Present Security to Executive Stakeholders

Learn how to communicate security effectively to obtain support from decision makers.

Analyst Perspective

Build and deliver an effective security communication to your executive stakeholders.

As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected. However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging. Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives. Ahmad Jowhar Research Specialist, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Your challenge

As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

• When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
• This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
• Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

62% find it difficult to balance the risk of too much detail and need-to-know information.

41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

Source: Deloitte, 2022

Common obstacles

There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

• Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
• The issue has been amplified, with security threats constantly increasing across all industries.
• However, security leaders don’t feel that they are in a position to make themselves heard.
• The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
• Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

77% of organizations have seen an increase in the number of attacks in 2021.

56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

Source: EY, 2021

Info-Tech’s methodology for presenting security to executive stakeholders

Develop a structured process for communicating security to your stakeholders

Security presentations are not a one-way street
The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Identifying your goals is the foundation of an effective presentation
Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

Harness the power of data
Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

Take your audience on a journey
Developing a storytelling approach will help engage with your audience.

Win your audience by building a rapport
Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

Tactical insight
Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

Tactical insight
Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

Project deliverables

This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

Report on Security Initiatives Template showing how to inform executive stakeholders of security initiatives.		Security Metrics Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.
Security Incident Response & Recovery Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.		Security Funding Request Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

Key template:

Template showing how to inform executive stakeholders of proactive security and risk initiatives.

Blueprint benefits

Measure the value of this blueprint

* The financial figure depicts the annual salary of a CISO in 2022

Source: Chief Information Security Officer Salary.” Salary.com, 2022

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Identify communication goals

This phase will walk you through the following activities:

• Understanding the different drivers for communicating security to executive stakeholders
• Identifying different communication goals

This phase involves the following participants:

• Security leader

1.1. Identify drivers for communicating to executive stakeholders

As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

Source: EY, 2021.

Info-Tech Insight

Not all security presentations are the same. Keep your communication strategy and processes agile.

Know your drivers for security presentations

By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

• These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
• Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

Understanding drivers will also help you understand how to present security to executive stakeholders.

• These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
• For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

Identify your communication drivers, which can stem from various initiatives and programs, including:

• Results from internal or external audit reports.
• Upcoming budget meetings.
• Briefing newly elected executive stakeholders on security.

When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

Examples of drivers for security presentations

Audit
Upcoming internal or external audits might require updates on the organization’s compliance

Organizational restructuring
Restructuring within an organization could require security updates

Merger & Acquisition
An M&A would trigger presentations on organization’s current and future security posture

Cyber incident
A cyberattack would require an immediate presentation on its impact and the incident response plan

Ad hoc
Provide security information requested by stakeholders

1.2. Define your goals for communicating to executives

After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

• Communication drivers are mainly triggers for why you want to present security.
• Communication goals are the potential outcomes you are hoping to obtain from the presentation.
• Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

• As a group, brainstorm the security goals that align with your business goals for the coming year.
  • Aim to have at least two business goals that align with each security goal.
• Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
  • E.g. Increased security awareness, updates on organization's security posture.
• Identify what the ask is for this presentation.
  • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

Info-Tech Insight

There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

Examples of security presentation goals

Educate
Educate the board on security trends and/or latest risks in the industry

Update
Provide updates on security initiatives, relevant security metrics, and compliance posture

Inform
Provide an incident response plan due to a security incident or deliver updates on current threats and risks

Investment
Request funding for security investments or financial updates on past security initiatives

Ad hoc
Provide security information requested by stakeholders

Phase 2

Collect information to support goals

This phase will walk you through the following activities:

• Understanding what types of data to include in your security presentations
• Defining where and how to retrieve data

This phase involves the following participants:

• Security leader
• Network/security analyst

2.1 Identify data to collect

After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

• Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
• The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
• Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

• Work with your security team to identify the main type of data applicable to the communication goals.
  • E.g. Financial data would be meaningful to use when communicating a budget presentation.
• Identify supporting data linked to the main data defined.
  • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
• Show how both the main and supporting data align with the communication goals.
  • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

Info-Tech Insight

Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

Examples of data to present

Educate
Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

Update
Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

Inform
Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

Investment
Capital and operating expenditure for investment; ROI on past and future security initiatives

Ad hoc
Number of security initiatives that went over budget; phishing test campaign results

2.2 Plan how to retrieve the data

Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

• Most of the data leveraged for security presentations are structured data, which are highly organized data that are often stored in a relational and easily searchable database.
  • This includes security log reports or expenditures for ongoing and future security investments.
• Retrieving the data, however, would require collaboration and cooperation from different team members.
• You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

Once the data source and owner has been identified, you need to plan how the data would be processed and leveraged for your presentation

• This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
• Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

Info-Tech Insight

Using a data-driven approach to help support your objectives is key to engaging with your audience.

Plan where to retrieve the data

Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

Examples of where to retrieve your data

Phase 3

Develop communication

This phase will walk you through the following activities:

• Identifying a communication strategy for presenting security
• Identifying security templates that are applicable to your presentation

This phase involves the following participants:

• Security leader

3.1 Plan communication: Know who your audience is

• When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
• This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

Examples of two profiles in a boardroom

3.1.1 Know what your audience cares about

• Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
• Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
• Your background research could include:
  • Researching the audience’s professional background through LinkedIn.
  • Reviewing their comments from past executive meetings.
  • Researching current security trends that align with organizational goals.
• Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

A board’s purpose can include the following:

• Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
• Determining and funding the organization’s future and direction.
• Protecting and increasing shareholder value.
• Protecting the company’s exposure to risks.

Examples of potential values and risks

• Business impact
• Financial impact
• Security and incidents

Info-Tech Insight
Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

Understand your audience’s concerns

• Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
• By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
• These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
• After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

Examples of potential concerns for each profile of executive stakeholders

Build your presentation to tackle their main concerns

Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

Checklist:

• Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
• Include value and risk language in your presentation to appeal to your audience.
• Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
• Include information about what is in it for them and the organization.
• Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

Info-Tech Insight
The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

3.1.2 Take your audience through a security journey

• Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
• You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
• Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
• You can derive insights for your storytelling presentation by doing the following:
  • Provide a business case scenario on the topic you are presenting.
  • Identify and communicate the business problem up front and answer the three questions (why, what, how).
  • Quantify the problems in terms of business impact (money, risk, value).

Info-Tech Insight
Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

Identify the purpose of your presentation

You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

Examples of communication goals

Info-Tech Insight
Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

Gather the right information to include in your boardroom presentation

Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

Typical IT boardroom presentations include:

• Communicating the value of ongoing business technology initiatives.
• Requesting funds or approval for a business initiative that IT is spearheading.
• Security incident response/Risk/DRP.
• Developing a business program or an investment update for an ongoing program.
• Business technology strategy highlights and impacts.
• Digital transformation initiatives (value, ROI, risk).

Info-Tech Insight
You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

Info-Tech Insight
Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

Structure your presentation to tell a logical story

To build a strong story for your presentation, ensure you answer these three questions:

Examples:

Scenario 1: The company has experienced a security incident.

Intent: To inform/educate the board about the security incident.

Scenario 2: Security is recommending investments based on strategic priorities.

Intent: To reach a decision with the board – approve investment proposal.

Time plays a key role in delivering an effective presentation

What you include in your story will often depend on how much time you have available to deliver the message.

Consider the following:

• Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
• If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
• Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
• Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

Navigating through Q&A

Use the Q&A portion to build credibility with the board.

• It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
• When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
  • “Let’s work with the sub-committee to find you an answer.”
  • “Let’s take that offline to address in more detail.”
  • “I have some follow-up material I can provide you to discuss that further after our meeting.”
• And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

Info-Tech Insight
The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

Storytelling checklist

Checklist:

• Tailor your presentation based on how much time you have.
• Find out ahead of time how much time you have.
• Identify if your presentation is to inform/educate or reach a decision.
• Identify and communicate the business problem up front and answer the three questions (why, what, how).
• Express the problem in terms of business impact (risk, value, money).
• Prepare and send pre-meeting collateral to the members of the board and executive team.
• Include no more than 5-6 slides for your presentation.
• Factor in Q&A time at the end of your presentation window.
• Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
• Have an elevator speech handy – one or two sentences and a one-pager version of your story.
• Consider how you will build your relationship with the members outside the boardroom.

3.1.3 Build a compelling communication document

Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

A good slide design increases the likelihood that the audience will read the content carefully.

• Bad slide structure (flow) = Audience loses focus
  • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
• Good visual design = Audience might read more
  • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
• Good content + Good structure + Visual appeal = Good presentation
  • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

Slide design best practices

Leverage these slide design best practices to assist you in developing eye-catching presentations.

• Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
• Concise and clear: Fewer words = more skim-able.
• Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
• Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
• Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
• Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

Your presentation must have a logical flow

Vertical logic should be intuitive

The audience is unsure where to look and in what order.	The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

Horizontal and vertical logic checklists

Make it easy to read

Unnecessary coloring makes it hard on the eyes Margins for title at top is too small Content is not skim-able (best to break up the slide)	Increase skim-ability: Emphasize the subheadings Bold important words Make it easier on the eyes: Declutter and add sections Have more white space

Be concise and clear

1. Write your thoughts down
   • This gets your content documented.
   • Don’t worry about clarity or concision yet.
2. Edit for clarity
   • Make sure the key message is very clear.
   • Find your thesis statement.
3. Edit for concision
   • Remove unnecessary words.
   • Use the active voice, not passive voice (see below for examples).

Be memorable

Easy to read, but hard to remember the stats.	The visuals make it easier to see the size of the problem and make it much more memorable. Remember to: Have some kind of visual (e.g. graphs, icons, tables). Divide the content into sections. Have a bit of color on the page.

Aesthetics

This draft slide is just content from the outline document on a slide with no design applied yet.	Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate. Divide the content into sections. Have a bit of color on the page. Bold or italicize important text.

Why use visuals?

How graphics affect us

Cognitively

• Engage our imagination
• Stimulate the brain
• Heighten creative thinking
• Enhance or affect emotions

Emotionally

• Enhance comprehension
• Increase recollection
• Elevate communication
• Improve retention

Visual clues

• Help decode text
• Attract attention
• Increase memory

Persuasion

• 43% more effective than text alone

Source: Management Information Systems Research Center

Presentation format

Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

• Is there a standard presentation template?
• Is a hard-copy handout required?
• Is there a deadline for draft submission?
• Is there a deadline for final submission?
• Will the presentation be circulated ahead of time?
• Do you know what technology you will be using?
• Have you done a dry run in the meeting room?
• Do you know the meeting organizer?

Checklist to build compelling visuals in your presentation

Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

Checklist:

• Do the visuals grab the audience’s attention?
• Will the visuals mislead the audience/confuse them?
• Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
• Do the visuals present information simply, cleanly, and accurately?
• Do the visuals display the information/data in a concentrated way?
• Do the visuals illustrate messages and themes from the accompanying text?

3.2 Security communication templates

Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck. These presentation templates highlight different security topics depending on your communication drivers, goals, and available data. Info-Tech has created five security templates to assist you in building a compelling presentation. These templates provide support for presentations on the following five topics: Security Initiatives Security & Risk Update Security Metrics Security Incident Response & Recovery Security Funding Request Each template provides instructions on how to use it and tips on ensuring the right information is being presented. All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

Download the Security Presentation Templates

Security template example

It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.	This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

Security template example (continued)

This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

Security template example (continued)

This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.	The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

Phase 4

Deliver communication

This phase will walk you through the following activities:

• Identifying a strategy to deliver compelling presentations
• Ensuring you follow best practices for communicating and obtaining your security goals

This phase involves the following participants:

• Security leader

4.1 Deliver a captivating presentation

You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

Follow these tips to assist you in developing an engaging presentation:

• Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
• Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
• Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

Keep your audience engaged with these steps

• Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
• Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
• Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
• Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

Info-Tech Insight
Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

Be honest and straightforward with your communication

• Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
• Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
• No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

Hone presentation skills before meeting with the executive stakeholders

Checklist for presentation logistics

Optimize the timing of your presentation:

• Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
• Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
• Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

Script your presentation:

• Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
• Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
• Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
• Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

Checklist for presentation logistics (continued)

Other considerations:

• After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
• After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
• Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

Checklist for delivering a captivating presentation

Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

Checklist:

• Start with a story or something memorable to break the ice.
• Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
• Content must compliment your end goal, filter out any content that doesn’t compliment the end goal.
• Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
• Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

Checklist for delivering a captivating presentation (continued)

• Be deliberate in what you want to show your audience.
• Ensure you have clean slides so the audience can focus on what you’re saying.
• Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
• How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
• Ask for feedback.
• Record yourself presenting.

4.2 Obtain and verify support on security goals

Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

• This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
• Leverage your appendix and other supporting documents to justify your goals.
• Different approaches to obtaining and verifying your goals could include:
  • Acknowledgment from the audience that information communicated aligns with the business’s goals.
  • Approval of funding requests for security initiatives.
  • Written and verbal support for implementation of security initiatives.
  • Identifying next steps for information to communicate at the next executive stakeholder meeting.

Info-Tech Insight
Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

Checklist for obtaining and verify support on security goals

Follow this checklist to assist you in obtaining and verifying your communication goals.

Checklist:

• Be clear about follow-up and next steps if applicable.
• Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
• “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
• Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

Summary of Accomplishment

Problem Solved

A better understanding of security communication drivers and goals

• Understanding the difference between communication drivers and goals
• Identifying your drivers and goals for security presentation

A developed a plan for how and where to retrieve data for communication

• Insights on what type of data can be leveraged to support your communication goals
• Understanding who you can collaborate with and potential data sources to retrieve data from

A solidified communication plan with security templates to assist in better presenting to your audience

• A guideline on how to prepare security presentations to executive stakeholders
• A list of security templates that can be customized and used for various security presentations

A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

• Clear message on best practices for delivering security presentations to executive stakeholders
• Understanding how to verify your communication goals have been obtained

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Related Info-Tech Research

Build an Information Security Strategy
This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

Build a Security Metrics Program to Drive Maturity
This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

Bibliography

Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
Carnegie Endowment for International Peace. Web.
“Chief Information Security Officer Salary.” Salary.com, 2022. Web.
“CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
“Cyber Security Oversight in the Boardroom” KPMG, Jan. 2016. Web.
“Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
Dacri , Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
“Global Board Risk Survey.” EY. Web.
“Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
“How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors” Dentons. Web.
Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

Bibliography

“Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
“Reporting Cybersecurity Risk to the Board of Directors.” Web.
“Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance ,12 July 2022. Web.
Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
“The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
“Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
“Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

Research Contributors

• Fred Donatucci, New-Indy Containerboard, VP, Information Technology
• Christian Rasmussen, St John Ambulance, Chief Information Officer
• Stephen Rondeau, ZimVie, SVP, Chief Information Officer

Develop and Implement a Security Incident Management Program

Create a scalable incident response program without breaking the bank.

ANALYST PERSPECTIVE

Security incidents are going to happen whether you’re prepared or not. Ransomware and data breaches are just a few top-of-mind threats that all organizations deal with. Taking time upfront to formalize response plans can save you significantly more time and effort down the road. When an incident strikes, don’t waste time deciding how to remediate. Rather, proactively identify your response team, optimize your response procedures, and track metrics so you can be prepared to jump to action.

Céline Gravelines,
Senior Research Analyst
Security, Risk & Compliance Info-Tech Research Group

Céline Gravelines,
Senior Research Analyst
Security, Risk & Compliance Info-Tech Research Group

Our understanding of the problem

This Research is Designed For

• A CISO who is dealing with the following:
• Inefficient use of time and money when retroactively responding to incidents, negatively affecting business revenue and workflow.
• Resistance from management to adequately develop a formal incident response plan.
• Lack of closure of incidents, resulting in being re-victimized by the same vector.

This Research Will Help You

• Develop a consistent, scalable, and usable incident response program that is not resource intensive.
• Track and communicate incident response in a formal manner.
• Reduce the overall impact of incidents over time.
• Learn from past incidents to improve future response processes.

This Research Will Also Assist

• Business stakeholders who are responsible for the following:
• Improving workflow and managing operations in the event of security incidents to reduce any adverse business impacts.
• Ensuring that incident response compliance requirements are being adhered to.

This Research Will Help Them

• Efficiently allocate resources to improve incident response in terms of incident frequency, response time, and cost.
• Effectively communicate expectations and responsibilities to users.

Executive Summary

Situation

• Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
• The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources.

Complication

• Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
• Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being revictimized by the same vector.
• Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

Resolution

• Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
• This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

Info-Tech Insight

• You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
• Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
• Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

Data breaches are resulting in major costs across industries

Per capita cost by industry classification of benchmarked companies (measured in USD)

Average data breach costs per compromised record hit an all-time high of $148 (in 2018).
(Source: IBM, “2018 Cost of Data Breach Study)”

Source: Cisco, “Cisco 2017 Annual Cybersecurity Report”

Defining what is security incident management

IT Incident

Any event not a part of the standard operation of a service which causes, or may cause, the interruption to, or a reduction in, the quality of that service.

Security Event:

A security event is anything that happens that could potentially have information security implications.

• A spam email is a security event because it may contain links to malware.
• Organizations may be hit with thousands or perhaps millions of identifiable security events each day.
• These are typically handled by automated tools or are simply logged.

Security Incident:

A security incident is a security event that results in damage such as lost data.

• Incidents can also include events that don't involve damage but are viable risks.
• For example, an employee clicking on a link in a spam email that made it through filters may be viewed as an incident.

It’s not a matter of if you have a security incident, but when

The increasing complexity and prevalence of threats have finally caught the attention of corporate leaders. Prepare for the inevitable with an incident response program.

1. A formalized incident response program reduced the average cost of a data breach (per capita) from $148 to $134, while third-party involvement increased costs by $13.40.
2. US organizations lost an average of $7.91 million per data breach as a result of increased customer attrition and diminished goodwill. Canada and the UK follow suit at $1.57 and $1.39 million, respectively.
3. 73% of breaches are perpetrated by outsiders, 50% are the work of criminal groups, and 28% involve internal actors.
4. 55% of companies have to manage fallout, such as reputational damage after a data breach.
5. The average cost of a data breach increases by $1 million if left undetected for > 100 days.

(Sources: IBM, “2018 Cost of Data Breach Study”; Verizon, “2017 Data Breach Investigations Report”; Cisco, “Cisco 2018 Annual Cybersecurity Report”)

Threat Actor Examples

• Organized Crime Groups
• Lone Cyber Criminals
• Competitors
• Nation States
• Hacktivists
• Terrorists
• Former Employees
• Domestic Intelligence Services
• Current Employees (malicious and accidental)

Benefits of an incident management program

Effective incident management will help you do the following:

Improve efficacy
Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points and transition teams from firefighting to innovating.

Improve threat detection, prevention, analysis, and response
Enhance your pressure posture through a structured and intelligence-driven incident handling and remediation framework.

Improve visibility and information sharing
Promote both internal and external information sharing to enable good decision making.

Create and clarify accountability and responsibility
Establish a clear level of accountability throughout the incident response program, and ensure role responsibility for all tasks and processes involved in service delivery.

Control security costs
Effective incident management operations will provide visibility into your remediation processes, enabling cost savings from misdiagnosed issues and incident reduction.

Identify opportunities for continuous improvement
Increase visibility into current performance levels and accurately identify opportunities for continuous improvement with a holistic measurement program.

