Showing posts with label Paul Muller. Show all posts

Tuesday, December 11, 2012

Insurance Leader AIG Drives Business Transformation and Service Performance Through Center of Excellence Model

Transcript of a BriefingsDirect podcast with AIG and HP on the challenges and solutions involved in managing a global center of excellence for IT performance.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

We're now joined by our co-host and moderator, Chief Software Evangelist at HP, Paul Muller. Welcome, Paul, how are you?

Paul Muller: I'm great Dana. How are you doing?

Gardner: I'm excellent. Where are you coming from today?

Muller: I'm coming from sunny San Francisco. It’s unseasonably warm, and I'm really looking forward to today’s discussions. It should be fun. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Gardner: We have a fascinating show. We're going to be learning about global insurance leader American International Group, or AIG, and how their Global Performance Architecture Group has leveraged a performance center of excellence (COE) to help drive business transformation.

So let me introduce our guest from AIG. We're here with Abe Naguib, Senior Director of AIG’s Global Performance Architecture Group. Welcome back, Abe.

Naguib: Hi, Dana. Hi, Paul. How are you?

Gardner: We're excellent. We've talked before, Abe, and I'm really delighted to have you back. I want to start at a high level. Many organizations are now focusing more on the user experience and the business benefits and less on pure technology, and for many, it's a challenge. From a very high level, how do you perceive the best way to go about a cultural shift, or an organizational shift, from a technology focus more towards this end-user experience focus?

Naguib: Well, Paul and Dana, there are several paradigms involved from the COO and CFO’s push on innovation and efficiency. A lot of the tooling that we use, a lot of the products we use help to fully diversify and resolve some of the challenges we have. That’s to keep change running.

The CIO has to keep his eye forward to periodically change tracks, ensuring that the customers are getting the best value for their money. That’s a tall order, and he has to predict benefit, gauge value, maintain integrity, socialize, and evolve the strategy of business ideas on how technology should run.

We have to manage quite a few challenges from the demand of operating a global franchise. Our COE looks at various levels of optimization and one key target is customer service, and factors that drive the value chain.

That’s aligning DevOps to business, reducing data-center sprawl, validating and making sense of vendors, products, and services, increasing the return on investment (ROI) and total cost of ownership (TCO) of emerging technologies, economy of scale, improving services and hybrid cloud systems, as we isolate and identify the cascading impacts on systems. These efforts help to derive value across the chain and eventually help improve customer value.

Gardner: Paul Muller, does this jibe with what you're seeing in the field? Do you see an emphasis that’s more on this sort of process level, when it comes to IT with of course more input from folks like the COO and the chief financial officer?

Level of initiatives

Muller: As I was listening to Abe's description I was thinking that you really can tell the culture of an organization by the level of initiatives and thinking that it has. In fact, you can't change one without changing the other. What I've just described is a very high level of cultural maturity.

We do see it, but we see it in maybe 10 to 15 percent of organizations that have gone through the early stages of understanding the performance and quality of applications, optimizing it for cost and performance, but then moving through to the next stage, reevaluating the entire chain, and looking to take a broader perspective with lots of user experience. So it's not unique, but it's certainly used among the more mature in terms of observational thinking.

Gardner: For the benefit of our audience, Abe, tell us a little bit about AIG, its breadth, and particularly the business requirements that your Global Performance Architecture Group is tasked with meeting?

Naguib: Sure, Dana. AIG is a leading international insurance organization, across 130 countries. AIG’s companies serving commercial, institutional, individual customers, through one of the world’s most extensive property/casualty networks, are leading providers of life insurance and retirement services in the US.

Among the brand pillars that we focused on are integrity, innovation, and market agility across the variety of products that we offer, as well as customer service.

Gardner: And how about the Global Performance Architecture Group? How do you fit into that?

Naguib: With AIG’s mantra of "better, faster, cheaper," my organization’s people, strategy, and comprehensive tools help us to bridge these gaps that a global firm faces today. There are many technology objectives across different organizations that we align, and we utilize various HP solutions to drive our objectives, which is getting the various IT delivery pistons firing in the same direction and at the right time.

These include performance, application lifecycle management (ALM), and business service management (BSM), as well as project and portfolio management (PPM). Over time our Global Performance organization has evolved, and our senior manager realized our strategic benefit and capability to reduce cost, risk, and mitigate production and risk.

Our role eventually moved out of quality assurance's (QA’s) functional testing area to focus on emphasizing application performance, architecture design patterns, emerging technologies, infrastructure and consolidation strategies, and risk mitigation, as well as increasing ROI and economy of scale. With the right people, process, and tools, our organization enabled IT transparency and application tuning, reduced infrastructure consumption, and accelerated resolution of any system performances in dev and production.

The key is that bringing together our business-critical and strategic drivers across IT’s various segments fosters alignment, agility, and eventually unity. Now, our leaders seek our guidance to help tune IT at some degree of financial performance to unlock optimal business value.

Culture of IT

Gardner: What's interesting to me, Paul, about what Abe just said is the evolution of this from test and dev in QA to a broader set of first IT, then operations, and then ultimately even through that culture of IT generally. Is that a pattern you're seeing that the people in QA are in the sense breaking out of just an application performance level and moving more into what we could call IT performance level?

Muller: As I was listening to Abe talk through that, there were a couple of keywords that jumped out that are indicators of maturity. One of them is the recognition that, rather than being a group-sized task, things like application, quality performance, and user experience actually are a discipline that can be leveraged consistently across multiple organizational units and, whether you centralize it or make it uniform across the organization is an important part of what you just described.

Maturity of operational and strategic alignment is something that requires a significant investment on business’s and IT’s behalf to prove early returns by doing a good job on some of the smaller projects. This shows a proven return on investment before the organization is typically going to be willing to invest in creating a centralized and a uniform architecture group.

Gardner: Abe, do you have some response to that?

Naguib: Yes, more and more, in the last six or seven years, there's less focus on just basic performance optimization. The focus is now on business strategy impact on infrastructure CAPEX and OPEX. Correlating business use cases to impact on infrastructure is the golden grail.

Once you start communicating to CIOs the impact of a system and the cost of hosting, licensing, headcount, service sprawl, branding, and services that depend on each other, we're more aligning DevOps with business.

Muller: You can compare the discussion that I just had with a conversation I had not three weeks ago with a financial institution in another part of the world. I asked who is responsible for your end-to-end business process -- in this case I think it was mortgage origination -- and the entire room looked at each other, laughed, and said "We don't know."

So you've really got this massive gap in terms of not just IT process maturity, but you also have business-process maturity, and it's very challenging, in my experience, to have one without having the other.

Gardner: I think we have to recognize too that most businesses now realize that software is such an integral part of their business success. Being adept at software, whether it's writing it, customizing it, implementation and integration, or just overall lifecycle has become kind of the lifeblood of business, not just an element of IT. Do you sense that, Abe, that software is given more clout in your organization?

Naguib: Absolutely, Dana. I truly believe that. I've been kind of an internal evangelist on this, but I always say that software drives the hardware. Whether I communicate with the enterprise architects, the dev teams, the infrastructure teams, software frankly does drive the hardware.

That's really the key point here. If you start managing your root cost and performance from a software perspective and then work your way out, you’ve got the key to unlocking everything from efficiencies to optimizing your ROI and to addressing TCO over time. It's all business driven. Know your use cases. Know how it impacts your software, which impacts your infrastructure.

Converged infrastructure

Gardner: Of course, these days we’re hearing more about software-defined networking, software-defined data centers, and converged infrastructure. It really does start to come together, so that you can control, manage, and have a data-driven approach to IT, and that fits into ITIL and some of the other methodologies. It really does seem to be kind of a golden age for how IT can improve as performance, as productivity, and of course as a key element to the overall business. Is that what you’re finding too, Abe?

