforms with you from your old situation into the new independent business, but you'll likely not have all the resources since you didn't manage them yourself. Things like machine management tech (HMI, ICS systems) may come with the plant or factory or office. But other things like that SAP platform you depend on, or the materials ordering system, probably will need to be developed ... and your workforce knows that old system not some new replacement you put in place.

Choosing your technology is a delicate dance of death on a high-wire. You also have to get things to interoperate. You will likely have some dinosaurs talking to some new systems that are just shedding their shrink-wrap. The challenges are many. The purse is likely small. This is no time for a weak stomach, and desire to sleep, but it sounds like fun to me.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

4 Disruptive Trends That CIOs Should Harness

The time has come for enterprise technology decision-makers to drive innovation in their organisations and become leaders. The emerging technologies and business models such as cloud computing, mobility and Big Data offer a great opportunity for the CIOs.

“During the last few years most of the innovations in organisations were driven by technology. Over a period of time, the role of IT has evolved in an organisation. It is no longer seen as a support, but a business enabler,” said Sunil Manglore, MD, CA Technologies at an event organised by CA Technologies, in partnership with CIO&Leader magazine, in Hyderabad. The theme of the two-day event was “Innovation.”

“The four disruptive technologies — Big Data, mobility, DevOps, SaaS — today present a CIO with the opportunity to bring about innovation in his organisation. If a CIO fails to harness these technologies, he will end up being a follower instead of a leader,” Manglore said.

Enterprises at Risk From Java and Flash Update Gap

Nearly 50 percent of enterprise traffic uses a Java version that is more than two years out of date, according to Websense ThreatSeeker Intelligence Cloud analysis. The research stated that only 19 percent of enterprise Windows-based computers ran the latest version of Java (7u25) between August 1-29, 2013. More than 40 percent of enterprise Java requests are from browsers still using outdated Java 6. As a result, more than 80 percent of Java requests are susceptible to two popular new Java exploits: CVE-2013-2473 and CVE-2013-2463.

The report further stated that 83.86 percent of enterprise browsers have Java enabled and about 40 percent of users are not running the most up-to-date versions of Flash. In fact, nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old.

New Java exploits CVE-2013-2473 and CVE-2013-2463 are already making a big impact by targeting computers running outdated versions of Java. It's clear the cybercriminals know there is a Java update problem for many organizations.

For example, Websense ThreatSeeker Intelligence Cloud noticed an uptick in new hosts running the Neutrino exploit kit in the first and second weeks of August 2013. This could be attributed to Neutrino's addition of Java-based code execution exploits including CVE-2013-2463, which is based on AWT/2D vulnerabilities and affects all Java 6 users (tip of the hat to F-Secure). Typically associated with ransomware payloads, Neutrino is best known for its easy-to-use control panel and features that evade AV and IPS systems. Forty percent of Java 6 users are vulnerable to these new exploits.

Databriefing: 91% will be the size of free mobile apps in 2013

In-Person

“Web security is a major challenge”

Vijay Sethi, VP and CIO, Hero MotoCorp, in an interview with Atanu Kumar Das talks about different stances organisations should take to counter web security

What are the top web security challenges confronting organisations today?

Web-based applications are now becoming de facto standards for all applications. Some of the newer consumption models of IT services like cloud are also gaining lot of ground. Even some of the old legacy apps are being redone to get web interfaces. Reasons for different organisations web enabling their applications could be different – be it flexibility of usage, better user interface, better performance or simply modernisation. However, with these benefits, the web based architecture also brings along certain risks which need be kept in consideration when deploying or consuming web based applications.

Some of the key web security challenges as I see include application development or misconfiguration related issues, cloud apps related issues, network access related issues, and others like APT, forgery issues and site defacing etc.

Can you elaborate on Advanced Persistent Threats and forgery?

With increasing web presence of the organisation, APTs are also increasing. APT generally take a slow approach making them difficult to detect. Forgery are kind of risks and threats that come from online scammers where they create forged sites and trick users into providing sensitive information and get access to passwords.

What should enterprises do to mitigate these risks?