Impact

• Streamlined security incident management program.
• Formalized and structured response process.
• Comprehensive list of operational gaps and initiatives.
• Detailed response runbooks that predefine necessary operational protocol.
• Compliance and audit adherence.

• Reduced incident costs and remediation time.
• Increased operational collaboration between prevention, detection, analysis, and response efforts.
• Enhanced security pressure posture.
• Improved communication with executives about relevant security risks to the business.
• Preserved reputation and brand equity.

Incident management is essential for organizations of any size

Your incidents may differ, but a standard response ensures practical security.

Certain regulations and laws require incident response to be a mandatory process in organizations.

Security incident management is applicable to all verticals

• Finance
• Insurance
• Healthcare
• Public administration
• Education services
• Professional services
• Scientific and technical services

Maintain a holistic security operations program

Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.

Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

Info-Tech’s incident response blueprint is one of four security operations initiatives

Understand how incident response ties into related processes

Develop and Implement a Security Incident Management Program – project overview

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Measured value for Guided Implementations

Engaging in GIs doesn’t just offer valuable project advice – it also results in significant cost savings.

Insurance company put incident response aside; executives were unhappy

Organization implemented ITIL, but formal program design became less of a priority and turned more ad hoc.

Situation

• Ad hoc processes created management dissatisfaction around the organization’s ineffective responses to data breaches.
• Because of the lack of formal process, an entirely new security team needed to be developed, costing people their positions.

Challenges

• Lack of criteria to categorize and classify security incidents.
• Need to overhaul the long-standing but ineffective program means attempting to change mindsets, which can be time consuming.
• Help desk is not very knowledgeable on security.
• New incident response program needs to be in alignment with data classification policy and business continuity.
• Lack of integration with MSSP’s ticketing system.

Next steps:

• Need to get stakeholder buy-in for a new program.
• Begin to establish classification/reporting procedures.

Follow this case study to Phase 1

Phase 1

Prepare

Develop and Implement a Security Incident Management Program

Phase 1: Prepare

This phase walks you through the following activities:

1.1 Establish the drivers, challenges, and benefits.
1.2 Examine the security incident landscape and trends.
1.3 Understand your security obligations, scope, and boundaries.
1.4 Gauge your current process to identify gaps.
1.5 Formalize a security incident management charter.
1.6 Identify key players and develop a call escalation tree.
1.7 Develop a security incident management policy.

This phase involves the following participants:

• CISO
• Security team
• IT staff
• Business leaders

Outcomes of this phase

• Formalized stakeholder support.
• Security incident management policy.
• Security incident management charter.
• Call escalation tree.

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Ice breaker: What is a security incident for your organization?

1.1 Whiteboard Exercise – 60 minutes

How do you classify various incident types between service desk, IT/infrastructure, and security?

• Populate sticky notes with various incidents and assign them to the appropriate team.
• Who owns the remediation? When are other groups involved? What is the triage/escalation process?
• What other groups need to be notified (e.g. cyber insurance, Legal, HR, PR)?
• Are there dependencies among incidents?
• What are we covering in the scope of this project?

Mitigate the Risk of Cloud Downtime and Data Loss

Resilience and disaster recovery in an increasingly Cloudy and SaaSy world.

Analyst Perspective

Use this blueprint to expand your DRP and BCP to account for cloud services

As more applications are migrated to cloud-based services, disaster recovery (DR) and business continuity plans (BCP) must include an understanding of cloud risks and actions to mitigate those risks. This includes evaluating vendor and service reliability and resilience, security measures, data protection capabilities, and technology and business workarounds if there is a cloud outage or incident.

Use the risk assessments and cloud service incident response plans developed through this blueprint to supplement your DRP and BCP as well as further inform your crisis management plans (e.g. account for cloud risks in your crisis communication planning).

Executive Summary

Info-Tech Insight

Asking vendors about their DRP, BCP, and overall resilience has become commonplace. Expect your vendors to provide answers so you can assess risk. Furthermore, your vendor may have additional offerings to increase resilience or recommendations for third parties who can further assist your goals of improving cloud service resilience.

Key deliverable

Cloud Services Resilience Summary

Provide leadership with a summary of cloud risk, downtime workarounds implemented, and additional data protection.

Additional tools and templates in this blueprint

This blueprint will step you through the following actions to evaluate and mitigate cloud services risk

1. Assess your cloud risk

• Review your cloud services to determine potential impact of downtime/data loss, vendor SLA gaps, and vendor’s current resilience.

• Explore your cloud vendor’s resilience offerings, third-party solutions, DIY recovery options, and business workarounds.

• Document your cloud risk mitigation strategy and incident response plan, which might include a failover strategy, data protection, and/or business continuity.

Cloud Risk Mitigation

Identify options to mitigate risk

Create an incident response plan

Assess risk

Phase 1: Assess your cloud risk

Cloud does not guarantee uptime

Public cloud services (e.g. Azure, GCP, AWS) and popular SaaS solutions experience downtime every year.

A few cloud outage examples:

• Microsoft Azure AD outage, March 15, 2022:
  Many users could not log into O365, Dynamics, or the Azure Portal.
  Cause: software change.
• Three AWS outages in December 2021: December 7 (Netflix and others impacted), December 15 (Duo, Zoom, Slack, others), December 20 (Slack, Epic Games, others). Cause: network issues, power outage.
• Salesforce outage, May 12, 2022: Users could not access the Lightning platform. Cause: expired certificate.

Cloud availability

• Migrating to cloud services can improve availability, as they typically offer more resilience than most organizations can afford to implement themselves.
• However, having multiple data centers, zones, and regions doesn’t prevent all outages, as we see every year with even the largest cloud vendors.

DR challenges for IaaS, PaaS, and cloud-native

While there are limits to what you control, often traditional “failover” DR strategy can apply.

High-level challenges and resilience options:

• IaaS: No control over the hardware, but you can failover to another region. This is fairly similar to traditional DR.
• PaaS: No control over the software platform (e.g. SQL server as a service), but you can back up your data and explore vendor options to replicate your environment.
• Cloud-native applications: As with PaaS, you can back up your data and explore vendor options to replicate your environment.

Plan for resilience

• Include DR requirements when designing cloud service implementation. For example, for IaaS solutions, identify what data would need to be replicated and what services may need to be “always on” (e.g. database services where high-availability is demanded).
• Similarly, for PaaS and cloud-native solutions, consult your vendor regarding options to build in resilience options (e.g. ability to failover to another environment).

DR challenges for SaaS solutions

SaaS is the biggest challenge because you have no control over any part of the base application stack.

High-level challenges and resilience options:

• No control over the hardware (or the facility, maintenance processes, and so on).
• No control over the base application (control is limited to configuration settings and add-on customizations or integrations).
• Options to back up your data will depend on the service.

Note: The rest of this blueprint is focused primarily on SaaS resilience due to the challenges listed here. For other cloud services, leverage traditional DR strategies and vendor management to mitigate risk (as summarized on the previous slides).

Focus on what you can control

• For SaaS solutions in particular, you must toss out traditional DR. If Salesforce has an outage, you won’t be involved in recovering the system.
• Instead, DR for SaaS needs to focus on improving resilience where you do have control and implementing business workarounds to bridge the gap.

Evaluate your cloud services to clarify your specific risks

Time and money is limited, so focus first on cloud services that are most critical and evaluate the vendors’ SLA and existing resilience capabilities.

The activities on the next two slides will evaluate risk through two approaches:

Activity 1: Quantify potential impact and prioritize cloud services using a business impact analysis (BIA)

1-3 hours

1. Download the latest version of our DRP BIA: DRP Business Impact Analysis Tool. The tool includes instructions.
2. Include the cloud services you want to assess in the list of applications/systems (see the tool excerpt below), and follow the BIA methodology outlined in the Create a Right-Sized Disaster Recovery Plan blueprint.
3. Use the results to quantify potential impact and prioritize your efforts on the most-critical cloud services.

Activity 2: Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy

1-3 hours

Use the Cloud Services Incident Risk and Mitigation Review Tool as follows:

1. Send the Vendor Questionnaire tab to your cloud vendors to gather input, and review your existing agreements.
2. Copy the vendor responses into the tool (see the instructions in the tool) and evaluate. See the example excerpt below.
3. Identify action items to clarify gaps or address risks. Some action items might not be defined yet and will need to wait until you have had a chance to further explore risk mitigation options.

Phase 2: Identify options to mitigate risk

Consult your vendor to identify options to improve resilience, as a starting point

Your vendor might also be able to suggest third parties that offer additional support, backup, or service continuity options.

• The Vendor Questionnaire tab in the Cloud Services Incident Risk and Mitigation Review Tool includes a section at the bottom where your vendor can name additional options to improve resilience (e.g. premium support packages, potentially their own DR services).
• If your vendor has not completed that part of the questionnaire, meet with them to discuss this. Asking service vendors about resilience has become commonplace, so they should be prepared to answer questions about their own offerings and potentially can name trusted third-party vendors who can further assist you.
• Leverage Info-Tech’s advisory services to evaluate options outlined by your vendor and potential third-party options (e.g. enterprise backup solutions that support backing up SaaS data).

Some SaaS solutions have plenty of resilience options; others not so much

• The pervasiveness of O365 has led vendors to close the service continuity gap, with options to send and receive email during an outage and back up your data.
• With many SaaS solutions, there isn’t going to be a third-party service continuity option, but you might still be able to at least back up your data and implement business process workarounds to close the service gap.

Example SaaS risk and mitigation: O365

Example SaaS risk and mitigation: Salesforce

Establish a baseline standard for risk mitigation, regardless of cloud service

At a minimum, set a goal to review vendor risk at least annually, define standard processes for monitoring outages, and review options to back up your SaaS data.

Example baseline standard for cloud risk mitigation

• Review vendor risk at least annually. This includes reviewing SLAs, vendor’s incident preparedness (e.g. do they have a current DRP, BCP, and Security IRP?), and the vendor’s data protection strategy.
• Incident response plans must include, at a minimum, steps to monitor vendor outage and communicate status to relevant stakeholders. Where possible, business process workarounds are defined to bridge the service gap.
• For critical data (based on your BIA and an evaluation of risk), maintain your own backups of SaaS data for additional protection.

Embed risk mitigation standards into existing IT operations

• Include specific SLA requirements, including incident management processes, in your RFP process and annual vendor review.
• Define cloud incident response in your incident management procedures.
• Include cloud data considerations in your backup strategy reviews.

Phase 3: Create an incident response plan

Activity 1: Review the example incident response workflows and case studies as a starting point

1-3 hours

Review the SaaS Incident Response Workflows examples. The examples illustrate different approaches to incident response depending on the criticality of the service and options available. Review the case studies on the next few slides, which further illustrate the resilience and incident response solutions implemented. Note the key elements: Detection Assessment Monitoring status / contacting the vendor Communication with key stakeholders Invoking workarounds, if applicable	Example SaaS Incident Response Workflow Excerpt	Materials
		SaaS Incident Response Workflows examples
		Participants
		Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience. Relevant business process owners to provide input and define business workarounds, where applicable.

Case Study 1: Recovery plan for critical fundraising event

If either critical SaaS dependency fails, the following plan is executed:

1. Donors are redirected to a predefined alternate donation page hosted by a different service. The alternate page connects to the backup payment processing service (with predefined integrations).
2. Marketing communications support the redirect.
3. While the backup solution doesn’t gather as much data, the payment details provide enough information to follow up with donors where necessary.

Criticality justified a failover option

The Annual Day of Giving generates over 50% of fundraising for the year. It’s critically dependent on two SaaS solutions that host the donation page and payment processing.

To mitigate the risk, the organization implemented the ability to failover to an alternate “environment” – much like a traditional DR solution – supported by workarounds to manage data collection.

Case Study 2: Protecting customer data

Daily exports from a SaaS-hosted donations site reduce potential data loss:

1. Daily exports to a CRM support donor profile updates and follow-ups (tax receipts, thank-you letters, etc.).
2. The exports also mitigate the risk of data loss due to an incident with the SaaS-hosted donation site.
3. This company is exploring more-frequent exports to further reduce the risk of data loss.

Protecting your data gives you options

For critical data, do you want to rely solely on the vendor’s default backup strategy?

If your SaaS vendor is hit by ransomware or if their backup frequency doesn’t meet your needs, having your own data backup gives you options.

It can also support business process workarounds that need to access that data while waiting for SaaS recovery.

Case Study 3: Recovery plan for payroll

To enable a more accurate payroll workaround, the following is done:

1. After each payroll run, export the payroll data from the SaaS solution to a secure location.
2. If there is a SaaS outage when payroll must be submitted, the exported data can be modified and converted to an ACH file.
3. The ACH file is submitted to the bank, which has preapproved this workaround.

BCP can bridge the gap

When leadership looks to IT to mitigate cloud risk, include BCP in the discussion.

Payroll is a good example where the best recovery option might be a business continuity workaround.

IT often still has a role in business continuity workarounds, as in this case study: specifically, providing a solution to modify and convert the payroll data to an ACH file.

Activity 2: Run tabletop planning exercises as a starting point to build your incident response plan

1-3 hours

Activity 3: Summarize cloud services resilience to inform senior leadership of current risks and mitigation efforts

1-3 hours

Use the Cloud Services Resilience Summary example as a template to capture the following: The results of your vendor review (i.e. incident management SLAs, incident response preparedness, data protections strategy). The current state of your downtime workarounds and additional data loss protection. Your baseline standard for cloud services risk mitigation. Summary of resilience, risks, workarounds, and data loss protection for each individual cloud service that you have reviewed. Present the results to senior leadership to: Highlight risks to inform business decisions to mitigate or accept those risks. Summarize actions already taken to mitigate risks. Communicate next steps (e.g. action items to address remaining risks).	Cloud Services Resilience Summary – Table of Contents	Materials
		Cloud Services Resilience Summary
		Participants
		Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience. Review results with relevant business process owners to provide input and define business workarounds where applicable.

Summary: For cloud services, after evaluating risk, IT must adapt how they approach risk mitigation

1. Identify failover options where possible

• A failover strategy is possible for many cloud services (e.g. IaaS replication to another region, or failing over SaaS to an alternate solution as in case study 1).

• Explore supplementary backup options to protect against ransomware, data corruption, or data loss and support business continuity workarounds (see case study 2).

• This doesn’t absolve IT of its role in mitigating cloud incident risk, but business process workarounds can bridge the gap where IT options are limited (see case study 3).

Related Info-Tech Research

IT DRP Maturity Assessment

Get an objective assessment of your DRP program and recommendations for improvement.

Create a Right-Sized Disaster Recovery Plan

Close the gap between your DR capabilities and service continuity requirements.

Develop a Business Continuity Plan

Streamline the traditional approach to make BCP development manageable and repeatable.

Implement Crisis Management Best Practices

Don’t be another example of what not to do. Implement an effective crisis response plan to minimize the impact on business continuity, reputation, and profitability.

Establish Effective Data Stewardship

Leverage your organization's business subject matter experts to drive impactful data use and handling.

Analyst perspective

Leverage your organization's business subject matter experts to drive impactful data use and handling.

Data stewards bring valuable expertise and knowledge about their business areas: priorities, business capabilities and processes, and challenges and opportunities with respect to data. Because this knowledge cannot be easily replicated, going outside your organization to hire a data steward is not the most effective route.

While it may seem difficult, organizing internally to harvest the already existing institutional knowledge of your business subject matter experts (SMEs) will give a better – and faster – return when setting up and formalizing data stewardship.

The role must be well defined and communicated. We cannot expect SMEs to wear a hat without understanding the expectations for their role. They must be set up for success – they must be empowered, recognized, and rewarded.

Crystal Singh
Director, Research and Advisory, Data and Analytics Practice
Info-Tech Research Group

Phase breakdown

Phase 1: Data Stewardship Value Proposition

• Define the value of data stewardship and data governance, their importance, and the relationship between them.
• Determine where data stewards fit in the bigger data governance operating structure. The data steward role will not be effective without the other data governance roles.
• Highlight the gains of effective data stewardship: e.g. data quality management, data definition, data sharing, and the ethical use and handling of data.

Phase breakdown

Phase 2: Data Steward Role Design

• Who makes a good data steward? Important knowledge and skills include subject area expertise, institutional knowledge, collaborative skills, interpersonal, and political skills, an understanding of your organization's culture, and the ability to build good partnerships across business functions and with data management.
• Seek out SMEs from within your organization. This may require you to mold and shape individuals to step up and into the role. An external hire will give capacity but will be more difficult (and time consuming) to ramp up.
• Consult internally in your organization. For example, consult and liaise with Human Resources (HR) to determine if job descriptions need to be updated, if there would be any impact to compensation, etc.
• Determine if this role needs to be a full-time role.
• Demystify the role. Clarify that this is not an IT role and therefore will not require IT skills.
• Leverage Info-Tech data governance patterns:
  • Data Stewardship in Action – Sample Data Quality Issue Resolution Process Template and Business Term and Data Definitions
  • Sample Data Steward (and Data Owner) to Data Domain Mapping

Phase breakdown

Phase 3: Strategies for Data Stewardship Success

• Establish a solid data governance foundation in your organization.
• Develop data stewardship onboarding: e.g. literacy and training, and frequently asked questions (FAQs).
• Gain support from data owners, the director general (DG) committee, data leadership, and executive leaders/champions.
• Set up rewards and recognition for the role.
• Establish a feedback loop/mechanism for data stewards so the stewardship program can be adjusted accordingly.
• Establish communication and create awareness of the role.

Establishing effective data stewardship

Leverage your organization's business SMEs to drive impactful data use and handling.

Unlock the value of data through people.

Data Steward Value Proposition
Clearly articulate the data stewardship value proposition. What's in it for the person, their line of business or mandate, and your organization as a whole.

Data Steward Role Design
Formally design and define the role of a data steward, including the functions and capabilities.

Strategies for Success
Set up your data stewards for success. Having a detailed role definition on paper is not enough. Ensure that you go the extra mile to deliver the relevant training, such as data stewardship onboarding and an awareness program.

Executive summary

Info-Tech Insight
Effective data governance requires a solid foundation. Data stewards provide the foundation for data governance. The time and effort to define this role properly will yield sound data governance return.

Phase 1: Data Stewardship Value Proposition

What is the VALUE of a DATA STEWARD?

Value of a Data Steward

Improved Data Quality Management

Clear and Consistent Data Definition

Increased Data Sharing and Collaboration

Ethical Handling of Data

Define the strategic value of data in your organization

Harness the value of data to power intelligent and transformative organizational performance.

Optimize the way you serve your stakeholders.

Respond to industry disruption.

Develop products and services to meet ever-evolving needs.

Manage operations and mitigate risk.

Data governance is an enabling framework of decision rights, responsibilities, and accountabilities for data assets across an organization.

Data governance is:

• Executed according to agreed-upon models that describe who can take what actions with what information, when, and using what methods (CIO.com, 2021).
• True business-IT collaboration that leads to increased consistency and confidence in data to support decision making

If done correctly, data governance is not:

• An annoying, finger-waving roadblock in the way of getting things done
• An inhibitor or impediment to using and sharing data

Data governance is about putting guard rails in place to better support the use and handling of your organization's data.

