Tuesday, November 13, 2012

For Dell’s Quest Software, BYOD puts users first -- and with IT’s blessing

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Quest Software.

The growing acceptance of bring your own device (BYOD) at enterprises comes with promise and perils.

Our next BriefingsDirect discussion examines why the users’ personal use, ownership and maintenance of the computing and mobile devices of their choosing is making more sense for more organizations. We'll learn about how and why through the example of one company, Quest Software, that has begun supporting BYOD -- even with the full blessing of IT.

We'll see how this has had benefits far beyond just the users’ sense of empowerment, in terms of meaningful IT advancements in centralized applications, control and support, virtual desktop infrastructure (VDI) use, better disaster recovery (DR) practices, better data protection and more. And we'll see how Quest has used a number of tools to manage the risks.

Here to share insights into how BYOD can work well at Quest Software, and even into their new corporate owner Dell, is Carol Fawcett, the CIO of Dell Software and the former long-term CIO of Quest Software. The interview with her is conducted by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: Quest Software is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: I'm really intrigued with this BYOD thing. Just a year or two ago, people were saying, "What?" and scratching their heads, saying, "Are you kidding? You're going to let your users choose their device?" But as this has been put into place and some of the implications have been thought through, it seems to be an interesting possible benefit set.

So let me start with where you began. What were the challenges, or what were the forces or trends at work, too, that got you all at Dell Software involved with BYOD?

Fawcett: I don’t think that we actually necessarily started down the path of a BYOD project, because as many listening will know, this started years ago. We started a project where we said we wanted to enable our users to access applications and data on a select set of devices, which for us started with the obvious, the iPad. Then came the Android smartphones, and the list continued on.

This list will continue to grow as time goes on and new devices are brought in. The good news is that there are product offerings now in the marketplace that are helping with that demand and helping IT departments everywhere.

So instead of looking at it as BYOD, it's now turned into a BYO-x phenomenon that the C-level started. And as everyone in an organization saw them bringing different devices into meetings, of course, they all wanted to jump on the bandwagon. Slowly but surely, the wave began, and that's how we got where we are today.

Gardner: This is interesting. There is a sort of direction from the user side, which is to say, they probably like the choice and they had some personal preferences, or they've been able to be more productive in their personal lives using certain technologies.

Then there has also been this direction from the enterprise, which is to say, they like the idea of centralizing, controlling apps and data. And then delivering those out to devices (like with VDI) can be a way of encouraging this control. It’s almost like a confluence of two forces -- VDI and BYOD -- that make a whole greater than the sum of the parts. And we don’t see that very often in IT.

Pull it together

Fawcett: It’s one where you have to pull the needs and the demands of an IT organization together with what the users want to go to, and that’s just what we're seeing out there everywhere in the industry. You definitely have to pull it together, try to satisfy the IT governance and the policies that we set up, and balance that against what the users are saying: "I have to have this in order to get my job done."

Gardner: It sounds as if some of the basic principles and benefits of VDI come to play here. That is to say, the provisioning, the control, the access management. So is there a fortuitous intersection of where VDI was entering into more and more organizations -- particularly those that want to control for security or regulatory purposes or intellectual property (IP) control, that sort of thing -- with this idea of multiple devices, multiple panes of glass, full mobility?

Did that play a role there, too? Were you already going down a VDI track or trajectory and this helped you get to BYOD quicker and better?

Fawcett: We started down the VDI path. In fact, many companies did years ago, when we started to do more with offshore resources. We wanted to have offshore resources, we wanted to give them desktops, but we wanted to make sure they were secure. That was the first introduction of where VDI makes a lot of sense, where you want to secure data, have folks doing coding, but knowing they can’t take code with them. That’s the way it started.

But then you start to find other use cases for VDI that really start to benefit the rest of the user community. VDI is one of those things that started a while back and now has slowly grown into this BYOD solution.

Gardner: Did you know how much BYOD was going on there? How did you find out and how would it become something you could control?

Fawcett: That’s the question of the hour. I'd love to be able to say that we knew exactly how many people were bringing in what kinds of devices, but the reality is, we are a technology company, so some of our policies may be more relaxed than the policies of companies outside our realm.

For example, in a bank or in the government, you can pretty much lock down an environment, and every employee coming in knows it's going to be locked down because of who they are and who they work for.

Our organization is made up of technologists located around the world. You know some of them are looking for ways around the fences. It’s just built into their nature. It's almost like a competition for them, "Can I figure this out?" Now add in the remote and traveling users and you can see how this expands the challenge as time goes on.

Gardner: Was there anything in particular in the Quest Software portfolio that you think gave you an on-ramp, perhaps a better return on investment (ROI), and even overall better control and management, as you move toward this BYOD, support of many panes of glass, centralized IT management direction?

Fawcett: Yes, we are drinking our own champagne, and it all goes back to where you just asked me if I knew how much BYOD was actually in our environment. That's where we started using one of the first phenomenal tools that we have, which is called MessageStats. This is a great tool that reaches out and helps us track the trending within the organization at a macro and micro level. We know which devices and OS versions are being used, by whom, and at what time.

In fact, I asked my team just recently, when we first started talking, "Can you pull a list on all the devices that I use, that are registered to me?" So I saw my own list of the devices and I was shocked to see how they actually are tracked, right down to the level of when was the first time I ever connected the device to the network, last successful sync, last policy update, what kind of device was it.

It was so granular, and quite frankly, it was so very Big Brother-like, it kind of scared me. But again, you can't make a solution for what you don't understand. So assessing with MessageStats is the only way to go.

Then once we understood it, we said, "Now that the process is moving, let's figure out what type of device is right for what type of user." And this is where we turned to vWorkspace, which enabled us to determine which of the users and scenarios are best suited for the virtual desktops in the data center.

In addition, it provided a critical insight as to which virtual desktop technologies provide the best fit for each user, based on their needs. So vWorkspace allows us to not only put a desktop in the data center, but it lets us do things like application streaming and publishing. It really enables us to have that broad spectrum of functionality with just that one tool.

Once we were up and running, we stepped into the management and governance aspect of the project. This can probably be one of the most problematic areas, when you think about the pure nature of BYOD. Multiple devices for a given user, each acting very differently, and if not managed, could destroy any governance policy put in place.

Understanding the individual

This is where we truly must raise the issue up from the device to the individual, understanding that role of that person and understanding what security rights, regardless of the device they need to have in place. And this is where Quest’s One Identity Management came into play.

It gave the IT team the ability to rely on one point of control for an individual and all their devices. This is the product we count on to pass the audits, and most importantly, to ensure that our employees have that right level of access needed to get their job done.

The final key point on this is that it takes IT out of the mix and automates that very cumbersome process of provisioning, moving employees amongst departments, and then finally de-provisioning, when that employee leaves.

