Cybersecurity is a Necessity, Not an Option, in the Face of Global Security Threats, Says CSC

Transcript of a BriefingDirect podcast on the growing need for cybersecurity as an important organizational goal for businesses and government agencies.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Gardner

Once again, we're focusing on how IT leaders are improving security and reducing risks as they adapt to the new harsh realities of doing business online.

We have a fascinating discussion today, because we're joined for Part 2 of our series with HP strategic partner and IT services and professional services global powerhouse CSC. We'll be exploring how CSC itself has improved its own cybersecurity posture.

With that, please join me in welcoming our guests, Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity. Welcome back, Dean.

Dean Weber: Thank you.

Gardner: We're also here with Sam Visner, Vice President and General Manager for CSC Global Cybersecurity. Welcome back to you too, Sam.

Sam Visner: Thanks, Dana, for this opportunity to discuss this topic.

Gardner: As you recall, in Part 1 of our series, we examined the tough challenges facing companies and how they need to adjust their technology and security operations. We saw how they were all now facing a "weapons-grade threat," as we put it, with big commercial incentives for online attacks and also a proliferation of more professional attackers. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

We also learned how older IT security methods have proven inadequate to the escalating risks that are also expanding beyond corporate networks to include critical infrastructure, supply chains, and even down to devices and sensors.

So today, we'd like to take a deeper dive into how CSC itself is going beyond just technology and older methods to understand a better path to improve cybersecurity.

Let me start with you, Sam. What's the most impactful thing that CSC has done in the past several years, perhaps in concert with HP, that's proven to be a major contributor to a more secure environment?

Visner: There are three things to which I'd point. In the course of any conversation about three things, I'll think of a fourth, a fifth, a sixth, and a seventh in due course, but let me start with three things.

The first is the recognition that cybersecurity is an important issue for any organization today, whether they're a Global 1000 company, a Fortune 500 company, or a government agency, and everybody has a stake in cybersecurity.

Same question

The first thing is that, because everybody has this stake, there has been a recognition that the cybersecurity of the commercial world and the cybersecurity of the public sector are really the same question.

Visner

The commercial world provides the technology on which governments depend. Governments express the interest that the public has and the cybersecurity of those parts of the private sector that manage energy, transportation, critical manufacturing, aerospace, defense, chemicals, banking, healthcare, and any other thing that we call critical infrastructure.

In our company, where we serve both the public sector and private sector, we recognized early on that it made sense to address commercial and public sector cybersecurity from a common strategy. That's the first thing.

The second thing is that we then built a unified capability, a unified P&L, a unified line of business and delivery capability for cybersecurity that brings together our commercial and our public-sector business. We're end to end. So from consulting and assessments, then education, through managed cybersecurity services and systems integration, all the way through incident response, we make our full portfolio available to all our customer set, not just part of our customer set.

And the third thing is -- and I am going to ask Dean Weber to comment on this, because more than anyone else he has been the motivating powerhouse here -- a lot of people think about cybersecurity as tools. What's my firewall? What's my user provisioning? What's my password policy? How am I handling passwords? What should I be doing about endpoint protection?

That's a recipe for disaster, because you're always playing catch up against the problem and you don't even know if the tools work together.

That's a recipe for disaster, because you're always playing catch up against the problem and you don't even know if the tools work together. You certainly don't have the means to take the information that these tools generate, put them together, analyze them and give yourself the big picture that allows you to be effective in understanding the total threat you face and the total situation that you have internal in your organization.

The third thing that has been important is moving from a tools-based perspective to an architecture-based perspective, one in which before we buy tools or develop tools, or even in which we define offerings, we define the architecture of our offerings.

What are we trying to do? How will these offerings fit together in accruing information outside of our enterprise about the global threat environment and inside of an enterprise about everything that affects the security of an organization, from their smartphone, all the way down to their industrial control systems on the shop floor?

What are the offerings that, when knit together, give you a total capability? Then, what are the specific technologies that are pertinent to each of those offerings? So taking an architectural approach as opposed to a product-specific approach is the third basic development.

Again, the public sector and commercial sector have to be approached in a common strategy, the need to build a common organization serving all our customers across the CSC space, and approaching our solutions from an architectural perspective where you fit everything together in terms of offerings, capabilities, and technology. Those would be the three things to which I'd point.

Architectural level

Gardner: Dean Weber, let's get some more input on the shift from a tools perspective or a tactical perspective to that architectural level?

Weber: As Sam pointed out, the idea here is that we need an integrated capability to combat the current and emerging threats. You do that based on a global ability to detect and defer the threats, remediate as quickly as possible from threats that have manifested themselves, and recover.

Weber

Not only are we a services provider of managed security services to enterprise and government, we also consume those services ourselves on the inside. There's no difference. We drink our own champagne, or eat our own dog food, or however you want to put it.

But at the end of the day we have made this very security operations center (SOC)-centric offering, where we have elected to use a common technology framework across the globe. All of our SOCs worldwide use the same security and information event management -- SIEM technology, in this case HP ArcSight.

That allows us to deliver the same level of consistency and maturity, and given some of the advanced capabilities of ArcSight, it has allowed us to interconnect them using a concept we call the global logical SOC, where for data protection and data privacy purposes, data has to reside in the region or country of its origin, but we still need to share threat intelligence, both internally generated and externally applied. The ArcSight platform allows us to build on that basis.

Separate and apart from that, any other tools that we want to bring to bear, whether that's antivirus or vulnerability scanning, all the way up the stack to application security lifecycle, with a product like Fortify, we can plug all of that into the managed framework regardless of where it's delivered on the globe and we can take advantage of that appropriately and auditably across the entire hemisphere or across the entire planet.

The idea here is that we need an integrated capability to combat the current and emerging threats.

Visner: Dean mentioned HP Fortify. As you may know, we're bringing out an application security testing-as-a-service component of our portfolio. It’s an offering. That was done very deliberately. It's a portfolio of offerings that comprise a total capability. Each offering goes through offering lifecycle management to ensure that it conforms to the architecture, and then trade studies to determine which technologies, in this case the HP Fortify technology, are pertinent to that offering.

As we move out on this, what people should expect is not that somebody is going to show up and say, "Buy our tool." Instead, what we're going to be doing is soliciting requirements for tools and technologies, some of which we'll buy or license and some which we'll develop ourselves that conform to the total architectural approach that Dean described. What we're doing with HP Fortify is a perfect example of that very deliberate and methodical approach.

