Design a Business-Aligned Security Program

Focus on business value first.

EXECUTIVE BRIEF

Analyst Perspective

Business alignment is no accident.

Security leaders often tout their choice of technical security framework as the first and most important program decision they make. While the right framework can help you take a snapshot of the maturity of your program and produce a quick strategy and roadmap, it won’t help you align, modernize, or transform your program to meet emerging business requirements. Common technical security frameworks focus on operational controls rather than business services and value creation. They are difficult to convey to business stakeholders and provide little program management or implementation guidance. Focus on business value first, and the security services that enable it. Your organization has its own distinct character and profile. Understand what makes your organization unique, then design and refine the design of your security program to ensure it supports the right capabilities. Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place to support the implementation of the security program.

Michel Hébert Research Director, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

You are a business leader who supports business goals and mitigates risk. Focus first on business value and the security services that enable it, not security controls.

Your challenge

The need for a solid and responsive security program has never been greater.

• You need to build a security program that enables business services and secures the technology that makes them possible.
• Building an effective, business-aligned security program requires that you coordinate many components, including technologies, processes, organizational structures, information flows, and behaviors.
• The program must prioritize the right capabilities, and support its implementation with clear accountabilities, roles, and responsibilities.
• You must communicate effectively with stakeholders to describe the risks the organization faces, their likely impact on organizational goals, and how the security program will mitigate those risks and support the creation of business value.

• Ransomware is a persistent threat to organizations worldwide across all industries.

Cybercriminals deploying ransomware are evolving into a growing and sophisticated criminal ecosystem that will continue to adapt to maximize its profits.

• Critical infrastructure is increasingly at risk.

Malicious agents continue to target critical infrastructure to harm industrial processes and the customers they serve State-sponsored actors are expected to continue to target critical infrastructure to collect information through espionage, pre-position in case of future hostilities, and project state power.

• Disruptive technologies bring new threats.

Malicious actors increasingly deceive or exploit cryptocurrencies, machine learning, and artificial intelligence technologies to support their activities.

Sources: CCCS (2023), CISA (2023), ENISA (2023)

Your challenge

Most security programs are not aligned with the overall business strategy.

50% Only half of leaders are framing the impact of security threats as a business risk.

49% Less than half of leaders align security program cost and risk reduction targets with the business.

57% Most leaders still don’t regularly review security program performance of the business.

Source: Tenable, 2021

Common obstacles

Misalignment is hurting your security program and making you less influential.

Organizations with misaligned security programs have 48% more security incidents...

…and the cost of their data breaches are 40% higher than those with aligned programs.

37% of stakeholders still lack confidence in their security program.

54% of senior leaders still doubt security gets the goals of the organization.

Source: Frost & Sullivan, 2019

Source: Ponemon, 2023

Common obstacles

Common security frameworks won’t help you align your program.

• Common security frameworks focus on operational controls rather than business value creation, are difficult to convey to stakeholders, and provide little implementation guidance.
• A security strategy based on the right framework can provide a snapshot of your program, but it won’t help you modernize, transform, or align your program to meet emerging business requirements.
• The lack of guidance leads to a lack of structure in the way security services are designed and managed, which reduces service quality, increases security friction, and reduces business satisfaction.

There is no unique, one-size-fits-all security program.

• Each organization has a distinct character and profile and differs from others in several critical respects. The security program for a cloud-first, DevOps environment must emphasize different capabilities and accountabilities than one for an on-premise environment and a traditional implementation model.

Info-Tech’s approach

You are a business leader who supports business goals and mitigates risk.

• Understand what makes your organization unique, then design and refine a security program with capabilities that create business value.
• Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place, and build an implementation roadmap to ensure its components work together over time.

Security needs to evolve as a business strategy.

• Laying the right foundations for your security program will inform future security program decisions and give your leadership team the information they need to support your success. You can do it in two steps:
  • Evaluate the design factors that make your organization unique and prioritize the security capabilities to suit. Info-Tech’s approach is based on the design process embedded in the latest COBIT framework.
  • Review the key components of your security program, including security governance, security strategy, security architecture, service design, and service metrics.

If you build it, they will come

“There's so much focus on better risk management that every leadership team in every organization wants to be part of the solution.

If you can give them good data about what things they really need to do, they will work to understand it and help you solve the problem.”

Dan Bowden, CISO, Sentara Healthcare (Tenable)

Design a Business-Aligned Security Program

Choose your own adventure

This blueprint is ideal for new CISOs and for program modernization initiatives.

1. New CISO

“I need to understand the business, prioritize core security capabilities, and identify program accountabilities quickly.”

2. Program Renewal

“The business is changing, and the threat landscape is shifting. I am concerned the program is getting stale.”

Use this blueprint to understand what makes your organization unique:

1. Prioritize security capabilities.
2. Identify program accountabilities.
3. Plan program implementation.

If you need a deep dive into governance, move on to a security governance and management initiative.

3. Program Update

“I am happy with the fundamentals of my security program. I need to assess and improve our security posture.”

Move on to our guidance on how to Build an Information Security Strategy instead.

Info-Tech’s methodology for security program design

Insight Map

You are a business leader first and a security leader second

Technical security frameworks are static and focused on operational controls and standards. They belong in your program’s solar system but not at its center. Design your security program with business value and the security services that enable it in mind, not security controls.

There is no one-size-fits-all security program
Tailor your security program to your organization’s distinct profile to ensure the program generates value.

Lay the right foundations to increase engagement
Map out accountabilities, roles, and responsibilities to ensure the components of your security program work together over time to secure and enable business services.

If you build it, they will come
Your executive team wants to be part of the solution. If you give them reliable data for the things they really need to do, they will work to understand and help you solve the problem.

Blueprint deliverables

Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

Security Program Design Tool

Tailor the security program to what makes your organization unique to ensure alignment.

Security Program Implementation Tool

Assess the current state of different security program components and plan next steps.

SecurityProgram Design and Implementation Plan

Communicate capabilities, accountabilities, and implementation initiatives.

Key deliverable

Security Program Design and Implementation Plan

The design and implementation plan captures the key insights your work will generate, including:

• A prioritized set of security capabilities aligned to business requirements.
• Security program accountabilities.
• Security program implementation initiatives.

Blueprint benefits

Measure the value of using Info-Tech’s approach

Assess the effectiveness of your security program with a risk-based approach.

Measure the impact of your project

Use Info-Tech diagnostics before and after the engagement to measure your progress.

• Info-Tech diagnostics are standardized surveys that produce historical and industry trends against which to benchmark your organization.
• Run the Security Business Satisfaction and Alignment diagnostic now, and again in twelve months to assess business satisfaction with the security program and measure the impact of your program improvements.
• Reach out to your account manager or follow the link to deploy the diagnostic and measure your success. Diagnostics are included in your membership.

Inform this step with Info-Tech diagnostic results

• Info-Tech diagnostics are standardized surveys that accelerate the process of gathering and analyzing pain point data.
• Diagnostics also produce historical and industry trends against which to benchmark your organization.
• Reach out to your account manager or follow the links to deploy some or all these diagnostics to validate your assumptions. Diagnostics are included in your membership.

Governance & Management Maturity Scorecard
Understand the maturity of your security program across eight domains.
Audience: Security Manager

Security Business Satisfaction and Alignment Report
Assess the organization’s satisfaction with the security program.
Audience: Business Leaders

CIO Business Vision
Assess the organization’s satisfaction with IT services and identify relevant challenges.
Audience: Business Leaders

Executive Brief Case Study

INDUSTRY: Higher Education

SOURCE: Interview

Building a business-aligned security program

Portland Community College (PCC) is the largest post-secondary institution in Oregon and serves more than 50,000 students each year. The college has a well-established information technology program, which supports its education mission in four main campuses and several smaller centers.

PCC launched a security program modernization effort to deal with the evolving threat landscape in higher education. The CISO studied the enterprise strategy and goals and reviewed the college’s risk profile and compliance requirements. The exercise helped the organization prioritize security capabilities for the renewal effort and informed the careful assessment of technical controls in the current security program.

Results

Laying the right foundations for the security program helped the security function understand how to provide the organization with a clear report of its security posture. The CISO now reports directly to the board of directors and works with stakeholders to align cost, performance, and risk reduction objectives with the needs of the college.

The security program modernization effort prioritized several critical design factors

• Enterprise Strategy
• Enterprise Goals
• IT Risk Profile
• IT-Related Issues
• IT Threat Landscape
• Compliance Requirements

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 6 calls over the course of 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Customize your journey

The security design blueprint pairs well with security governance and security strategy.

• The prioritized set of security capabilities you develop during the program design project will inform efforts to develop other parts of your security program, like the security governance and management program and the security strategy.
• Work with your member services director, executive advisor, or technical counselor to scope the journey you need. They will work with you to align the subject matter experts to support your roadmap and workshops.

Take the First Steps to Embrace Open-Source Software

Begin to understand what is required to embrace open-source software in your organization.

Analyst Perspective

With great empowerment comes great responsibilities.

Open-source software promotes enticing technology and functional opportunities to any organization looking to modernize without the headaches of traditional licensing. Many organizations see the value of open source in its ability to foster innovation, be flexible to various use cases and system configurations, and give complete control to the teams who are using and managing it.

However, open source is not free. While the software is freely and easily accessible, its use and sharing are bound by its licenses, and its implementation requires technical expertise and infrastructure investments. Your organization must be motivated and capable of taking on the various services traditionally provided and managed by the vendor.

