Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may not secure much

Analyst Perspective

Ensure integrated security success with close and continual collaboration

From physical access control systems (PACS) such as electronic locks and fingerprint biometrics to video surveillance systems (VSS) such as IP cameras to perimeter intrusion detection and prevention to fire and life safety and beyond: physical security systems pose unique challenges to overall security. Additionally, digital transformation of physical security to the cloud and the convergence of operational technology (OT), internet of things (IoT), and industrial IoT (IIoT) increase both the volume and frequency of security threats.

These threats can be safety, such as the health impact when a gunfire attack downed wastewater pumps at Duke Energy Substation, North Carolina, US, in 2022. The threats can also be economic, such as theft of copper wire, or they can be reliability, such as when a sniper attack on Pacific Gas & Electric’s Metcalf Substation in California, US, damaged 17 out of 21 power transformers in 2013.

Considering the security risks organizations face, many are unifying physical, cyber, and information security systems to gain the long-term overall benefits a consolidated security strategy provides.

Ida Siahaan

Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

An integrated security architecture, including people, process, and technology, will improve your overall security posture. These benefits are leading many organizations to consolidate their siloed systems into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Existing information security models are not comprehensive

Current security models do not cover all areas of security, especially if physical systems and personnel are involved and safety is also an important property required.

• The CIA triad (confidentiality, integrity, availability) is a well-known information security model that focuses on technical policies related to technology for protecting information assets.
• The US Government’s Five Pillars of Information Assurance includes CIA, authentication, and non-repudiation, but it does not cover people and processes comprehensively.
• The AAA model, created by the American Accounting Association, has properties of authentication, authorization, and accounting but focuses only on access control.
• Donn Parker expanded the CIA model with three more properties: possession, authenticity, and utility. This model, which includes people and processes, is known as the Parkerian hexad. However, it does not cover physical and personnel security.

CIA Triad

Parkerian Hexad

Sources: Parker, 1998; Pender-Bey, 2012; Cherdantseva and Hilton, 2015

Adopt an integrated security model

The security ecosystem is shifting from segregation to integration

Sources: Cisco, n.d.; Preparing for Technology Convergence in Manufacturing, Info-Tech Research Group, 2018

Physical security includes:

• Securing physical access,
  e.g. facility access control, alarms, surveillance cameras
• Securing physical operations
  (operational technology – OT), e.g. programmable logic controllers (PLCs), SCADA

Info-Tech Insight

Why is integrating physical and information security gaining more and more traction? Because the supporting technologies are becoming more matured. This includes, for example, migration of physical security devices to IP-based network and open architecture.

Reactive responses to physical security incidents

April 1995

Target: Alfred P. Murrah Federal Building, Oklahoma, US. Method: Bombing. Impact: Destroyed structure of 17 federal agencies, 168 casualties, over 800 injuries. Result: Creation of Interagency Security Committee (ISC) in Executive Order 12977 and “Vulnerability Assessment of Federal Facilities” standard.
(Source: Office of Research Services, 2017)

April 2013

Target: Pacific Gas & Electric’s Metcalf Substation, California, US. Method: Sniper attack. Impact: Out of 21 power transformers, 17 were damaged. Result: Creation of Senate Bill No. 699 and NERC- CIP-014 standard.
(Source: T&D World, 2023)

Sep. 2022

Target: Nord Stream gas pipelines connecting Russia to Germany, Baltic sea. Method: Detonations. Impact: Methane leaks (~300,000 tons) at four exclusive economic zones (two in Denmark and two in Sweden). Result: Sweden’s Security Service investigation.
(Source: CNBC News, 2022)

Dec. 2022

Target: Duke Energy Substation, North Carolina, US. Method: Gunfire. Impact: Power outages of ~40,000 customers and wastewater pumps in sewer lift stations down. Result: State of emergency was declared.
(Source: CBS News, 2022)

Info-Tech Insight

When it comes to physical security, we have been mostly reactive. Typically the pattern starts with physical attacks. Next, the impacted organization mitigates the incidents. Finally, new government regulatory measures or private sector or professional association standards are put in place. We must strive to change our pattern to become more proactive.

Physical security market forecast and top physical security challenges

Physical security market forecast
(in billions USD)

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

Source: MarketsandMarkets, 2022

Top physical security challenges

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

Source: Ontic Center for Protective Intelligence, 2022

Info-Tech Insight

The physical security market is growing in systems and services, especially the integration of threat data management with cybersecurity.

Top physical security initiatives and operations integration investments

We know the physical security challenges and how the physical security market is growing, but what initiatives are driving this growth? These are the top physical security initiatives and top investments for physical security operations integration:

Top physical security initiatives

A survey by Brivo asked 700 security professionals about their top physical security initiatives. The number one initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration.

Source: Brivo, 2022

Top investments for physical security operations integration

An Ontic survey (N=359) on areas of investment for physical security operations integration shows the number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

Source: Ontic Center for Protective Intelligence, 2022

Evaluate security integration opportunities with these guiding principles

Opportunity focus

• Identify the security integration problems to solve with visible improvement possibilities
• Don’t choose technology for technology’s sake
• Keep an eye to the future
• Use strategic foresight

Piece by piece

• Avoid taking a big bang approach
• Test technologies in multiple conditions
• Run inexpensive pilots
• Increase flexibility
• Build a technology ecosystem

Buy-in

• Collaborate with stakeholders
• Gain and sustain support
• Maintain transparency
• Increase uptake of open architecture

Key Recommendations:

Focus on your master plan

Build a technology ecosystem

Engage stakeholders

Info-Tech Insight

When looking for a quick win, consider learning the best internal or external practice. For example, in 1994 IBM reorganized its security operation by bringing security professionals and non-security professionals in one single structure, which reduced costs by approximately 30% in two years.

Sources: Create and Implement an IoT Strategy, Info-Tech Research Group, 2022; Baker and Benny, 2013; Erich Krueger, Omaha Public Power District (contributor); Doery Abdou, March Networks Corporate (contributor)

Case Study

4Wall Entertainment – Asset Owner

4Wall Entertainment is quite mature in integrating its physical and information security; physical security has always been under IT as a core competency.

4Wall Entertainment is a provider of entertainment lighting and equipment to event venues, production companies, lighting designers, and others, with a presence in 18 US and UK locations.

After many acquisitions, 4Wall Entertainment needed to standardize its various acquired systems, including physical security systems such as access control. In its integrated security approach, IT owns the integrated security, but they interface with related entities such as HR, finance, and facilities management in every location. This allows them to obtain information such as holidays, office hours, and what doors need to be accessed as inputs to the security system and to get sponsorship in budgeting.

In the past, 4Wall Entertainment tried delegating specific physical security to other divisions, such as facilities management and HR. This approach was unsuccessful, so IT took back the responsibility and accountability.

Currently, 4Wall Entertainment works with local vendors, and its biggest challenge is finding third-party vendors that can provide nationwide support.

In the future, 4Wall Entertainment envisions physical security modernization such as camera systems that allow more network accessibility, with one central system to manage and IoT device integration with SIEM and MDR.

Results

Lessons learned in integrating security from 4Wall Entertainment include:

• Start with forming relationships with related divisions such as HR, finance, and facilities management to build trust and encourage sponsorship across management.
• Create policies, procedures, and standards to deploy in various systems, especially when acquiring companies with low maturity in security.
• Select third-party providers that offer the required functionalities, good customer support, and standard systems interoperability.
• Close skill gaps by developing training and awareness programs for users, especially for newly acquired systems and legacy systems, or by acquiring expertise from consulting services.
• Complete cost-benefit analysis for solutions on legacy systems to determine whether to keep them and create interfacing with other systems, upgrade them, or replace them entirely with newer systems.
• Delegate maintenance of specific highly regulated systems, such as fire alarms and water sprinklers, to facilities management.

Tracking progress of physical and information security integration

Physical security is often part of facilities management. As a result, there are interdependencies with both internal departments (such as IT, information security, and facilities) and external parties (such as third-party vendors). IT leaders, security leaders, and operational leaders should keep the big picture in mind when designing and implementing integration of physical and information security. Use this checklist as a tool to track your security integration journey.

Plan

• Engage stakeholders and justify value for the business.
• Define roles and responsibilities.
• Establish/update governance for integrated security.
• Identify integrated elements and compliance obligations.

Enhance

• Determine the level of security maturity and update security strategy for integrated security.
• Assess and treat risks of integrated security.
• Establish/update integrated physical and information security policies and procedures.
• Update incident response, disaster recovery, and business continuity plan.

Monitor & Optimize

• Identify skill requirements and close skill gaps for integrating physical and information security.
• Design and deploy integrated security architecture and controls.
• Establish, monitor, and report integrated security metrics on effectiveness and efficiency.

Benefits of the security integration framework

Today’s matured technology makes security integration possible. However, the governance and management of single integrated security presents challenges. These can be overcome using a multi-phased framework that enables a modular, incremental, and repeatable integration process, starting with planning to justify the value of investment, then enhancing the integrated security based on risks and open architecture. This is followed by using metrics for monitoring and optimization.

1. Modular

   • Implementing a consolidated security strategy is complex and involves the integration of process, software, data, hardware, and network and infrastructure.
   • A modular framework will help to drive value while putting in appropriate guardrails.

2. Incremental

   • Integration of physical security and information security involves many components such as security strategy, risk management, and security policies.
   • An incremental framework will help track, manage, and maintain each step while providing appropriate structure.

3. Repeatable

   • Integration of physical security and information security is a journey that can be approached with a pilot program to evaluate effectiveness.
   • A repeatable framework will help to ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

Potential risks of the security integration framework

Just as medicine often comes with side effects, our Integration of Physical and Information Security Framework may introduce risks too. However, as John F. Kennedy, thirty-fifth president of the United States, once said, "There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction."

Plan Phase

• Lack of transparency in the integration process can lead to lack of trust among stakeholders.
• Lack of support from leadership results in unclear governance or lack of budget or human resources.
• Key stakeholders leave the organization during the engagement and their replacements do not understand the organization’s operation yet.

Enhance Phase

• The risk assessment conducted focuses too much on IT risk, which may not always be applicable to physical security systems nor OT systems.
• The integrated security does not comply with policies and regulations.

Monitor and Optimize Phase

• Lack of knowledge, training, and awareness.
• Different testing versus production environments.
• Lack of collected or shared security metrics.

Data

• Data quality issues and inadequate data from physical security, information security, and other systems, e.g. OT, IoT.
• Too much data from too many tools are complex and time consuming to process.

Develop an integration of information security, physical security, and personnel security that meets your organization’s needs

Integrate security in people, process, and technology to improve your overall security posture

Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Plan and engage stakeholders

Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.

Enhance strategy and risk management

Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Monitor and optimize

Find the most optimized architecture that is strategic, realistic, and based on risk. Next, perform an evaluation of the security systems and program by understanding what, where, when, and how to measure and to report the relevant metrics.

Focus on master plan

Identify the security integration problems to solve with visible improvement possibilities, and don’t choose technology for technology’s sake. Design first, then conduct market research by comparing products or services from vendors or manufacturers.

Build a technology ecosystem

Avoid a big bang approach and test technologies in multiple conditions. Run inexpensive pilots and increase flexibility to build a technology ecosystem.

Deliverables

Each step of this framework is accompanied by supporting deliverables to help you accomplish your goals:

Integrate Physical Security and Information Security Requirements Gathering Tool

Map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals. Identify your security integration elements and compliance.

Integrate Physical Security and Information Security RACI Chart Tool

Identify various security integration stakeholders across the organization and assign tasks to suitable roles.

Key deliverable:

Integrate Physical Security and Information Security Communication Deck

Present your findings in a prepopulated document that summarizes the work you have completed.

Plan

Planning is foundational to engage stakeholders. Start with justifying the value of investment, then define roles and responsibilities, update governance, and finally identify integrated elements and compliance obligations.

Plan

Engage stakeholders

• To initiate communication between the physical and information security teams and other related divisions, it is important to identify the entities that would be affected by the security integration and involve them in the process to gain support from planning to delivery and maintenance.
• Possible stakeholders:
  • Executive leadership, Facilities Management leader and team, IT leader, Security & Privacy leader, compliance officer, Legal, Risk Management, HR, Finance, OT leader (if applicable)
• A successful security integration depends on aligning your security integration initiatives and migration plan to the organization’s objectives by engaging the right people to communicate and collaborate.

Info-Tech Insight

It is important to speak the same language. Physical security concerns safety and availability, while information security concerns confidentiality and integrity. Thus, the two systems have different goals and require alignment.

Similarly, taxonomy of terminologies needs to be managed,¹ e.g. facility management with an emergency management background may have a different understanding from a CISO with an information security background when discussing the same term. For example:

In emergency management prevention means “actions taken to eliminate the impact of disasters in order to protect lives, property and the environment, and to avoid economic disruption.”²

In information security prevention is “preventing the threats by understanding the threat environment and the attack surfaces, the risks, the assets, and by maintaining a secure system.”³

Sources: ¹ Owen Yardley, Omaha Public Power District (contributor); ² Translation Bureau, Government of Canada, n.d.; ³ Security Intelligence, 2020

Map organizational goals to integrated security goals

1. As a group, brainstorm organization goals.
   • Review relevant corporate, IT, and facilities strategies.
2. Record the most important business goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than ten goals. This limitation will be critical to helping focus on your integrated security goals.
3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Integrate Physical Security and Information Security Requirements Gathering Tool.

Record organizational goals

Refer to the Integration of Physical and Information Security Framework when filling in the table.

1. Record your identified organizational goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each organizational goal, identify IT alignment goals.
3. For each organizational goal, identify OT alignment goals (if applicable).
4. For each organizational goal, identify Facilities alignment goals.
5. For each organizational goal, select an integrated security goal from the drop-down menu.

Justify value for the business

Facilities in most cases have a team that is responsible for physical security installations such as access key controllers. Whenever there is an issue, they contact the provider to fix the error. However, with smart buildings and smart devices, the threat surface grows to include information security threats, and Facilities may not possess the knowledge and skills required to deal with them. At the same time, delegating physical security to IT may add more tasks to their already-too-long list of responsibilities. Consolidating security to a focused security team that covers both physical and information security can help.1 We need to develop the security integration business case beyond physical security "gates, guns, and guards" mentality.2

An example of a cost-benefit analysis for security integration:

Sources: 1 Andrew Amaro, KLAVAN Security Services (contributor); 2 Baker and Benny, 2013;
Industrial Control System Modernization, Info-Tech Research Group, 2023; Lawrence Berkeley National Laboratory, 2021

Plan

Define roles and responsibilities

Many factors impact an organization’s level of effectiveness as it relates to integration of physical and information security. How the team interacts, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, we need to identify stakeholders that are:

• Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
• Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
• Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
• Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Integrate Physical Security and Information Security RACI Chart Tool

Define RACI chart

Define Responsible, Accountable, Consulted, Informed (RACI) stakeholders.

