A Tiger on the Prowl
From CIO Digest, April 2010 Issue
The ramifications of the 2008-09 financial crisis have been far-reaching, and the impact will play out over many years to come. For the financial services sector, the landscape will never look the same—with permanent changes such as the disappearance of institutional stalwarts, extensive consolidation, and new regulations. In addition, repercussions of the financial crisis are creating a geo-power shift from Europe and North America to Asia Pacific.
With firms in Europe and North America overextended and focused on managing down risks rather than capitalizing on their existing investments and expanding into new markets, those in Asia Pacific are faring much better. For example, while the number of banks worldwide will shrink by four percent by 2010, projections for Asia Pacific point to more banks rather than fewer, according to Financial Insights.1
And while a number of financial institutions from Europe and North America are selling their operations and divesting their shareholdings, Asia Pacific firms are becoming more aggressive in pursuing intra-regional opportunities. As a result, new market leaders are emerging in certain parts of Asia Pacific—through both market expansion and mergers and acquisitions. The young tiger has been released, and the Asia Pacific financial services sector will never be the same.
IT portfolio, eye of the tiger
IT is an important underlying enabler of this transformation, and the focus of IT is evolving as part of this process. Increased risk management capabilities and a renewed interest in customer-centric initiatives are prompting IT leaders to recalibrate their priorities and refine their engagement models.
They weathered the 2008-09 storm by “optimizing IT assets, consolidating infrastructure, and focusing on ROI,” according to Cyrus Daruwala, managing director of Asia Pacific for Financial Insights, an IDC company. Rather than cutting back on budgets, many Asia Pacific financial services firms reinvested in their IT organizations. For example, Malaysian financial services leader CIMB Group did not reduce its IT budget during the crisis. “We thought it was the best time to spend on transforming ourselves into a next-generation bank,” says Iswaraan Suppiah, the head of Group Information and Operations. “Our strategic investment in IT put us in a stronger competitive position as the global markets emerge from the financial crisis.”
And now, with the storm clouds dissipating, the priorities for IT organizations are changing. Risk management is at the forefront, with customer-centered initiatives gaining greater focus as IT organizations “gear up for an all-out ‘land grab’ for customers,” observes Financial Insights’ Daruwala. “Everything in 2009 was geared around reducing costs and raising efficiencies,” adds Alex Kwiatkowski, principal analyst, Financial Services Technology, at Ovum, part of the Datamonitor Group. “There are some subtle changes to these priorities in 2010, including a greater focus on customer satisfaction and top-line business issues, particularly in Asia Pacific.”
Focus on the management of risks is prompting IT leaders “to plan for and understand risk outside of their institutions and the sensitivity of their business models to it,” Daruwala explains. Tolerance for risk is significantly less than it was 18 months ago, and information security and compliance have risen to the forefront of priorities for many IT leaders. Risk management is not something that will go away any time in the near future. “I think we’re going to be living with the consequences of the financial crisis for the next three years, possibly the next five years,” Kwiatkowski notes.
Renewed focus on risk mitigation and cross-functional business alignment is sparking further integration of IT and the business. IT leaders are assuming greater P&L responsibilities, and chief financial officers are taking a more pivotal and visible role in plotting IT decisions. “This is changing the KPIs (key performance indicators) of CIOs,” Daruwala says. He goes on to explain that they are now “incentivized on the profitability and growth of each line of business.”
Governance and business process optimization (BPO) are becoming increasingly important in this transition. In particular, business processes for financial institutions become more efficient through BPO and governance models, according to Ovum’s Kwiatkowski. “Risk management and governance cannot exist in pockets and isolation,” he explains. “IT governance, risk management, and compliance have a much more important seat at the table now than before the financial crisis.”
As IT governance and BPO models evolve, “there will be a degree of standardization and automation,” adds Financial Insights’ Daruwala. “Mergers and acquisitions are exacerbating the situation around different systems and formats. Multiple endpoints and exit points, a multitude of standards, and numerous data files and formats are a nightmare for a CIO to manage.”