Gardner: It sounds as if an important pillar of those three items you brought up, Sam, the common strategy, unified capability, and architecture, is to know yourself as an organization, to deeply understand where you are, and then be dynamic in terms of tracking that. Do the HP Fortify and HP ArcSight technologies come to bear on that aspect of self-awareness?

Visner: The way I would put it is this. We have to deal with a situation in which we have a broad set of industries that we serve from a cybersecurity perspective. I'm going to take a look at the ArcSight situation here more particularly, because the ArcSight situation is one that had to serve CSC and its customers on a global basis.

Wide range of environments

We do cybersecurity for public-sector organizations, but we also do it for chemical companies, banks, aerospace and defense companies, manufacturing companies, and companies in the healthcare space.

We have to be able to bring together data across a very wide range of environments. Although there are some great global threats out there, some of those threats are being crafted to be specific to some of the industries and some of the government’s activities that we try to safeguard.

Therefore, in the case of ArcSight, we needed an environment that would allow us to use a broad range of tools, some of which may have to be selected to be fit for purpose for a specific customer environment and yet to accrue data in a common environment and use that common environment for correlation and analysis.

This is a way in which our self-awareness as a company that does cybersecurity across many sectors of the private sector, as well as a broad range of public sector organizations, told us that we needed an environment that could accrue a wide range of data and allow us to do correlation.

In terms of what we're doing with Fortify and application security testing,  one of the things we've learned about ourselves is that we're going to support organizations that have very specific applications requirements. In some cases, these requirements will relate to things like healthcare or banking. In some cases, it will be for transactions. In some cases, it will be specific workflows associated with these industries.

We are trying to raise the bar globally to one, high, common level of application security testing.

What’s common to this, we have learned, is the need for secure applications. What’s also common is that globally the world isn’t doing enough in terms of testing the security of applications. This is something we found we could do that would be of value to a broad range of CSC customers. Again, that's based on our own self-awareness of what those customers need in our history.

Remember, our company has been doing independent IT and software work since 1959. One of the things we've learned over 54 years is that there is a wide variety of things that organizations do in terms of making their software really useful, and there is a wide variety in the attention they pay to testing that software from the perspective of security.

We are trying to raise the bar globally to one, high, common level of application security testing. So that’s a way that we are working with it. That’s what the Fortify tool will help us do.

Gardner: Dean Weber, to Sam’s point about the amount of data required to track, understand, and follow, do you consider this a big-data function? We hear, of course, a lot about that in the marketplace these days. How important would general-data and/or big-data capabilities be in a good secure organization? Are they hand in hand?

Weber: They are absolutely hand in hand. As we generate more data across our grids, both sensor data and event data, and as we combine our information technology networks with our operational technology networks, we have an exploding data problem. No longer is it finding a needle in a haystack. It’s finding a needle amongst needles in a haystack.

Big-data problem

The problem is absolutely a big-data problem. Choosing technologies like ArcSight that allow us to pinpoint technology aberrations from a log, alert, or an event perspective, as well as from a historical trending perspective, is absolutely critical to trying to stay ahead of the problem. At the end of the day, it’s all about identity, access, and usage data. That's where we find the indicators of these advanced threats.

As the trade craft of our opponents gets better, as Sam likes to put it, we have to respond, and it’s not easy to respond at that level. One of the reasons that Fortify is going to become one of the cornerstones of our offering is because as we get better at securing infrastructure using the technologies we've already talked about, the next low-hanging fruit is the application vulnerabilities themselves.

Recently, Android announced that they have a vulnerability in their crypto product. There are 900 million Android products that are affected by that. While Google has released a patch for that particular crypto vulnerability, all the rest of the vendors who use an Android platform are still struggling with how to patch, when to patch, where to patch, how do they know they patched.

Visner: And who is responsible for the patch?

Weber: And who is responsible for the patch, absolutely true.

It’s not enough to know that I have got good governance, risk, and compliance (GRC) enterprise-wide password maintenance and password reset.

Gardner: That brings us to this. When you talk about responsibility and tracking, who is doing what and how it’s getting done? We started to talk about key performance indicators (KPIs). How much of a shift have you had to go about there at CSC to put in place the ability to track metrics of success and KPIs? How do you measure and gauge these efforts?

Visner: I'm going to ask Dean to cleanup on my answer, but a lot of people are paying attention to global threat intelligence and threat attribution. That’s really important, but I think what’s even more important is not knowing where the threat came from, or what the motivations are. That’s useful to know, because it can help characterize other aspects of the threat and what you can expect from the threat actor to do, not just in terms of one piece of malware, but an integrated approach.

The other piece of this is understanding yourself. That is to say it’s not enough to know that I have patched my desktop. It’s not enough to know that I have got good governance, risk, and compliance (GRC) enterprise-wide password maintenance and password reset.

I have to know everything about my enterprise today, all the way down to the industrial control systems on the shop floor, the supervisory control and data acquisition systems that coordinate my enterprise, the enterprise databases and applications that I use for global transactions, as well as individual desktops and smartphones.

What we're really talking about is a level of awareness that people are not used to having. They're really not. People don’t worry about what goes on beyond their own computer. Even CIOs haven’t really worried about the cybersecurity of computers that are embedded in manufacturing systems or control systems. Now, I think they have to be.

Swinging back to the awareness question, this is required of us and of any other enterprise to go beyond the status of an individual device to treat the status of the entire enterprise as important corporate knowledge. That's important corporate knowledge.

Holistic global view

Think of it this way, this is an organization that needs to know globally what its credit worthiness is, where its lines of credit are, and how it’s using those lines of credit and its cash instruments globally to manage its cash flow. That’s important corporate knowledge, and it has to be dealt with on a holistic global view. Otherwise it’s worthless.

The same thing is true with cybersecurity, knowing what the effect is. Cybersecurity of a specific server is interesting, but it's actually not nearly as useful as knowing the state of cybersecurity throughout your entire enterprise. That's global corporate knowledge and that's the difference between a piece of information which is interesting and corporate knowledge which is vital, important, and very valuable.

We have to treat the state of cybersecurity in an organization with the same seriousness, and consider it to be the same level of resource and asset, as the global cash flow of a global organization. It's the same thing.

Gardner: Dean Weber, the opportunity to bring big-data capabilities to bear on this problem is one thing that we've addressed, but there is also the operations and organizational side of having reports, delivering reports, measuring those reports, and being able to act on it.

We have to treat the state of cybersecurity in an organization with the same seriousness, and consider it to be the same level of resource and asset, as the global cash flow of a global organization.

What have you done there to allow for a KPI-oriented or a results-oriented organizational approach that leverages of course all the data?