Enterprises should not get into complacency or false sense of security just because there has been no attack – be alert at all times. They should do periodic penetration testing and vulnerability analysis tests and close the vulnerabilities ASAP and do re-scan. Perhaps the most fundamental is authentication. With web based systems, the restrictions regarding physical presence at specified locations have gone away but the risk of an unauthorised authentication has grown. Possibility of compromised accounts and passwords has made it difficult for organizations to identify genuine access to applications and information. Another important thing for the organisations is to understand that application security has to be a focus area. Lot of companies just focus on network and hardware and systems security and not on application part. Good coding practices go a big way in this. Also with increasing reliance on web services for consumption and dissemination of information, organisations need to ensure that proper security is built into web services. For cloud related apps, one needs to ensure necessary measures including contractual things are done. The recent past has seen very fast penetration of cloud based services as it offers flexibility to organisations. Public clouds based on shared infrastructure changes the way we need to look at information security and risk management as the public cloud environment is much more vulnerable than a privately hosted application.

Opinion

Wheel Locks: Mostly Annoying

By Rafal Los

The author is Principal, Strategic Security Services at HP Enterprise Security

As I was trying to change a tire on my wife's SUV the other day, in the pouring rain, I realized something... those little wheel locks (the funny-shaped bit that's on one of the wheel lugs so you have to have the “key”) are the quintessential example of a security idea that just doesn’t pass real-world muster.

There I was, changing a tire, getting soaked, and now I was going to have to dig through my glove box, arm rest, trunk compartment for that special key so I could get the damn wheel off.

As I was cursing the people who put these things on the truck I tried to understand why they are put on cars anyway. Turns out, this is a security feature, right?

To keep people from stealing wheels from nice cars (or sometimes not) these were meant as a deterrent to theft, and to frustrate the would-be wheel thief. There's just a few problems with this...

Wheel locks barely add any anti-theft “security” — primarily because thieves can get these things quite easily, you don’t need any special permissions, validation that you own that particular make and model, or really anything else. If I wanted to steal the wheels off of a high-end Mercedes I'd simply call up the local dealership, ask them for one, and then go off and steal the wheels off the car.

The inconvenience to losing one of these is immense — if you've ever lost one, or can't find one, you know what I’m talking about.

As I was there on the side of the road, getting soaked and cursing up a storm I wondered where I could get one so the rest of my day wasn't spent calling dealers, and trying to get a ride to pick one of these up from a dealer that was less than 25mi away. Very frustrating.

Wheel locks are expensive! — I’m not one to complain about a $25 part, but when I have to pay the dealership $25 (or more) to replace one of these wheel locks, which is just annoying to me anyway, I’m upset and feel like I'm getting hit when I’m already down. Again, very frustrating.

The lesson learned? Sometimes something that has a reasonable perceived security value to inconvenience trade-off is completely wrong in the real world.

This is perfectly in-line with how I feel about having to change your password every 30 days, or those often insane-sounding complexity requirements for passwords (you know, 10 characters, two numbers but not in the beginning or end, and an upper-case letter, but no spaces or “special characters,” and no repeats) ... come to think of it I'm starting to feel like passwords altogether are going this direction in general.

My plea to you security professionals out there, and those that are aspiring to lead enterprises into the future of security — please, please think about what you're asking not just developers but end-users to do and then weigh that carefully against the real risk-reduction benefit.

Often times if you’re forced to do a failure-mode analysis-like activity around your desired control you may find out that there are 100 ways this new thing can be heavily inconvenient to the end-user, while there are less than a handful of cases where it will benefit and reduce risk.

Love wheel locks? Hate ’em? Have a real-life story to share? Love to hear your input, frustrations, and snarky commentary.

Hit me on Twitter (@Wh1t3Rabbit) and hashtag your tweets with #SecBiz ... let's learn from other seemingly great ideas!

There are numerous challenges confronting organisations in the web security space. CIOs and CISOs are trying to find out numerous ways to protect their organisa-tions from attacks originating from the web.

According to Vijay Sethi, VP and CIO, Hero Moto-Corp, “Web-based applications are now becoming defacto standards for all applications. Some of the newer consumption models of IT services like cloud are also gaining lot of ground. Even some of the old legacy apps are being redone to get web interfaces. Reasons for different organisations web enabling their applications could be different – be it flexibility of usage, better user interface, better performance or simply modernisation. However, with these benefits, the web-based architecture also brings along certain risks which need be kept in consideration when deploying or consuming web-based applications.”