Business and IT alignment enable customer focus
In its State of the CIO 2010 Report,2 CIO Magazine reports that customer-centric initiatives have surpassed alignment of the business with IT as the number one priority for CIOs. This approach is nothing new to the IT organization at Taipei, Taiwan-based Fubon Financial Holding Company. Thomas Liang, the managing director and CEO at Fubon Bank (Hong Kong), who previously served as the president of Retail Banking at Fubon Financial Holding Company, explains: “IT exists to provide services to customers—both internal and external. And whenever we think about delivering IT services, we always focus on two issues—quality and then total cycle time for services.”
While the focus of attention has become more customer-centric, alignment of IT and business remains the key lynchpin in fulfilling these priorities. To facilitate interaction between the business and IT, Liang created a framework whereby IT relationship managers have counterparts in each of the business units. “I actually copied the idea from IT companies,” Liang quips. The relationship managers then feed business requirements from the business stakeholders back to the IT organization, which relies on cross-fertilization to formulate new IT initiatives, evolve existing IT programs, and establish SLAs with individual business owners.
“Once you have your business roadmap put together, you need to overlay that map onto the existing IT infrastructure and roadmap to develop your IT strategy,” explains Ovum’s Kwiatkowski. This is the approach taken by CIMB’s Suppiah. “As we develop a service-delivery model, we directly work with our different stakeholders to develop SLAs,” he says. “What they really care about is the price at which the service is delivered and whether it meets their requirements. The underlying technology is transparent to them.”
Information security is a key concern
After the events of the past 18 months, information security and compliance have become some of the primary business issues facing IT organizations. Concerns regarding security lapses and lack of trust in compliance with regulatory measures are driving IT to launch new programs around data loss prevention, endpoint security, and compliance reporting and management.
Information security is a top priority for both CIMB Group and Fubon Financial. “We’re talking about the financial data of customers,” Fubon Financial’s Liang says. “Because the financial data of customers is always in purview, information security is more important in financial services versus other industry sectors.”
“Every endpoint carries a risk as well as a reward,” Financial Insights’ Daruwala observes. “Very few financial services firms have cracked the code, understanding who can and cannot access data and what sort of flags should be identified, and those who have done so are succeeding.” Based on these parameters, CIMB has figured out the right combination, implementing an integrated security program that combines endpoint security and encryption, data loss prevention, endpoint management, and messaging security. “It is very important for us to ensure that customer data is well protected and there is no data leakage,” Suppiah says. “We designed and implemented a comprehensive, integrated information security program.”
Something “new” and something “old”
Smaller IT budgets, growing carbon footprints, and limited energy resources are driving IT organizations to look at Green IT, though Asia Pacific, in comparison to Europe and North America, has been slow to the game. An important piece of the larger Green IT puzzle is utility-based computing: everything from virtualization to cloud computing to performance-based outsourcing arrangements. “Utility-based computing provides IT organizations with a means for results-based principles in IT spending,” Ovum’s Kwiatkowski notes. “While social responsibility is a noble aim, it will not be what drives Green IT. The business is what will prompt IT organizations, particularly those in financial services, to embrace Green IT.”
Standardization, consolidation, and virtualization will remain an important part of the vocabulary of IT organizations in the Asia Pacific. “Twenty-five to thirty percent of our RFPs from last year were related [to these areas],” notes Financial Insights’ Daruwala, “and I don’t anticipate this ratio will change in the next couple years.” Indeed, the move toward virtualization is still a work in progress according to Ovum’s Kwiatkowski: “Our research shows that approximately one in four financial services’ institutions in Asia Pacific plan to increase their investments in virtualization in 2010.”
And while still early in the adoption cycle, cloud computing is beginning to gain greater interest in the Asia Pacific, though early adopters are in the minority, with only 11.2 percent claiming to have cloud-based solutions in place.3 And financial services firms are moving even more slowly than their counterparts in other industry segments. Concerns about data security and privacy are inhibiting factors. With this in mind, Fubon Financial’s Liang argues that “it would be prudent for those in financial services to wait for further maturation before moving forward.”
CIMB’s Suppiah indicates they evaluate new technologies and services such as cloud computing through two lenses. The first is data security and confidentiality. The second is system performance. “We are evaluating cloud computing options, and we likely will adopt private clouds initially,” Suppiah says. He cites two areas of primary interest: the ability to do metering and chargebacks to end users, and to provision resources in real time.