Naguib: Absolutely. It's targeting software performance and software-as-a-service (SaaS) applications that depend on each other.

More and more, it's a domino effect. If you don't identify the root cause, isolate it, and resolve it, the impact does have a cascading effect, on optimization, delivery, and even cost, as we’ve seen repeatedly in the last couple of years. That’s how we communicate to our C-level community.

Gardner: Of course we have to recognize it. Just being performant, optimized, and productive for its own sake isn’t good enough in this economy. We have to show real benefits, and you have to measure those benefits. Maybe you have some way to translate how this actually does benefit your customers. Any metrics of success you can share with us, Abe?

Naguib: Yes, during our initial requirements-gathering phase with our business leaders, we start defining appropriate test-modeling strategy, including volumetrics, and managing and understanding the deployment pattern with subscriber demographics and user roles. We start aligning DevOps organizations with business targets, which improves delivery expectations, ROI, TCO, and capacity models.

Then, before production, our Application Performance Engineering (APE) team identifies weak spots to provide the production team with a reusable script setting thresholds on exact hotspots in a system, so that eventually in production, they can take appropriate productive measures. Now, this is value add.

Gardner: Paul, do you have any thoughts in terms of how that relates to the larger software field, the larger enterprise performance field?

Muller: As we’re seeing across the planet at the moment, there's a recognition that to bring great software and information is really a function of getting Layers 1 through 7 in the technology stack working, but it's also about getting Layer 8 working. Layer 8, in this case, is the people. Unfortunately, being technologists, we often forget about the people in this process.

What Abe just described is a great representation of the importance of getting not just a functional part of IT, in this case quality and performance working well, but it's about recognizing the software will one day be delivered to operational staff to internally monitor and manage it in a production setting.

The big transformation taking place right now is that our organization is connecting different silos of IT delivery, in particular development, quality, and operations, to help them accelerate the release of quality applications, and to automate things like threshold setting, and optimize monitoring of metrics ahead of time. Rather than discovering that an application might fail to perform in a production setting, where you've got users screaming at you, you get all of that work done ahead of time.

Sharing and trust

You create a culture of sharing and trust between development, quality, and operations that frankly doesn’t exist in a lot of process where the relationship between development and operations is pretty strained.

Gardner: Abe, how do you measure this? We recognized the importance of the metrics, but is there a new coin of the realm in terms of measurement? How do you put this into a standardized format that you’re going to take to your CFO and your COO and say here’s what's really happening?

Naguib: That's a good question. Tying into what Paul was saying, nobody cared about whether we improved performance by three seconds or two seconds. You care at the front end, when you hear users grumbling. The bottom line is how the application behaves, translating that into business impact as well as IT impact.

Business impact is what are the dollar values to make key use cases and transactions that don't scale. Again, software drives the hardware. If an application consumes more hardware, the hardware is cheap nowadays, but licenses aren’t. You have database and middleware products running in that environment, whether it's on-premise or in the cloud.

The point is that impact should be measured, and that's how we started communicating results through our organization. That's when we started seeing C-level officers tuning in and realizing the impact of performance of both to the bottom line, even to the top line.

Gardner: It strikes me, Abe, that this is going to set you up to be in a better position to move to cloud models, consume more SaaS services, as you mentioned earlier, and to become more of a hybrid services delivery shop or have that capability. Does that make sense? Do you feel more prepared for what this next level of compute architecture you seem to be heading toward as a result of the investments you've made?

Naguib: Absolutely, Dana. Our role is to provide more insight earlier and quicker to the right people at the right time.

Leveraging HP’s partnership and solutions helped us to address technologies, whether Web 2.0, client-server, legacy systems, Web, cloud-based, or hybrid models. We were able to leverage consistent dashboards across different IT solutions internally, then target weak spots and help drive optimization, whether on premise or cloud.

Gardner: Paul Muller, thoughts about how this is working more generally in the market, how people who get a grasp on global performance architecture issues like AIG are then in a better position to leverage and exploit the newer and far more productive types of computing models?

Muller: In the enterprise today, it's all about getting your ideas out of your head and making them a reality. As Abe just described, most of the best ideas today that are on their way into business processes you can ultimately turn into software. So success is really all about having the best applications and information possible.

Understand maturity

The challenge is understanding how the technology, the business process, and the benefits come together and then orchestrating the delivery of that benefit to your organization. It's not something that can be done without a deliberate focus on process. Again, the challenge is always understanding your organization's maturity, not just from an IT standpoint, but importantly from a broader standpoint.

Naguib: What's the common driver for all? Money talks. Translating things into a dollar value started to bring groups together to understand what we can do better to improve our process.

Gardner: Abe, it strikes me that you guys are really fulfilling this value epicenter role there and expanding the value of that role outside the four walls of IT into the larger organization. Tell me how HP is joining you in a partnership to do that? What is it that you're bringing to the table to improve that value for the epicenter of value benefit?

Naguib: Dana, what we're seeing more is that it's not just internal dev and ops that we're aligning with, or even our business service level expectations. It's also partnerships with key vendors that have opened up the roadmap to align our technologies, requirements, and our challenges into those solutions.

The gains we make are simple. They can be boiled down into three key benefits: savings, performance, and business agility. Leveraging HP's ALM solutions helps us drive IT and business transformation and unlock resources and efficiencies. That helps streamline delivery and increase the reliability of our mission-critical systems.

My favorite has always been HP's LoadRunner Performance Center. It’s basically our Swiss Army Knife to support diverse platform technologies and align business use cases to the impact on IT and infrastructure via HP SiteScope.

We're able to deep dive into the diagnostics, if needed. And the best part is, after we've dealt with tuning, we can help activate post-production monitoring using the same script, understanding where the weak spots are.

So the tools are there. The best part is that they're integrated, and they actually work together very well.

Gardner: It really sounds like you've grabbed onto this system-of-record concept for IT, almost enterprise resource planning (ERP) for IT. Is that fair?

Naguib: That's a good way to put it.

Muller: One of the questions I get a lot from organizations is how we measure and reflect the benefit. What hard data have you managed to get?

Three-month study

Naguib: IDC came in and did an extensive three-month study, and it was interesting what they have found. We've realized a saving of more than $11 million annually for the past five years by increasing our economy of scale. Scale on a system allows more applications on the same host.

It's an efficiency from both hardware and software. They also found that our using solutions from HP increased staff productivity by over $300,000 a year. Instead of fighting fires, we're actually now focusing on innovation, and improving business reliability by over $600,000 a year.

So all that together shows a recoup, a five-year ROI, about 577 percent. I was very excited about that study. They also showed that we resolved mean time resolution over 70 percent through production debugging, root cause, and resolution efforts.

So what we found, and technologists would agree with me, is that today, with hardware being cheaper than software, there is a hidden cost associated with hosting an application. The bottom line, if we don’t test and tune our applications holistically, either the architecture, code, infrastructure, and shared services, these performance issues can quickly degrade quality of service, uptime, and eventually IT value.

Muller: I have a saying, which is that quality costs money but bad quality costs more. There you go.

Gardner: Abe, any recommendations that you might have for other organizations that are thinking of moving in this direction and that want to get more mature, as Paul would say. What are some good things to keep in mind as you start down this path?

Naguib: Besides software drives the hardware -- and I can't stress that enough -- are all the ways to understand business impact and translate whatever you're testing into the business model.

What happens in scenarios such as outages? What happens when things are delayed? What is the impact on business operability, productivity, liability, customer branding? There are so many details that stem from performance. We used to be dealing with the "Google factor" of two-second response time, but now, we're getting more like millisecond response, because there are so many interdependencies between our systems and services.

