Tuesday, June 5, 2012

Corporate data, supply chains remain vulnerable to cyber crime attacks, says Open Group conference speaker

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy. Sponsor: The Open Group.

This BriefingsDirect thought leadership interview comes in conjunction with The Open Group Conference in Washington, D.C., beginning July 16. The conference will focus on how security impacts the enterprise architecture, enterprise transformation, and global supply chain activities in organizations, both large and small.

We're now joined on the security front with one of the main speakers at the conference, Joel Brenner, the author of "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare."

Joel is a former Senior Counsel at the National Security Agency (NSA), where he advised on legal and policy issues relating to network security. Mr. Brenner currently practices law in Washington at Cooley LLP, specializing in cyber security. Registration remains open for The Open Group Conference in Washington, DC beginning July 16.

Previously, he served as the National Counterintelligence Executive in the Office of the Director of National Intelligence, and as the NSA’s Inspector General. He is a graduate of University of Wisconsin–Madison, the London School of Economics, and Harvard Law School. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:

Gardner: Your book came out last September and it affirmed this notion that the United States, or at least open Western cultures and societies, are particularly vulnerable to being infiltrated, if you will, from cybercrime, espionage, and dirty corporate tricks.

Why are we particularly vulnerable, when we should be most adept at using cyber activities to our advantage?

Brenner: Let’s make a distinction here between the political-military espionage that's gone on since pre-biblical times and the economic espionage that’s going on now and, in many cases, has nothing at all to do with military, defense, or political issues.

The other stuff has been going on forever, but what we've seen in the last 15 or so years is a relentless espionage attack on private companies for reasons having nothing to do with political-military affairs or defense.

So the countries that are adept at cyber, but whose economies are relatively undeveloped compared to ours, are at a big advantage, because they're not very lucrative targets for this kind of thing, and we are. Russia, for example, is paradoxical. While it has one of the most educated populations in the world and is deeply cultured, it has never been able to produce a commercially viable computer chip.

Not entrepreneurial


We’re not going to Russia to steal advanced technology. We’re not going to China to steal advanced technology. They're good at engineering and they’re good at production, but so far, they have not been good at making themselves into an entrepreneurial culture.

That’s one just very cynical reason why we don't do economic espionage against the people who are mainly attacking us, which are China, Russia, and Iran. I say attack in the espionage sense.

The other reason is that you're stealing intellectual property when you’re doing economic espionage. It’s a bedrock proposition of American economics and political strategy around the world to defend the legal regime that protects intellectual property. So we don’t do that kind of espionage. Political-military stuff we're real good at.

Gardner: Wouldn’t our defense rise to the occasion? Why hasn't it?

Brenner: The answer has a lot to do with the nature of the Internet and its history. The Internet, as some of your listeners will know, was developed starting in the late '60s by the predecessor of the Defense Advanced Research Projects Agency (DARPA), a brilliant operation which produced a lot of cool science over the years.


It was developed for a very limited purpose, to allow the collaboration of geographically dispersed scientists who worked under contract in various universities with the Defense Department's own scientists. It was bringing dispersed brainpower to bear.

It was a brilliant idea, and the people who invented this, if you talk to them today, lament the fact that they didn't build a security layer into it. They thought about it. But it wasn't going to be used for anything else but this limited purpose in a trusted environment, so why go to the expense and aggravation of building a lot of security into it?

Until 1992, it was against the law to use the Internet for commercial purposes. Dana, this is just amazing to realize. That’s 20 years ago, a twinkling of an eye in the history of a country’s commerce. That means that 20 years ago, nobody was doing anything commercial on the Internet. Ten years ago, what were you doing on the Internet, Dana? Buying a book for the first time or something like that? That’s what I was doing, and a newspaper.

In the intervening decade, we’ve turned this sort of Swiss cheese, cool network, which has brought us dramatic productivity and all and pleasure into the backbone of virtually everything we do.

International finance, personal finance, command and control of military, manufacturing controls, the controls in our critical infrastructure, all of our communications, virtually all of our activities are either on the Internet or exposed to the Internet. And it’s the same Internet that was Swiss cheese 20 years ago and it's Swiss cheese now. It’s easy to spoof identities on it.

So this gives a natural and profound advantage to attack on this network over defense. That’s why we’re in the predicament we're in.

Both directions


Gardner: Let’s also look at this notion of supply chain, because corporations aren’t just islands unto themselves. A business is really a compendium of other businesses, products, services, best practices, methodologies, and intellectual property that come together to create a value add of some kind. It's not just attacking the end point, where that value is extended into the market. It’s perhaps attacking anywhere along that value chain.

What are the implications for this notion of the ecosystem vulnerability versus the enterprise vulnerability?

Brenner: Well, the supply chain problem really is rather daunting for many businesses, because supply chains are global now, and it means that the elements of finished products have a tremendous number of elements. For example, this software, where was it written? Maybe it was written in Russia -- or maybe somewhere in Ohio or in Nevada, but by whom? We don’t know.

There are two fundamentally different issues for supply chain, depending on the company. One is counterfeiting. That’s a bad problem. Somebody is trying to substitute shoddy goods under your name or the name of somebody that you thought you could trust. That degrades performance and presents real serious liability problems as a result.


The other problem is the intentional hooking, or compromising, of software or chips to do things that they're not meant to do, such as allow backdoors and so on in systems, so that they can be attacked later. That’s a big problem for military and for the intelligence services all around the world.

The reason we have the problem is that nobody knows how to vet a computer chip or software to see that it won't do these squirrelly things. We can test that stuff to make sure it will do what it's supposed to do, but nobody knows how to test the computer chip or two million lines of software reliably to be sure that it won’t also do certain things we don't want it to do.