Emerging and disruptive technologies are not the only focus of IT organizations, however. “Almost half of the banks globally are waking up to the fact that they have end-of-life systems that were procured 10 or 12 years ago,” says Financial Insights’ Daruwala. And this is just as true for financial services firms in Asia Pacific. “Applications have been patched and enhanced but are no longer able to scale to meet business requirements and need to be replaced,” he says. “The underlying infrastructure such as server and storage management tools and information security will play an important role in this transformation; these will be refreshed at the same time.”
Mapping the new territory
Business priorities are shifting. Market dominance is changing. The old is diminishing and the new is emerging. A young tiger is on the prowl and is in the process of altering the boundaries of the Asia Pacific financial services landscape. Two thousand and ten—the Year of the Tiger4—is poised to become a “Year of Transformation” for many financial institutions in Asia Pacific.
Certainty was affixed to much of the financial landscape prior to the 2008-09 economic crisis. This has been replaced with a spirit of innovation and transformation and changing market boundaries. The old reign has ended, and a new reign has begun.5
1. “Business Strategy Top Ten Strategic IT Initiatives for Asia/Pacific Banks in 2010—Investing for the Comeback,” Financial Insights, January 2010.
2. “2010 State of the CIO Survey,” CIO Magazine, January 2010.
3. “Asia/Pacific End-User Cloud Computing Study,” IDC, January 2009.
4. 2010 is the Year of the Tiger in the Chinese Zodiac Calendar (which consists of 12 different characters).
5. The Chinese character for tiger also denotes king in Chinese.
The “Vedanta” of Business
Iswaraan Suppiah is an avid student of Vedanta, an ancient scientific philosophy that delineates eternal principles of life. At work, he has proven himself to be both an outstanding student and practitioner of business, overseeing operations and IT for Malaysian-based financial services leader CIMB Group.
Responsible for both operations and IT for the consumer and investment banking segments, Suppiah explains there is a significant difference in addressing the needs of both customer bases. “Investment banking is low volume with a high value of transactions,” he says. “Consumer banking is high volume but has relatively low value.” Operational and IT challenges are thus different for each business segment, and Suppiah and his team must account for them—individually and collectively.
He elaborates: “For example, email is not a critical requirement for consumer banking, but it is a business-critical function for the investment bank. When email goes down for the consumer banking staff, the repercussions are less severe. However, if email goes down in the investment bank, we are paralyzed.”
Strategic in-sourcing and outsourcing
When Suppiah was appointed the head of Group Information and Operations in 2005, he led an effort to reevaluate the company’s outsourcing agreement and determined to reconfigure it. Specifically, as the cost of outsourcing of application development and management was not any less than managing it in-house, they opted to bring that IT function in-house while continuing to outsource IT infrastructure management.
“There simply aren’t enough financial services firms from Malaysia that engaged the outsourcing firm, and thus the cost of delivery remained high,” Suppiah notes. “I believe in outsourcing, but it simply didn’t make sense in this case. In addition, we wanted to enhance our ability to address changes in the business to quickly pursue new opportunities.”
Preventing data loss
Suppiah also initiated an annual health check audit when he was named head of Group Information and Operations. “In line with good practices, we engaged one of the large consulting firms to conduct penetration testing and to certify our Internet sites and banking systems each year,” he says. This proactive approach allows the CIMB team to pinpoint areas requiring remediation.
Data loss prevention is one of the key areas the annual health check audit identified as requiring attention. The implications for the commercial and investment banking sides of the house are different. In the case of the commercial bank, breach of customer confidentiality affects brand reputation and diminishes customer confidence. And data loss with the investment bank could have immediate financial implications. “We have price-sensitive information on things such as Initial Public Offerings that could affect the markets,” Suppiah explains.
With these business issues in mind, Suppiah and his IT team oversaw an effort to select and implement a data loss prevention program last year. “In addition to supporting an inventory of different policies, we sought an unobtrusive solution with minimal impact to end users,” Suppiah says. After evaluating several different solutions, Suppiah and his team elected to deploy Symantec Data Loss Prevention. They began with a risk assessment of their environment conducted by Symantec Consulting Services. “It allowed us to see what type of data we have, what was being transferred, and the different connecting points between each data transfer,” Suppiah observes.
