Thursday, April 2, 2015

Strategic IT Transformation at Accenture Case Analysis

1.           Case Name: Strategic IT Transformation at Accenture
2.           Problem Statement
        The main problem of the case is:
         When Accenture split from Arthur Andersen in 2001 and wanted to build its IT infrastructure, whether it
·         Should continue managing IT platforms with a decentralized approach or take a mixed or a centralized approach?
·         Should retain its conception of IT as a cost center or should it regard IT as a service provision center?
3.           Background
a.            Describe the company/department
1)           History
      i   Accenture, previously called Andersen Consulting, was formed when the Arthur Andersen accounting firm split into two separate entities.
        ii  At its inception in 2001, Accenture was a large organization with 75000 employees, 50 offices around the world and 11 billion in revenues.
2)           Conditions
        i  Prior to 2001, technology platforms were managed with a decentralized approach: divisions in each country chose their own IT systems and had the autonomy to run them.
        ii   75% of Accenture’s employees work outside Accenture offices, mainly at client locations.
       iii  IT infrastructure is key to the global integration of Accenture.
      iv   Internal IT systems are treated as cost centers with an assigned budget. They are largely run by tech-savvy engineers with little management involvement.
     v    IT expenditures are prioritized based on the rank of the stakeholders, and few minor decisions were made by offices in different countries with little input from firm-wide experts.
     vi      Arthur Andersen’s legacy systems do not interconnect readily and cannot be accessed through the internet. Expensive networks are needed to interconnect the various systems, and data from various offices sometimes had to be compiled manually to aggregate it.
    vii  It was very complex to get the whole organization’s status because of the individual accounting and HR systems in the Andersen offices around the world.
4.           Issues faced by Accenture
     Issue #1: Opting for “best-of-breed” approach or “one-platform” approach
          Issue #2: Forming a centralized, single system approach
          Issue #3: Managing applications
5.           Strategy followed by Accenture in resolving these issues:
   a.     Changing its IT Philosophy/ IT management’s new vision:
     i   Accenture’s IT management followed a different approach of considering IT as a business within a business rather than a cost center.
   ii   They designed IT in such a way that the products and services will be
 iii  Created and developed IT tools that provide different levels of services for a particular technology.
  iv  They monitored prices with third-party providers to ensure that IT services were delivered at a fair price and at a world-class level.
  v      IT spending was determined by a panel of C-level executives from different realms of the business.
b.           Best-of-breed vs One-platform
1)           Best-of-breed strategy:
    i       Strengths:
        (i)          Would acquire best available tools in the market
       (ii)        Would make internal stakeholders very happy
      (iii)      Would provide more in-depth knowledge than peer applications
      (iv)      Companies which provide applications can incorporate latest technology and process trends
   ii             Weakness:
       (i)          Ends up with a variety of applications that do not necessarily “communicate with each other”
      (ii)        Not cost-effective
     (iii)      Requires multiple specialists which increases the training costs and IT personnel count
     (iv)      Might affect the ability to consolidate and share information
      (v)        Might cause costly maintenance issues and staffing issues
2)           One-platform approach:
    i    Strengths:
      (i)          Applications will be compatible with one another and allow seamless flow in real time
      (ii)        Resolves the problem of Pareto effect
    (iii)      Possibility to extract best terms in license agreements and have deeper discounts for cost-effectiveness
     (iv)      Effectively operate with less IT staff, reducing training costs
      (v)        Leveraging economies of scale through the establishment of global support centers
ii             Weakness:          
      (i)          The acquired applications might not necessarily be best in class
     (ii)        Might lower the negotiating power of Accenture
    (iii)      If the vendor is not financially strong, Accenture can have a risk of vendor failure.
Conclusion: They analyzed the pros and cons of both the approaches and finally chose the one-platform approach.
3)           Managing Applications: 
They believed that having a single platform and common global applications would help reduce overall expenditures and allow for flexibility and scalability
   i      To run most of the back-end operations and to provide basic communication, Accenture chose Microsoft as a partner.
  ii     Accenture chose SAP as its worldwide application provider for financial and human resources solutions.
  iii      Accenture chose HP for its computers and servers and Cisco for its network-related equipment
4)           Leveraging Global Presence/ Outsourcing:
   i   Accenture placed 68% of its IT staff in lower-cost regions such as India, China and Latin America
  ii They also shifted to a core-light personnel strategy, with only 14% of Accenture’s IT staff working directly and the remaining 86% through the GDN and IO groups
 iii Accenture outsourced data-center management, storage, hardware maintenance and the development of most of its IT applications
   iv    Project management and functionality guidance were maintained in-house
   v    Accenture decided to outsource its data storage and backup needs and to appoint a third party to run its network infrastructure
Conclusion: They followed a centralized approach and managed everything globally. They also made successful use of their global presence by moving various activities to different countries to reduce costs.
5)           Big-Bang, Single Instance Approach:
    i     Accenture identified two principles in implementing this single-platform application, which are
        ·         Implementing upgrades on a mission-critical basis.
       ·      Ensuring that the right projects were taken on at the right time through an approval process driven by ROI and business benefits
   ii     They chose SAP’s business technology for their finance management to manage its 200 different financial applications.
  iii They implemented SAP using Microsoft technologies and reduced technology costs and gained better integration across its financial environment
6.           Conclusion:
Accenture’s new strategy is a success and was quite logical at every level. The management team of Accenture focused highly on their important customers and their applications. They considered the split from Arthur Andersen as an opportunity to improve the company technologically and in a collaborative way. The company mainly reduced its costs while improving its profits and customer satisfaction.


I wouldn’t give any new recommendations as the approach seems correct and was fairly successful. 

Tuesday, March 18, 2014

SECURITY BREACH AT TJX - Analysis

Problem Statement

 The main problem of the case is:
·         How should TJX improve and strengthen its IT security? What should be its short-term and long-term goals in order to achieve this goal of strengthening its IT security?
In order to solve this problem, TJX should identify and solve the following issues:
·         What are the people, work processes and technology failure points that require attention?
·    What practices led to the security breach in TJX and why did such a smart and profitable organization as TJX face such a situation?
·         Was TJX a victim of ingenious cyber crooks or did it create risk by cutting corners?

 Background

        a.     Describe the company/department

            History

    1. TJX was the largest apparel and home fashion retailer in the United States in the off-price segment and was ranked 138th among Fortune 500 companies in 2006.
    2. TJX sold branded apparel at prices 20 to 70% lower than department or specialty stores.
    3. TJX has eight independent businesses under a common umbrella. They had over 2400 stores and about 125,000 associates.

           Conditions

    1. Operational efficiency, vendor relationships and scale, which are crucial to an off-price store, are well maintained in TJX.
    2. Quality of internal IT systems was crucial to maintain margins and to stay competitive.
    3.  IT systems help TJX connect people, places and information in the value chain.
    4. TJX buys merchandise from manufacturers throughout the year irrespective of seasonality and trends.

 Strengths

    1. Vendors, buyers, merchandisers, customers, store associates and financial institutions are well connected through TJX’s IT networks.
    2. In-store technologies such as kiosks and hand-held price/inventory barcode helped in their customer services and differentiated them from their competitors.
    3. They have also invested in CRM to increase revenues by targeting most profitable customers.

            Weaknesses

    1. Measured against PCI DSS, TJX had not met nine of the twelve requirements covering encryption, access controls and firewalls.
    2. Their auditors failed to identify three key problems with TJX systems, i.e. absence of network monitoring, absence of logs and presence of unencrypted data stored on their systems.
    3. TJX retained customer data for years after it should have been purged.
    4. TJX did not have a CSO until 2006, which indicates a low sense of responsibility towards its IT security.

            Storage Systems:

    1. TJX currently has two main storage systems, i.e. the Framingham system and the Watford system.
    2. The Watford system processed and stored information related to payment card transactions at T.J. Maxx in the UK and Ireland. The Framingham system processed and stored information pertaining to debit and credit card transactions of customers from all the other locations.
    3. TJX stored driver’s license numbers and ID numbers such as SSNs, along with the names and addresses of customers who had returned goods.

               Financial Losses and related remedies:

    1. TJX had booked a cost of $168 million for the data breach it had announced in February 2007.
    2. $21 million is projected as a possible hit for 2008.
    3. Three years of credit monitoring and identity theft insurance coverage for all the customers, whose identification information was compromised.
    4. Offer vouchers to customers who shopped at TJX during security violation and who had incurred certain costs as a result of intrusion.

b.    Describe the industry situation

           Customers

    1.  Many customers use credit and debit cards for their shopping.
    2. Customers take security issues very seriously and file class actions in the court against the company in any such critical situations.

           Traditional Competitors

    1. Department and specialty stores.

            Opportunities

    1. Strong customer base and loyalty.
    2. The availability and feasibility of IT systems helped the rapid delivery of data, facilitating quick decisions at different levels.
    3. CRM technologies helped retailers in increasing their revenues through focusing on most profitable customers.

                  Threats

    1.  Security intrusions could lead to heavy loss to the company.
    2. Customer loyalty is a driving force for profits and any security breaches would create a huge impact on it.
    3. Wireless is a popular means of attacking retail chains.

Key Issues

   a.            Issue #1: Cause of technology Failures and computer intrusions.

            Sub issue: Wireless attacks

   b.           Issue #2: Identifying the issues/ drawbacks related to work processes.

   c.            Issue #3: Increasing the awareness of employees towards these security violations.

            Sub Issue: Digital Eavesdropping

 Relevant Areas, Facts, Conclusions

   a.            Relevant areas for Issue #1

      1)           Encryption Techniques

    1. The encryption algorithm (WEP) used by TJX is very weak. WEP decryption is available online via simple Google searches.
    2. The thieves also recognized a window of time in which the credit card numbers are decrypted and, during that window of less than a second, captured all the required data.

              Conclusion: TJX had an encryption system which is outdated and is prone to security risks.

      2)           Wireless Attacks

    1. Thieves used telescope-shaped antennas and decoded data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers.
    2. They also captured the IP addresses, captured lots of data and used that data to crack the encryption code.

          Conclusion: Even though wireless is known as a popular means of attack, TJX has not taken proper precautions to make its security systems strong.

   b.           Relevant areas for Issue #2

      1)           USB drives at in-store kiosks:

    1. The people behind the breach started with the in-store kiosks.
    2. They opened the back of those terminals and used USB drives to load software. They turned these computer kiosks into remote terminals that connected into TJX’s networks.
    3. Mainly, the firewalls were not set up to defend against traffic coming from the kiosks.

           Conclusion:  TJX has not firewalled all the devices that are connected to their network.

      2)        Processing Logs:

    1. TJX did not maintain any log data of their customer transactions, which was crucial for identifying the number of cards at risk.
    2. These logs usually provide information about files on the system, when they had been added, changed, accessed, the format of contents and so on.

         Conclusion: Logs are very important to track any previous transactions and TJX has not taken care to monitor them properly.

      3)           Compliance and auditing Practices

    1. Court documents showed that TJX had not met nine of the dozen requirements covering encryption, access controls and firewalls.
    2. The auditors failed to note three main issues, i.e. absence of network monitoring, absence of logs and presence of unencrypted data.
    3. TJX also retained its customer data for years after it should have been purged.

       Conclusion: TJX’s auditing team performed very poorly, as it failed to catch the major issues present at TJX.

   c.            Relevant areas for Issue #3

      1)           Digital Eavesdropping

    1. The hackers digitally eavesdropped on employees logging into TJX’s central database.
    2. They used these details to create their own accounts and were also able to access TJX systems from any computer on the internet

         Conclusion: TJX has not educated its employees regarding security violations and has also not monitored them.

Recommendations

   a.         Recommendations for Issue #1:

    1. TJX should improve its encryption techniques and test them under various circumstances. TJX should engage companies that specialize in encrypting data and completely overhaul its current techniques.
    2. They should firewall their wireless networks properly and monitor them for any external intrusions.

  b.     Recommendation for Issue #2:

    1. TJX should make sure that all the devices connected to their main network, especially their in-store kiosks, are firewalled and monitored regularly.
    2. TJX should log all the transactions happening in their stores and save them into their databases with proper authentication.
    3. TJX should delete all unneeded data and make sure that it complies with the PCI DSS standards.

  c.    Recommendation for Issue #3: TJX should train its employees regarding security violations and monitor them so that none of their credentials are leaked outside TJX. They should also employ a proper IT security team and monitor their traffic regularly.


    d.           In the short term, TJX should eliminate all the issues pertaining to their IT security, and in the long term, they should regain their customers’ confidence and make sure that their IT systems are working properly, firewalled and reliable for any customer transactions.
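
One way to audit for two of the findings above, unencrypted card data at rest and records kept past their purge date, is sketched here as an added example that is not part of the original analysis. The 18-month retention window, the audit date, the record layout and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

RETENTION = timedelta(days=548)   # assumed 18-month policy; not stated on the page
AUDIT_DATE = date(2007, 2, 1)     # constructed audit date
# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return masked (first 6 / last 4) card numbers found in clear text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def audit(records, today=AUDIT_DATE):
    """Flag records holding clear-text PANs or kept past the retention window."""
    findings = []
    for rec in records:
        reasons = ["cleartext PAN " + p for p in find_pans(rec["payload"])]
        if today - rec["created"] > RETENTION:
            reasons.append("past retention")
        if reasons:
            findings.append((rec["id"], reasons))
    return findings

# Constructed sample records; the card numbers are public test numbers.
SAMPLE = [
    {"id": "r1", "created": date(2003, 5, 1), "payload": "return; card 4111 1111 1111 1111"},
    {"id": "r2", "created": date(2006, 11, 20), "payload": "sale; token tok_9f2c; amount 31.50"},
    {"id": "r3", "created": date(2006, 12, 2), "payload": "sale; order 1234567890123456"},
    {"id": "r4", "created": date(2004, 1, 10), "payload": "return; receipt 88213"},
    {"id": "r5", "created": date(2007, 1, 5), "payload": "sale; card 5500-0000-0000-0004"},
]

if __name__ == "__main__":
    for rec_id, reasons in audit(SAMPLE):
        print(rec_id, "; ".join(reasons))
```

The findings are reported with masked numbers so that the audit output does not itself become a store of card data.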