legacy bank it a mountain to climb for future...


computerweekly.com 30 June-6 July 2015 1

Home

News

The hidden complexity that awaits the next generation of banking IT leaders

Is HMRC making tax more taxing for analogue taxpayers?

Royal Free hospital trust digitises patient records using OpenText

University of Dundee director of technology calls for diversity in IT

Editor’s comment

Opinion

Buyer’s guide to DevOps

Why CIOs should loosen their grip on enterprise IT

Facing the inevitable: Death, taxes and data security audits

Downtime


Legacy bank IT a mountain to climb for future CIOs

Finance systems present a formidable challenge for the next generation of IT leaders


MP warns of nationalisation risk to UK citizens’ personal data

Labour MP Chi Onwurah aired concerns about how the push to digitise government services could result in the “nationalisation” of the personal data the public sector holds on UK citizens. Speaking at the Cloud World Forum event in London, shadow Cabinet Office minister Onwurah said that as an increasing number of government services move online, work needs to be done to ensure the privacy rights of citizens are protected.

Goldman Sachs datacentre deal sees IO open first European site

Investment banking firm Goldman Sachs has been named as the first customer to move into US datacentre operator IO’s newly opened facility on the Slough Trading Estate. The 20MW datacentre features a modular design and is the second the firm has opened outside of North America, with the first being in Singapore.

Members of Tech City Future Fifty boost workforce by 30%

Members of Tech City UK’s Future Fifty initiative have increased the size of their workforce by 30% in the past 12 months, well above the national average of 5.4%. The Future Fifty programme aims to make it as easy as possible for companies to list on the UK stock market. It provides tailored support on issues such as immigration, exports and international trade, from a mixture of government and private sector experts.

Negotiators finalise talks on EU data protection regulation

European Parliament negotiators have finalised talks on the proposed European Union (EU) data protection legislation, paving the way to a single EU digital market worth up to €415bn a year. In June, the European Council of Ministers approved a version of the EU General Data Protection Regulation to replace the 1995 directive.

GDS insists Verify safe despite claims of vulnerabilities

The Government Digital Service (GDS) has insisted its Gov.uk Verify scheme is safe, despite an academic paper claiming its infrastructure is riddled with vulnerabilities. The paper highlights the Gov.uk Verify system uses a central hub through which the identity providers and services providers communicate. If this central hub were to be hacked, it could be used for “undetected mass surveillance” through user impersonation, it said.


THE WEEK IN IT


Legacy systems holding back 90% of businesses

Legacy applications IT leaders would like to rip out and start again with


Digital-only Atom Bank gets UK banking licence ahead of launch

Atom Bank has been granted a banking licence by the Bank of England and is set to launch later this year. The digital-only bank, which is the latest challenger bank to get permission from the regulator, will deliver its products and services through an app for mobile devices and desktop computers.

Cumbria Constabulary issues Samsung smartphones to officers

Cumbria Constabulary has partnered with EE to provide Samsung Galaxy Note smartphones to police officers working on the front line. More than 1,000 officers will be issued with the devices.

Box ties up with IBM to boost enterprise credibility and reach

IBM and Box plan to work across industries as part of a global partnership, offering cloud-based content collaboration integrated with IBM’s Watson analytics engine.

Cyber attackers prefer to encrypt communications, report shows

Cyber attackers are using encryption to hide their communications, a study by Vectra Networks has revealed. A comparison of hidden tunnels in encrypted traffic compared with clear traffic shows attackers favour HTTPS over HTTP for hidden tunnels, according to the latest Post-Intrusion Report.

Adoption of hybrid devices tipped to soar post-Windows 7

The enterprise should start preparing for the end of extended support for Microsoft Windows 7 by investigating how to include hybrid devices into their wider IT strategies, Gartner has advised.

5G networks could hit 20Gbps

A roadmap has been established for the development of 5G mobile networks, setting out the overall goals, process and timeline for the move to 5G, which will henceforth be officially designated as IMT-2020.

❯ IT pros give Windows 10 Start button the thumbs up.

❯ Innovate Finance dubs UK a fintech diversity hub.

❯ Oracle goes after AWS and Hana with cloud add-ons.

❯ Former TalkTalk CIO to lead Police ICT Company.


[Chart categories: CRM, customer databases, document management, ERP, BI and analytics, payroll, accounting software. Source: Hitachi Consulting/Vanson Bourne]


The hidden complexity that awaits the next generation of banking IT leaders

Newcomers to high street banks expecting to fight off the digital challengers are in for a shock, writes Karl Flinders

The banking industry is at a turning point and its next generation of IT leaders are likely to be the ones to take on the legacy systems – but the challenge is not getting easier.

Earlier in the month RBS was in the news once again after an IT failure prevented payments reaching customers’ accounts. RBS said it had identified the problem, but would not tell Computer Weekly what that was.

That 600,000 payments – including tax credits and disability living allowance disbursements – did not arrive when expected has grave ramifications for many customers.

This follows a £56m fine by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) in relation to a substantial IT outage in 2012, when RBS’s CA-7 batch process scheduler froze 12 million accounts. Customers were unable to access funds for a week or more as staff at RBS, NatWest and Ulster Bank manually updated account balances.

The regulators showed they are prepared to impose fines for IT-related problems that affect customers – but these are only part of the high street banks’ problems. With fresh competition from new challengers in the finance sector, it is now easier than ever for customers to vote with their feet.

Banks need to address the legacy IT systems they regularly blame for outages. But the next generation of banking IT professionals – with dreams of ripping out legacy systems and replacing them with the latest and greatest technologies used by the likes of Google and Amazon – are in for a shock.

The diagram on the next page was picked up at a Computer Weekly event recently. It depicts all the individual processing components and their interdependencies of a single mortgage system at a large, full-service retail bank.