This is a very powerful product that makes it so that in our environment, once an employee is entered into the HR system, through automation, it automatically provisions them, gives them the rights to applications, sets them up inside of those applications -- all without IT involved in that process. So no more passing help-desk tickets.

One other piece that I wanted to touch on is a product called Webthority that we have been using, not only for our internal users, but also during the M&A process. This is a great product, because it provides a portal for the employees to come into. Once again, it's secured via that same network log-on that they use when they walk in the door in the morning.

This is anywhere, any device. It's simply a portal. They come in, they use their network log-on, and bam, they're shown all the applications that they have visibility into and access to. They can go in, without having to log on again, almost like a single sign-on effect, which allows them to access the applications via two-factor authentication as well. It's a great product that helps out in many ways.

And then that final aspect of an environment is, of course, the support and monitoring. Remember, the key to any IT success is through the happiness and satisfaction of the customers. We recognize that supporting and monitoring their experience and performance is most important, especially when you talk about VDI, which is what you and I have been talking so much about.

Our job is to ensure that the end-users are getting the same type of performance that they would on a standalone PC or if their desktop was in the data center. Because without that consistently great performance, your end-users will fight giving up their desktops every time.

For this, we turned to monitoring that user experience with Foglight for Virtual Desktops. Being able to quickly determine which users are impacted by performance problems helps us to proactively take action for those users, before the users feel the pain.

Understanding the trends in the virtual environment -- how many people are connecting at any given time, what applications are they using, etc. -- helps us determine when we might need to add additional servers to that server farm, and to meet the load. Or we can even look at a desktop or an end-user and say, "You know what? I don't think these folks should be virtualized at all. Perhaps they should go back to being physical" -- for whatever reason.

Empirical data

You can't correct what you don't know and you need that empirical data to make an educated move. Foglight gives us that data, ensuring we are consistently improving the environment for the end-users. It's a great set of products that touch on all three phases of an environment or a team that's trying to solve this BYOD issue.

Gardner: As we learn more about how you've done this there, let’s also explain to our listeners that Dell recently acquired Quest Software, and you were at Quest before that. So tell me a little bit about how the confluence of these two companies also comes to bear on this issue of BYOD?

Fawcett: Let’s start with Quest Software. Where our sweet spot was, and still is, was that we are the IT management software provider that offers a broad selection of software solutions to simplify and solve the most common -- and most challenging -- IT problems for all areas of an IT environment -- from infrastructure, to applications, front-end to back-end, physical or virtual, or even out in the cloud, for that matter.

Dell was looking for a company whose tools could and would complement and expand their own software product offerings in the four strategic areas that they were focused on, which Quest obviously aligned with. Those were systems management, security, business intelligence (BI) and applications.

So you can really see why the partnership between Quest and Dell is such a great partnership and offers so much to the industry.

Gardner: If I were a CIO at another firm and I wanted to learn something from your experience about moving to the support of multiple devices, what’s something that you might offer in terms of what to think about early on?

Fawcett: As you approach the subject you have to really level-set with the team that this is not about devices that an individual will want to use, but instead it's about individuals that are using different devices accessing a set of applications inside your data center or under your control.

This individual, obviously, should have only one set of access rights across all the environments, based on what that person's role is within the company. The different devices that they use should really be an afterthought. Regardless of the device, their access rights need to remain consistent.

If I'm on a desktop, a laptop, or I bring in a tablet, or if I'm using my phone to get email, it shouldn't matter. I should have that same, consistent UI and the same, consistent security rights to get where I need to go to do my job.

Don't get me wrong -- and we know this; we hear it at every conference we go to -- IT will struggle with the management of the many devices, no doubt. The only thing I can really suggest there is something we did.

Different devices

We took that gigantic list that's out there and we said, "Where are we going to offer different devices?" We're going to pick maybe 10 or 20 different devices, the most common ones that people are bringing in, to support going forward, with the hope that you will be able to satisfy about 80 percent of the employed population.

It does, however, all go to the user experience. You have to keep coming back to that, making sure they have the ability to get to the right data and the right applications, with the correct security rights for their job.

Story of adoption

As I mentioned before, for us, it was not about the devices. We tried to turn that around, and it was kind of handy, because the whole consumerization of IT started to come into the industry more and more. So we started to piggyback on that.

Think about it. A device is simply a means of accessing the apps and the data. Our vision instead turned into trying to figure out a way to provide employees with a world-class overall user experience, from beginning to end, encouraging the culture of openness and innovation.

In the end, our goal is to offer our end-users that ability to use a flexible set of tools and toolsets with a familiar interface that allows for secure access anywhere, anytime. We want them to be comfortable with those tools, as this will make them obviously more productive at doing their jobs.

At Quest, we have some wonderful tools that help us understand this environment and help us recognize who is bringing in devices and how they're being used. We're getting a better sense of what's in our environment so that we can start answering these.

Gardner: Let's look at this through the lens of IT. You decided that you're going to support BYOD with the blessing of IT. What does this get for you? Are there some additional benefits other than empowering the end-user or giving them choice? What’s there for you in terms of better support for your centralized operations, applications, data, and then some of those backup and support functions that we all should be doing regularly?

Regular backups

Fawcett: One thing that really helps out IT is the thing you just mentioned, which is making sure that laptops are being backed up on a regular basis. We know today, and I'm sure many of us on this podcast are thinking, "How many of us actually back up our laptops on a regular basis?"

Those who do it are saying, "Well, doesn’t everyone do that?" But you could guess that inside of a large organization, probably the majority are not responsible enough to do it, because it’s just not in the forefront of their minds.

When you talk about VDI and having a desktop in the data center, it's a guaranteed thing, because it's in the data center. Everything in the data center is backed up. That's one real positive -- making sure that the data is secured. Obviously, when it comes to DR, we could quickly recover an environment. So that's a great thing for IT. And I think that, in general, the end-users would love that as well, as they get into this world more often.

Gardner: Looking a little bit to the future, more organizations are adopting software-as-a-service (SaaS) applications for non-core business type applications. We're seeing more interest in cloud, consuming applications from a public cloud environment or the hybrid environment, whether it's public or private. Is there something about your support of applications as centralized to multiple devices that will enable you to exploit SaaS, cloud and hybrid services to a greater extent?

Fawcett: Most definitely. It goes back to the tools that you're using to assess, manage, and govern and then support the end-users. IT has to make sure they have those tools in order to make sure they're supporting the end-users regardless of where their data lives.

Certainly, the cloud and the SaaS environments are adding extra buzz in the industry. We're very interested in how to capitalize on that. How do we make sure that we're looking at elastic computing, and where can it benefit us? Everybody is scrambling to understand this new technology trend better and how it can help an IT organization.