Some of the key web security challenges as are witnessed include:

Application development or misconfiguration related issuesThese are the challenges given the way coding is done for the applications — the kind of develop-ment standards that are used. Some of the exam-ples of security issues / vulnerabilities / threats that could crop up because of this would include things like SQL injection, broken authentication and session management, cross site scripting, using default or common credentials to gain access

54 September 21 2013

to a system (say default usernames such as admin, and passwords as password123 etc)

Cloud Apps Related IssuesThese are kind of risks and threats that come from putting one’s mission and critical data on cloud

Network Access Relates IssuesWith increasing population being given access to applications from outside, configuration of security devices like firewalls, IPS, IDS etc could in itself be a source of threat

Others like APT, Forgery Issues etcWith increasing web presence of the organisa-tion, Advanced Persistent Threats (APTs) are also increasing. APT generally take a slow approach making them difficult to detect.

Forgery are kind of risks and threats that come from online scammers where they create forged sites and trick users into providing sensitive infor-mation and get access to passwords.

According to Sajan Paul, Director – Systems Engineering — India & SAARC at Juniper Networks, “Hackers today are getting more sophisticated. The impact of cyber attacks is getting larger and they are beginning to use new ways of attacking. The problem is existing security products address only part of the security challenge. New threat types leveraging web applications require additional defences because the ones typically deployed are ineffective. Signature-

Web SecuriTy: WayS To MiTigaTe riSkSDo not get into complacency or false sense of security just because there has been no attack

Sajan Paul Director — Systems Engineering — India & SaaRC, juniper networksSajan Paul is the Director for systems engineering and technology consult-ing in India covering both enterprise and service provider verticals.In his current role at Juniper , he drives strategic solution initia-tives and technology architectures which uniquely help our customers in their busi-nesses. He leads a team of architects who help customers build their next generation telecom infrastructure.

Page 63: cio & leader. com · In enterprises today, a CISO has moved from the backstage to centre stage. He has been given more responsibility and editors pick Taking Centre Stage IT security

IDENTIFYING THREATS

based solutions are also throwing too many false pos-itives to be useful which in turn results in blocking legitimate customers.” The year 2013 has been con-sidered as the year when companies will move critical systems into the cloud. This migration into virtual infrastructures changes how we address information security and risk management.

Sameer J Ratolikar, CTO, Bank Of India, feels that detection of blended threats is very important. “The top web security challenges include detection of blended threats and zero day attacks, targeted attacks are point of considerations. Secondly, data leakage issues through web from employee-owned devices are equally important for the CIO/CISO to detect.”

A CISO should always think of proper access control, good policies over data infiltration/exfiltra-tion, blended and advanced threat management, speed of threat detection, threat intelligence data-base, feels Ratolikar.

Ways of mitigating risksAccording to Sethi, some the ways as which compa-nies should do to avoid/mitigate web security risks could be:

Do not get into complacency or false sense of security just because there has been no attack.

Do periodic penetration testing and vulnerability analysis tests and close the vulnerabilities ASAP and do rescan.

With web-based systems, the restrictions regard-ing physical presence has gone away but the risk of an authentication have grown.

Lot of companies just focus on network and hard-ware and systems security and not an application part. Good coding practices go a big way in this.

For cloud related apps, one needs to ensure nec-essary measures including contractual things are done. The recent past has seen very fast penetra-tion of cloud-based services as it offers flexibility.

“However, in doing all this – a fundamental thing what we need to keep in mind is securing web apps and related data should be done without compromising the basic benefits for which organ-isations moved towards the web based environ-ment. Security measures should be taken without making them a bottleneck in the usage of those applications,” avers Sethi.

The SolutionJuniper Networks’ Junos WebApp Secure (formerly known as Mykonos Web Security) takes web appli-cation protection to the next level by providing more definitive intelligence about attackers. It uses ground-breaking Intrusion Deception Technology to defend against web-based threats on real-time basis. This solution uses deception to create detec-tion points or tar traps to identify malicious actors in real-time as they attempt to hack their desired target. Once attackers are identified, WebApp Secure prevents them from compromising critical information, wastes their time by presenting false vulnerabilities and provides valuable intelligence to thwart future attacks.

“Juniper’s Junos Spotlight Secure is a new cloud-based hacker device intelligence service that will identify individual attacker devices and track them in a global database. It will create a persistent fingerprint of attacker devices for precise identification and blocking of attackers,” says Paul.