1. Customize the Work Units to best reflect your operation with applicable stakeholders.
2. Customize the Action rows as required.

Sources: ISC, 2015; ISC, 2021

Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, IT Security should be responsible for the installation and configuration of all physical access controllers and devices, and facility managers should be responsible for the physical maintenance including malfunctioning such as access device jammed or physically broken.

Plan

Establish/update governance for integrated security

HR & Finance

HR provides information such as new hires and office hours as input to the security system. Finance assists in budgeting.

Security & Privacy

The security and privacy team will need to evaluate solutions and enforce standards on various physical and information security systems and to protect data privacy.

Business Leaders

Business stakeholders will provide clarity for their strategy and provide input into how they envision security furthering those goals.

IT Executives

IT stakeholders will be a driving force, ensuring all necessary resources are available and funded.

Facilities/ Operations

Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

Infrastructure & Enterprise Architects

Each solution added to the environment will need to be chosen and architected to meet business goals and security functions.

Info-Tech Insight

Assemble the right team to ensure the success of your integrated security ecosystem and decide the governance model, e.g. security steering committee (SSC) or a centralized single structure.

Adapted from Create and Implement an IoT Strategy, Info-Tech Research Group, 2022

What does the SSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your SSC should aim to provide the following core governance functions for your security program:

1. Define Clarity of Intent and Direction

   How does the organization’s security strategy support the attainment of the business, IT, facilities management, and physical and information security strategies? The SSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.

2. Establish Clear Lines of Authority

   Security programs contain many important elements that need to be coordinated. There must be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.

3. Provide Unbiased Oversight

   The SSC should vet the organization’s systematic monitoring processes to ensure there is adherence to defined risk tolerance levels and that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.

4. Optimize Security Value Delivery

   Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Adapted from Improve Security Governance With a Security Steering Committee , Info-Tech Research Group, 2018

Plan

Identify integrated elements and compliance obligations

To determine what elements need to be integrated, it’s important to scope the security integration program and to identify the consequences of integration for compliance obligations.

INTEGRATED ELEMENTS

What are my concerns?

Process integrations

Determine which processes need to be integrated and how

• Examples: Security prevention, detection, and response; risk assessment

Software and data integration

Determine which software and data need to be integrated and how

• Examples: Threat management tools, SIEM, IDPS, security event logs

Hardware integration

Determine which hardware needs to be integrated and how

• Examples: Sensors, alarms, cameras, keys, locks, combinations, and card readers

Network and infrastructure

Determine which network and infrastructure components need to be integrated and how

• Example: Network segmentation for physical access controllers.

COMPLIANCE

How can I address my concerns?

Regulations

Adhere to mandatory laws, directives, industry standards, specific contractual obligations, etc.

• Examples: NERC CIP (North American Utilities), Network and Information Security (NIS) Directive (EU), Health and Safety at Work etc Act 1974 (UK), Occupational Safety and Health Act, 1970 (US), Emergency Management Act, 2007 (Canada)

Standards

Adhere to voluntary standards and obligations

• Examples: NIST Cybersecurity Framework (CSF), The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (US), Cybersecurity Maturity Model Certification (CMMC), Service Organization Control (SOC 1 and 2)

Guidelines

Adopt guidelines that can improve the integrated security program

• Examples: Best Practices for Planning and Managing Physical Security Resources (US Interagency Security Committee), Information Security Manual - Guidelines for Physical Security (Australian Cyber Security Centre), 1402-2021-Guide for Physical Security of Electric Power Substations (IEEE)

Record integrated elements

Refer to the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool when filling in the following elements.

1. Record your integrated elements, i.e. process integration, software and data integration, hardware integration, network and infrastructure, and physical scope of your security integration, in the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each of your scoping give the rationale for including them in the Comments column. Careful attention should be paid to any elements that are not in scope.

Record your compliance obligations

Refer to the “Compliance Obligations” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.

1. Identify your compliance obligations. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   • Laws
   • Government regulations
   • Industry standards
   • Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your integrated security, include those that include physical security requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Integrate Physical Security and Information Security Requirements Gathering Tool.
3. Refer to the “Compliance DB” tab for lists of standards/regulations/ guidelines.

Remediate third-party compliance gaps

If you have third-party compliance gaps, there are four primary ways to eliminate them:

1. Find a New, Compliant Partner

   Terminate existing contract and find another organization to partner with.

2. Bring the Capability In-House

   Expense permitting, this may be the best way to protect yourself.

3. Demand Compliance

   Tell the third party they must become compliant. Make sure you set a deadline.

4. Accept Noncompliance and Assume the Risk

   Sometimes remediation just isn’t cost effective and you have no choice.

Follow Contracting Best Practices to Mitigate the Risk of Future Third-Party Compliance Gaps

1. Perform Initial Due Diligence: Request proof of third-party compliance prior to entering into a contract.
2. Perform Ongoing Due Diligence: Request proof of third-party contractor compliance annually.
3. Contract Negotiation: Insert clauses requesting periodic assertions of compliance.

View a sample contract provided by the US Department of Health and Human Services.

Source: Take Control of Compliance Improvement to Conquer Every Audit, Info-Tech Research Group, 2015

Pitfalls to avoid when planning security integration

• No Resources Lineups

  Integration of security needs support from leadership, proper planning, and clear and consistent communication across the organization.

• Not Addressing Holistic Security

  Create policies and procedures and follow standards that are holistic and based on threats and risks, e.g. consolidated access control policies.

• Lack of Governance

  While the IT department is a critical partner in cybersecurity, the ownership of such a role sits squarely in the organizational C-suite, with regular reporting to the board of directors (if applicable).

• Overlooking Business Continuity Effort

  IT and physical security are integral to business continuity and disaster recovery strategies.

• Not Having Relevant Training and Awareness

  Provide a training and awareness program based on relevant attack vectors. Trained employees are key assets to the development of a safe and secure environment. They must form the base of your security culture.

• Overbuilding or Underbuilding

  Select third-party providers that offer systems interoperability with other security tools. The intent is to promote a unified approach to security to avoid a cumbersome tooling zoo.

Sources: Real Time Networks, 2022; Andrew Amaro, KLAVAN Security Services (contributor)

Enhance

Enhancing is the development of an integrated security strategy, policies, procedures, BCP, DR, and IR based on the organization’s risks.

Enhance

Determine the level of security maturity and update the security strategy

• Before updating your security strategies, you need to understand the organization’s business strategies, IT strategies, facilities strategies, and physical and information security strategies. The goal is to align your integrated security strategies to contribute to your organization’s success.
• The integrated security leaders need to understand the direction of the organization. For example:
  • Growth expectation
  • Expansions or mergers anticipation
  • Product or service changes
  • Regulatory requirements
• Wise security investments depend on aligning your security initiatives to the organization’s objectives by supporting operational performance and ensuring brand protection and shareholder values.

Sources: Amy L. Meger, Platte River Power Authority (contributor); Baker and Benny, 2013; IFSEC Global, 2023; Security Priorities 2023, Info-Tech Research Group, 2023; Build an Information Security Strategy, Info-Tech Research Group, 2020; ISC, n.d.

Understanding security maturity

Maturity models are very effective for determining security states. This table provides examples of general descriptions for physical and information security maturity levels.

Determine which framework is suitable and select the description that most accurately reflects the ideal state for security in your organization.

Sources: ¹ Fennelly, 2013; ² Build an Information Security Strategy, Info-Tech Research Group, 2020

Enhance

Assess and treat integrated security risks

The risk assessment conducted consists of analyzing existing inherent risks, existing pressure to the risks such as health and safety laws and codes of practice, new risks from the integration process, risk tolerance, and countermeasures.

• Some organizations already integrate security into corporate security that consists of risk management, compliance, governance, information security, personnel security, and physical security. However, some organizations are still separating security components, especially physical security and information security, which limits security visibility and the organization’s ability to complete a comprehensive risks assessment.
• Many vendors are also segregating physical security and information security solutions because their tools do well only on certain aspects. This forces organizations to combine multiple tools, creating a complex environment.
• Additionally, risks related to people such as mental health issues must be addressed properly. The prevalence of hybrid work post-pandemic makes this aspect especially important.
• Assess and treat risks based on the organization’s requirements, including its environments. For example, the US federal facility security organization is required to conduct risk assessments at least every five years for Level I (lowest risk) and Level II facilities and at least every three years for Level III, IV, and V (highest risk) facilities.

Sources: EPA, n.d.; America's Water Infrastructure Act (AWIA), 2018; ISC, 2021

“In 2022, 95% of US companies are consolidating into a single platform across physical security, cybersecurity, HR, legal and compliance.”

Source: Ontic Center for Protective Intelligence, 2022; N=359

Example risk levels

The risk assessment conducted is based on a combination of physical and information security factors such as certain facilities factors. The risk level can be used to determine the baseline level of protection (LOP). Next, the baseline LOP is customized to the achievable LOP. The following is an example for federal facilities determined by Interagency Security Committee (ISC).

Source: ISC, 2021

Example assets

It is important to identify the organization’s requirements, including its environments (IT, IoT, OT, facilities, etc.), and to measure and evaluate its risks and threats using an appropriate risk framework and tools with the critical step of identifying assets prior to acquiring solutions.

Info-Tech Insight

Certain exceptions must be identified in risk assessment. Usually physical barriers such as gates and intrusion detection sensors are considered as countermeasures,1 however, under certain assessment, e.g. America's Water Infrastructure Act (AWIA),2 physical barriers are also considered assets and as such must also be assessed.

Compromising a fingerprint scanner

An anecdotal example of why physical security alone is not sufficient.

Image by Rawpixel.com on Freepik

Lessons learned from using fingerprints for authentication:

• Fingerprint scanners can be physically circumvented by making a copy an authorized user’s fingerprint with 3D printing or even by forcefully amputating an authorized user’s finger.
• Authorized users may not be given access when the fingerprint cannot be recognized, e.g. if the finger is covered by bandage due to injury.
• Integration with information security may help detect unauthorized access, e.g. a fingerprint being scanned in a Canadian office when the same user was scanned at a close time interval from an IP in Europe will trigger an alert of a possible incident.

Info-Tech Insight

In an ideal world, we want a physical security system that is interoperable with all technologies, flexible with minimal customization, functional, and integrated. In the real world, we may have physical systems with proprietary configurations that are not easily customized and siloed.

Source: Robert Dang, Info-Tech Research Group

Use case: Microchip implant

Microchip implants can be used instead of physical devices such as key cards for digital identity and access management. Risks can be assessed using quantitative or qualitative approaches. In this use case a qualitative approach is applied to impact and likelihood, and a quantitative approach is applied to revenue and cost.

Asset: Microchip implant

Benefits

Risks

Sources: Business Insider, 2018; BBC News, 2022; ISC, 2015

Enhance

Update integrated security policies and procedures

Global policies with local implementation

This model works for corporate groups with a parent company. In this model, global security policies are developed by a parent company and local policies are applied to the unique business that is not supported by the parent company.

Update of existing security policies

This model works for organizations with sufficient resources. In this model, integrated security policies are derived from various policies. For example, physical security in smart buildings/devices (sensors, automated meters, HVAC, etc.) and OT systems (SCADA, PLCs, RTUs, etc.) introduce unique risk exposures, necessitating updates to security policies.

Customization of information security policies

This model works for smaller organizations with limited resources. In this model, integrated security policies are derived from information security policies. The issue is when these policies are not applicable to physical security systems or other environments, e.g. OT systems.

Sources: Kris Krishan, Waymo (contributor); Isabelle Hertanto, Info-Tech Research Group (contributor); Physical and Environmental Security Policy Template, Info-Tech Research Group, 2022.

Enhance

Update BCP, DR, IR

• Physical threats such as theft of material, vandalism, loitering, and the like are also part of business continuity threats.
• These threats can be carried out by various means such as vehicles breaching perimeter security, bolt cutters used for cutting wire and cable, and ballistic attack.
• Issues may occur when security operations are owned separately by physical security or information security, thus lacking consistent application of best practices.
• To overcome this issue, organizations need to update BCP, DR, and IR holistically based on a cost-benefit analysis and the level of security maturity, which can be defined based on the suitable framework.

Sources: IEEE, 2021; ISC, 2021

“The best way to get management excited about a disaster plan is to burn down the building across the street.”

Source: Dan Erwin, Security Officer, Dow Chemical Co., in Computerworld, 2022

Optimize

Optimizing means working to make the most effective and efficient use of resources, starting with identifying skill requirements and closing skill gaps, followed by designing and deploying integrated security architecture and controls, and finally monitoring and reporting integrated security metrics.

Optimize

Identify skill requirements and close skill gaps

• The pandemic changed how people work and where they choose to work, and most people still want a hybrid work model. Our survey in July 2022 (N=516) found that 55.8% of employees have the option to work offsite 2-3 days per week, 21.0% can work offsite 1 day per week, and 17.8% can work offsite 4 days per week.
• The investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the costs didn’t end there; organizations needed to maintain the secure remote work infrastructure to facilitate the hybrid work model.
• Moreover, roles are evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security and ops team might consist of an IT security specialist, a SCADA technician/engineer, and an OT/IIOT security specialist, where OT/IIOT security specialist is a new role.

Strategic investment in internal security team

Internal security governance and management using in-house developed tools or off-the-shelf solutions, e.g. security information and event management (SIEM).

Security management using third parties

Internal security management using third-party security services, e.g. managed security service providers (MSSPs).

Outsourcing security management

Outsourcing the entire security functions, e.g. using managed detection and response (MDR).

Sources: Info-Tech Research Group’s Security Priorities 2023, Close the InfoSec Skills Gap, Build an IT Employee Engagement Program, and Grid Modernization

Select the right certifications

What are the options?

