At the end of 2003, we invited industry leaders to participate in a roundtable discussion on strategic developments from the past 12 months and to take a look ahead to 2004. Joining Computing Canada editor Patricia MacInnis and assistant editor Jennifer Brown were (from left) Robert Garigue, chief
information security officer, Bank of Montreal; Elroy Jopling, principal analyst, Gartner; Dan McLean, director, strategic partnering and alliances research, IDC Canada, Toronto; Rosaleen Citron, CEO, Whitehat Inc., Burlington, Ont.; Guy Mills, assistant vice-president, information services, Manulife Financial, Toronto; Garth Issett, vice-president of strategic outsourcing, IBM, North York, Ont.; Peter Smith, vice-president, PeopleSoft Global Services, Toronto.
What’s the up side/down side of all the consolidation among vendors?
Garigue: It’s a very interesting issue because it appears on the surface that it’s all about technology, but that’s the easy part. What I see happening is a modularization of the organization. Some of what I call the horizontal economics – legacy systems and services — that are embedded in technology are being rationalized. The economics of this vertical rationalization are the ones that are going to be looked at first for the outsourcing. Economics drive you to a business model. It’s a good rationale when you take into consideration how tech cost drivers and efficiencies and standardization occurs. The more difficult part is what I called the semantic organization and aligning the semantics of the outsourcer with the business organization. Somewhere along the line there are some translations that have to occur. Let’s say your outsource some HR. It’s not about the database; it’s about the culture and how people are being managed in the organization. The syntax of the technology has to align with the semantics of the organization. This is where some of the risks occur. You dislocate the semantics of the org.
The challenges are there because we’re not basing ourselves on the notion of servers being integrated. Vertical economics are trying to align workflows that are horizontal economics. Those two create a lot of tension.
Mills: Manulife has been doing a lot of acquisitions recently. From the IT perspective, there’s very little time when you’re looking at a potential target to assess their IT infrastructure. Decision to acquire a company has already been made before there’s been any thorough analysis of the IT infrastructure. It’s hard to believe when people say ‘we acquired this company because of their technology.
We’ve outsourced some of our infrastructure operations in North America and we’re just doing it in Asia. In some ways, it’s made it a little easier to integrate the organizations because having gone through the infrastructure outsourcing processing, you tend to have a lot better information about what you have and where it is. You have contracts in place that help.
Issett: We see clients who are in acquisition mode for a number of years and inherited a large variety of IT environments. Faced with the current economic environment and continued competitiveness, leads to . . . take costs out, to get more efficient. As a result of that, clients are turning to the services community for consulting assistance. . . to transform their business into the one they really want it to me.
We continue to see astute clients anticipate these problems and say, “”this is a really good time to outsource because the outsourcer can help us integrate the two companies, optimize our assets.
Maclean: The cons are always around trying to integrate the organizations. Where it can be extremely challenging is where your have organizations that come together through consolidation that have fundamentally different cultures. That’s among the most difficult things to get over in any consolidation or acquisition. We’ve seen this throughout the years. This year, relative to last year, it’s been a slower year for that sort of activity, at least with respect to the vendors. In terms of IBM and PWC and HP and Compaq.
Jopling: From the vendors’ perspective, consolidation hasn’t ended. If you look at the telecommunications industry, what you have is firstly bankruptcy has really become a right of passage. If you look in the wireless field, one of the four, Microcell has led to bankruptcy. If you took the five national carriers, three of them went through bankruptcy. You have to wonder is there going to be more consolidation and the answer is yes; it’s just a matter of when. On the security side, the vendors again are consolidating, acquiring a more holistic suite of products. You’ll see more acquisitions and mergers within the security field.
Citron: We’re dealing with security vendors all the time and about to see about 12 or 13 acquisitions take place, probably before March. We’re seeing some large corporations grabbling a lot of security products. They’re not grabbing what we call best of breed; they just want to make sure they cover every area. But it doesn’t mean the products are perfect and it doesn’t mean they can interact with one another. That’s probably the largest problem we have. We have to watch who’s being acquired and how they’re going to position the products. But Dan, you’re right. The culture clash that goes on, especially in the deep technology companies is destroying a lot of the good products that are out there. We see products that don’t have lot of backing that are excellent products, but then you have other products with tons of backing, but I wouldn’t put them in anybody’s place.