Another fact is that a lot of products come into our doors on a daily basis. Modern technologies come in with a lot of promises and a lot of commitments.

Identify what works

So it's being able to weed through the chaff, identify what works, how the interdependencies work, and then, being able to partner with vendors of those solutions and services. Having tools that add transparency into their products and align with our environment helps bring things together more. Treating IT like a business by translating the impact into dollar value, helps to get lined up and responsive.

Gardner: Very good. Last word to you, Paul. Any thoughts about getting started? Are there principles that you are seeing in common, threads or themes for organizations, as they begin to get the maturity model in place and extend quality and process performance assurance improvements even more generally into their business?

Muller: It might be a little controversial here, but the first step is look in the mirror and understand your organization and its level of maturity. You really need to assess that very self-critically before you start. Otherwise, you're going to burn a lot of capital, a lot of time, and a lot of credibility trying to make a change to an organization from state A to state B. If you don’t understand the level of maturity of your present state before you start working on the desired state, you can waste a lot of time and money. It's best to look in the mirror.

The second step is to make sure that, before you even begin that process, you create that alignment and that desired state in the construct of the business. Make sure that your maturity aligns to the business's maturity and their goal. I just described the ability to measure the business impact in terms of revenue of IT services. Many companies can’t even do something as fundamental as that. It can be really hard to drive alignment, unless you’ve got business-IT alignment ahead of time.

I have said this so many times. The technology is a manageable problem. Layers 1 through 7, including management software to a certain degree, have solved problems most of the time. Solving the problem of Layer 8 is tough. You can reboot the server, but you can’t reboot a person.

I always recommend bringing along some sort of management of organizational change function. In our case, we actually have a number of trained organizational psychologists working for us who understand what it takes to get several hundred, sometimes several thousand, people to change the way they behave, and that’s really important. You’ve got to bring the people along with it.

Gardner: Well, we have to take a hint from you, Paul. Maybe our next topic will be The Psychology of IT, but we won’t be able to get to that today. I am afraid we'll have to leave it there, and I have to thank our co-host Paul Muller, the Chief Software Evangelist at HP. Thanks so much for joining us.

Muller: Always a pleasure.

Gardner: And I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Paul and other experts there at HP through the Discover Performance Group on LinkedIn.

You can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can always access this and other episodes of our HP Discover Performance podcast series at hp.com and on iTunes under BriefingsDirect.

Of course, we also extend a big thank you to our guest. Abe Naguib, Senior Director of AIG’s Global Performance Architecture Group. Thanks so much, Abe.

Naguib: Thank you, Dana, thank you, Paul. I really appreciate the opportunity.

Gardner: Again, a last thank you to our audience for joining us for this special HP Discover Performance podcast discussion. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host for this ongoing series of HP-sponsored business success stories. Thanks again for joining, and come back next time.


Transcript of a BriefingsDirect podcast with AIG and HP on the challenges and solutions involved in managing a global center of excellence for IT performance. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.


Tuesday, November 27, 2012

Right-Sizing Security and Information Assurance, a Core-versus-Context Journey at Lake Health

Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. We're now joined by our co-host for this sponsored podcast series, Chief Software Evangelist at HP, Paul Muller. Hello, Paul, welcome back.

Paul Muller: Dana, it's good to be back. How are you?

Gardner: I'm well. Are you still in San Francisco?

Muller: Still in San Francisco, and it’s another lovely day.

Gardner: Very good. We're also here with Raf Los. He is the Chief Security Evangelist at HP. Welcome back, Raf, how are you? [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Raf Los: I'm well. Thank you.

Gardner: And where are you joining us from today?

Los: I'm in Houston, Texas, today.

Gardner: We have a fascinating show today, because we're going to learn how regional healthcare services provider Lake Health in Ohio has matured from deploying security technologies to becoming more of a comprehensive risk-reduction practice provider internally for its own consumers.

We're going to learn how Lake Health's Information Security Officer has been expanding the breadth and depth of risk management there to a more holistic level, and we're even going to discuss how they've gone about deciding for which risk and compliance services to seek outside providers and which to retain and keep inside, or on premises.

With that, please join me in welcoming our special guest, Keith Duemling. He is the Information Security Officer at Lake Health. Welcome, Keith.

Keith Duemling: Hi. How are you guys doing today?

Gardner: We're doing very well.

Keith, let me begin our discussion with a high level, almost a philosophical, question for you. Many people are practicing IT security and they're employing products and technologies. They're putting in best practices and methods, of course, but it seems to me that you have a different take.

You've almost abstracted this up to information assurance -- even quality assurance -- for knowledge, information, and privacy. Tell me how that higher abstraction works, and why you think it's more important or more successful than just IT security?

Duemling: If you look at the history of information security at Lake Health, we started like most other organizations. We were very technology focused, implementing one or two point solutions to address specific issues. As our program evolved, we started to change how we looked at it and considered it less of a pure privacy issue and more of a privacy and quality issue.

Go back to the old tenets of security, with confidentiality, integrity, and availability. We started thinking that, of those three, we really focused on the confidentiality, but as an industry, we haven't focused that much on the integrity, and the integrity is closely tied to the quality.

Information assurance

So we wanted to transform our program into an information-assurance program, so that we could allow our clinicians and other caregivers to have the highest level of assurance that the information they're making decisions based on is accurate and is available, when it needs to be, so that they feel comfortable in what they are doing.

So it's not just protecting information from being disclosed, but it's protecting information so that it's the right information, at the right time, for the right patient, for the right plan of care. From a high level, the program has evolved from simple origins to more of a holistic type of analysis, where we look at the program and how it will impact patient care and the quality of that patient care.

Gardner: It sounds like what I used to hear -- and it shows how long I have been around -- in the manufacturing sector. I covered that 20 years ago. They talked about a move towards quality, and rather than just looking at minute or specific parts of a process, they had to look at it in total. It was a maturity move on behalf of the manufacturers, at that time.

Raf Los, do you see this as sort of a catching up for IT and for security practices that are maybe 20 years behind where manufacturing was?

Los: More or less, Dana. Where Keith’s group is going, and where many organizations are evolving to, is a practice that focuses less on “doing security” and more on enabling the enterprise and keeping quality high. After all, security is simply a function, one of the three pillars of quality. We look at does it perform, does it function, and is it secure?

So it's a natural expansion of this, sort of a Six Sigma-esque approach to the business, where IT is catching up, as you’ve aptly put it. So I tend to agree with it.

Gardner: Of course, compliance is really important in the healthcare field. Keith, tell us how your approach may also be benefiting you, not just in the quality of the information, but helping you with your regulatory and compliance requirements too?

Duemling: In the approach that we’ve taken, we haven’t tried to change the dynamics that significantly. We've just tried to look at the other side of the coin, when it comes to security. We find that a lot of the controls that we put in place for security benefit from an assurance standpoint, and the same controls for assurance also benefit from a security standpoint.

As long as we align what we're doing to industry-accepted frameworks, whether it be NIST or ISO, and then add the healthcare-specific elements on top of that, we find that that gives us a good architecture to continue our program and be mindful of the assurance aspect as well as the security side.

In doing so, we're able to implement controls that span multiple compliance elements, so that we are not duplicating our efforts, missing something, or trying to reinvent the wheel. Obviously, we're not the first healthcare provider, and we certainly won't be the last one, to go through the challenges of compliance in the United States -- and how it's ever changing.

Add-on benefits

Gardner: Are there some other ancillary or add-on benefits from your approach? I am thinking of being able to be proactive, rather than reactive, on certain elements of your requirements. Or do you have an ability to compress the amount of time in which you can react, so that you can be more real time in how you adjust? What are the other benefits to your approach?