Is there a clear definition of data accountability and responsibility in your organization?

CIO Priorities 2023

Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

Analyst Perspective

Take a full view of the board and use all your pieces to win.

In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters. To view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.

If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.

In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.

It's up to them to assess their gaps, consider the present scenario, and then make their next move.

Brian Jackson
Principal Research Director, Research – CIO
Info-Tech Research Group

CIO Priorities 2023 is informed by Info-Tech's primary research data of surveys and benchmarks

Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.

2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.

2023 The State of Hybrid Work in IT Survey; N=518
The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.

Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.

Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).

The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.

Build IT alignment

Assess your IT processes

Determine stakeholder satisfaction

Most IT departments should aim to drive outcomes that deliver better efficiency and cost savings

Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.

In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.

Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.

Current and future state of IT maturity

Trends indicate a need to focus on leadership and change management

Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.

To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.

Tier 1: The Most Important Capabilities In 2023

Enterprise Application Selection & Implementation Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost.
Leadership, Culture, and Values Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance.
Data Architecture Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization.
Organizational Change Management Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture.
External Compliance Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.

Info-Tech's Management and Diagnostic Benchmark

Tier 2: Other Important Capabilities In 2023

Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.

Asset Management Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed.
Business Intelligence and Reporting Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis.
Business Value Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits.
Cost and Budget Management Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services.
Data Quality Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business.
Enterprise Architecture Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure.
IT Organizational Design Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business.
Performance Measurement Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance.
Stakeholder Relations Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes.
Vendor Management Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance.

Defining the CIO Priorities for 2023

Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.

The Five CIO Priorities for 2023

Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

1. Adjust IT operations to manage for inflation
   • Business Value
   • Vendor Management
   • Cost and Budget Management
2. Prepare your data pipeline to train AI
   • Business Intelligence and Reporting
   • Data Quality
   • Data Architecture
3. Go all in on zero-trust security
   • Asset Management
   • Stakeholder Relations
   • External Compliance
4. Engage employees in the digital age
   • Leadership, Culture, and Values
   • Organizational Change Management
   • Enterprise Architecture
5. Shape the IT organization to improve customer experience
   • Enterprise Application Selection & Implementation
   • Performance Measurement
   • IT Organizational Design

Adjust IT operations to manage for inflation

Priority 01

• APO06 Cost and Budget Management
• APo10 Vendor Management
• EDM02 Business Value

Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.

Inflation takes a bite out of the budget

Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).

CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. For the 27% expecting an increase between 1-5%, they are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.

Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

Global inflation estimates by year

International Monetary Fund, 2022

CIOs are more optimistic about budgets than their supervisors

Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.

While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CXOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.

When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CXOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.

CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.

Expect headcount to stay flat or decline over 3-5 years

IT budget expectations to stay flat or decrease before inflation

IT budget expectations to stay flat or decrease adjusted for inflation

Info-Tech's CEO-CIO Alignment Program

Opportunities

Appoint a "cloud economist"

Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.

Partner with technology providers

Keep your friends close and your vendors closer. Look for opportunities to create leverage with your strategic vendors to unlock new opportunities. Identify if a vendor you work with is not entrenched in your industry and offer them the credibility of working with you in exchange for a favorable contract. Offering up your logo for a website listing clients or giving your own time to speak in a customer session at a conference can go a long way to building up some goodwill with your vendors. That's goodwill you'll need when you ask for a new multi-year contract on your software license without annual increases built into the structure.

Demonstrate IT projects improve efficiency

An IT department that operates at the Optimize level of Info-Tech's maturity scale can deliver outcomes that lower costs for other departments. IT can defend its own budget if it's able to demonstrate that its initiatives will automate or augment business activities in a way that improves margins. The argument becomes even more compelling if IT can demonstrate it is supporting a revenue-generating initiative or customer-facing experience. CIOs will need to find business champions to vouch for the important contributions IT is making to their area.

Risks

Imposition of non-financial reporting requirements

In some jurisdictions, the largest companies will be required to start collecting information on carbon emissions emitted as a result of business activities by the end of next year. Smaller sized organizations will be next on the list to determine how to meet new requirements issued by various regulators. Risks of failure include facing fines or being shunned by investors. CIOs will need to support their financial reporting teams in collecting the new required data accurately. This will incur new costs as well.

Rising asset costs

Acquiring IT equipment is becoming more expensive due to overall inflation and specific pressures around semiconductor supply chains. As a result, more CIOs are extending their device refresh policies to last another year or two. Still, demands for new devices to support new hybrid work models could put pressure on budgets as IT teams are asked to modernize conferencing rooms. For organizations adopting mixed reality headsets, cutting-edge capabilities will come at a premium. Operating costs of devices may also increase as inflation increases costs of the electricity and bandwidth they depend on.

CASE STUDY
Leverage your influence in vendor negotiations

Denise Cornish, Associate VP of IT and Deputy COO,
Western University of Health Sciences

Since taking on the lead IT role at Western University in 2020, Denise Cornish has approached vendor management like an auditable activity. She evaluates the value she gets from each vendor relationship and creates a list of critical vendors that she relies upon to deliver core business services. "The trick is to send a message to the vendor that they also need us as a customer that's willing to act as a reference," she says. Cornish has managed to renegotiate a contract with her ERP vendor, locking in a multi-year contract with a very small escalator in exchange for presenting as a customer at conferences. She's also working with them on developing a new integration to another piece of software popular in the education space.

Western University even negotiated a partnership approach with Apple for a program run with its College of Osteopathic Medicine of the Pacific (COMP) called the Digital Doctor Bag. The partnership saw Apple agree to pre-package a customer application developed by Western that delivered the curriculum to students and facilitated communications across students and faculty. Apple recognized Western as an Apple Distinguished School, a program that recognizes innovative schools that use Apple products.

"I like when negotiations are difficult.
I don't necessarily expect a zero-sum game. We each need to get something out of this and having the conversation and really digging into what's in it for you and what's in it for me, I enjoy that. So usually when I negotiate a vendor contract, it's rare that it doesn't work out."

CASE STUDY
Control cloud costs with a simplified approach

Jim Love, CIO, IT World Canada

As an online publisher and a digital marketing platform for technology products and services companies, IT World Canada (ITWC) has observed that there are differences in how small and large companies adopt the cloud as their computing infrastructure. For smaller companies, even though adoption is accelerating, there may still be some reluctance to fully embrace cloud platforms and services. While larger companies often have a multi-cloud approach, this might not be practical for smaller IT shops that may struggle to master the skills necessary to effectively manage one cloud platform. While Love acknowledges that the cloud is the future of corporate computing, he also notes that not all applications or workloads may be well suited to run in the cloud. As well, moving data into the cloud is cheap but moving it back out can be more expensive. That is why it is critical to understand your applications and the data you're working with to control costs and have a successful cloud implementation.

"Standardization is the friend of IT. So, if you can standardize on one platform, you're going to do better in terms of costs."

From priorities to action

Go deeper on pursuing your priorities by improving the associated capabilities.

Improve Cost and Budget Management

Take control of your cloud costs by providing central financial oversight on the infrastructure-as-a-service provider your organization uses. Create visibility into your operational costs and define policies to control them. Right-size the use of cloud services to stay within organizational budget expectations.

Take Control of Cloud Costs on AWS

Take Control of Cloud Costs on Microsoft Azure

Improve Business Value

Reduce the funds allocated to ongoing support and impose tougher discipline around change requests to lighten your maintenance burden and make room for investment in net-new initiatives to support the business.

Free up funds for new initiatives

Improve Vendor Management

Lay the foundation for a vendor management process with long-term benefits. Position yourself as a valuable client with your strategic vendors and leverage your position to improve your contract terms.

Elevate Your Vendor Management Initiative

Prepare your data pipeline to train AI

Priority 02

• ITRG06 BUSINESS INTELLIGENCE AND REPORTING
• ITRG07 DATA ARCHITECTURE
• ITRG08 DATA QUALITY

Keep pace as the market adopts AI capabilities, and be ready to create competitive advantage.

Today's innovation is tomorrow's expectation

During 2022, some compelling examples of generative-AI-based products took the world by storm. Images from AI-generating bots Midjourney and Stable Diffusion went viral, flooding social media and artistic communities with images generated from text prompts. Exchanges with OpenAI's ChatGPT bot also caught attention, as the bot was able to do everything from write poetry, to provide directions on a cooking recipe and then create a shopping list for it, to generate working code in a variety of languages. The foundation models are trained with AI techniques that include generative adversarial networks, transformers, and variational autoencoders. The end result is an algorithm that can produce content that's meaningful to people based on some simple direction. The industry is only beginning to come to grips with how this sort of capability will disrupt the enterprise.

Slightly more than one-third of IT professionals say their organization has already invested in AI or machine learning. It's the sixth-most popular technology to have already invested in after cloud computing (82%), application programming interfaces (64%), workforce management solutions (44%), data lakes (36%), and next-gen cybersecurity (36%). It's ahead of 12 other technologies that IT is already invested in.

When we asked what technologies organizations planned to invest in for next year, AI rocketed up the list to second place, as it's selected by 44% of IT professionals. It falls behind only cloud computing. This jump up the list makes AI the fastest growing technology for new investment from organizations.

Many AI capabilities seem cutting edge now, but organizations are prioritizing it as a technology investment. In a couple of years, access to foundational models that produce images, text, or code will become easy to access with a commercial license and an API integration. AI will become embedded in off-the-shelf software and drive many new features that will quickly become commonplace.

To stay even with the competition and meet customer expectations, organizations will have to work to at least adopt these AI-enhanced products and services. For those that want to create a competitive advantage, they will have to build a data pipeline that is capable of training their own custom AI models based on their unique data sets.

Which of the following technology categories has your organization already invested in?

Which of those same technologies does your organization plan to invest in by the end of 2023?

Tech Trends 2023 Survey

Data quality and governance will be critical to customize generative AI

Data collection and analysis are on the minds of both CIOs and their supervisors. When asked what technologies the business should adopt in the next three to five years, big data (analytics) ranked as most critical to adopt among CIOs and their supervisors. Big data (collection) ranked fourth out of 11 options.

Organizations that want to drive a competitive advantage from generative AI will need to train these large, versatile models on their own data sets. But at the same time, IT organizations are struggling to provide clean data. The second-most critical gap for IT organizations on average is data quality, behind only organizational change management. Organizations know that data quality is important to support analytics goals, as algorithms can suffer in their integrity if they don't have reliable data to work with. As they say, garbage in, garbage out.

Another challenge to overcome is the gap seen in IT governance, the sixth largest gap on average. Using data toward training custom generative models will hold new compliance and ethical implications for IT departments to contend with. How user data can be leveraged is already the subject of privacy legislation in many different jurisdictions, and new AI legislation is being developed in various places around the world that could create further demands. In some cases, users are reacting negatively to AI-generated content.

Biggest capability gaps between rated importance and effectiveness

IT Management and Governance Diagnostic

Most critical technologies to adopt rated by CIOs and their supervisors

CEO-CIO Alignment Program

Opportunities

Enterprise content discovery

Many organizations still cobble together knowledgebases in SharePoint or some other shared corporate drive, full of resources that no one quite knows how to find. A generative AI chatbot holds potential to be trained on an organization's content and produce content based on an employee's queries. Trained properly, it could point employees to the right resource they need to answer their question or just provide the answer directly.

Supply chain forecasts

After Hurricane Ian shut down a Walmart distribution hub, the retailer used AI to simulate the effects on its supply chain. It rerouted deliveries from other hubs based on the predictions and planned for how to respond to demand for goods and services after the storm. Such forecasts would typically take a team of analysts days to compose, but thanks to AI, Walmart had it done in a matter of hours (The Economist, 2022).

Reduce the costs of AI projects

New generative AI models of sufficient scale offer advantages over previous AI models in their versatility. Just as ChatGPT can write poetry or dialogue for a play or perhaps a section of a research report (not this one, this human author promises), large models can be deployed for multiple use cases in the enterprise. One AI researcher says this could reduce the costs of an AI project by 20-30% (The Economist, 2022).

Risks

Impending AI regulation

Multiple jurisdictions around the world are pursuing new legislation that imposes requirements on organizations that use AI, including the US, Europe, and Canada. Some uses of AI will be banned outright, such as the real-time use of facial recognition in public spaces, while in other situations people can opt out of using AI and work with a human instead. Regulations will take the risk of the possible outcomes created by AI into consideration, and organizations will often be required to disclose when and how AI is used to reach decisions (Science | Business, 2022). Questions around whether creators can prevent their content from being used for training AI are being raised, with some efforts already underway to collect a list of those who want to opt out. Organizations that adopt a generative AI model today may find it needs to be amended for copyright reasons in the future.

Bias in the algorithms

Organizations using a large AI model trained by a third party to complete their tasks or as a foundation to further customize it with their own data will have to contend with the inherent bias of the algorithm. This can lead to unintended negative experiences for users, as it did for MIT Technology Review journalist Melissa Heikkilä when she uploaded her images to AI avatar app Lensa, only to have it render a collection of sexualized portraits. Heikkilä contends that her Asian heritage overly influenced the algorithm to associate her with video-game characters, anime, and adult content (MIT Technology Review, 2022).

Convincing nonsense

Many of the generative AI bots released so far often create very good responses to user queries but sometimes create nonsense that at first glance might seem to be accurate. One example is Meta's Galactica bot – intended to streamline scientific research discovery and aid in text generation – which was taken down only three days after being made available. Scientists found that it generated fake research that sounded convincing or failed to do math correctly (Spiceworks, 2022).

CASE STUDY
How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices

Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

At the Toronto Raptors practice facility, the OVO Athletic Centre, a new 120-foot custom LG video screen towers over the court. The video board is used to playback game clips so coaches can use them to teach players, but it also displays analytics from algorithmic models that are custom-made for each player. Data on shot-making or defensive deflections are just a couple examples of what might inform the players.

Vice President of Digital Technology Christian Magsisi leads a functional Digital Labs technical group at MLSE. The in-house team builds the specific data models that support the Raptors in their ongoing efforts to improve. The analytics are fed by Noah Analytics, which uses cognitive vision to provide real-time feedback on shot accuracy. SportsVU is a motion capture system that represents how players are positioned on the court, with detail down to which way they are facing and whether their arms are up or down. The third-party vendors provide the solutions to generate the analytics, but it's up to MLSE's internal team to shape them to be actionable for players during a practice.

"All the way from making sure that a specific player is achieving the results that they're looking for and showing that through data, or finding opportunities for the coaching staff. This is the manifestation of it in real life. Our ultimate goal with the coaches was to be able to take what was on emails or in a report and sometimes even in text message and actually implement it into practice."

Read the full story on Spiceworks Insights.

How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices (cont.)

Humza Teherany, Chief Technology Officer, MLSE

MLSE's Digital Labs team architects its data insights pipeline on top of cloud services. Amazon Web Services Rekognition provides cognitive vision analysis from video and Amazon Kinesis provides the video processing capabilities. Beyond the court, MLSE uses data to enhance the fan experience, explains CTO Humza Teherany. It begins with having meaningful business goals about where technology can provide the most value. He starts by engaging the leadership of the organization and considering the "art of the possible" when it comes to using technology to unlock their goals.

Humza Teherany (left) and Christian Magsisi lead MLSE's digital efforts for the pro sports teams owned by the group, including the Toronto Raptors, Toronto Maple Leafs, and Toronto Argonauts. (Photo by Brian Jackson).

Read the full story on Spiceworks Insights.

"Our first goal in the entire buildup of the Digital Labs organization has been to support MLSE and all of our teams. We like to do things first. We leverage our own technology to make things better for our fans and for our teams to complete and find incremental advantages where possible."
Humza Teherany,
Chief Technology Officer, MLSE

From priorities to action

Go deeper on pursuing your priorities by improving the associated capabilities.

Improve Data Quality

The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

Prepare for Cognitive Service Management

Improve Business Intelligence and Reporting

Explore the enterprise chatbots that are available to not only assist with customer interactions but also help your employees find the resources they need to do their jobs and retrieve data in real time.

Explore the best chatbots software

Improve Data Architecture

Understand if you are ready to embark on the AI journey and what business use cases are appropriate for AI. Plan around the organization's maturity in people, tools, and operations for delivering the correct data, model development, and model deployment and managing the models in the operational areas.

Create an Architecture for AI

Go all in on zero-trust security

Priority 03

• BAI09 ASSET MANAGEMENT
• APO08 STAKEHOLDER RELATIONS
• MEA03 EXTERNAL COMPLIANCE

Adopt zero-trust architecture as the new security paradigm across your IT stack and from an organizational risk management perspective.

Putting faith in zero trust

The push toward a zero-trust security framework is becoming necessary for organizations for several different reasons over the past couple of years. As the pandemic forced workers away from offices and into their homes, perimeter-based approaches to security were challenged by much wider network footprints and the need to identify users external to the firewall. Supply-chain security became more of a concern with notable attacks affecting many thousands of firms, some with severe consequences. Finally, the regulatory pressure to implement zero trust is rising following President Joe Biden's 2021 Executive Order on Improving the Nation's Cybersecurity. It directs federal agencies to implement zero trust. That will impact any company doing business with the federal government, and it's likely that zero trust will propagate through other government agencies in the years ahead. Zero-trust architecture can also help maintain compliance around privacy-focused regulations concerned about personal data (CSO Online, 2022).

IT professionals are modestly confident that they can meet new government legislation regarding cybersecurity requirements. When asked to rank their confidence on a scale of one to five, the most common answer was 3 out of 5 (38.5%). The next most common answer was 4 out of 5 (33.3%).

Zero-trust barriers:
Talent shortage and lack of leadership involvement

Out of a list of challenges, IT professionals are most concerned with talent shortages leading to capacity constraints in cybersecurity. Fifty-four per cent say they are concerned or very concerned with this issue. Implementing a new zero-trust framework for security will be difficult if capacity only allows for security teams to respond to incidents.

The next most pressing concern is that cyber risks are not on the radar of executive leaders or the board of directors, with 46% of IT pros saying they are concerned or very concerned. Since zero-trust requires that organizations take an enterprise risk management approach to cybersecurity and involve top decision makers, this reveals another area where organizations may fall short of achieving a zero-trust environment.

How confident are you that your organization is prepared to meet current and future government legislation regarding cybersecurity requirements?

Zero trust mitigates risk while removing friction

A zero-trust approach to security requires organizations to view cybersecurity risk as part of its overall risk framework. Both CIOs and their supervisors agree that IT-related risks are a pain point. When asked to rate the severity of pain points, 58% of CIOs rated IT-related business risk incidents as a minor pain or major pain. Their supervisors were more concerned, with 61% rating it similarly. Enterprises can mitigate this pain point by involving top levels of leadership in cybersecurity planning.

Organizations can be wary about implementing new security measures out of concern it will put barriers between employees and what they need to work. Through a zero-trust approach that focuses on identity verification, friction can be avoided. Overall, IT organizations did well to provide security without friction for stakeholders over the past 18 months. Results from Info-Tech's CIO Business Vision Diagnostic shows that stakeholders almost all agree friction due to security practices are acceptable. The one area that stands to be improved is remote/mobile device access, where 78.3% of stakeholders view the friction as acceptable.