Garigue: The regulatory environment that is merging in the government’s environment that is pushing a lot of the expectations around mergers and acquisitions and outsourcing around the notion of how do you control the content. Because although the operation might be somewhere else, the content and the accountability is in a different organization, and that’s where some of these questions will be arising.
Smith: There’s a trend in consolidation you don’t often see talked about or written up. The tech industry is one that leapfrogs. Every vendor leapfrogs one another and that is how innovation has been introduced into the industry. As we consolidate down to the number of firms, each firm that gets consolidated into someone else, that’s one less firm that’s going to leapfrog their area of expertise. It’s a bit of a troubling trend, because you have to find the balance because if you’re not fiscally viable, you’re not going to be around anyway, but there are many small firms that have excellent products and excellent innovation; they just don’t have the financial wherewithal to be successful. It’s important not to lose sight of the innovation, and as firms are acquired, there has to be a commitment to the acquiring firm not to just pick them up and sunset them from a competition point of view, but really to take that innovation forward.
We acquired JD Edwards because we saw them participating in an area of the business we didn’t. Their product line was very strong in asset-intensive industries. Ours is strong in service-intensive industries. So, it’s really complementary.
Jopling: The scary part is as you consolidate and in this financial community where we are today with venture capital funds, you don’t have the young start-ups coming as quickly as they normally would. Where is the innovation coming from because it’s often coming from those small firms.
Security has emerged as one of the most important issues of 2003. Looking to next year, it will again be a priority for all CIOs. With that in mind, in the last 12 months, what has emerged as the overwhelming failing of the security industry?
Garigue: I don’t think failure had anything to do with the security industry. I think the security industry has been the missionary in the desert saying, “”it’s coming, it’s coming.”” For a long time I saw people talk about what we have experienced in the last year.
The focus has never been on the notion of integrated governance in the organization. Security was all around the shared pipes and containers. The reality is that is table stakes now – so, it’s not even a security issue now – perimeter protection, firewalls, intrusion detection. That’s table stakes. That doesn’t mean that’s where the risk is anymore. The risk has migrated to other parts of the organization. So, the things we’ve seen are the organizations that have had the cold shower around the fact this is a harsh environment and the technology can only take you so far. The rest of it is up to the governance of the organization.
There are some technologies that need to be managed appropriately with the tempo of the risk. The other portion of the equation is the organizations have to accept and acknowledge that those are now requirements under which they operate. This is the great awareness of the last couple of years. This is business as usual.
Mills: I think this year we kind of meshed together security with business continuity type issues. Certainly at the senior levels of the company, they looked at SARS and power outages and virus attacks as the same kind of thing. It’s all completely different solutions to each of those problems. Our focus has been on high-level business continuity planning. On the technology front, one of the biggest problems we’ve had is not just the bread and butter security infrastructure; it’s actually executing the things you need to do to remain current. So, it’s doing things like patching the operating system – very difficult, very expensive and they’re coming every day. That’s been the biggest problem for us: how to keep our desktops current. Manulife deals with security specifically; it’s decentralized. It’s the responsibility of the business units to have their own business continuity plans because it often involves people in (the specific geography). We have a small central security office that really communicates the policies.
CC: Ensuring a healthy return on technology investments has become the mantra of the CIO. But security is one area where ROI is difficult to measure. As CEOs, what’s the best way to explain the ongoing nature of the security spend to another CEO?
Citron: What we’ve found in the last 18 months, ever since privacy became a big issue, board members and CEOs – all of those requirements now are causing.
I was taking to the CSO of Bank of America the other day and she was telling me as long as you need compliance, you can find budget. If there is a liability restriction, believe me, the board will find money. It’s when there’s no liability, they say, “”Why should I do it?”” The problem in our industry is when we do our job right, nothing happens. Unfortunately there’s always that weakest link out there, so there’s always going to be someone looking to break it. Generally, when I’m going to talk to people, we talk about the liability they have downstream. The Bank of America says (security) is .05 per cent of every dollar spent. It’s not that much really.
It’s corporate governance, it’s understanding the marketplace and protecting your brand. Can you imagine being hacked and having your shareholders know you didn’t do your due diligence?
Smith: We’re seeing the smaller and medium-sized businesses wanting to participate in everything that they can do now on the Net and really get into an environment where they can be directly connected to suppliers and customers, and yet the security overheads are sometimes daunting to them.