Duemling: One of the other benefits of the approach is that we look at the data itself or the business function and try to understand the risks associated with it and the importance of those functions and the availability of the data. When we put the controls and the protective measures around that, we typically find that if we're looking specifically at what the target is when we implement the control, our controls will last better and they will defend from multiple threats.

So we're not putting in a point solution to protect against the buzzword of the day. We're trying to put in technologies and practices that will improve the process and make it more resilient from both what the threats are today and what they are in the future.

Gardner: Paul Muller, any thoughts about what you're hearing and how this might relate to the larger marketplace that you're familiar with from some of the other clients and enterprises that you're talking to?

Muller: A couple of observations. The first is that we need to be really careful when we think about compliance. It's something of a security blanket, not so much for security executives. I think InfoSec security executives understand the role of compliance, but it can give business leaders a false sense of security to say, "Hey, we passed our audit, so we're compliant."

There was a famous case of a very large financial-services institution that had been through five separate audits, all of which gave them a very clear bill of health. But it was very clear from some of the honey pots they put in place in terms of certain data that they were leaking data through to a market-based adversary. In other words, somebody was selling their data, and it wasn’t until the sixth audit that the source of the problem was uncovered.

So we need to be really careful. Compliance is actually the low bar. We're dealing with a market-based adversary. That is, someone will make money from your data. It's not the nation-state that we need to worry about so much as the people who are looking to exploit the value of your information.

Of course, once money and profit enter the equation, there are a lot of people very interested in automating and mechanizing their attack against your defense, and that attack surface is obviously constantly increasing.

The challenge, particularly in examples such as the one that Keith is talking about, comes in the mid-sized organizations. They've got all of the compliance requirements, the complexity, and the fascinating, or interesting, data from the point of view from a market-based adversary. They have all of that great data, but don't necessarily have the scale and the people to be able to protect that.

Balancing needs

It's a question of how you balance the needs of a large enterprise with the resources of a mid-sized organization. I don't know, Keith, whether you've had any experience of that problem.

Duemling: I have all too many times experienced that problem that you’re defining right there. We find that technology that helps us to automate our situational awareness is something that's key for us. We can take the very small staff that we have and make it so that we can respond to the threats and have the visibility that we need to answer those tough questions with confidence, when we stand in front of the board or senior management. We're able to go home and sleep at night and not be working 24×7.

Los: Keith, let me throw a question at you, if you don't mind. We mentioned automation, and everybody I have this conversation with tends to -- I don't want to say oversimplify -- but can have an over-reliance on automation technology.

In an organization of your size, you’re right smack in the middle of that, too big not to be a target, too small to have all the resources you've ever wanted to defend yourself. How do you keep from being overrun by automation -- too many dashboards, too many red lights blinking at you, so you can actually make sense of any of this?

Duemling: That's actually one of the reasons we selected ArcSight. We had too many dashboards for our very small staff to manage, and we didn’t want Monday to be the dashboard for Product A, Tuesday for Product B, and things of that nature.

So we figured we would aggregate them and create the master dashboard, which we could use to have a very high-level, high-altitude view, drill down into the specific events, and then start referring them to subject-matter experts. We wanted to have just those really sensitive events bubble up to the surface, so that we could respond to them and they wouldn’t get lost in the maze of dashboards.

Gardner: Keith, before we go any further, for the benefit of our listeners, please tell us a bit about Lake Health, the size of your organization, the types of services you provide, and even the nature of your organization. Are you non-profit, publicly-traded, that sort of thing?

Duemling: Sure. Lake Health is a not-for-profit healthcare system. We’re about 45 minutes outside of Cleveland, Ohio. We have two freestanding hospitals and approximately 16 satellite sites of different sizes that provide healthcare to the citizens of the county that we’re in and three adjacent counties.

We have three freestanding 24×7 emergency rooms (ERs), which treat all kinds of injuries, from simple broken fingers to severe car accidents, heart attacks, things of that nature.

We also have partnerships with a number of very large healthcare systems in the region, and organizations of that size. We send some of our more critically injured patients to those providers, and they will send some of their patients to us for more localized, smaller care closer to their place of residence.

We’ve grown from a single, small community hospital to the organization that we have now.

Career path

Gardner: And how about you? What's been your trajectory in terms of how long you've worked there and the career path that you followed?

Duemling: I've been with Lake Health for a little under eight years now. I started as a systems administrator, managing a set of Windows servers, and evolved to my current position over time.

Typically, when I started, an individual was assigned a set of projects to work on, and I was assigned a series of security projects. I had a security background that I came to the organization with. Over time, those projects congealed into the security program that we have now, and if I am not mistaken, it's in its third iteration right now. We seem to be on a three-year run for our security program, before it goes through a major retrofit.

Gardner: How did you unify all of these different elements under what you call a program for security? What were some of the steps you needed to take? We heard a little bit about the dashboard issue, but I'm trying to get a larger perspective on how you unified culture around this notion of information assurance?

Duemling: We started within the information and technology department, where we had to really do an evaluation of what technologies we had in place, what different individuals were responsible for, and who they reported to. Once we found that there was this sprinkling of technology and responsibilities throughout the department, we had to put together a plan to unify that all into one program that has one set of objectives, is under one central leadership, and has its clear marching orders.

Then once we accomplished that, we started to do the same thing across the entire organization. We improved our relationship within IT, not just with sub-departments within IT, but then we also started to look outside and said, "We have to improve our relationship with compliance and we have to improve our relationship with physical security."

So we’re unifying our security program under the mantra of risk, and that's bringing all the different departments that are related to risk into the same camp, where we can exchange notes and drive towards a bigger, enterprise-focused set of objectives.

Gardner: Raf, this sounds a bit like the resiliency concepts that you've been talking about in the past few months. Is what we're hearing from Keith enterprise resiliency or is there a difference that we should appreciate?

Los: No, he's dead-on. At the end of the day, what security is chartered with, along with most of the rest of IT, as I said earlier, is empowering the organization to do its work. Lake Health does not exist for the sole purpose of security, and clearly they get that.

That's step one on this journey of understanding what the purpose of an IT security organization is. Along the broader concept of resiliency, one of the things that we look at in terms of security and its contribution to the business is, can the organization take a hit and continue, get back up to speed, and continue working?

Not if, but when

Most technologists in organizations by now know it’s not a question of if you’re going to be hacked or attacked, but a question of when, and how you’re going to respond to that by allowing the intelligent use of automation, aligning towards business goals, and understanding the organization and what's critical in the organization.

They rely on critical systems, critical patient-care systems. That goes straight to the enterprise resiliency angle. If you get hacked and your network goes down, IT security is going to be fighting that hack. At the same time, we need to realize how we separate the bad guys from the patient and the critical-care system, so that our doctors and nurses and support professionals can go back to saving lives, and making people’s lives better, while we contain the issue and eradicate it from our system.

So that's perfectly along those lines, and as you pointed out, I've been hearing a lot about that lately. It's more than just about security, and that's a fantastic revelation to wake up to every morning.

Gardner: Keith, before we go and learn more about how you examine all of the things that you need to do in this program and then perhaps start thinking about what's core, what's context, and how to best source those, I’d like to hear a little bit about the payoffs.

You've been doing this, as you pointed out, for several years. Are there some lessons that you can point to in terms of payback? Clearly, if you are operating well and you've got good data and privacy, that's a reward in its own right. But are there some other returns on investment (ROI), maybe a softer return like an innovation benefit or being able to devote more staff to innovation? Maybe you can line up a few of the paybacks when this goes as it should?

Duemling: I'd probably put forward two paybacks. One is about some earlier comments I heard. We, as an organization, did suffer a specific event in our history, where we were fighting a threat, while it was expected that our facilities would continue operating. Because of the significant size of that threat, we had degraded services, but we were able to continue -- patients were able to continue coming in, being treated, things of that nature.

