D - Symantec
CIO Digest
JANUARY 2009
STRATEGIES AND ANALYSIS FROM SYMANTEC

Tom Lamming, Sr. VP, Transformation, Telstra
Plus
IT GRC: Turning Risks into Returns
The Double-Edged Sword of IP Convergence

Confidence in a connected world.

SYMANTEC IS compliance. Automated enforcement of compliance policies that secure and manage both your information and your infrastructure. Symantec.COM/everywhere

©2008 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

CONTENTS

FEATURES

[10] [ COVER STORY ] Getting to One Click
Tom Lamming is leading Telstra on an IT transformation the size of the Australian Outback that is focused on delivering an unrivaled customer experience.
By Patrick E. Spencer

[14] [ INDUSTRY FEATURE ] The Double-Edged Sword of IP Convergence
As IP-based networks gain ground, telcos are turning security threats and availability challenges into new opportunities.
By Ken Downie

[18] [ SOLUTIONS FEATURE ] Turning Risks into Returns
Firms with strong IT GRC results enjoy much better performance when it comes to satisfying customers and growing revenues and profits. The principles of good IT GRC are in fact the principles of good IT management.
By Alan Drummer

DEPARTMENTS

[3] [ Chairman’s Note ] Software-as-a-Service: Moving Beyond the Buzz
By John W. Thompson

[4] [ Upload ]
Symantec Security Technology & Response
To Catch a Thief
Behavioral protection monitors potentially malicious software and network streams
By Stephen Trilling

Executive Q&A
The High Returns of Risk Management
Innovations and best practices substantially reduce information risks
By Alan Drummer

[22] [ EMEA ] A Rapid IT Ascent
IT standardization turbocharges business value and propels agility and flexibility at Piaggio Aero—the “Ferrari of the Air”
By Patrick E. Spencer

[26] [ APJ ] The Making of an Iconic IT Production
A fascinating IT journey uncovers unique business value in asset management, workflows, and the helpdesk at healthAlliance NZ
By Mark L.S. Mullins

[30] [ Latin America ] Continual Transformation
Developing infrastructure solutions without a software and hardware agenda at Brazilian IT solutions provider TIVIT
By Patrick E. Spencer

[32] [ North America ] Beneficial Change
A massive IT consolidation effort aligns IT services and the business of government to deliver change the State of Michigan can believe in
By Mark L.S. Mullins

Cover photo by Justin Malinowski

SYMANTEC RESOURCES

Visit us online at www.symantec.com/business and take advantage of a world of resources to help you have confidence in your connected world.

About Us: Corporate profiles, management team, investor relations, careers. It all starts right here. www.symantec.com/about

Podcasts: For people on the go, podcasts deliver news, product information, and strategies you can use. www.symantec.com/podcast

Partners: Find the perfect partner to help you manage your IT needs. www.symantec.com/partners

INFORM: Benchmarking straight from the source—your peers. www.symantec.com/inform

Enterprise Solutions: Software, services, and solutions to manage your most valuable assets: your information. www.symantec.com/solutions

Yellow Books: Symantec Yellow Books help you save time by providing best practices for your specific environment. www.symantec.com/yellowbooks

Enterprise Online Store: Do you know what you need already? Shop quickly and conveniently online. www.symantec.com/solutions

Book Smart: Symantec Press offers a variety of executive, enterprise, and consumer titles. www.symantec.com/symantecpress

Internet Security Threat Report: Up-to-the-minute information on the latest vulnerabilities and threat vectors. www.symantec.com/threatreport

Technical Resources: A technical community to help your IT team keep your systems up and running, no matter what. www.symantec.com/stn

Customer Success: See how others in your industry succeed with Symantec. www.symantec.com/customersuccess

Events: Our events calendar. www.symantec.com/events

Consulting Services: Expert consulting services from the leader in information protection and availability. www.symantec.com/globalservices

Education Services: Maximize your IT investment with a skilled, educated workforce. www.symantec.com/education

Managed Security Services: Complete, cost-effective security managed response services. go.symantec.com/managedservices

Early Warning Services: Prevent attacks before they occur with customized, comprehensive alerts of worldwide cyber attacks. go.symantec.com/earlywarningservices

Webcasts: From endpoint security to information management, storage to security, and everything in between. www.symantec.com/webcasts

CIO Digest Online Extras

Online Services—Get the Benefits Without the Maintenance
By getting services online rather than building out the software and hardware infrastructure to provide them, businesses are increasingly shifting the burden of deploying and maintaining enterprise applications to vendors. Benefits of a software-as-a-service model include faster time to value, a quicker ability to scale, less risk and up front investment, and lower annual operating costs in equipment and support staff. Since the online service vendor’s business depends on service quality and securing customer data, these services are protected by considerable investments in state-of-the-art security and delivery technologies. The overall result is that more than 94 percent of organizations using an online service are satisfied and plan to renew. Read more at go.symantec.com/SaaSCIODigest.

IT Priorities in the 2009 Economy
Few in September 2008 would have predicted economic conditions as tough as the ones we’re facing now. How is the downturn changing the way businesses think and behave and serve their customers? How has this impacted IT priorities for 2009? Are companies retooling existing projects or redefining challenges? Read more at go.symantec.com/2009priorities.

CIO Digest Editor-in-Chief Blog
Gain insights, highlights of new online-only content, and interact with the CIO Digest editorial team. Check out the Editor-in-Chief blog at go.symantec.com/CIODigestBlog.

CHAIRMAN’S NOTE

Software-as-a-Service: Moving Beyond the Buzz

Over the past few months I’ve noticed a constant theme running through my conversations with many customers—they want choice. While this certainly isn’t new, it has become a more prominent issue as they think through their IT investment plans for the coming years. For many customers—big and small—this may mean considering a combination of on-premise and off-premise—or Software-as-a-Service (SaaS) solutions.

As businesses continue to grow and address the new challenges presented by the economy, SaaS may give them added flexibility in how they manage their technology investments by providing access to world-class technology, infrastructure, and people.
SaaS can also give organizations the ability to predictably control a large part of their IT costs and reduce risks when deploying important new infrastructure capabilities. Many of the early adopters, including Symantec, have discovered the benefits associated with out-tasking some of their most critical information management challenges to allow their internal teams the ability to re-focus on driving innovation.

The potential benefits of SaaS are obvious. However, you must carefully evaluate the partner you select to ensure there is strong alignment between your goals and their delivery model. Make sure that you have service level agreements in place that allow you to entrust data to an online service, ensuring that the service and support will be available when you need it. You should also expect a SaaS vendor to be a leader in IT infrastructure offerings and have a disaster recovery plan in place that ensures the security, reliability, and availability of their applications and data. Lastly, look for a solution that is easy-to-use and doesn’t require additional IT staff or infrastructure investment.

This issue features an exclusive interview with Tom Lamming, senior vice president, transformation, at Australian media-communications giant Telstra, as well as features on IT GRC (governance, risk management, and compliance) and IP convergence in the communications segment. I also encourage you to check out the new Online Extras area for CIO Digest, which includes an article on SaaS.

The coming year may prove to be one of the most exciting in the IT industry as we look to take full advantage of the many new services to be delivered. And we look forward to working with you as you explore this new horizon.

Regards,
John W. Thompson
Chairman of the Board and CEO, Symantec Corporation

Managing Editor, Case Studies Publisher and Editor in Chief Managing Editor, Content Managing Editor, Upload Design Director Contributing Writers Circulation Manager Web Producer Podcast Producer Patrick E. Spencer, PhD Mark L.S. Mullins Donna Tarlton Dee V. Sharma Joy Jacob Ken Downie, Alan Drummer, Mark L.S. Mullins, Dee V. Sharma, Patrick E. Spencer Bharti Aggarwal Rebecca Donaldson Wendell Davis Symantec Marketing Senior Vice President Vice President Carine Clark James Rose

Subscription Information
Online subscriptions are free to individuals who complete a subscription form at www.symantec.com/ciodigest/subscribe. For change of email address, please send an email to [email protected].

Magazine Subscription Customer Service
Please email us at [email protected].

Privacy Policy
Symantec allows sharing of our mail list in accordance with our corporate privacy policies and applicable laws. Please visit www.symantec.com/about/profile/policies/privacy.jsp or write us at [email protected].

[UPLOAD] SECURITY TECHNOLOGY AND RESPONSE

To Catch a Thief

Behavioral protection can provide an added layer of defense against malicious software and guard systems from threats for which no virus signatures yet exist.

By Stephen Trilling, Vice President of Security Technology and Response (STAR)

Writing virus signatures—the classic mechanism for detecting and stopping threats—is analogous to using fingerprint matching to catch criminals. If you’re looking for a known criminal who has a fingerprint on file, it’s a perfect system. If you don’t have their fingerprint yet, this traditional “blacklisting” mechanism isn’t effective.

Heuristic technology—examining the attributes of files on disk to check for suspicious characteristics—takes threat detection a step further. To continue our analogy, if you see a person walking down the street in the middle of summer wearing an ankle length coat with something obviously concealed underneath, you identify their appearance as “suspicious.” Although you might not have their fingerprint, the individual may still represent a security threat and therefore warrant further investigation.

Beyond blacklisting and heuristics, the last line of defense is behavioral protection technology. This involves monitoring actively running software and network streams for behavioral patterns that could be malicious. Using this approach, it is possible to identify entirely new threats or classes of threats by examining their behavior. Once you determine that a threat is exhibiting suspicious behaviors, you can block it and, in many cases, clean up any damage it has already caused.

Back to our criminal analogy, if someone breaks into a store and walks out with something, the police can arrest the person based on behavior alone. Of course, if the individual was a known criminal, fingerprinting may have stopped him from entering the store in the first place. Nevertheless, any further damage is averted.

Symantec’s behavioral protection technologies can catch entirely new and unknown malware that has bypassed classic, fingerprint-based antivirus protection and heuristic protection. There are three components to this behavioral technology, all of which work together.

The first two components are primarily intended to prevent malicious software from getting onto your computer in the first place. The first of these, Network Intrusion Prevention, scans both incoming and outgoing network streams to identify suspicious traffic. If suspicious incoming traffic is observed, it can be blocked before it reaches the computer and does damage. If suspicious outgoing traffic is observed as originating from a program on the computer, the program can be blocked from doing further damage on the computer.

The second component, Symantec Browser Defender, integrates directly into popular Web browsers—between Web pages and the browser’s logic—and applies “virtual patches” to all known vulnerabilities in the browser. This can stop malicious attacks that may occur inside the browser when visiting a malicious Web site; for example, it can prevent malicious JavaScript from running in the browser and doing damage to your machine.

Continued on page 8 >

SYMANTEC CHRONICLES

[ Blast Off with Norton ] Norton 2009 is smart security—engineered for speed and weightlessness. The latest version has minimal impact on PC resources while delivering maximum protection against looming threats in cyberspace. To underscore this message, Symantec presented the Blast Off with Norton campaign. This past September, the company invited journalists from around the world to Las Vegas and treated them to parabolic zero-gravity flight over the Nevada desert. Completing many of the same exercises NASA uses to train astronauts, they experienced true weightlessness. Word of this once-in-a-lifetime experience spread quickly through blog postings and videos, generating a terrific online buzz about Norton and the campaign. Excitement is now building about the Blast Off with Norton contest, in which up to 35 participants can win a seat on a chartered zero-gravity flight in February 2009. Register now for a chance to win at www.norton.com/space.
[ Symantec PartnerEngage 2008: A Capital Event ] Beginning with a reception at Washington D.C.’s Newseum and ending with an evening at the Smithsonian Air and Space Museum, this year’s Symantec PartnerEngage conference was held October 15–17, 2008. To kick off the event, Symantec treated attendees to a media tour of its D.C.-based Security Operations Center, where they enjoyed a rare behind-the-scenes glimpse of Symantec security researchers scanning for all forms of Trojans, botnets, executables, and other malicious attacks. To find out more about this event and other partner resources, visit www.symantec.com/partners.

[ FORTUNE’s Most Admired ] Innovation, leadership, financial strength—all traits shared by the winners of FORTUNE Magazine’s annual list of “America’s Most Admired Companies.” FORTUNE and its survey partner, Hay Group, queried more than 3,700 people from dozens of industries to select the companies they admire most. Symantec ranked fourth in the “Computer Software” category on this year’s list. The definitive report card on corporate reputation, the survey considered eight categories to identify the winners. For more about this event and other partner resources, visit go.symantec.com/FortuneIndustryChamps.