But it does go back to the tools that an IT organization has in order to match those three things that we should always be doing, which is assessing what the users and the environment need, managing it, making sure it's secure, and then making sure again that we're able to support those end-users to their fullest and the way they expect to be supported.

Gardner: My thinking just a couple of years ago was that BYOD was going to be the exception, not the rule. You would support some sort of a fringe category or two of your workers with this capability, perhaps those out on the road, more often than not.

But now, as I hear you, it sounds that the direction that most IT is going to go in, hybrid services, delivering and consumption and management, and a more centralized control over data, IP, and management of apps and delivering desktops themselves as services, are all going to be making BYOD, or at least the blocking and tackling that you would need to do anyway, something that comes together in such a way that this might become more the norm than the exception. Do you think that’s what’s happening?

Fawcett: Absolutely. It's like when virtualization was first there. There was a wave of “how much could you virtualize inside your data center?” Fast forward, and now it's a given. It's a given that inside your data center you have virtualized as much as possible, so that you can ensure that your data center is being used the most it can be and the most efficiently.

The way it's going

This is the same way this is going to be. Just talk to your kids. Try to find a child walking down the street who isn't texting or who doesn't have a tablet and can probably manage it better than their parents.

I'm not talking about just young children but generations to come. I'm talking about the kids who are coming in now, in their 20s and 30s. It's a given that they want to use whatever device they choose in the corporate world, just like they do at home. It's a right. It's no longer considered a luxury.

From that view, it will be up to the internal IT teams to ensure they have the access to everything they need, with the right security in place to protect them, as well as protect the company. That's why when you think about some of the tools that we've been using here, you really want to make sure you bring in some of those tools, so that you can, in fact, assess, manage and support the end-users to the best of their ability, for not only the end-user, but also for the company.

Gardner: It really strikes me too that this isn't really about devices, but it's about the data center, the tools, the management, the governance, all of which are probably things that are good IT best practices anyway. It almost sounds as if BYOD is forcing discipline, governance, automation; some of the basics of good, advanced and modern IT. Is that sort of what you are seeing? Is BYOD a catalyst to better data-center management?

Fawcett: It can definitely be used that way, because it does all go back to how an individual in a given role gets access to the applications they need to get their job done. It shouldn't matter which device they are using. It's all about which application access they should have to get their job done.

Gardner: Of course when you put in the best practices, when you have the backups and you have the scheduling and the automation, this all will end up being an economic benefit as well, because you won't suffer terrible outages, you won't have issues of discovery for data when you need it and how you need it.

Of course, you can start to look at your total cost for your data center and tweak and manage for energy, facilities, capacity and utilization. It sounds as if not only is BYOD a catalyst for better data center practices, but it could be some significant means of reducing your total cost of operation.

Fawcett: Absolutely. We've always looked at containing IT budgets as a means to an end. When you sit back and think about it, the only way to do that is through simplification, standardization and automation.

If you don't have that last piece, that automation piece, and you're simply throwing heads to solve an issue, your IT expenses are going to go through the roof. And you're going to have unhappy customers in the end, because processes are going to be overcomplicated. It's all about containing the IT budget through best practices and automation.

You may also be interested in:

Thomas Duryea’s journey to the cloud: Part one

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: VMware.

The next BriefingsDirect IT leadership discussion focuses on how leading Australian IT services provider Thomas Duryea Consulting made a successful journey to cloud computing as a business.

We'll learn why a cloud-of-clouds approach is providing new types of IT services to Thomas Duryea’s many Asia-Pacific region customers.

Our discussion kicks off a three-part series on how Thomas Duryea (TD) designed, built, and commercialized a vast cloud infrastructure to provide services to their clients. The first part of our series here addresses the rationale and business opportunity for TD to create their cloud-services portfolio built on VMware.

To learn more about implementing the best cloud technology to deliver and commercialize an adaptive and reliable cloud services ecosystem, please join Adam Beavis, General Manager of Cloud Services at Thomas Duryea in Melbourne, Australia. The interview is conducted by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: Why cloud services for your consulting and business customers now? Have they been asking for it?

Beavis: Certainly, the customers are the big driver while we are moving into cloud services. Being a traditional IT integrator, we've been very successful showing a lot of data-center solutions to our customers, but more and more we're seeing customers finding it harder to get CAPEX and new projects and they are really starting to look at the cloud alternative.

Gardner: Why then have you looked at moving toward cloud services as a commercial offering, rather than going yourself to a public cloud and then availing yourself of their services? Why build it yourself?

Beavis: We reviewed all the possibilities and looked at moving to some of the larger cloud providers, but we've got a strong skill set, a strong heritage, and good relationships with our customers, and they forced our hand in many ways to move down that path.

They were concerned about telcos looking after some of their cloud services. They really wanted to maintain the relationship that they had with us. So we reviewed it and understood that, because of the skill sets we have and the experience in this area, it would work both commercially and then relationship-wise. The best move for us was to leverage the existing relationships we have with the vendors and build out our own cloud.

Gardner: So who are these eager customers? Could you describe them? Do they fall into a particular category, like a small to medium-size business (SMB) type of clientele? Is it a vertical industry? Where is the sweet spot in the market?

No sweet spot

Beavis: That's probably the one thing that surprised me the most. As we've been out talking to customers and selling the cloud, there really is no sweet spot. Organizations that you talk to will be doing it for different reasons. Some of them might be doing it for environmental insurance reasons, because having their data center in their building is costing them money, and there are now viable opportunities to move it out.

But if I were to identify one or two, the first one would be independent software vendors (ISVs). Cloud solutions are bringing to ISVs something they've looked for for a long time, and that's the ability to run test and development environments. Once they've done that, they can host their applications out of a service provider and not have to worry about the underlying infrastructure, which is something, as an application developer, they're not interested in.

So we're seeing them, and we're working with quite a few. One, an Oracle partner, will actually run their tests in their environments in a cloud, and then be able to deliver those services back to some of their customers. In other cases they'll run up the development in their cloud and then import that to an on-premise cloud afterward.

The other area is with SMBs. We're certainly seeing them, for financial reasons, want to shift to cloud. It's the same old story of OPEX versus CAPEX, reduced budgets, and trying to do more with less.

The cloud is now in a position where it can offer that to SMB customers. So we're seeing great opportunities appear, where not only are we taking their infrastructure into the cloud, but also adding on top of that managed-service capability, where we will be managing all the way up to the application.

Gardner: Based on this mixture of different types of uses, it sounds like you're going to be able to grow your offerings right along with what this market demands. Perhaps some of those ISVs might be looking for a platform-as-a-service (PaaS) direction, others more of a managed services, just for specific applications. Was that important for you to have that sort of Swiss Army knife for cloud advancement?

Beavis: Exactly right, Dana. Each one is addressing a different pain point. For example, some of them are coming to us for disaster recovery (DR) as a service, because the cost of renewing their DR site or managing or putting that second site out is too expensive. Others, as you said, are just looking for a platform to develop applications on. So the whole PaaS concept is something near and dear to us on our roadmap.