A D V E R T O R I A L

dossier

Vijay Sethi, VP and CIO, Hero MotoCorp

As CIO, Mr Sethi is responsible for all aspects related to information systems at Hero MotoCorp — world’s largest two-wheeler company. He is also a member of the top leadership team of the organisation and a member of various business committees in the organisation. Mr Sethi is also responsible for all technology initiatives and support to the business across the organisation in achieving its goals and objectives and ensuring that investments in IT deliver significant value to the business.


“Juniper Networks’ Junos Spotlight Secure is a new cloud-based hacker device intelligence service that will identify individual attacker devices and track them in a global database. It will create a persistent fingerprint of attacker devices for precise identification and blocking of attackers” —Sajan Paul


NO HOLDS BARRED | VISHAL AWAL

In an interaction with CIO&Leader, Vishal Awal, Executive Director, Services, Xerox India and South Asia, talks about different aspects of document management and how organisations can become more productive by leveraging it

DOSSIER

Company: Xerox

Established: 1960

Headquarters: Connecticut, USA

Products: Copiers, displays, faxes, printers, projectors, scanners etc

Employees: 146,000

“Technology is a business enabler”


Apart from the global economic turmoil, what has led CIOs to cut cost?

Technology is a business enabler and you need that to be optimally deployed to enhance business processes. When there are global pressures on businesses, companies look at reducing internal costs, and IT invariably is one area where budgets are axed. Therefore CIOs look for business partners among IT players which could simplify how work gets done, and provide them with the solutions that free them from their non-core operations while reducing cost and improving efficiency, so they can focus on their real business.

How important has document management become for organisations/CIOs these days?

Document management is one of the most neglected parts in most organisations in spite of the crucial role it plays in enabling operations and its contribution to productivity and efficiency of the organisation. The reasons are evident — the ownership is split across functions, costs are not visible and impact on organisational efficiency and productivity is not measured. As per IDC, as much as three to 15 percent of an organisational spend could be incurred within document management domain.

What most enterprises do not realise is that the costs of having a fragmented, decentralised document strategy are staggering. It is more than simply paying too much to create, manage and produce documents. Without a well-managed document strategy, organisations are at a disadvantage in several key business parameters, including:

End-to-end costs that are not visible and not actively managed

Printed information and the associated data security issues

Cost of obsolescence – Equipment, technology and operational model

Brand consistency across the organisational footprint leaves a lot to be desired

Sub-optimal document related workflows and processes, leading to lost productivity

Less than desirable experience delivered to end-customers

Effective document management is about using communications and information, both digital and paper, to their full potential.

Xerox services provide a strategic approach towards document management across the enterprise. We can help organisations manage as much or as little of the process as you desire. It’s about reducing cost, increasing productivity and driving higher value business transformation. By taking control of the end-to-end processes for each document, applying Six Sigma methodologies and processes and using market-leading solutions and services, we ensure that the entire lifecycle of documents is managed using appropriate technology in adherence to appropriate standards.

We understand that all enterprises have varying documentation processes and requirements to successfully achieve their objectives. Some may require high-volume print and distribution, while others may need scanning and digitisation solutions integrated with the workflows for forms or records management. HR, R&D and Finance may require secure printing, while Marketing may need high quality, brand-driven, full-color output. And really documentation is much more than print – it is a crucial link to collate, disseminate and store information and the distribution, collation, analysis and archiving of the information within an organisation. Xerox has world-class tools, processes and proven resources to optimise even the most complex and diverse environments to manage and optimise the information and documentation workflows. Our Enterprise Print Services provide comprehensive device and print management from the desktop or mobile device all the way up to the centralised print center.

The fact that Xerox manages across all print environments through intelligent routing maximises the ability to provide the lowest cost infrastructure to meet the output requirements, thereby optimising document costs.

Why should a CIO outsource document management services? How will it help in cost control measures?

More and more CIOs in Indian enterprise landscape are outsourcing document management services. We see a fundamental structural change happening where more and more customers/CIOs are shifting from a CapEx-led captive print infrastructure to an OpEx-driven managed print services, thereby reaping the benefits of lower costs, enhanced productivity, robust security and risk management, mobile or cloud printing, user and cost centre-based accounting and security features, effective print governance via SLA assurance and single point of accountability.