Andrew Kum-Seun
Research Director,
Application Delivery and Application Management
Info-Tech Research Group

Executive Summary

Insight Summary

Overarching Info-Tech Insight

Open source is as much about an investment in people as it is about technology. It empowers applications teams to take greater control over their technology and customize it as they see fit. However, teams need the time and funding to conduct the necessary training, management, and ongoing community engagement that open-source software and its licenses require.

• Position open source in the same light as commercial software.
  The continuous improvement and evolution of popular open-source software and communities have established a trusting and reliable reputation in the industry. Open-source software quality and community support can rival similar vendor capabilities given the community’s maturity and contributions in the technology.
• Consider open source another form of outsource development.
  Open source is externally developed software where the code is accessible and customizable. Code quality may not align to your organization’s standards, which can require extensive testing and optimization. A thorough analysis of change logs, code repositories, contributors, and the community is recommended – much to the same degree as one would do with prospective outsourcing partners.
• Treat open source as any internally developed solution.
  Configurations, integrations, customizations, and orchestrations of open-source software are often done at the code level. While some community support is provided, most of the heavy lifting is done by the applications team. Teams must be properly resourced, upskilled, and equipped to meet this requirement. Otherwise, third-party partners are needed.

What is open source?

According to Synopsys, “Open source software (OSS) is software that is distributed with its source code, making it available for use, modification, and distribution with its original rights. … Programmers who have access to source code can change a program by adding to it, changing it, or fixing parts of it that aren’t working properly. OSS typically includes a license that allows programmers to modify the software to best fit their needs and control how the software can be distributed.”

What are the popular use cases?

1. Programming languages and frameworks
2. Databases and data technologies
3. Operating systems
4. Git public repos
5. Frameworks and tools for AI/ML/DL
6. CI/CD tooling
7. Cloud-related tools
8. Security tools
9. Container technology
10. Networking

Source: OpenLogic, 2022

Common Attributes of All Open-Source Software

• Publicly shared repository that anyone can access to use the solution and contribute changes to the design and functionality of the project.
• A community that is an open forum to share ideas and solution enhancements, discuss project direction and vision, and seek support from peers.
• Project governance that sets out guidelines, rules, and requirements to participate and contribute to the project.
• Distribution license that defines the terms of how a solution can be used, assessed, modified, and distributed.

Take the first steps to embrace open-source software

Begin to understand what is required to embrace open-source software in your organization.

State the Value of Open Source: Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.

Select Your Open-Source Software: Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.

Prepare for Open Source: Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

Step 1.1: State the Value of Open Source

Activities

1.1.1 Outline the value you expect to gain from open-source software

This step involves the following participants:

• Applications team
• Product owner

Outcomes of this step:

• Value proposition for open source
• Potential open-source use cases

Use a canvas to frame your open-source evaluation

This canvas is intended to provide a single pane of glass to start collecting your thoughts and framing your future conversations on open-source software selection and adoption.

Record the results in the “Open-Source Canvas” tab in the Open-Source Readiness Assessment.

Open source presents unique software and tooling opportunities

Innovation

Many leading-edge and bleeding-edge technologies are collaborated and innovated in open-source projects, especially in areas that are beyond the vision and scope of vendor products and priorities.

Niche Solutions

Open-source projects are focused. They are designed and built to solve specific business and technology problems.

Flexible & Customizable

All aspects of the open-source software are customizable, including source code and integrations. They can be used to extend, complement, or replace internally developed code. Licenses define how open-source code should be and must be used, productized, and modified.

Brand & Recognition

Open-source communities encourage contribution and collaboration among their members to add functionality and improve quality and adoption.

Cost

Open-source software is accessible to everyone, free of charge. Communities do not need be consulted prior to acquisition, but the software’s use, configurations, and modifications may be restricted by its license.

However, myths continue to challenge adoption

• Open source is less secure or poorer quality than proprietary solutions.
• Open source is free from risk of intellectual property (IP) infringement.
• Open source is cheaper than proprietary solutions.

What are the top perceived barriers to using enterprise open source?

• Concerns about the level of support
• Compatibility concerns
• Concerns about inherent security of the code
• Lack of internal skills to manage and support it

Source: Red Hat, 2022

Define a Sourcing Strategy for Your Development Team

Choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

Analyst Perspective

Choosing the right sourcing strategy for your development team is about assessing your technical situation, your business needs, your organizational culture, and your ability to manage partners!

Firms today are under continuous pressure to innovate and deliver new features to market faster while at the same time controlling costs. This has increased the need for higher throughput in their development teams along with a broadening of skills and knowledge. In the face of these challenges, there is a new focus on how firms source their development function. Should they continue to hire internally, offshore, or outsource? How do they decide which strategy is the right fit?

Info-Tech’s research shows that the sourcing strategy considerations have evolved beyond technical skills and costs. Identifying the right strategy has become a function of the characteristics of the organization, its culture, its reliance on the business for knowledge, its strategic value of the application, its vendor management skills, and its ability to internalize external knowledge. By assessing these factors firms can identify the best sourcing mix for their development portfolios.

Dr. Suneel Ghei
Principal Research Director, Application Development
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

Define a sourcing strategy for your development team

Business Business knowledge/ expertise required Product owner maturity Technical Complexity and maturity of technical environment Required level of integration Organizational Company culture Desired geographic proximity Required vendor management skills	Assess your current delivery posture for challenges and impediments. Decide whether to build or buy a solution. Select your desired sourcing strategy based on your current state and needs.
Three Perspectives +	Three Steps =	Your Sourcing Strategy

Diverse sourcing is used by many firms

Internal sourcing models

Insourcing comes in three distinct flavors

Info-Tech Insight

Insourcing allows you to stay close to more strategic applications. But choosing the right model requires a strong look inside your organization and your ability to provide business knowledge support to developers who may have different skills and cultures and are in different geographies.

Outsourcing models

External sourcing can be done to different degrees

Info-Tech Insight

Outsourcing represents one of the most popular ways for organizations to source external knowledge and skills. The choice of model is a function of the organization’s ability to support the external resources and to absorb the knowledge back into the organization.

Defining your sourcing strategy

Follow the steps below to identify the best match for your organization

Review Your Current Situation Review the issues and opportunities related to application development and categorize them based on the key factors.

Assess Build Versus Buy Before choosing a sourcing model you must assess whether a particular product or function should be bought as a package or developed.

Choose the Right Sourcing Strategy Based on the research, use the modeling tool to match the situation to the appropriate sourcing solution.

Step 1.1

Review Your Current Situation

Activities

• 1.1.1 Identify and categorize your challenges

This step involves the following participants:

• Product management team
• Software development leadership team
• Key stakeholders

Review your current delivery posture for challenges and impediments.

Review your situation

There are three key areas to examine in your current situation:

Business Challenges Do you need to gain new knowledge to drive innovation? Does your business need to enhance its software to improve its ability to compete in the market? Do you need to increase your speed of innovation? Technology Challenges Are you being asked to take tighter control of your development budgets? Does your team need to expand their skills and knowledge? Do you need to increase your development speed and capacity? Market Challenges Is your competition seen as more innovative? Do you need new features to attract new clients? Are you struggling to find highly skilled and knowledgeable development resources?

Info-Tech Insight Sourcing is a key tool to solve business and technical challenges and enhance market competitiveness when coupled with a robust definition of objectives and a way to measure success.

1.1.1 Identify and categorize your challenges

Output: List of the key challenges in your software lifecycle. Breakdown of the list into categories to identify opportunities for sourcing

Participants: Product management team, Software development leadership team, Key stakeholders

1. What challenge is your firm is facing with respect to your software that you think sourcing can address? (20 minutes)
2. Is the challenge related to a business outcome, development methodology, or technology challenge? (10 minutes)
3. Is the challenge due to a skills gap, budget or resource challenge, throughput issue, or a broader organizational knowledge or process issue? (10 minutes)
4. What is the specific objective for the team/leader in addressing this challenge? (15 minutes)
5. How will you measure progress and achievement of this objective? (5 minutes)

Document results in the Define a Sourcing Strategy Workbook

Identify and categorize your challenges

Step 1.2

Assess Build Versus Buy

Activities

• 1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

This step involves the following participants:

• Product management team
• Software development leadership team
• Key stakeholders

Outcomes of this step

Understand in your context the benefits and drawbacks of build versus buy, leveraging Info-Tech’s recommended definitions as a starting point.

Define a Sourcing Strategy for Your Development Team

Look vertically across the IT hierarchy to assess the impact of your decision at every level

Regardless of the industry, a common and challenging dilemma facing technology teams is to determine when they should build software or systems in-house versus when they should rely wholly on an outside vendor for delivering on their technology needs. The answer is not as cut and dried as one would expect. Any build versus buy decision may have an impact on strategic and operational plans. It touches every part of the organization, starting with individual projects and rolling up to the enterprise strategy.

Info-Tech Insight

Do not ignore the impact of a build or buy decision on the various management levels in an IT organization.

Deciding whether to build or buy

It is as much about what you gain as it is about what problem you choose to have

1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

30 minutes

Output: A common understanding of the different approaches to build versus buy applied to your organizational context

Participants: Product management team, Software development leadership team, Key stakeholders

1. Look at the previous slide, Deciding whether to build or buy.
2. Discuss the pros and cons listed for each approach.
   1. Do they apply in your context? Why or why not?
   2. Are there some approaches not applicable in terms of how you wish to work?
3. Record the curated list of pros and cons for the different build/buy approaches.
4. For each approach, arrange the pros and cons in order of importance.