Each one continues to evolve, and it's usually the customers that start to drive you as a cloud provider to look at your own service catalog. That’s probably something that’s quite exciting -- how quickly you need to evolve as a service provider. Because it's still quite a new area for a lot of people, and customers do ask for varying things that they expect the cloud to be or what a cloud is. We're constantly evolving and looking at new offerings to add into our service catalog.

We see it being more than just one offering in our eyes. We see us being able to provide it to anyone, from a small reseller to an ISV, someone who develops their own applications. Or, it's someone who works specifically with applications and they're not just interested anymore in running their own infrastructure on their site or caring for it. They just want to provide that platform for their developers to be able to work hassle-free.

Gardner: So this means that you've got to come up with an infrastructure that can support many different types of uses, grow, scale, and increase adaptability to the market. What were some of the requirements, when you started looking at the vendors that you were going to partner with to create this cloud offering?

Understanding customer needs

Beavis: The first thing that was important for us was, as you said, understanding our customers’ needs initially and then matching that to what they required. Once we had that, those words you mentioned, scale and everything, had to come into play. Also the cost to build these things certainly doesn’t come cheap. So we had to make sure we could use the existing resources we had.

We really went in the end with the VMware product, because we have existing skill sets in that area. We knew we would have a lot of support, with their being a tier-1 vendor and us being a tier-1 partner for them. We needed someone that could provide us with that support from both a services perspective, sales, marketing, and really come on the journey with us to build that cloud.

And then obviously our other vendors underneath, like EMC, who are also incredibly supportive of us, integrate very well with those products, and Cisco as well.

It had to be something that we could rapidly build, I won't say out of the box, because it’s a lot that goes around building a cloud, but something that we knew had a strong roadmap and was familiar to all our customers as well.

The move to cloud is something that is new to them, it's stressful, and they're wondering how to do it. In Australia, 99 percent of customers have some sort of VMware in their data center. To be able to move to a platform that they were familiar with and had used in the past makes a big difference, rather than saying, "You're moving to cloud, and here is a whole new platform, interface, and something that you've never seen before."

The story of the hybrid cloud was something we sat down and saw had a lot of legs: The opportunity for people to stick their toe in the water and get used to being in the cloud environment. And VMware’s hybrid cloud model, connecting your on-premise into the public cloud, was also a big win for us. That’s really a very strong go-to-market for us.

Gardner: As a systems integrator for some time, you're very familiar with the other virtualization offerings in the market. Was there anything in particular that led you away from them and more toward VMware?

Beavis: It was definitely a maturity thing. We remember when Paul Maritz got on stage four years ago and defined the cloud operating system. The whole industry followed after that. VMware led in this path. So being a market leader certainly helped.

Needless to say, we're very good partners with some of the other providers as well. We did review them all, but it was a maturity thing and also a vision thing. The vision of a software-defined datacenter really came into play as we were building Cloud 2.0 and that was a big winner for us. That vision that they have now around that is certainly something that we believe in as well.

Gardner: Of course, they've announced new and important additions to their vCloud Suite, and a lot of that seems to focus on folks like yourself who need to create clouds as a business to be able to measure, meter, build, manage access, privacy, and security issues. Was there anything about the vCloud Suite that attracted you in terms of being able to run the cloud as a business itself?

Product integration

Beavis: The fact it was packaging stuff as a suite was a big one for us. The integration of the products now is something that's happening a lot more rapidly, and as a provider, that's what we like to see. The concept of needing different modules for billings, operations, even going back 12 months ago, made it quite difficult.

In the last 12 months with the Suite, it has come a long way. We've used the component around Chargeback, vCenter Operations Management, and Capacity Management. The concept now of software-defined security, firewalls, and networking, has become very, very exciting for us, to be able to all of a sudden manage that through a single console, rather than having many different point solutions doing different things. As a service provider that’s committed to that VMware product, we find it very, very important.

Gardner: Margins can be a little tricky with this business. As you say, you had a lot of investment in this. How do you know when you are succeeding? Is there a benchmark that you set for yourself that would say, "We know we're doing this well when 'blank'"? Or is this a bit more of a crawl, walk, run approach to this overall cloud business?

Beavis: Obviously that comes with a lot of the back-end work we're doing. We take a lot of time. It’s probably the most important part. Before we even go and build the cloud, it’s getting all that right. You know your direction. You know what your forecast needs to be. You know what numbers you need to hit. We certainly have numbers and targets in mind.

That's from a financial perspective, but also customers are coming into the cloud, because just like physical to virtual, people will come, initially, just with a small environment and then they'll continue to grow.

If you provide good service within your cloud, and they see that risk reduced, cost reduced, and it’s more comfortable, they will continue to move workloads into your cloud, which obviously increases your bottom line.

Initially it’s not just, "Let’s go out and sell as much as we can to one or two customers, whatever it might be." It’s really getting as many logos into the cloud as we can, and then really work on those relationships, building up that trust, and then over time start to migrate more and more workloads into the cloud.

Gardner: Adam, help us understand for those listening who might want to start exploring your services, when do these become available? When are you announcing them, and is there any roadmap that you might be able to tease us with a little bit about what might be coming in the future?

Beavis: We've got Cloud 1.0 running at the moment, which is a cloud where we provide cloud services to customers. We have the automation level that we are putting in Cloud 2.0. Our backup services, where people no longer have to worry about tapes and things on site, backup as a service where they can just point to our data center and backup files, is available now.

Also, DR as a service is probably our number one selling cloud service at the moment, where people who don't want to run those second sites can just deploy or move those workloads over into our data center, and we can manage their DR for them.

New cloud suite

But there's a big one we're talking about. We're on stage at vForum on Wednesday, Nov. 14, here in Australia, launching our new cloud suite built on VMware vCloud Director 5.1.

Then on the roadmap, the areas that are starting to pop up now are things like desktop as a service. We're exploring quite heavily with big data on the table, business intelligence as a service, and the ability for us to do something with all that data that we're collecting from our customers. When we talk about IT as a service, that's lifting us up to that next level again.

As I said earlier, it's continuously changing and new ideas evolve, and that’s the great thing working with an innovative company. There are always plenty of people around driving new concepts and new ideas into the cloud business.

Gardner: This discussion kicks off a three-part series on how TD designed, built and commercialized an adaptive and reliable cloud services ecosystem. Look for the next installment in our sponsored series when we delve more deeply into the how and what behind Thomas Duryea Consulting's cloud infrastructure journey.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: VMware.


Wednesday, November 7, 2012

Collaboration-enhanced procurement and AP automation maximize productivity and profit gains in networked economy, says Ariba's Drew Hofler

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Ariba.