[ Leading the Market in Messaging Security ] With the acquisition of MessageLabs now complete, Symantec strengthens its commitment to the Software-as-a-Service (SaaS) model. According to IDC, this acquisition extends Symantec’s lead in the messaging security market to twice the market share of its closest competitor. Protecting more than three billion email connections, MessageLabs brings a well established suite of online services for messaging and Web security. These online and hosted services, software, and appliances complement the offerings available through the Symantec Protection Network. To learn more about the MessageLabs acquisition, visit go.symantec.com/messagelabs.

[ Information Management: Deconstructed ] As storage costs rise and security risks intensify, IT managers are faced with many challenges. A root cause? Managing massive amounts of unstructured data. Email, instant messages, and other unstructured information combine to form a major driver in the need to manage information risk. Symantec’s Information Risk Management (IRM) strategy encompasses products to help organizations secure and manage all types of unstructured information. Enabling businesses to protect their data (wherever it resides), reduce storage costs, and automate workflows, IRM is a comprehensive offering to ease the burden on any IT staff. The suite includes antispam and antivirus protection; content filtering and content control; an archive platform for unstructured content; and a solution to discover, monitor, and protect confidential data. At the heart of Symantec’s IRM solution are three market-leading products for messaging security, archiving, and data loss prevention—Symantec Brightmail Gateway 8.0, Symantec Enterprise Vault 8.0, and Symantec Data Loss Prevention 9.0. This comprehensive IRM suite enables organizations to secure and manage unstructured data, while reducing cost and mitigating risk. For more information visit go.symantec.com/informationmanagement.

[ Prosperity—underground ] While the real economy suffers, the online underground economy prospers. The latest Symantec Report on the Underground Economy tells the tale of an online underground economy that has matured into an efficient, global marketplace in which stolen goods and fraud-related services are regularly bought and sold, and where the estimated value of goods offered by individual traders is measured in millions of dollars. The report is derived from data gathered by Symantec’s Security Technology and Response (STAR) organization and from underground economy servers between July 1, 2007 and June 30, 2008. Stolen credit card information is the most advertised category of goods and services in this underworld, selling for as little as $0.10 to $25 per card. Stolen bank account information, on the other hand, can sell for as much as $1,000, and the average advertised stolen bank account balance is nearly $40,000. For more information visit go.symantec.com/underground-eco.

Joyce Hesselberth

[UPLOAD] Symantec Executive Q&A

The High Returns of Risk Management

What innovations and best practices substantially reduce information risks?

By Alan Drummer

A few key initiatives—and sometimes not the most obvious ones—can make the biggest difference in minimizing your company’s information risks. That’s the conclusion of this conversation with Francis deSouza, Symantec’s Senior Vice President, Information Risk Management Group. deSouza also details key benefits of the three products at the core of Symantec’s Information Risk Management (IRM) strategy: Brightmail Gateway 8.0, Data Loss Prevention 9.0, and Enterprise Vault 8.0.

Q. Francis, if c-level decision makers have only 30 seconds with you, what key points should they take away?

A. Francis: While it’s important for CIOs to protect their company’s infrastructure, it is increasingly more important for them to protect their company’s information. Information is often their most valuable asset—and in many cases the most vulnerable asset. The key is to understand what important information exists in the company.

Q. What would you say are the building blocks of a cohesive strategy for protecting unstructured information?

A. Francis: There are four building blocks. First, keep the bad stuff out—such as phishing attacks or spam. Second, keep the good information in. Understand what the important information assets are within a company, where they are, and ensure they can only leave the company appropriately, with adequate protection. This is called data loss prevention. The third priority around information risk management is archiving. Companies need to retain information only for a required period—not a day longer. They need to understand retention requirements for different types of information such as email and files—and then apply those policies consistently. The fourth priority is around e-discovery. Companies need to be able to retrieve requested information in a timely way—either for data mining, or to respond to an e-discovery request quickly.

Q. To support those priorities, what new capabilities is Symantec offering in messaging security?

A. Francis: We invest heavily in making sure that we offer the best and most comprehensive threat protection out there. That means we spend a lot of time not only delivering our award winning antivirus capability but also an antispam capability that delivers the industry’s highest effectiveness with the lowest false positive rates. We also have focused on delivering the most scalable offering in the market today. Our threat management products are in use by some of the world’s largest ISPs to manage over 300 million mailboxes—and they’re also in use all the way down to small businesses and home offices. The third area we’ve invested in is manageability. We make sure that our products are simple to install and configure, and customers can get up and running as fast as possible. The other area we’ve invested in is being the only company in the world that looks at incoming messages to capture threats and outgoing messages to stop the leak of sensitive information.

Q. Data loss prevention—what is Symantec developing in this area?

A. Francis: We acquired Vontu—the pioneer in data loss prevention. That means Symantec now serves over half of the data loss prevention marketplace. And our innovations are focused on ensuring you can protect sensitive information across your enterprise. That includes understanding where confidential information is both at rest and in motion—whether it’s entering or leaving your company through email, Web messaging, USB drives, the printer, or on mobile endpoints.

Q. On another topic—email storage costs and e-discovery costs are hard to control and are pain points in many organizations. What relief does Symantec offer?

A. Francis: We see customer email storage typically growing at 30 to 70 percent a year. So we’ve done a lot of work on Symantec Enterprise Vault to deliver the industry’s most efficient message archive. We’ve invested in technologies such as single instancing, so only a single instance of multiple copies of a PowerPoint attachment is stored. In e-discovery, we’re addressing a different challenge. It may cost a dollar just to store a gigabyte of information, but it can cost up to $30,000 to have lawyers review that gigabyte. For this business requirement, we have Enterprise Vault Discovery Accelerator. With it, customers can fulfill a legal request in a matter of minutes or hours that might have previously taken weeks.

Q. That’s powerful. Companies might be discouraged by the number of projects they should be launching in IRM. What’s the easiest ROI?

A. Francis: One of the quickest paybacks can come from our Brightmail Gateway solution. By blocking spam, it reduces the volume of incoming messages, saving bandwidth, storage, and messaging processing costs—and shielding employees from productivity loss. Another quick payback opportunity is email archiving. Customers reclaim large amounts of primary disk space—which often costs up to $45 per gigabyte—by implementing Enterprise Vault. At Symantec.com we have a number of ROI tools that quickly calculate the potential payback. When it comes to data loss prevention, the payback is in cost avoidance. Customers build a business case for a data loss prevention solution around the costs of notifying customers of a data breach, along with the severe damage to a company’s reputation. When it comes to e-discovery, customers often hit seven-figure litigation costs at a minimum. That’s strong justification for getting Enterprise Vault and Enterprise Vault Discovery Accelerator.

Q. What would you say are the most typical “barn doors” that companies forget to lock before the horses escape?

A. Francis: Great question. I think that there are a few. Customers don’t always have the best handle on what their sensitive information is, and where it lives within their company. And it’s too late to start looking when somebody loses a laptop or there’s a data breach. A second area of high risk is not having an e-discovery infrastructure in place. When a company is hit by litigation, it’s then hit with a double whammy. One is that it’s hard to retrieve requested information fast—and often that results in unfavorable reactions from the legal system. Second, because the retrieval infrastructure is not in place, the cost of getting the information is very high.

Q. Good tips. It’s said that information risk management requires more than solutions—it takes an awareness and discipline in all employees. What best practices have you seen for spreading that awareness and discipline?

A. Francis: One valuable practice is to proactively communicate within a company about the importance of information assets—and teach every employee how to protect those assets. Which information is sensitive? What practices are inappropriate? Employees should know if it’s inappropriate to send information to their Hotmail or Gmail accounts to work on at home. Policies need to be clearly laid out. Second, employees need to clearly understand retention guidelines. What should be kept? For how long? When should it be deleted? A third best practice is to communicate that messages should be retained in a central archive—and not on desktops or in file shares. This ensures that when a message is deleted, it’s deleted everywhere.

Alan Drummer is Creative Director for Content at NAVAJO Company.

Podcast: Check out the Executive Q&A Podcast with Francis deSouza at go.symantec.com/QAdeSouza

SYMANTEC IS storage software. Veritas storage software reduces cost, increases efficiency, and helps ensure your data center operates at peak performance. Symantec.COM/everywhere

[UPLOAD]

Tech Trends…

The following excerpt from ILTA’s 2008 Technology Survey is reprinted here with permission. For more information about ILTA or to order the complete survey, visit www.iltanet.org.

In its 2008 Technology Survey, the International Legal Technology Association (ILTA) reports that a significant number of legal firms, 23 percent, have a “green” initiative or program, while another 21 percent indicate they are working on such a program. In line with this, 80 percent of the firms that were already using virtual server technology reported they increased their investments in virtualization solutions since last year.

While managing email is still the most significant challenge, an interesting new trend in this area is the practice of restricting the “Reply to All” button. Of course, it makes sense that a “Reply to All” with several thousand users will generate many more problems than at a smaller organization. The results bear this out—a third of very large firms find this restriction necessary.

The survey covered 537 respondents representing firms with attorney counts ranging from 5 to 3,400. More than 108,000 attorneys and 245,000 total end users are represented by the data. Responses came from Canada, Australia, the United Kingdom, and the United States.

[Figure: Trends in the use of virtualization technologies, 2008 and 2007, in percent. Categories: No virtualization in our environment at this time; Non-critical server; Some mission-critical servers; Data center is largely or completely virtualized; Test environment/lab only; Infrastructure servers; Other.]

Legally Covered

In its latest benchmark research report entitled “Improving Results for Legal Custody of Information,” the IT Policy Compliance Group finds that firms with the most mature practices for legal custody of information spend between 75 to 94 percent less on the task than those with the least mature practices. Only about 1 in 10—12 percent—of firms have the technology needed to notify employees about a legal hold in less than an hour and respond to legal requests for information within one day. These firms have greater confidence in the accessibility, integrity, and accuracy of the records—key considerations for lawyers.

Source: IT Policy Compliance Group, 2008. View the complete report at www.itpolicycompliance.com.

Symantec Security Technology and Response
Continued from page 4

The third component, called SONAR, is intended to stop malicious programs that are already on your computer. SONAR uses process-based behavior blocking to monitor all running programs, note any suspicious characteristics, and remove applications that exceed a predefined risk threshold. Details about key executables are anonymously communicated back to Symantec for further analysis—for customers who agree to participate—and used for continuous improvement in accuracy and scoring weights.

With a very low impact on system performance, the latest versions of Symantec’s behavioral protection technologies are integrated into the newest versions of our consumer products and will be included in a future release of Symantec Endpoint Protection. To date, behavioral technologies have already blocked more than 5.2 million Web-based attacks for Symantec customers and have stopped thousands of new programs from performing malicious activities on Symantec customers’ computers.

SYMANTEC IS disaster recovery. The industry leader in backup, clustering, and replication software that runs across every platform in your data center. Symantec.COM/everywhere

COVER STORY

Getting to One Click

An IT Transformation the Size of the Australian Outback

By Patrick E. Spencer

The Australian Overland Telegraph Line traversed the Australian Outback, connecting Darwin with Port Augusta and Australia with the rest of the world.

Mart Moppel

In 1872, the completion of the Australian Overland Telegraph Line was a monumental achievement. Traversing more than 3,200 kilometers across the Australian Outback, it connected not only Darwin in the Northern Territory with Port Augusta in South Australia but with the rest of the world. With its completion, Australia had the ability to communicate in real time with the rest of the world.

When Tom Lamming joined Telstra, he assumed charge for an IT transformation initiative as far-reaching as the building of the Australian Overland Telegraph Line. The initiatives he is now spearheading as senior vice president, transformation, are game-changing moves that will help catapult Telstra to the forefront of its market space. While the benefits are far ranging, from lower costs, to improved operational efficiencies, to increased revenues, to greater profit margins, the focus is on delivering an enhanced customer experience.
Business strategy guides technology

The IT transformation trek began on November 15, 2005, when Telstra CEO Sol Trujillo unveiled a five-year strategy to transform Telstra into a fully integrated, converged media-communications company. The transformation touches on everything from networks, products, IT systems, customer relationships, and workplace culture, all based on a vision of a new customer experience. The latter includes the ability to offer customers a simple, integrated, intuitive one-click, one-command, any-screen, real-time interaction.