Big banks have thousands of systems providing current accounts, savings accounts, mortgages, loans and many more. All have a similar diagram to describe their IT apparatus. Some systems at banks are now only understood by a few people – most of them retired – and newcomers to finance IT are not prepared.

One IT professional in the banking sector said schematic diagrams such as these are the “bread and butter of describing any system”, likening them to a “wiring diagram of a car showing all the components and wiring between them”. These diagrams are created during design and maintained over the years as part of the operational documentation, he said.

[Figure: IT complexity in a single mortgage system at a high street retail bank]

The boxes are typically applications, functions, databases and services, and the wires represent interfaces (read/write of data). “In addition to this would be a hardware view showing what mainframes, servers, network kit and locations are being used,” he said.

“An application usually has an inventory showing upstream and downstream dependencies for each component part, and there can be thousands of parts in a system and thousands of systems in a global bank. That’s why IT people in banks should get paid well. It’s fiendishly complex and has a huge impact if something goes wrong.

“Rocket science is probably easier.”

Addressing complexity in legacy bank IT

But banks must take on this challenge or face threats from more agile competitors targeting financial services. So what can they do? Here are the options outlined by a senior banking IT executive:

• Forget changing systems and remove complexity. This is what often happens when the decision-makers are near retirement or can’t stomach a multi-year, multibillion-pound project.
• Buy a modern core banking platform off the shelf, get it working, connect it and migrate everything from legacy systems.
• Acquire one of the growing number of challenger banks with their state-of-the-art IT and move the whole bank onto these modern systems, which can be tailored to the bank’s needs.
• Spend money on a state-of-the-art system and make it pay through acquiring other banks and moving them to the platform.
• Artificial intelligence (AI) could solve complexity issues. For example, IPSoft’s AI customer service platform, known as Amelia, can read all instruction manuals and automated fixes and could possibly support legacy transformation.

Jean Louis Bravard, IT outsourcing consultant and former CIO at JP Morgan, said: “Nobody has the balls to replace legacy systems at the big banks.” Although RBS has worked out the problem, he said recovering from it will involve painstaking manual work to ensure no mistakes.

Legacy systems can be replaced, but big banks are not taking it on because they are led by people who don’t understand the technology. “The root cause of this is that banks are being managed by former traders,” said Bravard. “Under this leadership, no big bank is going to invest huge sums of money over five years with no return on it.”


Is HMRC making tax more taxing for non-digital taxpayers?

Her Majesty’s Revenue & Customs is making tax data accessible online with its Personal Tax Account, writes Clare McDonald – but how should it cater for those unable (or unwilling) to use digital services?

Her Majesty’s Revenue & Customs (HMRC) is one of the largest central government departments, looking after over 29 million taxpayers and processing thousands of tax returns each year.

The department is now developing an online portal – the Personal Tax Account – to allow users to check all their dealings with HMRC. Taxpayers can use the Personal Tax Account to update relevant information and use private chat to talk to HMRC advisors on the department’s helpline.

Proponents including chancellor of the exchequer George Osborne have called the online platform “the end of the tax return” – but an estimated 10 million users will need assistance using the digital services, due to a lack of internet access, disabilities or other problems.

The system needs to take into account who its assisted digital users are and what their needs will be, said Robin Williamson, technical director of the low incomes tax reform group for the Chartered Institute of Taxation.

“It’s a spectrum – from those who have never used digital and who never will be able to; right up to those who are reasonably competent with most forms of digital, but face challenges in this particular form,” he said.

HMRC must then take into account how it will give these users access to the same service to meet their needs – through methods such as phone calls or paper forms.

Casting off the ‘digitally impaired’

Williamson referred to a tribunal case from 2013, between HMRC and the LH Bishop Electrical Company, in which LH Bishop appealed against HMRC’s insistence that the contractor organisation filed VAT returns online, other than in exceptional circumstances.

The LH Bishop case eventually led to HMRC changing the guidelines surrounding VAT returns. Williamson drew comparisons between this case and the ongoing need to include those he referred to as “the digitally impaired”.


“The main concern of not providing proper assistance to those who can’t go digital is that those 10 million will be disenfranchised,” Williamson said.

“You will have this system which – once it’s up and running – will be able to produce, and give you access to, a lot of information about your rights and obligations for the tax system, which may not be available to those without that digital access.”

But he said Whitehall departments often make claims they intend to help users but fail to explain how, leading to confusion.

Problems with digital by default

HMRC is one of the largest and most heavily used government departments to have moved its services online. It trialled the Gov.uk Verify personal identification system, allowing thousands of users to file their tax returns online.

Earlier this month, HMRC found cause to deny that the Gov.uk Verify system was causing problems for users, after many complained they were unable to use the service because they did not have the correct documentation needed for verification.

HMRC encourages users to attempt to use digital services first, saying they will find out in minutes whether or not they can continue and, if not, will be directed elsewhere.

But this causes problems for those unable to attempt the online services as a first port of call, and could put a strain on the department’s helplines.

“There’s always that danger that any kind of follow-through will be done online, because they will lapse back into default mode,” said Williamson.


The tribunal case between HMRC and the LH Bishop Electrical Company led HMRC to backtrack on its insistence that VAT returns be filed online


This digital by default strategy – led by the Government Digital Service (GDS) – has troubled other departments too. Earlier in 2015, the rural payments digital service – designed to provide EU subsidies to farmers – had to be withdrawn, due to poor performance just weeks before the payment deadline.

GDS identifies need for testing

GDS has highlighted the need for significant provisions and funding for HMRC to include the assisted digital user base during beta testing, as part of its latest assessment of the progress on developing the personal tax account system.

Preliminary user-needs research for the personal tax account found that, although users were wary of engaging with the department, they wanted one single profile to assess all their tax needs.