• One issue in security certification is the complexity of relevancy in topics with respect to roles and levels.
• The European Union Agency for Cybersecurity (ENISA) takes the approach of analyzing existing certifications of ICS/SCADA professionals' cybersecurity skills by orientation, scope, and supporting bodies that are grouped into specific certifications, relevant certifications, and safety certifications (ENISA, 2015).
• This approach can also be applied to integrated security certifications.

Physical security certification

• Examples: Industrial Security Professional Certification (NCMS-ISP); Physical Security Professional (ASIS-PSP); Physical Security Certification (CDSE-PSC); ISC I-100, I-200, I-300, and I-400

Cyber physical system security certification

• Examples: Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course

Information security certification

• Examples: Network and Information Security (NIS) Driving License, ISA/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP)

Safety Certifications

• Examples: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organizations (ENSHPO)

Optimize

Design and deploy integrated security architecture and controls

• A survey by Brivo found that 38% of respondents have partly centralized security platforms, 25% have decentralized platforms, and 36% have centralized platforms (Brivo, 2022; N=700).
• If your organization’s security program is still decentralized or partly centralized and your organization is planning to establish an integrated security program, then the recommendation is to perform a holistic risk assessment based on probability and impact assessments on threats and vulnerabilities.
• The impacted factors, for example, are customers served, criticality of services, equipment present inside the building, personnel response time for operational recovery and the mitigation of hazards, and costs.
• Frameworks such as Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and Related Technologies (COBIT), and The Open Group Architecture Framework (TOGAF) can be used to build security architecture that aligns security goals with business goals.
• Finally, analyze the security design against the design criteria.

Sources: ISA and Honeywell Integrated Security Technology Lab, n.d.; IEEE, 2021

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one.”

Source: FedTech magazine, 2009

Analyze architecture design

Cloud, on-premises, or hybrid? During the pandemic, many enterprises were under tight deadlines to migrate to the cloud. Many did not refactor data and applications correctly for cloud platforms during migration, with the consequence of high cloud bills. This happened because the migrated applications cannot take advantage of on-premises capabilities such as autoscaling. Thus, in 2023, it is plausible that enterprises will bring applications and data back on-premises.

Below is an example of a security design analysis of platform architecture. Design can be assessed using quantitative or qualitative approaches. In this example, a qualitative approach is applied using high-level advantages and disadvantages.

Info-Tech Insight

It is important for organizations to find the most optimized architecture to support them, for example, a hybrid architecture of cloud and on-premises based on operations and cost-effectiveness. To help design a security architecture that is strategic, realistic, and based on risk, see Info-Tech’s Identify the Components of Your Cloud Security Architecture research.

Sources: InfoWorld, 2023; Identify the Components of Your Cloud Security Architecture , Info-Tech Research Group, 2021

Analyze equipment design

Below is an example case of a security design analysis of electronic security systems. Design can be assessed using quantitative or qualitative approaches. In this example a qualitative approach is applied using advantages and disadvantages.

Info-Tech Insight

Once the design has been analyzed, the next step is to conduct market research to analyze the solutions landscape, e.g. to compare products or services from vendors or manufacturers.

Sources: IEEE, 202; IEC, n.d.; IEC, 2013

Analyze off-the-shelf solutions

Criteria to consider when comparing solutions:

Visibility and Asset Management

Passively monitoring data using various protocol layers, actively sending queries to devices, or parsing configuration files of physical security devices, OT, IoT, and IT environments on assets, processes, and connectivity paths.

Threat Detection, Mitigation, and Response (+ Hunting)

Automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only in IT but also in relevant environments, e.g. physical, IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

Risk Assessment and Vulnerability Management

Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

Usability, Architecture, Cost

The user and administrative experience, multiple deployment options, extensive integration capabilities, and affordability.

Source: Secure IT/OT Convergence, Info-Tech Research Group, 2022

Optimize

Establish, monitor, and report integrated security metrics

Security metrics serve various functions in a security program.1 For example:

• As audit requirements. For integrated security, the requirements are derived from mandatory or voluntary compliance, e.g. NERC CIP.
• As an indicator of maturity level. For integrated security, maturity level is used to measure the state of security, e.g. C2M2, CMMC.
• As a measurement of effectiveness and efficiency. Security metrics consist of operational metrics, financial metrics, etc.

Safety

Physical security interfaces with the physical world. Thus, metrics based on risks related to safety are crucial. These metrics motivate personnel by making clear why they should care about security.
Source: EPRI, 2017

Business Performance

The impact of security on the business can be measured with various metrics such as operational metrics, service level agreements (SLAs), and financial metrics.
Source: BMC, 2022

Technology Performance

Early detection leads to faster remediation and less damage. Metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability.
Source: Dark Reading, 2022

Security Culture

Measure the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

Info-Tech Insight

Security failure can be avoided by evaluating the security systems and program. Security evaluation requires understanding what, where, when, and how to measure and to report the relevant metrics.

Related Info-Tech Research

Secure IT/OT Convergence

The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

Hence, IT and OT need to collaborate, starting with communication to build trust and to overcome their differences and followed by negotiation on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Bibliography

"1402-2021 - IEEE Guide for Physical Security of Electric Power Substations." IEEE, 2021. Accessed 25 Jan. 2023.

"2022 State of Protective Intelligence Report." Ontic Center for Protective Intelligence, 2022. Accessed 16 Jan. 2023.

"8 Staggering Statistics: Physical Security Technology Adoption." Brivo, 2022. Accessed 5 Jan. 2023.

"America's Water Infrastructure Act of 2018." The United States' Congress, 2018. Accessed 19 Jan. 2023.

Baker, Paul and Daniel Benny. The Complete Guide to Physical Security. Auerbach Publications. 2013

Bennett, Steve. "Physical Security Statistics 2022 - Everything You Need to Know." WebinarCare, 4 Dec. 2022. Accessed 30 Dec. 2022.

"Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide." Interagency Security Committee (ISC), Dec. 2015. Accessed 23 Jan. 2023.

Black, Daniel. "Improve Security Governance With a Security Steering Committee." Info-Tech Research Group, 23 Nov. 2018. Accessed 30 Jan. 2023.

Borg, Scott. "Don't Put Up Walls Between Your Security People." FedTech Magazine, 17 Feb. 2009. Accessed 15 Dec. 2022.

Burwash, John. “Preparing for Technology Convergence in Manufacturing.” Info-Tech Research Group, 12 Dec. 2018. Accessed 7 Dec. 2022.

Carney, John. "Why Integrate Physical and Logical Security?" Cisco. Accessed 19 Jan. 2023.

"Certification of Cyber Security Skills of ICS/SCADA Professionals." European Union Agency for Cybersecurity (ENISA), 2015. Accessed 27 Sep. 2022.

Cherdantseva, Yulia and Jeremy Hilton. "Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals." Organizational, Legal, and Technological Dimensions of IS Administrator, Almeida F., Portela, I. (eds.), pp. 1204-1235. IGI Global Publishing, 2013.

Cobb, Michael. "Physical security." TechTarget. Accessed 8 Dec. 2022.

“Conduct a Drinking Water or Wastewater Utility Risk Assessment.” United States Environmental Protection Agency (EPA), n.d. Web.

Conrad, Sandi. "Create and Implement an IoT Strategy." Info-Tech Research Group, 28 July 2022. Accessed 7 Dec. 2022.

Cooksley, Mark. "The IEC 62443 Series of Standards: A Product Manufacturer's Perspective." YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

"Cyber and physical security must validate their value in 2023." IFSEC Global, 12 Jan. 2023. Accessed 20 Jan. 2023.

"Cybersecurity Evaluation Tool (CSET®)." Cybersecurity and Infrastructure Security Agency (CISA). Accessed 23 Jan. 2023.

"Cybersecurity Maturity Model Certification (CMMC) 2.0." The United States' Department of Defense (DOD), 2021. Accessed 29 Dec. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

Czachor, Emily. "Mass power outage in North Carolina caused by gunfire, repairs could take days." CBS News, 5 Dec. 2022. Accessed 20 Jan. 2023.

Dang, Robert, et al. “Secure IT/OT Convergence.” Info-Tech Research Group, 9 Dec. 2022. Web.

"Emergency Management Act (S.C. 2007, c. 15)." The Government of Canada, 2007. Accessed 19 Jan. 2023.

"Emergency management vocabulary." Translation Bureau, Government of Canada. Accessed 19 Jan. 2023.

Fennelly, Lawrence. Effective physical security. Butterworth-Heinemann, 2013.

Ghaznavi-Zadeh, Rassoul. "Enterprise Security Architecture - A Top-down Approach." The Information Systems Audit and Control Association (ISACA). Accessed 25 Jan. 2023.

"Good Practices for Security of Internet of Things." European Union Agency for Cybersecurity (ENISA), 2018. Accessed 27 Sep. 2022.

"Health and Safety at Work etc Act 1974." The United Kingdom Parliament. Accessed 23 Jan. 2023.

Hébert, Michel, et al. “Security Priorities 2023.” Info-Tech Research Group, 1 Feb. 2023. Web.

"History and Initial Formation of Physical Security and the Origin of Authority." Office of Research Services (ORS), National Institutes of Health (NIH). March 3, 2017. Accessed 19 Jan. 2023.

"IEC 62676-1-1:2013 Video surveillance systems for use in security applications - Part 1-1: System requirements - General." International Electrotechnical Commission (IEC), 2013. Accessed 9 Dec. 2022.

"Incident Command System (ICS)." ICS Canada. Accessed 17 Jan. 2023.

"Information Security Manual - Guidelines for Physical Security." The Australian Cyber Security Centre (ACSC), Dec. 2022. Accessed 13 Jan. 2023.

"Integrated Physical Security Framework." Anixter. Accessed 8 Dec. 2022.

"Integrating Risk and Security within a TOGAF® Enterprise Architecture." TOGAF 10, The Open Group. Accessed 11 Jan. 2023.

Latham, Katherine. "The microchip implants that let you pay with your hand." BBC News, 11 Apr. 2022. Accessed 12 Jan. 2023.

Linthicum, David. "2023 could be the year of public cloud repatriation." InfoWorld, 3 Jan. 2023. Accessed 10 Jan. 2023.

Ma, Alexandra. "Thousands of people in Sweden are embedding microchips under their skin to replace ID cards." Business Insider, 14 May 2018. Accessed 12 Jan. 2023.

Mendelssohn, Josh and Dana Tessler. "Take Control of Compliance Improvement to Conquer Every Audit." Info-Tech Research Group, 25 March 2015. Accessed 27 Jan. 2023.

Meredith, Sam. "All you need to know about the Nord Stream gas leaks - and why Europe suspects 'gross sabotage'." CNBC, 11 Oct. 2022. Accessed 20 Jan. 2023.

Nicaise, Vincent. "EU NIS2 Directive: what’s changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.

"NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations." The National Institute of Standards and Technology (NIST), 13 Jul. 2022. Accessed 27 Jan. 2023.

"North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Series." NERC. Accessed 23 Jan. 2023.

"North America Physical Security Market - Global Forecast to 2026." MarketsandMarkets, June 2021. Accessed 30 Dec. 2022.

"NSTISSI No. 4011 National Training Standard For Information Systems Security (InfoSec) Professionals." The United States Committee on National Security Systems (CNSS), 20 Jun. 1994. Accessed 23 Jan. 2023.

"Occupational Safety and Health Administration (OSH) Act of 1970." The United States Department of Labor. Accessed 23 Jan. 2023.

Palter, Jay. "10 Mistakes Made in Designing a Physical Security Program." Real Time Networks, 7 Sep. 2022. Accessed 6 Jan. 2023.

Parker, Donn. Fighting Computer Crime. John Wiley & Sons, 1998.

Pathak, Parag. "What Is Threat Management? Common Challenges and Best Practices." Security Intelligence, 2020. Accessed 5 Jan. 2023.

Pender-Bey, Georgie. "The Parkerian Hexad." Lewis University, 2012. Accessed 24 Jan. 2023.

Philippou, Oliver. "2023 Trends to Watch: Physical Security Technologies." Omdia. Accessed 20 Jan. 2023.

Phinney, Tom. "IEC 62443: Industrial Network and System Security." ISA and Honeywell Integrated Security Technology Lab. Accessed 30 Jan. 2023.

"Physical Security Market, with COVID-19 Impact Analysis - Global Forecast to 2026." MarketsandMarkets, Jan. 2022. Accessed 30 Dec. 2022.

"Physical Security Professional (PSP)" ASIS International. Accessed 17 Jan. 2023.

"Physical Security Systems (PSS) Assessment Guide" The United States' Department of Energy (DOE), Dec. 2016. Accessed 23 Jan. 2023.

"Policies, Standards, Best Practices, Guidance, and White Papers." Interagency Security Committee (ISC). Accessed 23 Jan. 2023.

"Profiles, Add-ons and Specifications." ONVIF. Accessed 9 Dec. 2022.

"Protective Security Policy Framework (PSPF)." The Australian Attorney-General's Department (AGD). Accessed 13 Jan. 2023.

"Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

""Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

Satgunananthan, Niru. "Challenges in Security Convergence?" LinkedIn, 8 Jan. 2022. Accessed 20 Dec. 2022.

Sooknanan, Shastri and Isaac Kinsella. "Identify the Components of Your Cloud Security Architecture." Info-Tech Research Group, 12 March 2021. Accessed 26 Jan. 2023.

"TC 79 Alarm and electronic security systems." International Electrotechnical Commission (IEC), n.d. Accessed 9 Dec. 2022.

"The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard." Interagency Security Committee (ISC), 2021. Accessed 26 Jan. 2023.

"The Short Guide to Why Security Programs Can Fail." CyberTalk, 23 Sep. 2021. Accessed 30 Dec. 2022.

Verton, Dan. "Companies Aim to Build Security Awareness." Computerworld, 27 Nov. 2022. Accessed 26 Jan. 2023.

"Vulnerability Assessment of Federal Facilities." The United States' Department of Justice, 28 Jun. 1995. Accessed 19 Jan. 2023.

"What is IEC 61508?" 61508 Association. Accessed 23 Jan. 2023.

Wolf, Gene. "Better Include Physical Security With Cybersecurity." T&D World 5 Jan. 2023. Accessed 19 Jan. 2023.

Wood, Kate, and Isaac Kinsella. “Build an Information Security Strategy.” Info-Tech Research Group, 9 Sept. 2020. Web.

Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.

"Work Health and Safety Act 2011." The Australian Government. Accessed 13 Jan. 2023.

Wu, Jing. “Industrial Control System Modernization: Unlock the Value of Automation in Utilities.” Info-Tech Research Group, 6 April 2023. Web.