You can put it in a sandbox or a virtual environment and you can test it for a lot of things, but you can't test it for everything. It’s just impossible. In hardware and software, it is the strategic supply chain problem now. That's why we have it.

If you have a worldwide supply chain, you have to have a worldwide supply chain management system. This is hard and it means getting very specific. It includes not only managing a production process, but also the shipment process. A lot of squirrelly things happen on loading docks, and you have to have a way not to bring perfect security to that -- that's impossible -- but to make it really harder to attack your supply chain.

Notion of cost

Gardner: So many organizations today, given the economy and the lagging growth, have looked to lowest cost procedures, processes, suppliers, materials, and aren't factoring in the risk and the associated cost around these security issues. Do people need to reevaluate cost in the supply chain by factoring in what the true risks are that we’re discussing?

Brenner: Yes, but of course, when the CEO and the CFO get together and start to figure this stuff out, they look at the return on investment (ROI) of additional security. It's very hard to be quantitatively persuasive about that. That's one reason why you may see some kinds of production coming back into the United States. How one evaluates that risk depends on the business you're in and how much risk you can tolerate.

This is a problem not just for really sensitive hardware and software, special kinds of operations, or sensitive activities, but also for garden-variety things.


Gardner: We’ve seen other aspects of commerce in which we can't lock down the process. We can’t know all the information, but what we can do is offer deterrence, perhaps in the form of legal recourse, if something goes wrong, if in fact, decisions were made that countered the contracts or were against certain laws or trade practices.

Brenner: For a couple of years now, I’ve struggled with the question why it is that liability hasn’t played a bigger role in bringing more cyber security to our environment, and there are a number of reasons.

We've created liability for the loss of personal information, so you can quantify that risk. You have a statute that says there's a minimum damage of $500 or $1,000 per person whose identifiable information you lose. You add up the number of files in the breach and how much the lawyers and the forensic guys cost and you come up with a calculation of what these things cost.

But when it comes to just business risk, not legal risk, and the law says intellectual property to a company that depends on that intellectual property, you have a business risk. You don’t have much of a legal risk at this point.

You may have a shareholder suit issue, but there hasn’t been an awful lot of that kind of litigation so far. So I don't know. I'm not sure that’s quite the question you were asking me, Dana.

Gardner: My follow on to that was going to be where would you go to sue across borders anyway? Is there an über-regulatory or legal structure across borders to target things like supply chain, counterfeit, cyber espionage, or mistreatment of business practice?

Depends on the borders


Brenner: It depends on the borders you're talking about. The Europeans have a highly developed legal and liability system. You can bring actions in European courts. So it depends what borders you mean.

If you’re talking about the border of Russia, you have very different legal issues. China has different legal issues, different from Russia, as well as from Iran. There are an increasing number of cases where actions are being brought in China successfully for breaches of intellectual property rights. But you wouldn't say that was the case in Nigeria. You wouldn't say that was the case in a number of other countries where we’ve had a lot of cybercrime originating from.

So there's no one solution here. You have to think in terms of all kinds of layered defenses. There are legal actions you can take sometimes, but the fundamental problem we’re dealing with is this inherently porous Swiss-cheesy system. In the long run, we're going to have to begin thinking about the gradual reengineering of the way the Internet works, or else this basic dynamic, in which lawbreakers have advantage over law-abiding people, is not going to go away.

Think about what’s happened in cyber defenses over the last 10 years and how little they've evolved -- even 20 years for that matter. They almost all require us to know the attack mode or the sequence of code in order to catch it. And we get better at that, but that’s a leapfrog business. That’s fundamentally the way we do it.

Whether we do it at the perimeter, inside, or even outside before the attack gets to the perimeter, that’s what we’re looking for -- stuff we've already seen. That’s a very poor strategy for doing security, but that's where we are. It hasn’t changed much in quite a long time and it's probably not going to.


Gardner: Why is that the case? Is this not a perfect opportunity for a business-government partnership to come together and re-architect the Internet at least for certain types of business activities, permit a two-tier approach, and add different levels of security into that? Why hasn’t it gone anywhere?

Brenner: What I think you’re saying is different tiers or segments. We’re talking about the Balkanization of the Internet. I think that's going to happen as more companies demand a higher level of protection, but this again is a cost-benefit analysis. You’re going to see even more Balkanization of the Internet as you see countries like Russia and China, with some success, imposing more controls over what can be said and done on the Internet. That’s not going to be acceptable to us.

Gardner: We’ve seen a lot with cloud computing and more businesses starting to go to third-party cloud providers for their applications, services, data storage, even integration to other business services and so forth.

More secure

If there's a limited number, or at least a finite number, of cloud providers and they can institute the proper security and take advantage of certain networks within networks, then wouldn’t that hypothetically make a cloud approach more secure and more managed than every-man-for-himself, which is what we have now in enterprises and small to medium-sized businesses (SMBs)?

Brenner: I think the short answer is, yes. The SMBs will achieve greater security by basically contracting it out to what are called cloud providers. That’s because managing the patching of vulnerabilities and other aspects and encryption is beyond what most small businesses and many medium-sized businesses can do, are willing to do, or can do cost-effectively.

For big businesses in the cloud, it just depends on how good the big businesses’ own management of IT is as to whether it’s an improvement or not. But there are some problems with the cloud.

People talk about security, but there are different aspects of it. You and I have been talking just now about security meaning the ability to prevent somebody from stealing or corrupting your information. But availability is another aspect of security. By definition, putting everything in one remote place reduces robustness, because if you lose that connection, you lose everything.

