Build an Information Security Strategy

Create value by aligning your strategy to business goals and business risks.

Analyst Perspective

Set your security strategy up for success.

“Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders.

Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”

Kevin Peuhkurinen

Research Director – Security, Risk & Compliance

Info-Tech Research Group

Executive summary

Your Challenge

• Many security leaders struggle to decide how best to prioritize their scarce information security resources.
• The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

Common Obstacle

• Developing a security strategy can be challenging. Complications include:
  • Performing an accurate assessment of your current security program can be extremely difficult when you don’t know what to assess or how.
  • Determining the appropriate target state for security can be even more challenging. A strategy built around following best practices is unlikely to garner significant support from business stakeholders.

Info-Tech’s Approach

• Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.
• This unique approach includes tools for:
  • Ensuring alignment with business objectives.
  • Assessing organizational risk and stakeholder expectations.
  • Enabling a comprehensive current state assessment.
  • Prioritizing initiatives and building out a security roadmap.

Info-Tech Insight

The most successful information security strategies are:

• Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
• Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
• Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.

It’s not a matter of if you have a security incident, but when

Organizations need to prepare and expect the inevitable security breach.

Fifty-eight percent of companies surveyed that experienced a breach were small businesses.

Eighty-nine percent of breaches have a financial or espionage motive.

Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

An information security strategy can help you prepare for incidents

Organizations need to expect the inevitable security breach.

90%

of businesses have experienced an external threat in the last year.

50%

of IT professionals consider security to be their number one priority.

53%

of organizations claimed to have experienced an insider attack in the previous 12 months. ¹

46%

of businesses believe the frequency of attacks is increasing. ²

Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

Sources: 1 Kaspersky Lab, “Global IT Security Risks Survey”; 2 CA Technologies, “Insider Threat 2018 Report”

Persistent Issues

Evolving Ransomware

• Continual changes in types and platforms make ransomware a persistent threat. The frequency of ransomware attacks was reported to have increased by 67% in the past five years. ¹

Phishing Attacks

• Despite filtering and awareness, email remains the most common threat vector for phishing attacks (94%) and an average of 3% of participants in phishing campaigns still click on them. ²

Insider Privilege and Misuse

• Typically, 34% of breaches are perpetrated by insiders, with 15% involving privilege misuse. Takeaway: Care less about titles and more about access levels. ³

Denial of Service

• The median amount of time that an organization is under attack from DDoS attack is three days.

Emerging Trends

Advanced Identity and Access Governance

• Using emerging technologies in automation, orchestration, and machine learning, the management and governance of identities and access has become more advanced.

Sources: ¹ Accenture, “2019 The Cost of Cyber Crime Study”; ^2,3 Verizon, “2019 Data Breach Investigations Report”

New threat trends in information security aren’t new.

Previously understood attacks are simply an evolution of prior implementations, not a revolution.

Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

Cyberattacks have a significant financial impact

Global average cost of a data breach: $3.92 Million

Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

Primary incident type (with a confirmed data breach)

1. Leading incident type is Denial of Service attacks (DoS), taking up to 70% of all incidents.
2. When it comes to data breaches, we see that the use of stolen credentials leads to the most cases of confirmed breaches, accounting for 29%.

Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.

Source: Verizon, “2019 Data Breach Investigations Report”

Security threats are not going away

We continue to see and hear of security breaches occurring regularly.

An attacker must be successful only once. The defender – you – must be successful every time.

Info-Tech’s approach

Maturing from reactive to strategic information security

Indicates Info-Tech tools included in this blueprint.

The Info-Tech difference:

1. A proven, structured approach to mature your information security program from reactive to strategic.
2. A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

Info-Tech’s Security Strategy Model

The Info-Tech difference:

An information security strategy model that is:

1. Business-Aligned. Determines business context and cascades enterprise goals into security alignment goals.
2. Risk-Aware. Understands the security risks of the business and how they intersect with the overall organizational risk tolerance.
3. Holistic. Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities.

Info-Tech’s best-of-breed security framework

Info-Tech’s approach

Creating an information security strategy

The Info-Tech difference:

Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.

• Dive deep into security obligations and security pressures to define the business context.
• Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
• Prioritize gap-closing initiatives to create a living security strategy roadmap.

Use Info-Tech’s blueprint to save one to three months

Iterative benefit

Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve but with less associated effort, time, and costs.

These estimates are based on experiences with Info-Tech clients throughout the creation of this blueprint.

Key deliverable:

Information Security Strategy Communication Deck (PPT)

Present your findings in a prepopulated document that can summarizes all key findings of the blueprint.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Information Security Requirements Gathering Tool

Define the business, customer, and compliance alignment for your security program.

Information Security Pressure Analysis Tool

Determine your organization’s security pressures and ability to tolerate risk.

Information Security Program Gap Analysis Tool

Use our best-of-breed security framework to perform a gap analysis between your current and target states.

Information Security Charter

Ensure the development and management of your security policies meet the broader program vision.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostic and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical Guided Implementation on this topic look like?

Guided Implementation #1 - Assess security requirements

• Call #1 - Introduce project and complete pressure analysis.

Guided Implementation #2 - Build a gap initiative strategy

• Call #1 - Introduce the maturity assessment.
• Call #2 - Perform gap analysis and translate into initiatives.
• Call #3 - Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.

Guided Implementation #3 - Prioritize initiatives and build roadmap

• Call #1 - Review cost/benefit analysis and build an effort map.
• Call #2 - Build implementation waves and introduce Gantt chart.

Guided Implementation #4 - Execute and maintain

• Call #1 - Review Gantt chart and ensure budget/buy-in support.
• Call #2 - Three-month check-in: Execute and maintain.

A Guided Implementation is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical Guided Implementation is between 2-12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information, or contact workshops@infotech.com or 1-888-670-8889.

Executive Brief Case Study

Credit Service Company

Industry: Financial Services

Source: Info-Tech Research group

Founded over 100 years ago, Credit Service Company (CSC)^* operates in the United States with over 40 branches located across four states. The organization services over 50,000 clients.

Situation

Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.

Solution

During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.

Results

Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.

^*Some details have been changed for client privacy.

Phase 1

Assess Security Requirements

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

1.1 Define goals and scope of the security strategy.

1.2 Assess your organization’s current inherent security risks.

1.3 Determine your organization’s stakeholder pressures for security.

1.4 Determine your organization’s risk tolerance.

1.5 Establish your security target state.

1.1.1 Record your business goals

Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

1. Record your identified primary and secondary business goals in the Goals Cascade tab of the Information Security Requirements Gathering Tool.

Use the drop-down lists to select an appropriate goal or choose “Other.” If you do choose “Other,” you will need to manually enter an appropriate business goal.

2. For each of your business goals, select one to two security alignment goals. The tool will provide you with recommendations, but you can override these by selecting a different goal from the drop-down lists.

A common challenge for security leaders is how to express their initiatives in terms that are meaningful to business executives. This exercise helps to make an explicit link between what the business cares about and what security is trying to accomplish.

1.1.2 Review your goals cascade

Estimated Time: 15 minutes

1. When you have completed the goals cascade, you can review a graphic diagram that illustrates your goals. The graphic is found on the Results tab of the Information Security Requirements Gathering Tool.
   • Security must support the primary business objectives. A strong security program will enable the business to compete in new and creative ways, rather than simply acting as an obstacle.
   • Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and the organization’s bottom line.
2. Once you have reviewed the diagram, copy it into the Information Security Strategy Communication Deck.

Identify your compliance obligations

Most conventional regulatory obligations are legally mandated legislation or compliance obligations, such as:

Sarbanes-Oxley Act (SOX)

Applies to public companies that have registered equity or debt securities within the SEC to guarantee data integrity against financial fraud.

Payment Card Industry Data Security Standard (PCI DSS)

Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected.

Health Insurance Portability and Accountability Act (HIPAA)

Applies to the healthcare sector and protects the privacy of individually identifiable healthcare information.

Health Information Technology for Economic and Clinical Health (HITECH)

Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA.

Personal Information Protection and Electronic Documents Act (PIPEDA)

Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business.

Compliance obligations also extend to voluntary security frameworks:

NIST

National Institute of Standards and Technology; a non-regulatory agency that develops and publicizes measurement

CIS – 20 CSC

Center for Internet Security – 20 Critical Security Controls; foundational set of effective cybersecurity practices.

ISO 27001

An information security management system framework outlining policies and procedures.

COBIT 5

An information technology and management and governance framework.

HITRUST

A common security framework for organizations that use or hold regulated personal health information.

1.1.3 Record your compliance obligations

Estimated Time: 30 minutes

1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   • Laws
   • Government regulations
   • Industry standards
   • Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your security strategy, include only those that have information security or privacy requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Information Security Requirements Gathering Tool.

Establish your scope and boundaries

It is important to know at the outset of the strategy: what are we trying to secure?

This includes physical areas we are responsible for, types of data we care about, and departments or IT systems we are responsible for.

This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

Physical Scope and Boundaries

• How many offices and locations does your organization have?
• Which locations/offices will be covered by your information security management system (ISMS)?
• How sensitive is the data residing at each location?
• You may have many physical locations, and it is not necessary to list every one. Rather, list exceptional cases that are specifically in or out of scope.

IT Systems Scope and Boundaries

• There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Does your ISMS need to secure all your programs or a select few?
• Is the system owned or outsourced?
• Where are we accountable for security?
• How sensitive is the data that each system handles?

Organizational Scope and Boundaries

• Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. Operations) not need any security coverage?
• Do you have the ability to make security decisions for each department?
• Who are the key stakeholders/data owners for each department?

Organizational scope considerations

Many different groups will fall within the purview of the security strategy. Consider these two main points when deciding which departments will be in scope:

1. If a group/user has access to data or systems that can impact the organization, then securing that group/user should be included within scope of the security strategy.
2. If your organization provides some work direction to a group/user, they should be included within scope of the security strategy.

1. Identify your departments and business groups
   • Start by identifying departments that provide some essential input or service to the organization or departments that interact with sensitive data.
2. Break out different subsidiaries or divisions
   • Subsidiaries may or may not be responsible for securing themselves and protecting their data, but either way they are often heavily reliant on corporate for guidance and share IT resourcing support.
3. Identify user groups
   • Many user groups exist, all requiring different levels of security. For example, from on-premises to remote access, from full-time employees to part-time or contractors.

Physical scope considerations

List physical locations by type

Offices

The primary location(s) where business operations are carried out. Usually leased or owned by the business.

Regional Offices

These are secondary offices that can be normal business offices or home offices. These locations will have a VPN connection and some sort of tenant.

Co-Locations

These are redundant data center sites set up for additional space, equipment, and bandwidth.

Remote Access

This includes all remaining instances of employees or contractors using a VPN to connect.

Clients and Vendors

Various vendors and clients have dedicated VPN connections that will have some control over infrastructure (whether owed/laaS/other).

List physical locations by nature of the location

Core areas within physical scope

These are many physical locations that are directly managed. These are high-risk locations with many personal and services, resulting in many possible vulnerabilities and attack vectors.

Locations on the edge of control

These are on the edge of the physical scope, and thus, in scope of the security strategy. These include remote locations, remote access connections, etc.

Third-party connections

Networks of third-party users are within physical scope and need defined security requirements and definitions of how this varies per user.

BYOD

Mostly privately owned mobile devices with either on-network or remote access.

It would be overkill and unhelpful to list every single location or device that is in scope. Rather, list by broad categories as suggested above or simply list exceptional cases that are in/out of scope.

IT systems scope considerations

Consider identifying your IT systems by your level of control or ownership.

Fully owned systems

These are systems that are wholly owned or managed by your organization.

IT is almost always the admin of these systems. Generally they are hosted on premises. All securitization through methods such as patching or antivirus is done and managed by your IT department.

Cloud/remote hosted (SaaS)

These are systems with a lot of uncertainties because the vendor or service provided is either not known or what they are doing for security is not fully known.

These systems need to be secured regardless, but supplier and vendor relationship management becomes a major component of how to manage these systems. Often, each system has varying levels of risk based on vendor practices.

Hybrid owned (IaaS/PaaS)

You likely have a good understanding of control for these systems, but they may not be fully managed by you (i.e. ownership of the infrastructure). These systems are often hosted by third parties that do some level of admin work.

A main concern is the unclear definition of responsibility in maintaining these systems. These are managed to some degree by third parties; it is challenging for your security program to perform the full gamut of security or administrative functions.

Unknown/unowned systems

There are often systems that are unowned and even unknown and that very few people are using. These apps can be very small and my not fall under your IT management system framework. These systems create huge levels of risk due to limited visibility.

For example, unapproved (shadow IT) file sharing or cloud storage applications would be unknown and unowned.

1.1.4 Record your scope and boundaries

Estimated Time: 30-60 minutes

1. Divide into groups and give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the scope buckets.
2. Collect each group’s responses and discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.
   • Careful attention should be paid to any elements of the strategy that are not in scope.
3. Discuss and aggregate all responses as to what will be in scope of the security strategy and what will not be. Record these in the Information Security Requirements Gathering Tool.

1.2 Conduct a risk assessment

Estimated Time: 1-3 hours

1. As a group, review the questions on the Risk Assessment tab of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following risk elements:
   • Threats
   • Assets
   • Vulnerabilities (people, systems, supply chain)
   • Historical security incidents

Input

• List of organizational assets
• Historical data on information security incidents

Output

• Completed risk assessment

Materials

• Information Security Pressure Analysis Tool

Participants

• Security Team
• IT Leadership
• Risk Management

Download the Information Security Pressure Analysis Tool

1.2.1 Complete the risk assessment questionnaire

Estimated Time: 60-90 minutes

1. Review each question in the questionnaire and provide the most appropriate response using the drop-down list.
   • If you are unsure of the answer, consult with subject matter experts to obtain the required data.
   • Otherwise, provide your best estimation
2. When providing responses for the historical incident questions, only count incidents that had a sizeable impact on the business.

Info-Tech Insight

Understanding your organization’s security risks is critical to identifying the most appropriate level of investment into your security program. Organizations with more security risks will need more a mature security program to mitigate those risks.

1.2.2 Review the results of the risk assessment

Estimated Time: 30 minutes

1. Once you have completed the risk assessment, you can review the output on the Results tab.
2. If required, the weightings of each of the risk elements can be customized on the Weightings tab.
3. Once you have reviewed the results, copy your risk assessment diagram into the Information Security Strategy Communication Deck.

It is important to remember that the assessment measures inherent risk, meaning the risk that exists prior to the implementation of security controls. Your security controls will be assessed later as part of the gap analysis.

1.3 Conduct pressure analysis

Estimated Time: 1-2 hours

1. As a group, review the questions on the Pressure Analysis tab of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following pressure elements:
   • Compliance and oversight
   • Customer expectations
   • Business expectations
   • IT expectations

Input

• Information on various pressure elements within the organization

Output

• Completed pressure analysis

Materials

• Information Security Pressure Analysis Tool

Participants

• Security Team
• IT Leadership
• Business Leaders
• Compliance

Download the Information Security Pressure Analysis Tool

Risk tolerance considerations

At this point, we want to frame risk tolerance in terms of business impact. Meaning, what kinds of impacts to the business would we be able to tolerate and how often? This will empower future risk decisions by allowing the impact of a potential event to be assessed, then compared against the formalized tolerance. We will consider impact from three perspectives:

F

Functional Impact

The disruption or degradation of business/organizational processes.

I

Informational Impact

The breach of confidentiality, privacy, or integrity of data/information.

R

Recoverability Impact

The disruption or degradation of the ability to return to conditions prior to a security incident.

Consider these questions:

ANALYST PERSPECTIVE

It is crucial to keep in mind that you care about a risk scenario impact to the main business processes.

For example, imagine a complete functional loss of the corporate printers. For most businesses, even the most catastrophic loss of printer function will have a small impact on their ability to carry out the main business functions.

On the flip side, even a small interruption to email or servers could have a large functional impact on business processes.

Risk tolerance descriptions

High

• Organizations with high risk tolerances are often found in industries with limited security risk, such as Construction, Agriculture and Fishing, or Mining.
• A high risk tolerance may be appropriate for organizations that do not rely on highly sensitive data, have limited compliance obligations, and where their customers do not demand strong security controls. Organizations that are highly focused on innovation and rapid growth may also tend towards a higher risk tolerance.
• However, many organizations adopt a high risk tolerance by default simply because they have not adequately assessed their risks.

Moderate

• Organizations with medium risk tolerances are often found in industries with moderate levels of security risk, such as Local Government, Education, or Retail and Wholesale
• A medium risk tolerance may be appropriate for organizations that store and process some sensitive data, have a modest number of compliance obligations, and where customer expectations for security tend to be implicit rather than explicit.

Low

• Organizations with low risk tolerances are often found in industries with elevated security risk, such as Financial Services, Federal Governments, or Defense Contractors.
• A low risk tolerance may be appropriate for organizations that store very sensitive data, process high-value financial transactions, are highly regulated, and where customers demand strong security controls.
• Some organizations claim to have a low risk tolerance, but in practice will often allow business units or IT to accept more security risk than would otherwise be permissible. A strong information security program will be required to manage risks to an acceptable level.

1.4.1 Complete the risk tolerance questionnaire

Estimated Time: 30-60 minutes

1. In a group discussion, review the low-, medium-, and high-impact scenarios and examples for each impact category. Ensure that everyone has a consistent understanding of the scenarios.
2. For each impact type, use the frequency drop-down list to identify the maximum frequency that the organization could tolerate for the event scenarios, considering:
   • The current frequency with which the scenarios are occurring in your organization may be a good indication of your tolerance. However, keep in mind that you may be able to tolerate these incidents happening more frequently than they do.
   • Hoping is not the same as tolerating. While everyone hopes that high-impact incidents never occur, carefully consider whether you could tolerate them occurring more frequently.

1.4.2 Review the results of the risk tolerance analysis

Estimated Time: 30 minutes

1. Once you have completed the risk tolerance exercise, you can review the output on the Results tab.
2. If required, the weightings of each of the impact types can be customized on the Weightings tab.
3. Once you have reviewed the results, copy your risk tolerance diagram into the Information Security Strategy Communication Deck.

A low risk tolerance will require a stronger information security program to ensure that operational security risk in the organization is minimized. If this tool reports that your risk tolerance is low, it is recommended that you review the results with your senior stakeholders to ensure agreement and support for the security program.