That happened earlier in our program, but it didn’t happen to the point where we didn’t have a program in place. So, as an organization, we were able to wage that war, for lack of a better term, while the business continued to function.

Although those were some challenging times for us, and luckily there was no patient data directly or indirectly involved with that, it was a good payoff that we were able to continue to fight the battle while the operations of the organization continued. We didn't have to shut down the facilities and inconvenience the patients or potentially jeopardize patient safety and/or care.

A second payoff is, if we fast forward to where we are now, with lessons learned, technologies put in place, and things of that nature, we have a greater ability to answer those questions when people put them to us, whether it's a middle manager, senior manager, or the board. What are some of the threats we're seeing? How are we defending ourselves? What is the volume of the challenge? We're able to answer those questions with actual answers as opposed to, "I don't know," or "I'll get back to you."

So we can demonstrate more of an ROI through an improvement in situational awareness and security intelligence that we didn't have three, four, or five years earlier in the program’s life. And tools like ArcSight and some of the other technologies that we have, that aggregate that for us, get rid of the noise, and just let us hone in on the crown jewels of the information are really helpful for us to answer those questions.

System of record

Gardner: How about looking at this through the lens of a system-of-record perspective, an architectural term perhaps. Has that single view, that single pane of glass, allowed you to gain the sense that you have a system of record or systems of record? Has that been your goal, or has that been perhaps even an unintended consequence?

Duemling: It's actually kind of both. One, it retains information that sometimes you wish you didn't retain, but that's the fact of what the device and the technology are in the solution and it’s meeting its objective.

But it is nice to have that historical system of record, to use your term, where you can see the historical events as they unfold and explain to someone, via one dashboard or one image, as a situation evolves.

Then, you can use that for forensic analysis, documentation, presentation, or legal to show the change in the threat landscape related to a specific incident, or, from a higher level, a specific technology that's providing its statistical information into ArcSight, which you can then do trending and analysis on.

It is also good to get towards a single unified dashboard where you can see all of the security events that are occurring in the environment or outside the environment that you are pulling in, like edit from a disaster recovery (DR) site. You have that single dashboard where if you think there's a problem, you can go to that, start drilling down, and answer that question in a relatively short period of time.

Muller: I'll go back to Keith’s opening comments as well. Let's not undervalue the value of confidence -- not having to second guess not just the integrity of your systems and your applications, but to second guess the value of information. It's one thing when we're talking about the integrity of the bank balance of a customer. Let's be clear that that's important, but it can also be corrected just as easily as it can be modified.

When you're talking about confidence in patient data, medical imaging, drug dispensations, and so forth, that’s the sort of information you can't afford to lack confidence in, because you need to make split-second decisions that will obviously have an impact on somebody’s life.

Duemling: I would add to that. Like you were saying, you can undo an incorrect or a fraudulent bank transfer, but you cannot undo something such as the integrity of your blood bank. If your blood bank has values that randomly change or if you put the wrong type of blood into a patient, you cannot undo those without there being a definitely negative patient outcome.

Los: Keith, along those lines, do you have separate critical systems that you have different levels of classification for, that are defended and held to a different standard of resilience, or do you have a network-wide classification? I am just curious how you figure out what gets the most attention or what gets the highest concentration of security?

Duemling: The old model of security in healthcare environments was to have a very flat type of architecture, from a networking, support, and security standpoint. As healthcare continues to modernize for multiple reasons, there's a need to build islands or castles. That’s the term we use internally, "castles," to describe it. You put additional controls, monitoring, and integrity checks in place around specific areas, where the data is the most valuable and the integrity is the most critical, because there are systems in a healthcare environment that are more critical than others.

Obviously, as we talked about earlier, the ones that are used for clinical decision making are technically more critical than the ones that are used for financial compensation as it results from treating patients. So although it's important to get paid, it's more important that patient safety is maintained at all times.

Limited tools

We can't necessarily defend all of our vast resources with the limited set of tools that we have. So we've tried to pick the ones that are the most critical to us and that's where we've tried to put all the hardening steps in place from the beginning, and we will continue to expand from there.

Gardner: Keith, let's take this now to that question about managing your resources. Obviously, because you are in that Goldilocks position, as Raf pointed out -- not too big, not too little -- you have to be choosy. You don't have unlimited resources, but you have a very serious and significant responsibility.

Have you been starting to look at what is core and what is context, what should be either outsourced or provided through some managed services of some sort and what you would really like to retain control over? How does that thought process about that problem pan out?

Duemling: Absolutely. We look at every security project with the mindset of how we can do this the most effectively and with the least amount of resources diverted from the clinical environment to the information security program.

That being said, security as a service, cloud-based technology, outsourcing, whatever term you would like to use, is definitely something that we consider on a regular basis, when it comes to different types of controls or processes that we have to be responsible for. Or professional services in the event of things like forensics, where you don’t do it on a regular basis, so you may not consider yourself an expert.

We tend to do an evaluation of the likelihood of the threat materializing or dependence on the technology, what offerings are out there, both as a service and premise-based, what it would take from an internal resource standpoint to adequately support and use a technology. Then, we try and articulate that into a high-level summary of the different options, with cost, pros and cons related to each.

Then, typically, our senior management will discuss all of those, and we'll try and come to the decision that we think is best for our organization, not just for that point, but for the next three to five years. So some initiatives have gone premise-based and some have gone security-as-a-service based. We are kind of a mix.

Gardner: Paul Muller, as a cloud follower, a close follower, you've seen hybrid services delivery arise in many different forms. I guess we're talking here about hybrid security delivery. How do they come together in your mind?

Muller: Exactly the same way. It is about what Keith described as understanding particularly where, for example, there is a high degree of specialization or skill required that is in short supply, particularly in your geography.

It's particularly true of security professionals that the bigger targets -- the banking institutions, defense, to a certain extent telecoms -- are able to offer a price premium to some of these people, and it can make it hard to find the best quality staff, particularly in mid-sized organizations. Therefore, it sometimes makes more sense to procure those staff and the services alongside them from outside of the organization.

Core intellectual property

Having said that, there are times when there is core intellectual property (IP) of your organization, core capabilities, particularly around industry vertical processes, where that level of expertise is not widely understood.

It's too generic to be of value. Healthcare is a great example, where the compliance requirement, plus the particular or specific patient management systems, would be too specific for a general-purpose service provider to add much value. It's a question of blending that right to the capabilities.

I want to add that it's interesting that the security world tends to have a somewhat schizophrenic view of software as a service (SaaS). They will typically be okay with the idea of putting all of your sales pipeline and your customer data into a customer relationship management (CRM) system in the cloud, but will often have a negative reaction if you say let's use security SaaS.

So often you will find that it's actually more palatable for the organization culturally when looked at maybe as a managed service, rather than treating it as SaaS, knowing, in other words, that there are people behind it as well as software. I don't know. Raf, what are your thoughts?

Los: Well, Paul, eloquently put. There's still that stigma of cloud somehow magically meaning less secure, and I work with that trepidation almost daily, like you do.
The one aspect we need to make sure that we emphasize and understand is that there are people behind all of this. This isn’t just some automated scan, script, or thing. There are people behind a lot of this, and the broad sense of why security really matters is the human element of it.

So these hybrid types of services make sense, because there are a lot of things and -- going back to that comment about the size of the organization -- you can't do it all yourselves. If you can, you can't do it well, whether you're a massive company or a small one.

Knowing that fact, acknowledging that, and being able to consume security services intelligently can be the difference between getting lost in "dashboard hell" and having the right information at the right time to make the right decision, based on partnerships with the correct organizations.

I think you summed it up well, but I just felt like I would add a little bit of color to that, because that's a little bit of what I have been seeing.