Consequently, it seems to me that backup issues are really critical for people who are going to the cloud. Are you going to rely on your cloud provider to provide the backup? Are you going to rely on the cloud provider to provide all of your backup? Are you going to go to a second cloud provider? Are you going to keep some information copied in-house?


What would happen if your information is good, but you can’t get to it? That means you can’t get to anything anymore. So that's another aspect of security people need to think through.

Gardner: How do you know you’re doing the right thing? How do you know that you're protecting? How do you know that you've gone far enough to ameliorate the risk?

Brenner: This is really hard. If somebody steals your car tonight, Dana, you go out to the curb or the garage in the morning, and you know it's not there. You know it’s been stolen.

When somebody steals your algorithms, your formulas, or your secret processes, you've still got them. You don’t know they’re gone, until three or four years later, when somebody in Central China or Siberia is opening a factory and selling stuff into your market that you thought you were going to be selling -- and that’s your stuff. Then maybe you go back and realize, "Oh, that incident three or four years ago, maybe that's when that happened, maybe that’s when I lost it."

What's going out

So you don’t even know necessarily when things have been stolen. Most companies don’t do a good job. They’re so busy trying to find out what’s coming into their network, they're not looking at what's going out.

That's one reason the stuff is hard to measure. Another is that ROI is very tough. On the other hand, there are lots of things where business people have to make important judgments in the face of risks and opportunities they can't quantify, but we do it.

We’re right to want data whenever we can get it, because data generally means we can make better decisions. But we make decisions about investment in R&D all the time without knowing what the ROI is going to be and we certainly don't know what the return on a particular R&D expenditure is going to be. But we make that, because people are convinced that if they don't make it, they’ll fall behind and they'll be selling yesterday’s products tomorrow.

Why is it that we have a bias toward that kind of risk, when it comes to opportunity, but not when it comes to defense? I think we need to be candid about our own biases in that regard, but I don't have a satisfactory answer to your question, and nobody else does either. This is one where we can't quantify that answer.

Gardner: It sounds as if people need to have a healthy dose of paranoia to tide them over across these areas. Is that a fair assessment?


Brenner: Well, let’s say skepticism. People need to understand, without actually being paranoid, that life is not always what it seems. There are people who are trying to steal things from us all the time, and we need to protect ourselves.

In many companies, you don't see a willingness to do that, but that varies a great deal from company to company. Things are not always what they seem. That is not how we Americans approach life. We are trusting folks, which is why this is a great country to do business in and live in. But we're having our pockets picked and it's time we understood that.

Gardner: And, as we pointed out earlier, this picking of pockets is not just on our block, but could be any of our suppliers, partners, or other players in our ecosystem. If their pockets get picked, it ends up being our problem too.

Brenner: Yeah, I described this risk in my book, “America the Vulnerable,” at great length and in my practice, here at Cooley, I deal with this every day. I find myself, Dana, giving briefings to businesspeople that 5, 10, or 20 years ago, you wouldn’t have given to anybody who wasn't a diplomat or a military person going outside the country. Now this kind of cyber pilferage is an aspect of daily commercial life, I'm sorry to say.
Register for The Open Group Conference
July 16-18 in Washington, D.C.

Tuesday, May 22, 2012

SAP gets huge cloud and extended business process boost with Ariba acquisition

SAP on Tuesday announced its intention to buy Ariba for $4.3 billion, a 19 percent premium on Ariba's market capitalization.

The move comes soon after SAP's SuccessFactors February buy and shows that SAP is quickly and aggressively acquiring its way to a full cloud business services capability. The announcement caps SAP's user conference last week and the cloud and data services news from it, including cloud suite offerings like SAP Business ByDesign and SAP Business One.

Ariba has been growing rapidly through organic growth and acquisitions, and has a global reach for its procurement, goods/services trading, spend management, supplier discovery and other extended enterprise business processes and services offerings. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

Ariba has been open and partnered with all major ERP suppliers -- including SAP, Salesforce, IBM and Oracle, but not Workday. And Ariba recently announced a partnership with Microsoft Dynamics. It will become a question in the market if SAP will favor its own ERP technologies and installed base, or continue Ariba's strategy of inclusive and open alliances and partnerships.

I personally think SAP should keep Ariba open to grow the cloud business services market, and treat all IT business services suppliers on equal footing, and therefore best support the most enterprises and suppliers. SAP should keep its ERP products and tactics separate from Ariba, and allow users to adopt a cloud-first approach, regardless of their on-premises or private cloud technologies.

Looks like a plan

It looks at this point like that is the plan. The combined companies plan to consolidate all cloud-related supplier assets of SAP under Ariba. The existing management team will continue to lead Ariba, which will operate as an independent business under the name “Ariba, an SAP company.” The SAP Executive Board intends to nominate Ariba CEO Bob Calderoni to the SAP Global Managing Board.

Clearly, SAP is focused on global cloud growth opportunities, but is wisely defining cloud as a place to do business and extend socially amplified discovery and collaboration efficiencies. Business returns on cloud services may well come more from enabling new business processes across organizational boundaries, than in retrofitting older software as services. SAP will also be able to make more alliances with the next generation of ISVs through an Ariba community approach.

Ariba is describing the combination with SAP as creating "the Amazon.com and Facebook for businesses all in one." That certainly is the potential. SAP is, and this has not always been the case with Walldorf, skating to where the hockey puck is going to be in buying Ariba.