1.5 Establish your target state

Estimated Time: 30-60 minutes

1. As a group, review the overall results of the requirements gathering exercise:
   • Business goals cascade
   • Compliance obligations
   • Scope
2. Review the overall results of the risk assessment, pressure analysis, and risk tolerance exercises.
3. Conduct a group discussion to arrive at a consensus of what the ideal target state for the information security program should look like.
   • Developing mission and vision statements for security may be useful for focusing the group.
   • This discussion should also consider the desired time frame for achieving the target state.

Download the Information Security Pressure Analysis Tool

Input

• Information security requirements (goals cascade, compliance obligations, scope)
• Risk assessment
• Pressure analysis
• Risk tolerance

Output

• Completed information security target state

Materials

• Information Security Pressure Analysis Tool

Participants

• Security Team
• IT Leadership
• Risk Management
• Business Leaders
• Compliance

Understanding security target states

Maturity models are very effective for determining information security target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state for information security in your organization.

1. AD HOC

   Initial/Ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

2. DEVELOPING

   Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

3. DEFINED

   A defined security program is holistic, documented, and proactive. At least some governance is in place, however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

4. MANAGED

   Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

5. OPTIMIZED

   An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

1.5.1 Review the results of the target state recommendation

Estimated Time: 30-60 minutes

1. Based upon your risk assessment, pressure analysis, and risk tolerance, the Information Security Pressure Analysis Tool will provide a recommended information security target state.
2. With your group, review the recommendation against your expectations.
3. If required, the weightings of each of the factors can be customized on the Weightings tab.
4. Once you have reviewed the results, copy your target state diagram into the Information Security Strategy Communication Deck.

Info-Tech Insight

Higher target states require more investment to attain. It is critical to ensure that all key stakeholders agree on the security target state. If you set a target state that aims too high, you may struggle to gain support and funding for the strategy. Taking this opportunity to ensure alignment from the start will pay off dividends in future.

1.5.2 Review and adjust risk and pressure weightings

Estimated Time: 30 minutes

1. If the results of your risk assessment, pressure analysis, risk tolerance, or target state do not match your expectations, you may need to review and adjust the weightings for the elements within one or more of these areas.
2. On the Weightings tab, review each of the strategic categories and adjust the weights as required.
   • Each domain is weighted to contribute to your overall pressure score based on the perceived importance of the domain to the organization.
   • The sum of all weights for each category must add up to 100%.

Case Study

Credit Service Company

Industry: Financial Services

Source: Info-Tech Research group

Below are some of the primary requirements that influenced CSC’s initial strategy development.

External Pressure

Pressure Level: High

• Highly regulated industries, such as Finance, experience high external pressure.

• Security pressure was anticipated to increase over the following three years due to an increase in customer requirement.

Obligations

Regulatory: Numerous regulations and compliance requirements as a financial institution (PCI, FFIEC guidance).

Customer: Implicitly assumes personal, financial, and health information will be kept secure.

Risk Tolerance

Tolerance Level: Low

1. Management: Are risk averse and have high visibility into information security.
2. Multiple locations controlled by a central IT department decreased the organization’s risk tolerance.

Summary of Security Requirements

Define and implement dynamic information security program that understands and addresses the business’ inherent pressure, requirements (business, regulatory, and customer), and risk tolerance.

Phase 2

Build a Gap Initiative Strategy

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

• 2.1 Review Info-Tech’s framework.
• 2.2 Assess your current state of security against your target state.
• 2.3 Identify actions required to close gaps.

2.1 Review the Info-Tech framework

Estimated Time: 30-60 minutes

1. As a group, have the security team review the security framework within the Information Security Gap Analysis Tool.
2. Customize the tool as required using the instructions on the following slides.

Input

• Information security requirements
• Security target state

Output

• Customized security framework

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team

Download the Information Security Gap Analysis Tool

Understand the Info-Tech framework

Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:

• ISO 27001/27002
• COBIT
• Center for Internet Security (CIS) Critical Controls
• NIST Cybersecurity Framework
• NIST SP 800-53
• NIST SP 800-171

A best-of-breed approach ensures holistic coverage of your information security program while refraining from locking you in to a specific compliance standard.

2.1.1 Configure the Information Security Gap Analysis Tool

Estimated Time: 30 minutes

Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:

• The security target state. Enter the target state from your Information Security Pressure Analysis Tool. If you do not enter a target state, the tool will default to a target of 3 (Defined).
• Your Security Alignment Goals (from your Information Security Requirements Gathering Tool).
• The starting year for your security roadmap.

2.2 Assess current state of security

Estimated Time: 8-16 hours

1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to complete your current state and target state assessment.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Input

• Security target state
• Information on current state of security controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

Output

• Gap analysis

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

Download the Information Security Gap Analysis Tool

Example maturity levels

To help determine appropriate current and target maturity levels, refer to the example below for the control “Email communication is filtered for spam and potential malicious communications.”

AD HOC 01

There is no centrally managed spam filter. Spam may be filtered by endpoint email clients.

DEVELOPING 02

There is a secure email gateway. However, the processes for managing it are not documented. Administrator roles are not well defined. Minimal fine-tuning is performed, and only basic features are in use.

DEFINED 03

There is a policy and documented process for email security. Roles are assigned and administrators have adequate technical training. Most of the features of the solution are being used. Rudimentary reports are generated, and some fine-tuning is performed.

MANAGED 04

Metrics are produced to measure the effectiveness of the email security service. Advanced technical features of the solution have been implemented and are regularly fine-tuned based on the metrics.

OPTIMIZED 05

There is a dedicated email security administrator with advanced technical training. Custom filters are developed to further enhance security, based on relevant cyber threat intelligence. Email security metrics feed key risk indicators that are reported to senior management.

2.2.1 Conduct current state assessment

Estimated Time: 8-16 hours

1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
   • You should only use “N/A” if you are confident that the control is not required in your organization.
   For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

2.2.1 Conduct current state assessment

Estimated Time: 8-16 hours

1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
   • You should only use “N/A” if you are confident that the control is not required in your organization. For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

Review the Gap Analysis Dashboard

Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.

Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired.

Security domains that appear white have not yet been assessed or are rated as “N/A.”

2.2.3 Identify actions required to close gaps

Estimated Time: 4-8 hours

1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to identify gap closure actions for each control that requires improvement.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Input

• Security control gap information

Output

• Gap closure action list

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

Download the Information Security Gap Analysis Tool

2.3.1 Identify gap closure actions

Estimated Time: 4-8 hours

1. For each of the controls where there is a gap between the current and target state, a gap closure action should be identified:
   • Review the example actions and copy one or more of them if appropriate. Otherwise, enter your own gap closure action.
2. Identify whether the action should be managed as a task or as an initiative. Most actions should be categorized as an initiative. However, it may be more appropriate to categorize them as a task when:
   1. They have no costs associated with them
   2. They require a low amount of initial effort to implement and no ongoing effort to maintain
   3. They can be accomplished independently of other tasks

Considerations for gap closure actions

• In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Actions column.
• The example gap closure actions may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
• Not all gaps will require their own action. You can enter one action that may address multiple gaps.
• If you find that many of your actions are along the lines of “investigate and make recommendations,” you should consider using the estimated gap closure percentage column to track the fact that these gaps will not be fully closed by the actions.

2.3.2 Define gap closure action effectiveness

Estimated Time: 1-2 hours

For each of the gap closure actions, optionally enter an estimated gap closure percentage to indicate how effective the action will be in fully closing the gap.

• For instance, an action to “investigate solutions and make recommendations” will not fully close the gap.
• This is an optional step but will be helpful to understand how much progress towards your security target state you will make based on your roadmap.
• If you do not fill in this column, the tool will assume that your actions will fully close all gaps.

Completing this step will populate the “Security Roadmap Progression” diagram in the Results tab, which will provide a graphic illustration of how close to your target state you will get based upon the roadmap.

Phase 3

Prioritize Initiatives and Build Roadmap

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

• 3.1 Define tasks and initiatives.
• 3.2 Define cost, effort, alignment, and security benefit of each initiative.
• 3.3 Prioritize initiatives.
• 3.4 Build the prioritized security roadmap

3.1 Define tasks and initiatives

Estimated Time: 2-4 hours

1. As a group, review the gap actions identified in the Gap Analysis tab.
2. Using the instructions on the following slides, finalize your task list.
3. Using the instructions on the following slides, review and consolidate your initiative list.

Input

• Gap analysis

Output

• List of tasks and initiatives

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Information Security Gap Analysis Tool

3.1.1 Finalize your task list

Estimated Time: 1-2 hours

1. Obtain a list of all your task actions by filtering on the Action Type column in the Gap Analysis tab.
2. Paste the list into the table on the Task List tab.
   • Use Paste Values to retain the table formatting
3. Enter a task owner and due date for each task. Without accountability, it is too easy to fall into complacency and neglect these tasks.

Info-Tech Insight

Tasks are not meant to be managed to the same degree that initiatives will be. However, they are still important. It is recommended that you develop a process for tracking these tasks to completion.

3.1.2 Consolidate your gap closure actions into initiatives

Estimated Time: 2-3 hours

1. Once you have finalized your task list, you will need to consolidate your list of initiative actions. Obtain a list of all your initiative actions by filtering on the Action Type column in the Gap Analysis tab.
2. Create initiatives on the Initiative List tab. While creating initiatives, consider the following:
   • As much as possible, it is recommended that you consolidate multiple actions into a single initiative. Reducing the total number of initiatives will allow for more efficient management of the overall roadmap.
   • Start by identifying areas of commonality between gap closure actions, for instance:
     • Group all actions within a security domain into a single initiative.
     • Group together similar actions, such as all actions that require updating policies.
     • Consider combining actions that have inter-dependencies.
   • While it is recommended that you consolidate actions as much as possible, some actions should become initiatives on their own. This will be appropriate when:
     • The action is time sensitive and consolidating it with other actions will cause scheduling issues.
     • Actions that could otherwise be consolidated have different business sponsors or owners and need to be kept separate for funding or accountability reasons.
3. Link the initiative actions on the Gap Analysis tab using the drop-down list in the Initiative Name column.

Initiative consolidation example

In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.”

We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

Info-Tech Insight

As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.

3.1.3 Finalize your initiative list

Estimated Time: 30 minutes

1. Review your final list of initiatives and make any required updates.
2. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Use the drop-down list to indicate which of the security alignment goals most appropriately reflects the objectives of the initiative. If you are unsure, use the legend next to the table to find the primary security domain associated with the initiative and then select the recommended security alignment goal.
   • This step is important to understand how the initiative supports the business goals identified earlier.

3.2 Conduct cost/ benefit analysis

Estimated Time: 1-2 hours

1. As a group, define the criteria to be used to conduct the cost/benefit analysis, following the instructions on the next slide.
2. Assign costing and benefits information for each initiative.
3. Define dependencies or business impacts if they will help with prioritization.

Input

• Gap analysis
• Initiative list

Output

• Completed cost/benefit analysis for initiative list

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Information Security Gap Analysis Tool

3.2.1 Define costing criteria

Estimated Time: 30 minutes

1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low ranges for initial and ongoing costs and efforts.
   1. Initial costs are one-time, upfront capital investments (e.g. hardware and software costs, project-based consulting fees, training).
   2. Ongoing cost is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
   3. Initial staffing in hours is total time in person hours required to complete a project. It is not total elapsed time but dedicated time. Consider time required to gather requirements and to design, test, and implement the solution.
   4. Ongoing staffing in FTEs is the ongoing average effort required to support that initiative after implementation.
2. In addition to ranges, provide an average for each. These will be used to calculate estimated total costs for the roadmap.

Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.

3.2.2 Define benefits criteria

Estimated Time: 30 minutes

1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low values for the Alignment with Business Benefit.
   • This variable is meant to capture how well each initiative aligns with organizational goals and objectives.
   • By default, this benefit is linked directly to business goals through the primary and secondary security alignment goals. This allows the tool to automatically calculate the benefit based on the security alignment goals associated with each initiative.
   • If you change these values, you may need to override the calculated values in the prioritization tab.
2. Enter a high, medium, and low value for the Security Benefit.
   • This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative.
   • By default, this benefit is linked to security risk reduction.

Some organizations prefer to use the “Security Benefit” criteria to demonstrate how well each initiative supports specific compliance goals.

3.2.3 Complete the cost/benefit analysis

Estimated Time: 1-2 hours

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
   • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
2. Enter the estimated benefits, also using the criteria defined earlier.
   • The Alignment with Business benefit will be automatically populated, but you can override this value using the drop-down list if desired.

3.2.4 Optionally enter detailed cost estimates

Estimated Time: 30 minutes

1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in steps 3.2.1 and 3.2.2. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
   • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
   • You have defined your “Medium” cost range as being “$10-100K”, so you select medium as your initial cost for this initiative in step 3.2.3. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
   • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

Case Study

Credit Service Company

Industry: Financial Services

Source: Info-Tech Research Group

3.3 Prioritize initiatives

Estimated Time: 2-3 hours

1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
   • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
   • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
2. Follow step 3.3.1 to create an effort map with the results of the cost/benefit analysis.
3. Follow step 3.3.2 to assign initiatives into execution waves.

Input

• Gap analysis
• Initiative list
• Cost/benefit analysis

Output

• Prioritized list of initiatives

Materials

• Information Security Gap Analysis Tool
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Information Security Gap Analysis Tool

3.3.1 Create effort map

Estimated Time: 30 minutes

1. On a whiteboard, draw the quadrant diagram shown.
2. Create sticky notes for each initiative on your initiative list.
3. For each initiative, use the “Cost/Effort Rating” and the “Benefit Rating” calculated on the Prioritization tab to place the corresponding sticky note onto the diagram.

An effort map is a tool used for the visualization of a cost/benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized. In this example, the initiative “Update Security Policies” was assessed as low cost/effort (3) and high benefit (10).

3.3.2 Assign initiatives to execution waves

Estimated Time: 60 minutes

1. Using sticky flip chart sheets, create four sheets and label them according to the four execution waves:
   • MUST DO – These are initiatives that need to get moving right away. They may be quick wins, items with critical importance, or foundational projects upon which many other initiatives depend.
   • SHOULD DO – These are important initiatives that need to get done but cannot launch immediately due to budget constraints, dependencies, or business impacts that require preparation.
   • COULD DO – Initiatives that have merit but are not a priority.
   • WON’T DO – Initiatives where the costs outweigh the benefits.
2. Using the further instructions on the following slides, move the initiative sticky notes from your effort map into the waves.

Considerations for prioritization

• Starting from the top right of the effort map, begin pulling stickies off and putting them in the appropriate roadmap category.
• Keep dependencies in mind. If an important initiative depends on a low-priority one being completed first, then pull dependent initiatives up the list.
• It may be helpful to think of each wave as representing a specific time frame (e.g. wave 1 = first year of your roadmap, wave 2 = year two, wave 3 = year three).

Info-Tech Insight

Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.

3.3.3 Finalize prioritization

Estimated Time: 30 minutes

1. Once you have completed placing your initiative sticky notes into the waves, update the Prioritization tab with the Roadmap Wave column.
2. Optionally, use the Roadmap Sub-Wave column to prioritize initiatives within a single wave.
   • This will allow you more granular control over the final prioritization, especially where dependencies require extra granularity.

Any initiatives that are currently in progress should be assigned to Wave 0.

3.4 Build roadmap

Estimated Time: 1-3 hours

1. As a group, follow step 3.4.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Information Security Gap Analysis Tool.
2. Review the roadmap for resourcing conflicts and adjust as required.
3. Review the final cost and effort estimates for the roadmap.

Input

• Gap analysis
• Cost/benefit analysis
• Prioritized initiative list
• (Optional) List of other non-security IT and business projects

Output

• Security strategic roadmap

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Information Security Gap Analysis Tool

3.4.1 Schedule initiatives using the Gantt chart

Estimated Time: 1-2 Hours

1. On the Gantt Chart tab for each initiative, enter an owner (the individual who will be primarily responsible for execution).
2. Additionally, enter a start month and year for the initiative and the expected duration in months.
   • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
   • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.

Info-Tech Insight

Use the Owner column to help identify resourcing constraints. If a single individual is responsible for many different initiatives that are planned to start at the same time, consider staggering those initiatives.

3.4.2 Review your roadmap

Estimated Time: 30-60 minutes

1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
   • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
   • Does your organization have regular change freezes throughout the year that will impact the schedule?
   • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
   • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
   • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

3.4.3 Review your expected roadmap progression

Estimated Time: 30 minutes

1. If you complete the optional exercise of filling in the Estimated Gap Closure Percentage column on the Gap Analysis tab, the tool will generate a diagram showing how close to your target state you can expect to get based on the tasks and initiatives in your roadmap. You can review this diagram on the Results tab.
   • Remember that this Expected Maturity at End of Roadmap score assumes that you will complete all tasks and initiatives (including all Wave 4 initiatives).
2. Copy the diagram into the Information Security Strategy Communication Deck.

Info-Tech Insight

Often, internal stakeholders will ask the question “If we do everything on this roadmap, will we be at our target state?” This diagram will help answer that question.

3.4.4 Review your cost/effort estimates table

Estimated Time: 30 minutes

1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
   • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
   • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.
   • This table provides you with the information to have important conversations with management and stakeholders
2. When you have completed your review, copy the table into the Information Security Strategy Communication Deck.

Phase 4

Execute and Maintain

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

• 4.1 Build your security strategy communication deck.
• 4.2 Develop a security charter.
• 4.3 Execute on your roadmap.

4.1 Build your communication deck

Estimated Time: 1-3 hours

1. As a group, review the Information Security Strategy Communication Deck.
2. Follow the instructions within the template and on the next few slides to customize the template with the results of your strategic roadmap planning.

Input

• Completed Security Requirements Gathering Tool
• Completed Security Pressure Analysis Tool
• Completed Security Gap Analysis Tool

Output

• Information Security Strategy Communication Deck

Materials

• Information Security Strategy Communication Deck

Participants

• Security Team
• IT Leadership

Download the Information Security Gap Analysis Tool

4.1.1 Customize the Communication Deck

Estimated Time: 1-2 hours

1. When reviewing the Information Security Strategy Communication Deck, you will find slides that contain instructions within green text boxes. Follow the instructions within the boxes, then delete the boxes.
   • Most slides only require that you copy and paste screenshots or tables from your tools into the slides.
   • However, some slides require that you customize or add text explanations that need to reflect your unique organization.
   • It is recommended that you pay attention to the Next Steps slide at the end of the deck. This will likely have a large impact on your audience.
2. Once you have customized the existing slides, you may wish to add additional slides. For instance, you may wish to add more context to the risk assessment or pressure analysis diagrams or provide details on high-priority initiatives.