Gardner: It's interesting that a common thread for successful organizations is knowing yourself well. It's also an indicator of maturity, of course. I know that Paul is talking about this, and Raf as well, that those organizations that know themselves well can better plot their future architecturally and across comprehensive services. But it also sounds as if this is really important, when it comes to deciding what services to retain total control over or retain the resources that deploy them and another set of choices.

Back to you, Keith. It sounds like you have a good level of maturity. You have had a good opportunity to know yourself and then to track your progress. Is that helping you make these decisions about what's core or context in the design of your risk-mitigation activities?

What you do well

Duemling: Yes, it is. You have to know what you do well and also you have to know the areas where you, as an organization, are not going to be able to invest the time or the resources to get to a specific comfort level that you would feel would be adequate for what you are trying to achieve. Those are some of the things where we look to use security as a service.

We don't want to necessarily become experts on spam filtering, so we know that there are companies that specialize in that. We will leverage their investment, their technology, and their IP to help defend us from email-borne threats and things of that nature.

We're not going to try and get into the business of having a program or to create an event-correlation engine. That's why we're going to go out and look for the best-of-breed technologies out there to do it for us.

We'll pick those different technologies, whether it's as a service or premise-based and we'll implement those. That will allow us to invest in the people that know our environment the best and intimately and who can make decisions based on what those tools and those managed services tell them.

They can be the boots on the ground, for lack of a better term, making the decisions that are effective at the time, with all the situational awareness that they need to resolve the problem right then and there.

Gardner: Keith, you've got a little bit of 20/20 hindsight, having done this. For those of our listeners who are perhaps at that level, where they are juggling quite a few security products or technologies and they would like to move into this notion of a program and would like to have a unified view, any thoughts about getting started, any lessons learned that you could share?

Duemling: I would say just a couple of bullet points. Security is more than just technology. It really is the people, the process, and the technology. You have to understand the business that you are trying to protect. You have to understand that security is there to support the business, not to be the business.

Probably most importantly, when you want to evolve your security and set up projects into an actual security program, you have to be able to talk the language of the business to the people who run the business, so that they understand that it’s a partnership and you are there to support them, not to be a drain on their valuable resources.

Gardner: Raf, any thoughts to amplify or extend that?

Los: I think he has put it brilliantly just now. IT security is a resource and also a potential drain on resources. So the less we can take away from anything else the organization is doing, while enabling them to basically be better, deliver better, deliver smarter, and save more lives and make people healthier, that is ultimately the goal.

If there's nothing else that anybody takes away from a conversation like this, IT security is just another enabler in the business and we should really continue to treat it that way and work towards that goal.

Lessons learned

Gardner: All right, last word to you today, Paul Muller. What sort of lessons learned or perhaps perceptions from the example of Lake Health would you amplify or extend?

Muller: I will just go back to some of my earlier comments, which is, let’s remember that our adversary is increasingly focused on the market opportunity of exploiting the data that we have inside our organizations -- data in all of its forms. Where there is profit, as I said, there will be a drive for automation and best practices. They are also competing to hire the best security people in the world.

But as a result of that, and mixed in with the fact that we have this ever-increasing attack surface, the vulnerabilities are increasing dramatically. The statistic I saw from just October is that the cost of cyber crime has risen by 40 percent and the attack frequency has doubled in the last 12 months. This is very real proof that these market forces are at work.

The challenge that we have is educating our executives that compliance is important, but it is the low bar. It is table stakes, when we think about information and security. And particularly in the case of mid-sized enterprises, as Raf pointed out, they have all of the attractiveness as a target of a large enterprise, but not necessarily the resources to be able to effectively detect and defend against those sorts of attacks.

You need to find the right mix of services, whether we call it hybrid, whether we call it cloud or managed services, combined with your own on-premises services to make sure that you're able to defend yourself responsibly.

Gardner: Very good. I am afraid we'll have to leave it there. I want to thank our co-hosts today. We have been joined by Paul Muller, the Chief Software Evangelist at HP. Thank you, Paul.

Muller: Great having been here again, Dana. Good to talk to you.

Gardner: And also Raf Los. He is the Chief Security Evangelist at HP. Thank you so much, Raf.

Los: Thanks for having me, Dana. And Keith, it has been a pleasure having the conversation.

Gardner: And I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Paul Muller through the Discover Performance Group on LinkedIn, and also to follow Raf on his popular blog, Following the White Rabbit.

You can also gain more insights and information on the best of IT performance management at http://www.hp.com/go/discoverperformance.

And you can always access this and other episodes in our HP Discover Performance Podcast Series at hp.com and on iTunes under BriefingsDirect.

And of course I want to thank our very special guest today, with a very impressive story, Keith Duemling; he is the Information Security Officer there at Lake Health. Thank you so much, Keith.

Duemling: Thank you for the opportunity to share the information.

Gardner: And lastly, I would like to thank our audience for joining us for this special HP Discover Performance Podcast discussion. I am Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored business success stories.

We appreciate your listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP

Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.


Tuesday, July 31, 2012

For Steria, Cloud Not So Much a Technology as a Catalyst to Responsive and Agile Business

Transcript of a sponsored BriefingsDirect podcast on how IT service delivery company Steria standardizes processes in the cloud for improved delivery.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Now, we're joined by our co-host for this sponsored podcast series, Chief Evangelist at HP, Paul Muller. Welcome, Paul. Where are you coming from today?

Paul Muller: Hi, Dana. Today, I'm in a fortunate position. I've been at home now for nearly two weeks running, which is something of a record. I'm down here in Melbourne, Australia.

Gardner: I am glad you can join us from home. We have a fascinating show today, because we are going to learn about how a prominent European IT-enabled business services provider, Steria, is leveraging cloud services to manage complexity and deliver better services to customers. Getting more from cloud services seems to be a huge part of the IT landscape these days.

Paul, is that what you are finding -- that the cloud model is starting to impact this whole notion of effective performance across services in total?

Muller: This is a conversation I've been having a lot lately. The word cloud gets thrown around a lot, but when I drill into the topic, I find that customers are really talking about services and integrating different services, whether they are on-premises, in the public cloud arena, or even that gray land, which is called outsourcing. [Follow Paul on Twitter.]

It's the ability to integrate those different supply models -- internal, external, publicly sourced cloud services -- that really differentiates some of the more forward-leaning organizations from those who are still trying to come to grips with what it means to adopt a cloud service.

Gardner: Maybe a year or two ago, we were focused on the "how" with cloud, and now we seem to be moving beyond that to the "what," what you get regardless of how you do it. Does that sound about right?

Muller: You couldn’t have put it better. The way I had it described to me recently is that it’s moving away from talking about the plumbing to talking about what you're trying to produce. That’s really the fundamental change that has occurred in the last 18 months.

Business opportunity

We've all come to realize that cloud isn’t so much a technology issue, as it is a business opportunity. It’s an opportunity to improve agility and responsiveness, while also increasing flexibility of cost models, which is incredibly important, especially given the uncertain economic outlook that not only different countries have, but even different segments within different countries.

Take something like the minerals and resources areas within my own country, which are booming right now. Whereas, if you look at other areas of business, perhaps media, or particularly print media, right now, they're going through the opposite type of revolution. They're trying to work out how to adjust their cost to declining demand.

Gardner: With that, let’s get to our guest. He's been a leading edge adopter for improving IT service delivery for many years, most recently as the IT Service Management (ITSM) Solution Manager at Steria, based near Paris.

Please join me in welcoming Jean-Michel Gatelais. Welcome to BriefingsDirect, Jean-Michel.

Jean-Michel Gatelais: Thank you very much. Yes, at Steria, I'm in charge of the Central ITSM Solution we provide for our customers, and I am in charge of the Global ITSM Program Roadmap, including the ongoing integration from ServiceCenter 6 to Service Manager 9. I'm also responsible for the quality of service that we deliver with this solution, and for the transition of new customers onto this platform.