A zero-trust approach treats user identity the same regardless of device and whether it is inside or outside of the corporate network. This can remove friction when workers are looking to connect remotely from a mobile device.

IT-related business risk incidents viewed as a pain point

Business stakeholders rate security friction levels as acceptable

CIO Business Vision Diagnostic, N=259

Opportunities

Move to identity-driven access control

Today's approach to access control on the network is to allow every device to exchange data with every other device. User endpoints and servers talk to each other directly without any central governance. In a zero-trust environment, a centralized zero-trust network access broker provides one-to-one connectivity. This allows servers to rest offline until needed by a user with the right access permissions. Users verify their identity more often as they move throughout the network. The user can access the resources and data they need with minimal friction while protecting servers from unauthorized access. Log files are generated for analysis to raise alerts about when an authorized identity has been compromised.

Protect data with just-in-time authentication

Many organizations put process in place to make sure data at rest is encrypted, but often when users copy that data to their own devices, it becomes unencrypted, allowing attackers opportunities to exfiltrate sensitive data from user endpoints. Moving to a zero-trust environment where each data access is brokered by a central broker allows for encryption to be preserved. Parties accessing a document must exchange keys to gain access, locking out unauthorized users that don't have both sets of keys to decrypt the data (MIT Lincoln Laboratory, 2022).

Harness free and open-source tools to deploy zero trust

IT teams may not be seeing a budget infusion to invest in a new approach to security. By making use of the many free and open-source tools available, they can bootstrap their strategy into reality. Here's a list to get started:

PingCastle Wrangle your Active Directory and find all the domains that you've long since forgotten about and manage the situation appropriately. Also builds a spoke-and-hub map of your Active Directory.

OpenZiti Create an overlay network to enable programmable networking that supports zero trust.

Snyk Developers can automatically find and fix vulnerabilities before they commit their code. This vendor offers a free tier but users that scale up will need to pay.

sigstore Open-source users and maintainers can use this solution to verify the code they are running is the code the developer intended. Works by stitching together free services to facilitate software signing, verify against a transparent ledger, and provide auditable logs.

Microsoft's SBOM generation tool A software bill of materials is a requirement in President Biden's Executive Order, intended to provide organizations with more transparency into their software components by providing a comprehensive list. Microsoft's tool will work with Windows, Linux, and Mac and auto-detect a longlist of software components, and it generates a list organized into four sections that will help organizations comprehend their software footprint.

Risks

Organizational culture change to accommodate zero trust

Zero trust requires that top decision makers get involved in cybersecurity by treating it as an equal consideration of overall enterprise risk. Not all boards will have the cybersecurity expertise required, and some executives may not prioritize cybersecurity despite the warnings. Organizations that don't appoint a chief information security officer (CISO) role to drive the cybersecurity agenda from the top will be at risk of cybersecurity remaining an afterthought.

Talent shortage

No matter what industry you're in or what type of organization you run, you need cybersecurity. The demand for talent is very high and organizations are finding it difficult to hire in this area. Without the talent needed to mature cybersecurity approaches to a zero-trust model, the focus will remain on foundational principles of patch management to eliminate vulnerabilities and intrusion prevention. Smaller organizations may want to consider a "virtual CISO" that helps shape the organizational strategy on a part-time basis.

Social engineering

Many enterprise security postures remain vulnerable to an attack that commandeers an employee's identity to infiltrate the network. Hosted single sign-on models provide low friction and continuity of identity across applications but also offer a single point of failure that hackers can exploit. Phishing scams that are designed to trick an employee into providing their credentials to a fake website or to just click on a link that delivers a malware payload are the most common inroads that criminals take into the corporate network. Being aware of how user behavior influences security is crucial.

CASE STUDY
Engage the entire organization with cybersecurity awareness

Serge Suponitskiy, CIO, Brosnan Risk Consultants

Brosnan provides private security services to high-profile clients and is staffed by security experts with professional backgrounds in intelligence services and major law enforcement agencies. Safe to say that security is taken seriously in this culture and CIO Serge Suponitskiy makes sure that extends to all back-office staff that support the firm's activities. He's aware that people are often the weakest link in a cybersecurity posture and are prone to being fooled by a phishing email or even a fraudulent phone call. So cybersecurity training is an ongoing activity that takes many forms. He sends out a weekly cybersecurity bulletin that features a threat report and a story about the "scam of the week." He also uses KnowBe4, a tool that simulates phishing attacks and trains employees in security awareness. Suponitskiy advises reaching out to Marketing or HR for help with engaging employees and finding the right learning opportunities.

"What is financially the best solution to protect yourself? It's to train your employees. … You can buy all of the tools and it's expensive. Some of the prices are going up for no reason. Some by 20%, some by 50%, it's ridiculous. So, the best way is to keep training, to keep educating, and to reimagine the training. It's not just sending this video that no one clicks on or posting a poster no one looks at. … Given the fact we're moving into this recession world, and everyone is questioning why we need to spend more, it's time to reimagine the training approach."

CASE STUDY
Focus on micro-segmentation as the foundation of zero trust

David Senf, National Cybersecurity Strategist, Bell

As a cybersecurity analyst and advisor that works with Bell's clients, David Senf sees zero-trust security as an opportunity for organizations to put a strong set of mitigating controls in place to defend against the thorny challenge of reducing vulnerabilities in their software supply chain. With major breaches being linked to widely used software in the past couple of years, security teams might find it effective to focus on a different layer of security to prevent certain breaches. With security policy being enforced at a narrow point/perimeter, attacks are in essence blocked from exploiting application vulnerabilities (e.g. you can't exploit what you can see). Organizations must still ensure there is a solid vulnerability management program in place, but surrounding applications with other controls is critical. One aspect of zero trust, micro-segmentation, which is an approach to network management, can limit the damage caused by a breach. The solutions help to map out and protect the different connections between applications that could otherwise be abused for discovery or lateral movement. Senf advises that knowing your inventory of software and the interdependencies between applications is the first step on a zero-trust journey, before putting protection and detection in place.

"Next year will be a year of a lot more ZTNA, zero-trust network access, being deployed. So, I think that will give organizations more of an understanding of what zero trust is as well, from a really basic perspective. If I can just limit what applications you can see and no one can even see that application, it's undiscoverable because I've got that ZTNA solution in place. … I would see that as a leading area of deployment and coming to understand what zero trust is in 2023."

From priorities to action

Go deeper on pursuing your priorities by improving the associated capabilities.

Improve Asset Management

Enable reduced friction in the remote user experience by underpinning it with a hardware asset management program. Creating an inventory of devices and effectively tracking them will aid in maintaining compliance, result in stronger policy enforcement, and reduce the harm of a lost or stolen device.

Implement Hardware Asset Management

Improve Stakeholder Relations

Communicate the transition from a perimeter-based security approach to an "Always Verify" approach with a clear roadmap toward implementation. Map key protect surfaces to business goals to demonstrate the importance of zero-trust security in helping the organization succeed. Help the organization's top leadership build awareness of cybersecurity risk.

Build a Zero Trust Roadmap

Improve External Compliance

Manage the challenge of meeting new government requirements to implement zero-trust security and other data protection and cybersecurity regulations with a compliance program. Create a control environment that aligns multiple compliance regimes, and be prepared for IT audits.

Build a Security Compliance Program

Engage employees in the digital age

Priority 04

• ITRG02 LEADERSHIP, CULTURE, AND VALUES
• BAI05 ORGANIZATIONAL CHANGE MANAGEMENT
• APO03 ENTERPRISE ARCHITECTURE

Lead a strong culture through digital means to succeed in engaging the hybrid workforce.

The new deal for employers in a hybrid work world

Necessity is the mother of innovation.

The pandemic's disruption for non-essential workers looks to have a long-lasting, if not permanent, effect on the relationship between employer and employee. The new bargain for almost all organizations is a hybrid work reality, with employees splitting time between the office and working remotely, if not working remotely full-time. IT is in a unique position in the organization as it must not only contend with the shift to this new deal with its own employees but facilitate it for the entire organization.

With 90% of organizations embracing some form of hybrid work, IT leaders have an opportunity to shift from coping with the new work reality to finding opportunities to improve productivity. Organizations that embrace a hybrid model for their IT departments see a more effective IT department. Organizations that offered no remote work for IT rated their IT effectiveness on average 6.2 out of 10, while organizations with at least 10% of IT roles in a hybrid model saw significantly higher effectiveness. At minimum, organizations with between 50%-70% of IT roles in a hybrid model rated their effectiveness at 6.9 out of 10.

IT achieved this increase in effectiveness during a disruptive time that often saw IT take on a heavier burden. Remote work required IT to support more users and be involved in facilitating more work processes. Thriving through this challenging time is a win that's worth sharing with the rest of the organization.

IT's effectiveness compared to % working hybrid or remotely

High effectiveness doesn't mean high engagement

Despite IT's success with hybrid work, CIOs are more concerned about their staff sufficiency, skill, and engagement than their supervisors. Among clients using our CEO-CIO Alignment Diagnostic, 49% of CIOs considered this issue a major pain point compared to only 32% of CXOs. While IT staff are more effective than ever, even while carrying more of a burden in the digital age, CIOs are still looking to improve staff engagement.

Info-Tech's State of Hybrid Work Survey illuminates further details about where IT leaders are concerned for their employee engagement. About four in ten IT leaders say they are concerned for employee wellbeing, and almost the same amount say they are concerned they are not able to see signs that employees are demotivated (N=518).

Boosting IT employees' engagement levels to match their effectiveness will require IT leaders to harness all the tools at their disposal. Communicating culture and effectively managing organizational change in the digital age is a real test of leadership.

Staff sufficiency, skill, and engagement issues as a major pain point

CEO-CIO Alignment Diagnostic

Opportunities

Drive effectiveness with a hybrid environment

IT leaders concerned about the erosion of culture and connectedness due to hybrid work can mitigate those effects with increased and improved communication. Among highly effective IT departments, 55% of IT leaders made themselves highly available through instant messaging chat. Another 54% of highly effective leaders increased team meetings (State of Hybrid Work Survey, n=213). The ability to adapt to the team's needs and use a number of tactics to respond is the most important factor. The greater the number of tactics used to overcome communication barriers, the more effective the IT department (State of Hybrid Work Survey, N=518).

Modernize the office conference room

A hybrid work approach emphasizes the importance of not only the technology in the office conference room but the process around how meetings are conducted. Creating an equal footing for all participants regardless of how they join is the goal. In pursuit of that, 63% of organizations say they have made changes or upgrades to their conference room technology (n=496). The conferencing experience can influence employee engagement and work culture and enhance collaboration. IT should determine if the business case exists for upgrades and work to decrease the pain of using legacy solutions where possible (State of Hybrid Work in IT: A Trend Report).

Understand the organizational value chain

Map out the value chain from the customer perspective and then determine the organizational capabilities involved in delivering on that experience. It is a useful tool for helping IT staff understand how they're connected to the customer experience and organizational mission. It's crucial to identify opportunities to resolve pain points and create more efficiency throughout the organization.

Risks

Talent rejects the working model

Many employees that experienced hybrid work over the past couple of years are finding it's a positive development for work/life balance and aren't interested in a full-time return to the office. Organizations that insist on returning all employees to the office all the time may find that employees choose to leave the organization. Similarly, it could be hard to hire IT talent in a competitive market if the position is required to be onsite every day. Most organizations are providing flexible options to employees and finding ways to manage work in the new digital age.

Wasted expense on facilities

Organizations may choose to keep their physical office only to later realize that no one is going to work there. While providing an office space can help foster positive culture through valuable face time, it has to be used intentionally. Managers should plan for specific days that their teams will meet in the office and make sure that work activities take advantage of everyone being in the same place at the same time. Asking everyone to come in so that they can be on a videoconference meeting in their cubicle isn't the point.

Isolated employees and teams

Studies on a remote work environment show it has an impact on how many connections each employee maintains within the company. Employees still interact well within their own teams but have fewer interactions across departments. Overall, workers are likely to collaborate just as often as they did when working in the office but with fewer other individuals at the company. Keep the isolating effect of remote work in mind and foster collaboration and networking opportunities across different departments (BBC News, 2022).

CASE STUDY
Equal support of in-office and remote work

Roberto Eberhardt, CIO, Ontario Legislative Assembly

Working in the legislature of the Ontario provincial government, CIO Roberto Eberhardt's staff went from a fully onsite model to a fully remote model at the outset of the pandemic. Today he's navigating his path to a hybrid model that's somewhere in the middle. His approach is to allow his business colleagues to determine the work model that's needed but to support a technology environment that allows employees to work from home or in the office equally. Every new process that's introduced must meet that paradigm, ensuring it will work in a hybrid environment. For his IT staff, he sees a culture of accountability and commitment to metrics to drive performance measurement as key to the success of this new reality.

"While it's good in a way, the challenge for us is it became a little more complex because you have to account for all those things in the office environment and in the remote work approach. Everything you do now, you have to say OK well how is this going to work in this world and how will it work in the other world?"

Creating purpose for IT through strategy

Mike Russell, Virginia Community College System

At the Virginia Community College System (VCCS), CIO Mike Russell's IT team supports an organization that governs and delivers services to all community colleges in the state. Russell sees his IT team's purpose as being driven by the organization's mission to ensure success throughout the entire student journey, from enrolment to becoming employed after graduation. That customer-focused mindset starts from the top-level leadership, the chancellor, and the state governor. The VCCS maintains a six-year business plan that informs IT's strategic plan and aligns IT with the mission, and both plans are living documents that get refreshed every two years. Updating the plans provides opportunities for the chancellor to engage the organization and remind everyone of the purpose of their work.

"The outcome isn't the degree. The outcome we're trying to measure is the job. Did you get the job that you wanted? Whether it's being re-employed or first-time employment, did you get what you were after?"

From priorities to action

Go deeper on pursuing your priorities by improving the associated capabilities.

Improve Leadership, Culture, and Values

Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

Prepare People Leaders for the Hybrid Work Environment

Improve Organizational Change Management

Assign accountability for managing the changes that the organization is experiencing in the digital age. Make a people-centric approach that takes human behavior into account and plans to address different needs in different ways. Be proactive about change.

Master Organizational Change Management Practices

Improve Enterprise Architecture

Develop a foundation for aligning IT's activities with business value by creating a right-sized enterprise architecture approach that isn't heavy on bureaucracy. Drive IT's purpose by illustrating how their work contributes to the overall mission and the customer experience.

Create a Right-Sized Enterprise Architecture Governance Framework

Shape the IT organization to improve customer experience

PRIORITY 05

• BAI03 ENTERPRISE APPLICATION SELECTION & IMPLEMENTATION
• MEA01 PERFORMANCE MEASUREMENT
• ITRG01 IT ORGANIZATIONAL DESIGN

Tightly align the IT organization with the organization's value chain from a customer perspective.

IT's value is defined by faster, better, bigger

The pandemic motivated organizations to accelerate their digital transformation efforts, digitalizing more of their tasks and organizing the company's value chain around satisfying the customer experience. Now we see organizations taking their foot off the gas pedal of digitalization and shifting their focus to extracting the value from their investments. They want to execute on the digital transformation in their operations and realize the vision they set out to achieve.

In our Trends Report we compared the emphasis organizations are putting on digitalization to last year. Overall, we see that most organizations shifted fewer of their processes to digital in the past year.

We also asked organizations what motivated their push toward automation. The most common drivers are to improve efficiency, with almost seven out of ten organizations looking to increase staff on high-level tasks by automating repetitive tasks, 67% also wanting to increase productivity without increasing headcount, and 59% wanting to reduce errors being made by people. In addition, more than half of organizations pursued automation to improve customer satisfaction.

What best describes your main motivation to pursue automation, above other considerations?

Tech Trends 2023 Survey

To what extent did your organization shift its processes from being manually completed to digitally completed during past year?

With the shift in focus from implementing new applications to support digital transformation to operating in the new environment, IT must shift its own focus to help realize the value from these systems. At the same time, IT must reorganize itself around the new value chain that's defined by a customer perspective.

IT struggles to deliver business value or support innovation

Many current IT departments are structured around legacy processes that hinder their ability to deliver business value. CIOs are trying to grapple with the misalignment between the modern business structure and keep up with the demands for innovation and agility.

Almost nine in ten CIOs say that business frustration with IT's failure to deliver value is a pain point. Their supervisors have a slightly more favorable opinion, with 76% agreeing that it is a pain point.

Similarly, nine in ten CIOs say that IT limits affecting business innovation and agility is a pain point, while 81% of their supervisors say the same.

Supervisors say that IT should "ensure benefits delivery" as the most important process (CEO-CIO Alignment Program). This underlines the need to achieve alignment, optimize service delivery, and facilitate innovation. The pain points identified here will need to be resolved to make this possible.

IT departments will need to contend with a tight labor market and economic volatility in the year ahead. If this drives down resource capacity, it will be even more critical to tightly align with the organization.

Views business frustration with IT failure to deliver value as a pain point

Views IT limits affecting business innovation and agility as a pain point

CEO-CIO Alignment Program

Opportunities

Define IT's value by its contributions to enterprise value

Communicate the performance of IT to stakeholders by attributing positive changes in enterprise value to IT initiatives. For example, if a digital channel helped increase sales in one area, then IT can claim some portion of that revenue. If optimization of another process resulted in cost savings, then IT can claim that as a contribution toward the bottom line. CIOs should develop their handle on how KPIs influence revenues and costs. Keeping tabs on normalized year-over-year revenue comparisons can help demonstrate that IT contributions are making an impact on driving profitability.

Go with buy versus build if it's a commodity service

Most back-office functions common to operating a company can be provided by cloud-based applications accessed through a web browser. There's no value in having IT spend time maintaining on-premises applications that require hosting and ongoing maintenance. Organizations that are still accruing technical debt and are unable to modernize will increasingly find it is negatively impacting employee experience, as users expect their working experience to be similar to their experience with consumer applications. In addition, IT will continue to have capacity challenges as resources will be consumed by maintenance. As they seek to outsource some applications, IT will need to consider the geopolitical risk of certain jurisdictions in selecting a provider.

Redefine how employee performance is tracked

The concept of "clocking in" for a shift and spending eight hours a day on the job doesn't help guide IT toward its objectives or create any higher sense of purpose. Leaders must work to create a true sense of accountability by reaching consensus on what key performance indicators are important and tasking staff to improve them. Metrics should clearly link back to business outcomes and IT should understand the role they play in delivering a good customer experience.

Risks

Lack of talent available to drive transformation

CIOs are finding it difficult to hire the talent needed to create the capacity they need as digital demands of their organizations increase. This could slow the pace of change as new positions created in IT go unfilled. CIOs may need to consider reskilling and rebalancing workloads of existing staff in the short term and tap outsourcing providers to help make up shortfalls.

Resistance to change

New processes may have been given the official rubber stamp, but that doesn't mean staff are adhering to them. Organizations that reorganize themselves must take steps to audit their processes to ensure they're executed the way they intend. Some employees may feel they are being made obsolete or pushed out of their jobs and become disengaged.

Short-term increased costs

Restructuring the organization can come with the need for new tools and more training. It may be necessary to operate with redundant staff for the transitional period. Some additional expenses might be incurred for a brief period as the new structure is being put in place.