Consider developing multiple versions of the deck for different audiences. Senior management may only want an executive summary, whereas the CIO may be more interested in the methodology used to develop the strategy.

Communication considerations

Developing an information security strategy is only half the job. For the strategy to be successful, you will need to garner support from key internal stakeholders. These may include the CIO, senior executives, and business leaders. Without their support, your strategy may never get the traction it needs. When building your communication deck and planning to present to these stakeholders, consider the following:

• Gaining support from stakeholders requires understanding their needs. Before presenting to a new audience, carefully consider their priorities and tailor your presentation to address them.
• Use the communication deck to clarify the business context and how your initiatives that will support business goals.
• When presenting to senior stakeholders, anticipate what questions they might ask and be sure to prepare answers in advance. Always be prepared to speak to any data point within the deck.
• If you are going to present your strategy to a group and you anticipate that one or more members of that group may be antagonistic, seek out an opportunity to speak to them before the meeting and address their concerns one on one.

If you have already fully engaged your key stakeholders through the requirements gathering exercises, presenting the strategy will be significantly easier. The stakeholders will have already bought in to the business goals, allowing you to show how the security strategy supports those goals.

Info-Tech Insight

Reinforce the concept that a security strategy is an effort to enable the organization to achieve its core mission and goals and to protect the business only to the degree that the business demands. It is important that stakeholders understand this point.

4.2 Develop a security charter

Estimated Time: 1-3 hours

1. As a group, review the Information Security Charter.
2. Customize the template as required to reflect your information security program. It may include elements such as:
   • A mission and vision statement for information security in your organization
   • The objectives and scope of the security program
   • A description of the security principles upon which your program is built
   • High-level roles and responsibilities for information security within the organization

Input

• Completed Security Requirements Gathering Tool
• Completed Security Pressure Analysis Tool
• Completed Security Gap Analysis Tool

Output

• Information security charter

Materials

• Information Security Charter

Participants

• Security Team

Download the Information Security Gap Analysis Tool

4.2.1 Customize the Information Security Charter

Estimated Time: 1-3 hours

1. Involve the stakeholders that were present during Phase 1 activities to allow you to build a charter that is truly reflective of your organization.
2. The purpose of the security charter is too:
   • Establish a mandate for information security within the organization.
   • Communicate executive commitment to risk and information security management.
   • Outline high-level responsibilities for information security within the organization.
   • Establish awareness of information security within the organization.

A security charter is a formalized and defined way to document the scope and purpose of your security program. It will define security governance and allow it to operate efficiently through your mission and vision.

4.3 Execute on your roadmap

1. Executing on your information security roadmap will require coordinated effort by multiple teams within your organization. To ensure success, consider the following recommendations:
   1. If you have a project management office, leverage them to help apply formal project management methodologies to your initiatives.
   2. Develop a process to track the tasks on your strategy task list. Because these will not be managed as formal initiatives, it will be easy to lose track of them.
   3. Develop a schedule for regular reporting of progress on the roadmap to senior management. This will help hold yourself and others accountable for moving the project forward.
2. Plan to review and update the strategy and roadmap on a regular basis. You may need to add, change, or remove initiatives as priorities shift.

Input

• Completed Security Gap Analysis Tool

Output

• Execution of your strategy and roadmap

Materials

• Information Security Gap Analysis Tool
• Project management tools as required

Participants

• Security Team
• Project Management Office
• IT and Corporate Teams, as required

Info-Tech Insight

Info-Tech has many resources that can help you quickly and effectively implement most of your initiatives. Talk to your account manager to learn more about how we can help your strategy succeed.

Summary of Accomplishment

Knowledge Gained

• Knowledge of organizational pressures and the drivers behind them
• Insight into stakeholder goals and obligations
• A defined security risk tolerance information and baseline
• Comprehensive knowledge of security current state and summary initiatives required to achieve security objectives

Deliverables Completed

• Information Security Pressure Analysis Tool
• Information Security Requirements Gathering Tool
• Information Security Program Gap Analysis Tool
• Information Security Strategy Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com
1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Information Security Program Gap Analysis Tool

Use our best-of-breed security framework to perform a gap analysis between your current and target states.

Information Security Requirements Gathering Tool

Define the business, customer, and compliance alignment for your security program.

Related Info-Tech Research

Develop a Security Operations Strategy

A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.

This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Implement a Security Governance and Management Program

Your security governance and management program needs to be aligned with business goals to be effective.

This approach also helps to provide a starting point to develop a realistic governance and management program.

This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Align Your Security Controls to Industry Frameworks for Compliance

Don’t reinvent the wheel by reassessing your security program using a new framework.

Instead, use the tools in this blueprint to align your current assessment outcomes to required standards.

Bibliography

“2015 Cost of Data Breach Study: United States.” Sponsored by IBM. Ponemon Institute, May 2015. Web.

“2016 Cost of Cyber Crime Study & the Risk of Business Innovation.” Ponemon Institute, Oct. 2016. Web. 25 Oct. 2016.

“2016 Cost of Data Breach Study: Global Analysis.” Ponemon Institute, June 2016. Web. 26 Oct. 2016.

“2016 Data Breach Investigations Report.” Verizon, 2016. Web. 25 Oct. 2016.

“2016 NowSecure Mobile Security Report.” NowSecure, 2016. Web. 5 Nov. 2016.

“2017 Cost of Cyber Crime Study.” Ponemon Institute, Oct. 2017. Web.

“2018 Cost of Data Breach Study: Global Overview.” Ponemon Institute, July 2018. Web.

“2018 Data Breach Investigations Report.” Verizon, 2018. Web. Oct. 2019.

“2018 Global State of Information Security Survey.” CSO, 2017. Web.

“2018 Thales Data Threat Report.” Thales eSecurity, 2018. Web.

“2019 Data Breach Investigations Report.” Verizon, 2020. Web. Feb. 2020.

“2019 Global Cost of a Data Breach Study.” Ponemon Institute, Feb. 2020. Web.

“2019 The Cost of Cyber Crime Study.” Accenture, 2019. Web Jan 2020.

“2020 Thales Data Threat Report Global Edition.” Thales eSecurity, 2020. Web. Mar. 2020.

Ben Salem, Malek. “The Cyber Security Leap: From Laggard to Leader.” Accenture, 2015. Web. 20 Oct. 2016.

“Cisco 2017 Annual Cybersecurity Report.” Cisco, Jan. 2017. Web. 3 Jan. 2017.

“Cyber Attack – How Much Will You Lose?” Hewlett Packard Enterprise, Oct. 2016. Web. 3 Jan. 2017.

“Cyber Crime – A Risk You Can Manage.” Hewlett Packard Enterprise, 2016. Web. 3 Jan. 2017.

“Global IT Security Risks Survey.” Kaspersky Lab, 2015. Web. 20 October 2016.

“How Much Is the Data on Your Mobile Device Worth?” Ponemon Institute, Jan. 2016. Web. 25 Oct. 2016.

“Insider Threat 2018 Report.” CA Technologies, 2018. Web.

“Kaspersky Lab Announces the First 2016 Consumer Cybersecurity Index.” Press Release. Kaspersky Lab, 8 Sept. 2016. Web. 3 Jan. 2017.

“Kaspersky Lab Survey Reveals: Cyberattacks Now Cost Large Businesses an Average of $861,000.” Press Release. Kaspersky Lab, 13 Sept. 2016. Web. 20 Oct. 2016.

“Kaspersky Security Bulletin 2016.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

“Managing Cyber Risks in an Interconnected World: Key Findings From the Global State of Information Security Survey 2015.” PwC, 30 Sept. 2014. Web.

“Measuring Financial Impact of IT Security on Business.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

“Ponemon Institute Releases New Study on How Organizations Can Leapfrog to a Stronger Cyber Security Posture.” Ponemon Institute, 10 Apr. 2015. Web. 20 Oct. 2016.

“Predictions for 2017: ‘Indicators of Compromise’ Are Dead.” Kaspersky Lab, 2016. Web. 4 Jan. 2017.

“Take a Security Leap Forward.” Accenture, 2015. Web. 20 Oct. 2016.

“Trends 2016: (In)security Everywhere.” ESET Research Laboratories, 2016. Web. 25 Oct. 2016.

Research Contributors

• Peter Clay, Zeneth Tech Partners, Principal
• Ken Towne, Zeneth Tech Partners, Security Architect
• Luciano Siqueria, Road Track, IT Security Manager
• David Rahbany, The Hain Celestial Group, Director IT Infrastructure
• Rick Vadgama, Cimpress, Head of Information Privacy and Security
• Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
• Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
• Trevor Butler, City of Lethbridge, Information Technology General Manager
• Shane Callahan, Tractor Supply, Director of Information Security
• Jeff Zalusky, Chrysalis, President/CEO
• Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
• Dan Humbert, YMCA of Central Florida, Director of Information Technology
• Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
• Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
• Joan Middleton, Village of Mount Prospect, IT Director
• Jim Burns, Great America Financial Services, Vice President Information Technology
• Ryan Breed, Hudson’s Bay, Information Security Analyst
• James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

Into the Metaverse

How IT can prepare for the new digital world.

Analyst Perspective

The metaverse is still a vision of the future.

On October 28, 2021, Mark Zuckerberg got up on stage and announced Facebook's rebranding to Meta and its intent to build out a new business line around the metaverse concept. Just a few days later, Microsoft's CEO Satya Nadella put forward his own idea of the metaverse at Microsoft Ignite. Seeing two of Silicon Valley's most influential companies pitch a vision of avatar-driven virtual reality collaboration sparked our collective curiosity. At the heart of it lies the question, "What is the metaverse, anyway?“

If you strip back the narrative of the companies selling you the solutions, the metaverse can be viewed as technological convergence. Years of development on mixed reality, AI, immersive digital environments, and real-time communication are culminating in a totally new user experience. The metaverse makes the digital as real as the physical. At least, that's the vision.

It will be years yet before the metaverse visions pitched to us from Silicon Valley stages are realized. In the meantime, understanding the individual technologies contributing to that vision can help CIOs realize business value today. Join me as we delve into the metaverse.

Brian Jackson
Research Director, CIO
Info-Tech Research Group

From pop culture to Silicon Valley

Sci-fi visionaries are directly involved in creating the metaverse concept

The term “metaverse” was coined by author Neal Stephenson in the 1992 novel “Snow Crash.” In the novel, main character Hiro Protagonist interacts with others in a digitally defined space. Twenty-five years after its release, the cult classic is influential among Silicon Valley's elite. Stephenson has played some key roles in Silicon Valley firms. He became the first employee at Blue Origin, the space venture founded by Jeff Bezos, in 2006, and later became chief futurist at augmented reality firm Magic Leap in 2014. Stephenson also popularized the Hindu concept "avatar" in his writing, paving the way for people to embody digitally rendered models to participate in the metaverse (Vanity Fair, 2017).

Even earlier concepts of the metaverse were examined in the 1980s, with William Gibson’s “Neuromancer” exploring the same idea as cyberspace. Gibson's novel was influenced by his time in Seattle, where friend and Microsoft executive Eileen Gunn took him to hacker bars where he'd eavesdrop on "the poetics of the technological subculture" (Medium, 2022). Other visions of a virtual reality mecca were brought to life in the movies, including the 1982 Disney release “Tron,” the 1999 flick “The Matrix,” and 2018’s “Ready Player One.”

There's a common set of traits among these sci-fi narratives that help us understand what Silicon Valley tech firms are now set to commercialize: users interact with one another in a digitally rendered virtual world, with a sense of presence provided through the use of a head-mounted display.

Image courtesy nealstephenson.com

Meta’s view of the metaverse

CEO Mark Zuckerberg rebranded Facebook to make his intent clear

Mark Zuckerberg is all in on the metaverse, announcing October 28, 2021, that Facebook would be rebranded to Meta. The new brand took effect on December 1, and Facebook began trading under the new stock ticker MVRS on certain exchanges. On February 15, 2022, Zuckerberg announced at a company meeting that his employees will be known as Metamates. The company's new values are to live in the future, build awesome things, and focus on long-term impact. Its motto is simply "Meta, Metamates, me" (“Out With the Facebookers. In With the Metamates,” The New York Times, 2022).

Meta's Reality Labs division will be responsible for developing its metaverse product, using Meta Quest, its virtual reality head-mounted displays. Meta's early metaverse environment, Horizon Worlds, rolled out to Quest users in the US and Canada in early December 2021. This drove a growth in its monthly user base by ten times, to 300,000 people. The product includes Horizon Venues, tailored to attending live events in VR, but not Horizon Workrooms, a VR conferencing experience that remains invite-only. Horizon Worlds provides users tools to construct their own 3D digital environments and had been used to create 10,000 separate worlds by mid-February 2022 (“Meta’s Social VR Platform Horizon Hits 300,000 Users,“ The Verge, 2022).

In the future, Meta plans to amplify the building tools in its metaverse platform with generative AI. For example, users can give speech commands to create scenes and objects in VR. Project CAIRaoke brings a voice assistant to an augmented reality headset that can help users complete tasks like cooking a stew. Zuckerberg also announced Meta is working on a universal speech translator across all languages (Reuters, 2022).

Investment in the metaverse:
$10 billion in 2021

Key People:
CEO Mark Zuckerberg
CTO Andrew Bosworth
Chief Product Officer Chris Cox

(Source: “Meta Spent $10 Billion on the Metaverse in 2021, Dragging Down Profit,” The New York Times, 2022)

Microsoft’s view of the metaverse

CEO Satya Nadella showcased a mixed reality metaverse at Microsoft Ignite

In March 2021 Microsoft announced Mesh, an application that allows organizations to build out a metaverse environment. Mesh is being integrated into other Microsoft hardware and software, including its head-mounted display, the HoloLens, a mixed reality device. The Mesh for HoloLens experience allows users to collaborate around digital content projected into the real world. In November, Microsoft announced a Mesh integration with Microsoft Teams. This integration brings users into an immersive experience in a fully virtual world. This VR environment makes use of AltspaceVR, a VR application Microsoft first released in May 2015 (Microsoft Innovation Stories, 2021).

Last Fall, Microsoft also announced it is rebranding its Dynamics 365 Connected Store solution to Dynamics 365 Connected Spaces, signaling its expansion from retail to all spaces. The solution uses cognitive vision to create a digital twin of an organization’s physical space and generate analytics about people’s behavior (Microsoft Dynamics 365 Blog, 2021).

In the future, Microsoft wants to make "holoportation" a part of its metaverse experience. Under development at Microsoft Research, the technology captures people and things in photorealistic 3D to be projected into mixed reality environments (Microsoft Research, 2022). It also has plans to offer developers AI-powered tools for avatars, session management, spatial rendering, and synchronization across multiple users. Open standards will allow Mesh to be accessed across a range of devices, from AR and VR headsets, smartphones, tablets, and PCs.

Microsoft has been developing multi-user experiences in immersive 3D environments though its video game division for more than two decades. Its capabilities here will help advance its efforts to create metaverse environments for the enterprise.

Investment in the metaverse:
In January 2022, Microsoft agreed to acquire Activision Blizzard for $68.7 billion. In addition to acquiring several major gaming studios for its own gaming platforms, Microsoft said the acquisition will play a key role in the development of its metaverse.

Key People:
CEO Satya Nadella
CEO of Microsoft Gaming Phil Spencer
Microsoft Technical Research Fellow Alex Kipman

Current state of metaverse applications from Meta and Microsoft

Current providers of an “enterprise metaverse”

Other providers designing mixed reality or digital twin tools may not have used the “metaverse” label but provide the same capabilities via platforms

NVIDIA Omniverse “The metaverse for engineers,” Omniverse is a developer toolset to allow organizations to build out their own unique metaverse visions. Omniverse Nucleus is the platform database that allows clients to publish digital assets or subscribe to receive changes to them in real-time. Omniverse Connectors are used to connect to Nucleus and publish or subscribe to individual assets and entire worlds. NVIDIA’s core physics engine provides a scalable and physically accurate world simulation.

TeamViewer’s Remote as a Service Platform Initially focusing on providing workers remote connectivity to work desktops, devices, and robotics, TeamViewer offers a range of software as a service products. Recent acquisitions to this platform see it connecting enterprise workflows to frontline workers using mixed reality headsets and adding more 3D visualization development tools to create digital twins. Clients include Coca-Cola and BMW.

“The metaverse matters in the future. TeamViewer is already making the metaverse tangible in terms of the value that it brings.” (Dr. Hendrik Witt, Chief Product Officer, TeamViewer)

The metaverse is a technological convergence

The metaverse is a platform combining multiple technologies to enable social and economic activity in a digital world that is connected to the physical world.

Info-Tech Insight

A metaverse experience must combine the three P’s: user presence is represented, the world is persistent, and data is portable.

Mixed reality provides the user experience (UX) for the metaverse

Both virtual and augmented reality will be part of the picture

Mixed reality encompasses both virtual reality and augmented reality. Both involve allowing users to immerse themselves in digital content using a head-mounted device or with a smartphone for a less immersive effect. Virtual reality is a completely digital world that is constructed as separate from the physical world. VR headsets take up a user's entire field of vision and must also have a mechanism to allow the user to interact in their virtual environment. Augmented reality is a digital overlay mapped on top of the real world. These headsets are transparent, allowing the user to clearly see their real environment, and projects digital content on top of it. These headsets must have a way to map the surrounding environment in 3D in order to project digital content in the right place and at the right scale.

Meta’s Plans

Meta acquired virtual reality developer Oculus VR Inc. and its set of head-mounted displays in 2014. It continues to develop new hardware under the Oculus brand, most recently releasing the Oculus Quest 2. Oculus Quest hardware is required to access Meta's early metaverse platform, Horizon Worlds.

Microsoft’s Plans

Microsoft's HoloLens hardware is a mixed reality headset. Its visor that can project digital content into the main portion of the user's field of vision and speakers capable of spatial audio. The HoloLens has been deployed at enterprises around the world, particularly in scenarios where workers typically have their hands busy. For example, it can be used to view digital schematics of a machine while a worker is performing maintenance or to allow a remote expert to "see through the eyes" of a worker.

Microsoft's Mesh metaverse platform, which allows for remote collaboration around digital content, was demonstrated on a HoloLens at Microsoft Ignite in November 2021. Mesh is also being integrated into AltspaceVR, an application that allows companies to hold meetings in VR with “enterprise-grade security features including secure sign-ins, session management and privacy compliance" (Microsoft Innovation Stories, 2021).