Trujillo and his new management team spent the first 120 days conducting a baseline of the company. Lamming describes the process: “We took a fairly thorough review of all aspects of the company—how we tracked against world-class benchmarks in terms of process performance, where we were on the IT front, where we were on the network front.” An integral lynchpin to their analysis was IT, which was lacking in key areas. Among other issues, Lamming found more than 1,500 different IT systems in place and over a dozen different customer databases residing on myriad systems.

Lamming, who held various client leadership and practice management roles at Accenture—including the Global Managing Partner for the Communications Industry—took a very strategic rather than a tactical approach in addressing the above challenges. “Telstra is not in the business of building IT systems,” Lamming says. “That’s not our job. We are here to empower the business—to help the business deliver a superior customer experience.”

In addition, when translating business requirements into technology solutions, Lamming emphasizes the importance of ensuring that IT uses language indicative of the business—not technology. “It is not the business’ job to learn our jargon,” Lamming quips. “It is our job to be able to communicate with the business and articulate how we can help them perform.”

Changing tires on a speeding “18 wheeler”

The complexity of the IT transformation was amplified by the fact that existing business operations had to continue without any interruption. The analogy of changing a tire on an 18-wheel tractor trailer speeding down the National Highway is apropos. “We had to support the business simultaneously while evolving the IT environment,” Lamming explains. “This undertaking is one of the largest programs of its kind in the world. It goes well beyond an IT fix; rather, it is a comprehensive business and IT transformation. To get here, the IT team has gone from what I would call an ‘administered business’ to one that’s highly integrated and outcomes based.”

Working with COO Greg Winn, to whom he reports, Lamming determined they wanted to get a core set of technology providers in place at the forefront of the IT transformation initiative. Having worked together on similar initiatives before, they developed a short list and got all of the critical providers in place shortly after kicking off the program.

“Instead of a 6 to 12 month protracted RFP process, we created a short list of world-class technology providers for consideration,” Lamming remembers. “We sought global players with proven solutions and a strong reputation for delivery and performance. We didn’t want something that was ‘good’ yesterday. We wanted technology solutions and providers that would lead us into the future and that would help us in executing on our very ambitious agenda.” In addition, Lamming stresses the team looked for providers with a proven roadmap and that wanted to invite Telstra to join them for the “journey” ahead, even helping with the navigation.

Telstra ultimately settled on a dozen or so core technology providers that included Symantec. “We weren’t going to shift from our model of heavily outsourcing certain aspects of the technology environment,” Lamming says. “We couldn’t do it ourselves; we didn’t have the capability and weren’t going to spend months interviewing and hiring a team to do so.”

However, leadership of the IT initiative remains in the full purview of the Telstra team. “For the Telstra team,” Lamming explains, “it was important for us to understand that leadership is not something outsourced. We needed to get the Telstra leadership in place, and then integrate the different technology providers into this team.”

A view beyond the engine room

As Lamming and his team have mapped their technology initiatives to the agenda of the business, service level agreements (SLAs) have taken on greater relevance. The performance of IT is geared and measured based on the performance of the business. Lamming describes this process with an analogy: “IT is in the engine room of the ship, and the business is at the helm. There has to be good communication between both, but it is the business that sets the direction.” Then, when Telstra measures the results, they are done from the compass of the business. Lamming describes this using the analogy of the “hand in glove” approach, noting that Telstra has “worked very hard not to bifurcate what’s IT versus what’s the business. It’s a shared outcome, not just an IT outcome. We must yield actual outcomes for the investment we are making.”

While Telstra is still in the process of standardizing its IT systems, it is already realizing tangible value. “The key benefit for us from a technology point of view is that we’ll have one IT environment that we will maintain around a core set of technology providers,” Lamming says. “We have stayed committed to our one factory principles: ‘do it once; do it right for the customer; do it in an integrated way; do it at a low unit cost’.”

The customer is at the center of Telstra’s IT transformation. “What we are doing is transforming the customer experience from dealing with multiple, product-centric systems to a single, end-to-end customer-centric solution,” Lamming explains. “Prior to the rollout of the new system, a customer purchasing multi-product holdings would need to place up to four different calls: one for PSTN, one for Wireless, one for Broadband, one for ip-TV. The different systems weren’t integrated. Customers can now place just one call, and we’re able to address everything at one time.”

This integrated approach creates enhanced operating efficiencies, more cross-sell opportunities, better margins—or even revenue—and lower costs. “We’re a ‘light standard’ here,” Lamming quips. “Our competitors cannot compete with us on networks, products, and services. Our ability to execute on the IT transformation will give us an unmatched capability.”

Lamming concludes with the following analogy: “It’s like the space shuttle, all fueled up and on the launch pad. When we are operationally bedded down and our customers are migrated—which is already largely the case for consumer and small business customers—we will be ready for takeoff. And while the preparation for launch is immense, the results are beyond the world as we have known it.”

Rationalizing down to Symantec

Telstra is rationalizing down to a common set of software. For example, “rather than having five separate CRM systems, we’ll be down to one,” explains Lamming. This consolidation creates new challenges and criticalities. “Our challenges are greater from an IT point of view. By consolidating everything into one place, our points of failure become more important and service levels become much greater.”

As Telstra built out its next-generation data center environment, it tapped several key technology providers—and Symantec was one of those selected. While Telstra had a history of leveraging different storage management and availability solutions from Symantec, this historical experience was not the reason for Symantec’s selection. “[Symantec] was chosen because of the skill set of its consultants and world-class technology,” Lamming says.

Considerations such as Symantec’s reputation, ability to deliver both global and local resources, and the capability to provide on-site technological expertise formed the core of Telstra’s evaluation criteria. “There is an understanding that we have much to do, and we need to work together,” Lamming notes. “Symantec, working with the other technology vendors in the data center, was a workable solution. We knew the teams, understood their roles, and that we would not have any hand-off issues.”

The initial project involving Symantec focused on backup and restore. The previous solution had a number of shortcomings, and Symantec worked with the Telstra team and its different technology partners to consolidate data protection operations across its data center environment on Veritas NetBackup. Symantec Consulting Services provided as many as 10 consultants on site throughout various stages of project implementation. The solution backs up more than 140 terabytes of data each day, including 600 percent spikes in daily backup volumes, while improving backup success rates by 10 percent.

The Symantec team subsequently worked with Telstra and its strategic providers to design and implement a high availability and disaster recovery solution leveraging Veritas Storage Foundation HA, Veritas Storage Foundation for Oracle RAC, and Veritas Cluster Server. The solution breaks into two basic pieces. First, Symantec Consulting Services worked with Accenture and Sun, Telstra’s preferred server platform vendor, to deploy a clustered environment that taps the N+1 technology of Veritas Cluster Server for clusters up to 15 nodes across Telstra’s business-critical Sun Solaris-based servers. The high availability cluster also uses Veritas Storage Foundation Cluster File System that allows Telstra to share data between multiple hosts. The ability to cluster multiple hosts to one or two hot spares translates into savings of millions of dollars in hardware, software, and maintenance for Telstra.

Second, using Veritas Storage Foundation, Telstra was able to gain better flexibility of its tiered EMC storage environment, moving some data archiving to tier-three storage versus tier-one storage. This enabled Telstra to avoid additional tier-one disk storage purchases, equating to significant cost avoidance.

Archiving email for storage and compliance

Recently, seeking to control burgeoning volumes of email data and comply with legal discovery requirements, the Telstra team elected to implement Symantec Enterprise Vault. Symantec Consulting Services is currently helping with the implementation, which includes Enterprise Vault Microsoft Exchange Journaling and Discovery Accelerator. Once fully deployed, the solution will provide email archiving and e-discovery for more than 45,000 mailboxes and more than 20 terabytes of email data.

Savoring the results of the journey

Ranking as one of the great engineering feats of 19th century Australia, the Australian Overland Telegraph Line involved thousands of different individuals in planning and actual construction—and took many years to plan and another two years to build. Yet despite the enormous expenditure of time and resources, the end result was well worth the journey.

The same can be said of the IT transformation journey Lamming embarked upon. While five years is a virtual eternity in technology years, the expedition for Lamming and the rest of the Telstra team and its technology partners is proving to be quite fruitful. And unlike the Australian Overland Telegraph Line, they haven’t had to wait until the completion of the journey to savor some of the results.

Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.

Podcast: Check out the Executive Spotlight Podcast with Tom Lamming at go.symantec.com/lamming

Telstra One Click
Founded: 1901
Workforce: 47,000 (includes agency and contractors)
Revenues (FY2008): A$24.7 billion ($15.2 billion USD)
Fixed-line Services: More than 10.6 million (includes 9.3 million PSTN and 1.3 million ISDN)
Mobile Services: 9.3 million, with more than half on 3G

One Clicking Symantec at Telstra
> Veritas NetBackup
> Veritas Storage Foundation HA
> Veritas Storage Foundation Cluster File System
> Veritas Storage Foundation for Oracle RAC
> Veritas Cluster Server
> Veritas Backup Reporter
> Symantec Enterprise Vault
> Symantec Consulting Services
> Symantec Business Critical Services
Clicking on the IT Transformation Results (November 2008)
> Delivered more than 20,000 requirements for core platforms
> Completed 95,000 test cases across 175 applications and 625 interfaces for core platforms
> Deployed 4,700 square meters of next-generation data center
> Trained 17,800 users across the business as well as industry partners, shops, and dealers
> 600 new workflows and instructions; 1,900+ training courses
> Operating more than 6.7 million customers and more than 12 million services on the new systems

INDUSTRY FEATURE

The Double-Edged Sword of IP Convergence
As IP-based networks gain ground, new opportunities and challenges are emerging for telcos
By Ken Downie

Remember the “picture phone” that Judy Jetson—the teenage daughter on the now-vintage Hanna-Barbera cartoon, The Jetsons—used to tie up for hours? In less than 10 years, it’s likely that most households will have one.

That’s how fast change is occurring in the telecommunications industry. After food, water, and shelter, communication is arguably the fourth most important universal need. Hence, it’s no surprise that consumer demand for new services is high—and no stretch to say that trend will continue, no matter what economic blips occur. A confluence of this increasing global demand and a technological shift toward open, off-the-shelf architectures is quickly transforming the sector, resulting in new opportunities for telcos and, of course, new challenges.

Bridging two worlds

One of the biggest challenges for telecommunications companies today is keeping one foot firmly planted in the “old world” while preparing for the new. Fixed-mobile convergence—the seamless integration of fixed-line and mobile telephone services, often accompanied by image, music, and video download options—is one way telcos are attempting to bridge the two worlds.

“Fixed-mobile convergence is an attempt by the wired-line carriers to hold on to customers in an era that’s increasingly dominated by wireless communications,” says Robert Rosenberg, president of Insight Research, a telecommunications market research firm based in Boonton, New Jersey. Line losses—when customers discontinue their fixed-line service in favor of a wireless plan—are increasingly diminishing the bottom line for telcos. On the flip side, intense competition in the wireless world is driving down prices, squeezing margins there as well.

Even as the lines blur between wired and wireless carriers, both face a familiar challenge: how to cut costs and offer new services. The widely used Internet Protocol, or IP, offers a compelling way to do both. “Voice over IP (VoIP) provides a much cheaper way to assemble and maintain a network, whether you’re on the wired or the wireless side,” says Rosenberg. “It’s very clear now that telco networks are increasingly IP-based, especially in the backbone, and that the endpoints themselves will increasingly be IP.”

New services, new risks

The migration to IP-based “next generation networks”—or NGNs—is not happening overnight. However, it is being accelerated by consumer demand for new services, such as file exchange and music downloading, streaming movies, and IP TV. While today these services make only minimal contributions to the bottom line for most telcos, they present a tremendous revenue opportunity for the future.

But along with new product opportunities and infrastructure cost savings comes increased risk. “IP-based networks are more easily compromised because there are more people out there who are familiar with the technology,” Rosenberg says.
“The potential for security breaches or denial-of-service attacks—as well as the level of sophistication of the attacks—increases dramatically.” To deal with these threats, telecommunications companies must first determine their potential impact on the business, and then decide what defense and remediation tactics to employ.

Security first

A company that offers an interesting perspective is du, one of the two major telecommunications providers serving Dubai and the United Arab Emirates. Launched in late 2005, du has had both the challenge and the advantage of entering the market in the middle of the shift to an IP-based infrastructure. Defining and building a security infrastructure that would not become quickly outdated was one of the company’s top priorities—a challenge that fell to Walid Kamal, du’s vice president of technology security and risk management. “We had the opportunity to approach security from the ground up, which is not necessarily the norm in the telecommunications industry from what I have seen,” says Kamal.