Weber: You've just touched on the value proposition for a global managed security services provider (MSSP) in the fact that we have data sources that span the planet. While CSC as a 90-plus thousand person organization is considered a large scale organization, it pales in comparison to the combined total of CSC's customer base.

Being able to combine intelligence and operational knowledge from multiple enterprises spanning multiple countries and geographic regions with differing risk postures and business models, sometimes even with differing technologies employed in those models, gives us a real opportunity to see what the global threat looks like.

From the distribution of that threat perspective our ability to, within the laws appropriate across the globe and auditable against those laws, share that threat intelligence without rushing up against or breaking those laws is very important to an organization. This ultimately keys to the development of the value proposition of why do business with the global MSSP in the first place.

Gardner: It was interesting to me when Sam said that there's no difference between understanding your financial situation and your security posture. Is there some opportunity for security and cybersecurity to be a driver for even better business practices?

Now, you might start employing these technologies and putting in place these operational capabilities because of an existential threat to your security, but in doing so, it seems to me that you're becoming a far better organization along the way. Have any customers, or have you yourself, been able to demonstrate that taking the opportunity to improve your cyber posture also improves your business posture?

Not well managed

Weber: That's becoming evident. Not everybody gets it yet, but more and more people do. The general proposition is that an organization that doesn't understand, for example, its financial position is not well-managed and isn't a good investment. It probably can't mobilize its resources to support its customers.

It isn't in a position to bring new products to market and probably can't support those products. Or it might find that those product lines are stolen, manufactured at a lower standard by somebody else, and not properly supported, so that the customer suffers, the company suffers, and everybody but the cyber thief suffers.

A financial organization that can't take care of their own financial position can't serve their customers, just as an organization that doesn't understand its cybersecurity posture can't preserve value for shareholders and deliver value for its customers.

Gardner: Dean, looking at this same benefit, what you do for cybersecurity benefits extend to other business benefits, is there a return on investment (ROI) impact where you could measure the investments made for extensive security but then leverage those capabilities in other ways that offset the price. Has that been the case for you or are you aware of anyone that's done the bean counting in such a fashion?

Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of jail when they have to sign off on things like Sarbanes–Oxley.

Weber: There absolutely is an ROI in security. In fact, there is actually a concept of return on security investment (ROSI), but I would say generally that most people don't really understand what those calculations mean.

Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of jail when they have to sign off on things like Sarbanes–Oxley. Or the fact that you don't have to make an SEC filing as a result of financial-systems breach that impacts your ability to keep revenues that you may have already attained.

The real return on investment is less measured in savings than it is in -- as Sam likes to say -- keeping us off the front page of "The Wall Street Journal" above the fold, because the real impact to these things traditionally is not in the court of law, but in the court of public opinion.

They tend to look at organizations that can't manage themselves well and end up in the news at not managing themselves well, less favorably than they do for companies that do manage their operations well.

Visner: What is a pound of cybersecurity worth? I'll put it to you this way. What is a pound of stolen intellectual property worth? That that intellectual property means that somebody else is stealing patient data, manufacturing your products, or undermining your power grid.

One way of thinking is that it's not the value of the cybersecurity so much, but the diminished value of the assets that you would lose that you could no longer protect.

Measuring ROI

That’s as good a place as any to measure that ROI. If you do measure that ROI, the question is not how much are you spending on cybersecurity. The question is what would you lose if you didn’t make that spend. That’s where you see the positive return on investment for cybersecurity, because for any organization, the spend on cybersecurity is almost insignificant compared to the value that would be lost if you didn’t make that spend.

When you think about what it cost to bring to market a product, a new pharmaceutical, a new aircraft design, a new jet engine, and what happens if somebody gets there first or undermines your intellectual property, the value of that intellectual property towards what people are prepared to spend and protect is worth it.

Gardner: As we take the lessons internally, can you offer some recommendations for how others could proceed? Are there any aspects of what you've done with HP internally at CSC that maybe provide some stepping stones? What would you recommend in terms of first steps, initial steps, or lessons learned that others might benefit from in terms of what you've done?

Visner: The real question is not what we've done internally, but the internal process we used, for example, in deciding to work with a specific strategic partner. We recognized early on that this is not a one company problem.

This is a problem where we are dealing with weapons grade threats from organized criminals who have vast resources at their disposal.

This is a problem where we are dealing with weapons grade threats from nations-state. This is a problem where we are dealing with weapons grade threats from organized criminals who have vast resources at their disposal. This is a problem of intellect, and therefore, no one organization is going to have sufficient intellect to be able to deal with this problem globally.

As a company, CSC tends to seek out partners to whom we can couple our intellect and get a synergistic result. In this case, the process of making that relationship real when it flows through defining our portfolio, defining the services that comprise the portfolio, managing the development of those services through our offering lifecycle management process, and then choosing companies whose technology provides the needed strength for each one of those offerings, each one of the elements of that portfolio.

In this case, that process serves us well, because we're going to need a wide range of technology. Nobody is in a position to confront this problem on their own -- absolutely nobody. Everybody needs partners here. But the question is whom?

We have people show up on our doorstep with ideas and technologies and products every day. But the real issue is, what is a good organizing principle? That organizing principle has two components. One, you need a wide range of capabilities, and two, you need to choose from among the wide range of technologies you need for that wide range of capabilities. You need a process that’s disciplined and well-ordered.

Believe me, we have people show up and ask why it takes so long, why it's such an elaborated process, and can't you see that our product is absolutely the right one.

The answer is that it's like a single hero going out onto the battlefield. They maybe a very effective fighter, but they're not going to be able to master the entirety of the battlefield. That can't be done. They're going to need partners. They're going to need mates in the field. They're going to need to be working alongside other people they trust.

Strategic partner

So in working with HP and the ArcSight tool as our security information and management player of our global logical SOC, our global logical managed cybersecurity service, and in working with HP Fortify we chose a partner we thought -- and we think correctly -- is a strong long-term strategic partner.

It's somebody with whom we can work. HP recognizes that we do. They're not going to solve this problem on their own. What one company is going to solve a problem on their own when they are up against the global environment of nation-state and trade actors? We all need these partnerships.

Our company is unique in that we've always looked to our partner relations for key technologies to enable offerings in our portfolio.

We've always believed that you go to market and you serve your customers with strategic partners, because we've always believed that every problem that had to be solved would require not only our abilities as an integrator, but the abilities of our partners to help in the development of some of this technology. That’s what makes the most sense.