Immersive digital environments provide context in the metaverse

The interactive environment will be a mix of digital and physical worlds

If you've played a video game in the past decade, you've experienced an immersive 3D environment, perhaps even in a multiplayer environment with many other users at the same time. The video game industry grew quickly during the pandemic, with users spending more time and money on video games. Massive multiplayer online games like Fortnite provide more than a gaming environment. Users socialize with their friends and attend concerts featuring famous performers. They also spend money on different appearances or gestures to express themselves in the environment. When they are not playing the game, they are often watching other players stream their experience in the game. In many ways, the consumer metaverse already exists on platforms like Fortnite. At the same time, gaming developers are improving the engines for these experiences and getting closer to approximating the real world both visually and in terms of physics.

In the enterprise space, immersive 3D environments are also becoming more popular. Manufacturing firms are building digital twins to represent entire factories, modeling their real physical environments in digital space. For example, BMW’s “factory of the future” uses NVIDIA Omniverse to create a digital twin of its assembly system, simulated down to the detail of digital workers. BMW uses this simulation to plan reconfiguration of its factory to accommodate new car models and to train robots with synthetic data (“NVIDIA Omniverse,” NVIDIA, 2021).

Meta’s Plans

Horizon Workrooms is Meta's business-focused application of Horizon Worlds. It facilitates a VR workspace where colleagues can interact with others’ avatars, access their computer, use videoconferencing, and sketch out ideas on a whiteboard. With the Oculus Quest 2 headset, passthrough mode allows users to add their physical desk to the virtual environment (Oculus, 2022).

Microsoft’s Plans

AltspaceVR is Microsoft's early metaverse environment and it can be accessed with Oculus, HTC Vive, Windows Mixed Reality, or in desktop mode. Separately, Microsoft Studios has been developing digital 3D environments for its Xbox video game platform for yeas. In January 2022, Microsoft acquired games studio Activision Blizzard for $68.7 billion, saying the games studio would play a key role in the development of the metaverse.

Real-time communications allow for synchronous collaboration

Project your voice to a room full of avatars for a presentation or whisper in someone’s ear

If the metaverse is going to be a good place to collaborate, then communication must feel as natural as it does in the real world. At the same time, it will need to have a few more controls at the users’ disposal so they can focus in on the conversation they choose. Audio will be a major part of the communication experience, augmented by expressive avatars and text.

Mixed reality headsets come with integrated microphones and speakers to enable voice communications. Spatial audio will also be an important component of voice exchange in the metaverse. When you are in a videoconference conversation with 50 participants, every one of those people will sound as though they are sitting right next to you. In the metaverse, each person will sound louder or quieter based on how distant their avatar is from you. This will allow large groups of people to get together in one digital space and have multiple conversations happening simultaneously. In some situations, there will also be a need for groups to form a “party” as they navigate the metaverse, meaning they would stay linked through a live audio connection even if their avatars were not in the same digital space. Augmented reality headsets also allow remote users to “see through the eyes” of the person wearing the headset through a front-facing camera. This is useful for hands-on tasks where expert guidance is required.

People will also need to communicate with people not in the metaverse. More conventional videoconference windows or chat boxes will be imported into these environments as 2D panels, allowing users to integrate them into the context of their digital space.

Meta’s Plans

Facebook Messenger is a text chat and video chat application that is already integrated into Facebook’s platform. Facebook also owns WhatsApp, a messaging platform that offers group chat and encrypted messaging.

Microsoft’s Plans

Microsoft Teams is Microsoft’s application that combines presence-based text chat and videoconferencing between individuals and groups. Dynamics 365 Remote Assist is its augmented reality application designed for HoloLens wearers or mobile device users to share their real-time view with experts.

Generative AI will fill the metaverse with content at the command of the user

No-code and low-code creation tools will be taken to the next level in the metaverse

Metaverse platforms provide users with no-code and low-code options to build out their own environments. So far this looks like playing a game of Minecraft. Users in the digital environment use native tools to place geometric shapes and add textures. Other metaverse platforms allow users to design models or textures with tools outside the platform, often even programming behaviors for the objects, and then import them into the metaverse. These tools can be used effectively, but it can be a tedious way to create a customized digital space.

Generative AI will address that by taking direction from users and quickly generating content to provide the desired metaverse setting. Generative AI can create content that’s meaningful based on natural inputs like language or visual information. For example, a user might give voice commands to a smart assistant and have a metaverse environment created or take photos of a real-world object from different angles to have its likeness digitally imported.

Synthetic data will also play a role in the metaverse. Instead of relying only on people to create a lot of relevant data to train AI, metaverse platform providers will also use simulated data to provide context. NVIDIA’s Omniverse Replicator engine provides this capability and can be used to train self-driving cars and manipulator robots for a factory environment (NVIDIA Newsroom, 2021).

Meta’s Plans

Meta is planning to use generative AI to allow users to construct their VR environments. It will allow users to describe a world to a voice assistant and have it created for them. Users could also speak to each other in different languages with the aid of a universal translator. Separately, Project CAIRaoke combines cognitive vision with a voice assistant to help a user cook dinner. It keeps track of where the ingredients are in the kitchen and guides the user through the steps (Reuters, 2022).

Microsoft’s Plans

Microsoft Mesh includes AI resources to help create natural interactions through speech and vision learning models. HoloLens 2 already uses AI models to track users’ hands and eye movements as well as map content onto the physical world. This will be reinforced in the cloud through Microsoft Azure’s AI capabilities (Microsoft Innovation Stories, 2021).

Blockchain will provide a way to manage digital identity and assets across metaverse platforms

Users will want a way to own their metaverse identity and valued digital possessions

Blockchain technology provides a decentralized digital ledger that immutably records transactions. A specific blockchain can either be permissioned, with one central party determining who gets access, or permissionless, in which anyone with the means can transact on the blockchain. The permissionless variety emerged in 2008 as the foundation of Bitcoin. It's been a disruptive force in the financial industry, with Bitcoin inspiring a long list of offshoot cryptocurrencies, and now even central banks are examining moving to a digital currency standard.

In the past couple of years, blockchain has spurred a new economy around digital assets. Smart contracts can be used to create a token on a blockchain and bind it to a specific digital asset. These assets are called non-fungible tokens (NFTs). Owners of NFTs can prove their chain of ownership and sell their tokens to others on a variety of marketplaces.

Blockchain could be useful in the metaverse to track digital identity, manage digital assets, and enable data portability. Users could register their own avatars as NFTs to prove they are the real person behind their digital representation. They may also want a way to verify they own a virtual plot of land or demonstrate the scarcity of the digital clothing they are wearing in the metaverse. If users want to leave a certain metaverse platform, they could export their avatar and digital assets to a digital wallet and transfer them to another platform that supports the same standards.

In the past, centralized platforms that create economies in a virtual world were able to create digital currencies and sell specific assets to users without the need for blockchain. Second Life is a good example, with Linden Labs providing a virtual token called Linden Dollars that users can exchange to buy goods and services from each other within the virtual world. Second Life processes 345 million transactions a year for virtual goods and reports a GDP of $650 million, which would put it ahead of some countries (VentureBeat, 2022). However, the value is trapped within Second Life and can't be exported elsewhere.

Meta’s Plans

Meta ended its Diem project in early 2022, winding down its plan to offer a digital currency pegged to US dollars. Assets were sold to Silvergate Bank for $182 million. On February 24, blockchain developer Atmos announced it wanted to bring the project back to life. Composed of many of the original developers that created Diem while it was still a Facebook project, the firm plans to raise funds based on the pitch that the new iteration will be "Libra without Facebook“ (CoinDesk, 2022).

Microsoft’s Plans

Microsoft expanded its team of blockchain developers after its lead executive in this area stated the firm is closely watching cryptocurrencies and NFTs. Blockchain Director York Rhodes tweeted on November 8, 2021, that he was expanding his team and was interested to connect with candidates "obsessed with Turing complete, scarce programmable objects that you can own & transfer & link to the real world through a social contract.”

The enterprise metaverse holds implications for IT across several functional areas

Improve maturity in these four areas first Infrastructure & Operations Lay the foundation Security & Risk Mitigate the risks Apps Deploy the precursors Data & BI Prepare to integrate

Infrastructure & Operations

Make space for the metaverse

Security & Risk

Mitigate metaverse risks before they take root

Apps

Deploy to your existing touchpoints

Data & BI

Deploy to your existing touchpoints

More Info-Tech research to explore

CIO Priorities 2022
Priorities to compete in the digital economy.

Microsoft Teams Cookbook
Recipes for best practices and use cases for Microsoft Teams.

Run Better Meetings
Hybrid, virtual, or in person – set meeting best practices that support your desired meeting norms.

Double Your Organization’s Effectiveness With a Digital Twin
Digital twin: A living, breathing reflection.

Contributing experts

Dr. Hendrik Witt Chief Product Officer, TeamViewer

Kevin Tucker Principal Research Director, Industry Practice, INFO-TECH RESEARCH GROUP

Bibliography

Cannavò, Alberto, and F. Lamberti. “How Blockchain, Virtual Reality and Augmented Reality Are Converging, and Why.” IEEE Consumer Electronics Magazine, vol. 10, no. 5, Sept. 2020, pp. 6-13. IEEE Xplore. Web.

Culliford, Elizabeth. “Meta’s Zuckerberg Unveils AI Projects Aimed at Building Metaverse Future.” Reuters, 24 Feb. 2022. Web.

Davies, Nahla. “Cybersecurity and the Metaverse: Pioneering Safely into a New Digital World.” GlobalSign Blog, 10 Dec. 2021. GlobalSign by GMO. Web.

Doctorow, Cory. “Neuromancer Today.” Medium, 10 Feb. 2022. Web.

Heath, Alex. “Meta’s Social VR Platform Horizon Hits 300,000 Users.” The Verge, 17 Feb. 2022. Web.

“Holoportation™.” Microsoft Research, 22 Feb. 2022. Microsoft. Accessed 3 March 2022.

Isaac, Mike. “Meta Spent $10 Billion on the Metaverse in 2021, Dragging down Profit.” The New York Times, 2 Feb. 2022. Web.

Isaac, Mike, and Sheera Frenkel. “Out With the Facebookers. In With the Metamates.” The New York Times, 15 Feb. 2022. Web.

Langston, Jennifer. “‘You Can Actually Feel like You’re in the Same Place’: Microsoft Mesh Powers Shared Experiences in Mixed Reality.” Microsoft Innovation Stories, 2 Mar. 2021. Microsoft. Web.

“Maple Leaf Sports & Entertainment and AWS Team Up to Transform Experiences for Canadian Sports Fans.” Amazon Press Center, 23 Feb. 2022. Amazon.com. Accessed 24 Feb. 2022. Web.

Marquez, Reynaldo. “How Microsoft Will Move To The Web 3.0, Blockchain Division To Expand.” Bitcoinist.com, 8 Nov. 2021. Web.

Metinko, Chris. “Securing The Metaverse—What’s Needed For The Next Chapter Of The Internet.” Crunchbase News, 6 Dec. 2021. Web.

Metz, Rachel Metz. “Why You Can’t Have Legs in Virtual Reality (Yet).” CNN, 15 Feb. 2022. Accessed 16 Feb. 2022.

“Microsoft to Acquire Activision Blizzard to Bring the Joy and Community of Gaming to Everyone, across Every Device.” Microsoft News Center, 18 Jan. 2022. Microsoft. Web.

Nath, Ojasvi. “Big Tech Is Betting Big on Metaverse: Should Enterprises Follow Suit?” Toolbox, 15 Feb. 2022. Accessed 24 Feb. 2022.

“NVIDIA Announces Omniverse Replicator Synthetic-Data-Generation Engine for Training AIs.” NVIDIA Newsroom, 9 Nov. 2021. NVIDIA. Accessed 9 Mar. 2022.

“NVIDIA Omniverse - Designing, Optimizing and Operating the Factory of the Future. 2021. YouTube, uploaded by NVIDIA, 13 April 2021. Web.

Peters, Jay. “Disney Has Appointed a Leader for Its Metaverse Strategy.” The Verge, 15 Feb. 2022. Web.

Robinson, Joanna. The Sci-Fi Guru Who Predicted Google Earth Explains Silicon Valley’s Latest Obsession.” Vanity Fair, 23 June 2017. Accessed 13 Feb. 2022.

Scoble, Robert. “New Startup Mixes Reality with Computer Vision and Sets the Stage for an Entire Industry.” Scobleizer, 17 Feb. 2022. Web.

Seward, Zack. “Ex-Meta Coders Raising $200M to Bring Diem Blockchain to Life: Sources.” CoinDesk, 24 Feb. 2022. Web.

Shrestha, Rakesh, et al. “A New Type of Blockchain for Secure Message Exchange in VANET.” Digital Communications and Networks, vol. 6, no. 2, May 2020, pp. 177-186. ScienceDirect. Web.

Sood, Vishal. “Gain a New Perspective with Dynamics 365 Connected Spaces.” Microsoft Dynamics 365 Blog, 2 Nov. 2021. Microsoft. Web.

Takahashi, Dean. “Philip Rosedale’s High Fidelity Cuts Deal with Second Life Maker Linden Lab.” VentureBeat, 13 Jan. 2022 Web.

“TeamViewer Capital Markets Day 2021.” TeamViewer, 10 Nov. 2021. Accessed 22 Feb. 2022.

VR for Work. Oculus.com. Accessed 1 Mar. 2022.

Wunderman Thompson Intelligence. “New Trend Report: Into the Metaverse.” Wunderman Thompson, 14 Sept. 2021. Accessed 16 Feb. 2022.

Mitigate Key IT Employee Knowledge Loss

Transfer IT knowledge before it’s gone.

EXECUTIVE BRIEF

Executive Summary

Info-Tech Insight

Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge which, when lost, results in decreased productivity, increased risk, and money out the door.1

1 McLean & Company, 2016, N=120

Stop your knowledge from walking out the door

Today, the value of an organization has less to do with its fixed assets and more to do with its intangible assets. Intangible assets include patents, research and development, business processes and software, employee training, and employee knowledge and capability.

People (and their knowledge and capabilities) are an organization’s competitive advantage and with the baby boomer retirement looming, organizations need to invest in capturing employee knowledge before the employees leave. Losing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, severed relationships, and missed opportunities.

Knowledge Transfer (KT) is the process and tactics by which intangible assets – expertise, knowledge, and capabilities – are transferred from one stakeholder to another. A well-devised knowledge transfer plan will mitigate the risk of knowledge loss, yet as many as 74%2 of organizations have no formal approach to KT – and it’s costing them money, reputation, and time.

84%of all enterprise value on the S&P 500 is intangibles.3

$31.5 billion lost annually by Fortune 500 companies failing to share knowledge. 1

74% of organizations have no formal process for facilitating knowledge transfer. 2

1 Shedding Light on Knowledge Management, 2004, p. 46

2 McLean & Company, 2016, N=120

3 Visual Capitalists, 2020

Losing knowledge will undermine your organization’s strategy in four ways

In a worst-case scenario, key employees leaving will result in the loss of valuable knowledge, core business relationships, and profits.

Are you part of the 74% of organizations with no knowledge transfer planning in place? Can you afford not to have it?

Consider this:

A system failure to a mainframe could be disastrous for organizations that haven’t effectively transferred key knowledge. Now think past the mainframe to key processes, customer/vendor relationships, legal requirements, home grown solutions etc. in your organization.

What would knowledge loss cost you in terms of financial and reputational loss?

Source: 1 Big Tech Problem as Mainframes Outlast Workforce

Source: 2 IT's most wanted: Mainframe programmers

Source: 3The State of the Mainframe, 2022

Case Study

Insurance organization fails to mitigate risk of employee departure and incurs costly consequences – in the millions

INDUSTRY: Insurance

SOURCE: ITRG Member

Forward thinking organizations use knowledge transfer not only to avoid risks, but to drive IT innovation

IT knowledge transfer is a process that, at its most basic level, ensures that essential IT knowledge and capabilities don’t leave the organization – and at its most sophisticated level, drives innovation and customer service by leveraging knowledge assets.

Common obstacles

In building your knowledge transfer roadmap, the size of your organization can present unique challenges

How you build your knowledge transfer roadmap will not change drastically based on the size of your organization; however, the scope of your initiative, tactics you employ, and your communication plan for knowledge transfer may change.

How knowledge transfer projects vary by organization size:

Capture both explicit and tacit knowledge

Knowledge transfer is not a one-size-fits-all project

	No formal knowledge transfer program exists; knowledge transfer is ad hoc, or may be conducted through an exit interview only. 74% of organizations are at level 0.1
	At level one, knowledge transfer is focused around ensuring that high risk, explicit knowledge is covered for all high-risk stakeholders.
	Organizations have knowledge transfer plans for all high-risk knowledge to ensure redundancies exist and leverage this to drive process improvements, effectiveness, and employee engagement.
	Increase end-user satisfaction and create a knowledge value center by leveraging the collective knowledge to solve repeat customer issues and drive new product innovation.

1 Source: McLean & Company, 2016, N=120

Assess your fit for this blueprint by considering the following statements

I’m an IT Leader who…

This blueprint can help you build a roadmap to resolve each of these pain points. However, not all organizations need to have a knowledge culture. In the next section, we will walk you through the steps of selecting your target maturity model based on your knowledge goals.

Case Study

Siemens builds a knowledge culture to drive customer service improvements and increases sales by $122 million

INDUSTRY: Electronics Engineering

SOURCE: KM Best Practices

Info-Tech’s approach

Five steps to future-proof your IT team

The Info-Tech difference:

1. Successfully build a knowledge transfer roadmap based on your goals, no matter what market segment or size of business.
2. Increase departmental efficiencies through increased collaboration.
3. Retain key IT knowledge.
4. Improve junior employee engagement by creating development opportunities.

Use Info-Tech tools and templates

Info-Tech’s methodology to mitigate key IT employee knowledge loss

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IT Knowledge Transfer Project Charter Establish a clear project scope, decision rights, and executive sponsorship for the project.		IT Knowledge Transfer Risk Assessment Tool Identify and assess the knowledge and individual risk of key knowledge holders.
IT Knowledge Identification Interview Guide Extract information about the type of knowledge sources have.		IT Knowledge Transfer Roadmap Presentation Communicate IT knowledge transfer recommendations to stakeholders to gain buy-in.