Emphasize the value of IT in driving revenue

Salman Ali, CIO, McDonald's Germany

As the new CIO to McDonald's Germany, Salman Ali came on board with an early mandate to reorganize the IT department. The challenge is to merge two organizations together: one that delivers core technology services of infrastructure, security, service desk, and compliance and one that delivers customer-facing technology such as in-store touchscreen kiosks and the mobile app for food delivery. He is looking to organize this new-look department around the technology in the hands of both McDonald's staff and its customers. In conversations with his stakeholders, Ali emphasizes the value that IT is driving rather than discussing the costs that go into it. For example, there was a huge cost in integrating third-party meal delivery apps into the point-of-sales system, but the seamless experience it delivers to customers looking to place an order helps to drive a large volume of sales. He plans to reorganize his department around this value-driven approach. The organization model will be executed with clear accountability in place and key performance indicators to measure success.

"Technology is no longer just an enabler. It's now a strategic business function. When they talk about digital, they are really talking about what's in the customers' hands and what do they use to interact with the business directly? Digital transformation has given technology a new front seat that's really driving the business."

CASE STUDY
Overhauling the "heartbeat" of the organization

Ernest Solomon, Former CIO, LAWPRO

LAWPRO is a provider of professional liability insurance and title insurance in Canada. The firm is moving its back-office applications from a build approach to a buy approach and focusing its build efforts on customer-facing systems tied to revenue generation. CIO Ernest Solomon says his team has been developing on a legacy platform for two decades, but it's time to modernize. The firm is replacing its legacy platform and moving to a cloud-based system to address technical debt and improve the experience for staff and customers. The claims and policy management platform, the "heartbeat" of the organization, is moving to a software-as-a-service model. At the same time, the firm's customer-facing Title Plus application is being moved to a cloud-native, serverless architecture. Solomon doesn't see the need for IT to spend time building services for the back office, as that doesn't align with the mission of the organization. Instead, he focuses his build efforts on creating a competitive advantage.

"We're redefining the customer experience, which is how do we move the needle in a positive direction for all the lawyers that interact with us? How do we generate that value-based proposition and improve their interactions with our organization?"

From priorities to action

Go deeper on pursuing your priorities by improving the associated capabilities.

Improve Enterprise Application Selection & Implementation

Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

Embrace Business-Managed Applications

Improve Performance Measurement

Drive the most important IT process in the eyes of supervisors by defining business value and linking IT spend to it. Make benefits realization part of your IT governance.

Maximize Business Value From IT Through Benefits Realization

Improve IT Organizational Design

Showcase IT's value to the business by aligning IT spending and staffing to business functions. Provide transparency into business consumption of IT and compare your spending to your peers'.

IT Spend & Staffing Benchmarking

The Five Priorities

Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

1. Adjust IT operations to manage for inflation
2. Prepare your data pipeline to train AI
3. Go all in on zero-trust security
4. Engage employees in the digital age
5. Shape the IT organization to improve customer experience

Expert Contributors

In order of appearance

Denise Cornish, Associate VP of IT and Deputy COO, Western University of Health Sciences

Jim Love, CIO, IT World Canada

Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

Humza Teherany, Chief Technology Officer, MLSE

Serge Suponitskiy, CIO, Brosnan Risk Consultants

David Senf, National Cybersecurity Strategist, Bell

Roberto Eberhardt, CIO, Ontario Legislative Assembly

Mike Russell, Virginia Community College System

Salman Ali, CIO, McDonald's Germany

Ernest Solomon, Former CIO, LAWPRO

Bibliography

Anderson, Brad, and Seth Patton. "In a Hybrid World, Your Tech Defines Employee Experience." Harvard Business Review, 18 Feb. 2022. Accessed 12 Dec. 2022.
"Artificial Intelligence Is Permeating Business at Last." The Economist, 6 Dec. 2022. Accessed 12 Dec. 2022.
Badlani, Danesh Kumar, and Adrian Diglio. "Microsoft Open Sources Its Software Bill
of Materials (SBOM) Generation Tool." Engineering@Microsoft, 12 July 2022. Accessed
12 Dec. 2022.
Birch, Martin. "Council Post: Equipping Employees To Succeed In Digital Transformation." Forbes, 9 Aug. 2022. Accessed 7 Dec. 2022.
Bishop, Katie. "Is Remote Work Worse for Wellbeing than People Think?" BBC News,
17 June 2022. Accessed 7 Dec. 2022.
Carlson, Brian. "Top 5 Priorities, Challenges For CIOs To Recession-Proof Their Business." The Customer Data Platform Resource, 19 July 2022. Accessed 7 Dec. 2022.
"CIO Priorities: 2020 vs 2023." IT PRO, 23 Sept. 2022. Accessed 2 Nov. 2022.
cyberinsiders. "Frictionless Zero Trust Security - How Minimizing Friction Can Lower Risks and Boost ROI." Cybersecurity Insiders, 9 Sept. 2021. Accessed 7 Dec. 2022.
Garg, Sampak P. "Top 5 Regulatory Reasons for Implementing Zero Trust."
CSO Online, 27 Oct. 2022. Accessed 7 Dec. 2022.
Heikkilä, Melissa. "The Viral AI Avatar App Lensa Undressed Me—without My Consent." MIT Technology Review, 12 Dec. 2022. Accessed 12 Dec. 2022.
Jackson, Brian. "How the Toronto Raptors Operate as the NBA's Most Data-Driven Team." Spiceworks, 1 Dec. 2022. Accessed 12 Dec. 2022.
Kiss, Michelle. "How the Digital Age Has Transformed Employee Engagement." Spiceworks,16 Dec. 2021. Accessed 7 Dec. 2022.
Matthews, David. "EU Hopes to Build Aligned Guidelines on Artificial Intelligence with US." Science|Business, 22 Nov. 2022. Accessed 12 Dec. 2022.
Maxim, Merritt. "New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities." Forrester, 23 Aug. 2022. Accessed 7 Dec. 2022.
Miller, Michael J. "Gartner Surveys Show Changing CEO and Board Concerns Are Driving a Different CIO Agenda for 2023." PCMag, 20 Oct. 2022. Accessed 2 Nov. 2022.
MIT Lincoln Laboratory. "Overview of Zero Trust Architectures." YouTube,
2 March 2022. Accessed 7 Dec. 2022.
MIT Technology Review Insights. "CIO Vision 2025: Bridging the Gap between BI and AI." MIT Technology Review, 20 Sept. 2022. Accessed 1 Nov. 2022.
Paramita, Ghosh. "Data Architecture Trends in 2022." DATAVERSITY, 22 Feb. 2022. Accessed 7 Dec. 2022.
Rosenbush, Steven. "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - WSJ." The Wall Street Journal, 17 Oct. 2022. Accessed 2 Nov. 2022.
Sacolick, Isaac. "What's in the Budget? 7 Investments for CIOs to Prioritize." StarCIO,
22 Aug. 2022. Accessed 2 Nov. 2022.
Singh, Yuvika. "Digital Culture-A Hurdle or A Catalyst in Employee Engagement." International Journal of Management Studies, vol. 6, Jan. 2019, pp. 54–60. ResearchGate, https://doi.org/10.18843/ijms/v6i1(8)/08.
"Talent War Set to Become Top Priority for CIOs in 2023, Study Reveals." CEO.digital,
8 Sept. 2022. Accessed 7 Dec. 2022.
Tanaka, Rodney. "WesternU COMP and COMP-Northwest Named Apple Distinguished School." WesternU News. 10 Feb. 2022. Accessed 12 Dec. 2022.
Wadhwani, Sumeet. "Meta's New Large Language Model Galactica Pulled Down Three Days After Launch." Spiceworks, 22 Nov. 2022. Accessed 12 Dec. 2022.
"World Economic Outlook." International Monetary Fund (IMF), 11 Oct. 2022. Accessed
14 Dec. 2022.

The First 100 Days As CIO

Partner with Info-Tech for success in this crucial period of transition.

Analyst Perspective

The first 100 days refers to the 10 days before you start and the first three months on the job.

“The original concept of ‘the first 100 days’ was popularized by Franklin Delano Roosevelt, who passed a battery of new legislation after taking office as US president during the Great Depression. Now commonly extended to the business world, the first 100 days of any executive role is a critically important period for both the executive and the organization.

But not every new leader should follow FDR’s example of an action-first approach. Instead, finding the right balance of listening and taking action is the key to success during this transitional period. The type of the organization and the mode that it’s in serves as the fulcrum that determines where the point of perfect balance lies. An executive facing a turnaround situation will want to focus on more action more quickly. One facing a sustaining success situation or a realignment situation will want to spend more time listening before taking action.” (Brian Jackson, Research Director, CIO, Info-Tech Research Group)

Executive summary

Situation

• You’ve been promoted from within to the role of CIO.
• You’ve been hired externally to take on the role of CIO.

Complication

Studies show that two years after a new executive transition, as many as half are regarded as failures or disappointments (McKinsey). First impressions are hard to overcome, and a CIO’s first 100 days are heavily weighted in terms of how others will assess their overall success. The best way to approach this period is determined by both the size and the mode of an organization.

Resolution

• Work with Info-Tech to prepare a 100-day plan that will position you for success.
• Collaborate to collect the details needed to identify the right mode for your organization and determine how it will influence your plan.
• Use Info-Tech’s diagnostic tools to align your vision with that of business executives and form a baseline for future reference.

Info-Tech Insight

1. Foundational understanding must be achieved before you start.
   Hit the ground running before day one by using company documents and initial discussions to pin down the company’s type and mode.
2. Listen before you act (usually).
   In most situations, executives benefit from listening to peers and staff before taking action.
3. Identify quick wins early and often.
   Fix problems as soon as you recognize them to set the tone for your tenure.

The First 100 Days: Roadmap

Concierge service overview

Organize a call with your executive advisor every two weeks during your first 100 days. Info-Tech recommends completing our diagnostics during this period. If you’re not able to do so, instead complete the alternative activities marked with (a).

Call 1

Before you start: Day -10 to Day 1

Interview your predecessor

Interviewing your predecessor can help identify the organization’s mode and type.

Before reaching out to your predecessor, get a sense of whether they were viewed as successful or not. Ask your manager. If the predecessor remains within the organization in a different role, understand your relationship with them and how you'll be working together.

During the interview, make notes about follow-up questions you'll ask others at the organization.

Ask these open-ended questions in the interview:

• Tell me about the team.
• Tell me about your challenges.
• Tell me about a major project your team worked on. How did it go?
• Who/what has been helpful during your tenure?
• Who/what created barriers for you?
• What do your engagement surveys reveal?
• Tell me about your performance management programs and issues.
• What mistakes would you avoid if you could lead again?
• Why are you leaving?
• Could I reach out to you again in the future?

Learn the corporate structure

Identify the organization’s corporate structure type based on your initial conversations with company leadership. The type of structure will dictate how much control you'll have as a functional head and help you understand which stakeholders you'll need to collaborate with.

To Do:

• Review the organization’s structure list and identify whether the structure is functional, prioritized, or a matrix. If it's a matrix organization, determine if it's a strong matrix (project manager holds more authority), weak matrix (functional manager holds more authority), or balanced matrix (managers hold equal authority).

This organization is a ___________________ type.

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Based on your interview process and discussions with company leadership, and using Michael Watkins’ STARS assessment, determine which mode your organization is in: startup, turnaround, accelerated growth, realignment, or sustaining success.

Knowing the mode of your organization will determine how you approach your 100-day plan. Depending on the mode, you'll rebalance your activities around the three categories of assess, listen, and deliver.

To Do:

• Review the STARS table on the right.

Based on your situation, prioritize activities in this way:

• Startup: assess, listen, deliver
• Turnaround: deliver, listen, assess
• Accelerated Growth: assess, listen, deliver
• Realignment: listen, assess, deliver
• Sustaining success: listen, assess, deliver

This organization is a ___________________ type.

(Source: Watkins, 2013.)

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Satya Nadella's listen, lead, and launch approach

CASE STUDY

Industry Software
Source Gregg Keizer, Computerworld, 2014

When Satya Nadella was promoted to the CEO role at Microsoft in 2014, he received a Glassdoor approval rating of 85% and was given an "A" grade by industry analysts after his first 100 days. What did he do right? Created a sense of urgency by shaking up the senior leadership team. Already understood the culture as an insider. Listened a lot and did many one-on-one meetings. Established a vision communicated with a mantra that Microsoft would be "mobile-first, cloud-first." Met his words with actions. He launched Office for iPad and made many announcements for cloud platform Azure.

Satya Nadella, CEO, Microsoft Corp. (Image source: Microsoft)

Listen to 'The First 100 Days' podcast – Alan Fong

Create a one-page introduction sheet to use in communications

As a new CIO, you'll have to introduce yourself to many people in the organization. To save time on communicating who you are as a person outside of the office, create a brief one-pager that includes a photo of you, where you were born and raised, and what your hobbies are. This helps make a connection more quickly so your conversations can focus on the business at hand rather than personal topics.

For your presentation deck, remove the personal details and just keep it professional. The personal aspects can be used as a one-pager for other communications. (Source: Personal interview with Denis Gaudreault, Country Lead, Intel.)

Presentation Deck, slide 5

Call 2

Day 1 to Day 15

Introduce yourself to your team

Prepare a 20-second pitch about yourself that goes beyond your name and title. Touch on your experience that's relevant to your new role or the industry you're in. Be straightforward about your own perceived strengths and weaknesses so that people know what to expect from you. Focus on the value you believe you'll offer the group and use humor and humility where you're comfortable. For example:

“Hi everyone, my name is John Miller. I have 15 years of experience marketing conferences like this one to vendors, colleges, and HR departments. What I’m good at, and the reason I'm here, is getting the right people, businesses, and great ideas in a room together. I'm not good on details; that's why I work with Tim. I promise that I'll get people excited about the conference, and the gifts and talents of everyone else in this room will take over from there. I'm looking forward to working with all of you.”

Have a structured set of questions ready that you can ask everyone.

For example:

• How well is the company performing based on expectations?
• What must the company do to sustain its financial performance and market competitiveness?
• How do you foresee the CIO contributing to the team?
• How have past CIOs performed from the perspective of the team?
• What would successful performance of this role look like to you? To your peers?
• What challenges and obstacles to success am I likely to encounter? What were the common challenges of my predecessor?
• How do you view the culture here and how do successful projects tend to get approved?
• What are your greatest challenges? How could I help you?

Get to know your sphere of influence: prepare to connect with a variety of people before you get down to work

Your ability to learn from others is critical at every stage in your first 100 days. Keep your sphere of influence in the loop as you progress through this period.

Write down the names, or at least the key people, in each segment of this diagram. This will serve as a quick reference when you're planning communications with others and will help you remember everyone as you're meeting lots of new people in your early days on the job.

• Everyone knows their networks are important.
• However, busy schedules can cause leaders to overlook their many audiences.
• Plan to meet and learn from all people in your sphere to gain a full spectrum of insights.

Presentation Deck, slide 29

Identify how your competitors are leveraging technology for competitive advantage

Competitor identification and analysis are critical steps for any new leader to assess the relative strengths and weaknesses of their organization and develop a sense of strategic opportunity and environmental awareness.

Today’s CIO is accountable for driving innovation through technology. A competitive analysis will provide the foundation for understanding the current industry structure, rivalry within it, and possible competitive advantages for the organization.

Surveying your competitive landscape prior to the first day will allow you to come to the table prepared with insights on how to support the organization and ensure that you are not vulnerable to any competitive blind spots that may exist in the evaluations conducted by the organization already.

You will not be able to gain a nuanced understanding of the internal strengths and weaknesses until you are in the role, so focus on the external opportunities and how competitors are using technology to their advantage.

Info-Tech Best Practice

For a more in-depth approach to identifying and understanding relevant industry trends and turning them into insights, leverage the following Info-Tech blueprints:

• Think Like a Futurist
• CIO Trend Report 2019

Presentation Deck, slide 9

Assess the external competitive environment

INPUT: External research

OUTPUT: Competitor array

1. Conduct a broad analysis of the industry as a whole. Seek to answer the following questions:
   1. Are there market developments or new markets?
   2. Are there industry or lifestyle trends, e.g. move to mobile?
   3. Are there geographic changes in the market?
   4. Are there demographic changes that are shaping decision making?
   5. Are there changes in market demand?
2. Create a competitor array by identifying and listing key competitors. Try to be as broad as possible here and consider not only entrenched close competitors but also distant/future competitors that may disrupt the industry.
3. Identify the strengths, weaknesses, and key brand differentiators that each competitor brings to the table. For each strength and differentiator, brainstorm ways that IT-based innovation enables each. These will provide a toolkit for deeper conversations with your peers and your business stakeholders as you move further into your first 100 days.

Complete the CEO-CIO Alignment Program

INPUT: CEO-CEO Alignment Program (recommended)

OUTPUT: Desired and target state of IT maturity, Innovation goals, Top priorities

Materials: Presentation Deck, slides 11-13

Participants: CEO, CIO

Introduce the concept of the CEO-CIO Alignment Program using slide 10 of your presentation deck and the brief email text below.

Talk to your advisory contact at Info-Tech about launching the program. More information is available on Info-Tech’s website.

Once the report is complete, import the results into your presentation:

• Slide 11, the CEO’s current and desired states
• Slide 12, IT innovation goals
• Slide 13, top projects and top departments from the CEO and the CIO

Include any immediate recommendations you have.

Hello CEO NAME,

I’m excited to get started in my role as CIO, and to hit the ground running, I’d like to make sure that the IT department is aligned with the business leadership. We will accomplish this using Info-Tech Research Group’s CEO-CIO Alignment Program. It’s a simple survey of 20 questions to be completed by the CEO and the CIO.

This survey will help me understand your perception and vision as I get my footing as CIO. I’ll be able to identify and build core IT processes that will automate IT-business alignment going forward and create an effective IT strategy that helps eliminate impediments to business growth.

Research shows that IT departments that are effectively aligned to business goals achieve more success, and I’m determined to make our IT department as successful as possible. I look forward to further detailing the benefits of this program to you and answering any questions you may have the next time we speak.

Regards,
CIO NAME

New KPIs for CEO-CIO Alignment — Recommended

Info-Tech CEO-CIO Alignment Program

Info-Tech's CEO-CIO Alignment Program is set up to build IT-business alignment in any organization. It helps the CIO understand CEO perspectives and priorities. The exercise leads to useful IT performance indicators, clarifies IT’s mandate and which new technologies it should invest in, and maps business goals to IT priorities.

Benefits

Master the Basics Cut through the jargon. Take a comprehensive look at the CEO perspective.	Target Alignment Identify how IT can support top business priorities. Address CEO-CIO differences.	Start on the Right Path Get on track with the CIO vision. Use correct indicators and metrics to evaluate IT from day one.

Additional materials are available on Info-Tech’s website.

The desired maturity level of IT — Alternative

Step 1: Where are we today? Determine where the CEO sees the current overall maturity level of the IT organization. Step 2: Where do we want to be as an organization? Determine where the CEO wants the IT organization to be in order to effectively support the strategic direction of the business.