Gardner: Let’s start at a high level, Jean-Michel. Because you've been doing this for quite some time with a focus on IT service delivery and ITSM, has this changed quite a bit in just the past few years? If so, what’s different now about IT service delivery than just, say, a few years ago?

Gatelais: It has changed a lot. In fact, a few years ago it was something that was very atomic, with different processes and with people running the service with different tools. About three to five years ago, people began to homogenize the processes to run the service, and we saw that in Steria.

In Steria, we bought some companies and we grew. We needed to establish common processes supported by a common platform, and that's what we did with Service Manager. Now, the way we deliver service is much more mature for all the processes and for the ITSM processes.

Gardner: Paul Muller, how does that jibe with what you're seeing? It sounds like he's very representative of the market in total.

Muller: The desire to standardize processes is a really big driver for organizations as they look to improve efficiency and effectiveness. So it's very similar to what we're seeing. In fact, I was going to ask Jean-Michel a question. When you talk about homogenizing processes or improving consistency, how does that help the organization? How does that help Steria and its customers perform better?

IT provider

Gatelais: This allows us to deliver the service, whatever the location or organization, because we're an IT provider. We provide services for our customers that can be offshore, nearshore, in Steria local premises, and even in the client premises. All the common processes and the solution allow us to do this independently of the customer. Today with this process, we're able to run services for more than 200 customers.

Gardner: I suppose we should learn a bit more about Steria. You are primarily in Europe and the UK. Tell us a bit about your business, who your customers are, and perhaps some of the high-level goals and strategies that you're pursuing.

Gatelais: Steria is an IT service provider. We are a little more than 40 years old. Our business is mainly in system integration, application management, business process outsourcing, and infrastructure management services.

We have big customers in all sectors of industry and services, such as the public sector, banking, industry, telecom, and so on. We have customers mainly in France and the UK, but also across the whole of Europe. For example, we have British Telecom, Orange, and the public sector in the UK, with police etc.

Gardner: I see among your services that you are delivering cloud Workplace on Command, for example, Infrastructure On Command. Is this a bigger part of your business now? Do you find that servicing your cloud customers is dominating some of your strategic thinking?

Gatelais: Yes. Actually, it’s growing day after day. We launched our cloud offering about 18 months ago. Now we can say that we have an industrialized solution, allowing our customers to order infrastructure in a couple of minutes. And this is really integrated with the whole service management solution and the underlying infrastructure.

Gardner: I suppose this gets to this self-service mentality that we are seeing, Paul. End users are seeking a self-service type of approach. They know that they can get services quite easily through a variety of consumer-based means. They're looking for similar choice and enablement in their business dealings.

It seems that an organization like Steria is at the forefront of attracting that sense of enablement and empowerment and then delivering it through a cloud infrastructure. They're interesting on two levels: one, they're delivering cloud and enablement, but they are also using cloud to power their own ability to do so.

Muller: I don’t know if Jean-Michel has seen this, but we see almost a contradiction within enterprise users of cloud. We see groups that will quite readily go out and adopt cloud services. The so-called consumerization trend is quite prevalent, especially with what I would describe as simple services. For example, office automation tools, collaboration tools, etcetera.

Yet, simultaneously, we see reluctance sometimes, particularly for the IT organization, to let go and cloud source services and applications. I sometimes refer to them as "application huggers" or "server huggers."

Relinquish control

In other words, if they can’t see it or touch it, they're reluctant to relinquish control. The most fascinating part for me is that you can often find those two behaviors inside the very same organization. Sometimes, the same person can have diametrically opposed views about the respective merits of those two approaches. Does that make sense?

Gardner: We should put the question directly to Jean-Michel. Are you selling and delivering cloud services to the IT department or others? Maybe we could call that shadow IT?

Gatelais: We do both. In fact, the cloud today is used both for internal organizations and also for our customers. Then, setting up the cloud offering requires us to study a business model, to study the way we will sell such a service. For us, at the central level at Steria, there is no difference between internal delivery and delivery for our customers.

Gardner: That’s pretty interesting. Do you find that you've had to tailor your services for those non-IT users? Is there something about billing, invoicing, or self-serve that you've put in place in order to better accommodate the non-IT part of the market?

Gatelais: No. In fact, what we're trying to do is to standardize, as much as possible, the basic offering we propose. On top of that, we have additional requests from our customers. Then, we try to adapt our offering to the specific request.

Providing infrastructure services is not so difficult, but providing platform-as-a-service (PaaS) features can be. Even software as a service (SaaS) can be simpler than PaaS, because you provide some packaged services, startup services, instead of platform services. It’s very consumer specific.

Gardner: So you have the opportunity to go with a fairly standardized approach, but then you can customize on top of that. I'd like to hear some more about your different services. I understand that there’s something called Steria Advanced Remote Services or STARS. How does that fit into the mix, Jean-Michel?

Gatelais: STARS is the ITSM platform Steria rolled out about five years ago, and today this is a framework. It's mainly based on HP products, because it's running on HP Service Manager online, Business Service Manager (BSM), and Operations Orchestration.

We see this platform as a service enabler, both a service support platform and a service enabler, because we use it to manage and activate the services we propose to our customers, including cloud services, security services, and our new offering, Workplace On Command services.

STARS is the solution to manage value-added services Steria is offering to its customers.

Muller: I have a question for Jean-Michel. When a customer thinks about taking services that maybe they used to run internally and moving those services to Steria, how important is it for them to maintain visibility and control, as they are thinking about moving to cloud?

Depends on the customers

Gatelais: It depends on the customers. You have some customers that are ready to use the services you provide on a common environment, but you also have customers requiring more specific solutions that we can give to them. Steria is developing some facilities to roll out and to instantiate the platforms for dedicated environments.

For example, we can deploy and instantiate the STARS solution, with Service Manager in it, when the customer requires it.

Muller: Just following on from that, there's a perception that when you move to cloud services, people don’t really care about visibility, metrics, and service-level reports, because that’s all part of the service-level agreement (SLA). Do you find that customers actually want to see how their service is performing -- what's the availability and level of security? Do they look for that level of reporting from you?

Gatelais: It depends on the customers. Some are really outsourcing the services. They would only complain if they met some problems on the services.

But other customers want to have the visibility on the quality of service that is delivered by Steria. That means that we need to be able to publish the SLA we have for our offering, but also to publish monthly, for example, the key performance indicators (KPIs) of this platform.

Muller: And that is certainly a perfect question, because, Dana, it’s the KPI discussion that is of such great interest to enterprises today.

Gardner: Right, and I'm impressed that Steria can manage this variety and be able to provide to each of these customers what they want on their own terms, which, as you point out, is really what they're calling for.

For you as a provider, that must really amount to quite a bit of complexity. How do you get a handle on that ability to maintain your own profitability while dealing with this level of variability and the different KPIs and giving the visibility to them?

Gatelais: One of the advantages of the cloud structure is that you have to ask these questions in advance. That means that when Steria is designing a new offering, we first design the business model. In fact, that will allow us either to propose some shared services, or for the client that has requested it, some visibility to the services, but based on standard platforms. We try to remain standard in what we propose, and the flexibility is in the configuration of what we propose.

Gardner: How about providing the visibility so that the sense of confidence, which is also so important in these early years of cloud adoption, is maintained? Do you provide specific views, insights, dashboards? What is it that you can provide to your customers so that they feel themselves in control even though they are no longer in a sense running these systems?

Gatelais: We provide the KPIs that are published for the service offering. This will include such information as service availability rates, outage problems, change management, and also activity reporting.