Key deliverable:

IT Knowledge Transfer Plan

Track knowledge activities, intended recipients, and appropriate transfer tactics for each knowledge source.

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“ Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is five to six calls.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase #1

Initiate your IT knowledge transfer project

This phase will walk you through the following activities:

• Hold a working session with key stakeholders.
• Identify your current state of maturity for knowledge transfer.
• Identify your target state of maturity for knowledge transfer.
• Define key knowledge transfer metrics.
• Identify your project team and their responsibilities.
• Build the project charter and obtain approval.

This phase involves the following participants:

• IT Leadership
• Other key stakeholders

Step 1.1

Obtain Approval for Your IT Knowledge Transfer Project

Activities

1.1.1 Hold a Working Session With Key Stakeholders

1.1.2 Conduct a Current and Target State Analysis.

1.1.3 Identify Key Metrics

1.1.4 Identify Your Project Team

1.1.5 Populate an RACI

1.1.6 Build the Project Charter and Obtain Approval

Initiate Your IT Knowledge Transfer Project

The primary goal of this section is to gain a thorough understanding of the reasons why your organization should invest in knowledge transfer and to identify the specific challenges to address.

Outcomes of this step

Organizational benefits and current pain points of knowledge transfer

Hold a working session with the key stakeholders to structure the project

Don’t build your project charter in a vacuum. Involve key stakeholders to determine the desired knowledge transfer goals, target maturity and KPIs, and ultimately build the project charter.

Building the project charter as a group will help you to clarify your key messages and help secure buy-in from critical stakeholders up-front, which is key.

In order to execute on the knowledge transfer project, you will need significant involvement from your IT leadership team. The trouble is that knowledge transfer can be inherently stressful for employees as it can cause concerns around job security. Members of your IT leadership team will also be individuals who need to participate in knowledge transfer, so get them involved upfront. The working session will help stakeholders feel more engaged in the project, which is pivotal for success.

You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value and plans for knowledge transfer will be necessary.

Meeting Agenda

1. Short project introduction

Led by: Project Sponsor

• Why the project was initiated.

Led by: Project Manager

• Current state: What project does the project address?
• Future state: What is our target state of maturity?

Led by: Project Manager

• How will success be measured?

Led by: Project Manager

• Description of planned project approach.
• Stakeholder assessment.
• What is required of the sponsor and stakeholders?

Led by: Project Manager

1.1.1 Key Stakeholder Working Session

Identify the pain points you’re experiencing with knowledge transfer and some of the benefits which you’d like to see from a program to determine the key objectives By doing so, you’ll get a holistic view of what you need to achieve.

Collect this information by:

1. Asking the working group participants (as a whole or in smaller groups) to discuss pain points created by ineffective knowledge transfer practices.

• Challenges related to stakeholders.
• Challenges created by process issues.
• Issues achieving the intended outcome due to ineffective knowledge transfer.
• Difficulties improving knowledge transfer practices.

Examples of Possible Pain Points

1.1.2 Conduct a Current and Target State Analysis

Identify your current and target state of maturity

How to determine your current and target state of maturity:

1. Provide the previous two slides with the details of the maturity assessment to the group, to review.
2. Ask each participant to individually determine what they think is the IT team’s current state of maturity. After a few minutes, discuss as a group and come to an agreement.
3. Review each of the benefits and timing for each of the maturity levels. Compare the benefits listed to those that you named in the previous exercise and determine which maturity level best describes your target state.
4. Discuss as a group and agree on one maturity level.
5. Review the other levels of maturity and determine what is in and out of scope for the project (hint: higher level benefits would be considered out of scope). Document this in the IT Knowledge Transfer Project Charter template.

IT Knowledge Transfer Project Charter Template

Info-Tech’s Knowledge Transfer Maturity Model

Depending on the level of maturity you are trying to achieve, a knowledge transfer project could take weeks, months, or even years. Your maturity level depends on the business goal you would like to achieve, and impacts who and what your roadmap targets.

Info-Tech Insight

The maturity levels build on one another; if you start with a project, it is possible to move from a level 0 to a level 1, and once the project is complete, you can advance to a level 2 or 3. However, it’s important to set clear boundaries upfront to limit scope creep, and it’s important to set appropriate expectations for what the project will deliver.

Knowledge Transfer Maturity Level: Accidental and Stabilize

Knowledge Transfer Maturity Level: Proactive and Knowledge Culture

Select project-specific KPIs

Use the selected KPIs to track the value of knowledge transfer

You need to ensure your knowledge transfer initiatives are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.

Many organizations overlook the creation of KPIs for knowledge transfer because the benefits are often one step removed from the knowledge transfer itself. However, there are several metrics you can use to measure success.

Hint: Metrics will vary based on your knowledge transfer maturity goals.

Metrics For Knowledge Transfer

Creating KPIs for knowledge transfer is a crucial step that many organizations overlook because the benefits are often one step removed from the knowledge transfer itself. However, there are several qualitative and quantitative metrics you can use to measure success depending on your maturity level goals.

Stabilize

• Number of high departure risk employees identified.
• Number of high-risk employees without knowledge transfer plans.
• Number of post-retirement knowledge issues.

Be Proactive

• Number of issues arising from lack of redundancy.
• Percentage of high-risk knowledge items without transfer plans.
• Time required to get new employees up to speed.

Promote Knowledge Culture

• Percentage of returned deliverables for rework.
• Percentage of errors repeated in reports.
• Number of employees mentoring their colleagues.
• Number of issues solved through knowledge sharing.
• Percentage of employees with knowledge transfer/development plans.

1.1.3 Identify Key Metrics

Identify key metrics the organization will use to measure knowledge transfer success

How to determine knowledge transfer metrics:

1. Assign each participant 1-4 of the desired knowledge transfer benefits and pain points which you identified as priorities.
2. Independently have them brainstorm how they would measure the success of each, and after 10 minutes, present their thoughts to the group.
3. Write each of the metric suggestions on a whiteboard and agree to 3-5 benefits which you will track. The metrics you choose should relate to the key pain points you have identified and match your desired maturity level.

Identify knowledge transfer project team

Determine Project Participants	Pick a Project Sponsor
The project participants are the IT managers and directors whose day-to-day lives will be impacted by the knowledge transfer roadmap and its implementation. These individuals will be your roadmap ream and will help with planning. Most of these individuals should be in the workshop, but ensure you have everyone covered. Some examples of individuals you should consider for your team are: Director/Manager Level: Applications Infrastructure Operations Service Delivery Managers Business Relationship Managers	The project sponsor should be a member of your IT department’s senior executive team whose goals and objectives will be impacted by knowledge transfer implementation. This is the person you will get to sign-off on the project charter document.
The project sponsor is the main catalyst for the creation of the roadmap. They will be the one who signs off on the project roadmap. The Project Participants are the key stakeholders in your organization whose input will be pivotal to the creation of the roadmap. The project stakeholders are the senior executives who have a vested interest in knowledge transfer. Following completion of this workshop, you will present your roadmap to these individuals for approval.

1.1.4 Identify Your Project Team

How to define the knowledge transfer project team:

1. Through discussion, generate a complete list of key stakeholders, considering each of the roles indicated in the chart on the Key Project Management Stakeholders slide. Write their names on a whiteboard.
2. Using the quadrant template on the next slide, draw the stakeholder power map.
3. Evaluate each stakeholder on the list based on their level of influence and support of the project. Write the stakeholder’s name on a sticky note and place it in the appropriate place on the grid.
4. Create an engagement plan based on the stakeholder’s placement.
5. Use Info-Tech’s Project Stakeholder Register Template to identify and document your project management stakeholders.

Project Stakeholder Register Template

Have a strategic approach for engaging stakeholders to help secure buy-in

If your IT leadership team isn’t on board, you’re in serious trouble! IT leaders will not only be highly involved in the knowledge transfer project, but they also may be participants, so it’s essential that you get their buy-in for the project upfront.

Document the results in the Project Stakeholder Register Template; use this as a guide to help structure your communication with stakeholders based on where they fall on the grid.

How to Manage:	Focus on increasing these stakeholders’ level of support! Have a one-on-one meeting to seek their views on critical issues and address concerns. Identify key pain points they have experienced and incorporate these in the project goal statements. Where possible, leverage KT champions to help encourage support.		Capitalize on champions to drive the project/change. Use them for internal PR of the objectives and benefits. Ask them what other stakeholders can be leveraged. Involve them early in creating project documents.	How to Manage:
How to Manage:	Pick your battles – focus on your noise makers first, and then move on to your blockers. Determine the level of involvement the blockers will have in the project (i.e. what you will need from them in the future) and determine next steps based on this (one-on-one meeting, group meeting, informal communication, or leveraging helpers/ champions to encourage them).		Leverage this group where possible to help socialize the program and to help encourage dissenters to support. Mention their support in group settings. Focus on increasing their understanding via informal communication.	How to Manage:

Key Project Management Stakeholders

Ensure coverage of all project tasks

Populate a Project RACI (Responsible, Accountable, Consulted, Informed) chart

1.1.5 Populate an RACI

Populate a RACI chart to identify who should be responsible, accountable, consulted, and informed for each key activity.

How to define RACI for the project team:

1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key project steps along the left-hand side (use this list as a starting point).
2. For each initiative, identify each team member’s role. Are they:

Responsible: The one responsible for getting the job done.

Accountable: Only one person can be accountable for each task.

Consulted: Involvement through input of knowledge and information.

Informed: Receiving information about process execution and quality.

3. As you proceed through the project, continue to add tasks and assign responsibility to the RACI chart on the next slide.

1.1.6 Build the Project Charter and Obtain Sign-off

Complete the IT knowledge transfer project charter.

Build the project charter and obtain sign-off from your project sponsor. Use your organization’s project charter if one exists. If not, customize Info-Tech’s IT Knowledge Transfer Project Charter Template to suit your needs.

IT Knowledge Transfer Project Charter Template

Step 1.2

Identify Your Knowledge and Stakeholder Risks

Activities

1.2.1 Identify Knowledge Sources

1.2.2 Complete a Knowledge Risk Assessment

1.2.3 Review the Prioritized List of Knowledge Sources

The primary goal of this section is to identify who your primary risk targets are for knowledge transfer.

Outcomes of this step

• A list of your high-risk knowledge sources
• Departure analysis
• Knowledge risk analysis

Prioritize your knowledge transfer initiatives

Throughout this section, we will walk through the following 3 activities in the tool to determine where you need to focus attention for your knowledge transfer roadmap based on knowledge value and likelihood of departure.

1. Identify Knowledge Sources

Create a list of knowledge sources for whom you will be conducting the analysis, and identify which sources currently have a transfer plan in place.

2. Value of Knowledge

Consider the type of knowledge held by each identified knowledge source and determine the level of risk based on the knowledge:

1. Criticality
2. Availability

3. Likelihood of Departure

Identify the knowledge source’s risk of leaving the organization based on their:

1. Age cohort
2. Engagement level

This tool contains sensitive information. Do not share this tool with knowledge sources. The BA and Project Manager, and potentially the project sponsor, should be the only ones who see the completed tool.

Focus on key roles instead of all roles in IT

Identify Key Roles

Hold a meeting with your IT Leadership team, or meet with members individually, and ask these questions to identify key roles:

• What are the roles that have a significant impact on delivering the business strategy?
• What are the key differentiating roles for our IT organization?
• Which roles, if vacant, would leave the organization open to non-compliance with regulatory or legal requirements?
• Which roles have a direct impact on the customer?
• Which roles, if vacant, would create system, function, or process failure for the organization?

Key roles include:

• Strategic roles: Roles that give the greatest competitive advantage. Often these are roles that involve decision-making responsibility.
• Core roles: Roles that must provide consistent results to achieve business goals.
• Proprietary roles: Roles that are tied closely to unique or proprietary internal processes or knowledge that cannot be procured externally. These are often highly technical or specialized.
• Required roles: Roles that support the department and are required to keep it moving forward day-to-day.
• Influential roles: Positions filled by employees who are the backbone of the organization, i.e. the go-to people who are the corporate culture.

Info-Tech Insight

This step is meant to help speed up and simplify the process for large IT organizations. IT organizations with fewer than 30 people, or organizations looking to build a knowledge culture, can opt to skip this step and include all members of the IT team. This way, everyone is considered and you can prioritize accordingly.

1.2.1 Identify Key Knowledge Sources

1. Identify key roles, as shown on the previous slide. This can be done by brainstorming names on sticky notes and placing them on a whiteboard.
2. Document using IT Knowledge Transfer Risk Assessment Tool Tab 2. Input with first name, last name, department/ IT area, and manager of each identified Knowledge Source.
3. Also answer the question of whether the Knowledge Source currently has a knowledge transfer plan in place.

• Not in place
• Partially in place
• In place

IT Knowledge Transfer Risk Assessment Tool

Document key knowledge sources (example)

Use information about the current state of knowledge transfer plans in your organization to understand your key risks and focus areas.

Legend:

1. Document knowledge source information (name, department, and manager).

2. Select the current state of knowledge transfer plans for each knowledge source.

Once you have identified key roles, conduct a sanity check and ask – “did we miss anybody?” For example:

• There are three systems administrators. One of them, Joe, has been with the organization for 15 years.
• Joe’s intimate systems knowledge and long-term relationship with one of the plant systems vendors has made him a go-to person during times of operational systems crisis and has resulted in systems support discounts.
• While the systems administrator role by itself is not considered key (partly due to role redundancy), Joe is a key person to flag for knowledge transfer activities as losing him would make achieving core business goals more difficult.

Case Study

Municipal government learns the importance of thorough knowledge source identification after losing key stakeholder

INDUSTRY: Government

Identify employees who may be nearing retirement and flag them as high risk

Info-Tech Insight

150% of an employee’s base salary and benefits is the estimated cost of turnover according to The Society of Human Resource Professionals.1

1McLean & Company, Make the Case for Employee Engagement

Identify disengaged employees who may be preparing to leave the organization

Info-Tech Insight

Engaged employees are five times more likely than disengaged employees to agree that they are committed to their organization.1

1Source: McLean & Company, N = 13683

The level of risk of the type of information is defined by criticality and availability

1.2.2 Complete a Knowledge Risk Assessment

Complete a Tab 3 assessment for each of your identified Knowledge Sources. The Knowledge Source tab will pre-populate with information from Tab 2 of the tool. For each knowledge source, you will determine their likelihood of departure and degree of knowledge risk.

Likelihood of departure:

1. Document the age cohort risk for each knowledge source on Tab 3 of the IT Knowledge Transfer Risk Assessment Tool. Age Cohort: Under 50, 51-55, 56-60, or over 60.
2. Document the engagement risk for each knowledge source on Tab 3, “Assessment”, of the IT Knowledge Transfer Risk Assessment Tool. Engagement level: Engaged, Almost engaged, Indifferent employees, Disengaged.

Degree of knowledge risk is based on:

3. Document the knowledge type risk for each stakeholder on Tab 3, “Assessment” in the IT Knowledge Transfer Risk Assessment Tool.

• Criticality: Would the role, if vacant, create system, function, or process failure for the organization?
• Availability: Does this individual have specialized, unique, or proprietary expertise? Are there internal redundancies?

IT Knowledge Transfer Risk Assessment Tool

Results matrix

Determine where to focus your efforts

The IT Knowledge Transfer Map on Tab 5 helps you to determine where to focus your knowledge transfer efforts

Knowledge sources have been separated into the three maturity levels (Stabilize, Proactive, and Knowledge Culture) and prioritized within each level.

Focus first on your stabilize groups, and based on your target maturity goal, move on to your proactive and knowledge culture groups respectively.

1.2.3 Review the Prioritized List

Review results

Identify knowledge sources to focus on for the knowledge transfer roadmap. Review the IT Knowledge Transfer Map on Tab 5 to determine where to focus your knowledge transfer efforts

1. Show the results from the assessment tool.
2. Discuss matrix and prioritized list.

• Does it match with maturity goals?
• Do prioritizations seem correct?

IT Knowledge Transfer Risk Assessment Tool

Phase #2

Design your knowledge transfer plans

This phase will walk you through the following activities:

• Building knowledge transfer plans for all prioritized knowledge sources.
• Understanding which transfer tactics are best suited for different knowledge types.
• Identifying opportunities to leverage collaboration tools for knowledge transfer.

This phase involves the following participants:

• IT Leadership
• Other key stakeholders
• Knowledge sources

Determine knowledge transfer tactics

Determine tactics for each stakeholder based on qualities of their specific knowledge.

This tool is built to accommodate up to 30 knowledge items; Info-Tech recommends focusing on the top 10-15 items.

1. Send documents to each manager. Include:

• a copy of this template.
• interview guide.
• tactics booklet.

These steps should be completed by the BA or IT Manager. The BA is helpful to have around because they can learn about the tactics and answer any questions about the tactics that the managers might have when completing the template.

IT Knowledge Transfer Plan Template

Step 2.1

Build Your Knowledge Transfer Plans

Activities

2.1.1 Interview Knowledge Sources to Uncover Key Knowledge Items

2.1.2 Identify When to use Knowledge Transfer Tactics

2.1.3 Build Individual Knowledge Transfer Plans

The primary goal of this section is to build an interview guide and interview knowledge sources to identify key knowledge assets.

Outcomes of this step

• Knowledge Transfer Interview Guide
• Itemized knowledge assets
• Completed knowledge transfer plans

2.1.1 Interview Knowledge Sources

Determine key knowledge items

The first step is for managers to interview knowledge sources in order to extract information about the type of knowledge the source has.

Meet with the knowledge sources and work with them to identify essential knowledge. Use the following questions as guidance:

1. What are you an expert in?
2. What do others ask you for assistance with?
3. What are you known for?
4. What are key responsibilities you have that no one else has or knows how to do?
5. Are there any key systems, processes, or applications which you’ve taken the lead on?
6. When you go on vacation, what is waiting for you in your inbox?
7. If you went on vacation, would there be any systems that, if there was a failure, you would be the only one who knows how to fix?
8. Would you say that all the key processes you use, or tools, codes etc. are documented?