Presentation Deck, slide 11

Tim Cook's powerful use of language

CASE STUDY

Industry Consumer technology
Source Carmine Gallo, Inc., 2019

Apple CEO Tim Cook, an internal hire, had big shoes to fill after taking over from the late Steve Jobs. Cook's ability to control how the company is perceived is a big credit to his success. How does he do it? His favorite five words are “The way I see it..." These words allow him to take a line of questioning and reframe it into another perspective that he wants to get across. Similarly, he'll often say, "Let me tell you the way I look at it” or "To put it in perspective" or "To put it in context." In your first two weeks on the job, try using these phrases in your conversations with peers and direct reports. It demonstrates that you value their point of view but are independently coming to conclusions about the situation at hand.

Tim Cook, CEO, Apple Inc. (Image source: Apple)

Listen to 'The First 100 Days' podcast – Denis Gaudreault

Inform your team that you plan to do an IT Management & Governance Diagnostic survey

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: IT Management & Governance Diagnostic (recommended)

OUTPUT: Process to improve first, Processes important to the business

Materials: Presentation Deck, slides 19-20

Participants: CIO, IT staff

Introduce the IT Management & Governance Diagnostic survey that will help you form your IT strategy.

Explain that you want to understand current IT capabilities and you feel a formal approach is best. You’ll also be using this approach as an important metric to track your department’s success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take action on the email when it’s sent to them.

Example email:

Hello TEAM,

I appreciate meeting each of you, and so far I’m excited about the talents and energy on the team. Now I need to understand the processes and capabilities of our department in a deeper way. I’d like to map our process landscape against an industry-wide standard, then dive deeper into those processes to understand if our team is aligned. This will help us be accountable to the business and plan the year ahead. Advisory firm Info-Tech Research Group will be reaching out to you with a simple survey that shouldn’t take too long to complete. It’s important to me that you pay attention to that message and complete the survey as soon as possible.

Regards,
CIO NAME

Call 3

Day 16 to Day 30

Leverage team interviews as a source of determining organizational culture

Info-Tech recommends that you hold group conversations with your team to uncover their opinions of the current organizational culture. This not only helps build transparency between you and your team but also gives you another means of observing behavior and reactions as you listen to team members’ characterizations of the current culture.

Note: It is inherently difficult for people to verbalize what constitutes a culture – your strategy for extracting this information will require you to ask indirect questions to solicit the highest value information.

Questions for Discussion:

• What about the current organizational environment do you think most contributes to your success?
• What barriers do you experience as you try to accomplish your work?
• What is your favorite quality that is present in our organization?
• What is the one thing you would most like to change about this organization?
• Do the organization's policies and procedures support your efforts to accomplish work or do they impede your progress?
• How effective do you think IT’s interactions are with the larger organization?
• What would you consider to be IT’s top three guiding principles?
• What kinds of people fail in this organization?

See Info-Tech’s Cultural Archetype Calculator.

Use the Competing Values Framework to define your organization’s cultural archetype

THE COMPETING VALUES FRAMEWORK (CVF):

CVF represents the synthesis of academic study of 39 indicators of effectiveness for organizations. Using a statistical analysis, two polarities that are highly predictive of differences in organizational effectiveness were isolated: Internal focus and integration vs. external focus and differentiation. Stability and control vs. flexibility and discretion. By plotting these dimensions on a matrix of competing values, four main cultural archetypes are identified with their own value drivers and theories of effectiveness.

Presentation Deck, slide 16

Create a cultural adjustment plan

Now that you've assessed the cultural archetype, you can plan an appropriate approach to shape the culture in a positive way. When new executives want to change culture, there are a few main options at hand:

Autonomous evolution: Encourage teams to learn from each other. Empower hybrid teams to collaborate and reward teams that perform well.

Planned and managed change: Create steering committee and project-oriented taskforces to work in parallel. Appoint employees that have cultural traits you'd like to replicate to hold responsibility for these bodies.

Cultural destruction: When a toxic culture needs to be eliminated, get rid of its carriers. Putting new managers or directors in place with the right cultural traits can be a swift and effective way to realign.

Each option boils down to creating the right set of incentives and deterrents. What behaviors will you reward and which ones will you penalize? What do those consequences look like? Sometimes, but not always, some structural changes to the team will be necessary. If you feel these changes should be made, it's important to do it sooner rather than later. (Source: “Enlarging Your Sphere of Influence in Your Organization,” MindTools Corporate, 2014.)

As you're thinking about shaping a desired culture, it's helpful to have an easy way to remember the top qualities you want to espouse. Try creating an acronym that makes it easy for staff to remember. For example: RISE could remind your staff to be Responsive, Innovative, Sustainable, and Engaging (RISE). Draw upon your business direction from your manager to help produce desired qualities (Source: Jennifer Schaeffer).

Presentation Deck, slide 17

Gary Davenport’s welcome “surprise”

CASE STUDY

Industry Telecom
Source Interview with Gary Davenport

After Gary Davenport was hired on as VP of IT at MTS Allstream, his first weekend on the job was spent at an all-executive offsite meeting. There, he learned from the CEO that the IT department had a budget reduction target of 25%, like other departments in the company. “That takes your breath away,” Davenport says. He decided to meet the CEO monthly to communicate his plans to reduce spending while trying to satisfy business stakeholders. His top priorities were: Stabilize IT after seven different leaders in a five-year period. Get the IT department to be respected. To act like business owners instead of like servants. Better manage finances and deliver on projects. During Davenport’s 7.5-year tenure, the IT department became one of the top performers at MTS Allstream.

Gary Davenport’s first weekend on the job at MTS Allstream included learning about a 25% reduction target. (Image source: Ryerson University)

Listen to 'The First 100 Days' podcast – David Penny & Andrew Wertkin

Initiate IT Management & Governance Diagnostic — Recommended

Info-Tech Management & Governance Diagnostic

Talk to your Info-Tech executive advisor about launching the survey shortly after informing your team to expect it. You'll just have to provide the names and email addresses of the staff you want to be involved. Once the survey is complete, you'll harvest materials from it for your presentation deck. See slides 19 and 20 of your deck and follow the instructions on what to include.

Benefits

Explore IT Processes Dive deeper into performance. Highlight problem areas.	Align IT Team Build consensus by identifying opposing views.	Ownership & Accountability Identify process owners and hold team members accountable.

Additional materials available on Info-Tech’s website.

Conduct a high-level analysis of current IT capabilities — Alternative

INPUT: Interviews with IT leadership team, Capabilities graphic on next slide

OUTPUT: High-level understanding of current IT capabilities

Run this activity if you're not able to conduct the IT Management & Governance Diagnostic.

Schedule meetings with your IT leadership team. (In smaller organizations, interviewing everyone may be acceptable.) Provide them a list of the core capabilities that IT delivers upon and ask them to rate them on an effectiveness scale of 1-5, with a short rationale for their score.

• 1. Not effective (NE)
• 2. Somewhat Effective (SE)
• 3. Effective (E)
• 4. Very Effective (VE)
• 5. Extremely Effective (EE)

Presentation Deck, slide 21

Use the following set of IT capabilities for your assessment

Quick wins: CEO-CIO Alignment Program

Complete this while waiting on the IT M&G survey results. Based on your completed CEO-CIO Alignment Report, identify the initiatives you can tackle immediately.

If you are here...	And want to be here...	Drive toward...	Innovate around...
Business Partner	Innovator	Leading business transformation	Emerging technologies Analytical capabilities Risk management Customer-facing tech Enterprise architecture
Trusted Operator	Business Partner	Optimizing business process and supporting business transformation	IT strategy and governance Business architecture Projects Resource management Data quality
Firefighter	Trusted Operator	Optimize IT processes and services	Business applications Service management Stakeholder management Work orders
Unstable	Firefighter	Reduce use disruption and adequately support the business	Network and infrastructure Service desk Security User devices

Call 4

Day 31 to Day 45

Inform your peers that you plan to do a CIO Business Vision survey to gauge your stakeholders’ satisfaction

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: CIO Business Vision survey (recommended)

OUTPUT: True measure of business satisfaction with IT

Materials: Presentation Deck, slide 30

Participants: CIO, IT staff

Meet the business leaders at your organization face-to-face if possible. If you can't meet in person, try a video conference to establish some rapport. At the end of your introduction and after listening to what your colleague has to say, introduce the CIO Business Vision Diagnostic.

Explain that you want to understand how to meet their business needs and you feel a formal approach is best. You'll also be using this approach as an important metric to track your department's success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take the survey when the email is sent to them.

Example email:

Hello PEER NAMES,

I'm arranging for Info-Tech Research Group to invite you to take a survey that will be important to me. The CIO Business Vision survey will help me understand how to meet your business needs. It will only take about 15 minutes of your time, and the top-line results will be shared with the organization. We will use the results to plan initiatives for the future that will improve your satisfaction with IT.

Regards,
CIO NAME

Gain feedback on your initial assessments from your IT team

There are two strategies for gaining feedback on your initial assessments of the organization from the IT team:

1. Review your personal assessments with the relevant members of your IT organization as a group. This strategy can help to build trust and an open channel for communication between yourself and your team; however, it also runs the risk of being impacted by groupthink.
2. Ask for your team to complete their own assessments for you to compare and contrast. This strategy can help extract more candor from your team, as they are not expected to communicate what may be nuanced perceptions of organizational weaknesses or criticisms of the way certain capabilities function.

Who you involve in this process will be impacted by the size of your organization. For larger organizations, involve everyone down to the manager level. In smaller organizations, you may want to involve everyone on the IT team to get an accurate lay of the land.

Areas for Review:

• Strategic Document Review: Are there any major themes or areas of interest that were not covered in my initial assessment?
• Competitor Array: Are there any initiatives in flight to leverage new technologies?
• Current State of IT Maturity: Does IT’s perception align with the CEO’s? Where do you believe IT has been most effective? Least effective?
• IT’s Key Priorities: Does IT’s perception align with the CEO’s?
• Key Performance Indicators: How has IT been measured in the past?

Info-Tech Best Practice

You need your team’s hearts and minds or you risk a short tenure. Overemphasizing business commitment by neglecting to address your IT team until after you meet your business stakeholders will result in a disenfranchised group. Show your team their importance.

Susan Bowen's talent maximization

CASE STUDY

Industry Infrastructure Services
Source Interview with Susan Bowen

Susan Bowen was promoted to be the president of Cogeco Peer 1, an infrastructure services firm, when it was still a part of Cogeco Communications. Part of her mandate was to help spin out the business to a new owner, which occurred when it was acquired by Digital Colony. The firm was renamed Aptum and Bowen was put in place as CEO, which was not a certainty despite her position as president at Cogeco Peer 1. She credits her ability to put the right talent in the right place as part of the reason she succeeded. After becoming president, she sought a strong commitment from her directors. She gave them a choice about whether they'd deliver on a new set of expectations – or not. She also asks her leadership on a regular basis if they are using their talent in the right way. While it's tempting for directors to want to hold on to their best employees, those people might be able to enable many more people if they can be put in another place. Bowen fully rounded out her leadership team after Aptum was formed. She created a chief operating officer and a chief infrastructure officer. This helped put in place more clarity around roles at the firm and put an emphasis on client-facing services.

Susan Bowen, CEO, Aptum (Image source: Aptum)

Listen to 'The First 100 Days' podcast – Susan Bowen

Initiate CIO Business Vision survey – new KPIs for stakeholder management — Recommended

Info-Tech CIO Business Vision

Be sure to effectively communicate the context of this survey to your business stakeholders before you launch it. Plan to talk about your plans to introduce it in your first meetings with stakeholders. When ready, let your executive advisor know you want to launch the tool and provide the names and email addresses of the stakeholders you want involved. After you have the results, harvest the materials required for your presentation deck. See slide 30 and follow the instructions on what to include.

Benefits

Key Stakeholders Clarify the needs of the business.	Credibility Create transparency.	Improve Measure IT’s progress.	Focus Find what’s important.

Additional materials are available on Info-Tech’s website.

Create a catalog of key stakeholder details to reference prior to future conversations — Alternative

Only conduct this activity if you’re not able to run the CIO Business Vision diagnostic.

Use the Organizational Catalog as a personal cheat sheet to document the key details around each of your stakeholders, including your CEO when possible.

The catalog will be an invaluable tool to keep the competing needs of your different stakeholders in line, while ensuring you are retaining the information to build the political capital needed to excel in the C-suite.

Note: It is important to keep this document private. While you may want to communicate components of this information, ensure your catalog remains under lock and (encryption) key.

Info-Tech Insight

While profiling your stakeholders is important, do not be afraid to profile yourself as well. Visualizing how your interests overlap with those of your stakeholders can provide critical information on how to manage your communications so that those on the receiving end are hearing exactly what they need.

Activity: Conduct interviews with your key business stakeholders — Alternative

1. Once you have identified your key stakeholders through your interviews with your boss and your IT team, schedule a set of meetings with those individuals.
2. Use the meetings to get to know your stakeholders, their key priorities and initiatives, and their perceptions of the effectiveness of IT.
   1. Use the probative questions to the right to elicit key pieces of information.
   2. Refer to the Organizational Catalog tool for more questions to dig deeper in each category. Ensure that you are taking notes separate from the tool and are keeping the tool itself secure, as it will contain private information specific to your interests.
3. Following each meeting, record the results of your conversation and any key insights in the Organizational Catalog. Refer to the following slide for more details.

Questions for Discussion:

• Be indirect about your personal questions – share stories that will elicit details about their interests, kids, etc.
• What are your most critical/important initiatives for the year?
• What are your key revenue streams, products, and services?
• What are the most important ways that IT supports your success? What is your satisfaction level with those services?
• Are there any current in-flight projects or initiatives that are a current pain point? How can IT assist to alleviate challenges?
• How is your success measured? What are your targets for the year on those metrics?

Presentation Deck, slide 34

Call 5

Day 46 to Day 60

Inform your team that you plan to do an IT staffing assessment

Introduce the IT Staffing Assessment that will help you get the most out of your team

INPUT: Email template

OUTPUT: Ready to launch diagnostic

Materials: Email template, List of staff, Sample of diagnostic

Participants: CIO, IT staff

Explain that you want to understand how the IT staff is currently spending its time by function and by activity. You want to take a formal approach to this task and also assess the team’s feelings about its effectiveness across different processes. The results of the assessment will serve as the foundation that helps you improve your team’s effectiveness within the organization.

Example email:

Hello PEER NAMES,

The feedback I've heard from the team since joining the company has been incredibly useful in beginning to formulate my IT strategy. Now I want to get a clear picture of how everyone is spending their time, especially across different IT functions and activities. This will be an opportunity for you to share feedback on what we're doing well, what we need to do more of, and what we're missing. Expect to receive an email invitation to take this survey from Info-Tech Research Group. It's important to me that you complete the survey as soon as you're can. Attached you’ll find an example of the report this will generate. Thank you again for providing your time and feedback.

Regards,
CIO NAME

Wayne Berger's shortcut to solve staffing woes

CASE STUDY

Industry Office leasing
Source Interview with Wayne Berger

Wayne Berger was hired to be the International Workplace Group (IWG) CEO for Canada and Latin America in 2014. Wayne approached his early days with the office space leasing firm as a tour of sorts, visiting nearly every one of the 48 office locations across Canada to host town hall meetings. He heard from staff at every location that they felt understaffed. But instead of simply hiring more staff, Berger actually reduced the workforce by 33%. He created a more flexible approach to staffing: Employees no longer just reported to work at one office; instead, they were ready to go to wherever they were most needed in a specific geographic area. He centralized all back-office functions for the company so that not every office had to do its own bookkeeping. Finally, he changed the labor profile to consist of full-time staff, part-time staff, and time-on-demand workers.

Wayne Berger, CEO, IWG Plc (Image source: IWG)

Listen to 'The First 100 Days' podcast – Wayne Berger

Initiate IT Staffing Assessment – new KPIs to track IT performance — Recommended

Info-Tech IT Staffing Assessment

Info-Tech’s IT Staffing Assessment provides benchmarking of key metrics against 4,000 other organizations. Dashboard-style reports provide key metrics at a glance, including a time breakdown by IT function and by activity compared against business priorities. Run this survey at about the 45-day mark of your first 90 days. Its insights will be used to inform your long-term IT strategy.

Benefits

Right-Size IT Headcount Find the right level for stakeholder satisfaction.	Allocate Staff Correctly Identify staff misalignments with priorities.	Maximize Teams Identify how to drive staff.

Additional materials are available on Info-Tech’s website.

Quick wins: Make recommendations based on IT Management & Governance Framework

Complete this exercise while waiting on the IT Staffing Assessment results. Based on your completed IT Management & Governance report, identify the initiatives you can tackle immediately. You can conduct this as a team exercise by following these steps:

1. Create a shortlist of initiatives based on the processes that were identified as high need but scored low in effectiveness. Think as broadly as possible during this initial brainstorming.
2. Write each initiative on a sticky note and conduct a high-level analysis of the amount of effort that would be required to complete it, as well as its alignment with the achievement of business objectives.
3. Draw the matrix below on a whiteboard and place each sticky note onto the matrix based on its potential impact and difficulty to address.

Call 6

Day 61 to Day 75

Run a start, stop, continue exercise with your IT staff — Alternative

This is an alternative activity to running an IT Staffing Assessment, which contains a start/stop/continue assessment. This activity can be facilitated with a flip chart or a whiteboard. Create three pages or three columns and label them Start, Stop, and Continue.

Hand out sticky notes to each team member and then allow time for individual brainstorming. Instruct them to write down their contributions for each category on the sticky notes. After a few minutes, have everyone stick their notes in the appropriate category on the board. Discuss as a group and see what themes emerge. Record the results that you want to share in your presentation deck (GroupMap).

Gather your team and explain the meaning of these categories:

Start: Activities you're not currently doing but should start doing very soon.

Stop: Activities you're currently doing but aren’t working and should cease.

Continue: Things you're currently doing and are working well.

Presentation Deck, slide 24

Determine the alignment of IT commitments with business objectives

INPUT: Interviews with IT leadership team

OUTPUT: High-level understanding of in-flight commitments and investments

Run this only as an alternative to the IT Management & Governance Diagnostic.

1. Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.
2. Determine the following about IT’s current investment mix:
   1. What are the current IT investments and assets? How do they align to business goals?
   2. What investments in flight are related to which information assets?
   3. Are there any immediate risks identified for these key investments?
   4. What are the primary business issues that demand attention from IT consistently?
   5. What choices remain undecided in terms of strategic direction of the IT organization?
3. Document your key investments and commitments as well as any points of misalignment between objectives and current commitments as action items to address in your long-term plans. If they are small fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Determine the alignment of IT commitments with business objectives

Run this only as an alternative to the IT Staffing Assessment diagnostic.

Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.

Determine the following about IT’s current investment mix:

• What are the current IT investments and assets?
• How do they align to business goals?
• What in-flight investments are related to which information assets?
• Are there any immediate risks identified for these key investments?
• What are the primary business issues that demand attention from IT consistently?
• What remains undecided in terms of strategic direction of the IT organization?

Document your key investments and commitments, as well as any points of misalignment between objectives and current commitments, as action items to address in your long-term plans. If they are small-effort fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Make a categorized vendor list by IT process

As part of learning the IT team, you should also create a comprehensive list of vendors under contract. Collaborate with the finance department to get a clear view of how much of the IT budget is spent on specific vendors. Try to match vendors to the IT processes they serve from the IT M&G framework.