Garigue: The risk has moved, but the solution is not necessarily in the security realm. It’s in the good diligence and good performance of the various (business units). When you move to the next level up and you’re into client level, it’s really around due consent, but that’s not a security issue. It becomes a security issue if you don’t do it. Here again, when they talk about that .05 per cent, with security they’re only talking about the associated perimeter protection – hardware, access control around connecting the pipes together. It doesn’t necessarily mean they’re dealing with the issues of control. Security is seen as a plumbing issue, but it’s really a risk management framework that integrates availability, integrity, and confidentiality. That’s what the board wants to manage. They don’t want to manage security. When the auditors come in, they’re asking questions that start with, “”Show me your firewalls logs,”” all the way up to “”Can you prove to me that the employees you let go are not now part of your access controls.””
The way we talked about security in the past is a language that refers to that technology control; the risks have moved into access management, identity management, remote access, content management and content identification.
Information management is about how you manage the value of the content in the different frames, not about security as simply making sure the firewalls are up.
Citron: The large corporations have pretty much got their act together, but it’s the smaller companies – 200 to 300 people – they’re running Internet storefronts with no firewalls, no intrusion detection, and no anti-virus. I see this every day. I get a call saying, “”I think I’ve been attacked.”” How do you know? “”Well, there are credit card numbers all over the front of our Web site.””
Our challenge is to talk to the smaller companies, getting them ready for privacy because everyone’s affected. You can have security without privacy, but you can’t have privacy without security.
It’s hard enough people are seeing a 400 to 600 per cent increase in insurance policies this year, for small companies, it’s very hard. Putting in a firewall for $5,000, they may not have that.
Jopling: I don’t think the larger companies have it under control. With Wi-Fi, do they have rogue access points looked after? When their employee goes out to Starbucks, do they have a VPN?
Garigue: What’s the value of the content that’s being transmitted? That should be driving the management framework. People have a technology management framework and they have good mature practices around that, but they don’t have the same maturity frameworks around the content management. All the focus has been around the technology management. The person is called the CIO, but what he’s really managing is technology. The CIO should be the chief information officer and the chief technology officer should be managing the technology. The two are really the yin and yang of the organization to make sure the content and containers are in sync.
It’s the good practices approach that hasn’t been incorporated into our culture, whether it’s a large organization or a small one.
Smith: We had one client chasing viruses for a week. They had to shut down a project because the resources that should have been working on the project had to get pulled in to keep the operation going. They’re starting to say, “”How many hats can I ask a person to wear and do I need to get a partner so they have the increased bandwidth to deal with some of these issues.
Issett: We’re living through a cycle of maturity in our industry and we’re talking about a lot of the symptoms: people’s degree of awareness, availability of budget dollars, the knowledge of the impact and the corporate governance. In our outsourcing business, we also have the responsibility to manage all IBM’s internal computing, so our internal standards keep driving up and up and up. We see it from the perspective of having to protect our customers’ assets. We bring the level of responsibility to our clients, no matter whether they’re large or small. It helps gets the smaller clients up to the level of the larger clients, just from us being responsible for their information assets.
The next piece is people are going to realize when you have an evolving threat that’s innovating very quickly and an insurance policy that appears to be getting bigger and bigger over time, not just it’s cost, but it’s impact on resources and scarcity of skills, it’s a natural for managed services. Patch management is a perfect example. Go back to Slammer. Ninety per cent of the major clients didn’t have the patch that was available for more than six months. Slammer really wasn’t a problem child. All it did was replicate itself.
McLean: What this discussion says, among so many other things, is that security is an issue that has so many arms and legs to it. You try to wrestle with one set and another set comes around and grabs you. It’s a technical discussion; it’s an organizational discussion; it’s a discussion about people. It’s a discussion about business. It’s no wonder everyone heads for the hills when the issue of security comes into play because most organizations don’t even know where to begin. You try to take a lot of business issues and parlay that down through the organization and says, “”OK, this is what we have to be doing a business with respect to security. Then it starts branching out and that’s where it goes all haywire. It’s so hard to connect that entire process throughout the organization to the business requirements. The point that resonates for me is what is going to drive security. What the industry believes is when people are required to do due diligence; when there is legislation that says this is what you have to do as a business. You’re on the hook. If you’re not taking care of your security, you’re on the hook.