For a company like CSC that is largely technology-independent, it gives us access to a wide range of technology partners. But as a company, we're smart about the partners that we choose because of the technologies that we have. Although there's a wide range of potential partners, we work with companies that we think are going to be long-term strategic partners against high-value problems and challenges -- in this case HP and cybersecurity respectively.

Gardner: Last word to you, Dean. Just based on your experiences, as the Chief Technical Officer increasing and improving your security posture, are there any lessons learned that you could share for others that are seeking the same path?

Although there's a wide range of potential partners, we work with companies that we think are going to be long-term strategic partners against high-value problems and challenges.

Weber: I'll leave you with two thoughts. One is again the value proposition of doing business with a global business MSSP. We do have those processes and processes in our background where we are trying to bring the best price-performance products to market.

There maybe higher-priced solutions that are fit for purpose in a very small scale, or there may be some very low-price solutions which are fit for purpose in a very large scale, but don't solve for the top-end problems. The juggling act that we do internally is something that the customer doesn't have to do, whether that’s the CSC internal account or any of our outside paying customers.

The second thing is the rigor with which we apply the evaluation process through an offering lifecycle or product lifecycle management program is really part and parcel of the strength of our ability to bring the correct product to market in the correct timeframe and with the right amount of background to deliver that at a level of maturity that an organization can consume well.

Gardner: Well, great. I'm afraid we'll have to leave it there. We've been exploring how IT leaders are improving security and reducing risks as they adapt to the new and often harsh realities of doing business online and we've been learning through the example of CSC itself.

I’d like to offer a huge thanks to our guests. We've been here with Dean Weber, Chief Technology Officer for CSC Global Cybersecurity. Thank you, Dean.

Weber: Thank you.

Gardner: And also Sam Visner, Vice President and General Manager for CSC Global Cybersecurity. Thank you so much, Sam.

Visner: It's been a pleasure. Thank you for having us.

Gardner: And you can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can always access this and other episodes of our HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives.  Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingDirect podcast on the growing need for cybersecurity as an important organizational goal for businesses and government agencies. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in:

• CSC and HP team up to define the new state needed for comprehensive enterprise cybersecurity
• The Open Group July conference seeks to better contain cybersecurity risks with FAIR structure
• HP Vertica General Manager Sets Sights on Next Generation of Anywhere Analytics Platforms
• Liberty Mutual Insurance melds regulatory compliance and security awareness to better protect assets, customers, and employees
• HP Vertica Architecture Gives Massive Performance Boost to Toughest BI Queries for Infinity Insurance
• Right-sizing security and information assurance, a core-versus-context journey at Lake Health
• HP-Fueled Application Delivery Transformation Pays Ongoing Dividends for McKesson
• Podcast recap: HP Experts analyze and explain the HAVEn big data news from HP Discover
• HP's Project HAVEn rationalizes HP's portfolio while giving businesses a path to total data analysis
• Insurance leader AIG drives business transformation and IT service performance through center of excellence model

VMware vCloud Hybrid Service Powers Journey to Zero-Cost Applications Support for City of Melrose

Transcript of a BriefingsDirect podcast on how one municipality has broadened its own IT infrastructure to become a managed-service provider for other cities and towns.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Gardner

Today, we present a sponsored podcast discussion on how a small city outside of Boston has embraced hybrid cloud computing to host not only its own applications, but also those of nearby communities. In doing so, the City of Melrose, Massachusetts, plans to reduce the cost of supporting its applications to perhaps zero -- and maybe even generate revenue -- as a specialized managed-services provider.

To learn more about this early adopter municipality approach to cloud computing, and how they transitioned from nearly 100 percent server virtualization to a novel cloud capability built on VMware vCloud Hybrid Service (vCHS), please join me now in welcoming our guests. We're here with Jorge Pazos, the Chief Information Officer in the City of Melrose. Welcome, Jorge. [Disclosure: WMware is a sponsor of BriefingsDirect podcasts.]

Jorge Pazos: Thank you.

Gardner: We're also here with Colby Cousens, IT System Administrator in the City of Melrose. Welcome, Colby.

Colby Cousens: Thank you.

Gardner: Jorge, let me start with you. As you looked to extend the benefits of server virtualization, what were some of the top requirements as a CIO for moving to cloud and hybrid-cloud infrastructure?

Pazos: A lot of this is driven by both challenges that we face and opportunities that we see. Like you said, we're an IT department for a mid-size town in Massachusetts. We offer services to all of our internal departments and we're beginning to grow out into a managed-service provider. Part of what we're looking to do internally is grow that managed-service provider part of the business, but then also take care of a lot of the day-to-day stuff.

Pazos

If you think about building a data center, which is what we did about three or four years ago, it was a top-to-bottom upgrade of our data center. One of the things that you immediately start to think about is your disaster recovery (DR). When you're a small municipality with five square miles, where do you put a DR site that gives you diverse power providers, and geographical diversity?

It doesn't make sense to invest heavily in a DR site that’s somewhere within the same town. So we were really looking to cloud-service providers to provide that for us. That was one of the big drivers for us, and we really didn't feel comfortable growing the business too much without having at least that capability somewhere, as part of our service offering.

Gardner: When you were looking for a DR capability that opened up your eyes to what hybrid cloud was capable of. Was that the beginning of seeing more than the virtualization benefits of being able to replicate workloads and have elasticity and look to optimization benefits beyond your on-premises server?

DR site

Pazos: We really wanted to have a fully functional DR site, and we looked at a lot of the cloud service providers. This isn’t a point-in-time perspective. This is something that we've been doing over the last three or four years.

Three or four years ago, there weren’t a whole lot of cloud-service providers that we felt could do what we were looking to do. So when we had this opportunity to participate in the beta for the vCHS, we were really excited. There was quite a bit of promise in it for us in terms of things that we felt were important, like interoperability, security,  performance, and things like that.

And after the launch actually one of the things that we are pretty excited about that we didn't see in the past was cost predictability, which we don't really see a whole lot from a lot of the other service providers.

Gardner: I'm sure if you are going to embrace a hybrid-cloud model, and test and evaluate a product like be vCHS, you might recognize that if you do this first, you've learned the lessons and acquired skills. How did that idea come about to take this into this extension of what other municipalities would be seeking?

Pazos: It’s not that big of a stretch, when you think about it. What we're doing is providing services to other cities and towns. That is what we do on a day-to-day basis in one municipality. The way that municipalities are run, especially from an IT perspective, there isn’t a great deal of diversity. We could pretty much run IT for almost any city or town, because the apps are very similar and the business processes are all very similar.

It’s not that big of a stretch to get to that point where you say, "I can do this for another city or town." That was actually the thought process several years ago, as we started to do our own internal consolidation. The idea was that if we do it for ourselves, why can’t we do it for others. It’s not that much of a leap to get there.