Although the testing identifies a need for all of an individual’s tax services to be in one place, GDS said there was a lack of contextual and ethnographic research, “which means there may be gaps or inappropriate emphases in the user needs statements”.

HMRC’s user-needs research failed to incorporate several significant demographic types, which could lead to the system’s development neglecting the needs of some assisted digital users, said GDS.

“The Personal Tax Account will link through to other HMRC ‘products’ where users can take action, for example paying tax or applying for a refund,” said the GDS report.

The GDS team’s assessment of the project found that, although several assisted digital user types had been identified, there had not been sufficient testing to register their needs. GDS said the system needed “substantial work” to focus on the needs of this type of user.

“Due to the estimated number of assisted digital users, it’s important this work is done promptly during development of the service,” the assessment report said.

“The plan for beta testing sounds reasonable, but there is a lot of work to do and the team needs to be further ahead with their understanding of assisted digital user needs for this service.”


Royal Free hospital trust digitises patient records using OpenText

Royal Free London NHS Foundation Trust digitises records as part of modernisation programme. Brian McKenna reports

The Royal Free London NHS Foundation Trust has digitised patient records as a stage in its modernisation programme.

According to trust director of information management and technology Will Smart, it hopes to move into “higher-end analytics” using the new trove of electronic content.

The Royal Free has used technology from OpenText Content Suite to carry out the digitisation of paper case notes and centralise new patient data as and when it is recorded.

The deployment went live on 12 November 2014 across all clinical services at the trust’s main site in Hampstead. It plans to extend the implementation to its two other sites, Barnet Hospital and Chase Farm Hospital, near Enfield in north London.

The Royal Free was founded in 1828 and was the first hospital in England to provide medical care for free. The trust employs 10,000 staff, has an annual budget of £950m and has 1.6 million “patient events” to record every year.

OpenText has provided a central repository for the trust to store, manage and make available 913,000 patient records, amounting to 10 million pages.

CASE STUDY

The Royal Free has used technology from OpenText to carry out the digitisation of paper case notes


“We are reducing paper storage costs, it is secure and we are freeing up space for patient care,” says Smart. “Paper is very expensive to run and organise. We have been employing several people whose only job is to go looking for case notes.

“Paper case notes can only be in one place at a time. With digital case notes, there are benefits around patient care, at the point of care.”

At present, health workers at the Royal Free use dual screens, showing the Cerner electronic patient record (EPR) system and the new digitised case notes.

“There is always that anxiety that IT will get in the way of the consultation between clinician and patient,” says Smart. “We are in the early stages of a journey. Doctors don’t yet have the same ease of use as they have with paper.”

So far, about 330,000 case notes have been scanned, he says, which is about one-third of a two-year job to be done.

Choosing OpenText

Smart says the trust chose OpenText for two reasons. “It is not all about the medical records. There is a danger of having fragmented document management systems. We wanted a platform for staff records too,” he says.

“Secondly, from an analytics perspective we wanted the future possibility of doing semantic analysis on the content, which could help with medical research.

“OpenText gave us the platform we wanted. There are lots of UK government instances of OpenText and US health reference customers as well.”


As the project has progressed, says Smart, clinicians have been asking for data over and above that which had been captured previously in paper case notes, such as some correspondence and test results. “We are continuing to add content,” he says.

OpenText Content Suite will be integrated with the trust’s Cerner EPR system. “We are making the access as flexible as possible,” says Smart. “You can get at the content through Cerner and directly.”

The business case for the project indicates return on investment within seven years, Smart explains. “But we are also improving the experience of patients and using our clinician resources more efficiently because of this system,” he says.

“Our partnership with OpenText means that we have been able to draw on its extensive experience of similar deployments globally, including in some of the world’s largest health systems, and access resources to ensure we maximise the value from OpenText.”


University of Dundee director of technology calls for diversity in IT

Paul Saunders talks to Cliff Saran about the cultural differences between the US and the UK in business attitudes

Paul Saunders has spent most of his working life in the US, but he now lives in an old blacksmith’s cottage in Scotland and works at the University of Dundee as director of technology.

Saunders joined the university two years ago. “When I was offered an interview I had to look on a map to find out where Dundee was,” he says. And his broadband is almost non-existent: “I get 0.2Mbps digital subscriber line connection.” Computer Weekly met up with Saunders at the recent Box World Tour event in London, where he participated on a customer panel.

The CEO of Box, Aaron Levie, is under 30 – so what is there to stop UK entrepreneurs? From his experience of the US, Saunders says: “I like to compare the difference between the US and Birmingham. In the US, if you were going to leave your job and start your own company, people would say, ‘Best of luck.’ If you tried that in Birmingham – where I grew up in the 1970s and 1980s – they would say, ‘I wouldn’t bother mate, you’ll be on the dole in six months.’ Why don’t we have the same mentality as the US?” he asks.

INTERVIEW

Saunders says a lot of innovation comes from the US, while the UK needs to address a cultural inertia to entrepreneurship


A lot of innovation comes from US companies, says Saunders, who believes the UK needs to address a cultural inertia to entrepreneurship. But there is progress. For instance, the Digital Scotland initiative aims to encourage and foster startups; but Saunders argues: “We need this across the UK.”

In fact, he says, the UK needs to make science, technology, engineering and mathematics subjects more attractive, and this goes beyond giving children the skills to build the next Facebook – IT needs people from a broader background. “We must absolutely drive diversity into technology,” says Saunders.

Speaking about his panel discussion at the Box World Tour, he adds: “We were a panel of middle-class, white men. I am not talking about this from a colour or sex point of view – it is about the diversity of our backgrounds. If the same people design software, nothing will change.”