IT Knowledge Identification Interview Guide Template

2.1.2 Understand Knowledge Transfer Tactics

Understand when and how to use different knowledge transfer tactics

1. Break the workshop participants into teams. Assign each team two to four knowledge transfer tactics and provide them with the associated handout(s) from the following slides. Using the material provided, have each team brainstorm around the following questions:
1. What types of information can the technique be used to collect?
2. What are examples of good use cases for the technique?
3. Why would you use this technique over others?
4. Is this technique suitable for all projects? When wouldn’t you use it?
2. Have each group present their findings from the brainstorming to the group.
3. Once everyone has presented, have the groups select which tactics they would be interested in using and which ones they would not want to use by putting green and red dots on each.
4. As a group, confirm the list of tactics you would be interested in using and disqualify the others.

Knowledge Transfer Tactics:

Interviews

Interviews provide an opportunity to meet one-on-one with key stakeholders to document key knowledge assets. Interviews can be used for explicit and tacit information, and in particular, capture processes, rules, coding information, best practices, etc.

Benefits:

• Good bang-for-your-buck interviews are simple to conduct and can be used for all types of knowledge.
• Interviews can obtain a lot of information in a relatively short period of time.
• Interviews help make tacit knowledge more explicit through effective questioning.
• They have highly flexible formatting as interviews can be conducted in person, over the phone, or by email.

How to get started:

1. Have the business analyst (BA) review the employee’s knowledge transfer plan and highlight the areas to be discussed in the interview.
2. The BA will then create an interview guide detailing key questions which would need to be asked to ascertain the information.
3. Schedule a 30-60 minute interview. When complete, document the interview and key lessons learned. Send the information back to the interviewee for validation of what was discussed.

Knowledge Transfer Tactics:

Process Mapping

Business process mapping refers to building a flow chart diagram of the sequence of actions which defines what a business does. The flow chart defines exactly what a process does and the specific succession of steps including all inputs, outputs, flows, and linkages. Process maps are a powerful tool to frame requirements in the context of the complete solution.

Benefits:

• They are simple to build and analyze; most organizations and users are familiar with flow diagrams, making them highly usable.
• They provide an end-to-end picture of a process.
• They’re ideal for gathering full and detailed requirements of a process.
• They include information around who is responsible, what they do, when, where it occurs, triggers, to what degree, and how often it occurs.
• They’re great for legacy systems.

How to get started:

1. Have the BA prepare beforehand by doing some preliminary research on the purpose of the process, and the beginning and end points.
2. With the knowledge holder, use a whiteboard and identify the different stakeholders who interact with the process, and draw swim lanes for each.
3. Together, use sticky notes and/or dry erase markers etc. to draw out the process.
4. When you believe you’re complete, start again from the beginning and break the process down to more details.

Knowledge Transfer Tactics:

Use Cases

Use case diagrams are a common transfer tactic where the BA maps out step-by-step how an employee completes a project or uses a system. Use cases show what a system or project does rather than how it does it. Use cases are frequently used by product managers and developers.

Benefits:

• Easy to draw and understand.
• Simple way to digest information.
• Can get very detailed.
• Should be used for documenting processes, experiences etc.
• Initiation and brainstorming.
• Great for legacy systems.

How to get started:

1. The BA will schedule a 30-60 minute in-person meeting with the employee, draw a stick figure on the left side of the board, and pose the initial question: “If you need to do X, what is your first step?” Have the stakeholder go step-by-step through the process until the end goal. Draw this process across the whiteboard. Make sure you capture the triggers, causes of events, decision points, outcomes, tools, and interactions.
2. Starting at the beginning of the diagram, go through each step again and ask the employee if the step can be broken down into more granular steps. If the answer is yes, break down the use case further.
3. Ask the employee if there are any alternative flows that people could use, or any exceptions. If there are, map these out on the board.

Knowledge Transfer Tactics:

Job Shadow

Job shadowing is a working arrangement where the “knowledge receiver” learns how to do a job by observing an experienced employee complete key tasks throughout their normal workday.

Benefits:

• Low cost and minimal effort required.
• Helps employees understand different elements of the business.
• Helps build relationships.
• Good for knowledge holders who are not great communicators.
• Great for legacy systems.

How to get started:

1. Determine goals and objectives for the knowledge transfer, and communicate these to the knowledge source and receiver.
2. Have the knowledge source identify when they will be performing a particular knowledge activity and select that day for the job shadow. If the information is primarily experience, select any day which is convenient.
3. Ask the knowledge receiver to shadow the source and ask questions whenever they have them.
4. Following the job shadow, have the knowledge receiver document what they learned that day and file that information.

Knowledge Transfer Tactics:

Peer Assist

Meeting or workshop where peers from different teams share their experiences and knowledge with individuals or teams that require help with a specific challenge or problem.

Benefits:

• Improves productivity through enhanced problem solving.
• Encourages collaboration between teams to share insight, and assistance from people outside your team to obtain new possible approaches.
• Promotes sharing and development of new connections among different staff, and creates opportunities for innovation.
• Can be combined with Action Reviews.

How to get started:

1. Create a registry of key projects that different individuals have solved. Where applicable, leverage the existing work done through action reviews.
2. Create and communicate a process for knowledge sources and receivers to reach out to one another. Email or social collaboration platforms are the most common.
3. The source may then reply with documentation or a peer can set up an interview to discuss.
4. Information should be recorded and saved on a corporate share drive with appropriate metadata to ensure ease of search.
5. See Appendix for further details.

Knowledge Transfer Tactics:

Transition Workshop

A half- to full-day exercise where an outgoing leader facilitates a knowledge transfer of key insights they have learned along the way and any high-profile knowledge they may have.

Benefits:

• Accelerates knowledge transfer following a leadership change.
• Ensures business continuity.
• New leader gets a chance to understand the business drivers behind team decisions and skills of each member.
• The individuals on the team learn about the new leader’s values and communication styles.

How to get started:

1. Outgoing leader organizes a one-time session where they share information with the team (focus on tacit knowledge, such as team successes and challenges) and team can ask questions.
2. Incoming leader and remaining team members share information about norms, priorities, and values.
3. Document the information.

Knowledge Transfer Tactics:

Action Review

Action Review is a team-based discussion at the end of a project or step to review how the activity went and what can be done differently next time. It is ideal for transferring expertise and skills.

Benefits:

• Learning is done during and immediately after the project so that knowledge transfer happens quickly.
• Results can be shared with other teams outside of the immediate members.
• Makes tacit knowledge explicit.
• Encourages a culture where making mistakes is OK, but you need to learn from them.

How to get started:

1. Hold an initial meeting with IT teams to inform them of the action reviews. Create an action review goals statement by working with IT teams to discuss what they hope to get out of the initiative.
2. Ask project teams to present their work and answer the following questions:
1. What was supposed to happen?
2. What actually happened?
3. Why were there differences?
4. What can we learn and do differently next time?
3. Have each individual or group present, record the meeting minutes, and send the details to the group for future reference. Determine a share storage place on your company intranet or shared drive for future reference.

Knowledge Transfer Tactics:

Mentoring

Mentoring can be a formal program where management sets schedules and expectations. It can also be informal through an environment for open dialogue where staff is encouraged to seek advice and guidance, and to share their knowledge with more novice members of the organization.

Benefits:

• Speeds up learning curves and helps staff acclimate to the organizational culture.
• Communicates organizational values and appropriate behaviors, and is an effective way to augment training efforts.
• Leads to higher engagement by improving communication among employees, developing leadership, and helping employees work effectively.
• Improves succession planning by preparing and grooming employees for future roles and ensuring the next wave of managers is qualified.

How to get started:

1. Have senior management define the goals for a mentorship program. Depending on your goals, the frequency, duration, and purpose for mentorship will change. Create a mission statement for the program.
2. Communicate the program with mentors and mentees and define what the scope of their roles will be.
3. Implement the program and measure success.

Creating a mentorship program is a full project in itself. For full details on how to set up a mentorship program, see McLean & Company’s Build a Mentoring Program.

Knowledge Transfer Tactics:

Story Telling

Knowledge sources use anecdotal examples to highlight a specific point and pass on information, experience, and ideas through narrative.

Benefits:

• Provides context and transfers expertise in a simple way between people of different contexts and background.
• Illustrates a point effectively and makes a lasting impression.
• Helps others learn from past situations and respond more effectively in future ones.
• Can be completed in person, through blogs, video or audio recordings, or case studies.

How to get started:

1. Select a medium for how your organization will record stories, whether through blogs, video or audio recordings, or case studies. Develop a template for how you’re going to record the information.
2. Integrate story telling into key activities – project wrap-up, job descriptions, morning meetings, etc.
3. Determine the medium for retaining and searching stories.

Knowledge Transfer Tactics:

Job Share

Job share exists when at least two people share the knowledge and responsibilities of two job roles.

Benefits:

• Reduces the risk of concentrating all knowledge in one person and creating a single point of failure.
• Increases the number of experts who hold key knowledge that can be shared with others, i.e. “two heads are better than one.”
• Ensures redundancies exist for when an employee leaves or goes on vacation.
• Great for getting junior employees up to speed on legacy system functionality.
• Results in more agile teams.
• Doubles the amount of skills and expertise.

How to get started:

1. Determine which elements of two individuals’ job duties could be shared by two people. Before embarking on a job share, ensure that the two individuals will work well together as a team and individually.
2. Establish a vision, clear values, and well-defined roles, responsibilities, and reporting relationships to avoid duplication of effort and confusion.
3. Start with a pilot group of employees who are in support of the initiative, track the results, and make adjustments where needed.

Knowledge Transfer Tactics:

Communities of Practice

Communities of practice are working groups of individuals who engage in a process of regularly sharing information with each other across different parts of the organization by focusing on common purpose and working practices. These groups meet on a regular basis to work together on problem solving, to gain information, ask for help and assets, and share opinions and best practices.

Benefits:

• Supports a collaborative environment.
• Creates a sense of community and positive working relationships, which is a key driver for engagement.
• Encourages creative thinking and support of one another.
• Facilitates transfer of wide range of knowledge between people from different specialties.
• Fast access to information.
• Multiple employees hear the answers to questions and discussions, resulting in wider spread knowledge.
• Can be done in person or via video conference, and is best when supported by social collaboration tools.

How to get started:

1. Determine your medium for these communities and ensure you have the needed technology.
2. Develop training materials, and a rewards and recognition process for communities.
3. Have a meeting with staff, ask them to brainstorm a list of different key “communities,” and ask staff to self select into communities.
4. Have the communities determine the purpose statement for each group, and set up guidelines for functionality and uses.

The effectiveness of each knowledge transfer tactic varies based on the type of knowledge you are trying to transfer

This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared to four different knowledge types.

Not all techniques are effective for types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.

Very strong = Very effective

Strong = Effective

Medium = Somewhat effective

Weak = Minimally effective

Very weak = Not effective

Consider your stakeholders’ level of engagement prior to selecting a knowledge transfer tactic

When considering which tactics to employ, it’s important to consider the knowledge holder’s level of engagement. Employees whom you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.

Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It’s essential that motivations for knowledge transfer are communicated effectively.

Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what’s in it for them.

Putting disengaged employees in a position where they are mentoring others can be a risk. Their negativity could influence others not to participate as well or negate the work you’re doing to create a positive knowledge sharing culture.

Consider using collaboration tools as a medium for knowledge transfer

There is a wide variety of different collaboration tools available to enable interpersonal and team connections for work-related purposes. Familiarize yourself with all types of collaboration tools to understand what is available to help facilitate knowledge transfer.

For more information on Collaboration Tools and how to use them, see Info-Tech’s Establish a Communication and Collaboration System Strategy.

Identify potential knowledge receivers

Hold a meeting with your IT leaders to identify who would be the best knowledge receivers for specific knowledge assets

• Before deciding on a successor, determine how the knowledge asset will be used in the future. This will impact who the receiver will be and your tactic. That is, if you are looking to upgrade a technology in the future, consider who would be taking on that project and what they would need to know.
• Prior to the meeting, each manager should send a copy of the knowledge assets they have identified to the other managers.
• Participants should come equipped with names of members of their teams and have an idea of what their career aspirations are.
• Don’t assume that all employees want a career change. Be sure to have conversations with employees to determine their career aspirations.

Ask how effectively the potential knowledge receiver would serve in the role today.

• Review their competencies in terms of:
  • Relationship-building skills
  • Business skills
  • Technical skills
  • Industry-specific skills or knowledge
• Consider what competencies the knowledge receiver currently has and what must be learned.
• Finally, determine how difficult it will be for the knowledge receiver to acquire missing skills or knowledge, whether the resources are available to provide the required development, and how long it will take to provide it.

Info-Tech Insight

Wherever possible, ask employees about their personal learning styles. It’s likely that a collaborative compromise will have to be struck for knowledge transfer to work well.

Using the IT knowledge transfer plan tool

We will use the IT Knowledge Transfer Plans as the foundation for building your knowledge transfer roadmap.

2.1.3 Complete Knowledge Transfer Plans

Complete one plan template for each of the knowledge sources

1. Fill in the top with the knowledge source’s name. Remember that one template should be filled out for each source.
2. List their key knowledge activities as identified through the interview.
3. For each knowledge activity, identify and list the most appropriate recipient of this knowledge.
4. For each knowledge activity, use the drop-down options to identify the type of knowledge that it falls under.
5. Depending on the type of knowledge, different tactic drop-down options are available. Select which tactic would be most appropriate for this knowledge as well as the people involved in the knowledge transfer.

The Strength Level column will indicate how well matched the tactic is to the type of knowledge.

IT Knowledge Transfer Plan Template

Step 2.2

Build Your Knowledge Transfer Roadmap

Activities

2.2.1 Merge Your Knowledge Transfer Plans

2.2.2 Define Knowledge Transfer Initiatives’ Timeframes

The goal of this step is to build the logistics of the knowledge transfer roadmap to prepare to communicate it to key stakeholders.

Outcomes of this step

• Prioritized sequence based on target state maturity goals.
• Project roadmap.

Plan and monitor the knowledge transfer project

Depending on the desired state of maturity, the number of initiatives your organization has will vary and there could be a lengthy number of tasks and subtasks required to reach your organization knowledge transfer target state. The best way to plan, organize, and manage all of them is with a project roadmap.

Project Planning & Monitoring Tool

Steps to use the project planning and monitoring tool:

1. Begin by identifying all the project deliverables in scope for your organization. Review the previous content pertaining to specific people, process, and technology deliverables that your organization plans on creating.
2. Identify all the tasks and subtasks necessary to create each deliverable.
3. Arrange the tasks in the appropriate sequential order.
4. Assign each task to a member of the project team.
5. Estimate the day the task will be started and completed.
6. Specify any significant dependencies or prerequisites between tasks.
7. Update the project roadmap throughout the project by accounting for injections and entering the actual starting and ending dates.
8. Use the project dashboard to monitor the project progress and identify risks early.

Project Planning & Monitoring Tool

Prioritize your tactics to build a realistic roadmap

Initiatives should not and cannot be tackled all at once;

• At this stage, each of the identified stakeholders should have a knowledge transfer plan for each of their reports with rough estimates for how long initiatives will take.
• Simply looking at this raw list of transition plans can be daunting. Logically bundle the identified needs into IT initiatives to create the optimal IT Knowledge Transfer Roadmap.
• It’s important not to try to do too much too quickly. Focus on some quick wins and leverage the success of these initiatives to drive the project forward.

Populate the task column of the Project Planning and Monitoring Tool. See the following slides for more details on how to do this.

Some techniques require a higher degree of effort than others

Consider each tactic’s dependencies as you build your roadmap

2.2.1 Merge Your Knowledge Transfer Plans

Populate the task column of the Project Planning and Monitoring Tool

1. Take an inventory of all the tactics and techniques which you plan to employ. Eliminate redundancies where possible.
2. Start your implementation with your highest risk group using explicit knowledge transfer tactics. Interviews, use cases, and process mapping will give you some quick wins and will help gain momentum for the project.
3. Proactive and knowledge culture should then move forward to other tactics, the majority of which will require training and process design. Pick one to two other key tactics you would like to employ and build those out.
4. Once you get more advanced, you can continue to grow the number of tactics you employ, but in the beginning, less is more. Keep growing your implementation roadmap one tactic at a time and track key metrics as you go.

Project Planning & Monitoring Tool

2.2.2 Define Initiatives’ Timeframes

Populate the estimated start and completion date and task owner columns of the Project Planning and Monitoring Tool.

1. Define the time frame: time frames will depend on several factors. Consider the following while defining timelines for your knowledge transfer tactics:

• Tactics you choose to employ
• Availability of resources to implement the initiative
• Technology requirements

• Planned
• In progress
• Completed

• Engage all required stakeholders at appropriate stages of the project.
• Engage all required resources to implement the process and make sure that communication channels are open and available between all relevant parties.

Project Planning & Monitoring Tool

Once you start the implementation, leverage the Project Planning and Monitoring Tool for ongoing status updates

Track your progress

• Update your project roadmap as you complete the project and keep track of your progress by completing the “Actual Start Date” and “Actual Completion Date” as you go through your project.
• Use the Progress Report tab in project team meetings to update stakeholders on which tasks have been completed on schedule, for an analysis of tasks to date, and project time management.

Phase #3

Implement your knowledge transfer plans and roadmap

This phase will walk you through the following activities:

• Preparing a key stakeholder communication presentation.

This phase involves the following participants:

• IT Leadership
• Other key stakeholders

Step 3.1

Communicate Your Knowledge Transfer Roadmap to Stakeholders

Activities

3.1.1 Prepare IT Knowledge Transfer Roadmap Presentation

The goal of this step is to be ready to communicate the roadmap with the project team, project sponsor, and other key stakeholders.

Outcomes of this step

• Key stakeholder communication deck.

Use Info-Tech’s template to communicate with stakeholders

Obtain approval for the IT Knowledge Transfer Roadmap by customizing Info-Tech’s IT Knowledge Transfer Roadmap Presentation Template designed to effectively convey your key messages. Tailor the template to suit your needs.

It includes:

• Project Context
• Project Scope and Objectives
• Knowledge Transfer Roadmap
• Next Steps

Info-Tech Insight

The support of IT leadership is critical to the success of your roadmap roll-out. Remind them of the project benefits and impact them hard with the risks/pain points.

IT Knowledge Transfer Roadmap Presentation Template

3.1.1 Prepare a Presentation for Your Project Team and Sponsor

Now that you have created your knowledge transfer roadmap, the final step of the process is to get sign-off from the project sponsor to begin the planning process to roll-out your initiatives.