Cousens

Cousens: We can get some practice consolidating city and school networks and data centers and realize it's the same thing. We could do it with other the municipalities as well.

Gardner: Colby, that was going to be my question. What requirements did you have in terms of what was needed in order to make this possible if you were going to integrate and consolidate with the cloud infrastructure approach for different divisions within your town? Sure, you can extend that to other municipalities, but what was important for you to be able to do that in terms of the solutions available?

Cousens: Compatibility was the biggest issue for me. I didn’t want to run into any roadblocks with software or hardware that wouldn't work with each other, so we would have had to drop the project just because two things wouldn't connect.

Gardner: Let’s get a sense of what we're dealing with here in terms of your scale and your size. Tell me about Melrose, the applications, the number of users, and your infrastructure. What are we talking about in terms of IT organization?

Modest deployment

Pazos: It is a fairly modest deployment by service provider standards, but I think by municipal standards, we're decent size. Currently, we're at about 70 virtual machines (VMs) with 30 terabytes of storage. We connect our regional partners the way that we connect these communities, Essex is about 30 miles away, and Saugus is a direct neighbor. To connect these guys back to our data centers, we use an ENS circuit, which is basically a Layer 2 connection between the two sites that can be ramped up.

They come up in base of 10 Mbps and then they can go straight up to a 10 Gbps . We run several SQL databases, which includes our financial system. We run Microsoft Exchange, Public Safety Dispatch. There is a CAD, Computer Aided Dispatch/Records Management application, and database. We also have virtual desktops. Our entire emergency dispatch operations are all running on virtual desktops, as well as point of sale for virtual desktops.

So we run quite a few different apps, many of which are obviously pretty mission critical, and the demand is growing. We are going to be on-boarding Saugus through the summer and into the fall. So we'll be experiencing some growth through that process as well.

Gardner: Just for our audience, Essex and Saugus are also municipalities in Massachusetts, and you have been experimenting and bringing them on, so that they become paying customers to you. Do you think it is possible at some point that you're going to cover your IT cost by doing this managed-service provider business.

I also think that the services we offer to the city are better because of our equipment.

Pazos: Early on, it got to a point where we couldn't do it, but it looks to me like now we're potentially going to be in a position where maybe five or six additional clients get us to the point where we are revenue neutral to the city. That's looking a little bit more realistic for us in terms of both getting people to warm to the idea and also being able to support it.

Revenue neutral would be absolutely fantastic. If you're taxpayer in the City of Melrose and you can have a department that offers all of its services internally and be completely revenue neutral, I would be ecstatic about that.

Cousens: I also think that the services we offer to the city are better because of our equipment. Our refresh schedule is better. The stuff that we're using is more enterprise grade, because we're using it in the hosting environment and providing to a number of partners.

Gardner: Let's look at the equation of how the economics of this work from the perspective of your client municipalities, for lack of a better word. When Essex and Saugus evaluate this, are they going to be able to get their IT services from you cheaper and with a higher performance than they would have been able to do it themselves?

Pazos: There are two ways to look at that. Town of Essex has reduced their IT expenditures by 33 percent year over year. So they're immediately seeing savings every year. The story in the Town of Saugus was a little bit different. They had an IT department that had inherited infrastructure that was getting old and needed to be refreshed. They were able to buy into the service and not have to incur a large upfront cost of doing a forklift upgrade of their entire IT infrastructure.

Year-to-year savings

They're saving, year one, somewhere in the vicinity of about $80,000 or just north of $75,000. Then, there's the year-over-year savings that they're seeing. So for this three-year agreement, they feel like they're saving quite a bit of money.

Gardner: Colby, given that you had a very strong set of requirements around compatibility of being able to move from your on-premises infrastructure into a hybrid cloud model, what about Essex and Saugus? Were they also highly virtualized in their servers and workloads, and how did the compatibility from them work, moving toward your vCloud Hybrid Service set up?

Cousens: That wasn’t as much of an issue for us, because they weren't really virtualized yet at all. So part of the on-boarding process for them is virtualizing all of their servers and doing some virtual-desktop offerings, too. We got to start fresh with virtualization onsite for their services.

Gardner: I suppose you could look at that as another added value. You're actually modernizing them or guiding them into a more optimized IT infrastructure with a higher utilization. You're also helping them decide which of their services to get from the source, in this case the one that you are managing, versus perhaps a cloud provider that would not have the expertise in the customization that they're looking for.

Not only are we saving them money, but we're able to provide them services that they weren’t providing for themselves.

Pazos: Absolutely. Not only are we saving them money, but we're able to provide them services that they weren’t providing for themselves. A lot of these guys didn’t have offsite data replication.

They didn't have DR site capability. It was a pretty traditional small data center, a server room type set up in a building. Everything was a single point of failure. We're not only saving them money, but we're providing a higher level of service than they would have ordinarily been able to achieve.

Cousens: Again, in the case of Essex, the town manager is doing the IT work too. So besides the financial piece, he was having a hard time focusing on his IT stuff as well.

Pazos: I think it's important for anyone listening to the podcast that to understand that, a lot of these are small governments scattered around the state. The $75,000 that Saugus is saving this year is very big money in small town government.

In the case of Essex, quite often, people are doing double duty. They're the town accountant and the IT person, or the town administrator and the IT person. So they are also gaining from freeing themselves up to focus on their primary roles. In the town of Essex, he's able to focus on being the town administrator. That’s life in small town government in Massachusetts.

Gardner: As time goes on, it sounds like you want on-board other municipalities making them a good deal, where everybody feels like they're improving the situation at a good cost, compared to what they would have been paying otherwise. Over the next two or three years, what are you going to be looking for in terms of cloud capabilities?

There is, of course, the infrastructure, and you want the compatibility that we heard about. What about public-cloud services? Are there costs, compatibility issues, location or compliance issues? What do you think about when you look down the road towards the public-cloud components within a hybrid cloud deployment?

Competition important

Pazos: One of the important things is competition and, hopefully, as everything matures, that cost will come down. Again, for small town government, that’s extremely important. I think a lot these towns wouldn’t have this as an option, because the costs simply are just too much for them. So we would like to see to the cost come down.

Gardner: That would be a function of choice, of having a marketplace, right?

Pazos: Absolutely, yes, and with competition, hopefully that will come to be. One of the reasons that we invested the time into vCHS beta was that we really felt it was important to focus on that. We went through Beta 1 and 2, we would have done the Early Adopter Program (EAP) as well, except that we were in the midst of on-boarding Saugus.