SAP and Ariba can "deliver a truly end-to-end solution that enables companies to achieve a closed-loop from source-to-pay, regardless of whether they deploy in the cloud, on-premise or both," said the companies. Ariba network should also benefit from SAP’s flagship in-memory platform SAP HANA for improved data processing and analytics benefits.

With $444 million in total revenue, Ariba had 38.5 percent annual growth in 2011. Its business network recorded 62 percent organic growth in 2011. SAP’s global customer base of more than 190,000 companies includes the largest buyers and sellers in the world.

The acquisition is expected to close in Q3. Ariba's board unanimously approved the deal.


Wednesday, May 16, 2012

Searching for data scientists as a service

This guest post comes courtesy of Tony Baer's OnStrategies blog. Tony is senior analyst at Ovum.

By Tony Baer

It’s no secret that rocket .. err … data scientists are in short supply. The explosion of data and the corresponding explosion of tools, and the knock-on impacts of Moore’s and Metcalfe’s laws, is that there is more data, more connections, and more technology to process it than ever. At last year’s Hadoop World, there was a feeding frenzy for data scientists, which only barely dwarfed demand for the more technically oriented data architects. In English, that means:

1. Potential MacArthur Grant recipients who have a passion and insight for data, the mathematical and statistical prowess for ginning up the algorithms, and the artistry for painting the picture that all that data leads to. That’s what we mean by data scientists.

2. People who understand the platform side of Big Data, a.k.a., data architect or data engineer.

The data architect side will be the more straightforward nut to crack. Understanding big data platforms (Hadoop, MongoDB, Riak) and emerging Advanced SQL offerings (Exadata, Netezza, Greenplum, Vertica, and a bunch of recent upstarts like Calpont) is a technical skill that can be taught with well-defined courses. The laws of supply and demand will solve this one – just as they did when the dot com bubble created demand for Java programmers back in 1999.

Behind all the noise for Hadoop programmers, there’s a similar, but quieter desperate rush to recruit data scientists. While some data scientists call data scientist a buzzword, the need is real.

However, data science will be a tougher number to crack. It’s all about connecting the dots, not as easy as it sounds. The V’s of big data – volume, variety, velocity, and value — require someone who discovers insights from data; traditionally, that role was performed by the data miner. But data miners dealt with better-bounded problems and well-bounded (and known) data sets that made the problem more 2-dimensional.

The variety of Big Data – in form and in sources – introduces an element of the unknown. Deciphering Big Data requires a mix of investigative savvy, communications skills, creativity/artistry, and the ability to think counter-intuitively. And don’t forget it all comes atop a foundation of a solid statistical and machine learning background plus technical knowledge of the tools and programming languages of the trade.

Sometimes it seems like we’re looking for Albert Einstein or somebody smarter.

Nature abhors a vacuum

As nature abhors a vacuum, there’s also a rush to not only define what a data scientist is, but develop programs that could somehow teach it, software packages that to some extent package it, and otherwise throw them into a meat … err, the free market. EMC and other vendors are stepping up to the plate to offer training, not just on platforms, but for data science. Kaggle offers an innovative cloud-based, crowdsourced approach to data science, making available a predictive modeling platform and then staging sponsored 24-hour competitions for moonlighting data scientists to devise the best solutions to particular problems (redolent of the Netflix $1 million prize to devise a smarter algorithm for predicting viewer preferences).

With data science talent scarce, we’d expect that consulting firms would buy up talent that could then be “rented” to multiple clients. Excluding a few offshore firms, few systems integrators (SIs) have yet stepped up to the plate to roll out formal big data practices (the logical place where data scientists would reside), but we expect that to change soon.

Opera Solutions, which has been in the game of predictive analytics consulting since 2004, is taking the next step down the packaging route. Having raised $84 million in Series A funding last year, the company has staffed up to nearly 200 data scientists, making it one of the largest assemblages of genius this side of Google. Opera’s predictive analytics solutions are designed for a variety of platforms, SQL and Hadoop, and today they join the SAP Sapphire announcement stream with a release of their offering on the HANA in-memory database. Andrew Brust provides a good drilldown on the details on this announcement.

From SAP’s standpoint, Opera’s predictive analytics solutions are a logical fit for HANA as they involve the kinds of complex problems (e.g., a computation triggers other computations) that their new in-memory database platform was designed for.

There’s too much value at stake to expect that Opera will remain the only large aggregation of data scientists for hire. But ironically, the barriers to entry will keep the competition narrow and highly concentrated. Of course, with market demand, there will inevitably be a watering down of the definition of data scientists so that more companies can claim they’ve got one… or many.

The laws of supply and demand will kick in for data scientists, but the ramp up of supply won’t be as quick as that for the more platform-oriented data architect or engineer. Of necessity, that supply of data scientists will have to be augmented by software that automates the interpretation of machine learning, but there’s only so far that you can program creativity and counter-intuitive insight into a machine.


Tuesday, May 15, 2012

MuleSoft suite of tools eases way for SaaS integration in the cloud

MuleSoft this week launched Mule iON SaaS Edition, providing a broad set of new tools and services for swift software-as-a-Service (SaaS) integration in the cloud, and lowering the barrier to SaaS adoption for SaaS providers and developers.

The Mule iON integration platform as a service (iPaaS) connects across cloud-based applications and also connects SaaS to on-premise applications. MuleSoft's Anypoint technology for on-demand API connectivity eliminates the need for copious custom point-to-point code, said MuleSoft. [Disclosure: MuleSoft is a sponsor of BriefingsDirect podcasts.]

In recent commentary, Ross Mason, founder and CTO of MuleSoft, said, "The world today is moving at lightning speed to SaaS and cloud applications, and the idea of gaining competitive advantage through legacy enterprise applications is no longer relevant."