Research Contributors and Experts

Amy L. Meger, IGP

Information and Cyber Governance Manager
Platte River Power Authority

Andrew Amaro

Chief Security Officer (CSO) & Founder
KLAVAN Security

Bilson Perez

IT Security Manager
4Wall Entertainment

Dan Adams

VP of Information Technology
4Wall Entertainment

Doery Abdou

Senior Manager
March Networks Corporate

Erich Krueger

Manager of Security Engineering
Omaha Public Power District

Kris Krishan

Head of IT
Waymo

Owen Yardley

Director, Facilities Security Preparedness
Omaha Public Power District

Build Your IT Cost Optimization Roadmap

Improve cost-to-value in a sustainable manner.

Analyst Perspective

Optimize your cost sustainably.

Whether the industry is in an economic downturn, or your business is facing headwinds in the market, pressure to reduce spending across organizations is inevitable. When it comes to the IT organization, it is often handled as a onetime event. Cost optimization is an industry standard term, but it usually translates into cost cutting. How do you manage this challenge given the day-to-day demands placed on IT? Do you apply cost reduction equally across the IT landscape, or do you apply reductions using a targeted approach? How do you balance the business demands regarding innovation with keeping the lights on? What is the best path forward?

While the situation isn't unique, all too often the IT organization response is too shortsighted.

By using the Info-Tech methodology and tools, you will be able to develop an IT cost optimization roadmap based on your specific circumstances and timeline.

A well-thought-out strategy should help you achieve three objectives:

1. Reduce your unwarranted IT spending.
2. Optimize your cost-to-value.
3. Sustain your cost optimization.

This blueprint will guide you to understand your mandate, identify your cost optimization journey (reactive, proactive, or strategic), and assess your IT spend across four levers (assets, vendors, project portfolio, and workforce).

Finally, keep in mind that cost optimization is not a project to be completed, but an ongoing process to be exercised.

Bilal Alberto Saab
Research Director, IT Financial Management
Info-Tech Research Group

Executive Summary

Info-Tech Insight
Cost optimization is not just about reducing costs. In fact, you should aim to achieve three objectives: (1) reduce your unwarranted IT spending, (2) optimize your cost-to-value, and (3) sustain your cost optimization.

Your challenge

IT leaders are often asked to cut costs.

• Cost management is a long-term challenge. Businesses and IT departments look to have a flexible cost structure focused on maximizing business value while maintaining the ability to adapt to market pressure. However, businesses must also be able to respond to unexpected events.
• In times of economic downturn, many CEOs and CFOs shift their thinking from growth to value protection. This can force a round of cost cutting across all departments focused on short-term, immediate, and measurable objectives.
• Many IT departments are then faced with the challenge of meeting cost cutting targets. No one knows exactly how markets will behave, but the effects of rising inflation and increasing interest rates, for example, can manifest very quickly.

When crisis hits, does IT's hard-won gains around being seen as a partner to the business suddenly disappear and IT becomes just a cost center all over again?

In times of economic slowdown or downturn, the key challenge of IT leaders is to optimize costs without jeopardizing their strategic and innovative contribution.

Common obstacles

The 90% of the budget you keep is more important than the 10% of the budget you cut.

• While the business responds to fluctuating economic conditions, IT must ensure that its budget remains fully aligned with business strategy and expected business value.
• However, in the face of sudden pressures, a common tendency is to make quick decisions without fully considering their long-term implications.
• Avoid costly mistakes with a proactive and strategic mindset. Put in place a well-communicated cost optimization strategy rather than hastily cutting back the biggest line items in your budget.

How can IT optimize costs to achieve a corporate impact, but not cut so deep that the organization can't take advantage of opportunities to recover and thrive?

Know how you will strategically optimize IT costs before you are forced to cut cost aggressively in a reactive fashion.

What is cost optimization?

It's not just about cutting costs

• While cost optimization may involve cutting costs, it is more about making smart spend and investment decisions.
• At its core, cost optimization is a strategic decision-making process that sets out to minimize waste and get the most value for money.
• Cost optimization encompasses near-term, mid-term, and long-term objectives, all of which are related and build upon one another. It is an accumulative practice, not a onetime exercise.
• A sound cost optimization practice is inherently flexible, sustainable, and consequence-oriented with the positive goal of generating net benefit for the organization over time.

Change your mindset ...

An Info-Tech survey of IT staff reveals that while most agree that cost optimization is an important IT process, nearly 20% fewer of them agree that it's being managed well.

Info-Tech IT Management & Governance Diagnostic, 2022.

A starting point for cost optimization improvement is adjusting your frame of mind. Know that it's not just about making difficult cuts - in reality, it's a creative pursuit that's about thriving in all circumstances, not just surviving.

Slow revenue growth expectations generate urgency

Many IT organizations will be directed to trim costs during turbulent times.

• Cost optimization implies continuous cost management, which entails long-term strategic initiatives (i.e. organizations and their IT departments seek flexible cost structures and practices focused on maximizing business value while maintaining the ability to adapt to changes in the broader economic environment). However, organizations must also be able to respond to unexpected events.
• During times of turmoil – poor economic outlook expected to negatively impact an organization's bottom line – CEOs and CFOs think more about survival than growth, driving cost cutting across all departments to create short-term, immediate, and measurable financial benefits.
• In such situations, many IT departments will be hard-pressed to meet cost cutting targets at short notice. If not planned correctly, with a tunnel vision focus instead of a strategic one, you can end up hurting yourself in the not-so-distant future.

Insight summary

Sustain an optimal cost-to-value ratio across four levers:

1. Assets
2. Vendors
3. Project Portfolio
4. Workforce

Cost optimization is not just about reducing costs

In fact, you should aim to achieve three objectives:
(1) reduce your unwarranted IT spending, (2) optimize your cost-to-value, and (3) sustain your cost optimization.

Reduce unwarranted IT spending

Stop the bleeding or go for quick wins
Start by reducing waste and bad spending habits while clearly communicating your intentions to your stakeholders – get buy-in.

Optimize cost-to-value

Value means tradeoffs
Pursue value but know that it will lead you to make tradeoffs between cost, performance, and risk.

Sustain cost optimization

Think about tomorrow: reduce, reuse, recalibrate, and repeat
Standardize and automate your cost optimization processes around a proper governance framework. Cost optimization is not a onetime exercise.

Info-Tech's methodology for building your IT cost optimization roadmap

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IT Cost Optimization Roadmap Samples and Templates
Templates including an abbreviated executive presentation and a final communication presentation based on a 12-month cost optimization roadmap.

IT Cost Optimization Workbook
A workbook generating a 12-month cost optimization roadmap.

Measure the value of this blueprint

Maintain an optimal IT cost-to-organization revenue ratio.

This blueprint will guide you to set cost optimization goals across one to three main objectives, depending on your identified journey (reactive, proactive, or strategic):

• Reduce unwarranted IT spending.
• Optimize cost-to value.
• Sustain cost optimization.

In phase 1 of this blueprint, we will help you establish your goals to satisfy your organization's needs.

In phase 3, we will help you develop a game plan and a roadmap for achieving those metrics.

Once you implement your 12-month roadmap, start tracking the metrics below over the next fiscal year (FY) to assess the effectiveness of undertaken measures.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

Guided implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI will include multiple calls over the course of one to two months.

IT cost analysis and optimization workshop overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Understand Your Mandate and Objectives

Phase 1
Understand Your Mandate and Objectives

Phase 2
Outline Your Cost Optimization Initiatives

Phase 3
Develop Your IT Cost Optimization Roadmap

Phase 4
Communicate and Execute

This phase will walk you through the following activities:

• Business context and cost optimization journey
• Cost constraints and parameters
• Cost optimization goals

This phase involves the following participants:

• CIO/IT director
• IT finance lead

1.1 Gain consensus on the business context and IT cost optimization journey

60 minutes

• Using the questions on slide 20, conduct a brief journey assessment to ensure consensus on the direction you are planning to take.
• Document your findings in the provided template.

See the next three slides for guidelines and the journey assessment questions and template.

Distinguishing between three journeys

By considering business objectives without forgoing your IT mandate.

Questions to help determine your journey

Template & Example

Journey assessment

1.2 Review internal and external benchmarking reports

60-90 minutes

1. Review the IT spend and staffing results, summarized in your Info-Tech IT Spend & Staffing Benchmarking report.
2. Identify areas where your IT spend is disproportionately high or low in comparison with your industry peers.
3. Review and document any causes or rationales for high or low spend in each area identified. Do not be specific about any actual optimization targets or actions at this stage - simply make notes.
4. Start a list of potential cost optimization initiatives to be further analyzed and investigated for feasibility at a later stage (see next slides for guidance, example, and template).

Info-Tech's approach

Our IT cost model maps your IT spending and staffing according to four key views, putting IT spend in language that stakeholders across the organization can relate to.

Template & Example

Potential cost optimization initiatives list

Brainstorm and list potential cost optimization initiatives at a macro level.

Want help with your IT spend transparency and benchmarking efforts?

Let us fast-track your IT spend journey.

The path to IT financial management maturity starts with knowing exactly where your money is going. To streamline this effort, Info-Tech offers an IT Spend & Staffing Benchmarking service that provides full transparency into where your money is going without any heavy lifting on your part.

This unique service features:

• A client-proven approach to meet your IT spend transparency goals.
• Spend and staff mapping that reveals business consumption of IT.
• Industry benchmarking to compare your spending and staffing to that of your peers.
• Results in a fraction of the time with much less effort than going it alone.
• Expert review of results and ongoing discussions with Info-Tech analysts.

If you'd like Info-Tech to pave the way to IT spend transparency, contact your account manager for more information - we're happy to talk anytime.

1.3 Identify your overarching constraints

30 minutes

1. Assess where spend change opportunities are currently limited or nonexistent due to organization edict or policy, industry regulatory requirements, or active contracts. Ask yourself:
   1. Where do IT spend bottlenecks exist and what are they?
   2. What IT spend objectives and practices are absolutely mandatory and nonnegotiable from both a business and an IT perspective?
   3. Are there areas where spend change is possible but would be very difficult to execute due to the stakeholders involved, governance processes, time frames, or another constraining factor?
2. Identify where reduction or elimination of an IT service would negatively affect required service levels and business continuity or recovery.
3. List constraints as negotiable or nonnegotiable on the template provided.
4. Remove areas of focus from your cost optimization scope that land outside achievable parameters, and flag those that are difficult but still possible.

See the next slides for additional guidance and a constraints assessment template.

Acknowledge your limitations

By recognizing your constraints, which will lead you to define your cost optimization scope.

We define a constraint as a restriction controlling the behavior of any of your stakeholders, hence preventing a desired outcome.

In our context, constraints will determine your playing field: the boundaries of your cost optimization scope.

Distinguish between constraints

Negotiable vs. nonnegotiable to delimit your cost optimization scope.

Template & Example

Constraints assessment

List high-level limitations that hinder your cost optimization options.

1.4 Establish overarching cost optimization goals

60-90 minutes

1. Establish specific IT cost optimization goals. Depending on your journey, step 1.1. You will have one to three overarching cost optimization goals, as follows:
   1. Reactive: Cost-cutting goal to reduce unwarranted IT spending.
   2. Proactive: Cost-to-value optimization goal.
   3. Strategic: Cost optimization sustainability goal.
   Consider amounts and time frames, as well as likely/suitable approaches you plan to employ to achieve these goals.
2. Document your final cost optimization goals in the IT Cost Optimization Workbook.
3. Revisit your goals after outlining your initiatives (phase 2) to ensure feasibility depending on your journey.

Download the IT Cost Optimization Workbook

Template & Example

Document your overarching goals

Excel Workbook: IT Cost Optimization – Set Optimization Goals Worksheet

Refer to the example and guidelines below on how to document your goals based on your journey:

Complete the following fields for each goal depending on your journey in the Excel Workbook as per guidelines:

1. Navigate to the Set Cost Optimization Goals tab.
2. Identify your journey and objective for each goal.
3. Document your goal(s).

Download the IT Cost Optimization Workbook

Template & Example

Break down your goals per quarter

Excel Workbook: IT Cost Optimization - Set Cost Optimization Goals Worksheet

Refer to the example and guidelines below on how to break down your goals per quarter and track your progress:

Complete the following fields for each goal depending on your journey in the Excel Workbook as per guidelines:

1. Navigate to the Set Cost Optimization Goals tab.
2. Determine your target per quarter for every goal.
3. Document your targets.

Download the IT Cost Optimization Workbook

1.5 Identify inputs required for decision making

60-90 minutes

1. Each of the optimization levers (assets, vendors, project portfolio, and workforce) will require specific and unique sources of information which you will need to collect before moving forward. Examples of important sources of information include:
   1. Latest iteration of the IT strategy.
   2. List of IT assets (hardware, software).
   3. List of IT services or IT service catalog.
   4. List of current and planned IT projects and their resourcing allocations.
   5. List of largest vendor contracts and their key details, such as their expiration/renewal date.
   6. IT department organizational chart and salaries (by role).
2. Review and analyze each of the documents.
3. Continue to list potential cost optimization initiatives (step 1.2) to be further analyzed and investigated for feasibility at a later stage.

Prepare all pertinent sources of information

And start drafting your cost optimization laundry list.

Phase 2

Outline Your Cost Optimization Initiatives

Phase 1
Understand Your Mandate and Objectives

Phase 2
Outline Your Cost Optimization Initiatives

Phase 3
Develop Your IT Cost Optimization Roadmap

Phase 4
Communicate and Execute

This phase will walk you through the following activities:

• IT cost optimization initiatives
• IT cost optimization workbook

This phase involves the following participants:

• CIO/IT director
• IT finance lead
• IT asset manager
• IT infrastructure manager
• IT vendor management lead
• PMO lead
• IT talent management representative
• Other IT management

Outline your cost optimization initiatives

Across Info-Tech's four levers.

Most common cost optimization challenges

Across Info-Tech's four levers.

2.1 Determine your cost optimization initiatives

8 hours

Now that you have identified your journey and understood your constraints:

1. Review your list of potential cost optimization initiatives and document viable ones in the IT Cost Optimization Workbook.
2. Think of potential cost optimization initiatives within the four levers: assets, vendors, project portfolio, and workforce. The following slides will help you in this endeavor.