Risk management is firmly embedded in du’s governance model. “We have a very systematic, ongoing approach to network security,” explains Kamal. “We identify business risks, prioritize them, and evaluate technology solutions that can help us mitigate those risks. When we want to introduce new products, sometimes we need to freeze the technology until we can mitigate the risk. After all, if you’re introducing a new product and you don’t have solid security, you will fail.”

In addition to traditional fixed-line service, du offers VoIP, IP TV, and mobile communications services. “The change toward next-generation networks has begun,” Kamal notes. “In some ways, we are already there. Nonetheless, regardless of the underlying technology, there will always be risk involved, and the fundamental principles of risk management don’t change.”

Kamal has divided his staff into three distinct domains: security technology design, architecture, and implementation; security operations/incident investigation; and policy, compliance, and audit. The company’s Security Operations Center operates around the clock to proactively defend against network attacks. To supplement internal resources, du has added Symantec Managed Security Services and Symantec Residency Services; the latter includes an onsite Symantec Resident Resource who helps to identify and remediate threats. “We need to make sure our dynamic environment is secure not only today but over the long term,” Kamal explains.

In addition to the above, du deployed Symantec Security Information Manager as part of its Managed Security Services rollout to automate the monitoring of its security environment. Symantec Security Information Manager offers a centralized view of log file data from devices such as endpoints and firewalls, allowing du to identify critical alerts within five minutes, versus up to one week using manual log-file analysis tactics. “The ability to identify threats quickly was another critical criterion for our assessment,” Kamal comments. “We know we have to be very proactive and should have immediate turnaround and minimum response time if any security incident occurs in our organization.”

Managing billions of endpoints

Another trend driving security requirements in the telecommunications industry is the emergence of new, mobile, intelligent endpoints that blur the lines between the computer, phone, music and video player, and Blackberry. “I don’t even know what a computer is anymore,” says Insight Research’s Rosenberg. “And it doesn’t matter. Protecting these endpoints and the data stored on them will be a challenge.
The centralized management that we had in the days of the public switched telephone network (PSTN) is gone, and now what we’re trying to do is essentially manage billions of endpoints.”

To secure its endpoints and manage them from one central interface, du is in the process of consolidating its various endpoint security technologies onto Symantec Endpoint Protection 11.0 with Symantec Network Access Control. The Network Access Control option will allow du to ensure that any endpoint is compliant before allowing it to connect to the network. “This technology is under proof of concept now at du and will allow us to cut costs and reduce administrative time by standardizing on one technology for endpoint protection,” Kamal says. “This will also help us be more proactive in identifying security and risk issues as well as the needs of the business.”

Competing on uptime

While security is indeed a primary challenge in the telecommunications industry, gaining customers—and keeping them—is also paramount. With competition fierce, especially in emerging markets, telcos are increasingly competing on availability of services. Any downtime represents lost revenue, lost customers, and a tarnished reputation.

At Swisscom IT Services, which serves Swisscom, the largest telecommunications provider in Switzerland, this is a priority for Bruno Kocher, head of enterprise storage services. “Availability of systems and data is becoming more and more critical for telecommunications companies,” says Kocher. Located in Berne, Swisscom IT Services also makes its storage and backup offerings available to other corporate customers with similar needs for high availability, such as banks and transportation companies.

To ensure high availability, Swisscom IT Services is using Veritas Storage Foundation HA, which includes Veritas Cluster Server for automated failover. The solution enables the company to make storage allocation changes on the fly, with no application downtime.

As an IT organization, Swisscom IT Services has been an innovator. The company maintains the largest blade server farm in Europe, built Switzerland’s first storage area network (SAN) earlier this decade, and was one of the first major IT providers to realize the management benefits of booting its servers from the SAN, rather than from local disks.

“We always have the latest technology, especially when it comes to protecting customer data and providing maximum availability for our customers,” Kocher says. “Because we have SLAs, if we had any sort of data loss, we would have to pay the customers for that loss. Also, aside from the financial impact, there would be damage to our reputation.”

To protect its customers’ data, Swisscom IT Services uses Veritas NetBackup to centralize backup-and-recovery operations across its Solaris and Microsoft Windows environments. “Telcos are very quickly going to have to be backing up a lot more data,” Kocher notes. “The data that Swisscom IT Services backs up for customers has increased by over 1,000 percent since 2002.”

Staying green, saving green

As data stores continue to grow and redundancy becomes more and more important, companies are challenged to deliver on the notion of “green IT” while still meeting business requirements.
When a server is not critical enough to warrant a dedicated, passive standby node, Swisscom IT Services uses the N+1 clustering capabilities of Veritas Cluster Server to reduce hardware costs compared to a traditional one-to-one active-passive clustering architecture. The company is also investigating ways to improve its storage utilization and keep power costs in check.

“Storage tiering is becoming more important as companies try to reduce costs to stay competitive,” Kocher explains. “For big disks, hierarchical storage management is the future. Right now, we’re looking into how Symantec Enterprise Vault can help us reduce our storage costs through data deduplication and archiving. Companies can no longer afford to keep non-active data on tier-one storage—the pressure on margins is too great.” This is increasingly important as telcos compete with Internet content providers like Yahoo and Google for some services, he adds.

Finding new revenue streams

Amidst the frenzied competition and margin pressure, new revenue opportunities are emerging for telcos. Many are already generating revenue by offering new services such as managed security services, online backup and archiving services, and software-as-a-service (SaaS) offerings.

“Telcos will increasingly be partnering with other technology and service providers such as Symantec to come up with bundled solutions that provide a high level of security,” Rosenberg quips.

Accurate, efficient reporting across multiple systems is a must as telcos begin to offer these types of hosted services, Kocher observes. “We need to provide an accurate receipt for the customer—how much storage they are using, and how we’re charging for that,” he says. “It’s becoming less and less effective to have various reporting tools for different platforms. It must be an independent layer between all the technologies.”

Swisscom IT Services, for instance, offers a hosted online backup service for Swisscom’s small business customers. “We do chargebacks to Swisscom, and they charge the end customers,” Kocher explains. “We’re just getting started with this service.”

To provide up-to-date data for daily chargebacks, Swisscom IT Services uses Veritas CommandCentral Storage. “Veritas CommandCentral Storage gives us the ‘big picture’ of our storage environment,” Kocher says. “We always have the latest information on storage utilization, free disk space, and system status without having to check the individual systems.”

Kocher is currently evaluating Veritas Backup Reporter to further enhance chargeback efficiency. “At a glance, we’ll be able to see the status of each customer,” he says. “We’ll be able to improve our service-level reporting and chargebacks based on backup volumes for each of our internal customers.”

Keeping pace with change

While that picture phone might not be in your kitchen yet—or in your pocket—the end result of the current turbulence in the telecommunications industry will be a richer, more satisfying user experience. Companies that are able to provide that experience securely, reliably, and at the lowest cost will win.

“Regardless of whether you’re a fixed-line carrier or a wireless company, IP completely changes the nature of the telecommunications equation, especially on the profitability side,” Rosenberg concludes. “Telcos are going to have to get leaner and much, much meaner in order to survive.”

Ken Downie is a writer at NAVAJO Company. His work has appeared in Business Finance, Internet World, and Business Credit magazines.

The Biggest Security Threat Facing Telcos Today

The Centre for the Protection of National Infrastructure (CPNI), a UK government agency, issued a statement at the Infosecurity Europe 2007 conference that the shift to IP networks is the biggest security threat facing the telecom sector today. “I see the environment over the next four or five years seeing increased threats,” said Roger Cumming, head of knowledge and advice delivery at the CPNI.1

1 Matt Chapman, “IP Convergence Creates Security Headaches for Telcos—Centre for the Protection of National Infrastructure Warns of Dangers,” April 27, 2007, go.symantec.com/vnunet.
[Figure: Telecom Networking Before and After IP, with panels “Before” and “After.” Reprinted from “The Future of Telecommunications 2006-2011,” Insight Research, www.insight-corp.com.]

SOLUTIONS FEATURE

Turning Risk into Returns
How IT governance, risk management, and compliance drive better business outcomes
By Alan Drummer

People: they’re your problem in this area—and your answer. By their actions, they potentially expose your organization to risks that could damage or destroy it—yet they bring you the precious skills and teamwork that deliver value to your customers and bring back returns.

How can you turn operational risks into returns? It’s a matter of putting the right IT governance, risk management, and compliance (GRC) processes in place. And frequently, that’s not the most sought-after assignment.

“Being in charge of managing IT risk is often seen as being in the business of ‘no,’” says Scott Crawford, research director at Enterprise Management Associates. “That’s how a chief information security officer recently put it to me. But the alignment of IT governance, risk management and compliance is not the business of ‘no’—it isn’t a business inhibitor; rather, it’s actually a business enabler.”

A 2008 survey by the IT Policy Compliance Group confirms this observation.1 Firms with better IT GRC results are also enjoying much better performance when it comes to satisfying customers and growing revenues and profits. They have 17 percent higher revenues, 14 percent higher profits, 18 percent higher customer satisfaction rates, and spend 50 percent less on regulatory compliance annually.

“To put it simply, the principles of good IT governance, risk management, and compliance are actually the principles of good IT management,” Crawford says.

To succeed in IT GRC management, more than half of the 224 companies surveyed in one study on the subject have, in the words of a respondent, “turned process into a strategic asset.”2

“They’ve adopted Information Technology Infrastructure Library (ITIL) standards,” Crawford says. “ITIL’s ‘three-legged stool’ is a foundation for successful IT GRC. People are an asset—but they can also be a vulnerability. To be successful, people need processes that guide them to the desired behavior and results and technology that automates the processes and makes them easy to perform consistently.”

Greg Malacane agrees. As a senior business analyst for The Alchemy Solutions Group, Malacane works with IT organizations to analyze and measure the business value they’ve achieved, or are projected to realize, from a given initiative or solution set. “In almost every study we’ve done in the compliance area, successful organizations are meeting challenges by centralizing, standardizing, and automating compliance tasks with technology,” he reports.

So if processes and technologies are key, which ones are proving most useful? How are organizations using them to turn risks into returns? Here are key lessons learned by three top IT decision makers.

Create a single sign-on

Risk: Access control is a fundamental in compliance. Imagine running a health plan where 4,000 clinicians take laptops into the field to visit 30,000 patients a day. Each patient visit requires a clinician to access multiple applications—and each application takes a different user ID and password. Some clinicians try to recall their sign-on information from memory and get locked out. Others write down their IDs and passwords on their laptops. This was a management challenge facing Larry Whiteside, Jr. when he became chief information security officer at Visiting Nurse Service of New York.

Process: “We developed a single sign-on capability,” Whiteside explains.
“We let users log in once and gain access to multiple applications.”

Technology: Whiteside worked with his development team to use Lightweight Directory Access Protocol (LDAP), taking advantage of its simple, extensible, multi-platform access to applications.

Returns: On a patient visit, clinicians sign in once—and then can devote their full attention to the patient. With 4,000 clinicians saving about 10 minutes a day, more than 3,000 hours a week are being reclaimed for patient care.

See everything

Risk: What you can’t see, you can’t manage or remediate. “We have 60 locations and 4,000 endpoints in the field,” Visiting Nurse Service’s Whiteside reports, “but when I came here, we didn’t have any way to get security intelligence about the environment. We could only see what was going in or coming out the gateway.”

Process: Whiteside chose to automate the gathering and correlation of logs from all endpoints, firewalls, hosts, virtual private networks (VPNs), intrusion detection systems (IDS), directories, and applications.

Technology: Logs from Symantec Endpoint Protection on all desktops and servers feed into a LogLogic appliance, which in turn feeds into Symantec Security Information Manager. Meanwhile, Symantec Security Information Manager captures logs directly from network-based devices such as firewalls, routers, and switches. “Everything is correlated inside Symantec Security Information Manager, so I get a comprehensive correlated and prioritized picture of events occurring from the firewall to the desktop,” Whiteside says. “We get the view we need of what’s going on.”

Returns: Whiteside’s security team can focus on tasks more strategic than poring through logs. “It would take at least two full-time employees to check all the logs that are correlated and prioritized automatically now,” he says. “We get the network intelligence we need to make more informed decisions.”