You should also organize your vendors based on their budget allocation. Go beyond just listing how much money you’re spending with each vendor and categorize them into either “transactional” relationships or “strategic relationships.” Use the grid below to organize them. Ideally, you’ll want most relationships to be high spend and strategic (Source: Gary Davenport).

Where to source your vendor list:

• Finance department
• Infrastructure managers
• Vendor manager in IT

Further reading: Manage Your Vendors Before They Manage You

Presentation Deck, slide 26

Jennifer Schaeffer’s short-timeline turnaround

CASE STUDY

Industry Education
Source Interview with Jennifer Schaeffer

Jennifer Schaeffer joined Athabasca University as CIO in November 2017. She was entering a turnaround situation as the all-online university lacked an IT strategy and had built up significant technical debt. Armed with the mandate of a third-party consultant that was supported by the president, Schaeffer used a people-first approach to construct her strategy. She met with all her staff, listening to them carefully regardless of role, and consulted with the administrative council and faculty members. She reflected that feedback in her plan or explained to staff why it wasn’t relevant for the strategy. She implemented a “strategic calendaring” approach for the organization, making sure that her team members were participating in meetings where their work was assessed and valued. Drawing on Spotify as an inspiration, she designed her teams in a way that everyone was connected to the customer experience. Given her short timeline to execute, she put off a deep skills analysis of her team for a later time, as well as creating a full architectural map of her technology stack. The outcome is that 2.5 years later, the IT department is unified in using the same tooling and optimization standards. It’s more flexible and ready to incorporate government changes, such as offering more accessibility options.

Jennifer Schaeffer took on the CIO role at Athabasca University in 2017 and was asked to create a five-year strategic plan in just six weeks. (Image source: Athabasca University)

Listen to 'The First 100 Days' podcast – Eric Wright

Call 7

Day 76 to Day 90

Finalize your vision – mission – values statement

A clear statement for your values, vision, and mission will help crystallize your IT strategy and communicate what you're trying to accomplish to the entire organization.

Mission: This statement describes the needs that IT was created to meet and answers the basic question of why IT exists.

Vision: Write a statement that captures your values. Remember that the vision statement sets out what the IT organization wants to be known for now and into the future.

Values: IT core values represent the standard axioms by which the IT department operates. Similar to the core values of the organization as a whole, IT’s core values are the set of beliefs or philosophies that guide its strategic actions.

Further reading: IT Vision and Mission Statements Template

Presentation Deck, slide 42

John Chen's new strategic vision

CASE STUDY

Industry Mobile Services
Source Sean Silcoff, The Globe and Mail

John Chen, known in the industry as a successful turnaround executive, was appointed BlackBerry CEO in 2014 following the unsuccessful launch of the BlackBerry 10 mobile operating system and a new tablet. He spent his first three months travelling, talking to customers and suppliers, and understanding the company's situation. He assessed that it had a problem generating cash and had made some strategic errors, but there were many assets that could benefit from more investment. He was blunt about the state of BlackBerry, making cutting observations of the past mistakes of leadership. He also settled a key question about whether BlackBerry would focus on consumer or enterprise customers. He pointed to a base of 80,000 enterprise customers that accounted for 80% of revenue and chose to focus on that. His new mission for BlackBerry: to transform it from being a "mobile technology company" that pushes handset sales to "a mobile solutions company" that serves the mobile computing needs of its customers.

John Chen, CEO of BlackBerry, presents at BlackBerry Security Summit 2018 in New York City (Image source: Brian Jackson)

Listen to 'The First 100 Days' podcast – Erin Bury

Quick wins: Make recommendations based on the CIO Business Vision survey

Based on your completed CIO Business Vision survey, use the IT Satisfaction Scorecard to determine some initiatives. Focus on areas that are ranked as high importance to the business but low satisfaction. While all of the initiatives may be achievable given enough time, use the matrix below to identify the quick wins that you can focus on immediately. It’s important to not fail in your quick-win initiative.

• High Visibility, Low Risk: Best bet for demonstrating your ability to deliver value.
• Low Visibility, Low Risk: Worth consideration, depending on the level of effort required and the relative importance to the stakeholder.
• High Visibility, High Risk: Limit higher-risk initiatives until you feel you have gained trust from your stakeholders, demonstrating your ability to deliver.
• Low Visibility, High Risk: These will be your lowest value, quick-win initiatives. Keep them in a backlog for future consideration in case business objectives change.

Presentation Deck, slide 27

Create and communicate a post-100 plan

The last few slides of your presentation deck represent a roundup of all the assessments you’ve done and communicate your plan for the months ahead.

Slide 38. Based on the information on the previous slide and now knowing which IT capabilities need improvement and which business priorities are important to support, estimate where you'd like to see IT staff spend their time in the near future. Will you be looking to shift staff from one area to another? Will you be looking to hire staff?

Slide 39. Take your IT M&G initiatives from slide 19 and list them here. If you've already achieved a quick win, list it and mark it as completed to show what you've accomplished. Briefly outline the objectives, how you plan to achieve the result, and what measurement will indicate success.

Slide 40. Reflect your CIO Business Vision initiatives from slide 31 here.

Slide 41. Use this roadmap template to list your initiatives by roughly when they’ll be worked on and completed. Plan for when you’ll update your diagnostics.

Expert Contributors

	Alan Fong, Chief Technology Officer, Dealer-FX
	Andrew Wertkin, Chief Strategy Officer, BlueCat Networks David Penny, Chief Technology Officer, BlueCat Networks
	Susan Bowen, CEO, Aptum

	Erin Bury, CEO, Willful
	Denis Gaudreault, Country Manager, Intel Canada and Latin America
	Wayne Berger, CEO, IWG Plc

	Eric Wright, CEO, LexisNexis Canada
	Gary Davenport, past president of CIO Association” of Canada, former VP of IT, Enterprise Solutions Division, MTS AllStream
	Jennifer Schaeffer, VP of IT and CIO, Athabasca University

Bibliography

Beaudan, Eric. “Do you have what it takes to be an executive?” The Globe and Mail, 9 July 2018. Web.

Bersohn, Diana. “Go Live on Day One: The Path to Success for a New CIO.” PDF document. Accenture, 2015. Web.

Bradt, George. “Executive Onboarding When Promoted From Within To Follow A Successful Leader.” Forbes, 15 Nov. 2018. Web.

“CIO Stats: Length of CIO Tenure Varies By Industry.” CIO Journal, The Wall Street Journal. 15 Feb. 2017. Web.

“Enlarging Your Sphere of Influence in Your Organization: Your Learning and Development Guide to Getting People on Side.” MindTools Corporate, 2014.

“Executive Summary.” The CIO's First 100 Days: A Toolkit. PDF document. Gartner, 2012. Web.

Forbes, Jeff. “Are You Ready for the C-Suite?” KBRS, n.d. Web.

Gallo, Carmine. “Tim Cook Uses These 5 Words to Take Control of Any Conversation.” Inc., 9 Aug. 2019. Web.

Giles, Sunnie. “The Most Important Leadership Competencies, According to Leaders Around the World.” Harvard Business Review, 15 March 2016. Web.

Godin, Seth. “Ode: How to tell a great story.” Seth's Blog. 27 April 2006. Web.

Green, Charles W. “The horizontal dimension of race: Social culture.” Hope College Blog Network, 19 Oct. 2014. Web.

Hakobyan, Hayk. “On Louis Gerstner And IBM.” Hayk Hakobyan, n.d. Web.

Bibliography

Hargrove, Robert. Your First 100 Days in a New Executive Job, edited by Susan Youngquist. Kindle Edition. Masterful Coaching Press, 2011.

Heathfield, Susan M. “Why ‘Blink’ Matters: The Power of Your First Impressions." The Balance Careers, 25 June 2019. Web.

Hillis, Rowan, and Mark O'Donnell. “How to get off to a flying start in your new job.” Odgers Berndtson, 29 Nov. 2018. Web.

Karaevli, Ayse, and Edward J. Zajac. “When Is an Outsider CEO a Good Choice?” MIT Sloan Management Review, 19 June 2012. Web.

Keizer, Gregg. “Microsoft CEO Nadella Aces First-100-Day Test.” Computerworld, 15 May 2014. Web.

Keller, Scott, and Mary Meaney. “Successfully transitioning to new leadership roles.” McKinsey & Company, May 2018. Web.

Kress, R. “Director vs. Manager: What You Need to Know to Advance to the Next Step.” Ivy Exec, 2016. Web.

Levine, Seth. “What does it mean to be an ‘executive’.” VC Adventure, 1 Feb. 2018. Web.

Lichtenwalner, Benjamin. “CIO First 90 Days.” PDF document. Modern Servant Leader, 2008. Web.

Nawaz, Sabina. “The Biggest Mistakes New Executives Make.” Harvard Business Review, 15 May 2017. Web.

Pruitt, Sarah. “Fast Facts on the 'First 100 Days.‘” History.com, 22 Aug. 2018. Web.

Rao, M.S. “An Action Plan for New CEOs During the First 100 Days.” Training, 4 Oct. 2014. Web.

Reddy, Kendra. “It turns out being a VP isn't for everyone.” Financial Post, 17 July 2012. Web.

Silcoff, Sean. “Exclusive: John Chen’s simple plan to save BlackBerry.” The Globe & Mail, 24 Feb. 2014. Web.

Bibliography

“Start Stop Continue Retrospective.” GroupMap, n.d. Web.

Surrette, Mark. “Lack of Rapport: Why Smart Leaders Fail.” KBRS, n.d. Web.

“Understanding Types of Organization – PMP Study.” Simplilearn, 4 Sept. 2019. Web.

Wahler, Cindy. “Six Behavioral Traits That Define Executive Presence.” Forbes, 2 July 2015. Web.

Watkins, Michael D. The First 90 Days, Updated and Expanded. Harvard Business Review Press, 2013.

Watkins, Michael D. “7 Ways to Set Up a New Hire for Success.” Harvard Business Review, 10 May 2019. Web.

“What does it mean to be a business executive?” Daniels College of Business, University of Denver, 12 Aug. 2014. Web.

Yeung, Ken. “Turnaround: Marissa Mayer’s first 300 days as Yahoo’s CEO.” The Next Web, 19 May 2013. Web.

Build Your Enterprise Application Implementation Playbook

Your implementation doesn’t start with technology, but with an effective plan that the team can align on.

Analyst Perspective

Your implementation is not just about technology, but about careful planning, collaboration, and control.

A successful enterprise application implementation requires more than great software; it requires a clear line of sight to the people, processes, metrics, and tools that can help make this happen.

Additionally, every implementation is unique with its own set of challenges. Working through these challenges requires a tailored approach taking many factors into account. Building out your playbook for your implementation is an important initial step before diving head-first into technology.

Regardless of whether you use an implementation partner, a playbook ensures that you don’t lose your enterprise application investment before you even get started!

Ricardo de Oliveira

Research Director,
Application Delivery and Management
Info-Tech Research Group

Executive Summary

Info-Tech Insight

An effective enterprise application implementation playbook is not just a list of steps; it is a comprehensive view of what is necessary to support your implementation. This starts with a people-first approach. Start by asking about sponsors, stakeholders, and goals. Without asking these questions first, the implementation will be set up for failure, regardless of the technology, processes, and tools available.

Insight summary

Building an effective playbook starts with asking the right questions, not jumping straight into the technical details.

• This blueprint provides the steps required to lay out an implementation playbook to align the team on what is necessary to support the implementation.
• Build your Enterprise Application Implementation Playbook by:
  • Aligning and confirming project’s goals, stakeholders, governance and team.
  • Clearly defining what is in and out of scope for the project and the risks involved.
  • Building up a strong change management process.
  • Providing the tools and processes to keep track of the project.
  • Pulling it all together into an actionable playbook.

Lack of planning is the reason that 39% of projects fail. Poor project planning can be disastrous: The consequences are usually high costs and time overruns.

Almost 20% of IT projects can fail so badly that they can become a threat to a company’s existence. Lack of proper planning, poor communication, and poorly defined goals all contribute to the failure of projects.

A PwC study of over 10,640 projects found that a tiny portion of companies – 2.5% – completed 100% of their projects successfully. These failures extract a heavy cost – failed IT projects alone cost the United States $50-$150B in lost revenue and productivity.

Source: Forbes, 2020

Planning and control are key to enterprise project success

An estimated 70% of large-scale corporate projects fail largely due to a lack of change management infrastructure, proper oversight, and regular performance check-ins to track progress (McKinsey, 2015).

“A survey published in HBR found that the average IT project overran its budget by 27%. Moreover, at least one in six IT projects turns into a ‘black swan’ with a cost overrun of 200% and a schedule overrun of 70%. Kmart’s massive $1.2B failed IT modernization project, for instance, was a big contributor to its bankruptcy.”

Source: Forbes, 2020

Sponsor commitment directly improves project success.

Having the right sponsor significantly improves your chances of success across many different dimensions:

1. On-time delivery
2. Delivering within budget
3. Delivered within an agreed-to scope
4. Delivered with sufficient quality.

Source: Info-Tech, PPM Current State Scorecard Diagnostic

Executive Brief Case Study

Chocolate manufacturer implementing a new ERP

INDUSTRY

SOURCE

A successful software implementation provides more than simply immediate business value…

It can build competitive advantage.

• When software projects fail, it can jeopardize an organization’s financial standing and reputation, and in some severe cases, it can bring the company down altogether.
• Rarely do projects fail for a single reason, but by understanding the pitfalls, developing a risk mitigation plan, closely monitoring risks, and self-evaluating during critical milestones, you can increase the probability of delivering on time, on budget, and with the intended benefits.

Benefits are not limited to just delivering on time. Some others include:

• Building organizational delivery competence and overall agility.
• The opportunity to start an inventory of best practices, eventually building them into a center of excellence.
• Developing a competitive advantage by maximizing software value and continuously transforming the business.
• An opportunity to develop a competent pool of staff capable of executing on projects and managing organizational change.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Your Enterprise Application Implementation Playbook – Timeline Tool

Supporting template that captures the project timeline information, issue log, and follow-up dashboard.

Light Project Change Request Form Template

This tool will help you record the requested change, and allow you to assess the impact of the change and proceed with the approval process.

Key deliverable:

Your Enterprise Application Implementation Playbook

Record the results from the exercises to define the steps for a successful implementation.

Info-Tech’s methodology for Your Enterprise Application Implementation Playbook

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostic and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information.

Phase 1

Understand the project

This phase will walk you through the following activities:

1.1 Identify the project sponsor

1.2 Identify project stakeholders

1.3 Review project vision and guiding principles

1.4 Review project objectives

1.5 Establish project governance

This phase involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Step 1.1

Identify the project sponsor

Activities

1.1.1 Define the project sponsor's responsibilities

1.1.2 Shortlist potential sponsors

1.1.3 Select the project sponsor

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

Selected sponsor.

Sponsor commitment directly improves project success.

Having the right sponsor significantly improves your chances of success across many different dimensions:

1. On-time delivery
2. Delivering within budget
3. Delivered within an agreed-to scope
4. Delivered with sufficient quality.

Source: Info-Tech, PPM Current State Scorecard Diagnostic

Typical project sponsor responsibilities

• Help define the business goals of their projects before they start.
• Provide guidance and support to the project manager and the project team throughout the project management lifecycle.
• Ensure that sufficient financial resources are available for their projects.
• Resolve problems and issues that require authority beyond that of the project manager.
• Ensure that the business objectives of their projects are achieved and communicated.

For further discussion on sponsor responsibilities, use Info-Tech’s blueprint, Drive Business Value With a Right-Sized Project Gating Process

1.1.1 Define the project sponsor’s responsibilities

0.5-1 hour

1. Discuss the minimum requirements for a sponsor at your organization.
2. As a group, brainstorm the criteria necessary for an individual to be a project sponsor:
   1. Is there a limit to the number of projects they can sponsor at one time?
   2. Is there a minimum number of hours they must be available to the project team?
   3. Do they have to be at a certain seniority level in the organization?
   4. What is their role at each stage of the project lifecycle?
3. Document these criteria on a whiteboard.
4. Record the sponsor’s responsibilities in section 1.1 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.1.1 Define the project sponsor’s responsibilities (Continued)

Example

1.1.2 Shortlist potential sponsors

0.5-1 hour

1. Based on the responsibilities defined in Exercise 1.1.1, produce a list of the potential sponsors.
2. Record the sponsor’s shortlist in section 1.2 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.1.2 Shortlist potential sponsors (Continued)

Example

Don’t forget, the project team is there to support the sponsor

Given the burden of the sponsor role, the project team is committed to doing their best to facilitate a successful outcome.

• Follow the framework set out by the governance group at the organization to drive efficiency on the project.
• Ensure stakeholders with proper authority are notified of issues that occur during the project.
• Stay focused on the project tasks to drive quality on the deliverables and avoid rework after the project.
• Communicate within the project team to drive coordination of tasks, complete deliverables, and avoid resource waste.
• Changes are more common than not; the team must be prepared to adjust plans and stay agile to adapt to changes for the project.

Seek the key characteristics of a sponsor

1.1.3 Select the project sponsor

0.5-1 hour

1. Review the characteristics and the list of potential candidates.
2. Assess availability, suitability, and desire of the selected sponsor.
3. Record the selected sponsor in section 1.3 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.1.3 Select the project sponsor (Continued)

Example

Step 1.2

Identify the project stakeholders

Activities

1.2.1 Identify your stakeholders

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

Stakeholders’ management plan

How to find the right stakeholders

Start with the obvious candidates, but keep an open mind.

How to find stakeholders

• Talk to your stakeholders and ask who else you should be talking to, to discover additional stakeholders and ensure you don’t miss anyone.
• Less obvious stakeholders can be found by conducting various types of trace analysis, i.e. following various paths flowing from your initiative through to the path’s logical conclusion.

Create a stakeholder network map for your application implementation

Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

Info-Tech Insight

Your stakeholder map defines the influence landscape your enterprise application operates in. It is every bit as important as the teams who enhance, support, and operate your applications directly.

Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have substantial informal relationships with your stakeholders.

Understand how to navigate the complex web of stakeholders

Identify which stakeholders to include and what their level of involvement should be during requirements elicitation based on relevant topic expertise.

Large-scale projects require the involvement of many stakeholders from all corners and levels of the organization, including project sponsors, IT, end users, and business stakeholders. Consider the influence and interest of stakeholders in contributing to the requirements elicitation process and involve them accordingly.

Map the organization’s stakeholders

1.2.1 Identify your stakeholders

1-2 hours

1. As a group, identify all the project stakeholders. A stakeholder may be an individual such as the CEO or CFO, or it may be a group such as front-line employees.
2. Map each stakeholder on the quadrant based on their expected influence and involvement in the project
3. Identify stakeholders and add them to the list.
4. Record the stakeholders list in section 1.4 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

Input	Output
Types of stakeholders	Your stakeholders initial list
Materials	Participants
Whiteboard/flip charts Your Enterprise Application Implementation Playbook	Project team Operations SMEs Team lead and facilitators IT leaders

1.2.1 Identify your stakeholders(Continued)

Example

Step 1.3

Review project vision and guiding principles

Activities

1.3.1 Align on a project vision

1.3.2 List your guiding principles

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

Project vision and guiding principles

Vision and guiding principles

GUIDING PRINCIPLES

Guiding principles are high-level rules of engagement that help to align stakeholders from the outset. Determine guiding principles to shape the scope and ensure stakeholders have the same vision.