I agree. Key differentiators now lie less in building applications than in the effective composition of services. Cloud and SaaS providers need to give their clients better means to leverage APIs and craft business processes across both enterprise and multiple SaaS provider boundaries. Rationalizing this stew of cloud services is the new integration nut to crack.

The problem is, what type of platform and organizations can fulfill the role of cloud services orchestration hub? The role may not fit well for any one SaaS provider, nor any single or cadre of enterprises. For the time being, a best of breed platform and supporting ecosystem must evolve, and then the market will decide on who or what will be the acceptable hub mechanisms.

And the market for cloud integration technologies is clearly heating up. Also this week, FuseSource unveiled at CamelOne in Boston the general availability of its Fuse ESB Enterprise 7.0 and Fuse MQ Enterprise 7.0 products. These platforms enable "Integration Everywhere," says FuseSource, with modular, open source products based on Apache Software Foundation projects. [Disclosure: FuseSource is a sponsor of BriefingsDirect podcasts.]

QuickStart Plan


Integration platform provider MuleSoft also unveiled on Monday a new QuickStart Plan for fast growth SaaS vendors and systems integrators (SIs) that enables them to build their own revenue-generating integration apps on the Mule iON cloud platform in just a few days. Pricing for Mule iON SaaS Edition is based on a per month, volume of use basis, not based on connectivity, encouraging more connections over time.

In other integration news, SAP today said it plans to offer its own cloud-based integration technology, and also plans to enable its ecosystem of partners, including solutions from MuleSoft.

New features available with Mule iON SaaS Edition, which is available now, include:
  • Graphical data mapping and transformation capabilities enable SaaS vendors and SIs to build and deploy integration apps without writing custom code by using the Mule Studio drag-and-drop interface.
  • Cloud Connector ToolKit creates new cloud connectors in Mule Studio for any public or private Web API.
  • Customer self-service portals allow customers to independently manage integrations, minimizing dependency on developers and reducing support calls.
  • SaaS Operations Center provides complete visibility into end user environments with a multi-tenant portal to monitor, manage and maintain integration apps, including:

    • Operational dashboards: deliver better customer support with live integration status and performance metrics.
    • Real-time notifications: meet availability requirements and improve service level agreements (SLAs) with immediate notifications for events or performance issues as they occur.
    • Proactive alerts: reduce support calls by proactively monitoring and addressing issues before they impact customers.
In addition, Mule iON SaaS Edition introduces a gallery of over 20 packaged integration apps and more than 100 Cloud Connectors for the most common integration use cases.

Opportunities for everyone

Ovum's Carter Lusher sees opportunities for everyone involved:
The dark side of SaaS and Cloud is that while they are relatively easy to procure and deploy, it is difficult to integrate them with existing enterprise applications and other SaaS offerings. What makes integration even more challenging is the proliferation of SaaS deployed within an organisation as line-of-business managers procure point solutions to their specific needs that really should be integrated with other systems in order to maximize value and manageability.
This becomes a challenge for IT and the vendors who are faced with a plethora of public and private APIs that require brute force to integrate. Integration is expensive, with estimates of $8 of integration work for every $1 of SaaS subscription or software license.
For SaaS and traditional enterprise applications, MuleSoft’s Mule iON SaaS Edition offers the ability to create pre-packaged integration modules that will give them a compelling story during the sales cycle without dramatically increasing costs or long-term maintenance. For example, HR talent management SaaS vendor PeopleMatter used Mule iON to create a new hire onboard module that connects with ADP payroll processing through ADP’s private APIs.
For systems integrators, Mule iON SaaS Edition offers the ability to create reusable connectors for a variety of horizontal and industry-specific applications and SaaS. This not only reduces the cost of integrations, which can be a competitive advantage in a sales cycle, but also gives the SI the opportunity to sell more value-added consulting as the focus of sales discussion moves away from brute force integration to maximizing the business value of enterprise applications or SaaS.
In other news, MuleSoft announced a record quarter in Q1 2012, achieving a 109 percent increase in bookings year over year, the privately held San Francisco company said. This was driven by new customer wins among major companies, and key SaaS vendor partnerships added in Q1 include Avalara and Zuora. Additionally, the company reported a strong customer renewal rate of 95 percent.

Friday, May 11, 2012

Investing well in IT with emphasis on KPIs separates business leaders from laggards, survey results show

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy. Sponsor: HP.

The latest BriefingsDirect enterprise IT trends discussion surfaces some fascinating new findings from a recent survey on chief information officer (CIO)-level priorities. We uncover what distinguishes leaders from laggards among businesses, and identify which IT approaches and solutions are driving the most powerful business results these days.

To help dig into the HP-sponsored, blind survey, explain what it means, and learn how these results can lead to establishing winning new IT strategies, we're joined by Joel Dobbs, President and CEO of Compass Talent Management Group. He's also an Executive in Residence at the School of Business at the University of Alabama at Birmingham (UAB), and a lead blogger and member of the Enterprise CIO Forum. What’s more, Joel is a retired CIO himself, coming from such organizations as GlaxoWellcome, Schering-Plough, and Eisai.

We're also joined by Daniel Dorr, a Worldwide Solutions Manager for HP Enterprise Marketing. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts].

Here are some excerpts:
Gardner: What was the idea behind doing this survey at this time?

Dorr: Dana, a lot of companies talk about how important technology is, and we all represent our technology as the right answer to the problem. But if our job is to help our CIO clients better use technology to solve business results -- and if our job is to help our CIOs work more effectively with their executive committees and CEOs -- the best way for us to help them is to determine which technologies actually change or correlate with in-market results.