Isset: The surprise element is disappearing. There’s one person whose job is at risk if this goes on and impacts the organization and that’s the CIO or the CTO. There’s been a period of amnesty. We went through a period where people didn’t know who to blame. Those issues are not going to show up in the CIO’s office. No. 1 on the CIO wish list for 2004 is improved IT security.
Smith: The next step you’ll see is large firms starting to look at their supply chain and the vulnerability in the supply chain. We started to see that with Y2K and we have to see that with security as well.
Garigue: The way I get the business units to connect to the issue is to talk about the value of the content. Tell me what your business is worth when you talk about it as an information asset. Security drivers are all around managing the content. When was the last time people did a review around access management from an HR perspective saying, ‘do the users on our email list correspond with the number of pay cheques we send out?”” There are some fundamental questions around good governance that talk to operational issues, not to security issues. Security issues I see as an exception management process. When you have a failure, they’re the firemen, they’re the police.
Isset: I just had a conversation with a client last week around who are my users versus who are my employees and the debate about where is the central record. Their conclusion was the HR system has to be the central record.
Jopling: Business continuity if probably one of the major changes. SARS was one of the first one where human factor came in. Before, you were worried about the technology not being there; now you were worried about the people not being there. You had all those groups that could react that had all the tactics for business continuity, but SARS was different. At the beginning of March, there was one death. Three death a few days later. Then the World Health Organization came in and so on and so on. When do you make your decision to react? That was unique in that most organizations do not have that infrastructure, which is HR, to react. You might find today, that only one in five large organizations has a plant to address a similar thing.
Smith: We were working on a project at a major hospital in Toronto. The plan was being developed on the fly. They split the project in half and put two different teams in two buildings; they couldn’t talk to each other, other than by phone.
Garigue: We had contingency teams working offsite and we were able to modularize the routines, but it came as a surprise, that to be able to operate and react to those situations, you have to have spare cycles; not just in the bandwidth, or the cycles of the computer, but also in the HR. You realize you have lots of people, but a couple of them are critical single points of knowledge. That’s not good enough anymore. You have to have that knowledge available; it has to be institutionalized, and it can’t be just in one individual; it has to be in the team. How do you identify single points of knowledge? When was the last time an audit was done around individuals who are single points of knowledge? We’ve done that review; we found 47 people that have single points of knowledge and we’re putting in place a whole management structure to make sure we’re addressing that as part of the HR process, not as part of the security or business continuity process.
Mills: One of the reasons why we’ve decentralized accountability to the business units rather than a central office is as businesses are embarking on new things – outsourcing for example – they have to think about security as well as business continuity and the various “”what if”” scenarios. It’s hard to separate it out into a separate discipline. To Dan’s point about what’s going to force organizations to do (something), I think the liability is there and although there hasn’t to my knowledge been any high-profile prosecutions. For us, the more immediate thing that captures the attention of the board is availability. Is your business going to get interrupted by some security event that causes you to chop the pipes.
Garigue: We’re living on borrowed time and I guarantee you someone will go to jail – and very soon. Last year, for the first time, we had a crossover virus, which was seen as a home PC thing. It shut down ATM machines on the west coast. This is something people in corporate organizations never thought could happen. It had a cascading affect across linkages of multiple systems that had an impact on the business. Someone is going to be held accountable when an organization goes down. And it’s going to be a hospital, and it’s going to be let’s say emergency response. The source of it is going to be something that is seen as a home PC problem.
Citron: If life and limb are represented in that, someone will go to jail. In Canada, until we start getting the law a lot tighter, people don’t feel like they have any liability. You’re not dealing with the same level of severity in Canada as you are in the U.S.
One of the issues we see with security that is a problem is you have some companies out there who I think are in very good shape – hard and crispy on the outside – but they are dealing with other companies who are not secure. Things come in from the smallest supplier to the largest company.
Isset: Risk is getting higher as time goes on. This is a complex business problem that touches technology, it touches how we manage IT, it touches how we manage the whole corporation, and you need to look for partners who can at least frame the problem.
Citron: Let me add one thing: The partner must trusted. There are an awful lot of outsourcing and service companies out there that I wouldn’t let my dog work with, and yet they’re out there getting some very large corporations, because they have slick sales people, but I would not go there.
CC: How much of a headache is licensing becoming for corporations?