Document results in the Define a Sourcing Strategy Workbook

Step 1.3

Choose the Right Sourcing Strategy

Activities

• 1.3.1 Determine the right sourcing strategy for your needs

This step involves the following participants:

• Product management team
• Software development leadership team
• Key stakeholders

Outcomes of this step

Choose your desired sourcing strategy based on your current state and needs.

Define a Sourcing Strategy for Your Development Team

Choose the right sourcing strategy

Business drivers

To choose the right sourcing strategy, you need to assess your key drivers of delivery

Product Knowledge The level of business involvement required to support the development team is a critical factor in determining the sourcing model. Both the breadth and depth of involvement are critical factors. Strategic Value The strategic value of the application to the company is also a critical component. The more strategic the application is to the company, the closer the sourcing should be maintained. Value can be assessed based on the revenue derived from the application and the depth of use of the application by the organization. Product Ownership Maturity To support sourcing models that move further from organizational boundaries a strong product ownership function is required. Product owners should ideally be fully allocated to the role and engaged with the development teams. Product owners should be empowered to make decisions related to the product, its vision, and its roadmap. The higher their allocation and empowerment, the higher the chances of success in external sourcing engagements.

Case Study: The GoodLabs Studio Experience

INDUSTRY: Software Development | SOURCE: Interview with Thomas Lo, Co-Founder, GoodLabs Studio

Organizational drivers

To choose the right sourcing strategy for a particular problem you need to assess the organization’s key capabilities

Vendor Management Vendor management is a critical skill for effective external sourcing. This can be assessed based on the organization’s ability to cultivate and grow long-term relationships of mutual value. The longevity and growth of existing vendor relationships can be a good benchmark for future success. Absorptive Capacity To effectively make use of external sourcing models, the organization must have a well-developed track record of absorbing outside knowledge. This can be assessed by looking at past cases where external knowledge was sourced and internalized, such as past vendor development engagements or use of open-source code. Organizational Culture Another factor in success of vendor engagements and long-term relationships is the matching of organizational cultures. It is key to measure the organization’s current position on items like communication strategy, geographical dispersal, conflict resolution strategy, and hierarchical vs flat management. These factors should be documented and matched with partners to determine the best fit.

Case Study: WCIRB California

INDUSTRY: Workers Compensation Insurance | SOURCE: Interview with Roger Cottman, Senior VP and CIO, WCIRB California

Technical drivers

To choose the right sourcing strategy for a particular problem you need to assess your technical situation and capabilities

Environment Complexity The complexity of your technical environment is a hurdle that must be overcome for external sourcing models. The number of environments used in the development lifecycle and the location of environments (physical, virtual, on-premises, or cloud) are key indicators. Integration Requirements The complexity of integration is another key technical driver. The number of integrations required for the application is a good measuring stick. Will it require fewer than 5, 5-10, or more than 10? Testing Capabilities Testing of the application is a key technical driver of success for external models. Having well-defined test cases, processes, and shared execution with the business are all steps that help drive success of external sourcing models. Test automation can also help facilitate success of external models. Measure the percentage of test cases that are standardized, the level of business involvement, and the percentage of test cases that are automated.

Case Study: Management Control Systems (MC Systems)

INDUSTRY: Technology Services | SOURCE: Interview with Kathryn Chin See, Business Development and Research Analyst, MC Systems

1.3.1 Determine the right sourcing strategy for your needs

60 minutes

Output: A scored matrix of the key drivers of the sourcing strategy

Participants: Development leaders, Product management team, Key stakeholders

Choose one of your products or product families and assess the factors below on a scale of None, Low, Medium, High, and Full.

• 3.1 Assess the business factors that drive selection using these key criteria (20 minutes):
  • 3.1.1 Product knowledge
  • 3.1.2 Strategic value
  • 3.1.3 Product ownership
• 3.2 Assess the organizational factors that drive selection using these key criteria (20 minutes):
  • 3.2.1 Vendor management
  • 3.2.2 Absorptive capacity
  • 3.2.3 Organization culture
• 3.3 Assess the technical factors that drive selection using these key criteria (20 minutes):
  • 3.3.1 Environments
  • 3.3.2 Integration
  • 3.3.3 Testing

Document results in the Define a Sourcing Strategy Workbook

Things to Consider When Implementing

Once you have built your strategy there are some additional things to consider

Things to Consider Before Acting on Your Strategy

By now you understand what goes into an effective sourcing strategy. Before implementing one, there are a few key items you need to consider:

Start with a pilot Changing sourcing needs to start with one team. Grow as skills develop to limit risk. Build an IT workforce plan Build an integrated workforce plan for the organization. Refer to our research: Build a Strategic IT Workforce Plan. Enhance your vendor management skills Refer to our research: Manage Your Vendor Before They Manage You. Involve the business early and often The business should feel they are part of the discussion. See our Agile/DevOps Research Center for more information on how the business and IT can better work together. Limit sourcing complexity Having too many different partners and models creates confusion and will strain your ability to manage vendors effectively.

Bibliography

Apfel, Isabella, et al. “IT Project Member Turnover and Outsourcing Relationship Success: An Inverted-U Effect.” Developments, Opportunities and Challenges of Digitization, 2020. Web.

Benamati, John, and Rajkumar, T.M. “The Application Development Outsourcing Decision: An Application of the Technology Acceptance Model.” Journal of Computer Information Systems, vol. 42, no. 4, 2008, pp. 35-43. Web.

Benamati, John, and Rajkumar, T.M. “An Outsourcing Acceptance Model: An Application of TAM to Application Development Outsourcing Decisions.” Information Resources Management Journal, vol. 21, no. 2, pp. 80-102, 2008. Web.

Broekhuizen, T. L. J., et al. “Digital Platform Openness: Drivers, Dimensions and Outcomes.” Journal of Business Research, vol. 122, July 2019, pp. 902-914. Web.

Brook, Jacques W., and Albert Plugge. “Strategic Sourcing of R&D: The Determinants of Success.” Business Information Processing, vol. 55, Aug. 2010, pp. 26-42. Web.

Delen, G. P A.J., et al. “Foundations for Measuring IT-Outsourcing Success and Failure.” Journal of Systems and Software, vol. 156, Oct. 2019, pp. 113-125. Web.

Elnakeep, Eman, et al. “Models and Frameworks for IS Outsourcing Structure and Dimensions: A Holistic Study.” Lecture notes in Networks and Systems, 2019. Web.

Ghei, Suneel. Modeling Absorptive Capacity for Open Innovation in the Software Industry. 2020. Faculty of Graduate Studies, Athabasca University, 2020. DBA Dissertation.

“IT Outsourcing Market Research Report by Service Model, Organization Sizes, Deployment, Industry, Region – Global Forecast to 2027 – Cumulative Impact of COVID-19.” ReportLinker, April 2022. Web.

Jeong, Jongkil Jay, et al. “Enhancing the Application and Measurement of Relationship Quality in Future IT Outsourcing Studies.” 26th European Conference on Information Systems: Beyond Digitization – Facets of Socio-Tehcnical Change: Proceedings of ECIS 2018, Portsmouth, UK, June 23-28, 2018. Edited by Peter Bednar, et al., 2018. Web.

Könning, Michael. “Conceptualizing the Effect of Cultural Distance on IT Outsourcing Success.” Proceedings of Australasian Conference on Information Systems 2018, Sydney, Australia, Dec. 3-5, 2018. Edited by Matthew Noble, UTS ePress, 2018. Web.

Lee, Jae-Nam, et al. “Holistic Archetypes of IT Outsourcing Strategy: A Contingency Fit and Configurational Approach.” MIS Quarterly, vol. 43, no. 4, Dec. 2019, pp. 1201-1225. Web.

Loukis, Euripidis, et al. “Determinants of Software-as-a-Service Benefits and Impact on Firm Performance.” Decision Support Systems, vol. 117, Feb. 2019, pp. 38-47. Web.

Martensson, Anders. “Patterns in Application Development Sourcing in the Financial Industry.” Proceedings of the 13th European Conference of Information Systems, 2004. Web.

Martínez-Sánchez, Angel, et al. “The Relationship Between R&D, the Absorptive Capacity of Knowledge, Human Resource Flexibility and Innovation: Mediator Effects on Industrial Firms.” Journal of Business Research, vol. 118, Sept. 2020, pp. 431-440. Web.

Moreno, Valter, et al. “Outsourcing of IT and Absorptive Capacity: A Multiple Case Study in the Brazilian Insurance Sector.” Brazilian Business Review, vol. 17, no. 1, Jan.-Feb. 2020, pp. 97-113. Web.

Ozturk, Ebru. “The Impact of R&D Sourcing Strategies on Basic and Developmental R&D in Emerging Economies.” European Journal of Innovation Management, vol. 21, no. 7, May 2018, pp. 522-542. Web.

Ribas, Imma, et al. “Multi-Step Process for Selecting Strategic Sourcing Options When Designing Supply Chains.” Journal of Industrial Engineering and Management, vol. 14, no. 3, 2021, pp. 477-495. Web.

Striteska, Michaela Kotkova, and Viktor Prokop. “Dynamic Innovation Strategy Model in Practice of Innovation Leaders and Followers in CEE Countries – A Prerequisite for Building Innovative Ecosystems.” Sustainability, vol. 12, no. 9, May 2020. Web.

Thakur-Wernz, Pooja, et al. “Antecedents and Relative Performance of Sourcing Choices for New Product Development Projects.” Technovation, 2020. Web.

Annual CIO Survey Report 2024

An inaugural look at what's on the minds of CIOs.