Download the IT Cost Optimization Workbook

Plan your cost optimization initiatives

Your initiatives will differ depending on your journey

In terms of aggressiveness and objectives.

Cost optimization initiatives pertaining to a reactive journey are characterized by aggressive cost reduction.

On the other hand, cost optimization initiatives within a strategic journey can vary in aggressiveness across objectives.

2.1.1 Identify asset optimization initiatives

2 hours

1. Review the IT asset management strategy if available. Compile a list of all hardware, software, and facility asset costs for delivery of IT services.
2. Analyze hardware and software assets for opportunities to consolidate, reduce, eliminate, and/or enhance functionality/automation. Look for:
   1. Redundancy or duplication of functionality not necessary for disaster recovery or business continuity purposes.
   2. Low or no-use software.
   3. Homegrown or legacy systems with high maintenance/support burdens.
   4. Multiple, old, or unsupported versions of current-use software.
   5. Opportunities to delay hardware/software refreshes or upgrades.
   6. Cloud/outsourced options.
   7. Instances of unsanctioned shadow IT.
3. Reassess your in-house asset management processes to see where efficiency and effectiveness could be improved overall.
4. Document cost optimization initiatives that could be driven by asset optimization objectives in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

Example

Asset optimization

Some examples to get you started

Template & Example

List your objectives and initiatives

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to input your asset optimization initiatives and related objectives:

List your initiatives in the provided Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Enter all your initiatives driven by the asset optimization lever.
3. Determine the cost optimization objective per initiative.

2.1.2 Identify vendor optimization initiatives

2 hours

1. Revisit the IT vendor classification if available. Identify all existing vendor contracts up for renewal within the current fiscal year and create an inventory.
2. Examine your vendor contracts to optimize your expected value from every IT provider you deal with. For each contract:
   1. Identify the business purpose/drivers.
   2. Identify the expiration/renewal date to determine time frames for action.
   3. Determine if there is an opportunity to rightsize, cancel, renegotiate costs/service levels, or postpone renewal/purchase.
   4. Identify integrations and interdependencies with other hardware and software systems to understand scope and impact of potential changes.
3. Reassess your in-house vendor management processes to see where efficiency and effectiveness could be improved overall.
4. Document cost optimization initiatives that could be driven by vendor optimization objectives in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

Example

Vendor optimization

Some examples to get you started.

Template & Example

List your objectives and initiatives

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to input your vendor optimization initiatives and related objectives:

List your initiatives in the provided Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Enter all your initiatives driven by the vendor optimization lever.
3. Determine the cost optimization objective per initiative.

2.1.3 Identify project portfolio optimization initiatives

2 hours

1. Review the IT Project Portfolio Strategy if available, and the list of both in-flight and planned projects.
2. Reassess your project portfolio to maximize total value in line with business objectives and strategy. For each current and pending project on the list, identify a cost optimization initiative, including:
   1. Revisiting, confirming, and documenting actual project rationale with the business in relation to strategic goals.
   2. Rescoping existing projects that are underway.
   3. Accelerating planned or existing projects that enable business cost savings or competitive advantage and revenue growth.
   4. Canceling or postponing projects that are underway or haven't started.
   5. Identifying net-new projects that enhance business capabilities or save business costs.
3. Reassess your in-house project management and project portfolio management processes to see where efficiency and effectiveness could be improved overall.
4. Document cost optimization initiatives that could be driven by project portfolio optimization objectives in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

Example

Project portfolio optimization

Some examples to get you started.

Template & Example

List your objectives and initiatives

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to input your project portfolio optimization initiatives and related objectives:

List your initiatives in the provided Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Enter all your initiatives driven by the project portfolio optimization lever.
3. Determine the cost optimization objective per initiative.

2.1.4 Identify workforce optimization initiatives

2 hours

1. Review the IT department's strategic workforce plan (SWP) if available, organizational chart, and salaries by role. Do not review IT staffing in terms of named individuals who occupy a given role - focus on functions, roles, and job descriptions.
2. Determine capability gaps:
   1. Rectify efficiency, effectiveness, and other performance issues.
   2. Train IT staff to enhance or improve skills and effectiveness.
   3. Add roles, skills, or headcount to improve effectiveness.
   4. Integrate teams to improve collaboration and reduce redundancies or break out new ones to increase focus/specialization.
   5. Redesign job roles and responsibilities.
   6. Redeploy/reassign staff to other teams.
   7. Conduct layoff (as a last resort, starting by assessing contractual employees).
3. Document cost optimization initiatives that could be driven by workforce optimization objectives in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

Example

Workforce optimization

Some examples to get you started.

Template & Example

List your objectives and initiatives

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to input your workforce optimization initiatives and related objectives:

List your initiatives in the provided Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Enter all your initiatives driven by the workforce optimization lever.
3. Determine the cost optimization objective per initiative.

2.2 Estimate the cost savings of cost optimization initiatives

8 hours

Now that you have identified your initiatives:

1. Review your cost optimization initiatives per lever (Assets, Vendors, Project Portfolio, and Workforce).
2. Determine whether the implementation cost of each of your initiatives is included as part of your budget.
3. Estimate your cost savings.
4. Document your assessment in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

2.2.1 Estimate the costs impacting your asset optimization initiatives

2 hours

1. Review each asset optimization initiative to estimate cost implications.
2. Consider implementation cost in terms of your budget, and document it in the IT Cost Optimization Workbook (see next slides). Is the implementation cost of the underlying initiative considered in your current budget? If not, move to the next initiative. You will assess the flagged initiative independently at a later stage if deemed necessary.
3. Estimate the current cost related to the initiative (including implementation cost), and document it in the IT Cost Optimization Workbook (see next slides). This will be the first of two inputs needed to calculate the initiative's potential cost savings.
4. Estimate the expected cost, post initiative execution, of the underlying initiative, and document it in the IT Cost Optimization Workbook (see next slides). This will be the second and last input needed to calculate the initiative's potential cost savings.

Download the IT Cost Optimization Workbook

Template & Example

Estimate your cost

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete cost estimates for each asset optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine if the implementation cost is considered within the budget.
3. If yes, estimate the current cost, and expected cost of the underlying initiative.

2.2.2 Estimate the costs impacting your vendor optimization initiatives

2 hours

1. Review each vendor optimization initiative to estimate cost implications.
2. Consider implementation cost in terms of your budget, and document it in the IT Cost Optimization Workbook (see next slides). Is the implementation cost of the underlying initiative considered in your current budget? If not, move to the next initiative. You will assess the flagged initiative independently at a later stage if deemed necessary.
3. Estimate the current cost related to the initiative (including implementation cost), and document it in the IT Cost Optimization Workbook (see next slides). This will be the first of two inputs needed to calculate the initiative's potential cost savings.
4. Estimate the expected cost, post initiative execution, of the underlying initiative, and document it in the IT Cost Optimization Workbook (see next slides). This will be the second and last input needed to calculate the initiative's potential cost savings.

Download the IT Cost Optimization Workbook

Template & Example

Estimate your cost

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete cost estimates for each vendor optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine if the implementation cost is considered within the budget.
3. If yes, estimate the current cost, and expected cost of the underlying initiative.

2.2.3 Estimate the costs impacting your project portfolio optimization initiatives

2 hours

1. Review each project portfolio optimization initiative to estimate cost implications.
2. Consider implementation cost in terms of your budget, and document it in the IT Cost Optimization Workbook (see next slides). Is the implementation cost of the underlying initiative considered in your current budget? If not, move to the next initiative. You will assess the flagged initiative independently at a later stage if deemed necessary.
3. Estimate the current cost related to the initiative (including implementation cost), and document it in the IT Cost Optimization Workbook (see next slides). This will be the first of two inputs needed to calculate the initiative's potential cost savings.
4. Estimate the expected cost, post initiative execution, of the underlying initiative, and document it in the IT Cost Optimization Workbook (see next slides). This will be the second and last input needed to calculate the initiative's potential cost savings.

Download the IT Cost Optimization Workbook

Template & Example

Estimate your cost

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete cost estimates for each project portfolio optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine if the implementation cost is considered within the budget.
3. If yes, estimate the current cost, and expected cost of the underlying initiative.

2.2.4 Estimate the costs impacting your workforce optimization initiatives

2 hours

1. Review each workforce optimization initiative to estimate cost implications.
2. Consider implementation cost in terms of your budget, and document it in the IT Cost Optimization Workbook (see next slides). Is the implementation cost of the underlying initiative considered in your current budget? If not, move to the next initiative. You will assess the flagged initiative independently at a later stage if deemed necessary.
3. Estimate the current cost related to the initiative (including implementation cost), and document it in the IT Cost Optimization Workbook (see next slides). This will be the first of two inputs needed to calculate the initiative's potential cost savings.
4. Estimate the expected cost, post initiative execution, of the underlying initiative, and document it in the IT Cost Optimization Workbook (see next slides). This will be the second and last input needed to calculate the initiative's potential cost savings.

Download the IT Cost Optimization Workbook

Template & Example

Estimate your cost

Excel Workbook: IT Cost Optimization –i Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete cost estimates for each workforce optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine if the implementation cost is considered within the budget.
3. If yes, estimate the current cost, and expected cost of the underlying initiative.

Phase 3

Develop Your IT Cost Optimization Roadmap

Phase 1
Understand Your Mandate and Objectives

Phase 2
Outline Your Cost Optimization Initiatives

Phase 3
Develop Your IT Cost Optimization Roadmap

Phase 4
Communicate and Execute

This phase will walk you through the following activities:

• IT cost optimization workbook
• IT cost optimization roadmap

This phase involves the following participants:

• CIO/IT director
• IT finance lead
• IT asset manager
• IT infrastructure manager
• IT vendor management lead
• PMO lead
• IT talent management representative
• Other IT management

Develop your prioritized and aligned cost optimization roadmap

The process of developing your roadmap is where you set final cost optimization priorities, conduct a final rationalization to decide what's in and what's out, and document your proposed plan of action.

First, take a moment to consider if you missed anything. Too often, only the cost cutting elements of the cost optimization equation get attention. Remember that cost optimization also includes making smart investments. Sometimes adding and expanding is better for the business than removing or contracting.

• Do your proposed initiatives help position the organization to recover quickly if you're dealing with a downturn or recession scenario?
• Have you fully considered growth or innovation opportunities that will help optimize costs in the long run?

Feasibility
Eliminate initiatives from the longlist of potential initiatives that cannot be achieved given the cost optimization goals you determined at the beginning of this exercise.

Priority
Rank order the remaining initiatives according to their ability to contribute to goal attainment and dependency relationships with external constraints and one another.

Action Plan
Create an overarching visual roadmap that shows how you intend to achieve your cost optimization goals over the short, medium, and long-term.

3.1 Assess the feasibility of your cost optimization initiatives

4 hours

Now that you have identified your initiatives across the four levers and understood the business impacts:

1. Review each of your cost optimization initiatives and estimate the feasibility in terms of:
   1. Effort required to implement.
   2. Risk: Likelihood of failure and impact on performance.
   3. Approval rights: Within the IT or finance's accountability/domain or not.
2. Document your assessment in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

3.1.1 Estimate the feasibility of your asset optimization initiatives

1 hour

1. Review each asset optimization initiative to estimate feasibility implications.
2. Start by defining the effort required variables. Think in terms of how many dedicated full-time employees you would need to implement the initiative. Document your definition for each of the three variables (High, Medium, or Low) in the IT Cost Optimization Workbook (see next slides). Then, estimate the effort required to implement the related initiative. Consider complexity, scope, and resource availability, before you document it in the IT Cost Optimization Workbook (see next slides).
3. Define your likelihood of failure variables. Think in terms of probability of failure or percent chance the underlying initiative will not succeed. Document your definition for each of the three variables (High, Medium, or Low) in the IT Cost Optimization Workbook (see next slides). Then, estimate the likelihood of failure to implement the related initiative, and document it in the IT Cost Optimization Workbook (see next slides).
4. Consider the initiative's impact on performance. Would implementing the initiative hinder IT or business performance? If you are on a reactive journey, would it impede business recovery in any way, shape, or form? Document the impact (Positive Impact, No Impact, or Negative Impact) in the IT Cost Optimization Workbook (see next slides).
5. Determine who is responsible for approving the initiative. Does it fall within your jurisdiction, responsibility, or accountability? If not, it would mean that it might be more difficult to implement the initiative. Document approval rights (within accountability or not within accountability) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Define your feasibility variables

Excel Workbook: IT Cost Optimization – Define Variables Worksheet

Refer to the example and guidelines below on how to define your feasibility variables for standardization purposes. You can adopt a different definition per optimization lever (Assets, Vendors, Project Portfolio, and Workforce), or maintain the same one across initiatives, depending on what makes sense for your organization:

Define your feasibility variables in the Excel Workbook as per guidelines:

1. Navigate to the Define Variables tab.
2. Review and enter the range of each effort required and likelihood of failure variable as you see fit for your organization.

Template & Example

Estimate your feasibility

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete feasibility estimates for each asset optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate effort required to implement the underlying initiative.
3. Identify the risk of each initiative: likelihood of failure and impact on performance.
4. Choose the adequate approval right classification for each initiative.

3.1.2 Estimate the feasibility of your vendor optimization initiatives

1 hour

1. Review each vendor optimization initiative to estimate feasibility implications, along with previously defined variables (see slides 64 and 65).
2. Consider the initiative's impact on performance. Would implementing the initiative hinder IT or business performance? If you are on a reactive journey, would it impede business recovery in any way, shape, or form? Document the impact (Positive Impact, No Impact, or Negative Impact) in the IT Cost Optimization Workbook (see next slides).
3. Determine who is responsible for approving the initiative. Does it fall within your jurisdiction, responsibility, or accountability? If not, it would mean that it might be more difficult to implement the initiative. Document approval rights (within accountability or not within accountability) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Estimate your feasibility

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete feasibility estimates for each vendor optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate effort required to implement the underlying initiative.
3. Identify the risk of each initiative: likelihood of failure and impact on performance.
4. Choose the adequate approval right classification for each initiative.