Mills: I’m seeing how I can answer without insulting anyone in the room. There are a number of angles to this. I’ll give you one example. Often with a large company, we’re always trying to get a better deal any time we’re negotiating with our suppliers. Sometimes, we’ve got ourselves into a position where software licensing has prevented us from doing the right thing or making some progress.
We have a demand within our company for a lightweight desktop. We have maybe 15,000 desktops around the world and maybe 2,000 or 3,000 of those people don’t need MS Office. They don’t really need Windows. They just need a Web browser. And in many ways, by restricting the desktop, we could make them more efficient.
But we found it impossible to make that work, by and large, because these large enterprise licences are designed to make it difficult for you to move off onto something else. Things such as asset management, having gone through an outsourcing process, we essentially delegated that responsibility. Everything we buy has to be tracked.
Smith: We’ve taken a dramatically different route from most other software vendors. I think the most common trend in software licensing is a per seat arrangement where there are complex, medium and light. In the 90s, we had that kind of environment and found two things: It’s an administrative burden both on us and on our customers. Second, as we saw technology moving towards the Net, we didn’t want to be a constraint on our customers as to how they chose to deploy it. So we tried to find a different way. We license on the metrics of an organization. Within that context, the client can choose to deploy it however they wish.
Garigue: A lot of the licensing frameworks are from the book publishing world. The reality is that’s not the life of an IT organization. Currency becomes a dominant quality of software. That evolutionary process. There’s a symbiotic relationship between the vendor and the people who are the host.
We buy from certain vendors the whole suite of products, but do you know if all the people are using all the components of that product, and if they are, you’d like to know who they are. You might realize those portions aren’t appropriate for the enterprise and you’d like to have something more modular, maybe on a utilization framework. Even micropayments might be something you want to look at with your suppliers.
Citron: We’re doing a lot of that now. The federal government started it. They will not take out contracts that go any longer than three to six months if a company doesn’t have more than $100 million behind it. We’re seeing this entire change in how licensing is being done and we’re going monthly, quarterly, semi-annually. Some companies need to lease. With our really large customers, we urge them to do a licence consolidation every year because we offer maintenance contracts. In the last year we have found so much software that is sitting on a shelf that is not being used and year after year, the customer has been paying maintenance.
CC: Tracking IT assets is becoming more challenging with many companies undergoing mergers and/or acquisitions. Is this an issue that’s taken seriously at the enterprise level?
Issett: I think every customer has aspirations to improve in this area, but I don’t see mismanagement at all. Everyone is doing the best they can. . . There’s a direct correlation between support costs and standardization. The more standardization you can drive, the easier it should be to get a handle on your assets.
Mills: That creates an interesting problem. From a customer’s point of view, the ideal situation is a metered type of licensing arrangement. You’re in control of your costs. If I’m a business unit leader, I can actually see my bill and say, “”If I make this change, my costs will go down by X dollars.”” So you want some variability and control in your software consumption.
But Garth’s point about standardization sometimes mitigates against that in that IBM or anyone else will tell us the fewer (varieties) of software on the desktop, the cheaper it is to support. And maybe that can fixed with some smarts in the way software is licensed, but the two kind of go against each other in some ways.
CC: Autonomic/utility computing, or self-healing computers, is being heralded as the next big thing in computing by many of the major vendors, but NASA recently came out and said there are many big hurdles to be overcome before that’s a reality. At what point will we see an autonomic data center?
Isset: Utility computing is about resiliency. It’s about an IT environment that scales, anticipates problems, that reacts to problems, so you get not just utility-like scalability, but you get utility like availability. In terms of how we get there, hardware is just one component. It relates all the way through every layer of your IT environment, including the management processes.
Smith: You need to step back and look at what the business issue is you’re trying to solve. We came to the conclusion towards the end of next year if we don’t fundamentally change something in how enterprise software is implemented, operated and maintained, our customers will basically be spending more and more of their resources maintaining what they have instead of advancing their agenda. We took a hard look at it and decided we needed to take some of the costs out of operating enterprise software. If you use the analogy of a PC 15 years ago, you had to get a technician to help you install software. Today, you drop the CD in, a wizard comes up and you’re live. We need to drive some of those costs out of enterprise software by automating it. Otherwise, our customers are going to be spending all their resources maintaining the status quo.
Garigue: The resilience of the infrastructure is something that’s getting addressed. My concern as I look at where the risks are is ‘where is the content.’ The issue is the availability of the content. How do you make sure that availability is there.