1. Firmographics

• Region
• Title
• Organization Size
• IT Budget Size
• Industry

Firmographics

The majority of CIO responses came from North America. Contributors represent regions from around the world.

n=354

Firmographics

A typical CIO respondent held a C-level position at a small to mid-sized organization.

Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

38% of respondents are from an organization with above 1,000 employees

Firmographics

A typical CIO respondent held a C-level position at a small to mid-sized organization.

40% of CIOs report an annual budget of more than $10 million

A range of industries are represented, with 29% of respondents in the public sector or financial services

2. Key Factors

• IT Maturity
• Disruptive Factors
• IT Spending Plans
• Talent Shortage

Two in three respondents say IT can deliver outcomes that Support or Optimize the business

Most CIOs are concerned with cybersecurity disruptions, and one in four expect a budget increase of above 10%

How likely is it that the following factors will disrupt your business in the next 12 months?

Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

3. Adoption of Emerging Technology

• Fastest growing tech for 2024 and beyond

CIOs plan the most new spend on AI in 2024 and on mixed reality after 2024

Top five technologies for new spending planned in 2024:

1. Artificial intelligence - 35%
2. Robotic process automation or intelligent process automation - 24%
3. No-code/low-code platforms - 21%
4. Data management solutions - 14%
5. Internet of Things (IoT) - 13%

Top five technologies for new spending planned after 2024:

1. Mixed reality - 20%
2. Blockchain - 19%
3. Internet of Things (IoT) - 17%
4. Robotics/drones - 16%
5. Robotic process automation or intelligent process automation - 14%

n=301

Info-Tech Insight
Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.

4. Adoption of AI

• Interest in generative AI applications
• Tasks to be completed with AI
• Progress in deploying AI

CIOs are most interested in industry-specific generative AI applications or text-based

Rate your business interest in adopting the following generative AI applications:

There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.

n=251

Info-Tech Insight
Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.

By the end of 2024, CIOs most often plan to use AI for analytics and repetitive tasks

Most popular use cases for AI by end of 2024:

1. Business analytics or intelligence - 69%
2. Automate repetitive, low-level tasks - 68%
3. Identify risks and improve security - 66%
4. IT operations - 62%
5. Conversational AI or virtual assistants - 57%

Fastest growing uses cases for AI in 2024:

1. Automate repetitive, low-level tasks - 39%
2. IT operations - 38%
3. Conversational AI or virtual assistants - 36%
4. Business analytics or intelligence - 35%
5. Identify risks and improve security - 32%

n=218

Info-Tech Insight
The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

One in three CIOs are running AI pilots or are more advanced with deployment

How far have you progressed in the use of AI?

Info-Tech Insight
Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

5. AI Risk

• Perceived impact of AI
• Approach to third-party AI tools
• AI features in business applications
• AI governance and accountability

Six in ten CIOs say AI will have a positive impact on their organization

What overall impact do you expect AI to have on your organization?

The majority of CIOs are waiting for professional-grade generative AI tools

Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

Info-Tech Insight
Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).

One in three CIOs say they are accountable for AI, and the majority are exploring it cautiously

Who in your organization is accountable for governance of AI?

More than one-third of CIOs say no AI governance steps are in place today

What AI governance steps does your organization have in place today?

Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).

6. Contribute to Info-Tech's Research Community

• Volunteer to be interviewed
• Attend LIVE in Las Vegas

It's not too late; take the Future of IT online survey

Contribute to our tech trends insights

If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.

Complete an interview for the Future of IT research project

Help us chart the future course of IT

If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.

If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.

Methodology

All data in this report is from Info-Tech's Future of IT online survey 2023 edition.

A CIO focus for the Future of IT

Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.

Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.

This data segment reflects 355 total responses with 239 completing every question on the survey.

Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.

Application Portfolio Management Foundations

Ensure your application portfolio delivers the best possible return on investment.

Analyst Perspective

You can’t outsource accountability.

Many lack visibility into their overall application portfolio, focusing instead on individual projects or application development. Inevitably, application sprawl creates process and data disparities, redundant applications, and duplication of resources and stands as a significant barrier to business agility and responsiveness. The shift from strategic investment to application maintenance creates an unnecessary constraint on innovation and value delivery.

With the rise and convenience of SAAS solutions, IT has an increasing need to discover and support all applications in the organization. Unmanaged and unsanctioned applications can lead to increased reputational risk. What you don’t know WILL hurt you.

You can outsource development, you can even outsource maintenance, but you cannot outsource accountability for the portfolio. Organizations need a holistic dashboard of application performance and dispositions to help guide and inform planning and investment discussions. Application portfolio management (APM) can’t tell you why something is broken or how to fix it, but it is an important tool to determine if an application’s value and performance are up to your standards and can help meet your future goals.

Hans Eckman
Principal Research Director
Info-Tech Research Group

Is this research right for you?

Research Navigation

Managing your application portfolio is essential regardless of its size or whether your software is purchased or developed in house. Each organization must have some degree of application portfolio management to ensure that applications deliver value efficiently and that their risk or gradual decline in technical health is appropriately limited.

Executive Summary

Info-Tech Insight: You can’t outsource strategy.

Modern software options have decreased the need for organizations to have robust in-house application management capabilities. Your applications’ future and governance of the portfolio still require a centralized IT oversight to ensure the best return on investment.

The top IT challenges for SE come from app management

A hidden and inefficient application portfolio is the root cause of so many pains experienced by both IT and the business.

• Demand/Capacity Imbalance
• Overspending
• Security and Business Continuity Risk
• Delays in Delivery
• Barriers to Growth

APM comes at a justified cost

The benefits of APM

APM identifies areas where you can reduce core spending and reinvest in innovation initiatives.

Other benefits can include:

• Fewer redundancies
• Less risk
• Less complexity
• Improved processes
• Flexibility
• Scalability

APM allows you to better understand and set the direction of your portfolio

Application Inventory

The artifact that documents and informs the business of your application portfolio.

Application Rationalization

The process of collecting information and assessing your applications to determine recommended dispositions.

Application Alignment

The process of revealing application information through interviewing stakeholders and aligning to business capabilities.

Application Roadmap

The artifact that showcases the strategic directions for your applications over a given timeline.

Application Portfolio Management (APM):

The ongoing practice of:

• Providing visibility into applications across the organization.
• Recommending corrections or enhancements to decision makers.
• Aligning delivery teams on priority.
• Showcasing the direction of applications to stakeholders.

Create a balanced approach to value delivery

Enterprise Agility and Value Realization

Product Lifecycle Management

Align your product and service improvement and execution to enterprise strategy and value realization in three key areas: defining your products and services, aligning product/service owners, and developing your product vision.

• Make the Case for Product Delivery
• Deliver on Your Digital Product Vision
• Build a Better Product Owner

Product Delivery Lifecycle (Agile DevOps)

Enhance business agility by leveraging an Agile mindset and continuously improving your delivery throughput, quality, value realization, and adaptive governance.

• Agile/DevOps Research Center
• Implement Agile Practices That Work
• Spread Best Practices With an Agile Center of Excellence
• Implement DevOps Practices That Work
• Perform an Agile Skills Assessment
• Define the Role of Project Management in Agile and Product-Centric Delivery

Application Portfolio Management

Transform your application portfolio into a cohesive service catalog aligned to your business capabilities by discovering, rationalizing, and modernizing your applications while improving application maintenance, management, and reuse.

Every organization experiences some degree of application sprawl

Causes of Sprawl

• Poor Lifecycle Management
• Turnover & Lack of Knowledge Transfer
• Siloed Business Units & Decentralized IT
• Business-Managed IT
• (Shadow IT)
• Mergers & Acquisitions

Problems With Sprawl

• Redundancy and Inefficient Spending
• Disparate Apps & Data
• Obsolescence
• Difficulties in Prioritizing Support
• Barriers to Change & Growth

Application Sprawl:

Inefficiencies within your application portfolio are created by the gradual and non-strategic accumulation of applications.

You have more apps than you need.

Only 34% of software is rated as both IMPORTANT and EFFECTIVE by users.

Source: Info-Tech’s CIO Business Vision

Build your APM journey map

Application rationalization provides insight

Directionless portfolio of applications	Info-Tech’s Five Lens Model					Assigned dispositions for individual apps
	Application Alignment	Business Value	Technical Health	End-User Perspective	Total Cost of Ownership (TCO)	Maintain: Keep the application but adjust its support structure. Modernize: Create a new initiative to address an inadequacy. Consolidate: Create a new initiative to reduce duplicate functionality. Retire: Phase out the application. Disposition: The intended strategic direction or implied course of action for an application.
	How well do your apps support your core functions and teams?	How well are your apps aligned to value delivery?	Do your apps meet all IT quality standards and policies?	How well do your apps meet your end users’ needs?	What is the relative cost of ownership and operation of your apps?
Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.

APM is an iterative and evergreen process

APM provides oversight and awareness of your application portfolio’s performance and support for your business operations and value delivery to all users and customers.

Repeat according to APM cadence and application changes

Executive Brief Case Study

INDUSTRY: Retail

SOURCE: Deloitte, 2017

Info-Tech’s application portfolio management methodology

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

Application Portfolio Management Foundations Playbook	Application Portfolio Management Snapshot and Foundations Tool
This template allows you to capture your APM roles and responsibilities and build a repeatable process.	This tool stores all relevant application information and allows you to assess your capability support, execute rationalization, and build a portfolio roadmap.

Key deliverable:

Blueprint Storyboard

This is the PowerPoint document you are viewing now. Follow this guide to understand APM, learn how to use the tools, and build a repeatable APM process that will be captured in your playbook.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI for on this topic look like?

Note: The Guided Implementation will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our right-sized best practices in your organization. A typical GI, using our materials, is 3 to 6 calls over the course of 1 to 3 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Note: The workshop will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.

Workshop Options

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Blueprint Pre-Step: Get the right stakeholders to the right exercises

APM Lead/Owner (Recommended) ☐ Applications Lead or the individual responsible for application portfolio management, along with any applications team members, if available Key Corporate Stakeholders Depending on size and structure, participants could include: ☐ Head of IT (CIO, CTO, IT Director, or IT Manager) ☐ Head of shared services (CFO, COO, VP HR, etc.) ☐ Compliance Officer, Steering Committee ☐ Company owner or CEO Application Subject Matter Experts Individuals who have familiarity with a specific subset of applications ☐ Business owners (product owners, Head of Business Function, power users) ☐ Support owners (Operations Manager, IT Technician) Delivery Leads ☐ Development Managers ☐ Solution Architects ☐ Project Managers

Understand your APM tools and outcomes

1.Diagnostic	5. Foundations: Chart
2. Data Journey	6. App Comparison
3. Snapshot	7. Roadmap
4. Foundations: Results

Examples and explanations of these tools are located on the following slides and within the phases where they occur.

Assess your current application portfolio with Info-Tech’s APM Diagnostic Tool

One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.

APM worksheet data journey map

Interpreting your APM Snapshot results

Interpreting your APM Foundations results

Interpreting your APM Foundations chart

Compare application groups

Group comparison can be used for more than just redundant/overlapping applications.

Apply Info-Tech’s 6 R’s Rationalization Disposition Model

Disposition Description Reward Prioritize new features or enhancement requests and openly welcome the expansion of these applications as new requests are presented. Refresh Address the poor end-user satisfaction with a prioritized project. Consult with users to determine if UX issues require improvement to address satisfaction. Refocus Determine the root cause of the low value. Refocus, retrain, or refresh the UX to improve value. If there is no value found, aim to "keep the lights on" until the app can be decommissioned. Replace Replace or rebuild the application as technical and user issues are putting important business capabilities at risk. Decommission application alongside replacement. Remediate Address the poor technical health or risk with a prioritized project. Further consult with development and technical teams to determine if migration or refactoring is suited to address the technical issue. Retire Cancel any requested features and enhancements. Schedule the proper decommission and transfer end users to a new or alternative system if necessary.

TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.

Populate roadmap example

ARE YOU READY TO GET STARTED?

Phase 1

Lay Your Foundations

This phase involves the following participants:

Applications Lead

Key Corporate Stakeholders

Additional Resources

• Build a Value Measurement Framework

APM supports many goals

Building an APM process requires a proper understanding of the underlying business goals and objectives of your organization’s strategy. Effectively identifying these drivers is paramount to gaining buy-in and the approval for any changes you plan to make to your application portfolio.

After identifying these goals, you will need to ensure they are built into the foundations of your APM process.

“What is most critical?” but also “What must come first?”

Assess your current application portfolio with Info-Tech’s APM Diagnostic Tool

One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.

1.1 Assess your current application portfolio with Info-Tech’s diagnostic tool

Estimated time: 1 hour

1. This tool provides visibility into your application portfolio and APM practices.
2. Based on your assessment, you should gain a better understanding of whether the appropriate next steps are in application discovery, rationalization, or roadmapping.
3. Complete the “Data Entry” worksheet in the Application Portfolio Management Diagnostic Tool (Excel).
4. Review the “Results” worksheet to help inform and guide your next steps.

Download the Application Portfolio Management Diagnostic Tool

1.1 Understanding the diagnostic results

Managed Apps are your known knowns and most of your portfolio. Unmanaged and Unsanctioned Apps are known but have unknown risks and compliance. Bring these under IT support. Unknown Apps are high risk and noncompliant. Prioritize these based on risk, cost, and use.		APM is more than an inventory and assessment. A strong APM program provides ongoing visibility and insights to drive application improvement and value delivery. Use your Sprawl Factors to identify process and organizational gaps that may need to be addressed.
Your APM inventory is only as good as the information in it. Use this chart to identify gaps and develop a path to define missing information.		APM is an iterative process. Use this state assessment to determine where to focus most of your current effort.

Understand potential motivations for APM

The value of APM is defined by how the information will be used to drive better decisions.

Different motivations will influence the appropriate approach to and urgency of APM or, specifically, rationalizing the portfolio. When rationalizing is directly related to enabling or in response to a broader initiative, you will need to create a more structured approach with a formal budget and resources.

1.2 Determine narrative

Estimated time: 30 minutes-2 hours

1. Open the “Narrative” tab in the APM Snapshot and Foundations Tool.
2. Start by listing your prevailing IT pain points with the application portfolio. These will be the issues experienced predominantly by the IT team and not necessarily by the stakeholders. Be sure to distinguish pain points from their root causes.
3. Determine an equivalent business pain point for each IT pain point. This should be how the problem manifests itself to business stakeholders and should include potential risks to the organization is exposed to.
4. Determine the business goal for each business pain point. Ideally, these are established organizational goals that key decision-makers will recognize. These goals should address the business pain points you have documented.
5. Determine the technical objective for each business goal. These speak to the general corrections or enhancements to the portfolio required to accomplish the business goals.
6. Use the “Narrative - Matrix” worksheet to group items into themes if needed.

Record the results in the APM Snapshot and Foundations Tool

Connect your pains to what the business cares about to find the most effective narrative

1.3 Define goals and metrics

Estimated time: 1 hour

1. Determine the motivations behind APM. You may want to collect and review any of the organization’s strategic documents that provide additional context on previously established goals.
2. With the appropriate stakeholders, discuss the goals of APM. Try to label your goals as either:
   1. Short term: Refers to immediate goals used to represent the progress of APM activities. Likely these goals are more IT-oriented
   2. Long term: Refers to broader and more distant goals more related to the impact of APM. These goals tend to be more business-oriented.
3. To help clearly define your goals, discuss appropriate metrics for each goal. Often these metrics can be expressed as:
   1. Leading indicators: Metrics used to gauge the success of your short-term goals and the progress of APM activities.
   2. Lagging indicators: Metrics used to gauge the success of your long-term goals.

Record the results in the APM Snapshot and Foundations Tool

1.3 Define goals and metrics: Example

“Application” doesn’t have the same meaning to everyone

	Code: A body of code that's seen by developers as a single unit.
	Functionality: A group of functionality that business customers see as a single unit.
	Funding: An initiative that those with the money see as a single budget.
	?: What else?

“Essentially applications are social constructions.”

Source: Martin Fowler

APM focuses on business applications.

“Software used by business users to perform a business function.”

– ServiceNow, 2020

Unfortunately, that definition is still quite vague.

You must set boundaries and scope for “application”

Set boundaries on what is an application or the individual unit that you’re making business decisions on. Also, determine which categories of applications are in scope and how they will be included in the activities and artifacts of APM. Use your product families defined in Deliver Digital Products at Scale to help define your application categories, groups, and boundaries.

1.4 Define application categories

Estimated time: 1 hour

1. Review the items listed on the previous slide and consider what categories provide the best initial grouping to help organize your rationalization and dispositions. Update the category list to match your application groupings.
2. Identify the additional categories you need to manage in your application portfolio.
3. For each category, establish or modify a description or definition and provide examples that exist in your current portfolio.
4. For each category, answer:
   1. Will these be documented in the application inventory?
   2. Will these be included in application rationalization? Think about if this item will be assigned a TCO, value score, and, ultimately, a disposition.
   3. Will these be listed in the application portfolio roadmap?
5. If you completed Deliver Digital Products at Scale, use your product families to help define your application categories.

Record the results in the APM Snapshot and Foundations Tool

1.4 APM worksheet data journey map

1.4 Define application categories: Example

The roles in APM rarely exist; you need to adapt

Corner-of-the-Desk Approach

• No one is explicitly dedicated to building a strategy or APM practices.
• Information is collected whenever the applications team has time available.
• Benefits are pushed out and the value is lost.

Dedicated Approach

• The initiative is given a budget and formal agenda.
• Roles and responsibilities are assigned to team members.

The high-level steps of APM present some questions you need to answer

Build Inventory

Create the full list of applications and capture all necessary attributes.

• Who will build the inventory?
• Do you know all your applications (Shadow IT)?
• Do you know your applications’ functionality?
• Do you know where your applications overlap?
• Who do you need to consult with to fill in the gaps?
• Who will provide specific application information?

Collect & Compile

Engage with appropriate SMEs and collect necessary data points for rationalization.

• Who will collect and compile the data points for rationalization?
• What are the specific data points?
• Are some of the data points currently documented?
• Who will provide specific data points on technical health, cost, performance, and business value?
• Who will determine what business value is?

Assess & Recommend

Apply rationalization framework and toolset to determine dispositions.

• Who will apply a rationalization tool or decision-making framework to generate dispositions for the applications?
• Who will modify the tool or framework to ensure results align to the goals of the organization?
• Who will define any actions or projects that result from the rationalization? And who needs to be consulted to assess the feasibility of any potential project?

Validate & Roadmap

Present dispositions for validation and communicate any decisions or direction for applications.

• Who will present the recommended disposition, corrective action, or new project to the appropriate decision maker?
• Who is the appropriate decision maker for application changes or project approval?
• What format is recommended (idea, proposal, business case) and what extra analysis is required?
• Who needs to be consulted regarding the potential changes?

1.5 Determine APM steps and roles (SIPOC)

Estimated time: 1-2 hours

1. Begin by comparing Info-Tech’s list of common APM roles to the roles that exist in your organization with respect to application management and ownership.
2. There are four high-level steps for APM: build inventory, collect & compile, assess & recommend, and validate & roadmap. Apply the SIPOC (Supplier, Input, Process, Output, Customer) model by completing the following for each step:
   1. In the Process column, modify the description, if necessary. Identify who is responsible for performing the step.
   2. In the Inputs column, modify the list of inputs.
   3. In the Suppliers column, identify who must be included to provide the inputs.
   4. In the Outputs column, modify the list of outputs.
   5. In the Customers column, identify who consumes the outputs.
3. (Optional) Outline how the results of APM will be consumed. For example, project intake or execution, data or platform migration, application or product management, or whichever is appropriate.

Record the results in the APM Snapshot and Foundations Tool

1.5 Determine steps and roles

Planning your APM modernization journey steps

Phase 2

Improve Your Inventory

This phase involves the following participants:

• Applications Lead
• Applications Team

Additional Resources

Document Your Business Architecture

Industry Reference Architectures

Application Capability Template

Pre-step: Collect your applications

1. Consult with your IT team and leverage any existing documentation to gather an initial list of your applications.
2. Build an initial working list of applications. This is just meant to be a starting point. Aim to include any new applications in procurement, implementation, or development.
3. The rationalization and roadmapping phases are best completed when iteratively focusing on manageable groups of applications. Group your applications into subsets based on shared subject matter experts. Likely this will mean grouping applications by business units.
4. Select a subset to be the first group of applications that will undergo the activities of rationalization and roadmapping to refine your APM processes, scoring, and disposition selection.

Info-Tech Best Practice

The more information you plan to capture, the larger the time and effort, especially as you move along toward advanced and strategic items. Capture the information most aligned to your objectives to make the most of your investment.

If you completed Deliver Digital Products at Scale, use your product families and products to help define your applications.

Learn more about automated application discovery:
High Application Satisfaction Starts With Discovering Your Application Inventory

Discover your applications

2.1 Populate your inventory

Estimated time: 1-4 hours per group

1. Review Info-Tech’s list of application inventory attributes.
2. Open the “Application Inventory Details” tab of the APM Snapshot and Foundations Tool. Modify, add, or omit attributes.
3. For each application, populate your prioritized data fields or any fields you know at the time of discovery. You will complete all the fields in future iterations.
4. Complete this the best you can based on your team’s familiarity and any readily available documentation related to these applications.
5. Use the drop-down list to select Enabling, Redundant/Overlapping, and Dependent apps. This will be used to help determine dispositions and comparisons.
6. Highlight missing information or placeholder values that need to be verified.

Record the results in the APM Snapshot and Foundations Tool

2.1 APM worksheet data journey map

Why is the business capability so important?

For the purposes of an inventory, business capabilities help all stakeholders gain a sense of the functionality the application provides.

However, the true value of business capability comes with rationalization.

Upon linking all the organization’s applications to a standardized and consistent set of business capabilities, you can then group your applications based on similar, complementary, or overlapping functionality. In other words, find your redundancies and consolidation opportunities.

Important Consideration

Defining business capabilities and determining the full extent of redundancy is a challenging undertaking and often is a larger effort than APM all together.

Business capabilities should be defined according to the unique functions and language of your organization, at varying levels of granularity, and ideally including target-state capabilities that identify gaps in the future strategy.

This blueprint provides a simplified and generic list for the purpose of categorizing similar functionality. We strongly encourage exploring Document Your Business Architecture to help in the business capability defining process, especially when visibility into your portfolio and knowledge of redundancies is poor.

For a more detailed capability mapping, use the Application Portfolio Snapshot and the worksheets in your current workbook.

What is a business capability map?

A business capability map (BCM) is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals. Business capabilities are the building blocks of the enterprise. They are typically defined at varying levels of granularity and include target-state capabilities that identify gaps in the future strategy. These are the people, process, and tool units that deliver value to your teams and customers.

Info-Tech’s Industry Coverage and Reference Architectures give you a head start on producing a BCM fit for your organization. The visual to the left is an example of a reference architecture for the retail industry.

These are the foundational piece for our Application Portfolio Snapshot. By linking capabilities to your supporting applications, you can better visualize how the portfolio supports the organization at a single glance. More specifically, you can highlight how issues with the portfolio are impacting capability delivery.

Reminder: Best practices imply that business capabilities are methodologically defined by business stakeholders and business architects to capture the unique functions and language of your organization.

The approach laid out in this service is about applying minimal time and effort to make the case for proper investment into the best practices, which can include creating a tailored BCM. Start with a good enough example to produce a useful visual and generate a positive conversation toward resourcing and analyses.

We strongly encourage exploring Document Your Business Architecture and the Application Portfolio Snapshot to understand the thorough methods and tactics for BCM.

Why perform a high-level application alignment before rationalization?

Having to address redundancy complicates the application rationalization process. There is no doubt that assessing applications in isolation is much easier and allows you to arrive at dispositions for your applications in a timelier manner.

Rationalization has two basic steps: first, collect and compile information, and second, analyze that information and determine a disposition for each application. When you don’t have redundancy, you can analyze an application and determine a disposition in isolation. When you do have redundancies, you need to collect information for multiple applications, likely across departments or lines of business, then perform a comparative analysis.

Most likely your approach will fall somewhere between the examples below and require a hybrid approach.

Benefits of a high-level application alignment:

• Review the degree of redundancy across your portfolio.
• Understand the priority areas for rationalization and the sequence of information collection.

2.2 Align apps to capabilities and functions

Estimated time: 1-4 hours per grouping

The APM tool provides up to three different grouping comparisons to assess how well your applications are supporting your enterprise. Although business capabilities are important, identify your organizational perspectives to determine how well your portfolio supports these functions, departments, or value streams. Each grouping should be a consistent category, type, or arrangement of applications.

1. Enter the business capabilities, from either your own BCM or the Info-Tech reference architectures, into the Business Capability column under Grouping 1.
2. Open the “Group 1 Alignment Matrix” worksheet in the APM Snapshot and Foundations Tool.
3. For each application’s row, enter an “X” in the column of a capability that the application supports.
4. Optionally, repeat these steps under Grouping 2 and 3 for each value stream, department, function, or business unit where you’d like to assess application support. Note: To use Grouping 3, unhide the columns on the “Application and Group Lists” worksheet and unhide the worksheet “Grouping 3 Alignment Matrix.”

Record the results in the APM Snapshot and Foundations Tool

2.2 APM worksheet data journey map

2.2 Aligning applications to groups example

Alignment Matrix: Identify applications supporting each capability or function.

In this example:

BC 1 is supported by App A

BC 2 is supported by App B

BC 3 is supported by Apps C & D

BCs 4 & 5 are supported by App E

BC 6 is supported by Apps F-G. BC 6 shows an example of potential redundancy and portfolio complexity.

The APM tool supports three different Snapshot groupings. Repeat this exercise for each grouping.

Align application to capabilities – tool view

Phase 3

Rationalize Your Applications

This phase involves the following participants:

• Applications Lead
• Application SMEs

Additional Resources

• Build a Value Measurement Framework
• Value Calculator
• Application Portfolio Assessment Diagnostic
• Application TCO Calculator
• Application Rationalization Tool

Phase pre-step: Sequence rationalization assessments appropriately

Use the APM Snapshot results to determine APM iterations

• Application rationalization requires an iterative approach.
• Review your application types and alignment from Phase 2 to begin to identify areas of overlapping or redundant applications.
• Sequence the activities of Phase 3 based on whether you have a:
  • Redundant Portfolio
    • Use the APM Snapshot to prioritize analysis by grouping.
    • Complete the application functional analysis.
    • Use the “Application Comparison” worksheet to aid your comparison of application subsets.
    • Update application dispositions and roadmap initiatives.
  • Non-Redundant Portfolio
    • Use the APM Snapshot to prioritize analysis by grouping.
    • Update application dispositions and roadmap initiatives.

Phase pre-step: Are the right stakeholders present?

Make sure you have the right people at the table from the beginning.

• Application rationalization requires specific stakeholders to provide specific data points.
• Ensure your application subsets are grouped by shared subject matter experts. Ideally, these are grouped by business units.
• For each subset, identify the appropriate SMEs for the five areas of rationalization criteria.
• Communicate and schedule interviews with groups of stakeholders. Inform them of additional information sources to have readily available.
• (Optional) This phase’s activities follow the clockwise sequence of the diagram to the right. Reorder the sequence of activities based on overlaps of availability in subject matter expertise.

Rationalize your applications

One of the principal goals of application rationalization is determining dispositions

Disposition: The intended strategic direction or course of action for an application.

Directionless portfolio of applications	Assigned dispositions for individual apps High-level examples:
	Maintain: Keep the application but adjust its support structure. Modernize: Create a new project to address an inadequacy. Consolidate: Create a new project to reduce duplicate functionality. Retire: Phase out the application.

Application rationalization provides insight

Directionless portfolio of applications	Info-Tech’s Five Lens Model					Assigned dispositions for individual apps
	Application Alignment	Business Value	Technical Health	End-User Perspective	Total Cost of Ownership (TCO)	Maintain: Keep the application but adjust its support structure. Modernize: Create a new initiative to address an inadequacy. Consolidate: Create a new initiative to reduce duplicate functionality. Retire: Phase out the application. Disposition: The intended strategic direction or implied course of action for an application.
	How well do your apps support your core functions and teams?	How well are your apps aligned to value delivery?	Do your apps meet all IT quality standards and policies?	How well do your apps meet your end users’ needs?	What is the relative cost of ownership and operation of your apps?
Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications. Disposition: The intended strategic direction or implied course of action for an application.

3.1-3.4 APM worksheet data journey map

Assessing application business value

First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization.

This will then allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.

In this context…business value is the value of the business outcome that the application produces and how effective the application is at producing that outcome.

Business value IS NOT the user’s experience or satisfaction with the application.

Review the value drivers of your applications

	Financial vs. Human Benefits Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible. Human benefits refer to how an application can deliver value through a user’s experience. Inward vs. Outward Orientation Inward orientation refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward orientation refers to value sources that come from your interaction with external factors, such as the market or your customers.

3.1 Assess business value

Estimated time: 1 -4 hours

1. Review Info-Tech’s four quadrants of business value: increase revenue/value, reduce costs, enhance services, and reach customers. Edit your value drivers, description, and scoring on the “Rationalization Inputs” worksheet. For each value driver, update the key indicators specific to your organization’s priorities. When editing the scoring descriptions, keep only the one you are using.
2. (Optional) Add an additional value driver if your organization has distinct value drivers (e.g. compliance, sustainability, innovation, and growth).
3. For each application, score on a scale of 0 to 5 how impactful the application is for each value driver. Use the indicators set in Phase 1 to guide your scoring.
4. For each value driver, adjust the criteria weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.

Record the results in the APM Snapshot and Foundations Tool

3.1 Weigh value drivers: Example

For additional support in implementing a balanced value framework, refer to Build a Value Measurement Framework.

Understand the back end and technical health of your applications

Technical health identifies the extent of technology risk to the organization.

MAINTAINABILITY (RAS)

RAS refers to an app’s reliability, availability, and serviceability. How often, how long, and how difficult is it for your resources to keep an app functioning, and what are the resulting continuity risks? This can include root causes of maintenance challenges.

• Optimize Systems Management to Improve IT Resilience and Proactivity and Establish a Program to Enable Effective Performance Monitoring

SECURITY

Applications should be aligned and compliant with ALL security policies. Are there vulnerabilities or is there a history of security incidents? Remember that threats are often internal and non-malicious.

• Build an Information Security Strategy

ADAPTABILITY

How easily can the app be enhanced or scaled to meet changes in business needs? Does the app fit within the business strategy?

• Deliver on Your Digital Product Vision

INTEROPERABILITY

The degree to which an app is integrated with current systems. Apps require comprehensive technical planning and oversight to ensure they connect within the greater application architecture. Does the app fit within your enterprise architecture strategy?

• Design an Enterprise Architecture Strategy

BUSINESS CONTINUITY/DISASTER RECOVERY

The degree to which the application is compatible with business continuity/disaster recovery (BC/DR) policies and plans that are routinely tested and verified.

• Create a Right-Sized Disaster Recovery Plan

Unfortunately, the business only cares about what they can see or experience. Rationalization is your opportunity to get risk on the business’ radar and gain buy-in for the necessary action.

3.2 Assess technical health

Estimated time: 1-4 hours

1. Review Info-Tech’s suggested technical health criteria. Edit your criteria, descriptions, and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.

Record the results in the APM Snapshot and Foundations Tool

End users provide valuable perspective

Your end users are your best means of determining front-end issues.

Data Quality

To what degree do the end users find the data quality sufficient to perform their role and achieve their desired outcome?

Effectiveness

To what degree do the end users find the application effective for performing their role and desired outcome?

Usability

To what degree do the end users find the application reliable and easy to use to achieve their desired outcome?

Satisfaction

To what degree are end users satisfied with the features of this application?

What else matters to you?

Tune your criteria to match your values and priorities.

Info-Tech Best Practice

When facing large user groups, do not make assumptions or use lengthy methods of collecting information. Use Info-Tech’s Application Portfolio Assessment to collect data by surveying your end users’ perspectives.

3.3 Assess end-user perspective

Estimated time: 1-4 hours

1. Review Info-Tech’s suggested end-user perspective criteria. Edit your criteria, descriptions and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.

Record the results in the APM Snapshot and Foundations Tool

Consider the spectrum of application cost

An application’s cost extends past a vendor’s fee and even the application itself.

LICENSING AND SUBSCRIPTIONS: Your recurring payments to a vendor.

Many commercial off-the-shelf applications require a license on a per-user basis. Review contracts and determine costs by looking at per-user or fixed rates charged by the vendor.

MAINTENANCE COSTS: Your internal spending to maintain an app.

These are the additional costs to maintain an application such as support agreements, annual maintenance fees, or additional software or hosting expenses.

INDIRECT COSTS: Miscellaneous expenses necessary for an app’s continued use.

Expenses like end-user training, developer education, and admin are often neglected, but they are very real costs organizations pay regularly.

RETURN ON INVESTMENT: Perceived value of the application related to its TCO.

Some of our most valuable applications are the most expensive. ROI is an optional criterion to account for the value and importance of the application.

Info-Tech Best Practice

The TCO assessment is one area where what you are considering the ”application” matters quite a bit. An application’s peripherals or software components need to be considered in your estimates. For additional help calculating TCO, use the Application TCO Calculator from Build a Rationalization Framework.

3.4 Assess total cost of ownership

Estimated time: 1-4 hours

1. Review Info-Tech’s suggested TCO criteria. Edit your criteria, descriptions, and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.

Record the results in the APM Snapshot and Foundations Tool

Phase 4

Populate Your Roadmap

his phase involves the following participants:

• Applications Lead
• Delivery Leads

Additional Resources

• Disposition Prioritization Tool
• Application Rationalization Tool

Review your APM Snapshot

4.1 Review your APM Snapshot results

Estimated time: 1-2 hours

1. The APM Snapshot provides a dashboard to support your APM program’s focus and as an input to demand planning. Unhide the “Group 3” worksheet if you completed the alignment matrix.
2. For each grouping area, review the results to determine underperforming areas. Use this information to prioritize your application root cause analysis and demand planning. Use the key on the following slide to guide your analysis.
3. Analysis guidance:
   1. Start with the quartile grouping to find areas scoring in Remediate or Critical Need and focus follow-up actions on these areas.
   2. Use the lens/category heat map to determine which lenses are underperforming. Use this to then look up the individual app scores supporting that group to identify application issues.
   3. Use the “Application Comparison” worksheet to select and compare applications for the group to make your review and comparison easier.
   4. Work with teams in the group to provide root cause analysis for low scores.
   5. Build a plan to address any apps not supported by IT.

Record the results in the APM Snapshot and Foundations Tool

Interpreting your APM Snapshot

4.1 APM worksheet data journey map

Review your APM rationalization results

4.2 Review your APM Foundations results

Estimated time: 1-2 hours

The APM Foundations Results dashboard (“App Rationalization Results” worksheet) provides a detailed summary of your relative app scoring to serve as input to demand planning.

1. For each grouping, review the results to determine underperforming app support. Use this information to prioritize your application root cause analysis using the individual criteria scores on the “Rationalization Inputs” worksheet.
2. Use guidance on the following example slides to understand each area of the results.
3. Any applications marked as N/A for evaluation will display N/A on the results worksheet and will not be displayed in the chart. You can still enter dispositions.
4. Use the column filters to compare a subset of applications or use the “App Comparison” worksheet to maintain an ongoing view by grouping, redundancy, or category.
5. Any applications marked as N/A for evaluation will display N/A on the results worksheet and will not be displayed in the chart. You can still enter dispositions.

Record the results in the APM Snapshot and Foundations Tool

4.2 APM worksheet data journey map

Interpreting your APM Foundations results

Interpreting your APM Foundations chart

Modernize your applications

Apply Info-Tech’s 6 R’s Rationalization Disposition Model

Disposition Description Reward Prioritize new features or enhancement requests and openly welcome the expansion of these applications as new requests are presented. Refresh Address the poor end-user satisfaction with a prioritized project. Consult with users to determine if UX issues require improvement to address satisfaction. Refocus Determine the root cause of the low value. Refocus, retrain, or refresh the UX to improve value. If there is no value found, aim to "keep the lights on" until the app can be decommissioned. Replace Replace or rebuild the application as technical and user issues are putting important business capabilities at risk. Decommission application alongside replacement. Remediate Address the poor technical health or risk with a prioritized project. Further consult with development and technical teams to determine if migration or refactoring is suited to address the technical issue. Retire Cancel any requested features and enhancements. Schedule the proper decommission and transfer end users to a new or alternative system if necessary.

TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.

4.3 Determine dispositions

Estimated time: 1-4 hours

1. The Recommended Disposition and Priority fields are prepopulated from your scoring thresholds and options on the “Disposition Options” worksheet. You can update any individual application disposition or priority using the drop-down menu and it will populate your selection on the “Roadmap” worksheet.
2. Question if that disposition is appropriate. Be sure to consider:
   1. TCO – cost should come into play for any decisions.
   2. Alignment to strategic goals set for the overarching organizational, IT, technology (infrastructure), or application portfolio.
   3. Existing organizational priorities or funded initiatives impacting the app.
3. Some dispositions may imply a call to action, new project, or initiative. Ideate and/or discuss with the team any potential initiatives. You can use different dispositions and priorities on the “App Rationalization Results” and “Roadmap” worksheets.
4. Note: Modify the list of dispositions on the “Disposition Options” worksheet as appropriate for your rationalization initiative. Any modifications to the Disposition column will be automatically updated in the “App Rationalization Results” and “Roadmap” worksheets.

Record the results in the APM Snapshot and Foundations Tool

4.3 APM worksheet data journey map

Redundancies require a different analysis and set of dispositions

Solving application redundancy is a lot more complicated than simply keeping one application and eliminating the others.

First, you need to understand the extent of the redundancy. The applications may support the same capability, but do they offer the same functions? Determine which apps offer which functions within a capability. This means you cannot accurately arrive at a disposition until you have evaluated all applications.

Next, you need to isolate the preferred system. This is completed by comparing the same data points collected for rationalization and the application alignment analysis. Cost and coverage of all necessary functions become the more important factors in this decision-making process.

Lastly, for the non-preferred redundant applications you need to determine: What will you do with the users? What will you do with the data? And what can you do with the functionality (can the actual coding be merged onto a common platform)?

Compare groups of applications

4.4 Assess redundancies (optional)

Estimated rime: 1 hour per group

This exercise is best performed after aligning business capabilities to applications across the portfolio and identifying your areas of redundancy. At this stage, this is still an information collection exercise, and it will not yield a consolidation-based disposition until applied to all relevant applications. Lastly, this exercise may still be at too high a level to outline the full details of redundancy, but it is still vital information to collect and a starting point to determine which areas require more concentrated analysis.

1. Determine which areas of redundancy or comparisons are desired. Duplicate the “App Comparison” worksheet for each grouping or comparison.
2. Extend the comparison to better identify redundancy.
   1. For each area of redundancy, identify the high-level features. Aim to limit the features to ten, grouping smaller features if necessary. SoftwareReviews can be a resource for identifying common features.
   2. Label features using the MoSCoW model: must have, should have, could have, will not have.
   3. For each application, identify which features they support. You can use the grouping alignment matrix as a template for feature alignment comparison. Duplicate the worksheet, unlock it, and replace the grouping cell references with your list of features.

Record the results in the APM Snapshot and Foundations Tool

4.4 Assess redundancies (optional)

4.5 Determine dispositions for redundant applications (optional)

Estimated time: 1 hour per group

1. Based on the feature-level assessment, determine if you can omit applications if they don’t truly overlap with other applications.
2. Make a copy of the “App Comparison” worksheet and select the applications you want to compare based on your functional analysis.
3. Determine the preferred application(s). Use the diagram to inform your decision. This may be the application closest to the top right (strong health and value). However, less expensive options or any options that provide a more complete set of features may be preferable.
4. Open the “App Rationalization Results” worksheet. Update your disposition for each application.
5. Use these updated dispositions to determine a call to action, new project, or initiative. Ideate and/or discuss with the team any potential initiatives. Update your roadmap with these initiatives in the next step.

Record the results in the APM Snapshot and Foundations Tool

Compare application groups

Group comparison can be used for more than just redundant/overlapping applications.

Roadmaps are used for different purposes

Roadmaps are used for different communication purposes and at varying points in your application delivery practice. Some use a roadmap to showcase strategy and act as a feedback mechanism that allows stakeholders to validate any changes (process 1). Others may use it to illustrate and communicate approved and granular elements of a change to an application to inform appropriate stakeholders of what to anticipate (process 2).

The steps between selecting a disposition and executing on any resulting project will vary based on the organization’s project intake standards (or lack thereof).

This blueprint focuses on building a strategic portfolio roadmap prior to any in-depth assessments related to initiative/project intake, approval, and prioritization. For in-depth support related to intake, approval, prioritization, or planning, review the following resources.

Determine what makes it onto the roadmap

A roadmap should not be limited to what is approved or committed to. A roadmap should be used to present the items that need to happen and begin the discussion of how or if this can be put into place. However, not every idea should make the cut and end up in front of key stakeholders.

4.6 Prioritize initiatives

Estimated time: 1-4 hours

1. This is a high-level assessment to provide a sense of feasibility, practicality, and priority as well as an estimated timeline of a given initiative. Do not get lost in granular estimations. Use this as an input to your demand planning process.
2. Enter the specific name or type of initiative.
   1. Process Initiative: Any project or effort focused on process improvements without technical modification to an app (e.g. user migration, change in SLA, new training program). Write the application and initiative name on a blue sticky note.
   2. App Initiative: Any project or effort involving technical modification to an app (e.g. refactoring, platform migration, feature addition or upgrade). Write the application and initiative name on a yellow sticky note.
   3. Decommission Initiative: Any project and related efforts to remove an app (e.g. migrating data, removal from server). Write the application and initiative name on a red sticky note.
3. Prioritize the initiative to aid in demand planning. This is prepopulated from your selected application disposition, but you can set a different priority for the initiative here.
4. Select the Initiative Phase in the timeline to show the intended schedule and sequencing of the initiative.

Record the results in the APM Snapshot and Foundations Tool

4.6 APM worksheet data journey map

Populate roadmap example

Create a recurring update plan

• Application inventories become stale before you know it. Build steps in your procurement process to capture the appropriate information on new applications. Also, build in checkpoints to revisit your inventory regularly to assess the accuracy of inventory data.
• Rationalization is not one and done; it must occur with an appropriate cadence.
  • Business priorities change, which will impact the current and future value of your apps.
  • Now more than ever, user expectations evolve rapidly.
  • Application sprawl likely won’t stop, so neither will shadow IT and redundancies.
  • Obsolescence, growing technical debt, changing security threats, or shifting technology strategies are all inevitable, as is the gradual decline of an app’s health or technical fit.
• An application’s disposition changes quicker than you think, and rationalization requires a structured cadence. You need to plan to minimize the need for repeated efforts. Conversely, many use preceding iterations to increase the analysis (e.g. more thorough TCO projections or more granular capability-application alignment).
• Portfolio roadmaps require a cadence for both updates and presentations to stakeholders. Updates are often completed semiannually or quarterly to gauge the business adjustments that affect the timeline of the domain-specific applications. The presentation of a roadmap should be completed alongside meetings or gatherings of key decision makers.
• M&A or other restructuring events will prompt the need to address all the above.

Build your APM maturity by taking the right steps at the right time

Info-Tech’s Build an Application Rationalization Framework provides additional TCO and value tools to help build out your portfolio strategy.

APM is an iterative and evergreen process

APM provides oversight and awareness of your application portfolio’s performance and support for your business operations and value delivery to all users and customers.

Repeat according to APM cadence and application changes

4.7 Ongoing APM cadence

Estimated time: 1-2 hours

1. Determine how frequently you will update or present the artifacts of your APM practice: Application Inventory, Rationalization, Disposition, and Roadmap.
2. For each artifact, determine the:
   1. Owner: Who is accountable for the artifact and the data or information within the artifact and will be responsible for or delegate the responsibility of updating or presenting the artifact to the appropriate audience?
   2. Update Cadence: How frequently will you update the artifact? Include what regularly scheduled meetings this activity will be within.
   3. Update Scope: Describe what activities will be performed to keep the artifact up to date. The goal here is to minimize the need for a full set of activities laid out within the blueprint. Optional: How will you expand the thoroughness of your analysis?
   4. Audience: Who is the audience for the artifact or assessment results?
   5. Presentation Cadence: How frequently and when will you review the artifact with the audience?

Record the results in the APM Snapshot and Foundations Tool

4.7 Ongoing APM cadence

Appendices

• Additional support slides
• Bibliography

The APM tool provides a single source of truth and global data sharing

The table shows where source data is used to support different aspects of APM discovery, rationalization, and modernization.

Common application inventory attributes

Common application inventory attributes

Bibliography

”2019 Technology & Small Business Survey.” National Small Business Association (NSBA), n.d. Accessed 1 April 2020.
“Application Rationalization – Essential Part of the Process for Modernization and Operational Efficiency.” Flexera, 2015. Web.
“Applications Rationalization during M&A: Standardize, Streamline, Simplify.” Deloitte Consulting, 2016. Web.
Bowling, Alan. “Clearer Visibility of Product Roadmaps Improves IT Planning.” ComputerWeekly.com, 1 Nov. 2010. Web.
Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando, 13 July 2014. Scrum Inc. 2014. Web.
Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.
“Business Application Definition.” Microsoft Docs, 18 July 2012. Web.
“Connecting Small Businesses in the US.” Deloitte Consulting, 2017. Accessed 1 April. 2020.
Craveiro, João. “Marty meets Martin: connecting the two triads of Product Management.” Product Coalition, 18 Nov. 2017. Web.
Curtis, Bill. “The Business Value of Application Internal Quality.” CAST, 6 April 2009. Web.
Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM, April 2008. Web.
Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Web.
Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group, 2007. Web.
“How Application Rationalization Contributes to the Bottom Line.” LeanIX, 2017. Web.
Jayanthi, Aruna. “Application Landscape Report 2014.” Capgemini, 4 March 2014. Web.
Lankhorst, Marc., et al. “Architecture-Based IT Valuation.” Via Nova Architectura, 31 March 2010. Web.
“Management of business application.” ServiceNow, Jan.2020. Accessed 1 April 2020.
Mauboussin, Michael J. “The True Measures of Success.” HBR, Oct. 2012. Web.
Neogi, Sombit., et al. “Next Generation Application Portfolio Rationalization.” TATA, 2011. Web.
Riverbed. “Measuring the Business Impact of IT Through Application Performance.” CIO Summits, 2015. Web.
Rouse, Margaret. “Application Rationalization.” TechTarget, March 2016. Web.
Van Ramshorst, E.A. “Application Portfolio Management from an Enterprise Architecture Perspective.” Universiteit Utrecht, July 2013.
“What is a Balanced Scorecard?” Intrafocus, n.d. Web.
Whitney, Lance. “SMBs share their biggest constraints and great challenges.” Tech Republic, 6 May 2019. Web.