In other words, if we look at revenue leaders in-market, which technology seems to be most closely associated with those who lead in-market performance? It's not technology for technology’s sake, or because it’s exciting or new -- but technology that actually seems to represent business results.

So our goal here was to help our clients do a better job of assessing which technologies lead to in-market business results and which technologies might not.

We wanted to understand the difference between market leaders, from a revenue perspective, and market laggards or followers, and see what their IT environments looked like. We surveyed 688 organizations. We spoke to IT decision makers, so we would call that "CIO minus one." We didn’t speak to the CIO directly. We spoke to the people that reported to him or her.

Everyone that we spoke to had to have significant knowledge about applications, information, data center operation, security, and cloud. The survey was conducted over nine different geographies: the US, Brazil, Mexico, UK, Germany, France, Japan, China, Australia, and covered a number of different industry groups.

This was not a public survey. In other words, the people responding didn't know the survey was coming from HP. It was a blind survey. We asked over 55 different questions around areas of application, security, information, cloud, etc. to understand which attributes were most strongly correlated with in-market or revenue performance, and those that weren't.

The questions we were trying to answer were what do market leaders do versus followers? How do industry leaders differ from followers? Is there a difference depending on the region or the market or the industry? And where do IT decision makers focus on a day-to-day level, versus the more CIO strategic forward two-year thinking level?

The results came into us in December 2011. So this is pretty accurate and up-to-date data.

Gardner: How about some of the top findings?

In search of priorities

Dorr: We asked more than 50 questions to understand from organizations where their priorities were and what they were doing today and then we compared that to their in-market performance. And I would say the answers fell into three buckets: They were around infrastructure issues, information and information management, and people and processes.

On the infrastructure side of the equation, we asked a number of questions, but the ones that rose to the top in terms of driving in-market or correlation between revenue performance were probably three or four. A lot of it had to do with application modernization and security, when it came to the infrastructure side of the equation.

For example, market leaders tended to have fewer custom applications and fewer legacy applications. They tended to use their server capacity more efficiently than their peers. Those were some of the big ones around the infrastructure side of equation.

With security, the market leaders tended to build security, not only into the boundary, but also into the applications themselves, versus the market followers who tended to focus on an us-versus-them mentality, or just boundary security.

… Companies that manage risk more effectively and more automated definitely outperformed their peers. As a technology company, we're always looking at the infrastructure. We're always talking about how infrastructure can lead to competitive advantage, and we saw that. But a lot of times we forget the people and process side of the equation.

One of the other areas that jumped out at me was the need for clarity and agreement of key performance indicators (KPIs). Market-leading companies who outperform in revenue over their peers had more clarity within IT about which KPIs were important and had agreement on those KPIs. Everyone is marching and working toward the same goals. That had a huge impact on me as well.

It’s not just about infrastructure. It’s not just about managing risk. It’s also the people/process side of the equation that is critical in market-leading companies.

Gardner: Joel, when you hear that those who are doing well seem to have fewer custom apps, fewer legacy apps, higher utilization rates on their servers, what does that tell you about these types of organizations?

Dobbs: It tells me a couple of things. We'll start with the second one, server utilization. What I think you're seeing there is the effect of people who have really done a good job with virtualization. What you're not having is a lot of equipment sitting around idle or used at under-capacity. So I suspect virtualization probably plays into that difference significantly for a number of people.

Custom and legacy applications was something I hadn't really thought about until I read this material. I suspect that what you're seeing is probably a result of modernization of the applications that I call commodity applications, things like human resources, some of the financial applications, a lot of things that are generic across businesses. You're probably seeing some of the leaders move to more software-as-a-service (SaaS)-type applications in order to free up their staff to work on things that are much more strategic to their business.

Unique value

So the things that they're working on are probably things that are adding unique value to their business, and they're not spending a lot of cycles doing things with generic applications that they can buy and let somebody else manage.

If you're just doing security on the boundaries, that's a cheap way to do security, if you think about it. You put a firewall in place, you configure the thing, and you do the boundary security stuff. But when you're building another layer of security into your applications, that tells me that there's a lot more focus on the realization of the value of what's in there, in terms of the data and the way that it’s used.

There's very much an intentional focus on protecting not only the perimeter of the institution, but making sure that there's added security and protection within the perimeter. I would expect that folks who are really serious about understanding the value of the information within those systems, and [understanding] the risk to their corporate reputation, should those be compromised, are being very intentional about mitigating those risks.

Gardner: So it's a strategic, comprehensive approach to security across the assets -- including the applications.

Daniel, before we move on, a question on the infrastructure. When I saw this, I said that sounds like services orientation (SOA) -- modernized apps, fewer monolithic stacks, higher utilization vis-à-vis virtualization. Was there anything else that would back up my hunch that services orientation or SOA was also prominent in the way they are doing infrastructure?

Dorr: You're absolutely right, but the key component here is actually using it for the right purposes. Virtualization was one of the questions, but you'll notice virtualization, in and of itself, did not rise to the surface of market leaders versus followers.

It wasn't just that you're moving to a service-oriented view, but you're actually implementing it in a way that means something to the business. You're actually seeing a change in capacity usage. You're actually seeing a change in custom and legacy applications.

Again, not following that shiny object, but it's implementing it in a way that's strategic to the business, is what we are seeing here that leads to success. It's not just virtualization, but it's using virtualization to its full capacity.

Dobbs: I agree completely.

Gardner: So we have talked a little bit about infrastructure. What were some of the other major areas, Daniel?