After settling on Symantec Data Loss Prevention as the basis for the solution, the CIMB team completed a proof of concept and then worked with Symantec Consulting Services to identify and define the policies for discovery, monitoring, management, and enforcement—for both data at rest and in motion. The team was able to leverage the built-in policy templates in Symantec Data Loss Prevention to expedite time to deployment. Implementation began with the discovery module, and the IT team is in the midst of adding monitoring, management, and enforcement modules.
Returns on endpoint security
Data encryption was also an issue Suppiah and his team sought to address. “We have a number of users who are mobile,” he reports, “and this added risk and complexity in protecting data. We sought a solution that would encrypt data at the source while running seamlessly in the background with minimal impact to end users.” They ultimately chose Symantec Endpoint Encryption and are in the midst of rolling it out, initially targeting hard drives of all laptops.
Proliferation of endpoints and managing security on each endpoint are significant challenges for an organization the size of CIMB—with more than 36,000 staff and hundreds of servers. “We wanted a solution that would be easy to manage and selected Symantec Endpoint Protection,” Suppiah says. “The centralized console provides us with the ability to quickly troubleshoot issues and remediate security issues.” The team relies on antivirus and antispyware across all of their clients and data center servers and selectively uses intrusion prevention and personal firewall, depending on the risk profile of the endpoint in question.
Managing endpoints—from clients to the data center
The CIMB team recently deployed an HP-based thin client solution that dramatically reduced energy consumption and corresponding heat generation for 963 clients. And to manage provisioning and patching across the different backend servers, they rely on Altiris Server Management Suite. “We’re able to manage our thin clients centrally, which enhances security and streamlines operational efficiencies,” Suppiah says.
The IT team is also in the process of implementing Altiris Client Management Suite to manage patching and provisioning across all of their clients. The integration points with their Symantec Endpoint Protection deployment will allow them to gain even tighter control of their endpoints.
Investing in messaging security consolidation
CIMB previously had a blended messaging security solution consisting of multiple products. However, it was time consuming to manage, was not catching all of the incoming spam and malware, and was producing too many false positives. “We also had a requirement for multiple language support, as we conduct operations in 11 different countries, many of which speak different languages,” Suppiah says.
After evaluating several different solutions, Suppiah and his team opted to standardize messaging security on Symantec Brightmail Gateway 8300 appliances. The results were impressive. IT staff recaptured valuable time previously spent helping end users to address email spam- and malware-related issues, email storage requirements were reduced, and the productivity of end users was enhanced, as they spend less time dealing with spam. In addition, the CIMB IT team shaved the amount of time they spend managing messaging security while cutting their messaging security infrastructure costs.
Integration of the different security solutions from Symantec provides CIMB with extended functionality. For example, using Data Loss Prevention and the Brightmail Gateway appliances, the CIMB IT team is able to flag outgoing email that violates the data policies they identified with different business owners and then encrypt the email using Endpoint Encryption, or even stop the email altogether if needed.
“Project One” Enlists Passion and Dedication
The history of Fubon Financial Holding Company is filled with passion and dedication. Born in 1961 as Cathay Insurance, the first private property and casualty insurance company in Taiwan, Fubon Financial has evolved and grown into a market leader through unwavering passion and dedication. These two characteristics underpin Thomas Liang’s career. “My teams and I have succeeded over the years because of immense passion and dedication,” he says. Indeed, these largely intangible traits are essential ingredients for success—whether for individuals or organizations. With this framework as a professional lens, Liang, who previously served as the president of Retail Banking at Fubon Financial Holding Company and is currently the managing director and CEO at Fubon Bank (Hong Kong), has spearheaded initiatives in consecutive positions in IT and operations at Citibank and most recently Fubon Financial Holding Company. Some of these, such as his involvement in “Project One,” have had far-reaching impact.
Formally launched in September 2005, Project One was a corporate reengineering campaign. It reconfigured the company into six major groups: Corporate & Investment Banking, Financial Markets, Consumer Finance, Wealth Management, Investment Management, and Insurance. A Corporate Center and IT Operations Division was subsequently established in 2007 to incorporate the management, information, and operations units of the company’s subsidiaries. Project One consisted of three phases: restructuring based on function and personnel; formulation of a standard operating procedure; and establishment of a governance model for managing work-in-progress.