Disruptive suppliers are driving very different ways of doing things, but Saunders says startups face major hurdles when trying to sell into the public sector. “We still have very antiquated procurement rules that don’t allow us to engage in an entrepreneurial, innovative way,” he says. Referring to a recent Digital Scotland event, Saunders says he was speaking to one entrepreneur who wanted to work with the public sector, but was put off by a 60-page request for proposals.

Changing the face of IT

With the introduction of university fees, academia has become more like business. In many ways, this shift is similar to the changes taking place in IT departments, as they evolve to focus more on service.

“There is a huge debate in universities as to whether students are customers. I don’t think you should treat someone any different if they pay for something. It is about how we view customer service,” says Saunders.

“We are trying to change how we deliver IT from system to service, which is a complete mindset change.”

Saunders argues that this is tough for many people in IT, who became IT specialists because they like technology. “Some people got into IT because they don’t like people, but we are starting to see that the role of IT is to deliver services and solutions that aid the business. It is not about how well we can patch a system or how well we can design a network,” he says.

Such areas of IT are commodities, Saunders argues: “Our value is about what we can do to improve the student experience.” At Dundee this may translate to how IT can enable the university to remain number one for life sciences.

While in the 1960s and 1970s IT people worked on mainframes and minicomputers that churned out reports to help people make better business decisions, Saunders says today both the business and IT should question the rationale for producing such reports. “Are we doing these reports to make better business decisions or to justify the decisions we have already made?” he asks.

Just because IT enabled the business to get the reports it asked for, that should not necessarily be considered job done for IT. Saunders is working at changing how IT measures success. “Before we used to ask if a system was live, had it been rolled out?” he says. But such criteria were IT-centric, in that IT did not assess how well the system met people’s needs or how well the service desk coped with helping users. “Everyone in IT does a stint on the service desk,” says Saunders. “You get to experience what it is like for people who are not too thrilled with your software.”

In Saunders’ experience, IT’s communication with the organisation is usually when something goes wrong: “We don’t do a great job tooting our horn, showing how we have aided the university. We also don’t show people how to do things better and we confuse people,” he says.

IT has finite resources, so it needs to work out how to improve without incurring major expenditure, according to Saunders. “When we were looking at file synchronisation and sharing, the price I am paying for Box was less than if I designed and built a file-sharing service myself, and there is no value in doing this,” he says. It is the same for email. “We moved to Microsoft Office 365 and it works really well,” he says.

Reflecting how IT has changed, Saunders concludes: “If you just focus on patching servers and building nice networks, this is not the world we live in any more.”

Saunders says the role of IT at the University of Dundee is to improve the student experience

Computer Weekly, 2nd Floor, 3-4a Little Portland Street, London W1W 7JB

General enquiries 020 7186 1400

Editor in chief: Bryan Glick 020 7186 1424

Managing editor (technology): Cliff Saran 020 7186 1421

Head of premium content: Bill Goodwin 020 7186 1418

Services editor: Karl Flinders 020 7186 1423

Security editor: Warwick Ashford 020 7186 1419

Networking editor: Alex Scroxton 020 7186 1413

Special projects editor: Kayleigh Bateman 020 7186 1415

Datacentre editor: Caroline Donnelly 020 7186 1411

Storage editor: Antony Adshead 07779 038528

Business applications editor: Brian McKenna 020 7186 1414

Business editor: Clare McDonald 020 7186 1426

Production editor: Claire Cormack 020 7186 1417

Senior sub-editor: Jason Foster 020 7186 1420

Sub-editor: Ben Whisson 020 7186 1478

Sub-editor: Jaime Lee Daniels 020 7186 1417

Sales director: Brent Boswell 07584 311889

Group events manager: Tom Walker 0207 186 1430

Make losing legacy IT your personal legacy

The term “legacy IT” is, in reality, something of a misnomer. It’s recognised by every IT leader to represent the old software and hardware in their infrastructure, especially where it has since been superseded by newer technologies. Some 90% of IT chiefs say legacy IT is holding them back and hindering their adoption of digital strategies.

But in effect, every bit of kit or new application becomes “legacy” the day after it goes live – at least, under traditional IT management methods. Legacy IT is sunk cost. Hopefully it’s an investment, one that no matter how much it seems out of date, cumbersome or complex, is still delivering a return. Otherwise, why not just turn it off?

As the big retail banks have found, legacy IT still runs the business, and the cost and risk of replacing it still just about outweigh the risk of keeping it going. There are ways to extend the useful life of legacy IT – not least by wrapping it in a layer of application programming interfaces (as discussed in our feature on page 23) – but the ultimate goal for any IT leader has to be to eliminate legacy IT completely.

That’s not as daft an idea as it sounds.

Ask yourself this question: Can you invest in technology that doesn’t become a legacy? If you were starting from a greenfield site today – as startups do – you would design legacy out of your IT architecture. You would use cloud services widely if not exclusively. There would be no more worries about hardware getting old. You would develop software iteratively using agile methods, and manage your infrastructure using DevOps principles, so that corporate applications are constantly updated and never become legacy. If you encourage staff to use their own mobiles and laptops at work too, then you avoid the need for regular user device updates.

Of course, it’s never quite as easy as that, and we’re a long way from reaching a point where everything in your IT infrastructure is constantly refreshed. But it’s increasingly feasible to move your IT strategy in that direction.

Instead of dealing with the problems of legacy IT, how about making the elimination of legacy IT your personal legacy as an IT leader?

Bryan Glick, editor in chief

EDITOR’S COMMENT

OPINION

Closing the gaps in EU cyber security

Inconsistent approaches to cyber security across Europe are undermining attempts to harmonise policy and preparedness in the European Union, writes Thomas Boué

Bolstering cyber security is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create and solve problems, it has also introduced risks that must be managed.

European officials, including representatives from the UK, are closing in on negotiations for a European Union (EU) Network and Information Security (NIS) Directive, which is the EU’s first attempt at crafting cyber security legislation.