3.1.3 Estimate the feasibility of your project portfolio optimization initiatives

1 hour

1. Review each project portfolio optimization initiative to estimate feasibility implications, along with previously defined variables (see slides 64 and 65).
2. Consider the initiative's impact on performance. Would implementing the initiative hinder IT or business performance? If you are on a reactive journey, would it impede business recovery in any way, shape, or form? Document the impact (Positive Impact, No Impact, or Negative Impact) in the IT Cost Optimization Workbook (see next slides).
3. Determine who is responsible for approving the initiative. Does it fall within your jurisdiction, responsibility, or accountability? If not, it would mean that it might be more difficult to implement the initiative. Document approval rights (within accountability or not within accountability) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Estimate your feasibility

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete feasibility estimates for each project portfolio optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate effort required to implement the underlying initiative.
3. Identify the risk of each initiative: likelihood of failure and impact on performance.
4. Choose the adequate approval right classification for each initiative.

3.1.4 Estimate the feasibility of your workforce optimization initiatives

1 hour

1. Review each workforce optimization initiative to estimate feasibility implications, along with previously defined variables (see slides 64 and 65).
2. Consider the initiative's impact on performance. Would implementing the initiative hinder IT or business performance? If you are on a reactive journey, would it impede business recovery in any way, shape, or form? Document the impact (Positive Impact, No Impact, or Negative Impact) in the IT Cost Optimization Workbook (see next slides).
3. Determine who is responsible for approving the initiative. Does it fall within your jurisdiction, responsibility, or accountability? If not, it would mean that it might be more difficult to implement the initiative. Document approval rights (within accountability or not within accountability) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Estimate your feasibility

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete feasibility estimates for each workforce optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate effort required to implement the underlying initiative.
3. Identify the risk of each initiative: likelihood of failure and impact on performance.
4. Choose the adequate approval right classification for each initiative.

3.2 Prioritize cost optimization initiatives to create a final shortlist

4 hours

Now that you have your cost and feasibility for each cost optimization initiative:

1. Review each of your cost optimization initiatives and estimate the time and priority by considering:
   1. Preliminary priority assessment based on your cost and feasibility input.
   2. Time frame: start and end date of each initiative.
   3. Current budget cycle: time remaining in the current budget cycle and potential cost savings in this fiscal year.
2. Determine the final priority of the initiative and decide whether you want to include it in your 12-month roadmap.
3. Document your assessment in the IT Cost Optimization Workbook.

Download the IT Cost Optimization Workbook

3.2.1 Prioritize your asset optimization initiatives

1 hour

1. Review each asset optimization initiative to set the priority.
2. Validate your cost and feasibility estimates and consider the automated evaluation, in the IT Cost Optimization Workbook, providing you with a preliminary priority based on your cost and feasibility estimates (see next slides).
3. Revisit your overarching goals (step 1.4) as you will assess the time it will take you to complete your initiatives and prioritize accordingly.
4. Determine your start and end date for each initiative based on your journey, objectives, and overarching goals. Consider the urgency of each initiative. Document the quarter and year for your start and end dates in the IT Cost Optimization Workbook (see next slides).
5. Identify the time remaining in your current budget cycle after the completion of each initiative to get a cost savings estimate for the current fiscal year. Document the number of remaining quarters (0, 1, 2, 3, or 4) in the IT Cost Optimization Workbook (see next slides).
6. Decide on the priority of each initiative (High, Medium, or Low), and document it in the IT Cost Optimization Workbook (see next slides).
7. Revisit the priority decision after prioritizing all your initiatives and determine which ones to include in your 12-month roadmap; consider the number of initiatives you can tackle at the same time within a 12-month period. Document your final decision (Yes or No) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Understand your priority assessment

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how the preliminary priority assessment is assigned, for each asset optimization initiative, noting that columns Q to X are hidden automatic calculations and should not be touched:

Review the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Validate cost and feasibility estimates (columns I to P previously filled - steps 2.2 and 3.1) driving the Priority Score and Preliminary Priority Assessment.

Template & Example

Priority threshold rationale

Excel Workbook: IT Cost Optimization – Define Priority Threshold Worksheet

Refer to the screenshot of the Define Priority Threshold worksheet below to understand the rationale behind the priority score and priority level:

Template & Example

Estimate your timeline

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete timeline estimates for each asset optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate quarter and year to start and complete the initiative.
3. Identify the time remaining in your current budget cycle after the completion of the initiative.

Template & Example

Make your final decisions

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to assign the final priority for each asset optimization initiative, and include it in your 12-month roadmap:

• Estimated cost savings per year refer to cost savings fully realized by the end of the upcoming fiscal year, following the initiatives' implementation.
• Estimated cost savings in the current budget cycle, refer to cost savings partially realized in the current fiscal year, after the initiatives' implementation.

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the final priority of the initiative.
3. Decide whether you want to include the initiative in your 12-month roadmap.

3.2.2 Prioritize your vendor optimization initiatives

1 hour

1. Review each vendor optimization initiative to set the priority.
2. Validate your cost and feasibility estimates and consider the automated evaluation, in the IT Cost Optimization Workbook, providing you with a preliminary priority based on your cost and feasibility estimates (see next slides).
3. Revisit your overarching goals (step 1.4) as you will assess the time it will take you to complete your initiatives and prioritize accordingly.
4. Determine your start and end date for each initiative based on your journey, objectives, and overarching goals. Consider the urgency of each initiative. Document the quarter and year for your start and end dates in the IT Cost Optimization Workbook (see next slides).
5. Identify the time remaining in your current budget cycle after the completion of each initiative to get a cost savings estimate for the current fiscal year. Document the number of remaining quarters (0, 1, 2, 3, or 4) in the IT Cost Optimization Workbook (see next slides).
6. Decide on the priority of each initiative (High, Medium, or Low), and document it in the IT Cost Optimization Workbook (see next slides).
7. Revisit the priority decision after prioritizing all your initiatives and determine which ones to include in your 12-month roadmap; consider the number of initiatives you can tackle at the same time within a 12-month period. Document your final decision (Yes or No) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Understand your priority assessment

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how the preliminary priority assessment is assigned, for each vendor optimization initiative, noting that columns Q to X are hidden automatic calculations and should not be touched:

Review the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Validate cost and feasibility estimates (columns I to P previously filled - steps 2.2 and 3.1) driving the Priority Score and Preliminary Priority Assessment.

Template & Example

Priority Threshold Rationale

Excel Workbook: IT Cost Optimization – Define Priority Threshold Worksheet

Refer to the screenshot of the Define Priority Threshold worksheet below to understand the rationale behind the Priority Score and Priority Level:

Template & Example

Estimate your timeline

Excel Workbook: IT Cost Optimization – Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete timeline estimates for each vendor optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate quarter and year to start and complete the initiative.
3. Identify the time remaining in your current budget cycle after the completion of the initiative.

Template & Example

Make your final decisions

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how to assign the final priority for each vendor optimization initiative, and include it in your 12-month roadmap:

• Estimated cost savings per year refer to cost savings fully realized by the end of the upcoming fiscal year, following the initiatives' implementation.
• Estimated cost savings in the current budget cycle, refer to cost savings partially realized in the current fiscal year, after the initiatives' implementation.

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the final priority of the initiative.
3. Decide whether you want to include the initiative in your 12-month roadmap.

3.2.3 Prioritize your project portfolio optimization initiatives

1 hour

1. Review each project portfolio optimization initiative to set the priority.
2. Validate your cost and feasibility estimates and consider the automated evaluation, in the IT Cost Optimization Workbook, providing you with a preliminary priority based on your cost and feasibility estimates (see next slides).
3. Revisit your overarching goals (step 1.4) as you will assess the time it will take you to complete your initiatives and prioritize accordingly.
4. Determine your start and end date for each initiative based on your journey, objectives, and overarching goals. Consider the urgency of each initiative. Document the quarter and year for your start and end dates in the IT Cost Optimization Workbook (see next slides).
5. Identify the time remaining in your current budget cycle after the completion of each initiative to get a cost savings estimate for the current fiscal year. Document the number of remaining quarters (0, 1, 2, 3, or 4) in the IT Cost Optimization Workbook (see next slides).
6. Decide on the priority of each initiative (High, Medium, or Low), and document it in the IT Cost Optimization Workbook (see next slides).
7. Revisit the priority decision after prioritizing all your initiatives and determine which ones to include in your 12-month roadmap; consider the number of initiatives you can tackle at the same time within a 12-month period. Document your final decision (Yes or No) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Understand your priority assessment

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how the preliminary priority assessment is assigned, for each project portfolio optimization initiative, noting that columns Q to X are hidden automatic calculations and should not be touched:

Review the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Validate cost and feasibility estimates (columns I to P previously filled - steps 2.2 and 3.1) driving the Priority Score and Preliminary Priority Assessment.

Template & Example

Priority Threshold Rationale

Excel Workbook: IT Cost Optimization - Define Priority Threshold Worksheet

Refer to the screenshot of the Define Priority Threshold worksheet below to understand the rationale behind the Priority Score and Priority Level:

Template & Example

Estimate your timeline

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete timeline estimates for each project portfolio optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate quarter and year to start and complete the initiative.
3. Identify the time remaining in your current budget cycle after the completion of the initiative.

Template & Example

Make your final decisions

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how to assign the final priority for each project portfolio optimization initiative and include it in your 12-month roadmap:

• Estimated cost savings per year refer to cost savings fully realized by the end of the upcoming fiscal year, following the initiatives' implementation.
• Estimated cost savings in the current budget cycle, refer to cost savings partially realized in the current fiscal year, after the initiatives' implementation.

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the final priority of the initiative.
3. Decide whether you want to include the initiative in your 12-month roadmap.

3.2.4 Prioritize your workforce optimization initiatives

1 hour

1. Review each workforce optimization initiative to set the priority.
2. Validate your cost and feasibility estimates and consider the automated evaluation, in the IT Cost Optimization Workbook, providing you with a preliminary priority based on your cost and feasibility estimates (see next slides).
3. Revisit your overarching goals (step 1.4) as you will assess the time it will take you to complete your initiatives and prioritize accordingly.
4. Determine your start and end date for each initiative based on your journey, objectives, and overarching goals. Consider the urgency of each initiative. Document the quarter and year for your start and end dates in the IT Cost Optimization Workbook (see next slides).
5. Identify the time remaining in your current budget cycle after the completion of each initiative to get a cost savings estimate for the current fiscal year. Document the number of remaining quarters (0, 1, 2, 3, or 4) in the IT Cost Optimization Workbook (see next slides).
6. Decide on the priority of each initiative (High, Medium, or Low), and document it in the IT Cost Optimization Workbook (see next slides).
7. Revisit the priority decision after prioritizing all your initiatives and determine which ones to include in your 12-month roadmap; consider the number of initiatives you can tackle at the same time within a 12-month period. Document your final decision (Yes or No) in the IT Cost Optimization Workbook (see next slides).

Download the IT Cost Optimization Workbook

Template & Example

Understand your priority assessment

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how the preliminary priority assessment is assigned, for each workforce optimization initiative, noting that columns Q to X are hidden automatic calculations and should not be touched:

Review the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Validate cost and feasibility estimates (columns I to P previously filled - steps 2.2 and 3.1) driving the Priority Score and Preliminary Priority Assessment.

Template & Example

Priority Threshold Rationale

Excel Workbook: IT Cost Optimization - Define Priority Threshold

Refer to the screenshot of the Define Priority Threshold worksheet below to understand the rationale behind the Priority Score and Priority Level:

Template & Example

Estimate your timeline

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how to complete timeline estimates for each workforce optimization initiative:

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the appropriate quarter and year to start and complete the initiative.
3. Identify the time remaining in your current budget cycle after the completion of the initiative.

Template & Example

Make your final decisions

Excel Workbook: IT Cost Optimization - Outline Initiatives Worksheet

Refer to the example and guidelines below on how to assign the final priority for each workforce optimization initiative, and include it in your 12-month roadmap:

• Estimated cost savings per year refer to cost savings fully realized by the end of the upcoming fiscal year, following the initiatives' implementation.
• Estimated cost savings in the current budget cycle, refer to cost savings partially realized in the current fiscal year, after the initiatives' implementation.

Complete the following fields for each initiative in the Excel Workbook as per guidelines:

1. Navigate to the Outline Initiatives tab.
2. Determine the final priority of the initiative.
3. Decide whether you want to include the initiative in your 12-month roadmap.

3.3 Develop your cost optimization roadmap

1 hour

1. Conduct a final evaluation of your timeline, priority decision, and initiatives you wish to include in your 12-month roadmap. Do they make sense, are they achievable, and do they all contribute individually and collectively to reaching your cost optimization goals?
2. Review your 12-month roadmap outputs in the IT Cost Optimization Workbook (see next slides).
3. Make adjustments to your 12-month roadmap by adding or removing initiatives as you deem necessary (step 3.2).
4. Document your final roadmap - including initiatives and relative time frames for execution - in the IT Cost Optimization Roadmap templates provided (see slide 97). The 12-month roadmap outputs from the IT Cost Optimization Workbook (see next slide) can facilitate this task.

Download the IT Cost Optimization Workbook

Template & Example

Potential Cost Savings Per Year

Excel Workbook: IT Cost Optimization - Outline Initiatives Charts Worksheet

Refer to the example below on charts depicting different views of estimated cost savings per year across the four optimization levers (Assets, Vendors, Project Portfolio, and Workforce) that could help you in your assessment and decision making.

From the Excel Workbook, after completing your potential initiatives and filling all related entries in the Outline Initiatives tab:

1. Navigate to the Outline Initiatives Charts tab.
2. Review each of the charts.
3. Navigate back to the Outline Initiatives tab to examine, drill down, and amend individual initiative entries or final decisions as you deem necessary.

Template & Example

12-month Roadmap Outputs

Excel Workbook: IT Cost Optimization - Diagram Results, List Results, and Timeline Result Worksheets

Refer to the example below depicting different roadmap output that could help you in presentations, assessment, and decision making.

From the Excel Workbook:

1. Navigate to the Diagram Results tab. This bubble diagram represent cost optimization initiatives by objective where each bubble size is determined by its estimated cost saving per year.
2. Navigate to the List Results tab. You will find a list of the cost optimizations initiatives you've chosen to include in your roadmap and related charts.
3. Navigate to the Timeline Result tab. This Gantt chart is a timeline view of the cost optimizations initiatives you've chosen to include in your roadmap.