I run four computers at the same time. The reason I do this is because it’s almost like putting a grid framework into place. I have a way of synching all the systems together. The data is replicated and available, and even if I go to a system that isn’t mine and download the application, I get access to my information.
Jopling: Two words there are nearly contradictory: resiliency and access. There’s resiliency in the corporate infrastructure internally, however as soon as you go external, you have more mobile people with a greater number of appliances and it’s becoming more complex. And now you nearly have to run after the user.
CC: Linux has been heralded this year as a savior for companies, but what are the challenges Linux brings when introduced into the enterprise?
Garigue: The first challenge is cultural. When I brought Linux into the Armed Forces 15 years ago, the reaction was, “”So who supports this?”” It gave an organization an opportunity to move into computing spaces that weren’t available to them at the time because of some of the economics and restrictions. The first reaction is one of (people asking) to prove it has legs; that it’s not another Be OS. If you go to Yahoo, you’re going to find 500 operating systems to download for free, so why did this one take off? It found a combination of critical success factors. One was the development tempo and the cycles around the open source culture. Another was that graduates coming out of university couldn’t afford to buy Solaris, they couldn’t afford AIX. The couldn’t afford a Unix system, but they needed one. And so this was available to them. From the fringe, it becomes the core. Linux now is institutionalized. Most organizations have Linux; they just don’t know it. It’s in the appliances or the firewall routers.
Isset: But that’s a big change. We’re conditioned in IT to think about operating systems, and we need to stop and ask ourselves why. Do we really need to worry about that degree of value add with everything else that’s going on? It’s an unstoppable force. It has a good balance between opportunity and risk. The economic opportunities are fantastic. IBM supports it so dramatically because it addresses the needs of this industry for continued cost improvement.
Mills: In our organization, Linux has come in completely unnoticed. No decision was made to support it or not; it just arrived — mainly in the server room. IBM was a big part of that, bundling it with other things we’re doing. One of the more interesting speculations is what’s going to happen on the desktop and if it has a chance at all. Was City of Munich an aberration?
Garigue: The United Nations and the World Trade Organization are saying don’t use pirated software; go to open source. It’s not an aberration. The economics are good. It’s going to be around for a long time.
Citron: Open source has been the skeleton in the closet for years, ever since I was working with mainframes. It was always around, but nobody ever talked about it. All of a sudden it started getting respectability. Then the large manufacturers came out supporting it. Then you have this whole wave going across the world where everybody hates Microsoft because it’s all their vulnerabilities. Every software package in the world has a vulnerability. But if you’re a hacker and you want to make a splash, you go for the biggest target.
Mills: Who’s going to make a prediction then on the first Fortune 500 or 100 company to switch their desktops.
Garigue: I’d love it to be us, but . . . a big freighter takes a long time to turn around. All our firewalls are appliance firewalls, which means they’re embedded Linux. Things like that are not something that are visible, but they’re happening. Then the fringe becomes to core, and that’s where a lot of organizations such as IBM are positioning themselves.
CC: Have you been able to roll out wireless apps within the enterprise — are there still hurdles in having a seamless operation?
Garigue: The issue is not a wireless application. We had VIVE – wireless access to online systems three years ago. Were we ahead of our time? Wireless services are naturally going to happen; the issues are always going to be the content we’re dealing with. BlackBerry is using the elliptical curve encryption that has been developed to ensure there’s privacy. All the cell phones are frequency hopping. You’re always going to have risk with certain technologies, but the advantages of wireless are tremendous. Wireless will be offered everywhere . . . but who’s at risk? That’s a question the owner of the content is going to have to answer.
Mills: Whether you like it or not, any company that has a Web site and provides their employees with VPN access to their e-mail or files, it’s a fact of life. Virtually every portable device now can be wireless. We’re not going out of our way to create wireless apps specifically; it’s just another flavour of exposing information to the outside world. If anything, it makes us more aware of the need to apply the best practices for security.
In the early days of our e-commerce activity, we didn’t always apply the very latest security (techniques). It’s resurfacing some of those debates and making us more diligent about applying policies.
Isset: It’s a natural evolution. We’re naturally wireless; it’s the wires that are unnatural. In our business, we’re probably on our third or fourth generation of wireless in support services. The business case for us, in addition to improved satisfaction for the customer, is that these people don’t have to find a phone to figure out what to do when they get to (the client site). They close the problem log on their BlackBerry and they get their next dispatch. So, there’s no going back to the office to check e-mail, picking up the phone to call in. It collapses the time cycle dramatically and generates tangible business results.