To err is human, to automate divine

Risk: How do you know when an endpoint is infected? If unreported, will it infect the rest of the network? That was the potential at Singapore’s Energy Market Company, the operator of Singapore’s wholesale electricity marketplace. “The uncertainty wasn’t acceptable,” says James Ng, vice president of technology.

Process: Ng chose to automate the detection and isolation of infected endpoints using Symantec Endpoint Protection and Symantec Network Access Control. The infrastructure now denies a connection to any non-compliant device that attempts to connect to the network.

Technology: The endpoint protection solution identifies any infected device. The network access control solution immediately isolates an infected endpoint from the network. It also denies a network connection to any device that is not compliant with Energy Market Company security policies or current in its antivirus protection and patches.

Returns: An infected endpoint on Energy Market Company’s network is automatically isolated in seconds. “The user can’t do anything on the infected PC,” Ng says. “In the past the user may not have called us, and the infected PC could have gone unnoticed. With this system in place, there is consistency in the way we detect and remediate problems.”

Centralize endpoint administration

Risk: Quality, efficiency, and cost savings mean everything to Molina Healthcare. That’s because it’s a Medicaid managed care organization that delivers healthcare to over 1.2 million individuals and families in 10 states and 17 owned-and-operated medical clinics. Molina Healthcare has been meeting its challenges since 1980, and over the years several of its state plans have been rated best in the United States by a major news magazine.

“Our founder said this is the business of nickels,” says Sri Bharadwaj, director of infrastructure and operations. “Unlike commercial health insurers who can raise their rates if their costs go up, we can’t. The state governments tell us how much they will be paying. So, it is incumbent on us to leverage our administrative efficiency to keep costs low. We try to manage our medical costs, but control our administrative spending.”

A chief problem the IT team at Molina Healthcare faced was the complexity of managing endpoints for 2,300 employees in multiple states—and keeping them patched and protected compliantly.

Process: “We needed an easier management interface, with the ability to centrally manage all our endpoints,” Bharadwaj notes. “We needed a way to inventory them centrally and remotely, inspect their registries, install software, push out patches, and streamline our help desk.”

Technology: Molina Healthcare uses centralized standards management software to create and detect standards, assess technical controls, detect deviations, and remediate them. It also uses automated centralized helpdesk software and a client management suite for centralized, automated patch management and software management. The health maintenance network relies on Symantec Control Compliance Suite, Altiris Helpdesk Solution, and Altiris Client Management Suite for the above capabilities.

Returns: “We have 2,300 employees, and managing all our endpoints is now a part-time assignment for a single resource,” Bharadwaj says. “Had we tried to do all the management tasks on our own without the tools from Symantec, it would have required four or five employees working full time, all with a big travel budget.”

What do high performers in IT GRC have in common?
> 94% define configuration change control processes and enforce them
> 91% monitor the IT environment for changes
> 77% monitor IT access and use for indications of fraud and unusual behavior proactively
> 64% reported 10% or fewer security incidents disruptive to IT in past year
In comparison, 50% of medium performers indicated that more than 10% of security events were disruptive to IT. High performers had approximately half the median incidence of disruptive security events as both medium and low performers.
Source: Scott Crawford, “EMA’s 2008 Survey of IT Governance, Risk and Compliance Management in the Real World,” Enterprise Management Associates, Inc., www.enterprisemanagement.com.

Get control of unstructured data

Risk: When employees create PST files to archive their email messages, the files are unmanaged, easily lost and corrupted, and difficult to search—creating multiple compliance and risk management issues.

Process: Molina Healthcare’s Bharadwaj chose to archive the organization’s email so that PST files are no longer needed. They’ve been banned. Existing PST files have been detected and migrated to a central repository where their contents are now indexed and easily searchable.

Technology: Bharadwaj’s team deployed an archiving solution using Symantec Enterprise Vault that enables employees to store, manage, and discover unstructured information across the organization.