Dorr: The second big area was around information. There was a huge difference around the area of audit and compliance. For example, we saw that more than half of the market leaders had automated their audit and compliance, about 52 percent. Market followers tended to be much less. Around 39 percent had automated their audit and compliance.

Information strategy

There was an information strategy in place in both market leaders and market followers. However, market leaders tended to have automated their information-management strategy, versus followers, who just had it documented.

Also, we see a big difference in the use of business intelligence (BI) to automate decision making. About 18 percent of market leaders are automating their decision making using BI tools, while only 7 percent, so less than half of them, less than half of them as leaders, are doing that.

Now, there is still a huge amount of room for growth on both leaders and followers there, but to see only 18 percent rise to the surface already tells you the importance of automating BI decision making as a clear difference for market leadership.

Gardner: Let's go back to Joel on those two items. This gets to a point that I'm really interested in, a movement in business nowadays to much more of a data-driven and analysis-driven decision process. Perhaps the older way might be summed up by the highest paid person's opinion (HPPO) being the way that ultimately decisions were made.

But Joel, how do you react to some of these findings around information management and BI?

Dobbs: There are a couple of things here. One is that there's been an interesting evolution over the last 20 years in this field. We started out in IT automating various business processes. The focus was on making those processes faster or more efficient or something of that sort. As a result of that, we were generating information that had valuable use, but really wasn't being used that much.

It was during the reengineering revolution in the early '90s that people began to look at that. Along with the uptake of Six Sigma and Lean Sigma, people began looking at harvesting that data that was collected almost as a byproduct of automation and using it for continuous improvement and various other things.

This whole field has matured. Take the example of just the retail industry and all the information that’s collected as a result of point-of-sale processing and things like that. What we've learned is that that’s a rich trove of information that can be mined and used for all kind of things.

What you're seeing with the leaders is that they not only understand it, but they're doing it. That’s a big differentiator between those who understand it and have the insight and the capabilities to take this information and look at it in different ways. I suspect some of the automating of business, the BI automation, as we were talking about, is really a way of going back and using technology to create options for decision making, based on automated looks at data.

Let's talk about the automation of, I think the term you used, Daniel, was the automation of their information strategy, versus documentation. What that tells me is one group is doing it and the other group is just writing it down, and that’s a big difference. It’s like the difference between what most people do with strategy. Most people develop a strategy and there comes a nice book that sits on a shelf somewhere, and very little gets done about it.

The ones who are really leaders are the people who develop a strategy and then part of that strategy is a strategy to implement the strategy. That’s what this automation that you saw among the leaders really reflects -- not just talking about it, but actually doing it.

Single view

Dorr: I agree completely with Joel’s points. If you think about it, there were seven key attributes that rose to the surface for market leaders, revenue leaders, and revenue followers.

Three of those were around information. Automating your audit and compliance, having an automated information strategy. In other words, as Joel said, doing it, versus just writing it down, and really using BI for decision making. Three out of seven are around information. So clearly this is a key theme for in-market performance.

One of the things we do at HP is workshops for CIOs to help align business and IT and identify the impact that IT can have on the business. This comes up every single workshop we do.

We did it with a retailer recently. It took them days to process in-store information, in order to know what SKUs were selling and how well marketing programs were doing. By the time they had that information, it was too late for them to do anything.

They couldn’t change the SKUs on shelf. They couldn’t update, migrate, manage, or move the marketing program into new regions or what have you. As a result, their performance in-market clearly showed the difference. They were at a 20 percent disadvantage to the revenue leader in their category.

So I don’t think we can understate the importance of helping the business see what’s happening and understand what’s happening through automating audit and compliance, through actually implementing the information management strategy and trying to automate as much as possible decision making using BI.

Dobbs: I would add one thing. Daniel pointed out that there is increasingly a competitive advantage. The competitive advantage becomes not just doing it, but doing it faster than your competitors and being able to understand the meaning and the application of the data ahead of your competitor.

The retail example is a great one, where you're lagging days behind in your ability to harvest and use the information. Increasingly, the competitive advantage becomes being able to make adjustments and move much more quickly, whether it’s deciding where to place inventory or how much inventory you need to keep on hand, and all those kind of things. Time is money, and being able to move quickly can be a huge advantage.

What about cloud?

Gardner: We haven’t talked too much about cloud computing, and this did come up as one item that distinguishes leaders over laggards. Perhaps we could address that. Daniel, what is it about cloud that popped out in this survey?

Dorr: The focus of the survey was what capabilities clients have today and how that correlates to their revenue performance. We didn’t see a lot of cloud attributes rising to the surface in people’s current capabilities. We did, however, see it rising to the surface in the focus area, where we asked IT decision makers, the CIO minus one, what was important to them. We did see a pretty significant difference between what market leaders, revenue leaders, thought was important about cloud versus market followers.

In fact, almost half of revenue leaders see cloud as incredibly important to them versus their peers, almost half of that number in the market followers. So, we're seeing a lot more priority focus on cloud computing going forward.

We didn’t see it driving current revenue performance, which makes sense. Cloud is somewhat of a new technology. We haven’t seen it fully deployed in many cases in driving today’s revenue.

Gardner: For the benefit of our listeners and readers, Daniel, maybe we could just go through the list at a prioritized basis, with descending priority, on what distinguished the leaders over the laggards. I think the top one is security as we mentioned, but let’s just go through it on a list basis, so they can get a sense of the importance.

Dorr: Sure. Of the 50 attributes that we asked our CIO minus one IT decision makers and directors, what was happening within their IT environment, seven of those attributes rose to the surface, and they fell into three buckets, as we talked about briefly before. One was around the infrastructure side of the equation or the core computing environment, one was around information, and then the final one was around people and processes.