The NIS Directive is aimed at harmonising cyber security laws and improving pan-European co-ordination on cyber security incidents. This is no small feat when brokering an agreement among 28 countries. A recent analysis from the Business Software Alliance (BSA) charts just how big a task officials have before them.

The BSA EU Cyber Security Dashboard examines national cyber security laws and policies across the EU, and finds an unhelpful patchwork exists when it comes to cyber preparedness. While some countries have strong cyber security legal frameworks – the UK, Germany and Estonia, for example – others still have much work to do.

There are also considerable discrepancies between countries’ operational capabilities when it comes to cyber threats. The result is gaps and fragmentation that put the entire European market at risk.

Encouragingly, most countries recognise cyber security should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Truly critical services, such as transport, energy and banking, are where disruption from cyber incidents could do the most harm.

Yet, more than half of EU member states have yet to go through the process of assessing and establishing priorities for providers of critical services and infrastructure.

Lack of co-operation

Among other gaps the report highlights is a lack of co-operation between governments and the private sector on cyber security.

This issue was similarly called out by US president Barack Obama in February, when he signed an executive order aimed at encouraging better information sharing between US public and private sectors about cyber attacks.

Likewise in Europe, most infrastructure is owned by the private sector, making public-private co-operation essential. Yet only a handful of European countries have an established framework for public-private partnerships on cyber security. The more communication and co-ordination taking place between EU, national governments and the private sector, the more resilient all of us will be in the face of evolving cyber security threats.

There are fundamental elements of a strong legal cyber security framework. These range from establishing strong legal foundations and a comprehensive and regularly updated cyber security strategy, to engendering trust, working in partnership and promoting cyber security education. These building blocks provide valuable guidance for national governments that are ultimately responsible for implementing cyber security rules and policies.

Protectionist rules

But there are also worrying developments around the world, as some governments use cyber security as justification for protectionist rules that reduce choice and undermine cyber protections.

Policymakers should avoid country-specific cyber security standards, obligations to disclose sensitive information – such as source code or encryption keys – data localisation requirements, or preferences for indigenous providers, among other unhelpful policies. Such policies undercut cyber security rather than improving it. They also impose unfair market access barriers on global producers and service providers, whether intended or not.

As the UK and other EU member states attempt to complete work on the NIS Directive and agree on common language with the European Parliament and the European Commission over the coming months, harmonisation should be top of mind.

The aim of the directive should be to establish a foundation of cyber security preparedness, with harmonised rules grounded in a risk-based approach and focused on providers of truly critical infrastructure and services.

Cyber threats take no notice of national borders. The sooner we raise the level of cyber resilience across all European Union member states – particularly for Europe’s most critical infrastructure – the closer we’ll be to securing our governments, citizens and businesses against malicious cyber attacks. We’re much stronger if we’re in it together.

Thomas Boué is director of government affairs at BSA.

BUYER’S GUIDE TO DEVOPS | PART 3 OF 3

Overcoming the business and technology barriers to DevOps adoption

The benefits of DevOps are well documented, says Caroline Donnelly – but what steps should the enterprise take in adopting this approach to software development and delivery?

The topic of DevOps has dominated discussions at many of the major IT conferences this year, with suppliers and analysts lining up to warn enterprises about the business risks of failing to adopt a more agile approach to software development.

Enterprises that want to maintain their competitive edge, it’s often claimed, can no longer afford to embark on large and lengthy software development and testing cycles, presided over by disparate groups of developers and IT operations staff.

Instead, software should be created in a more collaborative way with developers and operations working in small teams to test and release updates and new products at a faster rate than ever before, using automation and monitoring tools.

But, for enterprises entrenched in the old way of software development, adopting a DevOps style of working isn’t going to be easy for CIOs without buy-in from the whole IT department.

“On the face of it, DevOps sounds brilliantly straightforward, but the worlds of ‘development’ and ‘operations’ hide a variety of job functions. Moreover, the teams in these camps have traditionally had very little interaction with one another,” says Gautam Mitra, founder of IT training company Unicom Seminars.

“It’s relatively easy to put the right tools and processes in place, but you can’t ignore culture – and getting these two camps to work together and collaborate calls for a big change.”

Jumping in with DevOps

Ordnance Survey, while famed for the production of paper-based maps, also develops software for its in-house teams of cartographers and surveyors, government agencies, utility companies and building firms.

Keith Watson, agile delivery manager at Ordnance Survey, has gone down the DevOps route as part of a wider push to improve communication and collaboration between its various teams.

In the past Ordnance Survey ran a software infrastructure team and a second team for building the environments required.

“There was a degree of customer dissatisfaction with the service we provided, in the sense that we couldn’t keep up with the demand from developers, which meant there were long lead times in providing them with environments; and they were created in a manual way with semi-automated scripts,” says Watson.

“So, not only did it take us a long time to provide these individual environments, sometimes they weren’t always the same.”

This often led to disagreements between the software development and infrastructure building teams, as the environments they delivered didn’t always quite fit the bill.

To rectify this, Watson created small groups of developers and infrastructure architects, while doing away with the ticketing system used to communicate requests between these groups.

“After they got into the teams, the value of sitting everyone next to each other became apparent very quickly – not only in understanding their requirements but they all got to see that the developers and the environment team were real people and they got on quite well,” explains Watson.

Changing the technology game

Embracing a DevOps way of working may sometimes require the overhaul of a company’s IT infrastructure, and many organisations advocate moving to the cloud as an important first move.

Cloud services – such as Amazon Web Services EC2 – can provide DevOps teams with quick, on-demand access to the computing resources required, affording them a level of agility they might not get from on-premise technologies.