We really committed some time to do Beta 1 and Beta 2, because I think the promise of the service offering was fantastic. We really felt like there was an opportunity there to play with a product that was extending our existing data center out into the cloud, and it blurred the lines between what was on-premises, and what was out in the cloud.

One of the primary reasons that we're looking at this is DR and business continuity.

Ideally, that's what we would like to see. When you're your managing a pool of resources, you're not really managing on-premises stuff and cloud stuff. We would like it be one large pool of resources that you are managing. I think that would be ideal.

Gardner: To circle back to some of your earlier reasons for going about this, you get that business continuity benefit. You know that your resources are going to be available, and if something goes wrong along the line within your organization, you have someone covering your back.

Pazos:  One of the primary reasons that we're looking at this is DR and business continuity. I need that diversity in being able to have different geographical zones, having somebody out in Nevada, California or wherever. That’s a diversity that is, otherwise, really impossible for me to get. So that's an important thing.

Gardner: How about some 20/20 hindsight, for those who are listening and reading about your story and experience. What might have you had done differently? Do you have any advice for those who might be also considering adopting a hybrid cloud or maybe even pursuing the notion of being either a consumer or provider of these managed services?

Pazos: When we look back at this, it’s surprising to me how we were very fortunate with timing. A lot of the things that we needed seem to have been rolling out at right around the time we needed it, which was fantastic for us.

What I would say is, whatever you've been waiting for, don’t wait. It's to the point where you just want to move ahead, and for some of this, you're going to have to adapt and sort of figure out as you go and as things evolve.

There were times early on, where we were frankly a little hesitant to do some things, because, to be honest with you, we spoke to a lot of folks in other cities and towns who just sort of cocked their heads a little bit and looked at us and said, "Really? Why are you doing this? Why would you want to do this? This seems sort of crazy." So there was a little bit of hesitation at times as we moved forward.

Solid idea

But the idea seemed solid, and we went ahead with it. That's the advice for folks -- don't really wait. Do your research, do your homework, understand what it is that you're getting yourself into, but certainly move ahead, because I really feel like this is the way we're going to be doing business. I know we are doing businesses right now, but I think a lot of folks are going to be doing business this way at some point in the near future.

Gardner: Colby what about you?

Cousens: Experimentation is key. A lot of the technologies are complicated to just look at or read about. Get in there and do an evaluation or download trial versions of different products, like we did with the Beta, with vCHS. You just have to try it out and play with it. Then you start to realize the true value as you apply it to actual use cases.

Experimentation is key. . . . Get in there and do an evaluation or download trial versions of different products.

Gardner: Well, great. I am afraid we will have to leave it there. We've been talking about how a small city outside of Boston has embraced the hybrid-cloud computing to host not only its own applications, but those of nearby communities as well.

We learned how the City of Melrose, Massachusetts, plans to reduce the cost of supporting its application down to zero by transitioning from high server virtualization to revenue making managed services built on a cloud capability, and they have been so far using VMware vCloud Hybrid Service as a beta user to experiment and perfect this approach.

Thank you very much to our guests, Jorge Pazos, the CIO, the Chief Information Officer at the City of Melrose. Thank you, Jorge.

Pazos: Thank you.

Gardner: And also, we have been here with Colby Cousens, the IT Systems Administrator there in Melrose. Thank you so much, Colby.

Cousens: Thank you also.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks, also to all audience for joining, and don’t forget to come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Transcript of a BriefingsDirect podcast on how one municipality has broadened its own IT infrastructure to become a managed-service provider for other cities and towns. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in:

• Millennium Pharmacy Takes SaaS Model to New Heights VIA Policy-Driven Operations Management and Automation
• Thomas Duryea Consulting provides insights into how leading adopters successfully solve cloud risks
• Indiana health care provider goes fully virtualized, gains head start on BYOD and DR benefits
• AT&T Cloud Services Built on VMware Cloud Datacenter Meet Evolving Business Demands for Advanced IaaS
• VMware-Powered Cloud Adoption Delivers Bevy of Data and Performance Benefits for Revlon, Says CIO David Giambruno
• Services Provider BancVue Leverages VMware Server Virtualization to Generate Private-Cloud Benefits and Increased Business Agility

Case Study: MSP InTechnology Improves Network Services Via Automation and Consolidation of Management Systems

Transcript of a BriefingsDirect podcast discussion on how InTechnology uses network management automation to improve delivery and service performance for network and communications services.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on a UK-based managed service provider’s journey to provide better information and services for its network, voice, VoIP, data, and storage customers. Their benefits have come from an alignment of many service management products into an automated lifecycle approach to overall network operations.

We'll hear how InTechnology has implemented a coordinated, end-to-end solution using HP solutions that actually determine the health of its networks by aligning their tools to ITIL methods. And, by using their system-of-record approach with a configuration management database, InTechnology is better serving its customers with lean resources by leveraging systems over manual processes. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

We're here with an operations manager from InTechnology to learn about their choices and outcomes when it comes to better operations and better service for their hundreds of enterprise customers.

Please join me now in welcoming Ed Jackson, Operational System Support Manager at InTechnology. Welcome, Ed.

Ed Jackson: Thanks. Hi.

Gardner: Your organization is a managed service provider (MSP) for both large enterprises and small to medium-sized companies, and you've been facing an awful lot of growth over the past several years. But you have also been dealing with heterogeneity in terms of many different products in place for network operations. It sounds like you've tried to tackle two major things at once: growth and complexity. How has that worked out?

Jackson: In terms of our network growth, we've basically been growing exponentially year over year. In the past four years, we've grown our network about 75 percent. In terms of our product set, we've basically tripled that in size, which obviously leads to major complexity on both our network and how we manage the product lifecycle.

Previously, we didn’t have anything that could scale as well as the systems that we have in place now. We couldn’t hope to manage 8,000 or 9,000 network devices, plus being able to deliver a product lifecycle, from provisioning to decommission, which is what we have now.

Gardner: So our audience better understands the hurdles and challenges you've faced, you're providing voice, both VoIP and traditional telephone, and telephony services. You have data, managed Microsoft Exchange, managed servers, and virtual hosting. You're providing storage, backup and restore, and of course a variety of network services. So this is a really full set of different services and a whole lot of infrastructure to support that.

Jackson: Yeah. It's pretty massive in terms of the technologies involved. A lot of them are cutting-edge. We have many partners. And you are right, our suite of cloud services is very diverse and comprises what we believe is the UK’s most complete and "joined-up"set of pay-monthly voice and data services.