There’s been a lot of capital sunk into wireless, but the killer app . . . it’s arisen in field force management. It arose first in Japan with SMS, not because it had business value, but because it had entertainment value.
Wi-Fi will hit us next with the most dramatic adoption rate.
Smith: Wireless is just pushing along what we’re calling the real-time enterprise. We’re seeing it continue to punch holes in what we used to call front office/back office. If you have a service person out there and now they’re connected real-time, the first question you ask is what’s the customer’s entitlement to service? Is it part of warranty? Is it part of maintenance? Then you’re into your back office system. It’s forcing you to take a look at how the system is flowing.
Isset: This is a war between convenience and risk, and this is just one more battlefield.
STATE OF THE INDUSTRY
CC: Will 2004 be the year of the rebound in IT?
Isset: We’re starting to see some realization that the closed purses on significant corporate investments cannot continue much longer. So, we’re starting to see the early stages of project-based recovery. We’re very cautious; only the tightest of business cases (are approved). The bulk of activity for us continues to be working with clients to find ways to reduce their costs in their existing environment, which then frees up capital to allow them to invest in new opportunities.:
Jopling: It’s difficult to forecast; there will be disparate results in different industries. The traction is beginning. Enterprises are beginning to look further a field; they’re beginning to spend dollars. However, businesses have learned that ROI is big. They’ve become pragmatic because of what they went through and that’s going to be here for another two to three years. Investments are going to have to have a have a (solid) business case. You won’t see explosions in any market, per se. I think everyone believes there’s an upturn coming.
Garigue: I don’t see any increase in IT investments, but I’ll see displacements. At the infrastructure level, you’re going to see substantial improvements in productivity through the standardization, rationalization and best practices. Where the money (displaced from the infrastructure) will go from those savings will be the investment in to the info-structure. More value-added processes, data warehousing, data mining that talks to some of the problems of the business at hand.
Maclean: Depends on where you’re looking. Look at the two areas that are kind of suffering now: software and hardware. There are issues around lack of capital dollars, around the fact that people don’t buy technology because it’s way cool. People are focused on more pragmatic things. What’s been interesting over the last couple of years is the activity that’s been happening in services. That’s the sustaining area of the market right now in that a lot of companies looked at services as a means of saying, “”OK, we have all these processes in place within our companies and how is it that we’re going to get better mileage out of those things? How are we going to reduce costs because that’s always been a traditional motivator around services. But there have been new ideas that have come into play around the whole notion of business transformation and adoption of newer technologies.
The next stage we’re seeing within services is making that link between the software, the hardware and the services – building that whole package. What you’re seeing in the services market is not just the traditional stuff around outsourcing, implementation, consulting and operational services. But the newer technologies, in terms of how they’re being brought to market, in many ways has that package of things that includes the application piece, the business process piece, tied to the infrastructure and delivered as that service.
Smith: We’re at the beginning of the turnaround; it’s going to be cautious. The concept of the tech infrastructure having depreciated; I think organizations are realizing that. With every year that passes, their infrastructure gets another year older. There is a gap between what they have and what technology is providing as an opportunity with some of the advances we’re seeing. But we’re definitely seeing projects being smaller, more focused, more tightly defined, shorter payback. But definitely what goes up has to come down and what goes down has to come up. As business fundamentals improve, the project that was just below the hurdle will move above the hurdle.
Mills: Our overall IT spend next year is not going to be any different to what it was this year. What I’ve observed over the last few years is we’ve generally gotten a lot more disciplined over both the infrastructure side of things and the project side of things. Our big focus next year continue to be . . . custom self-service Web sites and the other big focus of investment is in integration. There’s a lot of money spent just consolidating systems, and those are fairly easy to write business cases for. New project spend is creeping up this year, but total spending will be flat.
Citron: We’re seeing the specialization for services coming back – more so than we even expected. We are seeing a trend upwards, but it’s been a very down summer. Nobody wanted anyone on their sites when SARS was around and it’s been one thing after another. We are realizing a lot of companies better start opening their purse strings soon because they’ve gone a little too long in some cases without certain types of security. We’re in a well-positioned spot because people know the first thing they have to do is make sure they’re secure. You can’t do a project if you can’t afford the security.