Download the IT Cost Optimization Workbook

Phase 4

Communicate and Execute

Phase 1
Understand Your Mandate and Objectives

Phase 2
Outline Your Cost Optimization Initiatives

Phase 3
Develop Your IT Cost Optimization Roadmap

Phase 4
Communicate and Execute

This phase will walk you through the following activities:

• Cost optimization communication plan
• Cost optimization executive presentation

This phase involves the following participants:

• CIO/IT director
• IT finance lead
• PMO lead
• Other IT management

Build Your IT Cost Optimization Roadmap

4.1 Build the communication plan

45 to 60 minutes

1. Use the Cost Optimization Communication Plan templates and guidance on the following slides.
2. Complete the template to develop your communication plan for your cost optimization proposal and initiatives. At a minimum, it should include:
   1. Steps for preparing and presenting your proposal to decision-makers, sponsors, and other stakeholders, including named presenters and points of contact in IT.
   2. Checkpoints for communication throughout the execution of each initiative and the cost optimization roadmap overall, including target audiences, accountabilities, modes and methods of communication, type/scope of information to be communicated at each checkpoint, and any decision/approval steps.

Download the IT Cost Optimization Workbook

Understand a communication strategy's purpose

Put as much effort into developing your communication strategy as you would into planning and executing the cost optimization initiatives themselves. Don't skip this part.

Your communication strategy has two major components ...

1. A tactical plan for how and when you'll communicate with stakeholders about your proposals, activities, and progress toward meeting cost optimization goals.
2. An executive or board presentation that outlines your final proposed cost optimization initiatives, their respective business cases, and resources/support required with the goal of gaining approval to execute.

Your communication strategy will need to ...

• Provide answers to the "What's in it for me?" question from all impacted stakeholders.
• Roles, responsibilities, and accountabilities before, during, and after initiatives are completed.
• Descriptions and high-level information about dates, deliverables, and impacts of the specific changes being made.

You will also develop more detailed operational and project plans for each initiative. IT will use these plans to manage and track the execution of individual initiatives when the time comes.

Template & Example

Document the overall what and why of your planned communications

Template & Example

Next, note the who, how, and when of your communication plan

4.2 Build the executive presentation

45-60 minutes

1. Download Info-Tech's IT Cost Optimization Roadmap Samples and Templates.
2. Update the content with the outputs of your cost optimization roadmap and data/graph elements from the IT Cost Optimization Workbook. Refer to your organization's standards and norms for executive-level presentations and adapt accordingly.

Download IT Cost Optimization Roadmap Samples and Templates

Summary of Accomplishment

Congratulations! You now have an IT cost optimization strategy and a communication plan.

Throughout this blueprint, you have:

1. Identified your IT mandate and cost optimization journey.
2. Outlined your initiatives across the four levers (assets, vendors, project portfolio, and workforce).
3. Put together a 12-month IT cost optimization roadmap.
4. Developed a communication strategy and crafted an executive presentation - your initial step to communicate and discuss IT cost optimization initiatives with your key stakeholders.

What's next?

Communicate with your stakeholders, then follow your internal project policies and procedures to get the necessary approvals as required. Once obtained, you can start the execution and implementation of your IT cost optimization strategy.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com
1-888-670-8889

Research Contributors and Experts

Jennifer Perrier
Principal Research Director, IT Financial Management
Info-Tech Research Group

Jack Hakimian
Senior Vice President, Research Development
Info-Tech Research Group

Graham Price
Senior Executive Counselor, Executive Services
Info-Tech Research Group

Travis Duncan
Research Director, Project & Portfolio Management
Info-Tech Research Group

Dave Kish
Practice Lead, IT Financial Management
Info-Tech Research Group

Baird Miller, PhD
Senior Executive Advisor, Executive Services
Info-Tech Research Group

Other Research Contributors and Experts

Monica Braun
Research Director, IT Financial Management
Info-Tech Research Group

Sandi Conrad
Principal Advisory Director, Infrastructure & Operations
Info-Tech Research Group

Phil Bode
Principal Advisory Director, Vendor Management
Info-Tech Research Group

Donna Glidden
Advisory Director, Vendor Management
Info-Tech Research Group

Barry Cousins
Distinguished Analyst & Research Fellow
Info-Tech Research Group

Andrew Sharp
Research Director, Infrastructure & Operations Practice
Info-Tech Research Group

Frank Sewell
Advisory Director, Vendor Management
Info-Tech Research Group

Related Info-Tech Research

Achieve IT Spend & Staffing Transparency
Most CIOs, CFOs, and business function leaders don't enjoy a shared vocabulary when it comes to talking about technology spend. As a result, truly meaningful conversations about where and how to spend technology funds in support of business goals are rare. Enable these important conversations by transparently mapping your IT spend data against four key stakeholder views.

Reduce Shadow IT With a Service Request Catalog
As the business gets more innovative to solve its problems, IT finds itself in reactive mode, dealing with software bloat, managing surprise SaaS renewals, and having to integrate products that they didn't know were purchased. To solve this, IT needs to focus on service and visibility to counter Shadow IT.

Bibliography

"A Short Guide to Structured Cost Reduction." National Audit Office, 18 June 2010. Web.

"IT Cost Savings: A Guide to Application Rationalization." LeanIX, 2021. Web.

Jouravlev, Roman. "Service Financial Management: ITIL 4 Practice Guide." Axelos, 30 April 2020. Web.

Leinwand, Paul, and Vinay Couto. "How to Cut Costs More Strategically." Harvard Business Review, March 2017. Web.

"Role & Influence of the Technology Decision-Maker 2022." Foundry, 2022. Web.

"State of the CIO 2022." CIO, 2022. Web.

"The Definitive Guide to IT Cost Optimization." LeanIX, n.d. Web.

"Understand the Principles of Cost Optimization." Google Cloud, n.d. Web.

The State of Black Professionals in Tech

Keep inclusion at the forefront to gain the benefits from diversity.

Analysts' Perspective

The experience of Black professionals in technology is unique.

Diversity in tech is not a new topic, and it's not a secret that technology organizations struggle to attract and retain Black employees. Ever since the early '90s, large tech organizations have been dealing with public critique of their lack of diversity. This topic is close to our hearts, but unfortunately while improvements have been made, progress is quite slow.

In recent years, current events have once again brought diversity to the forefront for many organizations. In addition, the pandemic along with talent trends such as "the great resignation" and "quiet quitting" and preparations for a recession have not only impacted diversity at large but also Black professionals in technology. Our previous research has focused on the wider topic of Recruiting and Retaining People of Color in Tech, but we've found that the experiences of persons of color are not all the same.

This study focuses on the unique experience of Black professionals in technology. Over 600 people were surveyed using an online tool; interviews provided additional insights. We're excited to share our findings with you.

Allison Straker Research Director Info-Tech Research Group	Ugbad Farah Research Director Info-Tech Research Group

Demographics

In October 2021, we launched a survey to understand what the Black experience is like for people in technology. We wanted and received a variety of responses which would help us to understand how Black technology professionals experienced their working world. We received responses from 633 professionals, providing us with the data for this report.

For more information on our survey demographics please see the appendix at this end of this report.

26% of our respondents either identified as Black or felt the world sees them as Black.

Professionals from various countries responded to the survey:

• Most respondents were born in the US (52%), Canada (14%), India (14%), or Nigeria (4%).
• Most respondents live in the US (56%), Canada (25%), Nigeria (2%), or the United Kingdom (2%).

Companies with more diversity achieve more revenue from innovation

Organizations do better and are more innovative when they have more diversity, a key ingredient in an organization's secret sauce.
Organizations also benefit from engaged employees, yet we've seen that organizations struggle with both. Just having a certain number of diverse individuals is not enough. When it comes to reaping the benefits of diversity, organizations can flourish when employees feel safe bringing their whole selves to work.

Companies with higher employee engagement experience 19.2% higher earnings.

However, those with lower employee engagement experience 32.7% lower earnings.
(DecisionWise, 2020)

If your workforce doesn't reflect the community it serves, your business may be missing out on the chance to find great employees and break into new and growing markets, both locally and globally.
Diversity makes good business sense.
(Business Development Canada, 2023)

A study about Black professionals

Why is this about Black professionals and not other diverse groups?

While there are a variety of diversity dimensions, it's important to understand what makes up a "multicultural workforce." There is more to diversity than gender, race, and ethnicity. Organizations need to understand that there is diversity within these groups and Black professionals have their own unique experience when it comes to entering and navigating tech that needs to be addressed.

(Brookfield Institute for Innovation and Entrepreneurship, 2019)

The solutions that apply to Black professionals are not only beneficial for Black employees but for all. While all demographics are unique, the solutions in this report can support many.

Unsatisfied and underrepresented

Less Black professionals responded as "satisfied" in their IT careers. The question is: How do we mend the Gap?

Percentage of IT Professionals Who Reported Being Very Satisfied in Their Current Role

• All Other Professionals: 34%
• Black Professionals: 23%

Black workers are underrepresented in most professional roles, especially computer and math Occupations

The gap in satisfaction

What's Important?

Our research suggests that the differences in satisfaction among ethnic groups are related to differences in value systems. We asked respondents to rank what's important, and we explored why.

Non-Black professionals rated autonomy and their manager working relationships as most important.

For Black professionals, while those were important, #1 was promotion and growth opportunities, ranked #7 by all other professionals. This is a significant discrepancy.

Recognition of my work/accomplishments also was viewed significantly differently, with Black professionals ranking it low on the list at #7 and all other professionals considering it very important at #3.

All Other Professionals		Black Professionals

Maslow's Hierarchy of Needs applies to job satisfaction

In Maslow's hierarchy, it is necessary for people to achieve items lower on the hierarchy before they can successfully pursue the higher tiers.

Too many Black professionals in tech are busy trying to achieve some of the lower parts of the hierarchy; it is stopping them from achieving elements higher up that can lead to job satisfaction.

This can stop them from gaining esteem, importance, and ultimately, self-actualization. The barriers that impact safety and social belonging happen on a day-to-day basis, and so the day-to-day lives of Black professionals in tech can look very different from their counterparts.

There are barriers that hinder and solutions that support employees

There are various barriers that increase the likelihood for Black professionals to focus on the lower end of the needs hierarchy:	These are among some of the solutions that, when layered, can support Black professionals in tech in moving up the needs hierarchy. Focusing on these actions can support Black professionals in achieving much needed job satisfaction.

What does this mean?

The minority experience is not a monolith

The barriers that Black professionals encounter aren't limited to the same barriers as their colleagues, and too often this means that they aren't in a position to grow their careers in a way that leads to job satisfaction.

There is a 11% gap between the satisfaction of Black professionals and their peers.

Early Steps:
Take time to understand the Black experience.

As leaders, it's important to be aware that employee goals vary depending on the barriers they're battling with.

Intermediate:
If Black employees don't have strong relationships, networks, and mentorships it becomes increasingly difficult to navigate the path to upward mobility.

As a leader, you can look for opportunities to bridge the gap on these types of conversations.

Advanced:
Black professionals in tech are not advancing like their counterparts.

Creating clear career paths will not only benefit Black employees but also support your entire organization.

Key metrics:

• Engagement
• Committed Executive Leadership
• Development Opportunities
• Organizational Programs

Black respondents are significantly more likely to report barriers to their career advancement

Common barriers

Black professionals, like their colleagues, encounter barriers as they try to advance their careers. The barriers both groups encounter include microaggressions, racism, ageism, accessibility issues, sexual orientation, bias due to religion, lack of a career-supported network, gender bias, family status bias, and discrimination due to language/accents.

What tops the list

Microaggressions and racism are at the top of these barriers, but Black professionals also deal with other barriers that their colleagues may experience, such as gender-based bias, accessibility issues, religion, and more.

One of these barriers alone can be difficult to deal with but when they are compounded it can be very difficult to navigate through the working environment in tech.

What are microaggressions?

Microaggression

A statement, action, or incident regarded as an instance of indirect, subtle, or unintentional discrimination against members of a marginalized group such as a racial or ethnic minority.

(Oxford Languages, 2023)

Why are they significant?

These things may seem innocent enough but the messaging that is received and the lasting impression is often far from it.

Our research shows that racism and discrimination contribute to poor mental health among Black professionals.

Examples

• You're so articulate!
• How do you always have different hair, can I touch it?
• Where are you really from?
• I don't see color.
• I believe the most qualified person should get the job; everyone can succeed in this society if they work hard enough.

"The experience of having to question whether something happened to you because of your race or constantly being on edge because your environment is hostile can often leave people feeling invisible, silenced, angry, and resentful."
Dr. Joy Bradford,
clinical Psychologist, qtd. In Pfizer

It takes some time to get in the door

For too many Black respondents, It took Longer than their peers to Find Technology Jobs.

Both groups had some success finding jobs in "no time" – however, there was a difference. Thirty-four percent of "all others" found their jobs quickly, while the numbers were less for Black professionals, at 26%. There was also a difference at the opposite end of the spectrum. For 29% of Black professionals, it took seven months or longer to find their IT job, while that number is only 19% for their peers.

.

This points to the need for improvements in recruitment and career advancement.

29% of Black respondents said that it took them 7 months or longer to find their technology job.

Compared to 19% of all other professionals that selected the same response.

And once they're in, it's difficult to advance

Black Professionals are not Advancing as Quickly as their Colleagues. Especially when you look at their Experience.

Our research shows that compared to all other ethnicities; Black participants were 55% more likely to report that they had no career advancement/promotion in their career. There is a bigger percentage of Black professionals who have never received a promotion; there's also a large number of Black professionals who have been working a significant amount time in the same role without a promotion.

.Career Advancement

Black participants were 55% more likely to report that they had had no career advancement/promotion in their career.

No advancement

There's a high cost to lack of engagement

When employees feel disillusioned with things like career advancement and microaggressions, they often become disengaged. When you continuously have to steel yourself against microaggressions, racism, and other barriers, it prevents you from bringing your whole self to the office. The barriers can lead to what's been coined as "emotional tax." An emotional tax is the experience of feeling different from colleagues because of your inherent diversity and the associated negative effects on health, wellbeing, and the ability to thrive at work.

(DecisionWise, 2020)

"I've conditioned myself for the corporate world, I don't bring my authentic self to work."
Anonymous Interview Subject

Lack of engagement also costs the organization in terms of turnover, something many organizations today are struggling with how to address. Organizations want to increase the ability of the workforce to remain in the organization. For Black employees, this gets harder when they're not engaged and they're the only one. When the emotional tax gets to be too much, this can lead to turnover. Turnover not only costs companies billions in profits, it also negatively impacts leadership diversity. It's difficult to imagine career growth when you don't see anyone that looks like you at the top. It is a challenge to see your future when there aren't others that you can relate to at top levels in the organization, leading to one of our interview subjects to muse, "How long can I last?"