Their own pace

In practice what we aim to do is help our customers engage with the cloud at a pace that works for them. First, we provide connectivity to our nationwide network ring – our cloud. Once their estate is connected they can then cherry pick services from our broad pay-as-you-go (PAYG) menu.

For example, they might be considering replacing their traditional "tin" PBXs with hosted IP telephony. We can do that and demonstrate massive savings. Next we might overlay our hosted unified communications (UC) suite providing benefits such as "screen sharing," "video calling," and "click-to-dial." Again, we can demonstrate huge savings on planes, trains and automobiles.

Next we might overlay our exciting new hosted call recording package -- Unity Call Recording (UC) -- which is perfect if they are in a regulated industry and have a legal requirement to record calls. It’s got some really neat features including the ability to tag and bookmark calls to help easy searching and playback.

While we're doing this, we might also explore the data path. For example our new FlexiStor service provides what we think is the UK’s most straightforward PAYG service designed to manage data by its business "value" and not just as one big homogenous lump of data.

It treats data as critical, important or legacy and applies an appropriate storage process to each ... saving up to 40 percent against traditional data management methods. There’s much more of course, but that gives you a flavor, I hope.

Due to the HP product set that we have, we've been able to utilize all the integrations and have a fully managed, end-to-end lifecycle of the service.

Imagine trying to manage this disparate set of systems. It would be pretty impossible. But due to the HP product set that we have, we've been able to utilize all the integrations and have a fully managed, end-to-end lifecycle of the service, the devices, and the product sets that we have as a company.

Gardner: I have to imagine too that customer service and support is a huge part of what you do, day in and day out. You also have had to manage the help desk and provide automated alerts, fixes, and notifications, so that the manual help desk, which is of course quite costly, doesn’t overwhelm you. Can you address what you've attempted to do and what you have managed to do when it comes to automated support?

Jackson: In terms of our service and support, we've basically grown the network massively, but we haven’t increased any headcount for managing the network. Our 24/7 guys are the same as they were four or five years ago in terms of headcount.

We get on average around 5,000 incidents a month automatically generated from our systems and network devices. Of these incidents, only about 560 are linked to customer facing Interactions using our Service Desk Module in the Service Manager application.

Approximately 80 percent of our total incidents are generated automatically. They are either proactively raised, based on things like CPU and memory of network devices or virtual devices or even physical servers in our data centers, or reactively raised based on for example device or interface downs.

Massive burden

When you've got like 80 percent of all incidents raised automatically, it takes a massive burden off the 24/7 teams and the customer support guys, who are not spending the majority of their time creating incidents but actually working to resolve them.

Gardner: Let's back it up. Five years ago, when you didn't have any integrated systems and you were dealing with lots of data, perhaps spurious data, what did you think? I know that you're an ITIL shop and so you had to bring in that service management mindset, but what did you do in order to bring these products together or even add more products, but without them being also unwieldy in terms of management?

Jackson: It was spurred by really bad data that we had in the systems. We couldn't effectively go forward. We couldn't scale anymore. So, we got the guys at HP to come in and design us a solution based on products that we already had, but with full integration, and add in additional products such as HP Asset Manager and device Discovery and Dependency Mapping Inventory (DDMI).

With the systems that we already had in place, we utilized mainly HP Service Desk. So we decided to take the bold leap to go to Service Manager, which then gave us the ability to integrate it fully into the Operations Manager product and our Network Node Manager product.

Since we had the initial integrations, we've added extra integrations like Universal Configuration Management Database (UCMDB), which gives us a massive overview on how the network is progressing and how it's developing. Coupled with this, we've got Release Control, and we've just upgraded to the latest version of Service Manager 9.2.

For any auditor that comes in, we have a documented set of reports that we can give them. That will hopefully help us get this compliance and maintain it.

So it has given us a huge benefit in terms of process control, how ITIL is related. More importantly, one of the main things that we are going for at the moment is payment card industry (PCI) and ISO 27001 compliance.

For any auditor that comes in, we have a documented set of reports that we can give them. That will hopefully help us get this compliance and maintain it. One of the things as an MSP is that we can be compliant for the customer. The customer can have the infrastructure outsourced to us with the compliance policy in that. We can take the headache of compliance away from our customers.

Gardner: Having that full view and the ability to manage also discreetly is not only good business, but it sounds like it's an essential ingredient for the way in which you go to market?

Jackson: More and more these days, we have a lot of solicitors and law firms on our books, and we're getting "are you compliant" as a request before they place business with us. We're finding all across the industry that compliance is a must before any contract is won. So to keep one step ahead of the game, this is something that we're going to have to achieve and maintain, and the HP product set that we have is key in that.

Gardner: I suppose too that a data flow application like Connect-It 4.1 provides an opportunity to not only pull together disparate products and give that holistic view, but also provides that validation for any audits or compliance issues?

Recently upgraded

Jackson: We recently upgraded Connect-It from 4.1 to 9.3, and with that, we upgraded Asset Manager System to 9.3. Connect-It is the glue that holds everything together. It's a fantastic application that you can throw pretty much any data at, from a CSV file, to another database, to web services, to emails, and it will formulate it for you. You can do some complex integrations in that. It will give you the data that you want on the other side and it cleanses and parses, so that you can pass it on to other systems.

From our DDMI system, right through to our Service Manager, then into our Network Node Manager, we now have a full set of solutions that are held together by Connect-It.

We can discover the device on the network. We can then propagate it into Service Manager. We can add lots of financial details to it from other financial systems outside of the HP product set, but which are easy to integrate. We can therefore provision the circuit and provision the device and add to monitoring automatically, without any human intervention, just by the fact that the device gets shipped to the site.

It gets loaded up with the configuration, and then it's good to go. It's automatically managed right through to the decommissioning stage, or the upgrade stage, where it's replaced by another device. HP systems give us that capability.

Gardner: So these capabilities really do allow you to take on a whole new level of business and service. It sounds like the maintenance of the network, the integrity, and then the automation really helps you go to market in a whole new way than you could have just several years ago.

I don’t know of many other MSPs that have such an automated set of technology tools to help them manage the service that they provide to their customers.

Jackson: Definitely. One of the key benefits is it gives us a unique calling card for our potential customers. I don’t know of many other MSPs that have such an automated set of technology tools to help them manage the service that they provide to their customers.

Five years ago, this wasn't possible. We had disparate systems and duplicate data held in multiple areas So it wasn’t possible to have the integration and the level of support that we give our customers now for the new systems and services that we provide.