Strategic decisions

Gardner: Let’s look at this for a moment through the eyes of some of your customers, Jean-Michel. They're able to make their own strategic decisions better, knowing what they can do on-premises and what they can do through outsourcing models. They can make determinations about what is core and what’s context for their own capabilities and differentiation. What has that meant for them?

Do you have any anecdotes or insights into some of the benefits to their overall business that they have been able to make, because they can look to an organization like Steria and say, "Here, you do it. We're going to focus on something else?"

Gatelais: Yes. The example I can give is the flexibility the service offering can give to the customers in the software development area.

For example, it allows you to set up some development platforms for a limited period of time, allowing product development. With the service we offer, when the project is finished and you enter into the application management mode, the client is able to say, "I stopped the server." It's backed up, and if six months later the customer wants to develop a new release of this software, then we would restore his environment. In the meantime, he won't have the use of the platform, but he'll be able to continue his development. This is very flexible.

Gardner: Paul, you must be seeing a lot of this: for many adopters, with test and dev and quality assurance, the need for elasticity for those builds and environments around the test and development lifecycle. This sort of provides the killer use case for cloud.

Muller: Yes, but on and off-premises. The interesting part is that the development and test process is such a resource-intensive process, while you are in the middle of that process. But the minute you are done with it, you go from being almost 100 percent busy and consuming 100 percent of the resources, to, in some cases, doing nothing, as Jean-Michel said, for months, possibly, even years, depending on the nature of the project.

The notion of tying all of that capital equipment up and leaving it idle for that period of time is simply not tenable. The idea of moving all of that into a flex up-flex down model is probably one of the single most commonly pursued use cases for both public and private cloud today.

The other one, as Jean-Michel has already spoken to, is that the idea of more discrete services, particularly that of helpdesk, is just going crazy in terms of adoption by customers.

Gardner: Jean-Michel, how about some of the different sectors of the market? Do government clients of yours in Europe and the UK approach this any differently than the private sector? And, do small-to-medium-size businesses (SMBs) seem to be approaching your services or have different requirements than the larger enterprises?

Gatelais: The main difference between government and the private sector is the security issue. Most governments ask for more confidentiality. They're very often reluctant to share their data or their business with others. For such clients, we need to have a dedicated offering.

Dedicated offering

For example, in the UK, a customer from government didn’t want to run their services on shared platforms and asked for a dedicated environment. Because the whole ITSM offering from Steria is running on just one environment, we were able to instantiate such services only for their use.

Muller: That’s an interesting topic right there, Dana. I don’t know whether you're seeing this a lot in your interactions with clients, but the whole idea that cloud is a shared resource pool works brilliantly on paper.

But as Jean-Michel said, practically speaking, for reasons of data sovereignty, for reasons of security, and in some cases for regulatory reasons, the customer will insist that the service be effectively a hosted solution. It’s not that different from almost a traditional outsourcing situation, would you say, Jean-Michel?

Gatelais: Yes.

Gardner: One of the things I am seeing is some of the vision in terms of cloud a few years ago was that one size would fit all, or that it’s cookie cutter, and that there won’t be a need for high variability. But I think what we are actually seeing in practice, and Jean-Michel is certainly highlighting this, is that the KPIs are going to be different for organizations.

There are going to be different requirements for public and private, large and small, jurisdiction by jurisdiction, regulation and compliance. You really need to be able to have the flexibility, not just at the level of infrastructure, but at the level of the types of services, the way that they're built, invoiced, and measured and delivered.

Gatelais: The way we propose the services makes them interesting for small organizations, because they don’t have to heavily invest in solutions, and we're able to propose shared solutions. This is SaaS, this is cloud, and for them it’s very interesting, because it is much cheaper.

Gardner: Well, we are going to be coming close to the end of our time. Jean-Michel, I wonder if you have any thoughts for those who might be embarking on something like a STARS capability.

They will be thinking about what they should put in place in order to accommodate the complexity, the security, being able to have granular services that they can deliver regardless of location to the variety of different types of clients. What do you advise others who would be pursuing a similar objective?

Gatelais: With such offerings you have to design and think much more than before, to think before running out your solution. You need to be clear on what you want to propose to what kind of customers, where is the market, and then to design your offering according to this. Then, build your business model according to those assumptions.

Gardner: In North America, we might say that that’s skating to where the hockey puck is going to be, rather than where it is.

Gatelais: Yes.

KPIs that matter

Muller: A question from me, Dana, for Jean-Michel. Right now, I've got a couple of metrics, a couple of KPIs, that matter to me really deeply. From your perspective, are there one or two KPIs that you're looking at at the moment that either make you really happy or that are a cause for concern for you, as you think about business and delivering your services? What are the KPIs that matter to you?

Gatelais: What is very difficult for new services is to evaluate the actual return on investment (ROI). You can establish a business model, a business plan, to see if you will make some profit with what you will do, but it's much more difficult to evaluate the ROI.

If I don’t buy this service, it would cost me an amount; if I buy this service, okay, it will cost the service fee, but what would I spend next to that. This is very difficult to measure.

Muller: And it's probably one of the most important KPIs in business, wouldn’t you say, Dana?

Gardner: Absolutely, yes.

Gatelais: It may be basic, but you should take the configuration management process. That is very important, even in cloud offerings. It's very difficult to make evident that if you do some configuration management, you will have a higher ROI than if you don’t do it.

Muller: The cost justification of the investment is the challenge?

Gatelais: Exactly. Today, even internally in Steria, it's much more difficult to get approval to develop and to improve configuration management, because people don’t see the interest, as you don’t sell it directly. It's just a medium to improve your service.

Muller: That’s such a good point. And Dana, it's one of the great benefits. This is going to sound a little bit like an infomercial, but it's worth stating. One of the reasons we've been moving so much of our own management software to the cloud is because it's behind the scenes. It's often seen as plumbing, and people are reluctant to invest often in infrastructure and plumbing, until it has proven its benefit.

It's one of the reasons we've moved to a more variable cost model, or at least have made it available for organizations who might want to dip their toe in the water and show some benefits before they invest more heavily over time.

Distinct line

Gardner: Historically, Paul, it's been difficult to draw a distinct line between technology investments and business payoffs and paybacks, even though we have general productivity numbers to support it.

But now, with that greater insight into the management capabilities along the way, when you do everything as a service, you can meter, you can measure, and you can pay as you go. You're really starting to put in place the mechanisms for determining quite distinctly what the payoffs are from investments in IT at that critical business payoff level. So I think that’s a very interesting development in the market.

Muller: The transparency improves, and because you have a variable cost model, it lowers the pain threshold in terms of people being willing to experiment with an idea, see if it works, see if it has that payoff, that ROI. If it doesn’t, stop doing it, and if it does, do more of it. It's really, really very simple.

Gardner: Right, much less of an art and a bit more of a science, but in a good way.

Muller: Absolutely.

Gardner: I'm afraid we are going to have to leave it there. I'd like to thank you all for joining our discussion, and of course, I'd like to thank our supporter for this series, HP Software, and remind our audience that they can carry on this dialogue with Paul Muller through the Discover Performance Group on LinkedIn.

You can also gain more insights and gather more information on the best of IT performance management at www.hp.com/go/discoverperformance.

And with that, please join me in thanking today's guests, our co-host, Chief Evangelist at HP, Paul Muller. Thanks so much, Paul.

Muller: Good talking to you again, Dana.

Gardner: And also a huge thanks to Jean-Michel Gatelais, IT Service Management Solution Manager at Steria, based near Paris. Thanks so much, Jean-Michel.

Gatelais: You're welcome. It was a pleasure.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host, and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Transcript of a sponsored BriefingsDirect podcast on how IT service delivery company Steria standardizes processes in the cloud for improved delivery. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.