Xerox Services provide the benefit of security, cost saving, accessing web, back office, expense system, validation and extraction of consolidated data for enterprises. We streamline customers’ Document-Intensive Business Process investment by offering outsourced services and service delivery platforms rather than capital intensive procurement.

This helps customers to optimise on capital infusion and select pay per services mode as a viable alternative for ROI. We deliver superior value services to all the segments of enterprises.

We offer a comprehensive one-stop-shop solution to our customers for their office print infrastructure optimisation.

This allows companies like Vodafone, Alstom Projects India Ltd, Cisco, Standard Chartered Bank etc. to get more out of their existing global print infrastructure and benefit from a consistent approach regardless of size or location.

Xerox provides end-to-end management of an enterprise print and imaging environment, spanning four stages:

Assess – A top-to-bottom assessment of an enterprise's document workflows, output and hardware costs to help organisations base-line their print and imaging consumption, footprint and costs

Optimise – design/re-engineer a customised and optimised solution for the office print network

Manage – management of all print and imaging devices with guaranteed savings and service levels

Improve – ongoing visibility, control and value continuum

We have in-house end-to-end capabilities to transform and optimise business process and document management value-chain.

Is it practically possible for a CIO to deliver more value, faster and cheaper, while ensuring troubled projects are fixed or terminated?

Yes it is possible via deploying leading-edge tools, systems, technology, interfaces and process frameworks as per the business requirements.

In this scenario, Xerox managed print services offers a comprehensive assessment of a company’s current fleet of multi-vendor copiers, printers and other hardware; and then creates a print environment that best meets the needs of the workplace.

The resulting benefits include lower print costs, faster, easier ways to manage documents, enhanced security, higher level of service to end users and environmental sustainability opportunities.

Why do you think CIOs and IT managers have opted for outsourcing and how successful has this model been so far?

CIOs and IT managers in India have opted for IT outsourcing due to varied reasons like economic pressures and development of technologies in cloud computing & virtualisation.

This has been successful due to affordable, secure and efficient services in the IT and BPO space though there have been challenges too in terms of delivery as per SLA. Hence there are reports that infer that 43 percent of CIOs have had challenges with outsourcing deals.

However, if you look at document management outsourcing services, there is a need for more and more companies to adopt this trend in order to drive profitability, productivity and effectiveness towards business growth, while maintaining a secure environment towards information management.


TECH FOR GOVERNANCE

Ethics of Monitoring Your Employees

Not monitoring the online activities of employees could lead to actions that could cause the cessation of business

By Edwin Covert

Data Briefing: 102b will be the number of mobile application downloads in 2013

Illustration by photos.com


5 POINTS

Serious cyber loafing is defined as abusive

Virtue ethics approach means making decisions based on community-based norms

Utilitarian approach means decisions are made for the greatest good for everyone

The goal is to make sure the employees are not misusing assets

Reason demands consistency and rejects contradiction

While employee monitoring is therefore legal, the GAO report did not discuss the ethical considerations involved in employer-based monitoring. In order to address this question, Reynolds (2012) suggests four possible approaches. Unfortunately, each approach is limited: each only considers the desired end-state and has no ability to consider the manner of how organizations perform the monitoring. This additional step would require a deontological analysis (Martin, 2012). Therefore, in order to determine the ethical nature of employee monitoring, one must view the question through both teleological and deontological prisms.

Defining Non-Work Activity and Monitoring

The pervasiveness of the internet at work has led to an increase in the number of employees who use it for non-work purposes: 56 percent of employees used it for such in 2000; it was 59 percent in 2003 (Blanchard & Henle, 2008, p. 1068). What activities are employees performing that have their employers concerned? Blanchard and Henle (2008) define two types of employee activity not related to work: minor and serious. Both of these are described as “cyberloafing” or using company resources to conduct personal business. Minor cyberloafing is classified as using personal email services to check email or reading the latest news at Foxnews.com or CNN.com and is usually tolerated. Serious cyber loafing is defined as abusive or potentially illicit activities. Examples include illegal music piracy or sending harassing emails.