When the bottom line needs to grow (even when the top line does not), then businesses must exploit open collaboration advances in procurement and finance to produce new types of productivity benefits, say an industry analyst and Ariba executive.

And the benefits of improved data integration and the process efficiencies of cloud computing are additionally helping companies refine their finances through tighter collaboration with all elements of their procurement and supply chain networks.

To uncover how these trends are fostering improved processes in accounts payable (AP) automation and spend management, BriefingsDirect recently sat down with Drew Hofler, Senior Solutions Marketing Manager of Financial Solutions at Ariba, an SAP company, and Vishal Patel, Research Director and Vice President of Client Services at Ardent Partners. The discussion was moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: Today's landscape for AP and collaborating across business is driving some new processes, new approaches, and you have some new research. Tell us why you did the research now, and what you found out.

Patel: We completed this E-Payables 2012 research study in June of this year. It was comprised of approximately 220 AP, finance, and procurement professionals. Our intent was to get a sense of the current state of AP operations, the usage of AP solutions, and to capture some of the key strategies, processes, and performances that these organizations are able to achieve. Also, to determine how best-in-class companies are leveraging AP automation.

Gardner: And what's changed? What's new now or different from say two or three years ago?

Patel: Traditionally, we saw AP as having a very tactical focus. We asked the survey participants, "What do you think AP can do for you?" The responses ranged from payroll and reviewing invoices to responding to supplier inquiries. But in 2012, we're beginning to see a little bit of a shift more toward strategic activities and the introduction of automation in the process.

If we compare procurement and AP, AP traditionally is lagging behind procurement in terms of transformation and improvement of performance in their groups. AP is currently at the point where it's trying to improve efficiency and trying to focus staff members on more strategic activities, instead of responding to supplier inquiries.

That's the general trend we've been seeing, and also just being able to connect the various processes within the procure-to-pay cycle.

New efficiencies

Gardner: Drew Hofler, we've seen an emphasis over the past several years, particularly in a tough economy, on seeking out new efficiencies. We've seen that in procurement and supply chain. Is this now AP's day in the sun, so to speak, to grow more efficient?

Hofler: I would say that it is. It's probably the last bastion of paper processing in most organizations right now, typically seen, as Vishal mentioned, in the past as a back office tactical organization. They're seeing now that there are benefits that can be had by automating -- and not just automating the process and getting rid of paper -- but automating that on a network platform.

That allows visibility into key strategic data that drive decision-making throughout the organization and across their firewall to their suppliers as well. These are things like visibility into shipments, when they're coming in, visibility into line-item invoice data on the procurement side, so that they can do better analysis of their spend.

It's driving more strategic procurement on the supplier’s visibility into invoice status and payment timing, so they can manage their working capital and even access opportunities for getting paid early in exchange for discounts.

All of this stuff flows out of automation, and I think companies are really seeing how AP can now drive some of these strategic activities. So, I think it is their time in the sun.

Gardner: When we actually have an automation across the spectrum of these different activities, it seems to me that we're not going to be just collecting data and be able to proactively seek out new efficiencies or processes. It allows us to have more of an ad hoc, real-time benefit of being adept and even proactive. How is that important now, when you look at this entire spectrum of economic activity?

Hofler: That’s extremely important. Everybody needs to be nimble right now. The big deal is being able to adjust to the circumstances that are just crazy right now. It's having visibility into where you're spending specifically and when you're getting paid. Also, visibility into automating the invoice cycle and the AP process so that now you can do something with that with an early paid invoice that is approved maybe 45 days before it's due.

This opens up working-capital opportunities, where companies are offering early pay discounts to their suppliers. Suppliers who don't have the same access to cash flow that they had pre-2008 are accessing that, saying thank you, and are willingly giving up a discount so that they are lowering their days sales outstanding (DSO).

Buying organizations are getting something for their cash that they're certainly not getting with that cash sitting in bank accounts earning zero percent right now. Both sides are winning, and all of that's really made possible by automation.

Gardner: Vishal, this notion of being nimble, is that something that came up in your recent research and how important is that for companies to once again push the needle on efficiency?

Impact of AP

Patel: It's very important, especially when you start thinking about the impact that AP can have on other parts of the organization like procurement and finance. When you look at the P2P process, it's one transaction that all of these different stakeholders are connected to. But all the stakeholders are not connected to each other necessarily, and that's where automation comes in. That's when you get the added value of collaboration between the P2P cycle.

If you think about the manual environment where you're receiving paper invoices and paper purchase orders (POs), it's difficult, really tedious work to get the right level of information at the right time, and then make decisions about how to most appropriately utilize cash.

One of the interesting things we found in the research was that when we asked the survey participants what some of the biggest drivers are for the AP groups, the top one was improving processing efficiency, which is as expected, and it's been the same way for the last several years.

But the following two were the ones that were surprising. Number two and number three on the list were improving cash and working capital and improving days payable outstanding (DPO). Previously, we wouldn’t even have seen those on the list, but these are much higher on the list in 2012.

Gardner: Drew, we recognize that large companies that are moving lots of goods that have a lot of capital involved are deeply incentivised to do this, but what about smaller organizations? Is this now something that is attainable by them, and are they starting to see benefits there, too?

Hofler: Absolutely. Any organization that can have visibility into their opportunities, into their process, and control over that process benefits from this. Smaller organizations on the buyer side are most definitely seeing the value of this. Lots of smaller organizations on the invoice sending and payment receiving side, what we would traditionally call the supplier side, the seller side, are seeing huge benefits from this.

For example, one of the suppliers on the Ariba network, a company called Mediafly, invoices a very large entertainment company. They're a small company, they're a startup, and they're in growth mode. They have full visibility into when they're paid, and their CFO has told us that it's just like gold being able to see that.

So Mediafly has visibility into not only when their invoice is going to get paid, so that they can forecast on that, but also the ability to accelerate that payment on demand. They can literally click a button and get paid when they want.

They have told us that that has allowed them to hire, to accelerate their production of their products by hiring new developers, so that they can actually get a product out the door. They told us an example where they were able to get a new product out the door before they had planned, and they were scheduled to get paid on that original invoice.

Accelerated growth

And so it accelerated their growth. They've been able to avoid using credit lines because they have access to this through this kind of networked economy effect. They're able to see what's going on, and have the capability to make a strategic decision to accelerate cash, and it has really helped them as a small company.

Patel: In general within organizations, collaboration is a theme nowadays, with the workforce being quite diversified in terms of location. People are relying on collaborative efforts to help improve performance overall across the enterprise. And I think that's no different between procurement, AP, and treasury. Their collaborative efforts are going to improve each of their processes and the visibility they all have into the procure-to-pay process.

For example, procurement, because of e-invoicing and supplier networks and just the visibility that AP is providing procurement, can improve their monitoring and measurement of supplier performance with invoice accuracy and how they're doing on payments, and this helps them understand the total cost of working with a supplier.