“Cloud, much like DevOps, emerged as a way to improve flexibility in organisations, helping projects react more quickly to changing circumstances,” Unicom’s Mitra explains.

“There’s some debate about whether cloud is driving/facilitating DevOps or if DevOps is prompting the need for cloud. No two implementations will be the same so, depending on the case in hand, either scenario could hold true – but what is clear is that DevOps and cloud are intricately linked.”

But that’s not to say cloud is a necessity for DevOps success, says Jon Cowie, staff operations engineer at online marketplace Etsy, which has taken a DevOps approach to software delivery since 2009. Cowie says the approach allows it to update the site every 20 minutes with no loss of service for its 20.8 million users.

While he admits the cloud has its place in some DevOps deployments, his firm’s operations are underpinned by on-premise infrastructure in its own datacentre.

“Because of the way our site traffic works, we don’t have to deal with bursts of traffic, because our traffic pattern follows relatively predictable seasonal trends, and we are actually able to predict with a high degree of accuracy what our traffic is going to look like at any given point,” he says.

“If we were dealing with bursty traffic like Netflix and sudden peaks in demand, it’d be a much different story.”

Getting started with DevOps: Show results to overcome managerial scepticism

Barry Crist, CEO of IT automation vendor Chef, says the best way to get started with DevOps is to line up a small but non-trivial project that would lend itself well to the DevOps approach – and instruct the team to get stuck in.

“It’s difficult to change a way of thinking sometimes, as it involves altering how people interact with technology so they can adopt this high-velocity, small-batch approach,” he says.

“That’s why the best way to drive change is, instead of having a very conceptual conversation about things, to get people from across the whole IT stack and get them working on one thing. The results and benefits will become readily apparent.”

This approach is also crucial for winning over sceptics in senior management fearful about the impact of the change on the rest of the organisation.

“The funny thing with large enterprises is, a lot of organisations will tell you that ‘Big Bang’ IT projects do not work – and yet a lot of organisations persist in doing it,” says Crist.

“But the benefit of DevOps is that – with the help of automation – you can simultaneously increase quality, the rate of innovation and then pick up other things, such as better consistency in your products.

“Imagine being an executive at a company trying to argue against achieving all those things. It’s a completely redundant discussion,” he adds.

Appraise aims before investing in DevOps

In Ordnance Survey’s case, there wasn’t much in the way of technology preparation, recalls Watson, as the organisation was already using internal clouds, side-by-side with Microsoft Azure and Amazon Web Services, in developing software.

Even if they weren’t, Simon Parkes, an infrastructure architect at Ordnance Survey, says that wouldn’t have stood in the way of the organisation’s DevOps push.

“There is a danger – particularly when you look at other case studies on DevOps – that technology can end up being a barrier to getting going, because it requires a lot of upfront technology investments in building out cloud capabilities,” says Parkes.

“Because ours was a cultural and working practice change, first and foremost, we took the view of just finding a project and getting started straightaway, instead of getting too bogged down in the technology groundwork.”

Clearly, going down the DevOps route requires a lot of business and technology preparation – and it’s not necessarily a way of working that will suit every organisation.

“There’s not a definitive end to DevOps – it’s a way of approaching development – but have a good idea about what you hope to achieve before implementing the change, as the investment can be high,” cautions Mitra.

“In other words, don’t do it just because everyone else is.”

IT MANAGEMENT

Why CIOs should loosen their grip on enterprise IT

CIOs need to decentralise IT systems and provide the business with access through APIs, writes Cliff Saran

Blue-chip companies are facing major disruption to their business models, the like of which has not been seen since Amazon rewrote retail.

Web startups are using IT to add customer value, threatening established business models.

The old ways of running IT may be hampering the ability for older businesses to innovate. IT departments should be adopting agile methodologies, splitting quick-win projects from the multi-year major IT programmes.

But this is only part of the answer. Uber, Airbnb and Alibaba are among the technology-driven pioneers taking on the old ways of doing business.

Such companies are delivering value by providing convenience, ease of use and an overall better customer experience than the traditional methods of booking taxis and hotels or sourcing suppliers.

They also do much more, extending their reach beyond their core business proposition to attain more customers by operating as part of an affiliate network, enhancing someone else’s unique selling point.

These companies represent a competitive threat to many of the business models created before the turn of the century – but IT can make a difference.

Consumerising business needs

Ross Mason, founder of MuleSoft, a company that provides application programming interface (API) management technology, says enterprise IT needs to adapt.

The old ways of running IT do not reflect a reality where a business needs to act on threats and opportunities as quickly as possible to gain a competitive edge or limit the impact of a rival.

Speaking to Computer Weekly at the MuleSoft Summit 2015 in London, he said: “There is a change in the role of IT.”

According to Mason, IT previously believed everything was technology related. “IT touches every part of the business,” he says.

This is not just about the consumerisation of IT, but the consumerisation of enterprise IT – the sacred cow of the IT department.

So rather than attempt to manage and support the enterprise IT systems, Mason recommends IT provides the business with managed access through defined interfaces, namely APIs.

“IT cannot own all the applications. Not every request for information should end up being an IT project,” he says.

Mason urges CIOs to decentralise access to enterprise systems and provide self-service through defined APIs so user departments can build their own applications.

“Most pieces of data should be opened up internally,” he adds. This data, trapped in back-end systems, can be used by the business to drive greater customer satisfaction.

Bimodal IT

IT outside of the IT department is already happening. Salesforce.com and other software-as-a-service (SaaS) applications are being purchased directly by the business; marketing spends more on IT than the CIO; and mobile apps are often developed by web and mobile design agencies with or without the IT department’s knowledge.

As a result, the CIO needs to change the way IT is organised and look at the broader role of the IT function in the business.