To curb such serious activity, Workman (2009) says, “it has become common practice … to allow the electronic observation of web surfing activity, monitoring emails, and telephone call monitoring of office employees”. He cites a 2005 study by Vasterman, Yzermans and Dirkzwager showing the number of organisations monitoring their employees had risen 137 percent between 1999 and 2003 and they did it by monitoring the web sites employees visited, reading their email traffic, perusing the files on their computer, and reviewing keystroke logs (p. 219).

Businesses and other organisations have invested millions of dollars in their IT systems and infrastructures. According to one report, organisations spent nearly $7,300 per user in 2011 on IT (Computer Economics Inc, 2012). To protect their investment against potential lost productivity and illegal actions, organisations have begun monitoring the behaviour and activities of their employees.

These findings of the types of monitoring are consistent with the 2002 survey by GAO (US General Accounting Office, 2002, p. 3).

Establishing the Alternative

Is there an alternative to surveillance in the workplace? An organisation could choose not to monitor how its information technology systems are used. Blanchard and Henle (2008) however are concerned that not monitoring could lead to considerable legal liabilities. For example, an employee who spends his or her hours visiting adult-oriented or pornographic websites can create what the US Equal Employment Opportunity Commission (EEOC) calls a hostile work environment (Laws, Regulations & Guidance: Sexual Harassment) when the viewing is noticed by someone who does not want to see or is offended by such material. Or an employee might put the organisation at risk through illegal activities such as online gambling. In some cases, organisations run the risk of becoming liable under the “respondeat superior” doctrine which states employers can be held liable for the activities their employees perform (Harger, 2011).

Determining the Most Appropriate Ethical Framework

As a means of determining the ethical nature of employee monitoring, Reynolds (2012) describes four potential approaches to solving an ethical dilemma. Before applying a particular one it is useful to review them. The first is what he calls the Virtue Ethics Approach. This approach centers on making decisions based on community-based norms and how one’s decisions are perceived by the community. The second approach is known as the Utilitarian Approach. For this approach, decisions are made based on what “has the best overall consequences for all people who are directly or indirectly affected” i.e. the greatest good for everyone. The third approach concerns itself with equity: the Fairness Approach. Here, Reynolds says decisions or actions are reviewed as to how well they distribute both the “burdens” and the profits of a decision. Finally, he notes the Common Good Approach (not to be confused with the Utilitarian Approach’s greatest good). In this last approach, decisions or actions are viewed through the prism of a “common set of values and goals” that each member of the system depends on.

There are many stakeholders involved in the decision to monitor an organisation’s employees. One obvious group is the employees themselves since they are the ones having their activity monitored. Another group of stakeholders is management who has the responsibility of enforcing the monitoring rules and making decisions about what to do with the results. A third group could be shareholders, or those individuals and groups that put initial money into the organisation and have a vested capital interest in seeing it succeed. A final group might be the general public. How an organisation is perceived by customers is important in this era of social media. As Hartl (2003) notes, public opinion is everywhere in this era.

Using Reynolds’ (2012) descriptions, it is evident the utilitarian approach is the most logical framework because the action in question centers on balancing the values of all of the above stakeholders. While the utilitarian approach is suited for this particular scenario, it is still a teleological view of the situation, or as Martin (2012) calls it, an approach that says things are “best understood by considering their goals.” In this case, the goal is making sure the employees are not misusing organisational assets and putting the organisation at risk through illegal activity. It would be more equitable to all stakeholders to unify this ‘ends justify the means’ approach with Kant’s deontological approach of being logically consistent. According to Martin (2012), one of the critical elements of Kant’s approach to ethical examination was the categorical imperative: the idea that “reason demands consistency and rejects contradiction”. In order for employee monitoring to be ethical, it not only has to satisfy the utilitarian approach’s mandate to have the best outcome for the most number of people, it should also satisfy Kant’s maxim of being internally consistent, or applied equally across all scenarios. Faced with the binary question of whether to monitor or not, under the proposed blended utilitarian/logically consistent framework, conducting monitoring of employees is clearly more ethical than the alternative. Not monitoring the online activities of employees could lead to actions that could cause the cessation of the business. If that happens, no one wins.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

The Need for Network Security

If an Android device is compromised, the network admin can prevent sensitive data from being exposed

By Patrick Oliver Graf

Android has received a lot of attention over the past year, and rightfully so. The operating system is, after all, the most widely used in the world. Yet, with each version and new feature that Google rolls out, the security of mobile devices with older Android releases falls farther down the priority ladder, and unfortunately for IT executives, this means their enterprises become more susceptible to potential attacks.