Know your audience:

1. Revisit your project charter to determine the knowledge transfer project stakeholders who will be included in your presentation audience.
2. You want your presentation to be succinct and hard-hitting. Management’s time is tight, and they will lose interest if you drag out the delivery. Impact them hard and fast with the pains and benefits of your roadmap.
3. The presentation should take no more than an hour. Depending on your audience, the actual presentation delivery could be quite short (12-13 slides). However, you want to ensure adequate time for Q & A.

IT Knowledge Transfer Roadmap Presentation Template

Related Info-Tech Research

Build an IT Succession Plan

Train Managers to Handle Difficult Conversations

Lead Staff Through Change

Bibliography

Babcock, Pamela. “Shedding Light on Knowledge Management.” HR Magazine, 1 May 2004.

King, Rachael. "Big Tech Problem as Mainframes Outlast Workforce." Bloomberg, 3 Aug. 2010. Web.

Krill, Paul. “IT’s Most Wanted: Mainframe Programmers.” IDG Communications, Inc. 1 December 2011.

McLean & Company. “Mitigate the Risk of Baby Boomer Retirement with Scalable Succession Planning.” 7 March 2016.

McLean & Company. “Make the Case For Employee Engagement.” McLean and Company. 27 March 2014.

PwC. “15th Annual Global CEO Survey: Delivering Results Growth and Value in a Volatile World.” PwC, 2012.

Rocket Software, Inc. “Rocket Software 2022 Survey Report: The State of the Mainframe.” Rocket Software, Inc. January 2022. Accessed 30 April 2022.

Ross, Jenna. “Intangible Assets: A Hidden but Crucial Driver of Company Value.” Visual Capitalist, 11 February 2020. Accessed 2 May 2022.

Data and Analytics Trends Report 2023

SOONER OR LATER, YOU WILL BE IN THE DATA BUSINESS!

Nine Data Trends for 2023

In this report, we explore nine data use cases for emerging technologies that can improve on capabilities needed to compete in the data-driven economy. Use cases combine emerging data trends and modernization of existing capabilities.

1. VOLUME
   • Data Gravity
2. VELOCITY

• Democratizing Real-Time Data

• Augmented Data Management

• Identity Authenticity

• Data Monetization

• Adaptive Data Governance

• AI-Driven Storytelling & Augmented Analytics

• Data Marketplace

• DevOps – DataOps – XOps

VOLUME

Data Gravity

Trend 01 Demand for storage and bandwidth continues to grow

When organizations begin to prioritize data, they first consider the sheer volume of data, which will influence data system design. Your data systems must consider the existing and growing volume of data by assessing industry initiatives such as digital transformation, Industry 4.0, IoT, consumer digital footprint, etc.

VOLUME

Data Gravity

Data attracts more data and an ecosystem of applications and services

SharePoint, OneDrive, Google Drive, and Dropbox offer APIs and integration opportunities for developers to enhance their products.

Social media platforms thought about this early by allowing for an ecosystem of filters, apps, games, and effects that engage their users with little to no additional effort from internal resources.

VOLUME

Data Gravity

Focus on data gravity and avoid cloud repatriation

Data gravity is the tendency of data to attract applications, services, and other data. A growing number of cloud migration decisions will be made based on the data gravity concept. It will become increasingly important in data strategies, with failure potentially resulting in costly cloud repatriations.

Emerging technologies and capabilities:

Data Lakehouse, Data Mesh, Data Fabric, Hybrid Data, Cloud Data, Edge Computing

Source: CIO, 2022

VOLUME

Data Gravity

What worked for terabytes is ineffective for petabytes

When compared to on-premises infrastructure, cloud computing is less expensive and easier to implement. However, poor data replication and data gravity can significantly increase cloud costs to the point of failure. Data gravity will help organizations make better cloud migration decisions.

It is also critical to recognize changes in the industry landscape. The goal of data processing and analytics is to generate the right data for users to act on. In most cases, the user is a human being, but in the case of autonomous driving (AD), the car takes on the role of the user (DXC Technology).

To avoid cloud repatriation, it will become prudent for all organizations to consider data gravity and the timing of cloud migration.

VELOCITY

Democratizing Real-Time Data

Trend 02 Real-time analytics presents an important differentiator

The velocity element of data can be assessed from two standpoints: the speed at which data is being generated and how fast the organization needs to respond to the incoming information through capture, analysis, and use. Traditionally data was processed in a batch format (all at once or in incremental nightly data loads). There is a growing demand to process data continuously using streaming data-processing techniques.

Emerging technologies and capabilities:

Edge Computing

VELOCITY

Democratizing Real-Time Data

Make data accessible to everyone in real time

• 90% of an organization’s data is replicated or redundant.
• Build API and web services that allow for live access to data.
• Most social media platforms, like Twitter and Facebook, have APIs that offer access to incredible amounts of data and insights.

VELOCITY

Democratizing Real-Time Data

Trend in Data Velocity

Data democratization means data is widely accessible to all stakeholders without bottlenecks or barriers. Success in data democratization comes with ubiquitous real-time analytics. Google highlights a need to address democratization in two different frames:

1. Democratizing stream analytics for all businesses to ensure real-time data at the company level.
2. Democratizing stream analytics for all personas and the ability of all users to generate real-time insights.

Emerging technologies and capabilities:

Data Lakehouse, Streaming API Ecosystem, Industry 4.0, Zero-Copy Cloning

Nearly 70% of all new vehicles globally will be connected to the internet by 2023.

Source: “Connected light-duty vehicles,” Statista, 2022

VELOCITY

Democratizing Real-Time Data

Enable real-time processing with API

In the past, data democratization has largely translated into a free data set and open data portals. This has allowed the government to freely share data with the public. Also, the data science community has embraced the availability of large data sets such as weather data, stock data, etc. In the future, more focus will be on the combination of IoT and steaming analytics, which will provide better responsiveness and agility.

Many researchers, media companies, and organizations now have easy access to the Twitter/Facebook API platform to study various aspects of human behavior and sentiments. Large technology companies have already democratized their data using real-time APIs.

Thousands of sources for open data are available at your local municipalities alone.

6G will push Wi-Fi connectivity to 1 terabyte per second! This is expected to become commercially available by 2030.

VARIETY

Augmented Data Management

Trend 03 Need to manage unstructured data

The variety of data types is increasingly diverse. Structured data often comes from relational databases, while unstructured data comes from several sources such as photos, video, text documents, cell phones, etc. The variety of data is where technology can drive business value. However, unstructured data also poses a risk, especially for external data.

VARIETY

Augmented Data Management

Employ AI to automate data management

New tools will enhance many aspects of data management:

• Data preparation, integration, cataloging, and quality
• Metadata management
• Master data management

Enabling AI-assisted decision-making tools

VARIETY

Augmented Data Management

Trend in Data Variety

Augmented data management will enhance or automate data management capabilities by leveraging AI and related advanced techniques. It is quite possible to leverage existing data management tools and techniques, but most experts have recognized that more work and advanced patterns are needed to solve many complex data problems.

Emerging technologies and capabilities:

Data Factory, Data Mesh, Data Fabric, Artificial Intelligence, Machine Learning

VARIETY

Augmented Data Management

Data Fabric vs. Data Mesh: The Data Journey continues at an accelerated pace

More Unstructured Data

95% of businesses cite the need to manage unstructured data as a problem for their business.

VERACITY

Identity Authenticity

Trend 04 Veracity of data is a true test of your data capabilities

Data veracity is defined as the accuracy or truthfulness of a data set. More and more data is created in semi-structured and unstructured formats and originates from largely uncontrolled sources (e.g. social media platforms, external sources). The reliability and quality of the data being integrated should be a top concern. The veracity of data is imperative when looking to use data for predictive purposes. For example, energy companies rely heavily on weather patterns to optimize their service outputs, but weather patterns have an element of unpredictability.

VERACITY

Identity Authenticity

Veracity of data is a true test of your data capabilities

• Stop creating your own identity architectures and instead integrate a tried-and-true platform.
• Aim for a single source of truth for digital identity.
• Establish data governance that can withstand scrutiny.
• Imagine a day in the future where verified accounts on social media platforms are available.
• Zero-trust architecture should be used.

VERACITY

Identity Authenticity

Trend in Data Veracity

Veracity is a concept deeply linked to identity. As the value of the data increases, a greater degree of veracity is required: We must provide more proof to open a bank account than to make friends on Facebook. As a result, there is more trust in bank data than in Facebook data. There is also a growing need to protect marginalized communities.

Emerging technologies and capabilities:

Zero Trust, Blockchain, Data Governance, IoT, Cybersecurity

VERACITY

Identity Authenticity

The identity discussion is no longer limited to people or organizations. The development of new technologies, such as the IoT phenomenon, will lead to an explosion of objects, from refrigerators to shipping containers, coming online as well. If all these entities start communicating with each other, standards will be needed to establish who or what they are.

The IoT market is expected to grow 18% to 14.4 billion in 2022 and 27 billion by 2025.

Source: IoT Analytics, 2022

VALUE

Data Monetization

Trend 05 Not Many organization know the true value of their data

Data can be valuable if used effectively or dangerous if mishandled. The rise of the data economy has created significant opportunities but also has its challenges. It has become urgent to understand the value of data, which may vary for stakeholders based on their business model and strategy. Organizations first need to understand ownership of their data by establishing a data strategy, then they must improve data maturity by developing a deeper understanding of data value.

VALUE

Data Monetization

Start developing your data business

• Blockbuster ran its business well, but Netflix transformed the video rental industry overnight!
• Big players with data are catching up fast.
• You don’t have to be a giant to monetize data.
• Data monetization is probably closer than you think.
• You simply need to find it, catalog it, and deliver it.

VALUE

Data Monetization

Trend in Data Value

Data monetization is the transformation of data into financial value. However, this does not imply selling data alone. Monetary value is produced by using data to improve and upgrade existing and new products and services. Data monetization demands an organization-wide strategy for value development.

Emerging technologies and capabilities:

Data Strategy, Data Monetization Strategy, Data Products

Netflix uses big data to save $1 billion per year on customer retention.

Source: Logidots, 2021

VALUE

Data Monetization

Data is a strategic asset

Data is beyond currency, assets, or commodities and needs to be a category
of its own.

• Data always outlives people, processes, and technology. They all come and go while data remains.
• Oil is a limited resource. Data is not. Unlike oil, data is likely to grow over time.
• Data is likely to outlast all other current popular financial instruments, including currency, assets, or commodities.
• Data is used internally and externally and can easily be replicated or combined.

Data monetization is currently in the speculative territory, which is unacceptable. It should instead be guided by sound data management theory.

VIRTUE

Adaptive Data Governance

Trend 06 Five Core Virtues: Resilience, Humility, Grit, Liberal Education, Empathy (Forbes, 2020)

We have become more and more dependent on data, analytics, and organizational protection policies. Data virtue is about leveraging data securely and ethically. This topic has become more critical with the advent of GDPR, the right to be forgotten, and related regulations. Data governance, which seeks to establish an oversight framework that manages the creation, acquisition, integrity, security, compliance, and quality of data, is essential for any organization that makes decisions about data.

VIRTUE

Adaptive Data Governance

Encourage noninvasive and automated data governance

• Data governance affects the entire organization, not just data.
• The old model for data governance was slow and clumsy.
• Adaptive data governance encourages faster decision making and a more collaborative approach to governance.
• Agile data governance allows for faster and more flexible decision making.
• Automated data governance will simplify execution across the organization.
• It is great for compliance, quality, impact tracking, and cross-referencing and offers independence to data users.

VIRTUE

Adaptive Data Governance

Trend in Data Virtue

Adaptive data governance encourages a flexible approach that allows an organization to employ multiple data governance strategies depending on changing business situations. The other aspect of adaptive data governance is moving away from manual (and often slow) data governance and toward aggressive automation.

Emerging technologies and capabilities:

AI-Powered Data Catalog and Metadata Management,
Automated Data Policy Enforcement

VIRTUE

Data Governance Automation

Simple and easy Data Governance

Tools are not the ultimate answer to implementing data governance. You will still need to secure stakeholders' buy-in and engagement in the data process. Data governance automation should be about simplifying the execution of roles and responsibilities.

“When you can see where your data governance strategy can be improved, it’s time to put in place automation that help to streamline processes.”

Source: Nintex, 2021

VISUALIZATION

AI-Driven Storytelling & Augmented Analytics

Trend 07 Automated and augmented data storytelling is not that far away

Today, data storytelling is led by the user. It’s the manual practice of combining narrative with data to deliver insights in a compelling form to assist decision makers in engaging with data and analytics. A story backed by data is more easily consumed and understood than a dashboard, which can be overwhelming. However, manual data storytelling has some major shortcomings.

Problem # 1: Telling stories on more than just the insights noticed by people

Problem # 2: Poor data literacy and the limitations of manual self-service

Problem # 3: Scaling data storytelling across the business

VISUALIZATION

AI-Driven Storytelling & Augmented Analytics

Use AI to enhance data storytelling

• Tableau, Power BI, and many other applications already use
  AI-driven analytics.
• Power BI and SharePoint can use AI to generate visuals for any SharePoint list in a matter of seconds.

VISUALIZATION

AI-Driven Storytelling & Augmented Analytics

Trend in Data Visualization

AI and natural language processing will drive future visualization and data storytelling. These tools and techniques are improving rapidly and are now designed in a streamlined way to guide people in understanding what their data means and how to act on it instead of expecting them to do self-service analysis with dashboards and charts and know what to do next. Ultimately, being able to understand how to translate emotion, tropes, personal interpretation, and experience and how to tell what’s most relevant to each user is the next frontier for augmented and automated analytics

Emerging technologies and capabilities:

AI-Powered Data Catalog and Metadata Management,
Automated Data Policy Enforcement

VISUALIZATION

Data Storytelling

Augmented data storytelling is not that far away

Emotions are a cornerstone of human intelligence and decision making. Mastering the art of storytelling is not easy.

Industry experts predict the combination of data storytelling with augmented and automated techniques; these capabilities are more than capable of generating and automating parts of a data story’s creation for end users.

The next challenge for AI is translating emotion, tropes, personal interpretation, and experience into what is most essential to end users.

Source: Yellowfin, 2021

VIRALITY

Data Marketplace

Trend 08 Missing data marketplace

Data virality measures data spread and popularity. However, for data virality to occur, an ecosystem comparable to that of traditional or modern digital marketplaces is required. Organizations must reevaluate their data strategies to ensure investment in appropriate data domains by understanding data virality. Data virality is the exact opposite of dark data.

Dark data is “all the information companies collect in their regular business processes, don’t use, have no plans to use, but will never throw out.”

Source: Forbes, 2019

VIRALITY

Data Marketplace

Make data easily accessible

• Making data accessible to a broader audience is the key to successful virality.
• Data marketplaces provide a location for you to make your data public.
• Why do this? Contributing to public data marketplaces builds credibility, just like contributing to public GitHub projects.
• Big players like Microsoft, Amazon, and Snowflake already do this!
• Snowflake introduced zero-copy cloning, which allows users to interact with source data without compromising the integrity of the original source.

VIRALITY

Data Marketplace

Trend in Data Virality

The data marketplace can be defined as a dynamic marketplace where users decide what has the most value. Companies can gauge which data is most popular based on usage and decide where to invest. Users can shop for data products within the marketplace and then join these products with other ones they’ve created to launch truly powerful data-driven projects.

Emerging technologies and capabilities:

AI-Powered Data Catalog and Metadata Management,
Automated Data Policy Enforcement

“Data is like garbage. You’d better know what you are going to do with it before you collect it.”

– Mark Twain

VIRALITY

Data Marketplace

Journey from siloed data platforms to dynamic data marketplaces

Data remains a complex topic due to many missing foundational components and infrastructure. Interoperability, security, quality, discoverability, speed, and ease are some of those missing foundational components that most organizations face daily.

Data lacks an ecosystem that is comparable to those of traditional assets or commodities. Data must be available in open or closed data marketplaces to measure its value. These data marketplaces are still in their infancy.

“Data markets are an important component of the data economy that could unleash the full potential of data generated by the digital economy and human activity in general.”

Source: ITU Journal, 2018

VISCOSITY

DevOps – DataOps – XOps

Trend 09 Increase efficiency by removing bottlenecks

Compared to water, a fluid with a high viscosity flows more slowly, like honey. Data viscosity measures the resistance to flow in a volume of data. The data resistance may come from other Vs (variety, velocity, etc.).

VISCOSITY

DevOps – DataOps – XOps

Increase efficiency by removing bottlenecks

Consider XOps for a second. It makes no difference what X is. What's important is matching operational requirements to enterprise capabilities.

• For example, Operations must meet the demands of Sales – hence SalesOps
  or S&Op.
• Development resources must meet the demands of Operations – hence DevOps.
• Finally, Data must also meet the demand of Operations.

These Operations guys are demanding!!

VISCOSITY

DevOps – DataOps – XOps

Trend in Data Viscosity

The merger of development (Dev) and IT Operations (Ops) started in software development with the concept of DevOps. Since then, new Ops terms have formed rapidly (AIOps, MLOps, ModelOps, PlatformOps, SalesOps, SecOps, etc.). All these methodologies come from Lean manufacturing principles, which seek to identify waste by focusing on eliminating errors, cycle time, collaboration, and measurement. Buzzwords are distractions, and the focus must be on the underlying goals and principles. XOps goals should include the elimination of errors and improving efficiencies.

Emerging technologies and capabilities:

Collaborative Data Management, Automation Tools

VISCOSITY

DataOps → Data Observability

Data observability, a subcomponent of DataOps, is a set of technical practices, cultural norms, and architecture that enables low error rates. Data observability focuses on error rates instead of only measuring data quality at a single point in time.

What’s next? Go beyond the buzzwords.

Avoid following trends solely for the sake of following them. It is critical to comprehend the concept and apply it to your industry. Every industry has its own set of problems and opportunities.

Highlight the data trends (or lack thereof) that have been most beneficial to you in your organizations. Follow Info-Tech’s approach to building a data practice and platform to develop your data capabilities through the establishment of data goals.

Research Authors

Rajesh Parab Director, Research & Advisory Data and Analytics	Chris Dyck Research Lead Data and Analytics

“Data technologies are rapidly evolving. Understanding what’s possible is critical. Adapting to these upcoming data trends requires a solid data management foundation.”