In the past, the CIO may have had a grand vision to link enterprise IT systems together using a service-oriented architecture, exposing web services on an enterprise service bus to provide unified access to the underlying systems. But, according to Mason, even though web services were meant to modernise IT systems, they were never opened up to non-IT departments.

Mason urges IT departments to stop trying to control access to enterprise systems and accept that some enterprise applications will be developed by other departments. The CIO should give the business freedom to do its own IT to enable customer-facing departments to optimise the customer experience they offer.

This leads to two types of IT: one focused on managing and maintaining the mission-critical systems of record, the core back-end systems; while the other works in an agile way to create business value quickly.

According to research analyst Gartner, a system of record is essential to how a company operates, and does not provide competitive advantage.

Projects based on a system of record tend to have clear outcomes and approaches to achieving these results, which ultimately amounts to doing the process as well as any competitor, says Gartner.

On the other hand, enhancing the usability of the company’s e-commerce site, building a service around intelligent, internet-enabled devices or the convenience of a mobile app are differentiators. Mobile apps and internet of things projects usually require a different approach to IT, since the business cannot usually afford the time to run months of formal specification, development and testing often associated with traditional enterprise IT projects.

Many of these apps are developed outside of IT. However, without a connection to the system of record, such apps are somewhat limited and arguably lack a fulfilling customer experience.

According to analyst Forrester, since a huge amount of intelligence about customers, products and history is tied up in back-end transaction systems, CIOs should consider unlocking these systems to make the data available to mobile and web developers.

“CIOs will have to invest in APIs that service-enable existing systems. In doing so, the IT department can potentially eliminate redundant systems and enable a single view of the enterprise to support the entire customer journey,” the analyst notes in its Close the experience gaps with the right business technology report.

Rentokil is an example of one organisation that has begun to open up the APIs of its core IT systems to other parts of the business (see panel: Rentokil opens up ERP APIs to the business). Over time, some of these APIs will extend to Rentokil customers, creating an API economy where Rentokil and its customers are able to derive value from sharing APIs.

This is a phenomenon web startups have mastered. On his trip to London, Mason said he booked through the Kayak flight search site, which connects to Priceline’s travel site, which in turn links to the global ticketing systems for travel bookings that ultimately connect to the airline, with payment then taken through PayPal.

Each service adds to the overall customer experience offered by Kayak, but equally, each gains from a successful transaction.

Make APIs public to extend value

In 2014, Uber released an API, allowing systems such as OpenTable and Google Maps to use its service to offer visitors online taxi bookings, and so improve their overall customer experience.

“Wherever you want to go, you can connect into Uber,” says Mason.

Connecting to Uber potentially adds value to the websites by offering a more complete customer experience, while Uber gains valuable new channels to market.


There is clearly a risk in opening up APIs. Access to the back-end core IT systems needs to be managed. Who has access to which API, what data can they view and what data can they change? Some systems such as commercial enterprise resource planning (ERP) or SaaS may incur additional software licences or pay-per-use charges. The finely tuned core IT system could be swamped by external requests.

But while organisations need to give careful consideration to how to make APIs work externally, Mason believes affiliate networks of APIs can drive value and improve customer experience.


Rentokil opens up ERP APIs to the business

Rentokil’s IT function has created a set of APIs available to other departments in the company, enabling them to create their own applications that communicate directly with the core ERP system, without IT having to get involved.

ServiceTrack, a mobile application for field staff, is one of the first apps developed using these APIs to provide mobile access to the core ERP. The app provides mapping and alerts, and enables the technician to see which jobs are next. It is also possible to book jobs directly from the device. Additionally, users can email an issue, which is uploaded onto Amazon Web Services.

The app is being deployed on £100 mobile devices to technicians in Asia, a considerable saving compared with the £1,000 ruggedised devices deployed in the UK.

Rentokil Initial director of enterprise delivery Antony Meadows says: “The business is starting to have capabilities to create IT.”

One of the key benefits for Meadows is that the app was developed outside the IT department, using MuleSoft to manage the APIs, exposing functionality to the developers in the business.

“With the API layer opened up, the business does not need to go to IT,” he says.

While ServiceTrack is internally focused to improve efficiency, Rentokil is also working on customer system integration, to integrate directly with the facility management IT systems used by its larger customers.

In terms of improving customer experience, Meadows says the system will remove “thousands of hours of admin”. This will be achieved by reducing the need for the customer to re-key information into its own systems.

For Meadows, opening up the mission-critical enterprise IT APIs has been a blessing. “We are moving from a pure provider of IT to helping the business create value,” he says.


Death, taxes and data security audits

Benjamin Franklin said nothing is certain except death and taxes – but security audits should be added to the list, says Warwick Ashford

Many view death, taxes and data security audits in the same light, but while there is little or nothing to be done about the first two, business can take the sting out of audits, in preparation and response.

This is particularly true of data security audits, when information security professionals have an important role to play in handling any uncomfortable truths that may emerge.

The key is to view audits as an opportunity to improve security, not as a personal threat: “Any security professional worth their salt should embrace the gaps found by auditors, with open arms,” says Tim Holman, board director at the Information Systems Security Association and CEO at security consultancy 2-sec.

“They certainly should not try to brush it under the carpet in the hope their bosses will not find out, as this cover-up behaviour leads to data breaches and people losing their jobs.”

It is about acceptance and attitude – accepting that auditors will almost always find something that needs attention and having the attitude that this is an opportunity to do a better job of protecting the organisation’s data assets.

Far from regarding an auditor’s fault-finding in a negative light, Holman says that, if an external auditor does not find anything that needs fixing, you should find another who offers better value for money by providing the opportunity to improve.

In the real world, things such as payment card industry data security standard audits have annual deadlines that can result in battles between qualified security assessors (QSAs) unwilling to sign off systems that are not compliant and information security professionals tasked with meeting the deadline.