Recognising this, the Department of Homeland Security (DHS) and the FBI have issued a warning to police and fire departments, as well as emergency medical service providers that mobile devices with outdated Android versions pose a serious security risk to their organisations. ThreatPost reported that the warning came via an unclassified memo distributed to the aforementioned organisations back in July, though it was only recently made public. Citing unspecified industry statistics, the memo stated that 44 percent of Android users are currently running Gingerbread, which was originally released in 2011 and is now significantly less supported.

Improvements have been implemented in more recent versions of the operating system, but Gingerbread has had quite a few security vulnerabilities, such as premium-rate SMS Trojans, rootkits and fake Google Play domains that attackers use to trick users into installing malicious applications. The obvious concern here is that employees that have not updated their personal mobile devices are exposing critical networks and sensitive information to unnecessary risk. The FBI and DHS have urged their employees to regularly update their smartphones and tablets and to only download applications from the official Google Play store. But will those precautions be enough? What happens when someone attempts to access his/her corporate network on an unsecured mobile device? The simple answer is: nothing good. As we recently discussed, putting faith in your employees is a nice gesture, and continuously educating them can be helpful, but these steps alone do not make the best security strategy. Centralised VPN management of these devices is critical for government agencies — and enterprises — that are seeking to protect themselves against data breaches. This can help IT executives keep security under control.

50% Android users do not use security software in their device

Imaging by Vikas Sharma

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


VIEWPOINT

Back To The Business Model

Common sense is often the last thing to come to the forefront in IT

Steve Duplessie

About the Author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the lent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

Summer is over. It always ends too fast and launches me back into reality with a tad bit of melancholy. I’m sure you feel for me. Having said that, the end of summer also rekindles a Renaissance of thinking sometimes. After some reflection, and a million homemade diet mojitos (yes, I’ve mastered the zero extra calorie ((except the Cuban rum part)) mojito), I’m back to harping on leveraging business models as a competitive weapon.

Two examples of this that I’m keeping a keen eye on right now happen to both be in the data protection area — Actifio and Asigra.

Both very different technologies, solving different problems to a large degree, but both seeing early success by attacking hyper-established markets with business model disrupters.

Asigra is the arms dealer to the who’s who of cloud backup MSPs. Privately held, 1000 years old, always profitable, and zero outside money (they are my heroes, truth be told — I love everything about what they do and have done) — and are arguably the inventors of the first legit cloud service (backup) — over dial-up lines (let alone, dedupe, compression and a million other things that are all in vogue now). Meaning, why do you keep paying to back up 100 percent of your data (i.e. buy all the licenses you MIGHT need in order to ever restore up front) whether you restore all of it or not? Why not pay for what you actually restore? And even better — if you DON’T restore everything all the time, your cost decreases!

It will take a while for the market to get their brains around this (common sense is often the last thing to come to the forefront in IT, in case you haven’t been paying attention for the last 40 years or so) — but thus far MSPs — from small to ABSURDLY large — are buying in, hook, line, and sinker. The company guarantees you will not pay MORE — only less, and it could be much less — so why not? Why not is the interesting question — and the only answer that will come up is “because that’s not how we do it.” The status quo. People are used to buying licenses, whether they use them or not.

Whether they recover one file or a billion. Add more servers, add more licenses. It’s what we do. Why is this so interesting to me? Because backup is a $5B annual spend — and IF the likes of Asigra can alter the flow of that dough 10 percent, that means $500M will NOT go to the incumbent dominant players, and that will cause BILLIONS in market capitalisation shifts — which in turn, will cause total mayhem.

In Short, technology is nice — but assuming that you have a “better way” to do something that can already be done some “less better” way by spending money with some incumbent vendor — your road to success will be brutal and statistically rare. I’m glad you have a better mousetrap, but history is littered with the carnage (or lack thereof in this metaphor) of better mousetraps.

But, if you have a better mousetrap — or (gasp!) sometimes a technically INFERIOR mousetrap — combined with a disruptive business model you have a far better chance of upsetting the status quo — or, better yet, the money flowing from the customer to the incumbent.

Illustration by photos.com