Gardner: Of course, HP has been engineering more integration into its product and you have been aggressive in adopting some of the newer versions, which is an important element of that, but I have to imagine that there is also a systems integrations function here or professional services. Have you employed any professional services or relied on HP for that?

Jackson: When we originally decided to take the step to upgrade from Service Desk to Service Manager and to get the network discovery product set in, we used HP’s Professional Services to effectively design the solution and help us implement it.

Within six months, we had Service Desk upgraded to Service Manager. We had an asset manager system that was fully integrated with our financials, our stock control. And we also had a Network Discovery toolset that was inventorying our estate. So we had a fully end-to-end solution.

Automatic incidents

Into that, we have helped to develop the Network Operations Management Solution into being able to generate automatic incidents. HP PS services provided a pivotal role in providing us with the kind of solutions that we have now.

Since then, we took that further, because we have very good in-house knowledgeable guys that really understand the HP systems and services. So we've taken it bit of a step further, and most of the stuff that we do now in terms of upgrades and things are done in-house.

Gardner: It's a very compelling story. I wonder if we have more than just the show-and-tell here. Do we have any metrics of success? Have you been able to point to faster time to resolution, maintaining service-level agreements (SLAs), or something along those lines, that we could help people appreciate what this does, not only functionally in terms of bringing new services to your customers, but also in terms of how you operate and some important metrics that affect your bottom line?

Jackson: Mean time to restore has come down significantly, by way over 15 percent. As I said, there has been zero increase in headcount over our systems and services. We started off with a few thousand network devices and only three or four different products, in data, storage, networks and voice. Now we've got 16 different kinds of product sets, with about 8,000, 9,000 network devices.

In terms of cost saving, and increased productivity, this has been huge. Our 24/7 teams and customer support teams are more proactive in using knowledge bases and Level 1 triage. Resolution of incidents has gone up by 25 percent by customer support teams and level 1 engineers; this enables the level 3 engineers to concentrate on more complex issues.

In terms of SLAs, we manage the availability of network devices. It gives us a lot more flexibility in how we give these availability metrics to the customers.

If you take a Priority 3, Priority 4 incident70 percent of those are now fixed by Level 1 engineers, which was unheard of five or six years ago. Also, we now have a very good knowledge base in the Service Manager tool that we can use for our Level 1 engineers.

In terms of SLAs, we manage the availability of network devices. It gives us a lot more flexibility in how we give these availability metrics to the customers. Because we're business driven by other third party suppliers, we can maintain and get service credits from them. We've also got a fully documented incident lifecycle. We can tell when the downtime has been on these services, and give our suppliers a bit of an ear bashing about it, because we have this information to hand them. We didn’t have that five or six years ago.

Gardner: So, by having event correlation and data to back up your assertions there's much less finger pointing. You know exactly who had dropped the ball.

Jackson: Exactly. With event correlation, we reduced our operations browsers down to just meaningful incidents, we filtered our events from over 100,000 a month to less than 20,000 many of these are duplicated and are correlated together. Most events are associated with knowledge base articles in Service Manager and contain instructions to escalate or how to resolve the event, increasingly by a level 1 engineer.

We can also run automatic actions from these events, and we can send the information to the relevant parties, and also raise an incident and send it directly to the correct assignment groups or teams that are involved in looking after that.

Internal SLA

For Priority 1 incidents, which by an internal SLA we have 15 minutes to communicate to the customer, we can do that now within two minutes, because the group that’s been assigned the incident are on the ball straight away and they can contact the customer and let them know of the potential or actual problem.

Contacting customers within agreed SLAs and how we can drive our suppliers to provide better service is fantastic because of the information that is available in the systems now. It gives us a lot more heads up on what’s happening around the network.

Gardner: And now that you have had this in place, this integrated lifecycle, end-to-end approach, you've got your UCMDB, is there now, in hindsight, an opportunity to do some analytics, perhaps even refine what you requirements are, and therefore cut your total cost at some level?

Jackson: We're building a lot of information, taken from our financial systems and placing it into our UCMDB and CMDB databases to give us the breakdown of cost per device, cost per month, because now this information is available.

We have a couple of data centers. One of our biggest costs is power usage. Now, we can break down by use of collecting the power information, using NNMi -- how much our power is costing per rack by terms of how many amps have been used over a set period of time, say a week or a month. where previously we had no way of determining how our power usage was being spent or how much was actually costing us per rack or per unit.

From this performance information, we can also give our customers extra value reports and statistics that we can charge as a value added managed solution for them.

It's given us a massive information boost, and we can really utilize the information, especially in UCMDB, and because it’s so flexible, we can tailor it to do pretty much whatever we want. From this performance information, we can also give our customers extra value reports and statistics that we can charge as a value added managed solution for them.

Gardner: For the benefit of our listeners, now that you've gone through this process, are there any lessons learned, anything you could relay in terms of, "If I had to do this again, I might do blank?" What would you offer to those who would now be testing the waters and embarking on such a journey?

Jackson: One of the main things is to have a clear goal in mind before you start. Plan everything, get it all written down, and have the processes looked at before you start implementing this, because it’s fairly hard to re-engineer if you decided that one of the actual solutions or one of the processes that you have implemented isn’t going to work. Because of the integration of all the systems, you might tend to find that reverse engineering them is a difficult task.

As a company, we decided to go for a clean start and basically said we'd filter all the data, take the data that we actually really required, and start off from scratch. We found that doing it that way, we didn’t get any bad data in there. All the data that we have now is pretty much been cleansed and enriched by the information that we can get from our automated systems, but also by utilizing the extra data that people have put in.

Gardner: Thanks so much. You've been listening now to a sponsored podcast discussion on a UK-based managed service provider, InTechnology, and their journey to provide better information and services for their voice, data, and storage customers. They've employed an automated lifecycle approach and it has benefited them in a number of levels.

Thanks to Ed Jackson, the Operational System Support Manager at InTechnology. Ed, we really appreciated your input.

Jackson: Okay. No problem.

Gardner: And this is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to our audience, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast discussion on how InTechnology uses network management automation to improve delivery and service performance for network and communications services. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

You may also be interested in:

• HP delivers applications appliance solutions that leverage converged infrastructure for virtualization, data management
• HP delivers NMC 9.1 as new demands on network management require secure, integrated, and automated response
  
• New HP Service Manager tackles time and cost associated with help desk productivity
• HP's IT Performance Suite empowers IT leaders with unified view into total operations, costs
  
• HP takes plunge on dual cloud bursting: public and-or private apps support comes of age
  
• HP rolls out EcoPOD modular data center, provides high-density converged infrastructure with extreme energy efficiency