– Rajesh Parab

Contributing Experts

Carlos Thomas Executive Counselor Info-Tech Research Group	John Walsh Executive Counselor Info-Tech Research Group

Bibliography

Bean, Randy. “Why Becoming a Data-Driven Organization Is So Hard.” Harvard Business Review, 24 Feb. 2022. Accessed Oct. 2022.
Brown, Annie. “Utilizing AI And Big Data To Reduce Costs And Increase Profits In Departments Across An Organization.” Forbes, 13 April 2021.
Accessed Oct. 2022.
Burciaga, Aaron. “Five Core Virtues For Data Science And Artificial Intelligence.” Forbes, 27 Feb. 2020. Accessed Aug. 2022.
Cadwalladr, Carole, and Emma Graham-Harrison. “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.”
The Guardian, 17 March 2018. Accessed Aug. 2022.
Carlier, Mathilde. “Connected light-duty vehicles as a share of total vehicles in 2023.” Statista, 31 Mar. 2021. Accessed Oct. 2022.
Carter, Rebekah. “The Ultimate List of Big Data Statistics for 2022.” Findstack, 22 May 2021. Accessed Oct. 2022.
Castelvecchi, Davide. “Underdog technologies gain ground in quantum-computing race.” Nature, 6 Nov. 2023. Accessed Feb. 2023.
Clark-Jones, Anthony, et al. “Digital Identity:” UBS, 2016. Accessed Aug 2022.
“The Cost of Bad Data – Infographic.” Pragmatic Works, 25 May 2017. Accessed Oct. 2022.
Demchenko, Yuri, et al. “Data as Economic Goods: Definitions, Properties, Challenges, Enabling Technologies for Future Data Markets.“ ITU Journal: ICT Discoveries, Special Issue, no. 2, vol. 23, Nov. 2018. Accessed Aug 2022.
Feldman, Sarah. ”20 Years of Quantum Computing Growth.” Statista, 6 May 2019. Accessed Oct. 2022.
“Genomic Data Science.” NIH, National Human Genome Research Institute, 5 April 2022. Accessed Oct. 2022.

Bibliography

Hasbe, Sudhir, and Ryan Lippert. “The democratization of data and insights: making real-time analytics ubiquitous.” Google Cloud, 15 Jan. 2021.
Accessed Aug. 2022.
Helmenstine, Anne. “Viscosity Definition and Examples.” Science Notes, 3 Aug. 2021. Accessed Aug. 2022.
“How data storytelling and augmented analytics are shaping the future of BI together.” Yellowfin, 19 Aug. 2021. Accessed Aug. 2022.
“How Netflix Saves $1B Annually using AI?” Logidots, 24 Sept. 2021. Accessed Oct. 2022
Hui, Kenneth. “The AWS Love/Hate Relationship with Data Gravity.” Cloud Architect Musings, 30 Jan. 2017. Accessed Aug 2022.
ICD. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” Business Wire, 18 June 2019. Accessed Oct 2022.
Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025” Statista, 27 Nov. 2022. Accessed Nov. 2022.
Koch, Gunter. “The critical role of data management for autonomous driving development.” DXC Technology, 2021. Accessed Aug. 2022.
Morris, John. “The Pull of Data Gravity.” CIO, 23 Feb. 2022. Accessed Aug. 2022.
Nield, David. “Google's Quantum Computer Is 100 Million Times Faster Than Your Laptop.” ScienceAlert, 9 Dec. 2015. Accessed Oct. 2022.
Redman, Thomas C. “Seizing Opportunity in Data Quality.” MIT Sloan Management Review, 27 Nov. 2017. Accessed Oct. 2022.
Segovia Domingo, Ana I., and Álvaro Martín Enríquez. “Digital Identity: the current state of affairs.” BBVA Research, 2018. Accessed Aug. 2022.

Bibliography

“State of IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally.” IOT Analytics, 18 May 2022. Accessed. 14 Nov. 2022.
Strod, Eran. “Data Observability and Monitoring with DataOps.” DataKitchen, 10 May 2021. Accessed Aug. 2022.
Sujay Vailshery, Lionel. “Edge computing market value worldwide 2019-2025.” Statista, 25 Feb. 2022. Accessed Oct 2022.
Sujay Vailshery, Lionel. “IoT and non-IoT connections worldwide 2010-2025.” Statista, 6 Sept. 2022. Accessed Oct. 2022.
Sumina, Vladimir. “26 Cloud Computing Statistics, Facts & Trends for 2022.” Cloudwards, 7 June 2022. Accessed Oct. 2022.
Taulli, Tom. “What You Need To Know About Dark Data.” Forbes, 27 Oct. 2019. Accessed Oct. 2022.
Taylor, Linnet. “What is data justice? The case for connecting digital rights and freedoms globally.“ Big Data & Society, July-Dec 2017. Accessed Aug 2022.
“Twitter: Data Collection With API Research Paper.” IvyPanda, 28 April 2022. Accessed Aug. 2022.
“Using governance automation to reduce data risk.” Nintex, 15 Nov. 2021. Accessed Oct. 2022
“Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025.” Statista, 8 Sept. 2022. Accessed Oct 2022.
Wang, R. “Monday's Musings: Beyond The Three V's of Big Data – Viscosity and Virality.” Forbes, 27 Feb. 2012. Accessed Aug 2022.
“What is a data fabric?” IBM, n.d. Accessed Aug 2022.
Yego, Kip. “Augmented data management: Data fabric versus data mesh.” IBM, 27 April 2022. Accessed Aug 2022.

Take Advantage of Big Tech Layoffs

Simple tactics to secure the right talent in times of economic uncertainty.

Why are the layoffs making the news?

After three years of record low unemployment rates in IT and organizations struggling to hire IT talent into their organization, the window appears to be opening with tens of thousands layoffs from Big Tech employers.

Big brand organizations such as Microsoft, Alphabet, Amazon, Twitter, Netflix, and Meta have been hitting major newswires, but these layoffs aren't exclusive to the big names. We've also seen smaller high-growth tech organizations following suit. In fact, in 2022, it's estimated that there were more than 160,997 layoffs across over 1,045 tech organizations. This trend has continued into 2023. By mid-February 2023, there were already 108,754 employees laid off at 385 tech companies (Layoffs.fyi).(1)

While some of these layoffs have been openly connected to economic slowdown, others are pointing to the layoffs being a correction for over-hiring during the pandemic. It is also important to note that many of these workers were not IT employees, as these organizations also saw cuts across other areas of the business such as sales, marketing, recruitment, and operations.

(1)This global database is constantly being updated, and these numbers are changing on an ongoing basis. For up-to-date statistics, see https://layoffs.fyi

While tech layoffs have been making the news, so far many of these layoffs have been a correction to over-hiring, with most employees laid off finding work, if they want it, within three months.

IT leaders need to determine their response – wait and see the impact of the recession on budgets and candidate expectations or dive in and secure great talent to execute today on strategic needs.

This research is designed to help IT leaders understand the talent market and provide winning strategies to those looking to take advantage of the layoffs to fill their hiring needs.

Three key drivers for Big Tech layoffs

Economic uncertainty

Globally, economists are predicting an economic slowdown, though there is not a consistent prediction on the impact. We have seen an increase in interest rates and inflation, as well as reduced investment budgets.

Over-hiring during the pandemic

High growth and demand for digital technologies and services during the early pandemic led to over-hiring in the tech industry. Many organizations overestimated the future demand and had to rebalance staffing as a result.

New automation investments

Many tech organizations that have conducted layoffs are still in a growth mindset. This is demonstrated though new tech investments by these companies in products like chatbots and RPA to semi-automate processes to reduce the need for certain roles.

Despite layoffs, the labor market remains competitive

There were at least 160,997 layoffs from more than 1,045 tech companies last year (2022). (Layoffs.fyi reported as of Feb 21/2023)

But just because Big Tech is laying people off doesn't mean the IT job market has cooled.

Between January and October 2022 technology- focused job postings rose 25% compared to the same period in 2021, and there were more than 375,000 tech jobs posted in October of 2022.
(Dice: Tech Jobs Report.)

Info-Tech Insight

The "where has the talent gone?" puzzle has been solved. Many tech firms over-hired and were able to outcompete everyone, but it wasn't sustainable. This correction won't impact unemployment numbers in the short term – the job force is just in flux right now.

So far, many of the layoffs have been a market correction

Tech Layoffs Since COVID-19

Source: Layoffs.fyi - Tech Layoff Tracker and Startup Layoff Lists

Tech Companies Layoffs vs. Early Pandemic Hiring # of People

Source: Yahoo Finance. Q4 '19 to Q3 '22

Tech Layoffs between 2020 Q3- 2022 Q1 remained very low across the sector. In fact, outside of the initial increase at the start of the pandemic, layoffs have remained at historic low levels of around 1% (HBR, 2023). While the layoffs look significant in isolation, when you compare these numbers to pandemic hiring and growth for these organizations, the figures are relatively small.

The first question IT leaders need to ask is whether now is the time to act

The big gamble many CIOs face is whether to strike now to secure talent or to wait to better understand the impact of the recession. While two-thirds of IT professionals are still expecting their budgets to increase in 2023, CIOs must account for the impact of inflation and the recession on their IT budgets and staffing decisions (see Info-Tech's CEO-CIO Alignment Program).

Ultimately, while unemployment is low today, it's common to see unemployment numbers drop right before a recession. If that is the case, then we will see more talent entering the market, possibly at more competitive salaries. But organizations that wait to hire risk not having the staff they need to execute on their strategy and finding themselves in a hiring freeze. CIOs need to decide on how to approach the economic uncertainty and where to place their bets.

Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

Info-Tech's CEO-CIO Alignment Program

Organizations ready to take advantage will need to act fast when layoffs happen

Organizations looking to fill hiring needs or grow their IT/digital organization will need to be strategic and efficient when it comes to recruitment. Regardless of the number of layoffs, it continues to be an employee market when it comes to IT roles.

While it is likely that the recession will impact unemployment rates, so far, the market remains hot, and the number of open roles continues to grow. This means that organizations that want to take advantage need to act quickly when news hits.

Leaders not only need to compete with other organizations for talent, but the other challenge hiring organizations will need to compete with is that many in tech received generous severance packages and will be considering taking time off. To take advantage, leaders need to establish a plan and a clear employee value proposition to entice these highly skilled workers to get off the bench.

Why you need to act fast:

• Unemployment rates remain low:
  • Tech unemployment's rates in the US dropped to 1.5% in January 2023 (CompTIA), compared to overall unemployment which is at 3.4% in the US as of January 2023 (Yahoo Finance). While the layoffs look significant, we can see that many workers have been rehired into the labor market.
• Long time-to-hire results in lost candidates:
  • According to Info-Tech's IT Talent Trend Report, 58% of IT leaders report time-to-hire is longer than two months. This timing increases for tech roles which require unique skills or higher seniority. IT leaders who can increase the timeline for their requirement process are much more likely to be able to take advantage of tech layoffs.

IT must take a leading role in IT recruitment to take advantage of layoffs

A personal connection is the differentiator when it comes to talent acquisition

There is a statistically significant relationship between IT leadership involvement in talent acquisition and the effectiveness of this process in the IT department. The more involved they are, the higher the effectiveness.(1)

More IT leadership involvement

Higher recruitment effectiveness

Involved leaders see shorter times to hire

There is a statistically significant relationship between IT leadership involvement in the talent acquisition process and time to fill vacant positions. The more involved they are, the shorter the time to hire.(2)

Involved leaders are an integral part of effective IT departments

There is a statistically significant relationship between IT leadership involvement in talent acquisition and overall IT department effectiveness. Those that are more involved have higher levels of effectiveness.(3)

Increased IT Leadership in Recruitment Is Directly Correlated to Recruitment Effectiveness.

Focus your layoff recruitment strategy on critical and strategic roles

If you are ready to take advantage of tech layoffs, focus hiring on critical and strategic roles, rather than your operational backfills. Roles related to security, cloud migration, data and analytics, and digital transformation are more likely to be shielded from budget cuts and are logical areas to focus on when looking to recruit from Big Tech organizations.

Additionally, within the IT talent market, scarcity is focused in areas with specialized skill sets, such as security and architecture, which are dynamic and evolving faster than other skill sets. When looking to recruit in these areas, it's critical that you have a targeted recruitment approach; this is why tech layoffs represent a strong opportunity to secure talent in these specialized areas.

ROLES DIFFICULT TO FILL

Info-Tech Talent Trends 2022 Survey

Four quick tactics to take advantage of Big Tech layoffs

TALENT ACQUISITION PROCESS TO TAKE ADVANTAGE OF LAYOFFS

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 12 calls over the course of 4 to 6 months.

Tactics to take advantage of tech layoffs

Activities

1.1 Spot check your employee value proposition
1.2 Update job advertisements
1.3 Document your talent acquisition process
1.4 Refine your talent acquisition process

This step involves the following participants:

• IT executive leadership
• IT hiring manager
• Human resources
• Marketing/public relations

Outcomes of this step

Streamlined talent acquisition process tailored to take advantage of tech layoffs.

Requisition: update job ads and secure approval to hire

Critical steps:

1. Ensure you have secured budget and hiring approval.
2. Identify an IT recruitment partner within the IT organization who will be accountable for working with HR throughout the process and who will actively track and scan for recruitment opportunities.
3. Update your IT job descriptions.
4. Spot check your employee value proposition (EVP) to appeal to targeted candidates (Exercise 1.1).
5. Write employee job ads for relevant skills and minimum viable experience (Exercise 1.2).
6. Work with HR to develop your candidate outreach messages – ensure that your outreach is empathetic, aligns with your EVP, and focuses on welcoming them to apply to a role.

The approval process to activate a requisition can be one of the longest stages in the talent acquisition process. Ensure all your roles are up to date and approved so you can trigger outreach as soon as news hits; otherwise, you'll be late before you've even begun.

Your employee value proposition (EVP) is a key tool for attracting and retaining talent

Any updates to your EVP need to be a genuine reflection of the employee experience at your organization – and should resonate internally and externally.

Internal (retention) perspective: These characteristics help to retain new and existing talent by ensuring that new hires' expectations are met and that the EVP is experienced throughout the organization.

External (attraction) perspective: These characteristics help to attract talent and are targeted so the right candidates are motivated to join, while those who aren't a good fit will self-select out.

McLean & Company's Employee Value Proposition Framework

Source: McLean & Company

1.1 Spot check your EVP

1-3 hours

1. Review your existing IT employee value proposition. If you do not have an EVP, see Info-Tech's comprehensive research Improve the IT Recruitment Process to draft a new EVP.
2. Invite a representative group of employees to participate in a working group to improve your employee value proposition. Ask each participant to brainstorm the top five things they value most about working at the organization.
3. Consider the following categories: work environment, career advancement, benefits, and ESG and diversity impact. Brainstorm as a group if there is anything unique your organization offers with regard to these categories.
4. Compare your notes to your existing EVP, identify up to four key statements to focus on for the EVP, ensuring that your EVP speaks to at least one of the categories above. Remove any statements that no longer speak to who you are as an organization or what you offer.

Input

• Existing employee value proposition
• Employee Engagement Surveys (If Available)

Output

• Updated employee value proposition

Materials

• Whiteboard/flip charts
• Job ad template

Participants

• Representative group of internal employees.
• HR
• Marketing/PR (if possible)

Four critical factors considered by today's job seeker

1. Be specific about remote work policies: Include verbiage about whether there is an option to work hybrid or remote. 81% of job seekers stated that whether a job is remote, hybrid, or in-person was a top factor in whether they'd accept an offer (Benefits Canada, 2022).
2. Career advancement and stability: "37% of Gen Z employees and 25% of millennial employees are currently looking for a job that offers career progression transparency — or, in other words, a job with clear opportunities for growth. This is significantly higher than our findings for older generations Gen X (18%) and baby boomers (7%)," (Lattice, 2021).
3. Unique benefits: Consider your unique benefits – it's not the Big Tech "fun perks" like slides and ping pong that drive interest. Employees are increasingly looking for roles with long-term benefits programs. 90% of job seekers consider higher pension contributions to be a key factor, and 85% are considering bonuses/profit sharing" (Benefits Canada, 2022). Candidates may accept lower total compensation in exchange for flexibility, culture, work/life balance that was lacking in the start-up scene or the mega-vendors' fast-paced world.
4. ESG and diversity impact: Include details of how the candidate will make a societal impact through their role, and how the company is acting on climate and sustainability. "Nearly two in five [Gen Z's and millennials] say they have rejected a job or assignment because it did not align with their values," (Deloitte Global, 2022).

Update or establish job ads for candidate outreach

Take the time up front to update your IT job descriptions and to write effective job advertisements. A job advertisement is an external-facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP. A job description informs a job ad, it doesn't replace it.
When updating job descriptions and job ads, it's critical that your requirements are an accurate representation of what you need in the position. For the job ads especially, focus on the minimum requirements for the role, highlight your employee value proposition, and ensure that they are using inclusive language.
Don't be lulled into using a job description as a posting when there's a time crunch to fill a position – use your preparation time to complete this key step.

Three tips to consider when building a job ad

Include the minimum desired requirements

Include the required skills, responsibilities, and certifications required. Instead of looking for a unicorn, look for what you need and a demonstrated ability to learn. 70% of business executives say they are getting creative about sourcing for skills rather than just considering job experience (Deloitte Insights, 2022).

Strategically include certifications

When including certifications, ensure you have validated the process to be certified – i.e. if you are hiring for a role with 3-5 years' experience, ensure that the certification does not take 5-10 years of experience be eligible.

Use inclusive language

Consider having a review group within your IT organization to ensure the language is inclusive, that the responsibilities don't read as overly complex, and that it is an accurate representation of the organization's culture.

1.2 Update or build job ads

1-3 hours

1. Begin with a copy of the job ad you are looking to fill, if you haven't begun to draft the role, start with Info-Tech's Job Description Library and Info-Tech's Job Ad Template.
2. Review the job accountabilities, rank each responsibility based on its importance and volume of work. Determine if there are any responsibilities that are uncommon to be executed by the role and remove unnecessary responsibilities.
3. For each of the job accountabilities, identify if there is a level of experience, knowledge or competency that would be the minimum bar for a candidate. Remove technical skills, specific technologies, and competencies that aren't directly relevant to the role, responsibilities or values.
4. Review the education and requirements, and ensure that any certification or educational background is truly needed or suggested.
5. Use the checklist on the following tab to review and update your job ad.

Input

• Job description
• Employee value proposition
• Job ad template

Output

• Completed job ad

Materials

• Whiteboard/flip charts
• Web share

Participants

• Representative group of internal employees.
• HR
• Marketing/PR (if possible)

1.2 Job ad checklist:

A job ad needs to be two things: effective and inclusive.