Edited excerpts from a web panel discussion on software assurance, a topic of critical relevance, held in association with CAST Software:
Today, software is taking more and more decisions and even human decisions too are conveyed through and executed through software. Software knows more about the organization than any single individual. Yet, how much does the organization know about the software on which it runs? Knowing the health of the software is a precursor to knowing the health of the organization. In the light of this emerging dependency, Banking Frontiers organized a panel discussion among CIOs of leading BFSI organizations to have a better understanding of the core issues.
With disruptive technologies challenging the traditional banking model, banks and BFSI organizations which used to earlier ride on human knowledge for customer information, are now completely dependent on machines and software. This naturally leads to the question – do these financial entities know their software well?
Though banks and NBFCs have taken the step in the right direction, it is imperative for them to understand the apps and the software. There is also an urgent need for them to understand the extent of personal data that can be stored and shared in such apps and software.
Sunil Jain, Sr VP, Business Systems and Technology at HDFC Life, said: “We are more software dependent, not just for employees, but also for our customers. There are several tools which are available for 360 degree-view of them. We have, in the past, done several exercises, one of which is migrating the entire content to the cloud. That forced us to take a call on some of the old software and retired them.”
KRC Murty, Sr Vice President and Head IT Apps – RTB at Kotak Mahindra Bank supplemented this view: “The software understands the organization better than all the teams managing the software. However, it is not correct to say that the organization does not know the setup and mentality or the expertise and information. Definitely, every organization needs to have visibility of the applications it is running. There are mechanisms in place to see the entire application in a single dashboard.”
Digital transformation or modernization also raises the question of escalating costs and also whether to develop the app in-house or bring third party apps into the system.
Sanjeev Kumar, CTO at Pine Labs elaborated: “For the homegrown software, if something goes wrong, you don’t have anybody else to fix it. In case of third-party software, you need to know what kind of software it is. How much is manageable in-house? How much can be supported in warranties? What is the life cycle? How much control do you have? For this, there has to be process-like software for tracking software. So, you are awa re that a certain software is completing its life cycle. There has to be a matrix for the software itself.”
SOFTWARE INTELLIGENCE
Software monitoring the life cycle or a third party announcing the sunset of a running software is chaotic or triggers the panic button. There are examples in the banking industry – Base24 is one such. That leads us to the critical point of having software intelligence in place.
Nilkant Iyer, Sr VP & Country Manager-India at CAST Software pointed out: “Typically the software intelligence tracks the end life of an application to help mitigate the risks associated with it. What you cannot measure, you cannot improve. So how do you measure different parameters for open source or third-party software, where you have no control on the associated risks? Is there a way to capture vulnerability in that case? Is there a way to measure cloud readiness? Which software to be moved to the cloud? How can I build a strategy, which is agnostic of the cloud provider? We worked on these areas to capture the intelligence metrics to be able to build an ROI to see how systems are now and what it should be in the future.”
The cost of moving and maintaining the cloud is probably higher than on premise. Knowing your software is important and from an organizational perspective, it has to be ideally metrics-driven.
LEGACY SYSTEMS VS MODERNIZATION
Legacy software and legacy platforms have been a bone of contention in various large institutes because these software are used in large size operations with huge business dependency. Organizations, at times, are scared to move from one application to another for the fear of failure. Besides this, scalability, concerns about uptime etc also play a significant role in decision making on modernization.
Mahesh Patel, President at AGS Transact Tech, explained: “A large number of banks are still running on the same solution because that’s the trusted solution for them. A change is possible only if there are upgraded features and projects cost effectiveness. Technologies or platforms have moved to open source or much cheaper systems. Cost is definitely an angle. The question is whether an alternative is available with same stability, scalability and security or not.”
Time taken for decision making, evaluation, and implementation will have a direct effect on the modernization process. KRC Murty opined: “The time taken is humongous. The most critical part is planning and executing. There are many products available. How do you choose the best for the organization? Mostly, the non-critical non-banking database applications are being moved to the cloud. I will not want to move any applications, which have critical client related data, into the cloud as of now because of a) strategy b) regulatory controls. There will always be some applications in an organization, which is a white elephant. There are times when vendors don’t keep up to your expectations, and that is when you know that it is time to move to a new product.”
Added Sunil Jain: “Major transformations need to follow a phased approach. In one of the techniques which we did, we replaced the core services into micro services, and then slowly established it.”
“Source code can capture resiliency of the application, agility, technical debt and cloud readiness. And these are metrics, which are fairly easy to capture. When you marry the facts, the qualitative information enables you to make those decisions. The primary thing is for digital transformation, securing the budgets as the Board may not sanction extra budgets,” explained Nilkant Iyer.
While API gateways allowed organizations to collaborate and helped them to understand new technologies, the industry which drove the core banking systems are now talking about platform banking as the next step.
HOMEGROWN / OUTSOURCED
“Picking up a product and getting it customized to your requirements is the fastest way to implement. In case if you plan to develop an app internally, it is time consuming and by the time you deliver the product, it is already obsolete. This is the reason behind organizations looking for third party apps,” said KRC Murty.
Mahesh Patel was in complete agreement with Murty. “Whenever there is a new requirement, we look at readymade products, which offer scope for customization. In the entire development lifecycle, the most challenging aspect is testing – not just functional testing, but also non-functional testing, which is more important. Through non-functional testing, one can gauge scalability, security and stability.”
The organization requires a clearer picture like an MRI scan of the entire layer of applications to probably fast-track the requirements to be agile and adaptable to the environment. When migrations happen, typically the business wants everything in place at the earliest. At the same time, the tech team is forced to meet the expectation of both business team and the CFO who asks them to keep costs under control.
Nilkant Iyer put forth a key point: “When one buys a software, he would know everything about the financials, the customers and the competition. What they don’t know is tech debt. What are you acquiring in terms of technical liabilities?”
API INTEGRATION
Integration of a new app always had its set of hurdles and concerns attached to it. Especially when it comes to third party API integration, evaluating application resilience is key.
KRC Murty added: “We started the API journey 3 years ago; we have a dedicated website where all partners collaborate with us. We also use some legacy applications. There will always be challenges. You need to work around how to do it. Luckily, we don’t have too much of legacy systems. But there are some products which are not able to keep up with the pace of the current requirements.”
Sanjeev Kumar said: “On the payment side, modernizing the apps includes the services exposing the API, in the UI side consumer apps, merchant apps, etc. This is where most of the changes will lie.”
Getting a total 360-degree macro perspective still remains a wish for all the CIOs or all the technology heads. The clearer the vision is, the easier it becomes to strategize the future moves in the technology space.
It can help the organization reduce the cost and the time taken to implement.