That's one example of how procurement and AP can work together. But with treasury being able to understand what invoices are coming due, when they're coming due, when is the best time to make a payment, AP is able to deliver this kind of information in an accurate and real-time way, and that enhances their collaboration as well.

Gardner: Drew, of course we're seeing lots of advancements in the field around cloud computing, mobile devices, and social networks, where people are becoming more accustomed to having an input and saying what's going on along the way. Technically, how is collaboration being driven into what Ariba is doing specifically around this AP automation?

Hofler: It all revolves around visibility into information, and as you said, access to make decisions based on that from across silos inside of organizations. For example, one of our customers, Maxim Healthcare, had very little visibility into procurement, across AP, and into their suppliers. All three of these stakeholders had very little visibility into what was happening, once a PO went out the door and once an invoice came in. There were spot processes that happened, but they were in a black box.

They had no way to enforce compliance to contracts. So an invoice comes in but it's not connected to the original document which is essentially a contract that enforces, say, volume discounts on widgets or whatever it might be. By automating the P2P process, by bringing all of these things into a kind of a network solution, the various stakeholders are able to see what's going on.

From the procurement side, they can see the line items on the invoice, so they can do better spend management and better analysis on their spend.

From a contract compliance perspective, the AP department can automatically connect the data in the invoice to that contract, to ensure that they're actually paying what they should be paying, and not too much.

Increased visibility

And from a supplier perspective, they benefit both from being able to see their invoice approval status, and when they're planning on getting paid. They're also able to access early payment, as I mentioned. One of the interesting benefits of this to Maxim was actually an increase in their DPO, a working-capital metric.

Procurement and AP typically may not have an impact on working-capital metrics; that's usually a treasury and finance function. But when they had full visibility into their invoices and their payment terms, Maxim found that they were actually able to pay suppliers on time, rather than the practice of paying them early, because they just didn't have visibility into when they were supposed to pay them.

For a lot of my customers, we find that when we look at their vendor master, they often will have a lot of immediate terms with suppliers that they didn't realize they had, and their DPO was low as a result. So just getting visibility into all that gives them the ability to enforce the terms that they already have, and the net of that is to increase their DPO as Maxim saw.

Gardner: Now of course, we're in the networked economy. We've been talking about this in the context of an individual enterprise or a small business, but when more visibility data and accessed information along with collaboration is perhaps exploited at an industry or vertical level, there are some other benefits.

So does collaboration go beyond just what we're doing as an internal process? What about getting more data about what's going on in the whole industry and applying that to some of these business activities and decisions?

Patel: When you have trading partners on a network and a whole cluster of them in a specific industry, there’s tons and tons of data that can be collected on invoicing, payments, purchase orders, spending habits, spending behaviors, and certain commodities.

There is a whole host of data that's collected, that's maybe the next phase of where the supplier networks go and how they make use of information. To date, I think it's still a matter of getting the scale and getting the network to a size where that information is available and makes sense. That's probably the next phase of it.

Hofler: I definitely agree with that. It's really the promise of the network, as Vishal pointed to. As you get the network effect and you get the massive amounts of data, there is just a tremendous amount of data flowing through on a daily basis on the Ariba network.

That's one of the things that's very exciting about our recent acquisition by SAP. There’s a big data program called HANA that they're developing and pushing. That's going to blow out the market. The amount of data that we can bring into that, and then slice and dice to the various different uses that's required to get intelligence into some of the things that Vishal was talking about. That's definitely huge and I would agree that it's right over the horizon.

Metrics of success

Most of the companies that come onto the Ariba network to do invoice automation, we call it Smart Invoicing, are able to set up certain parameters so that by the time an invoice gets to them, it's very clean. The suppliers get immediate feedback on things that need to be fixed, as the invoice is being submitted, and then they get it very clean.

The result of that is that we have many customers who have 95 percent, 98 percent straight-through processing. The invoice comes through, it goes straight into their back-end system, it's scheduled for payment, and they're ready to go.

One of our customers, Ecolab Inc., has employed this. They had a couple of big problems, for example, where they had no visibility into their shipment information from the supplier on the front end of the process and their suppliers again had no visibility into payment on the back end of the process.

A very interesting thing happened. When they weren't able to get visibility into shipment, they couldn't invoice their customer until they knew they had received the shipment that was going to be part of what they are invoicing their customer for from their supplier.

That led to an extended DSO, which is not a positive. By getting visibility into this, they were able to invoice on shipment and lower their DSO. Traditionally procurement and AP would not play in terms of DSO, but now they're able to contribute to the more strategic level of the company by impacting DSO in a positive way.

Additionally, they had risk in their supply chain from their suppliers not knowing when they were going to get paid, and sometimes threatening to and carrying through withholding shipment until they received payment on a particular thing. Now, their suppliers can see exactly when they're going to get paid and that has increased satisfaction and lowered the risk for them as well.

Just by automating the process and approving invoices in time, Ecolab increased their capture of contracted early-pay discounts from somewhere around 25 percent or 30 percent that they were able to capture before, to upwards of 95 percent. So that's a huge benefit to them as well.

Gardner: Vishal, in closing out, how do organizations get started on this? What are some typical steps that they should take in order to avail themselves of some of these benefits that we've been discussing?

Patel: One of the key things is, when looking at an automation initiative in the procure-to-pay process, to think about the process holistically, instead of focusing on automating one part, one process in AP or in procurement. There are benefits to thinking more long term about the entire process, how it's going to integrate, what technologies are going to be used for each part of the process, and whether that's all done at once or over phases.

Best practices

Gardner: Drew any thoughts from your perspective on getting started, best practices, or even where to get more information?

Hofler: For more information, come to ariba.com and look at all of our solution pieces. For getting started, I would agree with Vishal. In the networked economy, it's all about sharing information across silos, across stakeholders, and doing so in an automated fashion.

There are a lot of pieces to that and a lot of steps and processes along the way, where that information can be captured and shared across these parties.

A lot of people take it all at once in the P2P process. Other people will automate POs and then invoice automation and then early payment discounting. I say look at where your communication breaks down internally over these processes, and let's target that first with some automation that can bring visibility into that.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Ariba.


Tuesday, November 6, 2012

Liberty Mutual Insurance melds regulatory compliance and security awareness to better protect assets, customers, and employees

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

Welcome to the latest edition of the HP Discover Performance Podcast Series. Our next discussion examines how Liberty Mutual Insurance is effectively building security more deeply into its overall business practices.

We'll see how the requirements of compliance and regulatory governance are aligning with security best practices to attain the higher goals of enterprise resiliency, and deliver greater responsiveness to all varieties of risk.

Here to explore these and other security-related enterprise IT issues, we're joined by our co-host Raf Los, Chief Security Evangelist at HP Software, and special guest John McKenna, Vice President and Chief Information Security Officer (CISO) for Liberty Mutual Insurance, based in Boston. The chat is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: Why is security so important to your business now, and in what ways are you investing?

McKenna: It’s pretty clear to us that the world has changed in terms of the threats and in terms of the kinds of technologies that we're using these days to enable our business. Certainly, there's an obligation there, a responsibility to protect our customers’ information as well as making sure that our business operations can continue to support those customers.

So, as I said, it's the realization that we need to make sure we’re as secure as we need to be, and we can have a very deep discussion about how secure we need to be.

In addition to that, we have our own employees, who we feel we need to protect to enable them to work and get the job done to support our customers, while doing so in a very secure workplace environment.

Gardner: How do you think things are different now than, say, four or five years ago?

McKenna: I'll start with just the technology landscape itself. From mobility platforms and social networking to cloud computing, all of those are introducing different attack vectors, different opportunities for the bad guys to take advantage of.

Reducing the threat

We need to make sure that we can use those technologies and enable our business to use them effectively to grow our business and service our customers, while at the same time, protecting them so that we reduce the threat. We will never eliminate it, but we can reduce the opportunities for the bad guys to take advantage.

Los: John, you talk about your customers. From a security perspective, your customers are your external customers as well as internal, correct?

McKenna: We absolutely have our internal customer as well. We have partners, vendors, agencies, and brokers that we're doing business with. They're all part of the supply chain. We have an obligation to make sure that whatever tools and technologies we are enabling them with, we’re protecting that as well.

Gardner: Liberty Mutual, of course, is a large and long-time leader in insurance. Help us understand the complexity that you're managing when it comes to bringing security across this full domain.

McKenna: We're a global company in the Fortune 100 list. We have $35 billion in revenue and we have about 45,000 employees worldwide. We offer products across the personal and commercial lines products, or P&C, and life insurance products. We’ve got somewhere in the range of 900-plus offices globally.

So we have lots of people. We have lots of connections and we have a lot of customers and suppliers who are all part of this business. It’s a very complex business operation, and there are a lot of challenges to make sure that we're supporting the customers, the business, and also the projects that are continually trying to build new technology and new capabilities.

Gardner: Raf, when we talk about what’s different in companies, one of the things is that in the past security was really something that was delegated and was an afterthought in some respect.

But security is now thought through right at the very beginning of planning for new services. Is that the case in your travels?

Los: That’s what I'm seeing, and there's still the maturation that’s happening across the enterprise spectrum where a lot of the organizations -- believe it or not, in 2012 -- are still standing up formalized security organizations.

Not a given

So security is not a given yet, where the department exists, is well-funded, well-staffed, and well-respected. You're getting to that state where security is not simply an afterthought, as it was in an organization in my past job history a decade ago or so. In those types of companies, they would get it done and then say, "By the way, security, if you take a look at this before we launch it, make sure it's given a virtual thumbs up. You've got about 20 minutes to go."

If you can get away from that, it’s really about security teams stepping up and demonstrating that they understand the business model and that they're there to serve the organization, rather than simply dictate policy. It’s really a process of switching from this tight iron-grip on control to more of a risk model.

It's sort of a cliché, but IT technology risks understanding acceptance and guidance. I think that’s where it’s starting to win over the business leaders. It’s not that people don’t care about security. They do. They just don’t know they do. It’s up to us to make sure that they understand the context of their business.

Gardner: John, is that ringing true for you at Liberty Mutual?

McKenna: It absolutely is. It goes from the top on down. Our board certainly is reading the headlines every day. Where there are new breaches, their first question is, "Can this happen to us?"

So it certainly starts there, but I think that there absolutely is an appreciation at our strategic business units, the leadership, as well as the IT folks that are supporting them, that as we're rolling out new capabilities, we have a responsibility to protect the brand and the reputation. So they're always thinking first about exactly what the threats and the vulnerabilities might be and what we have to do about it.

We’ve got a lot of programs under way in our security program to try to train our developers how to develop applications, what secure coding practices are, and what those need to be. We’ve got lots of work related to our security awareness program, so that the entire population of 45,000 employees has an understanding of what their responsibilities are to protect our company's information assets.

I will use a term used by a colleague that Raf and I know. Our intent is not to secure the company 100 percent. That’s impossible, but we intend to provide responsible defenses to make sure that we are protecting the right assets in the right way.

Los: That’s very interesting. You mentioned something about how the board reads the headlines, and I want to get your take on this. I'm going to venture a guess. It’s not because you’ve managed to get them enough paper, reams of paper with reports that say we have a thousand vulnerabilities. It’s not why they care.

Quite a challenge

McKenna: Absolutely right. When I say they're reading the headlines, they're reading what’s happening to other companies. They're asking, "Can that happen to us?" It's quite a challenge -- a challenge to give them the view, the visibility that is right, that speaks to exactly what our vulnerabilities are and what we are doing about it. At the same time, I'm not giving them a report of a hundred pages that lists every potential incident or vulnerability that we uncovered.

Los: In your organization, whose job is it? We’ve had triangulation between the technical nomenclature, technical language, the bits and bytes, and then the stuff that the board actually understands. I'm pretty sure SQL injection is not something that a board member would understand.

McKenna: It's my job and it's working with my CIO to make sure that we are communicating at the right levels and very meaningfully, and that we’ve, in fact, got the right perspective on this ourselves. You mentioned risk and moving to more of a risk model. We're all a bit challenged on maturing, what that model, that framework, and those metrics are.

When I think about how we should be investing in security at Liberty Mutual and making the business case, sometimes it's very difficult, but I think about it at the top level. If you think about any business model, one approach is a product approach, where you get specific products and you develop go-to-market strategies around those.

If you think about the bad guys and their products, either they're looking to steal customer information, they are looking to steal intellectual property (IP), or they're looking to just shut down systems and disable services. So at the high level, we need to figure out exactly where we fit in that food chain. How much bigger risk are we at at that product level?

Gardner: I've seen another on-ramp to getting the attention and creating enough emphasis on the importance of security through the compliance and regulation side of things, and certainly the payment card industry (PCI) comes to mind. Has this been something that's worked for you at Liberty Mutual, or you have certain compliance issues that perhaps spur along behaviors and patterns that can lead to longer-term security benefit?

McKenna: We're a highly-regulated industry, and PCI is perhaps a good example. For our personal insurance business unit, we've just achieved compliance through QSA. We’ve worked awfully hard at that. It’s been a convenient step for us to address some of these foundational security improvements that we needed to make.

We're not done yet. We need to extend that and now we're working on that, so that our entire systems have the same level of protections and controls that are required by PCI, but even beyond PCI. We're looking to extend those to all personal identifiable information, any sensitive information in the company, making sure that those assets have the same protections, the same controls that are essential.