Avoiding surprises

Holman – a QSA himself – says information security professionals should engage with auditors early so there are no surprises and there is enough time to fix any gaps.

Internal audit often undertakes a crucial assurance role in an organisation, with particular attention to risk management and control, says Isaca international vice-president and Vodafone technology risk, compliance and assurance leader, Steven Babb.

“Given the connected world that we live and conduct business in, cyber security typically holds a key spot in an organisation’s risk profile and, consequently, is a key area of focus for internal audit,” he says. “It should therefore be seen – and treated – as a business partner, with increased reliance placed on it to make a significant governance contribution.”

But considering the rapid rate of change, Babb says this requires that security risks are assessed regularly and that mitigation takes place. “The truths that are often uncovered can be wide-ranging, from faulty processes, legacy infrastructure and end-of-life systems, the lack of patching and ineffective supplier management programmes, through to weaknesses in the management of customer and employee data,” he says.

Articulating risks with executives

The role of information security professionals continues to evolve, with increased demands on them to act as business leaders. The expectation is that they should identify and assess security risks, and put in place plans to appropriately mitigate these. But this requires investment, with the board often having to balance investment in security maintenance programmes with investment in more direct revenue-generating activities.

“It is therefore increasingly important for information security professionals to be able to articulate these risks in clear business-focused language,” says Babb.

“The reality is that both functions need to work closely together, supporting each other in ensuring that key security-related messages are presented appropriately and at the right level, thus ensuring the necessary levels of support and buy-in are achieved.”

But the relationship between information security professionals and auditors may not always be a comfortable one. “This can, in part, be due to communication issues or styles,” says The Security Institute director of cyber research and security Mike Gillespie. “It is not always easy to be effective and meet an audience’s needs when rushing to get a point across.”

Gillespie says auditors may also not have a security or information security-risk background and so information security professionals also have to apply a nuanced approach to an audit to capture the real picture of what is happening with the audit.

“The audit is, after all, a tool,” he says. “It is a means to understand how we are performing against a defined set of criteria. It is not the goal itself. Add these elements together and you get the perfect storm for frustration, misunderstanding and a potentially toxic cocktail of obfuscation and back-protecting, leading to a lack of real progress or improvement – which is the real objective of the audit.”

Information security professionals keep security measures proportionate, says Gillespie, which may mean a layer of interpretation or common sense needs to be applied when it comes to an effective audit and communication of the findings. The event of a non-conformity may not be a bad thing if the risk mitigation in place is proportionate, he adds.

“For example, if someone is working in a sensitive environment but does not keep their office door locked at all times when they are working,” says Gillespie. “If there is sufficient perimeter security in an appropriate place, such as a door entry system to an outer office area with no unauthorised staff entering, then it may be part of a nuanced approach to accept the small risk of working in an unlocked office.”

But if the auditor sees only non-conformity and cannot accept that acceptable and proportionate steps have been taken and the risk is acceptable, Gillespie says the spirit of policy has been missed and the information security professional will see only a non-conformity mark. This puts them in an uncomfortable situation when it comes to reporting back to the organisation because it makes them look bad or somehow lacking in expertise or application skills. “This brings us back to the need to understand what we are being told and apply it to our organisational needs,” says Gillespie. “The audit is a tool – tools are useful and meant to work for our benefit, not to make life harder or less productive.”

According to Gillespie, viewing an audit as a means to an end is a better way to interact with an auditor and the findings of an audit. “After all, everyone should be on the same page: protecting information assets. If the audit is well done it can provide invaluable insight into what is being done well and can therefore be repeated in other areas, as well as what needs improvement and what needs to stop,” he says.

The audit is also a means by which the information security professional can communicate with senior management or the boardroom, says Gillespie. “It can provide evidence for business cases to be built for greater budgets, to prove return on investment in key areas, and to build confidence in the capabilities and approach of the security team.”

Gillespie says the best possible result is that the audit provides information security professionals with confirmation of what they do well, where they need to review or improve, and where additional resource or budget is required. “Security professionals have a duty to engage with auditors and, if necessary, help to educate them and ultimately to accept their findings in a non-protectionist manner. We are stronger together as a team,” he says.

Build a relationship with the audit team

However, chief information security officers (CISOs) that get lots of audit points may need to take a slightly different approach, says (ISC)² European managing director Adrian Davis.

“They should build a relationship with the audit team to understand how they have come to their conclusions and why they have raised those audit points,” he says.

“It is impossible to work hand in glove with internal audit teams, but by developing a good working relationship with them it becomes easier to discuss the details behind problems and more of a collaborative effort.”

To ensure that an audit results in progress towards better security, Davis says CISOs should determine the scope of the problem and whether the points are limited to a department or are enterprise-wide. From there, he says, use the audit points as a metric of progress where they can demonstrate progress to management and the board.

“But audits can also be used to set out the case for more personnel and give cyber security a seat in the boardroom, since audits can highlight how the whole organisation is susceptible to security threats and it is not just an issue for the IT department,” says Davis.

If security audits are regarded in a positive light and approached in a positive way, while they will remain as inevitable and unavoidable as death and taxes, the outcome will be much better, and the information security professional has a key role to play in ensuring this positive outcome.


Hot sauce QR code too hot for some

Heinz went red in the face recently as one of its consumers pointed out a quick response (QR) code on the back of its tomato ketchup bottles pointed towards a porn site.

The brand had set up the interactive codes to allow customers to design their own label for the new Heinz Tomato Ketchup Hot, but where the QR code pointed turned out to be a little too hot for a customer in Germany who discovered the mistake.

The QR code was directing users to the saucy adult website because the Hot Sauce promotion had ended and the licence for the link had expired, leaving the condiments firm in a pickle.

The company said it is taking steps to make sure the incident does not happen again in the future.