As part of this corporate initiative, the IT organization was given the charter to consolidate the IT infrastructure and systems for eight major subsidiaries into one integrated entity. “The advantages boiled down to operational efficiencies—one infrastructure and set of applications versus eight—and the ability to share resources across the entire IT organization,” Liang says. Customers—internal and external—form the basis of measurements for the Fubon Financial IT team: the first measure is quality, and the second is the cycle time for services.
The IT Operations team, formed as part of Project One, was comprised of four groups: core business applications, application integration, organization efficiency, and technical support. “We determined that technology standardization should be at the core of our efforts,” Liang says. “We prioritized different IT functional areas and pinpointed data center infrastructure software and information security as two of the top priorities.”
Optimizing data center operations
Optimization of the data center encompassed a number of different initiatives. “In general, we sought to implement a common toolset,” Liang says. Heterogeneous support was critical, as Fubon Financial maintains a diverse server, storage, and application environment.
Symantec storage management and high availability technologies played a role on several different fronts for Liang and his team. Historically, the IT team used a variety of different software tools for backup and recovery. In late 2004, they consolidated data protection for the company’s Microsoft Windows, UNIX (HP-UX, IBM AIX, and Sun Solaris), and Red Hat Enterprise Linux server environments running a number of different database technologies onto Symantec NetBackup. Data integrity was a principal concern for Liang and his team. Backups had been inconsistent and unreliable, with as many as 50 percent of data center servers not backed up on a given night.
In addition to rectifying the issues with backup failures, Liang and his team have a next-generation solution that is scaling to support growing backup volumes, which burgeoned from 5.5 terabytes in 2004 to 53.5 terabytes in 2009. And despite this rapid growth, the Fubon Financial IT team has been able to avoid adding more backup administrators.
At about the same time as the NetBackup implementation, Liang and his team added Veritas Storage Foundation for Oracle RAC—initially for its Sun Solaris-based environment in 2004 and then its HP Integrity Superdome environment in early 2007. This removed input-output bottlenecks and thus improved system performance. For file system and volume management of its different UNIX platforms, the team added Veritas Storage Foundation HA. The solution shaved 20 percent off the time required to manage storage volumes, saving 2,300 hours of staff time annually.
In conjunction with the Storage Foundation HA deployment, the team rolled out Veritas Cluster Server for high-availability clustering on business-critical servers. Then, seeking to address the time required to recover servers, the team added Symantec Backup Exec System Recovery, which cut the time required to recover servers by nearly 350 hours annually. The benefits also extend to system downtime, as servers can be reimaged in as little as 10 minutes, compared to up to four hours with the prior solution.
Demarcating the security roadmap
For security, the team began work on ISO 27001 certification in late 2006 and created a three-stage information security roadmap to guide the certification process. The initial stage involved the establishment of a single security policy across the entire holding company and all of its divisions. Liang and his team then identified 18 methods and from those created approximately 500 different standard operating procedures. The latter included issues such as processes for open system patch management. On a similar note, ISO 27001 certification was broken into two phases: the first phase addressed the data center, which was completed in March 2007, and the second phase encompasses the entire computing environment, which was completed in March 2009.
Fubon Financial’s relationship with Symantec dates back to 2001 when the IT team rolled out an endpoint security solution from Symantec. The team subsequently extended its security investment with Symantec when they added Symantec Enterprise Security Manager and Symantec Security Information Manager for security management. Seeking to gain a better understanding of the IT infrastructure and security policies, a joint team from Symantec Consulting Services, IBM, and Fubon Financial developed a Symantec Security Blueprint; it served as a guide in the development of an overall data center security strategy.
To guard key system processes by controlling access to systems and files on business-critical servers in the data center, the IT team added Symantec Critical System Protection. In addition, as part of the process of converting its ATM network to standards-based Internet Protocol (IP) devices, the Fubon Financial team extended Critical System Protection to approximately 1,400 ATM machines.
For messaging security, the IT team standardized on Symantec Brightmail Gateway appliances for incoming and outgoing mail. In excess of 99.9 percent of incoming spam is now blocked, saving more than $70,000 USD in storage annually. And end users have gained back an average of 15 minutes of time each day previously spent deleting spam from their inboxes.
Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and The Confident SMB and author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.