Returns: At Molina Healthcare, 3,000 PST files were detected and ingested to a central vault using Enterprise Vault PST Migrator where their contents are easily searchable. “By enforcing policies and managing storage requirements using write-once read-many-times (WORM) technology, we have been able to maintain storage and allow for future growth without an increase in storage cost,” Bharadwaj says.
Centralize and encrypt that backup Follow through automatically MICHAEL BRUNETTO s Risk: When monitoring compliance checkpoints, any manual system is vulnerable. “We can’t just depend on people alone for security and compliance,” says Energy Market Company’s Ng. “We have a small IT staff, and we need to count on automation and technology, not just people, to fulfill our compliance obligations.” Process: Ng sought a way to make compliance monitoring consistent. “We have a 40-page statement of IT policies, and to ensure Who do you trust? Sri Bharadwaj, Director of Infrastructure and Operations, Molina Healthcare our full trust,” he says. “But when people, process, and technology are integrated—we can.” n Alan Drummer is Creative Director for Content at NAVAJO Company. His work has appeared in the Los Angeles Times, San Francisco Examiner, Create Magazine, and on The History Channel. Progress can be quick—Molina Healthcare’s Bharadwaj has seen 1 “New Research Shows Benefits of Improving IT it. “A year ago, we identified gaps in GRC Practices and Capabilities,” announcements, www.itpolicycompliance.com, May 15th, 2008. governance, risk management, 2 Scott Crawford, “EMA’s 2008 Survey of IT and compliance and put plans in Governance, Risk and Compliance Management place to address them,” he says. in the Real World,” Enterprise Management “We wanted to ensure that Associates, Inc., www.enterprisemanagement.com. every desktop or laptop is protected, and every endLaw and Order point is managed approprifrom Symantec ately from a central locaControl Compliance Suite: Integrated products tion, and all of this can occur that automate processes to reduce compliance without much disruption to the costs business. That was our vision. 
Security Information Manager: Collect, store, And we’ve made great progress and analyze log data as well as monitor and in the past nine months.” respond to security events Now Molina Healthcare has Altiris Helpdesk Solution: Incident managethe classic three legs to the ment tool that helps ensure availability and raise service levels while reducing costs stool, says Bharadwaj: “People Altiris Client Management Suite: Easy-to-use and processes might not always systems management solution that reduces sync up, but to a great extent, the total cost of ownership for desktops, we’re using technology to notebooks, and handheld devices automate, managing risk and Enterprise Vault: Email and content archiving guiding people into compliance solution enables users to store, manage, and in whatever they do.” discover unstructured information across the Energy Market Company’s organization Ng has another way to sum this Data Loss Prevention: Delivers a unified solution to discover, monitor, and protect up. “In people alone, because confidential data wherever it is stored or used everyone is human, we can’t put s Risk: “We had people managing backup tapes across our multi-state environment,” Molina Healthcare’s Bharadwaj says. “It was resource intensive and not consistent. If we needed to pull certain data, it was a nightmare to find the tape.” Process: Bharadwaj and his team decided to centralize and automate backup and deploy encryption. Technology: Molina Healthcare chose deduplication technology in the form of Veritas NetBackup and NetBackup PureDisk to reduce bandwidth and storage consumption. This enables centralized backup over the network without disruption to production. With the NetBackup Encryption options, data is encrypted both in motion and at rest. Returns: “We’ve reduced backup costs by about 60 percent,” Bharadwaj reports. “We can recover a production application in two hours instead of 10 to 15 hours. 
And we have 256-bit encryption and centralized backup— making our data more secure and helping us meet governance, risk management, and compliance obligations.” compliance, we have to translate that into action—into who does what, quarterly, monthly, yearly,” he observes. Technology: The 40 pages of policies at Energy Market Company have been translated into an extensive Excel spreadsheet to track steps taken. But Ng and team have other plans. “We’re evaluating an automated system— in this case Symantec Control Compliance Suite. One of its advantages is that it will eliminate ambiguity. When there’s a compliance task to be done, an employee will be automatically reminded to execute it and management alerted until it’s done.” Returns: Everyone will be able to focus on more valuable tasks. “Automation will relieve management from chasing the IT staff,” Ng says. “The software will do the work for us.” symantec.com/ciodigest 21 EMEA A Rapid IT Ascent IT Standardization Prompts a Vertical Climb in Business Value F technologies that did not talk to each other. After significant analysis, Zuffada determined that standardization should be at the core of the nextgeneration IT infrastrucJosè Di Mase, Mubadala Developture. The overriding objecment Company (totally owned by tive of the standardization Standardizing at takeoff the Abu Dhabi Governement), and initiative was to reduce IT The bar had obviously been set very high Tata Limited (recent stakeholder agreement announced) costs while driving operawhen Roberto Zuffada, who was given Total Order Book Value: More than tional efficiencies. the charter to design and build a next$700 million USD Microsoft technologies generation IT infrastructure representative IT Team: 25 would play a pivotal role for of the company’s brand, was named CIO Website: www.piaggioaero.com the Piaggio Aero team. “We two years ago. 
There was much work to decided to standardize on a do; the legacy environment consisted of number of different Microsoft solutions,” Zuffada says, a number of different technologies configured in “from Microsoft Windows for our server platform and isolated silos. For example, the server environment included mainframes, various UNIX and Linux flavors, operating system, to Microsoft Exchange for email, to Microsoft SharePoint for publishing and information flow, as well as Microsoft Windows-based servers. At the to Microsoft .NET for application development.” same time, applications were based on proprietary 22 CIO Digest January 2009 PIAGGIO AERO S.p.A. s or the past eight years the infamous “prancing horse” logo has been proudly displayed on the P.180 Avanti—the “Ferrari of the Sky.” Many may not realize this, but the genesis of the logo actually dates back almost a century when it was displayed on the tail of an airplane belonging to a legendary World War I Italian Air Force pilot (see the “Genesis of the ‘Prancing Horse’” sidebar). It made its reappearance in aeronautics with the release of the P.180 Avanti in 2002. The P.180 Avanti, the flagship product of Piaggio Aero Industries S.p.A., is an impressive aircraft—the fastest turboprop in the world (402 knots per hour with a maximum cruising altitude By Patrick E. Spencer of 41,000 feet and a range of 1,500 miles). Its engineering design required a complete rethinking of conventional aircraft configurations, resulting in a patented Three-LiftingSurface Configuration (3LSC) that requires 34 percent less wing span and dual turboprops Turbocharged for on the backside of the wing. 
The P.180 Avanti, Performance which has sold more than 170 worldwide, Founded: 1998 is used to shuttle Ferrari’s executives and star Operations: Only company in the Formula One drivers around Europe, if not the world to be active in all aspects of world, to unveil new cars, win Grand Prix aircraft design manufacturing and events, and much more. In addition, both maintenance, aero-engines producFerrari Racing Team drivers, Felipe Massa tion, and aero-engines repair and overhaul and Kimi Raikkonen, are spokespersons of Key Shareholders: Piero Ferrari, Piaggio Aero and the P.180 Avanti II. Eliminating 98 percent of email An overwhelming volume— approximately 98 percent— of the email Piaggio Aero receives is spam. End users were spending as much as 30 minutes each day deleting spam from their inboxes, while the IT team was spending an inordinate amount of time managing the Exchange environment in order to sustain system performance. Zuffada’s team designed a dualcascade control architecture using Symantec Premium AntiSpam. The first server is used for overflow while the second server is used to analyze the remaining email. With the elimination of 98 percent of email, the overall productivity of the IT team improved 30 percent; the time saved is now reallocated to more strategic tasks. Additionally, end users have seen a dramatic productivity improvement. Data protection with a business case The previous IT infrastructure had backup-and-restore solutions for each server platform and operating system. Ongoing administration of this environment was extremely inefficient and time consuming. When Zuffada and his team consolidated the server environment onto Microsoft Windows-based HP servers, they made a decision to migrate from EMC Legato to Veritas NetBackup. “A key business requirement was the need for more granular restores,” Zuffada explains. 
“The ability, for example, to restore a single email was very interesting to us.” The Piaggio Aero team worked with Symantec Consulting Services to roll out the next-generation data protection solution in October 2008. Backups are configured for disk-to-disk-to-tape to HP StorageWorks Enterprise Virtual Arrays and HP LTO 3 tape libraries. The backup window shrank 50 percent while the time required to perform a restore was reduced 60 percent. The solution is expected to scale with a backup volume growing at an annual rate of 30 percent, enabling the Piaggio Aero team to avoid adding more backup administrators despite a larger backup volume per administrator. Extending green to IT Just as the design of the P.180 Avanti is sensitive to its carbon footprint, including 50 percent higher fuel efficiencies than most other business jets, 30 percent higher fuel efficiencies than the most efficient twin turboprops, and the ability to land and takeoff on runways as short as 3,000 feet, Zuffada and his team are designing their next-generation IT infrastructure with green concerns in mind. Virtualization is part of this process. “Now that we have a standard server platform in place, we are ready to move towards virtualization,” Zuffada notes. “Our focus here is to create a more energy-efficient data center environment by consolidating servers and reducing power consumption.” Though they have not finalized a technology decision yet, Zuffada and his team are in the final stages of evaluating different technology options and anticipate an implementation timeframe in 2009. Archiving structured and unstructured data In early 2007, the Piaggio Aero team migrated their email system from Lotus Notes to Microsoft Exchange. While this improved system performance and provided end users with additional functionality, other challenges remained. 
“We simply had lost email before,” Zuffada says, “and we didn’t have any means to retrieve email stored in corrupt PST s The need to standardize the IT infrastructure was accentuated by the requisite to deliver a streamlined, more integrated product lifecycle management (PLM) for Piaggio Aero’s next-generation projects. “The design and manufacturing of our future aircraft will be based on a new PLM that requires a new ERP system,” Zuffada explains. “In order to get to the point of selecting and deploying this new ERP solution, we had to get the underlying IT infrastructure in place.” Beyond Microsoft, the Piaggio Aero team has formed strategic relationships with other technology providers, including Symantec. “We’ve elected to standardize on Symantec technologies on a number of different fronts,” Zuffada says. Initiatives encompass data protection, endpoint security, mail security, and email and document archiving and management. Genesis of the “Prancing Horse” T he prancing horse was first displayed on an aircraft— not an automobile. Count Francesco Baracca, a great pilot who served with the Italian Air Force during the First World War, exhibited the prancing horse on the tail of his aircraft. The mother of Count Francesco Baracca donated the symbol to Enzo Ferrari after watching him race to a victory on the Salvio circuit in 1923. She instructed him to place it on his cars, indicating it was a representation of her son, who had died when his plane was shot down in 1918, and would bring him luck. Enzo Ferrari thereafter added the yellow color as a symbol of the city of Modena, and the “Cavallino Rampante” was born. The son of Enzo Ferrari, Piero Ferrari, was named chairman of Piaggio Aero 1998. In 2000, when the Scuderia Ferrari (Ferrari Racing Team) chose the P.180 Avanti II, the prancing horse returned to the field of aeronautics again (it is displayed on the nose and tail of the P.180 Avanti II flown by the team). 
symantec.com/ciodigest 23 Symantec Enterprise Vault and began implementing the solution with the assistance of Symantec Consulting Services in November 2008. Roberto Zuffada, CIO, Piaggio Aero S.p.A. “ Technology is not enough. IT must understand the business and the underlying business processes in order for technology deployments to be successful. ” —Roberto Zuffada, CIO, Piaggio Aero Industries, S.p.A. 24 CIO Digest January 2009 The deployment includes ingestion of PST files using Enterprise Vault PST Migrator. The solution also moves Exchange storage from tier-one SAN disks to less expensive tier-two storage disks inside the same storage system, equating to as much as a 30 percent reduction in storage cost. In addition, the team projects data deduplication savings—through single-instance archiving and data compression—of at least 30 percent that will reduce their storage footprint and power consumption. When Zuffada and his team migrated from the silo-based IT infrastructure to Microsoft Windows, they pinpointed endpoint security as an area they wanted to address. As part of this process, they engaged Symantec Consulting Services to conduct a penetration test to ascertain the vulnerabilities of their network. With the results in hand, the team determined they needed to standardize on one centralized endpoint security toolset. This would help to improve overall efficiencies while creating a mechanism for checking client logs and tracing data. “We are centralizing antivirus, antispyware, application and device control, firewall, as well as policies and procedures underneath Symantec Multi-tier Protection,” Zuffada says. “This will provide a greatly enhanced endpoint security environment and help us drive business efficiencies.” Soaring to success When asked what has helped him achieve success throughout his career, Zuffada indicates the answer is twofold: technology and the business. Zuffada explains: “Technology is not enough. 
IT must understand the business and the underlying business processes in order for technology deployments to be successful.” And when these two elements are combined, the potential results might be “The Ferrari of IT.” n Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others. s tory that could be easily and quickly retrieved.” In addition, there was a pressing need to create an archival solution for unstructured data. The team not only had a need to archive file and print data but product lifecycle management data created by various authoring tools such as Microsoft Office SharePoint Server. As a result, the ability to archive both structured and unstructured data was at the core of the evaluation criteria the Piaggio Aero team established. They ultimately selected Delivering security to the endpoint Symantec Helps to Propel Piaggio Aero > Symantec Multi-tier Protection > Symantec Enterprise Vault > Symantec Premium AntiSpam > Veritas NetBackup > Symantec Consulting Services Fabio Lombrici EMEA files or email that had been accidentally deleted. 
We needed a solution that would allow us to archive and store email in one centralized reposi- IOC7DJ;9 IOC7DJ;9 IOC7DJ;9 FHEJ;9JICEH; FHEJ;9JICEH; 8KI?D;II;I 8KI?D;II;I 8KI?D;II;I C;:?KC C;:?KC F;EFB; F;EFB; F;EFB; C;:?KC ?DJ;HD7J?ED7B ?DJ;HD7J?ED7B D;JMEHAI B7FJEFI 87DAI B7FJEFI D;JMEHAI D;JMEHAI 87DAI 87DAI D;JMEHAI D;JMEHAI D;JMEHAI ?DJ;HD7J?ED7B L?:;EIL?:;EI B7FJEFI 8H7D9> E<<?9;I 8H7D9> 8H7D9> L?:;EI E<<?9;I E<<?9;I J;7CIJ;7CI 9B?;DJI J;7CI 9B?;DJI9B?;DJI 9ECFKJ;HI 9ECFKJ;HI <?B;I 9ECFKJ;HI <?B;I FHEJ;9JICEH; B7M ;C7?BI B7M CE8?B; ;C7?BI CE8?B; <?HCI <?HCI :;L?9;I :;L?9;I ;C7?BI B7M CE8?B; <?HCI ?D<EHC7J?ED ?D<EHC7J?ED :;L?9;I ?D<EHC7J?ED EH=7D?P7J?EDI EH=7D?P7J?EDI J;7CI J;7CI I;HL;HI I;HL;HI ?D:?L?:K7BI ?D:?L?:K7BI EH=7D?P7J?EDI IE9?7BD;JMEHAI IE9?7BD;JMEHAI J;7CI I;HL;HI M;8I?J;I <?B;I I;HL;HI M;8I?J;I <?B;I I;HL;HI ?D:KIJH?;I ?D:KIJH?;I ?D:?L?:K7BI C;:?97BH;9EH:I C;:?97BH;9EH:I IE9?7BD;JMEHAI 9KIJEC;HI 9KIJEC;HI M;8I?J;I <?B;I I;HL;HI ?D:KIJH?;I C;:?97BH;9EH:I :;IAJEFI ;D:FE?DJI KI;HI :;IAJEFI ;D:FE?DJI KI;HI ;D:FE?DJI KI;HI :;IAJEFI :7J7 KD?L;HI?J?;I C7DK<79JKH;HI 9ECF7D?;I M?D:EMI DED FHE<?JI ;DL?HEDC;DJI FHE<?JI ;DL?HEDC;DJI 9ECCKD?J?;I 9ECCKD?J?;I ;DL?HEDC;DJI FHE<?JI IC7BB8KI?D;II;I IC7BB8KI?D;II;I 9ECCKD?J?;I >EKI;>EB:I 8BE=I >EKI;>EB:I 8BE=I 8BE=I >EKI;>EB:I =EL;HDC;DJI KD?L;HI?J?;I KD?L;HI?J?;I C7DK<79JKH;HI C7DK<79JKH;HI :7J7 :7J7 :7J7 :7J7 L?HJK7B L?HJK7B ?D<EHC7J?ED ;DL?HEDC;DJI ;DL?HEDC;DJI L?HJK7B ?D<EHC7J?ED ?D<EHC7J?ED 9;DJ;HI ?:;DJ?J?;I 9KIJEC;HI =EL;HDC;DJI =EL;HDC;DJI :7J7 9;DJ;HI :7J7 9;DJ;HI I;HL;HI ?:;DJ?J?;I I;HL;HI I;HL;HI ?:;DJ?J?;I <?B;I IOIJ;CI IOIJ;CI IOIJ;CI 9ECF7D?;I 9ECF7D?;I :7J7 :7J7 M?D:EMIDED DED M?D:EMI IC7BB8KI?D;II;I ;DL?HEDC;DJI J>7D7DOEJ>;H9ECF7DO$ J>7D7DOEJ>;H9ECF7DO$ J>7D7DOEJ>;H9ECF7DO$ IOC7DJ;9?I'?DI;9KH?JO$ IOC7DJ;9?I'?DI;9KH?JO$ @e_d\ehY[im_j^j^[i[Ykh_job[WZ[h$ @e_d\ehY[im_j^j^[i[Ykh_job[WZ[h$ Fhej[Yjoekhi[b\WjiocWdj[Y$Yec%[l[hom^[h[ IOC7DJ;9?I'?DI;9KH?JO$ Fhej[Yjoekhi[b\WjiocWdj[Y$Yec%[l[hom^[h[ 
APJ
The Making of an Iconic IT Production
An IT Journey that Starts and Ends in New Zealand
By Patrick E. Spencer
The unusual and varied landscape of New Zealand has made it a popular destination for the production of several well-known films, including The Lord of the Rings trilogy, The Chronicles of Narnia series, and The Last Samurai. The pioneering spirit behind these iconic productions is embodied in the efforts of healthAlliance NZ Ltd., which provides various shared services, such as procurement, materials management, recruitment, payroll, finance, and information services, to the Counties Manukau and Waitemata District Health Boards. Indeed, led by CIO Phil Brimacombe, healthAlliance’s information systems (IS) team has garnered a number of awards since the organization’s founding in 2000 that recognize its technology thought leadership and innovation. These include two BearingPoint Innovation Awards. The one granted for the Kidslink Wellchild Project, which dramatically increased immunization rates among children, was particularly meaningful, as it was presented to Brimacombe and his team by New Zealand’s prime minister.
Success for the IS team has not come without a significant amount of strategic planning, focus, and hard work. “Healthcare is the most complex and most challenging IT environment in which I’ve ever worked,” Brimacombe explains. “It’s also the most interesting and the most stimulating. You never get bored. Things constantly change in healthcare.” For example, transformation in biomedical services over the past decade has created additional IT challenges. Brimacombe explains: “Every new bit of biomedical equipment that comes out today comes with software, whereas 10 years ago it was almost all mechanical. Every bit of specialized equipment comes with its own specialized software. This is how we’ve rapidly spiraled up to the order of 900 different applications.”
Clinicians diagnose the problem
Efficient management of IT systems plays an important role in helping healthAlliance to achieve its goal of minimizing costs and optimizing budget for front-line medical services. With that in mind, Brimacombe and his team embarked on a search to address two primary issues in 2006. “Several years ago I would go to meetings with clinicians,” Brimacombe says, “and they would complain about two things. The first was the IS helpdesk.” The experiences were myriad—and all negative. “They would call and would wait for ages until someone called them back, and when they did finally answer they didn’t have an answer to the problem,” Brimacombe continues. “Further, when the helpdesk staff did log a problem, they never got back to the requestor.” The second issue was in regard to actual IT assets. The clinicians complained “there weren’t enough of them, they were too old and slow, and had poor performance.”
IT assets: Where? What? Who?
In order to identify the issues the clinicians helped define, Brimacombe and his team pinpointed the underlying technology drivers. “When people complained about a machine, often it was the first we knew about it, as we didn’t know exactly where it was, who was using it, and what software was running on it,” Brimacombe relates. “The other big challenge was the fact that the fleet was rapidly growing. Three or four years ago we only had about 4,000 desktops. Today, we have 6,500, and we’re adding about 500 new desktops and moving about 800 to 1,000 to end of life every year.”
And while the status quo was painful enough, the growth and evolution in the IT environment was going to create even more problems. “Without the right tools, the situation was simply going to get worse,” Brimacombe reports. After a lengthy RFP process, Brimacombe and his team settled on Altiris Service and Asset Management Suite in June 2007 and began deployment in October 2007. Working with Symantec Consulting Services, Brimacombe and his team completed the implementation in less than three months.
For asset management, Brimacombe and his team use two components from the Service and Asset Management Suite: Asset Management Solution and Application Metering Solution. “With Altiris Asset Management Solution, we now know the location of every one of the 6,500 machines, who is using each one, who’s responsible for it from a cost center standpoint, and what’s running on it,” Brimacombe explains. “In addition, we’re able to use the Application Metering Solution to pinpoint if there is software running on one of the machines that isn’t being used and shift it to a machine for someone who wants it.”
Helpdesk empowers end users
The other piece to the larger puzzle Brimacombe and his team concurrently sought to solve was the helpdesk problem. In addition to the complaints of clinicians, the existing helpdesk solution did not provide helpdesk personnel with a larger view of assets. “We needed a helpdesk system integrated with our asset management solution,” says Alistair Mascarenhas, service delivery team leader at healthAlliance. “Helpdesk personnel needed the ability to click through directly into the inventory information of the device that the user was using at that point in time.”
In order to address these requirements, the healthAlliance team selected Altiris Helpdesk Solution that is part of the Service and Asset Management Suite. “With the Altiris Helpdesk Solution, we have given our users control,” Brimacombe explains. “They can log their own requests all through the web portal. We then instantly email them a job number, priority of the call, and service level associated with it.” He continues: “Most of our users didn’t even know there were service level agreements for IT helpdesk requests.” As a result, by understanding the service levels attached to their request, end users know what to expect in terms of a response—particularly when they will receive an actual response.
“One of the reasons end users thought the previous helpdesk system was a failure,” Brimacombe says, “was that it was absolutely drowning in calls from users who had submitted a request and wanted to know the status. Now, we have been able to move users to check status online and to pick up the phone only when there is a critical problem. This solution is transforming service delivery and taking away barriers that we had in trying to move forward with our IT strategy. I no longer hear clinicians complain about the helpdesk. In addition, the number of complaints about the performance of individual systems has declined.”
In all, the results for IS helpdesk productivity are impressive. By moving more than 1,600 monthly move or change requests online, the team is able to track and monitor these requests and provide a faster turnaround for requests from end users.
With the IS helpdesk success in the foreground, Brimacombe and his team went in search of other areas where they could leverage the Helpdesk Solution. They found the next challenge to tackle with the payroll department, which manually managed information requests from DHB employees—a time-consuming and inaccurate process. Working with Symantec Consulting Services, the IS team extended the Helpdesk Solution to the payroll department in the summer of 2008. “Correcting payroll errors is vastly simplified and calls are systematically tracked and managed, thereby expediting issue resolution,” Mascarenhas says.
In late 2007, the healthAlliance team added Altiris IT Analytics Solution to the IS helpdesk solution. “As we didn’t have the in-house expertise for the deployment, we engaged Symantec Partner Bay Dynamics for implementation assistance,” Mascarenhas notes. The solution was initially integrated with the IS helpdesk and then extended to the payroll helpdesk when the Helpdesk Solution was rolled out for the payroll department. “The solution has given us a lot of flexibility,” Mascarenhas comments. “We previously had three individuals trained on generating reports with Crystal Report. However, with the IT Analytics Solution, the actual business owners have the ability to create their own reports—both those on the IS and payroll teams.”
Business processes flow downhill with workflow
In May 2008, Brimacombe and his team identified manual workflow processes as their next target. “We currently have a huge number of manual processes such as taking orders for cell phones and requests for software or other services,” Brimacombe explains. “These are a time-consuming task, and we rarely get all of the requisite information the first time around and need to go back to the user to capture additional detail.” He and his team pinpointed two initial areas to address—the helpdesk interaction evaluation process and user software requests—and elected to employ Altiris Workflow Solution as the basis. Symantec Consulting Services worked alongside the IS team to configure both workflow solutions.
“The Workflow Solution provides us with the means to automate all of these low-level activities and keep our resources focused on more complex and difficult tasks,” Brimacombe says. “This is the start of a really exciting journey to improve our service delivery. The higher we can lift the quality of our service delivery, the more we can engage customers in our more strategic programs. It’s a win-win scenario all around. We’ve only scratched the surface with Workflow Solution and are currently looking at five or six other areas for deployment in the next few months.”
Hollywood loses its “exclusivity rights”
Hollywood no longer has exclusivity rights on New Zealand as a place for exceptional uniqueness and inspiration. Indeed, if Brimacombe and his team have their way, it will become just as well known as a source for IT thought leadership and innovation. “We’re only in the initial stages of a fascinating journey, one that will take us to some exciting places,” Brimacombe concludes. And while Brimacombe and his team have already “visited” some interesting sites on their trek, there are many destinations left to see.
Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.
“Healthcare is the most complex and most challenging IT environment in which I’ve ever worked.” —Phil Brimacombe, CIO, healthAlliance NZ Ltd.
[Photo: Phil Brimacombe is the CIO at healthAlliance NZ]
Podcast: Check out the Executive Spotlight Podcast with Phil Brimacombe at go.symantec.com/Brimacombe
The New Zealand District Health Board
District Health Boards (DHBs) in New Zealand are responsible for providing, or funding the provision of, health and disability services in their district. There are 21 DHBs in New Zealand, which came into existence on January 1, 2001, when the New Zealand Public Health and Disability Act 2000 came into force. The statutory objectives of the DHBs include: (1) improving, promoting, and protecting the health of communities; (2) promoting the integration of health services, especially primary and secondary care services; and (3) promoting effective care or support of those in need of personal health services or disability support. The DHBs are expected to demonstrate social responsibility by fostering community participation in health improvement and upholding the ethical and quality standards expected of providers of services and public sector organizations. Objectives include promoting the inclusion and participation in society and independence of people with disabilities, reducing health disparities by improving health outcomes for Maori and other population groups, and reducing—towards elimination—health outcome disparities between various population groups.
Credits on healthAlliance NZ Ltd.
Founded: 2000
District Health Boards Served: Counties Manukau and Waitemata District Health Boards
Facilities: Four hospitals, 70 community and mental health sites, 130 dental school sites
Residents Served: More than 1 million
IT Team: 112 professionals
Website: www.healthAlliance.co.nz
Symantec Credits at healthAlliance NZ
> Altiris Service and Asset Management Suite: Asset Management Solution, Helpdesk Solution, and Application Metering Solution
> Altiris IT Analytics Solution
> Altiris Workflow Solution
> Symantec Consulting Services
> Symantec Education Services
SYMANTEC IS Reap the benefits of increased flexibility with storage, security, and management software that’s optimized for virtualization. virtualization. Symantec.COM/everywhere ©2008 Symantec Corporation.
All rights reserved. Symantec and the Symantec Logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