Creating Guiding Principles

Guiding principles should be constructed as full sentences. These statements should be able to guide decisions.

EXAMPLES

• [Organization] is implementing an ERP system to streamline processes and reduce redundancies, saving time and money.
• [Organization] is implementing an ERP to integrate disparate systems and rationalize the application portfolio.
• [Organization] is aiming at taking advantage of industry best practices and strives to minimize the level of customization required in solution.

Questions to Ask

1. What is a strong statement that will help guide decision making throughout the life of the ERP project?
2. What are your overarching requirements for business processes?
3. What do you ultimately want to achieve?
4. What is a statement that will ensure all stakeholders are on the same page for the project?

1.3.1 Align on a project vision

1-2 hours

1. As a group, discuss whether you want to create a separate project vision statement or restate your corporate vision and/or goals.
   1. A project vision statement will provide project-guiding principles, encompass the project objectives, and give a rationale for the project.
   2. Using the corporate vision/goals will remind the business and IT that the project is to implement an enterprise application that supports and enhances the organizational objectives.
2. Record the project vision in section 1.5 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.3.1 Align on a project vision (Continued)

Example

Project Vision

We, [Organization], will select and implement an integrated software suite that enhances the growth and profitability of the organization through streamlined global business processes, real-time data-driven decisions, increased employee productivity, and IT investment protection.

Guiding principles examples

The guiding principles will help guide your decision-making process. These can be adjusted to align with your internal language.

• Support business agility: A flexible and adaptable integrated business system providing a seamless user experience.
• Use best practices: Do not recreate or replicate what we have today; focus on modernization. Exercise customization governance by focusing on those customizations that are strategically differentiating.
• Automate: Take manual work out where we can, empowering staff and improving productivity through automation and process efficiencies.
• Stay focused: Focus on scope around core business capabilities. Maintain scope control. Prioritize demand in line with the strategy.
• Strive for "one source of truth": Unify data model and integrate processes where possible. Assess integration needs carefully.

1.3.2 List your guiding principles

1-2 hours

1. Start with the guiding principles defined during the strategy building.
2. Review each of the sample guiding principles provided and ask the following questions:
   1. Do we agree with the statement?
   2. Is this statement framed in the language we use internally? Does everyone agree on the meaning of the statement?
   3. Will this statement help guide our decision-making process?
3. Record the guiding principles in section 1.6 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.3.2 List your guiding principles (Continued)

Example

Step 1.4

Review project objectives

Activities

1.4.1 Confirm your goals and objectives for the implementation project

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

The objectives of the implementation project

Review the elements of the project charter

Leverage completed deliverables to get project managers started down the path of success.

1.4.1 List your guiding principles

1-2 hours

1. Articulate the high-level objectives of the project. (What are the goals of the project?)
2. Elicit the business benefits the sponsor is committed to achieving. (What are the business benefits of the project?)
3. Record Project goals and objectives in section 1.7 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.4.1 Confirm your goals and objectives for the implementation project (Continued)

Example:

Step 1.5

Establish project governance

Activities

1.5.1 Define the project governance structure

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

Approach to build an effective project governance

1.5.1 List your guiding principles

0.5-1 hour

1. Identify the IT governance structure in place today and document the high-level function of each body (councils, steering committees, review boards, centers of excellence, etc.).
2. Identify and document the existing enterprise applications governance structure, roles, and responsibilities (if any exist).
3. Identify gaps and document the desired enterprise applications governance structure, roles, and responsibilities.
4. Record the project governance structure in section 1.8 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

Governance is NOT management

Info-Tech Insight

You won’t get engagement unless there is a sense of accountability. Do not leave this vague. Accountability needs to be assigned to specific individuals in your organization to ensure the system development achieves what was intended by your organization and not what your system integrator (SI) intended.

Who is accountable?

Too many assumptions are made that the SI is accountable for all implementation activities and deliverables – this is simply untrue. All activities can be better planned for, and misunderstandings can be avoided, with a clear line of sight on roles and responsibilities and the documentation that will support these assumptions.

• For each role (e.g. executive sponsor, delivery manager, test lead, conversion lead), clearly articulate the responsibilities of the role, who is accountable for fulfillment, and whether it’s a client role, SI role, or both.
• Articulate the purpose of each deliverable clearly, define which individual or team has responsibility for it, and document who is expected to contribute.
• Empower the team by granting them the authority to make decisions. Ease their reluctance to think outside the box for fear of stakeholder or user backlash.
• The implementation cannot and will not be transformative if the wrong people are involved or if the right people have not been given the tools required to succeed in their role.

1.5.2 List your guiding principles

0.5-1 hour

1. Assess the skills necessary for an enterprise implementation. Inventory the competencies required for an enterprise implementation team. Map your internal resources to each competency as applicable.
2. Select your internal implementation team. Determine who needs to be involved closely with the implementation. Key stakeholders should also be considered as members of your implementation team.
3. Identify the number of external consultants/support required for implementation. Consider your in-house skills, timeline, integration environment complexity, and cost constraints as you make your resourcing plan.
4. Record governance team roles and responsibilities in 1.9 section of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

1.5.2 Define governance team roles and responsibilities (Continued)

Example

Phase 2

Set up for success

This phase will walk you through the following activities:

2.1. Review project scope

2.2. Define project metrics

2.3. Prepare for project risks

2.4. Identify the project team

2.5. Define your change management process

This phase involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Step 2.1

Review project scope

Activities

2.1.1 Gather and review requirements

2.1.2 Confirm your scope for implementation

2.1.3 Formulate a scope statement

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

The project scope

Requirements are key to defining scope

Project scope management includes the processes required to ensure that the project includes all and only the work required to complete the project successfully. Therefore, managing project scope is about defining and controlling what is and is not included in the project.

PMBOK defines requirements as “conditions or capabilities that are to be met by the project or present in the product, service, or result to satisfy an agreement or other formally imposed specification.” Detailed requirements should be gathered and elicited in order to provide the basis for defining the project scope.

Well-executed requirements gathering results in:

• Consistent approach from project to project, resulting in more predictable outcomes.
• Solutions that meet the business need on the surface and under the hood.
• Reduce risk for fast-tracked projects by establishing a right-sized approach.
• Requirements team that can drive process improvement and improved execution.
• Confidence when exploring solution alternatives.

Poorly executed requirements gathering results in:

• IT receiving the blame for any project shortcomings or failures.
• Business needs getting lost in the translation between the initial request and final output.
• Inadequate solutions or cost overruns and dissatisfaction with IT.
• IT losing its credibility as stakeholders do not see the value and work around the process.
• Late projects that tie up IT resources longer than planned, and cost overruns that come out of the IT budget.
• Inconsistent project execution, leading to inconsistent outcomes.

Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

Note: “High satisfaction” was classified as a score greater or equal to eight, and “low satisfaction” was every organization that scored below eight on the same questions.

2.1.1 Gather and review requirements

1-2 hours

1. Once existing documentation has been gathered, evaluate the effectiveness of the documentation and decide whether you need additional information to proceed to current-state mapping.
2. The initiative team should avoid spending too much time on the discovery phase, as the goal of discovery is to obtain enough information to produce a level-one current-state map.
3. Consider reviewing capabilities, business processes, current applications, integration, and data migration.

Download Your Enterprise Application Implementation Playbook

2.1.1 Requirements list

Example

2.1.2 Confirm your scope for implementation

1-2 hours

1. Based on the requirements, write down features of the product or services, as well as dependencies with other interfaces.
2. Write down exclusions to guard against scope creep.
3. Validate the scope by asking these questions:
   1. Will this scope provide a common understanding for all stakeholders, including those outside of IT, as to what the project will accomplish and what it excludes?
   2. Should any detail be added to prevent scope creep later?
4. Record the project scope in section 2.1 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook

2.1.2 Scope detail

Example

Distill your requirements into a scope statement

Requirements are about the what and the how.
Scope specifies the features of the product or service – what is in and what is out

The Build Your Enterprise Application Implementation Playbook 2.2 Project Scope Statement includes:

• Scope description (features, how it interfaces with other solution components, dependencies).
• Exclusions (what is not part of scope).
• Deliverables (product outputs, documentation).
• Acceptance criteria (what metrics must be satisfied for the deliverable to be accepted).
• Final sign-off (owner).
• Project exclusions (scope item, details).

The scope statement should communicate the breadth of the project

• What are the major coverage points?
• Who will be using the systems?
• How will different users interact with the systems?
• What are the objectives that need to be addressed?
• Where do we start?
• Where do we draw the line?

2.1.3 Formulate a scope statement

1-2 hours

1. Lay out the scope description (features, how it interfaces with other solution components, dependencies).
2. Record the exclusions (what is not part of scope).
3. Fill out the scope statement.
4. Record the scope statement in section 2.2 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook.

2.1.3 Scope statement

Example

Step 2.2

Review project scope

Activities

2.2.1 Define metrics for your project

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

The project metrics

Building leading indicators

Lagging KPIs are relatively simple to identify, whereas leading KPIs can be more elusive.

For example, take the lagging KPI “Customer Satisfaction.” How do you turn that into a leading KPI? One method is to look at sources of customer complaints. In a retail sales system, backordered items will negatively impact customer satisfaction. As a leading indicator, track the number of orders with backordered lines and the percentage of the total order that was backordered.

Performance Metrics

Use leading and lagging metrics, as well as benchmarks, to track the progress of your system.

Leading KPIs: Input-oriented measures:

• Number of active users in the system.
• Time-to-completion for processes that previously experienced efficiency pain points.

Lagging KPIs: Output-oriented measures:

• Faster production times.
• Increased customer satisfaction scores

Benchmarks: A standard to measure performance against:

• Number of days to ramp up new users.

Info-Tech Insight

Leading indicators make the news; lagging indicators report on the news. Focusing on leading indicators allows you to address challenges before they become large problems with only expensive solutions.

2.2.1 Define metrics for your project

1-2 hours

1. Examine outputs from any feedback mechanisms you have (satisfaction surveys, emails, existing SLAs, burndown charts, resourcing costs, licensing costs per sprint, etc.).
2. Look at historical trends and figures when available. However, be careful of frequent anomalies, as these may indicate a root cause that needs to be addressed.
3. Explore the definition of specific metrics across different functional teams to ensure consistency of measurement and reporting.
4. Record the Project Metrics in section 2.3 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook.

2.2.1 Metrics

In addition to delivery metrics and system performance metrics, equip the business with process-based metrics to continuously prove the value of the enterprise software. Review the examples below as a starting point.

Step 2.3

Prepare for project risks

Activities

2.3.1 Build a risk event menu

2.3.2 Determine contextual risks

2.3.3 Determine process risks

2.3.4 Determine business risks

2.3.5 Determine change risks

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

Steps to create your product canvas and product vision statement

All risks are not created equal

For more information on Info-Tech’s Four-Pillar Risk Framework, please see Right-Size Your Project Risk Investment.

Info-Tech’s Four-Pillar Risk Framework

Unusual risks should be detected by finding out how each project is different from the norm. Use this framework to start this process by confronting the risks that are more easily anticipated.

2.3.1 Build a risk event menu

0.5-1 hour

1. Build and maintain an active menu of potential risk events across the four risk categories.
2. Record the risk event menu in section 2.4 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook.

2.3.1 Risk event menu

Example

2.3.2 Determine contextual risks

0.5-1 hour

1. Contextual risk factors are those that operate within the context of your department, organization, and/or community.
2. Fill out contextual risks.
3. Record the contextual risks in section 2.5 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.3.2 Contextual risks

Example

2.3.3 Determine process risks

0.5-1 hour

1. Process risks are those that involve project sponsorship, project management, business and functional requirements, work assignment, communication, and/or visibility.
2. Fill out process risks.
3. Record the process risks in section 2.6 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.3.3 Process risks

Example

2.3.4 Determine business risks

0.5-1 hour

1. Business risks are those that affect the bottom line of the organization. They usually have implications on revenue, costs, and/or image.
2. Fill out business risks.
3. Record the business risks in section 2.7 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.3.4 Business risks

Example

2.3.5 Determine change risks

0.5-1 hour

1. Change risks are those that result from imposing changes on the people and customers of the organization and their daily routines.
2. Fill change risks.
3. Record the change risks in section 2.7 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download Your Enterprise Application Implementation Playbook.

2.3.5 Change risks

Example

Step 2.4

Identify the project team

Activities

2.4.1 Establish team composition

2.4.2 Identify the team

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

Steps to get your project team ready

Understand the unique external resource considerations for the implementation

Organizations rarely have sufficient internal staffing to resource an enterprise software implementation project entirely on their own. Consider the options for closing the gap in internal resource availability.

The most common project resourcing structures for enterprise projects are:

1. Management consultant
2. Vendor consultant
3. System integrator

When contemplating a resourcing structure, consider:

• Availability of in-house implementation competencies and resources.
• Timeline and cost constraints.
• Integration environment complexity.

CONSIDER THE FOLLOWING

Clearly delineate between internal and external team responsibilities and accountabilities and communicate this to your technology partner upfront.

Internal Vs. External Accountabilities

Accountability is different than responsibility. Your vendor or SI partner may be responsible for completing certain tasks, but be careful not to outsource accountability for the implementation – ultimately, the internal team will be accountable.

Partner Implementation Methodologies

Often vendors and/or SIs will have their own preferred implementation methodology. Consider the use of your partner’s implementation methodology; however, you know what will work for your organization.

Info-Tech Insight

Selecting a partner is not just about capabilities, it’s about compatibility! Ensure you select a partner that has a culture compatible with your own.

2.4.1 Establish team composition

0.5-1 hour

1. Assess the skills necessary for an enterprise implementation.
2. Select your internal implementation team.
3. Identify the number of external consultants/support required for implementation.
4. Document the roles and responsibilities, accountabilities, and other expectations as they relate to each step of the implementation.
5. Record the team composition in section 2.9 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.4.1 Team composition

Example

2.4.2 Identify the team

0.5-1 hour

1. Identify a candidate for each role and determine their responsibility in the project and their expected time commitment.
2. The project will require a cross-functional team within IT and business units. Make sure the responsibilities are clearly communicated to the selected project sponsor.
3. Create a RACI matrix for the project.
4. Record the team list in section 2.10 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.4.2 Team list

Example

RACI example

Step 2.5

Define your change management process

Activities

2.5.1 Define OCM structure and resources

2.5.2 Define OCM team’s roles and responsibilities

2.5.3 Define requirements for training

2.5.4 Create a communications plan for stakeholder groups, and delivery teams

This step involves the following participants:

• Project team
• Operations
• SMEs
• Team lead and facilitators
• IT leaders

Outcomes of this step

A structure and procedures for an effective organizational change management

Define your change management process to improve quality and adoption

Organizational change management is the practice through which the PMO can improve user adoption rates and maximize project benefits.

“It’s one thing to provide a new technology tool to your end users.

It’s quite another to get them to use the tool, and still different for them to use the new tool proficiently.

When your end users fully use a new technology and make it part of their daily work habits, they have ‘adopted’ the new tool.”

Large projects require organizational change management

Organizational change management (OCM) governs the introduction of new business processes and technologies to ensure stakeholder adoption. The purpose of OCM is to prepare the business to accept the change.

OCM is a separate body of knowledge. However, as a practice, it is inseparable from project management.

In IT, project planning tends to fixate on technology, and it underestimates the behavioral and cultural factors that inhibit user adoption. Whether change is project-specific or continuous, it’s more important to instill the desire to change than to apply specific tools and techniques.

Accountability for instilling this desire should start with the project sponsor. The project manager should support this with effective stakeholder and communication management plans.

For further discussion on organizational change, use Info-Tech’s blueprint, Master Organizational Change Management Practices

Your application implementation will be best served by centralizing OCM

A centralized approach to OCM is most effective, and the PMO is already a centralized project office and is already accountable for project outcomes.

What’s more, in organizations where accountabilities for OCM are not explicitly defined, the PMO will likely already be assumed to be the default change leader by the wider organization.

It makes sense for the PMO to accept this accountability – in the short term at least – and claim the benefits that will come from coordinating and consistently driving successful project outcomes.

In the long term, OCM leadership will help the PMO become a strategic partner with the executive layer and the business side.

Short-term gains made by the PMO can be used to spark dialogues with those who authorize project spending and have the implicit fiduciary obligation to drive project benefits.

Ultimately, it’s their job to explicitly transfer that obligation along with the commensurate resourcing and authority for OCM activities.

For further discussion on organizational change, use Info-Tech’s blueprint, Master Organizational Change Management Practices

2.5.1 Define OCM structure and resources

0.5-1 hour

1. Assess the roles and resources that might be needed to help support these OCM efforts.
2. Record the OCM structure in section 2.11 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.5.1 OCM structure and resources

Example

2.5.2 Define OCM team’s roles and responsibilities

0.5-1 hour

1. Assess the tasks required for the team.
2. Determine roles and responsibilities.
3. Record the results in the RACI matrix in section 2.13 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

OCM team’s roles and responsibilities

Example

2.5.3 Define requirements for training

0.5-1 hour

1. Analyze HR requirements to ensure efficient use of HR and project stakeholder time.
2. Outline appropriate HR and training activities.
3. Define training content and make key logistical decisions concerning training delivery for staff and users.
4. Record training requirements in section 2.14 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

2.5.3 Training requirements

Example

Project communication plans must address creation, flow, deposition, and security of project information

A good communication management plan is like the oil that keeps moving parts going. Ensuring smooth information flow is a fundamental aspect of project management.

Project communication management is more than keeping track of stakeholder requirements. A communication management plan must address timely and appropriate creation, flow, and deposition of information about the project – as well as the security of the information.

Create:

• In addition to standardized status reporting elements discussed for level 1 projects, level 2 and 3 projects may require additional information to be disseminated among key stakeholders and the PMO.

Flow:

• The plan must address the methods of communication. Distributed project teams require more careful planning, as they pose additional communication challenges.

Deposit:

• As the volume of information continues to grow exponentially, retrieving information becomes a challenge. The plan for depositing project information must be consistent with your organization’s content management policies.

Security:

• Preventing unauthorized access and information leaks is important for projectsthat are intended to provide the organization with a competitive edge or for projects that deal with confidential data.

2.5.4 Create a communications timeline

0.5-1 hour

1. Base your change communications on your organization’s cultural appetite for change in general.
2. Document communications plan requirements.
3. Create a high-level communications timeline.
4. Tailor a communications strategy for each stakeholder group.
5. Record the communications timeline in section 2.12 of Info-Tech’s Your Enterprise Application Implementation Playbook.

Download

Your Enterprise Application Implementation Playbook.

Example of communications timeline

Project sponsors are the most compelling storytellers to communicate the change

Info-Tech Insight

Communication with stakeholders and sponsors is not a single event, but a continual process throughout the lifecycle of the project implementation – and beyond!

Phase 3

Document your plan

This phase will walk you through the following activities: