At the end of 2003, we invited industry leaders to participate in a roundtable discussion on strategic developments from the past 12 months and to take a look ahead to 2004. Joining Computing Canada editor Patricia MacInnis and assistant editor Jennifer Brown were (from left) Robert Garigue, chief information security officer, Bank of Montreal; Elroy Jopling, principal analyst, Gartner; Dan McLean, director, strategic partnering and alliances research, IDC Canada, Toronto; Rosaleen Citron, CEO, Whitehat Inc., Burlington, Ont.; Guy Mills, assistant vice-president, information services, Manulife Financial, Toronto; Garth Issett, vice-president of strategic outsourcing, IBM, North York, Ont.; Peter Smith, vice-president, PeopleSoft Global Services, Toronto.
The complete transcript of the roundtable discussion can be viewed online at www.itbusiness.ca/CC/roundtable2004.asp.
CC: What’s the up side/down side of all the consolidation the industry has endured in the last couple of years?
Robert Garigue: It’s a very interesting issue because it appears on the surface that it’s all about technology, but that’s the easy part. What I see happening is a modularization of the organization. Some of what I call the horizontal economics — legacy systems and services — that are embedded in technology are being rationalized. Economics drive you to a business model. Somewhere along the line there are some translations that have to occur. Let’s say you outsource some HR. It’s not about the database; it’s about the culture and how people are being managed in the organization.
Guy Mills: Manulife has been doing a lot of acquisitions recently. From the IT perspective, there’s very little time when you’re looking at a potential target to assess their IT infrastructure. The decision to acquire a company has already been made before there’s been any thorough analysis of the IT infrastructure. It’s hard to believe when people say ‘we acquired this company because of their technology.’
We’ve outsourced some of our infrastructure operations in North America and we’re just doing it in Asia. In some ways, it’s made it a little easier to integrate the organizations because having gone through the infrastructure outsourcing process, you tend to have a lot better information about what you have and where it is.
Garth Issett: We see clients who are in acquisition mode for a number of years and inheriting a large variety of IT environments. Faced with the current economic environment and continued competitiveness, it leads them to take costs out, get more efficient. As a result of that, clients are turning to the services community for consulting assistance . . . to transform their business into the one they really want it to be.
Dan McLean: The cons are always around trying to integrate the organizations. Where it can be extremely challenging is when you have organizations that come together through consolidation that have fundamentally different cultures. This year, relative to last year, it’s been a slower year for (merger) activity.
Elroy Jopling: From the vendors’ perspective, consolidation hasn’t ended. If you look at the telecommunications industry, what you have is firstly bankruptcy has really become a rite of passage. If you look in the wireless field, one of the four, Microcell has (declared) bankruptcy. If you took the five national carriers, three of them went through bankruptcy. You have to wonder is there going to be more consolidation and the answer is yes; it’s just a matter of when.
Rosaleen Citron: We’re dealing with security vendors all the time and are about to see about 12 or 13 acquisitions take place, probably before March. We’re seeing some large corporations grabbing a lot of security products. They’re not grabbing what we call best of breed; they just want to make sure they cover every area. But it doesn’t mean the products are perfect and it doesn’t mean they can interact with one another. That’s probably the largest problem we have. We have to watch who’s being acquired and how they’re going to position the products. But the culture clash that goes on, especially in the deep technology companies, is destroying a lot of the good products out there.
Peter Smith: There’s a trend in consolidation you don’t often see talked about. The tech industry is one that leapfrogs. Every vendor leapfrogs another and that is how innovation has been introduced into the industry. As we consolidate down the number of firms, that’s one less firm that’s going to leapfrog their area of expertise. It’s a bit of a troubling trend, because you have to find the balance, because if you’re not fiscally viable, you’re not going to be around anyway. But there are many small firms that have excellent products and excellent innovation; they just don’t have the financial wherewithal to be successful.
CC: Security has emerged as one of the most important issues of 2003. In the last 12 months, what has emerged as the overwhelming failing of the security industry?
Garigue: I don’t think failure had anything to do with the security industry. I think the security industry has been the missionary in the desert saying, “it’s coming, it’s coming.” For a long time I saw people talk about what we have experienced in the last year.
The focus has never been on the notion of integrated governance in the organization. Security was all around the shared pipes and containers. The reality is those are table stakes now — so, it’s not even a security issue now — perimeter protection, firewalls, intrusion detection. The risk has migrated to other parts of the organization. So, the things we’ve seen are the organizations that have had the cold shower around the fact this is a harsh environment and the technology can only take you so far. The rest of it is up to the governance of the organization.
Mills: I think this year we kind of meshed together security with business continuity type issues. Certainly at the senior levels of the company, they looked at SARS and power outages and virus attacks as the same kind of thing. It’s all completely different solutions to each of those problems. Our focus has been on high-level business continuity planning.
On the technology front, one of the biggest problems we’ve had is not just the bread and butter security infrastructure; it’s actually executing the things you need to do to remain current. So, it’s doing things such as patching the operating system — very difficult, very expensive and (the patches are) coming every day. Manulife deals with security specifically; it’s decentralized. It’s the responsibility of the business units to have their own business continuity plans. We have a small central security office that really communicates the policies.
CC: Ensuring a healthy return on tech investments has become the mantra of the CIO. What’s the best way to explain the nature of the security spend to a CEO?
Citron: I was talking to the CSO of Bank of America the other day and she was telling me as long as you need compliance, you can find budget. If there is a liability restriction, believe me, the board will find money. It’s when there’s no liability they say, “Why should I do it?” The problem in our industry is when we do our job right, nothing happens. Unfortunately there’s always that weakest link out there, so there’s always going to be someone looking to break it. Generally, when I’m going to talk to people, we talk about the liability they have downstream. Can you imagine being hacked and having your shareholders know you didn’t do your due diligence?
Garigue: The risk has moved, but the solution is not necessarily in the security realm. It’s in the good diligence and good performance of the various (business units). When they talk about that .05 per cent, with security they’re only talking about the associated perimeter protection — hardware, access control around connecting the pipes together. It doesn’t necessarily mean they’re dealing with the issues of control. It’s really a risk management framework.
Citron: The large corporations have pretty much got their act together, but it’s the smaller companies — 200 to 300 people — they’re running Internet storefronts with no firewalls, no intrusion detection, and no anti-virus. I see this every day.
Jopling: I don’t think the larger companies have it under control. With Wi-Fi, do they have rogue access points looked after? When their employee goes out to Starbucks, do they have a VPN?
Smith: We had one client chasing viruses for a week. They had to shut down a project because the resources that should have been working on the project had to get pulled in to keep the operation going. They’re starting to say, “How many hats can I ask a person to wear and do I need to get a partner so they have the increased bandwidth to deal with some of these issues.”
McLean: Security is an issue that has so many arms and legs to it. You try to wrestle with one set and another set comes around and grabs you. It’s a technical discussion; it’s an organizational discussion; it’s a discussion about people. It’s a discussion about business. It’s no wonder everyone heads for the hills when the issue of security comes into play because most organizations don’t even know where to begin. You try to take a lot of business issues and parlay that down through the organization and say, ‘OK, this is what we have to be doing in a business with respect to security.’ The industry believes (things will change) when people are required to do due diligence; when there is legislation that says this is what you have to do as a business.
Issett: The surprise element is disappearing. There’s one person whose job is at risk if this goes on and impacts the organization and that’s the CIO or the CTO. We went through a period where people didn’t know who to blame. No. 1 on the CIO wish list for 2004 is improved IT security.
Smith: The next step you’ll see is large firms starting to look at their supply chain and the vulnerability there. We started to see that with Y2K and we have to see that with security as well.
Mills: One of the reasons we’ve decentralized accountability to the business units rather than a central office is as businesses are embarking on new things — outsourcing for example — they have to think about security as well as business continuity and the various “what if” scenarios. It’s hard to separate it out into a separate discipline. To Dan’s point about what’s going to force organizations to do (something), I think the liability is there, although there haven’t to my knowledge been any high-profile prosecutions. For us, the more immediate thing that captures the attention of the board is availability. Is your business going to get interrupted by a security event?
Garigue: We’re living on borrowed time and I guarantee you someone will go to jail — and very soon. Last year, for the first time, we had a crossover virus, which was seen as a home PC thing. It shut down ATM machines on the West Coast. This is something people in corporate organizations never thought could happen. It had a cascading effect across linkages of multiple systems that had an impact on the business.
CC: How much of a headache is licensing for corporations?
Mills: Often with a large company, we’re always trying to get a better deal any time we’re negotiating with suppliers. Sometimes, we’ve got ourselves into a position where software licensing has prevented us from doing the right thing or making some progress.
We have a demand within our company for a lightweight desktop. We have maybe 15,000 desktops around the world and maybe 2,000 or 3,000 of those people don’t need MS Office. They don’t really need Windows. They just need a Web browser. And in many ways, by restricting the desktop, we could make them more efficient. But we found it impossible to make that work, by and large, because these large enterprise licences are designed to make it difficult for you to move off onto something else.