LATIN AMERICA
Continual Transformation
Fresh Opportunities Surfing the Internet’s Waves
By Mark L.S. Mullins

Much has been written about the entrance of the “Millennial Generation” into the workforce. For them, the Internet has been a fact of life since their formative years. For those of us who did not grow up with the Internet, it is nevertheless difficult to remember how different life was in the days when the (land-line) telephone was the fastest way to reach someone, and the best way to transmit documents was something called the facsimile. The Internet has indeed transformed how life is lived, and it seems that the Internet transforms itself every few years, providing new challenges and new opportunities.

Building Brazil’s Internet
Paulo Scrideli’s career has mirrored the history of the Internet in Brazil. In 1996, at the age of 24, he was involved in the startup of Universo Online (UOL). “The Internet was not yet in Brazil at the time,” he recalls. “We were in fact a pioneer commercial ISP and content provider in Brazil.” In those days, Scrideli explains, “one of my first jobs was to create systems that were able to convert information from newspapers to HTML for use on our portal. We had to build the system from the ground up, as there were not specialized tools for this at the time.”

From that auspicious beginning, Scrideli has surfed the Internet wave, taking advantage of new opportunities each time the technology has matured to the next level. After UOL, he operated his own company for two years, helping businesses build their presence on the Web and developing some of Brazil’s first e-commerce sites. As broadband access became more in demand, he helped to launch NetStream, a company that developed “last mile” fiber networks in Brazil’s major cities.

From hosting to outsourcing
When NetStream was sold in 1999, Scrideli and six of his colleagues left to form a new startup, Optiglobe, with the help of U.S. venture capital firms. “Our American partners had a business plan to build Internet data centers and provide hosting services for all of Latin America,” Scrideli explains. “My first mission was to lead the technology infrastructure creation for the data centers.”

After Optiglobe secured $600 million in capital and vendor financing and built massive data centers in São Paulo, Rio de Janeiro, and Buenos Aires, the Internet bubble burst. “We had to reinvent the company to use our data centers’ capacity,” Scrideli remembers. “We converted our non-stop architecture to support mission-critical IT operations for non-Internet related business and started to build an IT outsourcing company.”

Over time, properties outside Brazil were divested and Votorantim Novos Negócios (VNN), which had owned approximately 5 percent of Optiglobe’s total shares, bought a 100 percent stake of the Brazilian operation and began building one of Brazil’s largest outsourcing firms. VNN merged Proceda with Optiglobe to form TIVIT in 2005, and TIVIT merged with a BPO over voice company named Telefutura in 2007. Today, the company provides IT solutions integrated with call center and business process outsourcing services to some of the most important firms in Brazil.

And Brazil is just the starting point. In the last two years, TIVIT has signed its first offshore contracts for remote infrastructure management and systems development. “Creating the same kind of differentiation in this new competitive environment is a big challenge,” Scrideli notes.

Managing rapid data growth
TIVIT’s revenues are growing by 50 percent annually, and “our data volume has grown by 180 percent in the past year to 1.7 petabytes,” says Scrideli. “We have no agenda when it comes to hardware and software platforms for our customers’ data. As a result, we look to standardize on infrastructure solutions that are compatible with a variety of systems.”

For data protection, TIVIT standardized on Veritas NetBackup, with a variety of agents and options to optimize backups and provide disaster recovery. The firm has maintained backup-and-restore success rates well over 99 percent while minimizing backup staff time. “Our success depends on our ability to scale efficiently,” Scrideli says, “and NetBackup is an important piece of our strategy.”

Symantec storage management and high availability solutions work together to help TIVIT meet its service level agreements, which promise 99.99 percent availability and provide maximum flexibility for its customers with regard to storage allocation and data migration. “Veritas products from Symantec have enabled us to meet our high standards with relatively simple administration,” asserts Scrideli. “In the typical environments that TIVIT supports, these solutions are necessary to assure the service levels required to win our clients’ business.”

Securing and managing endpoints
TIVIT has standardized on Symantec Endpoint Protection for security for servers, desktops, and laptops. “If a customer wants to use another antivirus product for their hosted servers, we will let them,” Scrideli relates, “but Symantec is our standard.”

Altiris Client Management Suite helps TIVIT to roll out applications quickly and efficiently across the company, but the solution is even more valuable in the firm’s helpdesk and field services lines of business. By enabling administrators to deploy, manage, and troubleshoot systems remotely, “Altiris helps us be more competitive by allowing our staff to solve more problems remotely and on the first call,” says Scrideli. “Without it, I would have to hire 20 to 30 percent more field service staff.”

A diverse career
Scrideli, who holds Mechanical Engineering and International MBA degrees, has worn a variety of hats over the years at the firms he has served—from operations and support to IT infrastructure and telecommunications, from information security to strategic alliances and marketing. “In 1996, a 64K link was everything that UOL had available to provide information to thousands of users,” Scrideli recalls. “Now, the scale, the numbers, and the Internet itself are something completely different.” Nowadays, UOL has about 1.7 million subscribers and a monthly average of more than 15 million unique household visitors in Brazil. “In the same way, eight years ago, it was very difficult to convince CIOs to have their IT environment not 5 or 10 meters from their desk, but rather miles away. Today, a lot of them see the value in having a strategic partnership with a company like ours.”

“The CIO role itself, I believe, is completely different today,” Scrideli adds. “A good CIO today is not just an IT manager, but it’s someone who understands the business and tries to find ways to use IT to create differentiation for the business.” And you can bet that as things evolve further, Scrideli will be riding the next wave.

Mark L.S. Mullins is a managing editor of CIO Digest and manager of Symantec’s Global Customer Reference Program team.