Gardner: Raf, do you see that as well that the compliance issues are really on-ramp, or an accelerant, to some of these better security practices that we've been talking about?

Los: Absolutely. You can look at compliance in one of two ways. You can either look at compliance from a pure security perspective and say compliance is hogwash, just a checkbox exercise. There’s simply no reason that it's ever going to improve security.

Being an optimist

Or you can be an optimist. I choose to be an optimist, and take my cue from a mentor of mine and say, "Look, it's a great way to demonstrate that you can do the minimum due diligence, satisfy the law and the regulation, while using it as a springboard to do other things."

And John has been talking about this too. Foundationally, I see things like PCI and other regulations, HIPAA, taking on things that security would not ordinarily get involved in. For example, fantastic asset management and change management and organization.

When we think security, the first thing that often we hear is probably not a good change management infrastructure. Because of regulations and certain industries being highly regulated, you have to know what's out there. You have to know what shape it's in.

If you know your environment, the changes that are being made, know your assets, your cycles, and where things fall, you can much more readily consider yourself better at security. Do you believe that?

McKenna: It's a great plan. I think a couple of things. First of all, about leveraging compliance, PCI specifically, to make improvements for your entire security posture.

So we stepped back and considered, as a result of PCI mapped against the SANS Top 20 cyber security controls, where we made improvements. Then, we demonstrated that we made improvements in 16 of the 20 across the enterprise. So that's one point. We use compliance to help and improve the overall security posture.

As far as getting involved in other parts of the IT lifecycle, absolutely -- change management, asset management. Part of our method now for any new asset that's been introduced into production, the first question is, is this a PCI-related asset? And that requires certain controls and monitoring that we have to make sure are in place.

Level of sophistication

We're certainly dealing with a higher level of sophistication. We know that. We also know that there is a lot we don't know. We certainly are different from some industries. We don't see that we're necessarily a direct target of nation-states, but maybe an indirect. If we're part of a supply chain that is important, then we might still get targeted.

But my comment to that is that we've recognized the sophistication and we've recognized that we can't do this alone. So we've been very active, very involved in the industry, collaborating with other companies and even collaborating with universities.

An effort we've got underway is the Advanced Cyber Security Center, run out of Boston. It's a partnership across public and private sectors and university systems, trying to develop ways we can share intelligence, share information, and improve the overall talent-base of and knowledge base of our companies and industry.

Los: This is something that's been building. When we started many years ago, hacking was a curiosity. It moved into a mischief. It moved into individual gains and benefits. People were showing off to their girlfriend that they hacked a website and defaced it.

Those elements have not gone away, by the way, but we've moved into a totally new level of sophistication. The reason for that is that organized crime got involved. The risk is a lot higher in person than it is over the Internet. Encrypting somebody's physical hard drive and threatening to never give it back, unless they pay you, is a lot easier when there is nobody physically standing in front of you who can pull a gun on you. It's just how it is.

Over the “Internet,” there is anonymity per se. There is a certain level of perceived anonymity and it's easier to be part of those organized crimes. There are entire cultures, entire markets, and strata of organized crime that get into this. I'm not even going to touch the whole thing on activism and that whole world, because that’s an entirely different ball of wax.

But absolutely, the threat has evolved. It's going to continue to evolve. To use a statement that was made earlier this morning in a keynote by Bruce Schneier, technology is often adapted by the bad guys much faster than it is with good guys.

The bad guys look at it and say, "Ooh, how do we utilize it?" Good guys look at a car and say, "I can procure it, do an RFP, and it will take me x number of months." Bad guys say, "That’s our getaway vehicle." It’s just the way it works. It's opportunity.

Insurance approach

Gardner: I want to go out on a limb a little bit here and only because Liberty Mutual is a large and established insurance company. One of the things that I’ve been curious about in the field of security is when an insurance approach to security might arise?

For example, when fire is a hazard, we have insurance companies that come to a building and say, "We'll insure you, but you have to do x, y and z. You have to subscribe to these practices and you have to put in place this sort of infrastructure. Then, we'll come up with an insurance policy for you." Is such a thing possible with security for enterprises? Maybe you’re not the right person, John, but I am going to try.

McKenna: It’s an interesting discussion, and we had some of that discussion internally. Why aren’t we leveraging some of the practices of our actuarial departments, or risk assessors that are out there working our insurance products?

I recently met with a company that, in fact, brokers cyber insurance, and we're trying to learn from them. This is certainly not a mature product yet or mature marketplace for cyber insurance. Yet they're applying the same types of risk assessments, risk analysis, and metrics to determine exactly what a company’s vulnerabilities might be, what their risk posture might be, and exactly how to price a cyber insurance product. We're trying to learn from that.

Los: As you were talking, I kept thinking that my life insurance company knows how much they charge me based on years and years and years and years of statistical data behind smokers, non-smokers, people who drive fast, people who are sedentary, people who workout, eat well, etc. Do we have enough data in the cyber world? I don’t think so, which means this is a really interesting game of risk.

McKenna: It’s absolutely an interesting point. The fact that you don’t have the metrics is one side of this. It’s very difficult to price. But the fact that they at least know what they should be measuring to come up with that price is part of it. You need to leverage that as a risk model and figure out what kind of assumptions you're making and what evidence can you produce to at least verify or invalidate the model.

Los: On the notion of insurance, I can just think of all the execs that have listened to that, if it’s that insurance, saying, "Great. That means we don’t have to do anything, and if something bad happens the insurance will cover it." I can just see that as a light bulb going on over somebody’s head.

McKenna: We're just trying to learn from it, to understand how we should be assessing our own risk posture and prioritizing where we think the security investment should be.

Away from the silo

Los: Security is going to continue to move away from being a silo in the enterprise. It's something that is fundamental, a thread through the fabric. The notion of a stand-alone security team is definitely becoming outdated. It’s a model that does not work. We demonstrated that it does not work.

It cannot be an afterthought, and all the fun clichés that go with it. What you're going to start seeing more and more of are the nontraditional security things. Those include, as I said, change management, log aggregation, getting more involved in the business day to day, and actually understanding it.

I can't tell you how many security people I talk to that I asked the question, "So what does your company do?" And I get that brief moment of blank stare. If you can’t tell me how your company survives, stays competitive, and makes money, then really what are you doing and what are you protecting, and more importantly, why?

That’s going to continue to evolve; it’s just going to separate the really good folks, like John, who get it from those who are simply pushing buttons and hoping for the best.

Gardner: I'm afraid we will have to leave it there. Please join me in thanking our co-host, Raf Los, Chief Security Evangelist at HP Software, and our special guest John McKenna, Vice President and CISO for Liberty Mutual. You can gain more insights and information on the best of IT Performance Management at http://www.hp.com/go/discoverperformance.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.