"Being Black in tech can be hard on your mental health. Your mind is constantly wondering, 'how long can I last?' "
Anonymous Interview Subject

Fewer Black professionals feel like they can be their authentic selves at work

Authentic vs. Successes

For many Black professionals, "code-switching," or altering the way one speaks and acts depending on context, becomes the norm to make others more comfortable. Many feel that being authentic and succeeding in the workplace are mutually exclusive.

Programs and Resources

We asked respondents "What's in place to build an inclusive culture at your company?" Most respondents (51% and 45%) reported that there were employee resource groups at their organizations.

Do you feel you can be your authentic self at work?

What can be done?

There are various actions that organizations can take to help address barriers.

It's important to ensure these are not put in as band-aid solutions but that they are carefully thought out and layered.

Our findings demonstrate that remote work, career development, and DEI programs along with mentorship and diverse leadership are strong enablers of professional satisfaction. An unfortunate consequence, if professionals are not nurtured, is that we risk losing much needed talent to self-employment or to other organizations.

There are several solutions

Respondents were asked to distribute points across potential solutions that could lead to job satisfaction. The ratings showed that there were common solutions that could be leveraged across all groups.

Respondents were asked what solutions were valuable for their career development.

All groups were mostly aligned on the order of the solutions that would lead to career satisfaction; however, Black professionals rated the importance of employee resource groups as higher than their colleagues did.

Mentorship and sponsorship are seen as key for all employees, as is of course training.

However, employee resource groups (ERGs) were rated significantly higher for Black professionals and discussions around diversity were higher for their colleagues. This may be because other groups feel a need to learn more about diversity, whereas Black professionals live this experience on a day-to day basis, so it's not as critical for them.

Double the number of satisfied Black professionals through mentorship and sponsorship

Mentorship and sponsorship help to close the job satisfaction gap for Black IT professionals. The percentage of satisfied Black employees almost doubles when they have a mentor or sponsorship, moving the satisfaction rate to closer to all other colleagues.

As leaders, you likely benefit from a few different advisors, and your staff should be able to benefit in the same way.

They can have their own personal board of advisors, both inside and outside of your organization, helping them to navigate the working world in IT.

To support your staff, provide guidance and coaching to internal mentors so that they can best support employees, and ensure that your organizational culture supports relationship building and trust.

While all are critical, coaching, mentoring, and sponsorship are not the same

Coaching

Performance-driven guidance geared to support the employee with on-the-job performance. This could be a short-term relationship.

Mentorship

A relationship where the mentor provides guidance, information, and expertise to support the long-term career development of the mentee.

Sponsorship

The act of advocating on the behalf of another for a position, promotion, development opportunity, etc. over a longer period.

For more information on setting up a mentorship program, see Optimize the Mentoring Program to Build a High Performing Learning Organization.

On why mentorship and sponsorship are important:

"With some degree of mentorship or sponsorship, it means that your ability to thrive or to have a positive experience in organizations increases substantially. Mentorship and sponsorship are very often the lynchpin of someone being successful and sticking with an organization. Sponsorship is an endorsement to other high-level stakeholders who very often are the gatekeepers of opportunity. Sponsors help to shepherd you through the gate."

Carlos Thomas Executive Councilor, Info-Tech Research Group

What is an employee resource group?

IT Professionals rated ERGs as the third top driver of success at work

Employee resource groups enable employees to connect in their workplace based on shared characteristics or life experiences.

ERGs generally focus on providing support, enhancing career development, and contributing to personal development in the work environment. Some ERGs provide advice to the organization on how they can support their diverse employees.

As leaders, you should support and encourage the formation of ERGs in your organization.

What each ERG does will vary according to the needs of employees in your organization. Your role is to enable the ERGs as they are created and maintained.

On setting up and leveraging employee resource groups:

"Employee resource groups, when leveraged in an authentically intentional way, can be the some of the most impactful stakeholders in the development and implementation of the organizational diversity, equity, and inclusion strategy. ERGs are essential to the development of policies, programs, and initiatives that address the needs of equity-seeking groups and are key to driving organizational culture and employee wellbeing, in addition to hiring and recruitment. ERGs must be set up for success by having adequate resources to do the work, which includes adequate budgets, executive sponsorship, training, support, and capacity to do the work. According to a Great Place To Work survey (2021), 50% of ERGs identified the need for adequate resources as a challenge for carrying out the work.:"

CINNAMON CLARK PRACTICE LEAD, DIVERSITY, EQUITY AND INCLUSION services, MCLEAN & CO

There is a gap when it comes to diversity in leadership

Representation at leadership levels is especially stagnant.

Black Americans comprise 13.6% of the US population
(2022 data from the US Census Bureau)

And yet only 5.9% of the country's CEOs are Black, with only 6 (1%) at the top of Fortune 500 companies.
(2021 data from the Bureau of Labor Statistics and Fortune.com)

I've never worked for a company that has Black executives. It's difficult to envision long-term growth with an organization when you don't see yourself represented in leadership.
– Anonymous Interview Subject

Having diversity in your leadership team doubles satisfaction

Our research shows that Black professionals are more satisfied in their role when they see leaders that look like them.

Satisfaction of other professionals is not as impacted by diversity in leadership as for Black professionals. Satisfaction doubles in organizations that have a diverse leadership team.

To reap the benefits from diversity, we need to ensure diversity is not just in entry or mid-level positions and provide employees an opportunity to see diversity in their company's leadership.

On the need for diversity in leadership:

"As a Black professional leader, it's not lost on me that I have a responsibility. I have to demonstrate authenticity, professionalism, and exemplary behavior that others can mimic. And I must also showcase that there are possibilities for those coming up in their career. I feel very grateful that I can bestow onto others my knowledge, my experience, my journey, and the tips that I've used to help bring me to be where I am. (Having Black leaders in an organization) demonstrates that there is talent across the board, that there are all types of women and people with proficiencies. What it brings to the table is a difference in thoughts and experience. A person like myself, sitting at the table, can bring a unique perspective on employee behavior and employee impact. CCL is an organization focused on equity, diversity, and inclusion; for sure having me at the table and others that look like me at the table demonstrates to the public an organization that's practicing what it preaches."

C. Fara Francis CIO, Center for creative leadership

Work from home

While all groups have embraced the work-from-home movement, many Black professionals find it reduces the impact of racial incidents in the workplace.

Percentage of employees who experienced positive changes in motivation after working remotely.

I have to guard and protect myself from experiencing and witnessing racism every day. I am currently working remotely, and I can say for certain my mood and demeanor have improved. Not having to decide if I should address a racist comment or action has made my day easier.
Source: Slate, 2022

Remote work significantly led to feelings of better chances for career advancement

Survey respondents were asked about the positive and negative changes they saw in their interactions and experiences with remote work. Black employees and their colleagues replied similarly, with mostly positive experiences.

While both groups enjoyed better chances for career advancement, the difference was significantly higher for Black professionals.

Reasons for Self-Employment:

More Black professionals have chosen self-employment than their colleagues.

The biggest reasons for both groups in choosing self-employment were for better pay, career growth, and work/life balance.

While the desire for better pay was the highest reason for both groups, for engaged employees salary is a lower priority than other concerns (Adecco Group's Global Workforce of the Future report). Consider salary in conjunction with career growth, work/life balance, and the variety in the work that your employees have.

If we don't consider our Black employees, not only do we risk them leaving the organization, but they may decide to just work for themselves.

Most professionals believe their organizations are committed to diversity, equity, and inclusion

38% of all respondents believe their organizations are very committed to DEI
49% believe they are somewhat committed
9% feel they are not committed
4% are unsure

Make sure supports are in place to help your employees grow in their careers:

Leadership
IT Leadership Career Planning Research Center

Diversity and Inclusion Tactics
IT Diversity & Inclusion Tactics

Employee Development Planning
Implement an IT Employee Development Plan

Belief in your organization's diversity, equity, and inclusion efforts isn't consistent across groups: Make sure actions are seen as genuine

While organization's efforts are acknowledged, Black professionals aren't as optimistic about the commitment as their peers. Make sure that your programs are reaching the various groups you want to impact, to increase the likelihood of satisfaction in their roles.

SATISFACTION INCREASES IN BOTH BLACK AND NON-BLACK PROFESSIONALS

When they believe in their company's commitment to diversity, equity. and inclusion.

Of those who believe in their organization's commitment, 61% of Black professionals and 67% of non-Black professionals are very satisfied in their roles.

Recommendations

It's important to understand the current landscape:

• The barriers that Black employees often face.
• The potential solutions that can help close the gap in employee satisfaction.

We recognize that resolving this is not easy. Although senior executives are recognizing that a diverse set of experiences, perspectives, and backgrounds is crucial to fostering innovation and competing on the global stage, organizations often don't take the extra step to actively look for racialized talent, and many people still believe that race doesn't play an important part in an individual's ability to access opportunities.

Look at a variety of solutions that you can implement within your organization; layering solutions is the key to driving business diversity. Always keep in mind that diversity is not a monolith, that the experiences of each demographic varies.

Info-Tech resources

• Recruit IT Talent
• Recruit and Retain People of Color in IT
• Recruit and Retain People of Color in IT Webinar

Appendix

About the research

Diversity in tech survey

As part of the research process for the State of Black Tech Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from October 2021 to April 2022, collecting 633 responses.

Current Position

Education and Experience

Education was fairly consistent across both groups, with a few exceptions: more Black professionals had secondary school (9% vs. 4%) and more Black professionals had Doctorate degrees (4% vs. 2%).

We had more non-Black respondents with 20+ years of experience (31% vs. 19%) and more Black respondents with less than 1 year of experience (8% vs. 5%) – the rest of the years of experience were consistent across the two groups.

It is important to recognize that people are often seen by "the world" as belonging to a different race or set of races than what they personally identify as. Both aspects impact a professional's experience in the workplace.

Bibliography

Barton, LeRon. “I’m Black. Remote Work Has Been Great for My Mental Health.” Slate, 15 July 2022.

“Black or African American alone, percent.” U.S. Census Bureau QuickFacts: United States. Accessed 14 February 2023.

Boyle, Matthew. “More Workers Ready to Quit Over ‘Window Dressing’ Racism Efforts.” Bloomberg.com, 9 June 2022.

Boyle, Matthew. “Remote Work Has Vastly Improved the Black Worker Experience.” Bloomberg.com, 5 October 2021.

Cooper, Frank, and Ranjay Gulati. “What Do Black Executives Really Want?” Harvard Business Review, 18 November 2021.

“Emotional Tax.” Catalyst. Accessed 1 April 2022.

“Employed Persons by Detailed Occupation, Sex, Race, and Hispanic or Latino Ethnicity” U.S. Bureau of Labor Statistics. Accessed February 14, 2023.

“Equality in Tech Report - Welcome.” Dice, 9 March 2022. Accessed 23 March 2022.

Erb, Marcus. "Leaders Are Missing the Promise and Problems of Employee Resource Groups." Great Place To Work, 30 June 2021.

Gawlak, Emily, et al. “Key Findings - Being Black In Corporate America.” Coqual, Center for Talent Innovation (CTI), 2019.

“Global Workforce of the Future Research.” Adecco, 2022. Accessed 4 February 2023.

Gruman, Galen. “The State of Ethnic Minorities in U.S. Tech: 2020.” Computerworld, 21 September 2020. Accessed 31 May 2022.

Hancock, Bryan, et al. “Black Workers in the US Private Sector.” McKinsey, 21 February 2021. Accessed 1 April 2022.

“Hierarchy Of Needs Applied To Employee Engagement.” Proactive Insights, 12 February 2020.

Hobbs, Cecyl. “Shaping the Future of Leadership for Black Tech Talent.” Russell Reynolds Associates, 27 January 2022. Accessed 3 August 2022.

Hubbard, Lucas. “Race, Not Job, Predicts Economic Outcomes for Black Households.” Duke Today, 16 September 2021. Accessed 30 May 2022.

Knight, Marcus. “How the Tech Industry Can Be More Inclusive to the Black Community.” Crunchbase, 23 February 2022.

“Maslow’s Hierarchy of Needs in Employee Engagement (Pre and Post Covid 19).” Vantage Circle HR Blog, 30 May 2022.

McDonald, Autumn. “The Racism of the ‘Hard-to-Find’ Qualified Black Candidate Trope (SSIR).” Stanford Social Innovation Review, 1 June 2021. Accessed 13 December 2021.

McGlauflin, Paige. “The Fortune 500 Features 6 Black CEOs—and the First Black Founder Ever.” Fortune, 23 May 2022. Accessed 14 February 2023.

“Microaggression." Oxford English Dictionary, Oxford Languages, 2023.

Reed, Jordan. "Understanding Racial Microaggression and Its Effect on Mental Health." Pfizer, 26 August 2020.

Shemla, Meir “Why Workplace Diversity Is So Important, And Why It’s So Hard To Achieve.” Forbes, 22 August 2018. Accessed 4 February 2023.

“The State of Black Women in Corporate America.” Lean In and McKinsey & Company, 2020. Accessed 14 January 2022.

Van Bommel, Tara. “The Power of Empathy in Times of Crisis and Beyond (Report).” Catalyst, 2021. Accessed 1 April 2022.

Vu, Viet, Creig Lamb, and Asher Zafar. “Who Are Canada’s Tech Workers?” Brookfield Institute for Innovation and Entrepreneurship, January 2019. Accessed on Canadian Electronic Library, 2021. Web.

Warner, Justin. “The ROI of Employee Engagement: Show Me the Money!” DecisionWise, 1 January 2020. Web.

White, Sarah K. “5 Revealing Statistics about Career Challenges Black IT Pros Face.” CIO (blog), 9 February 2023. Accessed 5 July 2022.

Williams, Joan C. “Stop Asking Women of Color to Do Unpaid Diversity Work.” Bloomberg.com, 14 April 2022.

Williams, Joan C., Rachel Korn, and Asma Ghani. “A New Report Outlines Some of the Barriers Facing Asian Women in Tech.” Fast Company, 13 April 2022.

Wilson, Valerie, Ethan Miller, and Melat Kassa. “Racial representation in professional occupations.” Economic Policy Institute, 8 June 2021.

“Workplace Diversity: Why It’s Good for Business.” Business Development Canada (BDC.ca), 6 Feb. 2023. Accessed 4 February 2023.