Paulo Scrideli, Director of Technology and Solutions, TIVIT

TIVIT Essentials
Founded: 2005 as a result of a merger of Proceda and Optiglobe
Headquarters: São Paulo
Employees: 27,000
Total Data Volume: 1.7 petabytes
2007 Revenue: R$750 million BRL ($420 million USD)

Serving TIVIT Customers with Symantec Technology
> Veritas NetBackup 6.5
> Veritas Storage Foundation
> Veritas Cluster Server
> Veritas Volume Replicator
> Symantec Endpoint Protection
> Altiris Client Management Suite

NORTH AMERICA
Beneficial Change
A Massive IT Consolidation Improves Effectiveness
By Mark L.S. Mullins
James Yang

“Change” was ubiquitous as a campaign theme in last year’s election cycle in the United States. The concept filled the stump speeches and policy papers of members of both major political parties—for incumbents and challengers alike. For those who were elected on the platform of change, the challenge will be not simply supporting change, but rather implementing beneficial change.

Perhaps more than most states, Michigan’s government has experienced frequent change. Hit hard by the decline of the domestic automobile industry and other types of manufacturing, state budget cuts have occurred several times in recent years, prompting agencies to find innovative ways to do more with less. Information technology has been a part of these mandates, and the key strategy has been consolidation. In 2001, Gov. John Engler issued an executive order creating the Michigan Department of Information Technology (DIT), a cabinet-level agency devoted to serving the technology needs of each of the state’s departments.

Merging IT processes statewide
“The mandate was to consolidate 19 disparate IT organizations,” recalls Ken Theis, who is now the state’s CIO. “The result was that about 2,300 employees were brought together under one organization—plus the HR functions associated with those workers, all IT contracts, the ownership of the hardware and software, procurement processes, and information security.”

The governor had already experimented with a piece of the IT consolidation puzzle with his 2000 initiative to centralize all state Web services under a revamped Michigan.gov portal. “At the time, every agency had its own Web site with its own look and feel,” says Dan Lohrmann, who led this effort before going on to become the state’s CISO. “The idea was to bring everything together and launch a single portal for the state for e-government.”

The creation of the DIT was a similar but much larger undertaking. “The governor’s strategic objective was twofold,” Theis asserts. “One was to bring efficiencies in doing technology across the 19 agencies, but another was effectiveness. He thought that bringing things together would not only formalize our standard architecture and standardize our processes, but ultimately would result in technology that better supported the goals and objectives of his administration.”

Early challenges
By the time DIT was launched in early 2002, Gov. Engler was less than a year from the end of his final term in office and campaigning was beginning in earnest for the fall election. “There was a significant effort to ensure that we were far enough along that the agency would survive the transition to a new administration,” remembers Patrick Hale, who is now the state’s CTO.

This urgency meant that “time was not taken to properly plan the organizational structure, the key methodologies, and processes,” Theis relates. “This created great anxiety—not only with our 2,300 employees, but most importantly, with our 19 client agencies. Many probably hoped that the new governor would go back to the old model.”

The quick transition also exacerbated problems in supporting the agency’s newly consolidated but very heterogeneous infrastructure. “We centralized before we standardized, and that became a true challenge,” Theis states.
“For example, technicians were suddenly fixing PCs in other agencies where they had no understanding of the technical environment and little documentation that they could consult.”

About the same time, the state initiated an early retirement incentive, and more employees than expected took advantage of it. “We lost 320 of our employees—almost 20 percent of our workforce—and were not able to replace them,” Theis recalls.

Getting strategic
Jennifer Granholm won the 2002 election, and despite the change in political parties in the governor’s mansion, “she expressed full support for the overall model very early in her administration, though she also made the commitment to address the real concerns that had been raised by our employees and our client agencies,” says Theis.

Once the new administration signaled its support, the DIT team began assessing how to move forward. “We got a little bit of room to breathe,” Theis recalls, “and we asked, ‘Strategically, how are we going to deal with this?’” As a result, the change management and strategic planning processes that had been deferred were now able to proceed. These discussions resulted in several key initiatives, including the Secure Michigan initiative and the standardization and consolidation effort known as Michigan One.

Securing Michigan
Lohrmann, who worked for six years at the National Security Agency and has written a book and many articles and blog posts on IT security, led Secure Michigan. He worked with Hale and his team to build security into the IT infrastructure as it was being designed.

“We had to look at things much more as an enterprise, and we had to do a lot of very basic things to get there,” Lohrmann explains. “For example, we had 19 different security policies around acceptable use. We had to formulate to an enterprise-wide PC policy.
And we had to make sure that the policy, and the technologies that support it, would still work after everything was consolidated.”

The business needs of the state agencies also had to be considered. “I had a big challenge to be an ‘enabler’ rather than a ‘disabler’ from a security perspective—not just turning things off, but figuring out how to allow them and secure them,” Lohrmann says.

Podcast
Check out the Executive Spotlight Podcast with the Michigan DIT team at go.symantec.com/StateofMI

Standardizing security software
One of the first solutions Lohrmann standardized on was Symantec AntiVirus. “It’s been a phenomenal product,” Lohrmann asserts, “and it’s not just the product. When we have state-wide security issues, we need people on the other end of the phone who not only have a global view, but also can zero in on our issues. Symantec has both.”

The state is currently in the process of upgrading to Symantec Endpoint Protection. “With so many people connecting at restaurants and airports, we know that the comprehensive security technologies of Endpoint Protection are the way to go,” Lohrmann says. The state relies on Symantec Critical System Protection to protect against intrusions on critical servers, and Symantec Security Information Manager to correlate log data from across the state’s systems to provide custom alerts and reports on the state’s security landscape. As part of this implementation, Symantec Consulting Services designed custom data collectors for some of the state’s infrastructure.
For monitoring and reporting on compliance with regulations and standards, Lohrmann’s team has relied on Symantec Enterprise Security Manager for several years, which is now integrated with Symantec Control Compliance Suite 9.0. “It would be impossible for my staff to keep up with reporting and compliance remediation if we didn’t have Symantec’s automation tools,” Lohrmann contends, “and I’m looking forward to using the enhanced features of the integrated product.”

Assessing the State of Michigan
Admitted to U.S. Union: 1837
2007 Population (est.): 10,071,822
State Employees: 55,000
DIT Employees: 1,700
Governor: Jennifer Granholm

Michigan One: Symantec Solutions
> Veritas NetBackup 6.5
> Symantec Critical System Protection
> Symantec Security Information Manager
> Symantec Enterprise Security Manager (now a part of Symantec Control Compliance Suite)
> Symantec Endpoint Protection (implementation in process)
> Symantec Network Access Control (implementation in process)
> Symantec Consulting Services
> Symantec Business Critical Services

Consolidating the infrastructure
While Lohrmann was standardizing security operations, Hale was busy helping to plan and implement Michigan One—first as a consultant, and later as a state employee. “The first year or two,” he remembers, “Michigan One was heavily focused on securing our network. But even in that first year, there was work underway to re-architect things. We wanted to make sure that our infrastructure would support our enterprise vision.”

“We’ve got 1,400 remote offices,” Hale explains, “and some are located in rural geography with very limited connection capabilities. We had to deal with that infrastructure before we could lay on top of that a standardized solution.”

In 2004, Hale’s team began moving systems into consolidated data centers. “As we did so,” Hale relates, “we began to find architectural details that we didn’t like, and we had to shut down some systems. This made some things inconvenient for state users. However, the risk that was unknowingly being taken outweighed the benefits.”

Nurturing relationships
At the time, Theis was DIT’s agency services deputy director, responsible for maintaining lines of communication with client agencies. As Hale and Lohrmann were making these difficult transitions, “my focus was to repair these fractured relationships. I needed to make sure our organization was responsive to the needs of the business.” As functions were disabled or changed as a part of the consolidation process, Theis met with affected agency directors to find appropriate workarounds or process changes. “In retrospect, Ken’s role was key at the time,” Lohrmann asserts. “We could not have pulled things off as quickly or smoothly without the buy-in that he was negotiating.”

An emergency with backups
In 2005, Hale’s team accelerated its consolidation efforts, closing 32 data centers in the Lansing area alone and consolidating them into three centralized centers. “At the time, we also brought in a number of legacy backup solutions,” Hale recalls. “As a result, in late 2005, we started to see backup success percentages getting into the low 70s. That’s a whole lot of backups failing every night, literally into the hundreds.” Due to its reliability and compatibility with a variety of systems, Veritas NetBackup had already been selected as the state’s backup standard.
With failed backups putting the state’s two petabytes of data in jeopardy, Hale’s team engaged Symantec Consulting Services to expedite implementation of NetBackup across the enterprise. In addition, a new SAN solution from Symantec Partner EMC was deployed concurrently. “Today, we’re successfully executing 21,000 backup jobs a week,” Hale reports. “We have now gone almost a year since we have had any backup fail for multiple nights, and our backup success rate is now at 98 percent. Further, our restore rate with NetBackup is 100 percent. The product’s scalability and ease of use allowed us to save about $250,000 annually in backup administrator time.”

Three of the leaders of Michigan’s Department of Information Technology (from top to bottom): Dan Lohrmann, Deputy Director and CISO; Patrick Hale, Deputy Director Infrastructure Services and CTO; Ken Theis, Director and CIO.
Michael Schimpf

Well-deserved recognition
While a number of states have undertaken IT consolidation projects in recent years, Michigan was among the first, and the team has received many awards over the years for its efforts. The state received three awards for excellence in information technology at the National Association of State Chief Information Officers (NASCIO) last September—with awards for the Michigan.gov Web site, the data center migration project, and the information security and privacy project.

Regarding efficiency, the numbers speak for themselves. DIT’s workforce today is just over half of what it was in 2002. “When we consolidated,” Theis explains, “we had around 2,300 employees and 2,300 contractors.
Today, we have 1,700 employees and 800 contractors.” Yet everyone involved would assert that these efficiencies were accompanied by a significant increase in the breadth and quality of IT services over the past seven years. “Ironically, IT is tied more strategically to the business needs of each agency today than when each department had its own IT shop,” Hale quips.

A place at the table
“When governors put their strategic plans together,” Theis explains, “IT organizations usually struggle to even get into the room. Our organization actually helps the governor facilitate that process through our 19 client agencies. It gives us tremendous insight into the critical capabilities, goals, and objectives of the organization—and it helps us align our organization toward helping them achieve those objectives.”

“I think we were very fortunate,” Theis concludes. “Both governors really saw the vision of how can we better utilize technology to transform state government. I think that’s why Gov. Engler was so passionate about putting it in place before he left. Then, Gov. Granholm understood the true value of IT as a strategic tool to help her accomplish the things that are important to her administration.”

And those are changes that you can believe in.

Mark L.S. Mullins is a managing editor of CIO Digest and manager of Symantec’s Global Customer Reference Program team.

Change Management: Repairing a Moving Vehicle
In 2002, Patrick Hale was a managing partner in a consulting firm that specialized in technology integration and change management during mergers and acquisitions, with a client list that included large financial services and pharmaceutical firms. A graduate of Michigan State University, just a few miles from the capitol, Hale had been an entrepreneur since finishing his studies, and supplemented his education at “the school of hard knocks.” When the state retained him as a consultant to help organize the new Department of Information Technology (DIT), he immediately understood the enormity of the task at hand.

“I describe it in private sector terms,” Hale says. “If you compare the state to a company and what it spends on IT, the State of Michigan is approximately a Fortune 24 company—with 19 separate lines of business. Literally overnight, they combined those 19 divisions and moved all the people, all the processes, and all the support into one organization.”

While the organizational change happened overnight, the physical, cultural, and process changes took much longer. “For the first year,” Hale recalls, “it was nothing more than just trying to deal with the operational challenges and keep things moving without too much disruption.” In the first and second years, “we got folks to work chipping away at these challenges. And once we began making tangible progress, it got easier and easier to move to the next step”—including the massive consolidation of data centers completed in 2005.

Symantec Business Critical Services has been a key partner during this time of transition. “It has been invaluable as we have dealt with merging many systems together. Our folks call our Business Critical Account Manager when the chips are down. Inevitably that partnership is there when it matters the most.”

Patrick Hale, Deputy Director Infrastructure Services and CTO, Michigan Department of Information Technology

The work has been fulfilling for Hale. “A little over four years ago, I woke up one day and found myself a state employee,” he quips.
You wouldn’t expect a natural entrepreneur to feel at home in state government, “but I’ve really been able to be as entrepreneurial here as anywhere.”