… With the survey, once we identified which specific attributes differentiated market leaders and market laggards or market followers from a revenue perspective, we then put it on a maturity score and we would score them based on those key attributes. You can see a clear difference between those with obviously a higher score, a higher maturity in their IT environment, around those key specific areas and their in-market performance.

Specific areas

So from the infrastructure side, it was custom applications and legacy applications. Leaders had fewer custom applications -- 38 percent versus the followers at 45 percent.

Leaders had fewer legacy applications -- 25 percent versus followers at 32 percent.

Leaders used their server capacity more efficiently. They used about 80 percent of their server capacity at peak usage, versus followers using only 71 percent.

Leaders had security built into the applications as well as at the boundary, versus only a boundary-level security, inside/outside view of the world.

In the information area, leaders automated audit and compliance at an average of about 52 percent versus followers at 39 percent.

Leaders had automated their information strategy, versus followers only documenting their information strategy.

Leaders tended to use more BI and automated decision making versus followers. So 18 percent of leaders had automated business decision making using BI, versus followers at only 7 percent.

Then there is the people and processes side -- and this is an area where CIOs can actually start working on right now without spending a cent -- which was clarity and agreement of KPIs. We saw a big difference in market leaders. There was a high degree of clarity within their organizations about what the KPIs were and agreement on those KPIs, versus only a moderate level of agreement within market followers.

That’s an area where CIOs can take action today. They don’t even have to talk to a vendor or an analyst at all. They can walk right into the CEO’s office and start working on that problem today.

Gardner: Let’s move to a separate lens to view this through. One of the things you asked was a series of questions that led to some conclusions about what distinguishes those who do best, and what leaders were focused more on. You broke it out into five different areas and you got some indicators of why it’s important, leaders versus laggards. Perhaps you could run through those as well.

Dorr: At the end of the survey, we asked them areas of importance, and we gave them security, information and insight, infrastructure convergence, application transformation, and cloud computing. We asked them to rank which were the most important to them. And we asked them to rank their current capabilities.

This was different from the attributes. For example, most of our IT decision makers ranked security, defined as keeping the lights on, as the number one priority. When they ranked their current capability, again, they ranked their current capabilities quite high, doing that well today. Although leaders tended to feel they were doing a better job of keeping the lights on, versus revenue followers.

Number two on the list was information and insight, in terms of driving what is important today from an IT organization. Again, the average of how important it is was not significantly different between leaders and followers. What was significantly different was how well they rated themselves.

We saw this in the individual attributes, but also when they ranked it at the end as well. Leaders tended to outperform, or believe they were doing a better job managing information and insight, than their followers by almost twice as much.

No huge difference

There were no huge differences on converged infrastructure or applications between leaders and followers, but the area where we saw a big difference was in cloud computing. Leaders ranked it much higher in importance and believed their current capabilities are much higher than their industry peers.

Gardner: So we've got some interesting takeaways here about the role of modernizing, gaining visibility, measuring along the way, being comprehensive in how IT approaches these problems, being responsive to the business on the business terms rather than the technology terms, with an emphasis on culture as well and the people and the process.

Daniel, for those folks who are intrigued and would like to get some of these statistics and findings themselves, do you have a place they can go to learn more to either perhaps see a slide deck, a white paper? What’s available for them?

Dorr: A couple of places. First of all, you can join us at the HP Discover 2012 event in Las Vegas in June. We'll be presenting these results there and sharing it with attendees there. In addition, they will be posted on hp.com.

Gardner: Great. Joel, what takeaways do you have from this in terms of whether people should readjust their thinking or perhaps take a pause and ask what they can be doing different when they sort of tease out some of the findings here?

Impact of investments


Dobbs: There was an interesting study published by MIT just a month or so ago that looked at a number of companies. What they found is that some of these companies that were investing heavily in IT, the IT investments actually had a greater impact on profitability than the same amount of money invested in research and development or in advertising. That’s a shocking finding.

I think what happens, when you delve underneath these companies who get such great returns on IT, you find two or three different things that are embodied in what we saw in some of the leaders here.

One of them is really good governance around decision making. The second thing is probably ownership of IT by the entire executive team. And I think the third thing is that they're probably measuring their return using business metrics on the investments that they make.

That’s what differentiates the leaders from the laggards -- they're approaching IT holistically as a core part of their business strategy, instead of seeing it as a support function or a back-office function.

And things like this study that we've just been talking about today, as well as the MIT study, help add credence to the idea that money is well invested in IT, and I emphasize well-invested. It can have a tremendous payback, but only if you use it wisely.

Gardner: And that sort of runs counter to the perception of IT as a cost center, rather than as an enabler for growth and opportunity.

Dobbs: Precisely.

Gardner: Okay. Daniel, last word to you, are there takeaways or areas that we may not have covered that you think we should also uncover here?

Dorr: Joel said it very eloquently. There is a large body of research. Now, we have HP's own research. We have the MIT study, showing that there is a clear correlation between technology and in-market revenue results. As CIOs, we should feel confident to walk into the CEO’s office and talk to them about the strategic benefits that we can offer the organization.

The two biggest areas that we should be having conversations with our business counterparts today are clearly around information and KPIs. If we have agreement on those, we've covered more than half of the key attributes that we see between market leaders and market followers.

So there's a lot of opportunity for us in IT to start playing an even bigger leadership role in helping our companies innovate and drive in-market results. I look forward to seeing what the results look like two years from now, once we see cloud and other things deployed and driving even bigger benefits.