Smith: We’ve taken a dramatically different route from most other software vendors. I think the most common trend in software licensing is a per seat arrangement where there are complex, medium and light (types). In the ’90s, we had that kind of environment and found two things: It’s an administrative burden, both on us and on our customers.
Second, as we saw technology moving towards the ‘Net, we didn’t want to be a constraint on our customers as to how they chose to deploy it. So we license on the metrics of an organization.
Garigue: A lot of the licensing frameworks are from the book publishing world. The reality is that’s not the life of an IT organization. We buy from certain vendors the whole suite of products, but do you know if all the people are using all the components of that product, and if they are, you’d like to know who they are. You might realize those portions aren’t appropriate for the enterprise and you’d like to have something more modular, maybe on a utilization framework.
Citron: We’re seeing this entire change in how licensing is being done and we’re going monthly, quarterly, semi-annually. Some companies need to lease. In the last year we have found so much software is sitting on a shelf, not being used, year after year, and the customer has been paying maintenance all the while.
CC: Linux has been heralded this year as a saviour, but what are the challenges it brings to the enterprise?
Garigue: The first challenge is cultural. When I brought Linux into the Armed Forces 15 years ago, the reaction was, “So who supports this?” It gave an organization an opportunity to move into computing spaces that weren’t available at the time because of some of the economics and restrictions.
The first reaction is one of (people asking) to prove it has legs; that it’s not another Be OS. So why did this one take off? It found a combination of critical success factors. One was the development tempo and the cycles around the open source culture. Another was that graduates coming out of university couldn’t afford to buy Solaris, they couldn’t afford AIX.
They couldn’t afford a Unix system, but they needed one. And so this was available to them. From the fringe, it becomes the core. Linux now is institutionalized. Most organizations have Linux; they just don’t know it. It’s in the appliances or the firewall routers, but it’s there.
Issett: But that’s a big change. We’re conditioned in IT to think about operating systems, and we need to stop and ask ourselves why. Do we really need to worry about that degree of value-add with everything else that’s going on? It’s an unstoppable force. It has a good balance between opportunity and risk. The economic opportunities are fantastic.
Mills: In our organization, Linux has come in completely unnoticed. No decision was made to support it or not; it just arrived — mainly in the server room. IBM was a big part of that, bundling it with other things we’re doing.
One of the more interesting speculations is what’s going to happen on the desktop and if it has a chance at all. Was the City of Munich an aberration?
Garigue: The United Nations and the World Trade Organization are saying don’t use pirated software; go to open source. It’s not an aberration. Linux is here to stay.
Citron: Open source has been the skeleton in the closet for years, ever since I was working with mainframes. It was always around, but nobody ever talked about it. All of a sudden it started getting respectability. Then the large manufacturers came out supporting it. Then you have this whole wave going across the world where everybody hates Microsoft because of all of its vulnerabilities.
Mills: Who’s going to make a prediction then on the first Fortune 500 or 100 company to switch their desktops to open source?
Garigue: I’d love it to be us, but . . . a big freighter takes a long time to turn around. All our firewalls are appliance firewalls, which means they’re embedded Linux. Things like that are not something that are visible, but they’re happening.
CC: Will 2004 be the year of the rebound in the Canadian IT industry?
Issett: We’re starting to see some realization that the closed purses on significant corporate investments cannot continue much longer.
Jopling: Enterprises are beginning to look further afield; they’re beginning to spend dollars. However, businesses have learned that ROI is big. They’ve become pragmatic because of what they went through and that’s going to be here for another two to three years.
Garigue: I don’t see any increase in IT investments, but I see displacements. At the infrastructure level, you’re going to see substantial improvements in productivity through the standardization, rationalization and best practices. Where the money (displaced from the infrastructure) will go from those savings will be the investment into the info-structure. More value-added processes, data warehousing, data mining that talks to some of the problems of the business at hand.
McLean: People are focused on more pragmatic things. What’s been interesting over the last couple of years is the activity that’s been happening in services. That’s the sustaining area of the market right now in that a lot of companies looked at services as a means of saying, “OK, we have all these processes in place within our companies and how is it that we’re going to get better mileage out of those things?”
Smith: We’re at the beginning of the turnaround; it’s going to be cautious. The concept of the tech infrastructure having depreciated; I think organizations are realizing that. With every year that passes, their infrastructure gets another year older.
Mills: Our overall IT spend next year is not going to be any different to what it was this year. What I’ve observed over the last few years is we’ve generally gotten a lot more disciplined over both the infrastructure side of things and the project side of things.
Our big focus next year continues to be custom self-service Web sites and the other big focus of investment is in integration. New project spend is creeping up this year, but total spending will be flat.